From 0716768891cbad6a890faa0ea3bda523d216e2f3 Mon Sep 17 00:00:00 2001
From: Krish Suchak
Date: Tue, 2 Jun 2026 15:02:25 -0400
Subject: [PATCH 1/8] feat(policy): DSPX-2754 POC package for dynamic attribute value entitlement
---
 .../v2/dynamicentitlement/attribute_rule.go | 86 +++++++++
 .../access/v2/dynamicentitlement/core.go | 150 +++++++++++++++
 .../access/v2/dynamicentitlement/core_test.go | 106 ++++++++++
 .../access/v2/dynamicentitlement/doc.go | 44 +++++
 .../access/v2/dynamicentitlement/entitle.go | 181 ++++++++++++++++++
 .../v2/dynamicentitlement/entitle_test.go | 102 ++++++++++
 .../v2/dynamicentitlement/new_primitive.go | 53 +++++
 .../v2/dynamicentitlement/options_test.go | 181 ++++++++++++++++++
 .../reuse_subjectmapping.go | 155 +++++++++++++++
 9 files changed, 1058 insertions(+)
 create mode 100644 service/internal/access/v2/dynamicentitlement/attribute_rule.go
 create mode 100644 service/internal/access/v2/dynamicentitlement/core.go
 create mode 100644 service/internal/access/v2/dynamicentitlement/core_test.go
 create mode 100644 service/internal/access/v2/dynamicentitlement/doc.go
 create mode 100644 service/internal/access/v2/dynamicentitlement/entitle.go
 create mode 100644 service/internal/access/v2/dynamicentitlement/entitle_test.go
 create mode 100644 service/internal/access/v2/dynamicentitlement/new_primitive.go
 create mode 100644 service/internal/access/v2/dynamicentitlement/options_test.go
 create mode 100644 service/internal/access/v2/dynamicentitlement/reuse_subjectmapping.go
diff --git a/service/internal/access/v2/dynamicentitlement/attribute_rule.go b/service/internal/access/v2/dynamicentitlement/attribute_rule.go
new file mode 100644
index 0000000000..d0b4ffabff
--- /dev/null
+++ b/service/internal/access/v2/dynamicentitlement/attribute_rule.go
@@ -0,0 +1,86 @@
+package dynamicentitlement
+
+import (
+ "fmt"
+ "strings"
+
+ "github.com/opentdf/platform/lib/flattening"
+ "github.com/opentdf/platform/protocol/go/policy"
+)
+
+// AttributeRule mirrors the conceptual attribute-definition rule set
+// (policy.AttributeRuleTypeEnum: ANY_OF / ALL_OF / HIERARCHY) extended with RuleDynamic
+// for Option C, "a different attribute rule".
+//
+// A definition marked RuleDynamic entitles its values by selector match rather than by
+// static per-value subject mappings. RuleAnyOf / RuleAllOf / RuleHierarchy are also
+// modeled here because the driver needs a combination rule when a single resource
+// carries multiple values under one definition (see entitle.go Decide).
+type AttributeRule int
+
+const (
+ RuleUnspecified AttributeRule = iota
+ RuleAnyOf
+ RuleAllOf
+ RuleHierarchy
+ RuleDynamic
+)
+
+func (r AttributeRule) String() string {
+ switch r {
+ case RuleAnyOf:
+ return "ANY_OF"
+ case RuleAllOf:
+ return "ALL_OF"
+ case RuleHierarchy:
+ return "HIERARCHY"
+ case RuleDynamic:
+ return "DYNAMIC"
+ case RuleUnspecified:
+ return "UNSPECIFIED"
+ default:
+ return fmt.Sprintf("AttributeRule(%d)", int(r))
+ }
+}
+
+// DynamicRuleDefinition is Option C. Rather than a separate mapping object, the
+// AttributeDefinition itself carries the dynamic intent (Rule == RuleDynamic) plus the
+// selector/operator/actions inline.
+//
+// Modeling dynamic as a rule VALUE surfaces a structural tension captured in ADR 0005:
+// the rule slot already encodes how multiple values on one definition COMBINE
+// (ANY_OF / ALL_OF / HIERARCHY). Spending that slot on RuleDynamic — which describes how
+// values are ENTITLED — conflates two orthogonal axes, so a dynamic definition can no
+// longer also state its combination semantics. Here, RuleDynamic combines as ANY_OF by
+// default (see Decide).
+type DynamicRuleDefinition struct {
+ AttributeDefinitionFQN string
+ Rule AttributeRule // expected RuleDynamic
+ Selector string
+ Operator DynamicOperator
+ Actions []*policy.Action
+ Canonicalizer Canonicalizer
+}
+
+var _ Mapping = (*DynamicRuleDefinition)(nil)
+
+// DefinitionFQN implements Mapping.
+func (d *DynamicRuleDefinition) DefinitionFQN() string {
+ return strings.ToLower(d.AttributeDefinitionFQN)
+}
+
+// EntitledActions implements Mapping. It only entitles when the definition is actually
+// marked RuleDynamic, demonstrating that the rule value gates the behavior.
+func (d *DynamicRuleDefinition) EntitledActions(entity flattening.Flattened, segment string) ([]*policy.Action, error) {
+ if d.Rule != RuleDynamic {
+ return nil, nil
+ }
+ matched, err := evaluateDynamicMatch(d.Operator, entity, d.Selector, segment, d.Canonicalizer)
+ if err != nil {
+ return nil, err
+ }
+ if !matched {
+ return nil, nil
+ }
+ return d.Actions, nil
+}
diff --git a/service/internal/access/v2/dynamicentitlement/core.go b/service/internal/access/v2/dynamicentitlement/core.go
new file mode 100644
index 0000000000..a86e5f2483
--- /dev/null
+++ b/service/internal/access/v2/dynamicentitlement/core.go
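Review bot: `EntitledActions` returns `d.Actions` itself, so a caller that overwrites an element of the result changes what the definition grants on the next decision. Returning a copy keeps the grant list owned by the definition: `return append([]*policy.Action(nil), d.Actions...), nil`; the copy is shallow, so the `*policy.Action` values stay shared and callers should still treat them as read-only. `DefinitionValueEntitlementMapping.EntitledActions` in new_primitive.go has the same return. The exported `Rule*` constants carry no doc comments, unlike the operator constants in core.go; one line each, for example `// RuleDynamic marks a definition whose values are entitled by selector match.`, would make the block consistent.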
@@ -0,0 +1,150 @@
+package dynamicentitlement
+
+import (
+ "errors"
+ "fmt"
+ "strings"
+
+ "github.com/opentdf/platform/lib/flattening"
+ "github.com/opentdf/platform/lib/identifier"
+)
+
+// DynamicOperator enumerates the comparison semantics for dynamic, definition-level
+// entitlement. Unlike policy.SubjectMappingOperatorEnum — whose right-hand operand is a
+// STATIC list authored into policy (policy.Condition.subject_external_values) — a
+// DynamicOperator's right-hand operand is supplied at decision time from the resource's
+// attribute value segment. Each value below is the inversion of its static counterpart.
+type DynamicOperator int
+
+const (
+ // OperatorUnspecified is the zero value and is always an error to evaluate.
+ OperatorUnspecified DynamicOperator = iota
+ // ResourceValueIn is true when the resource value segment exactly matches one of the
+ // values produced by resolving the selector against the entity representation. It is
+ // the inversion of SUBJECT_MAPPING_OPERATOR_ENUM_IN.
+ ResourceValueIn
+ // ResourceValueInContains is true when any selector-resolved entity value contains
+ // the resource value segment as a substring. It is the inversion of
+ // SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS.
+ ResourceValueInContains
+)
+
+func (o DynamicOperator) String() string {
+ switch o {
+ case ResourceValueIn:
+ return "RESOURCE_VALUE_IN"
+ case ResourceValueInContains:
+ return "RESOURCE_VALUE_IN_CONTAINS"
+ case OperatorUnspecified:
+ return "UNSPECIFIED"
+ default:
+ return fmt.Sprintf("DynamicOperator(%d)", int(o))
+ }
+}
+
+// Canonicalizer normalizes a single identifier token prior to comparison. External
+// systems (EHRs, IdPs) frequently disagree with policy on case and surrounding
+// whitespace; without a canonicalization step the same logical ID fails to match. This
+// is the normalization/canonicalization concern raised by @biscoe916 on ADR#266. The
+// default lowercases and trims; deployments needing more (e.g. Unicode NFC folding)
+// supply their own.
+type Canonicalizer func(string) string
+
+// DefaultCanonicalizer lowercases and trims surrounding whitespace. It matches the
+// case-insensitivity that lib/identifier already applies to FQNs (identifier.Parse
+// lowercases), so the resource side and entity side land in the same space.
+func DefaultCanonicalizer(s string) string {
+ return strings.ToLower(strings.TrimSpace(s))
+}
+
+// fqnAmbiguousChars are characters that must never appear in an attribute value segment
+// because they collide with FQN structure or URL encoding (raised by @jentfoo on
+// ADR#266). Even if the value character set is loosened for dynamic values — e.g. to
+// admit '@' for email-like identifiers — these remain forbidden as the safety floor.
+const fqnAmbiguousChars = "/.%\x00"
+
+// maxASCII is the highest ASCII code point; runes above it are rejected in value
+// segments to avoid Unicode confusables and normalization hazards.
+const maxASCII = 127
+
+var (
+ // ErrUnspecifiedOperator indicates a mapping was evaluated with the zero operator.
+ ErrUnspecifiedOperator = errors.New("dynamicentitlement: unspecified dynamic operator")
+ // ErrUnsupportedOperator indicates an operator value with no evaluation semantics.
+ ErrUnsupportedOperator = errors.New("dynamicentitlement: unsupported dynamic operator")
+ // ErrAmbiguousValueSegment indicates a value segment contains characters that are
+ // unsafe in an attribute value FQN.
+ ErrAmbiguousValueSegment = errors.New("dynamicentitlement: attribute value segment contains FQN-ambiguous characters")
+ // ErrNotValueFQN indicates an FQN that is not a concrete attribute value FQN.
+ ErrNotValueFQN = errors.New("dynamicentitlement: not a value FQN")
+)
+
+// parseResourceValue splits a concrete attribute value FQN into its parent definition
+// FQN and the value segment, reusing lib/identifier so the spike inherits the exact FQN
+// grammar (and character-set validation) used by policy today. Both returned strings are
+// lowercased, matching identifier.Parse behavior.
+func parseResourceValue(valueFQN string) (string, string, error) {
+ parsed, err := identifier.Parse[*identifier.FullyQualifiedAttribute](valueFQN)
+ if err != nil {
+ return "", "", fmt.Errorf("parsing resource value FQN %q: %w", valueFQN, err)
+ }
+ if parsed.Value == "" {
+ return "", "", fmt.Errorf("%w: %q", ErrNotValueFQN, valueFQN)
+ }
+ def := &identifier.FullyQualifiedAttribute{Namespace: parsed.Namespace, Name: parsed.Name}
+ return def.FQN(), parsed.Value, nil
+}
+
+// validateValueSegment is the reusable safety floor for a value segment. lib/identifier
+// already enforces a strict alphanumeric+[-_] set today; this function expresses the
+// minimum that must survive ANY future loosening of that set (e.g. to support emails or
+// dotted IDs): reject FQN-structural characters, percent-encoding, NUL, and non-ASCII.
+func validateValueSegment(segment string) error {
+ if segment == "" {
+ return fmt.Errorf("%w: empty segment", ErrAmbiguousValueSegment)
+ }
+ if strings.ContainsAny(segment, fqnAmbiguousChars) {
+ return fmt.Errorf("%w: %q", ErrAmbiguousValueSegment, segment)
+ }
+ for _, r := range segment {
+ if r > maxASCII {
+ return fmt.Errorf("%w: non-ASCII rune in %q", ErrAmbiguousValueSegment, segment)
+ }
+ }
+ return nil
+}
+
+// evaluateDynamicMatch reports whether resourceSegment is entitled given the values
+// produced by resolving selector against the (already flattened) entity, under the
+// supplied operator. canon is applied to both sides before comparison; a nil canon falls
+// back to DefaultCanonicalizer.
+//
+// This is the single shared mechanic every option in the spike depends on.
+func evaluateDynamicMatch(op DynamicOperator, entity flattening.Flattened, selector, resourceSegment string, canon Canonicalizer) (bool, error) {
+ if canon == nil {
+ canon = DefaultCanonicalizer
+ }
+ entityValues := flattening.GetFromFlattened(entity, selector)
+ target := canon(resourceSegment)
+
+ switch op {
+ case ResourceValueIn:
+ for _, ev := range entityValues {
+ if canon(fmt.Sprintf("%v", ev)) == target {
+ return true, nil
+ }
+ }
+ return false, nil
+ case ResourceValueInContains:
+ for _, ev := range entityValues {
+ if strings.Contains(canon(fmt.Sprintf("%v", ev)), target) {
+ return true, nil
+ }
+ }
+ return false, nil
+ case OperatorUnspecified:
+ return false, ErrUnspecifiedOperator
+ default:
+ return false, fmt.Errorf("%w: %s", ErrUnsupportedOperator, op)
+ }
+}
diff --git a/service/internal/access/v2/dynamicentitlement/core_test.go b/service/internal/access/v2/dynamicentitlement/core_test.go
new file mode 100644
index 0000000000..581012d897
--- /dev/null
+++ b/service/internal/access/v2/dynamicentitlement/core_test.go
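Review bot: In `evaluateDynamicMatch`, the `ResourceValueInContains` branch uses the resource's value segment as the substring needle, so an entity assigned `mrn-123` is treated as entitled to a resource tagged `mrn-12`, and an empty canonicalized `target` matches every entity value because `strings.Contains(s, "")` is always true. `validateValueSegment` rejects an empty segment but not a whitespace-only one, and a caller-supplied `Canonicalizer` may return an empty string; whether such a segment gets past `identifier.Parse` cannot be seen from this diff, so the guard belongs here: `if target == "" { return false, nil }` directly after `target := canon(resourceSegment)`. The doc comment on `ResourceValueInContains` should also state that the needle comes from the resource side rather than from authored policy, or the operator should require a whole-token match. `fmt.Sprintf("%v", ev)` stringifies non-string entity values before comparison, and a comment saying whether numbers, booleans and nested values are meant to match would remove the guesswork.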
@@ -0,0 +1,106 @@
+package dynamicentitlement
+
+import (
+ "testing"
+
+ "github.com/opentdf/platform/lib/flattening"
+ "github.com/opentdf/platform/protocol/go/entityresolution"
+ "github.com/opentdf/platform/protocol/go/policy"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/protobuf/types/known/structpb"
+)
+
+// --- shared test helpers ---
+
+func entityRep(t *testing.T, props map[string]interface{}) *entityresolution.EntityRepresentation {
+ t.Helper()
+ s, err := structpb.NewStruct(props)
+ require.NoError(t, err)
+ return &entityresolution.EntityRepresentation{
+ OriginalId: "entity-1",
+ AdditionalProps: []*structpb.Struct{s},
+ }
+}
+
+func actions(names ...string) []*policy.Action {
+ out := make([]*policy.Action, 0, len(names))
+ for _, n := range names {
+ out = append(out, &policy.Action{Name: n})
+ }
+ return out
+}
+
+func actionNames(acts []*policy.Action) []string {
+ out := make([]string, 0, len(acts))
+ for _, a := range acts {
+ out = append(out, a.GetName())
+ }
+ return out
+}
+
+// --- core mechanic tests ---
+
+func TestParseResourceValue(t *testing.T) {
+ def, seg, err := parseResourceValue("https://hospital.co/attr/mrn/value/mrn-123")
+ require.NoError(t, err)
+ assert.Equal(t, "https://hospital.co/attr/mrn", def)
+ assert.Equal(t, "mrn-123", seg)
+
+ // case is normalized to lowercase, matching lib/identifier behavior
+ def, seg, err = parseResourceValue("https://hospital.co/attr/MRN/value/MRN-123")
+ require.NoError(t, err)
+ assert.Equal(t, "https://hospital.co/attr/mrn", def)
+ assert.Equal(t, "mrn-123", seg)
+
+ // a definition FQN (no /value/) is not a value FQN
+ _, _, err = parseResourceValue("https://hospital.co/attr/mrn")
+ require.ErrorIs(t, err, ErrNotValueFQN)
+
+ // an email-like value is rejected by the current (strict) identifier character set —
+ // a finding: today's value grammar cannot represent emails/dotted IDs.
+ _, _, err = parseResourceValue("https://acme.co/attr/owner/value/user@acme.co")
+ require.Error(t, err)
+}
+
+func TestValidateValueSegment(t *testing.T) {
+ for _, s := range []string{"mrn-123", "abc", "a_b-c", "123", "acct-42"} {
+ require.NoError(t, validateValueSegment(s), s)
+ }
+ // FQN-structural chars, percent-encoding, NUL, and non-ASCII are always forbidden.
+ for _, s := range []string{"", "a/b", "a.b", "a%2Fb", "a\x00b", "naïve"} {
+ require.ErrorIs(t, validateValueSegment(s), ErrAmbiguousValueSegment, s)
+ }
+}
+
+func TestEvaluateDynamicMatchOperatorErrors(t *testing.T) {
+ f, err := flattening.Flatten(map[string]interface{}{"a": "b"})
+ require.NoError(t, err)
+
+ _, err = evaluateDynamicMatch(OperatorUnspecified, f, ".a", "b", nil)
+ require.ErrorIs(t, err, ErrUnspecifiedOperator)
+
+ _, err = evaluateDynamicMatch(DynamicOperator(99), f, ".a", "b", nil)
+ require.ErrorIs(t, err, ErrUnsupportedOperator)
+}
+
+func TestEvaluateDynamicMatchSemantics(t *testing.T) {
+ f, err := flattening.Flatten(map[string]interface{}{
+ "scalar": "mrn-123",
+ "list": []interface{}{"a", "prefix-team-suffix"},
+ })
+ require.NoError(t, err)
+
+ got, err := evaluateDynamicMatch(ResourceValueIn, f, ".scalar", "mrn-123", nil)
+ require.NoError(t, err)
+ assert.True(t, got)
+
+ got, err = evaluateDynamicMatch(ResourceValueIn, f, ".scalar", "mrn-999", nil)
+ require.NoError(t, err)
+ assert.False(t, got)
+
+ // substring semantics: "team" is contained in "prefix-team-suffix"
+ got, err = evaluateDynamicMatch(ResourceValueInContains, f, ".list[]", "team", nil)
+ require.NoError(t, err)
+ assert.True(t, got)
+}
diff --git a/service/internal/access/v2/dynamicentitlement/doc.go b/service/internal/access/v2/dynamicentitlement/doc.go
new file mode 100644
index 0000000000..cae87fb9d2
--- /dev/null
+++ b/service/internal/access/v2/dynamicentitlement/doc.go
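Review bot: `TestEvaluateDynamicMatchSemantics` never exercises canonicalization, which core.go gives as the reason `Canonicalizer` exists: every call passes `nil` with entity and resource values that already agree in case and whitespace. A case with an entity value such as `" MRN-123 "` against the segment `mrn-123`, one with a non-nil canonicalizer, and a negative `ResourceValueInContains` case would pin the behaviour the access decision relies on. The repeated `got, err = …` blocks could also become a table so that a new operator adds a row rather than a block.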
@@ -0,0 +1,44 @@
+// Package dynamicentitlement is a SPIKE / proof-of-concept for entitling dynamic
+// attribute values at the AttributeDefinition level, exploring DSPX-2754.
+//
+// It is NOT wired into any live decision path. It exists to evaluate, with working
+// code and tests, the options the architecture team deferred to an implementation
+// spike in the dynamic-attribute-value ADR (virtru-corp/adr#266):
+//
+// - reuse the existing SubjectMapping / SubjectConditionSet primitive,
+// - introduce a new primitive (DefinitionValueEntitlementMapping),
+// - introduce a new attribute rule, or
+// - introduce a new comparison operator.
+//
+// # The problem
+//
+// Today, entitling a highly dynamic / high-cardinality value (medical record numbers,
+// account IDs, emails) means duplicating every value as an AttributeValue plus a
+// per-value SubjectMapping + SubjectConditionSet, kept constantly in sync with an
+// external system of record. The ADR proposes raising the condition-set authority up
+// to the AttributeDefinition so one mapping (selector + operator + actions) resolves
+// entitlement to concrete value FQNs dynamically.
+//
+// # The shared mechanic
+//
+// Existing condition evaluation compares an entity's selector result against a STATIC
+// list authored into policy (policy.Condition.subject_external_values; see
+// subjectmappingbuiltin.EvaluateCondition). The dynamic case INVERTS this: the
+// right-hand operand is the resource's value segment (e.g. "mrn-123" parsed from
+// .../value/mrn-123), known only at decision time, tested for membership in the
+// entity's selector-resolved set (e.g. .patientAssignments -> ["mrn-123","mrn-789"]).
+//
+// All four options share that one comparison (see core.go). They differ only in their
+// container, schema, and admin UX. This package implements the comparison once and
+// wraps it three ways (reuse_subjectmapping.go, new_primitive.go, attribute_rule.go),
+// driven by a common entitlement/decision driver (entitle.go), so the trade-offs can
+// be compared on real behavior rather than prose.
+//
+// Findings are summarized in service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md.
+//
+// # Out of scope
+//
+// No proto, codegen, database, sqlc, service-handler, or PDP changes — the ADR states
+// primitive names and schema are still subject to change, so persistence/wire plumbing
+// would be premature churn. POC-only Go types stand in for would-be proto additions.
+package dynamicentitlement
diff --git a/service/internal/access/v2/dynamicentitlement/entitle.go b/service/internal/access/v2/dynamicentitlement/entitle.go
new file mode 100644
index 0000000000..1461a52a3d
--- /dev/null
+++ b/service/internal/access/v2/dynamicentitlement/entitle.go
@@ -0,0 +1,181 @@
+package dynamicentitlement
+
+import (
+ "errors"
+ "fmt"
+ "sort"
+ "strings"
+
+ "github.com/opentdf/platform/lib/flattening"
+ "github.com/opentdf/platform/protocol/go/entityresolution"
+ "github.com/opentdf/platform/protocol/go/policy"
+)
+
+// Mapping is the common behavior shared by all three option shapes
+// (DefinitionScopedSubjectMapping, DefinitionValueEntitlementMapping,
+// DynamicRuleDefinition). Implementing one interface across all three lets the driver
+// and the tests treat them uniformly, which is what makes the options directly
+// comparable.
+type Mapping interface {
+ // DefinitionFQN returns the lowercased parent attribute definition FQN the mapping
+ // is scoped to.
+ DefinitionFQN() string
+ // EntitledActions returns the actions entitled on a resource value segment for a
+ // single flattened entity representation, or nil when there is no match.
+ EntitledActions(entity flattening.Flattened, segment string) ([]*policy.Action, error)
+}
+
+var (
+ // ErrHierarchyUnsupported indicates dynamic entitlement was requested for a
+ // HIERARCHY definition, which requires statically ordered values.
+ ErrHierarchyUnsupported = errors.New("dynamicentitlement: HIERARCHY rule is incompatible with dynamic value entitlement")
+ // ErrCoexistence indicates a definition has both a value-level (static) subject
+ // mapping and a dynamic mapping, which the ADR forbids.
+ ErrCoexistence = errors.New("dynamicentitlement: a definition cannot have both a value-level subject mapping and a dynamic mapping")
+)
+
+// Entitle resolves the set of actions entitled to an entity on a single concrete
+// resource value FQN, across all supplied dynamic mappings scoped to that value's parent
+// definition. Mappings scoped to other definitions are ignored, which keeps entitlement
+// from leaking across definitions/namespaces that happen to share a value segment
+// (the pass-through-value collision concern raised by @jakedoublev).
+func Entitle(mappings []Mapping, entityRep *entityresolution.EntityRepresentation, resourceValueFQN string) ([]*policy.Action, error) {
+ defFQN, segment, err := parseResourceValue(resourceValueFQN)
+ if err != nil {
+ return nil, err
+ }
+ if err := validateValueSegment(segment); err != nil {
+ return nil, err
+ }
+
+ flats, err := flattenEntity(entityRep)
+ if err != nil {
+ return nil, err
+ }
+
+ actionsByName := map[string]*policy.Action{}
+ for _, m := range mappings {
+ if !strings.EqualFold(m.DefinitionFQN(), defFQN) {
+ continue
+ }
+ for _, flat := range flats {
+ acts, err := m.EntitledActions(flat, segment)
+ if err != nil {
+ return nil, err
+ }
+ for _, a := range acts {
+ actionsByName[strings.ToLower(a.GetName())] = a
+ }
+ }
+ }
+ return sortedActions(actionsByName), nil
+}
+
+// Decide applies a definition's combination rule across one or more concrete resource
+// value FQNs under a single definition and reports whether action is granted. It mirrors
+// the production PDP rules in service/internal/access/v2/evaluate.go (anyOfRule /
+// allOfRule) so the spike exercises multi-value resources (ADR decision-flow step 6).
+//
+// RuleDynamic combines as ANY_OF (see the conflation note on DynamicRuleDefinition).
+// RuleHierarchy is rejected outright.
+func Decide(mappings []Mapping, entityRep *entityresolution.EntityRepresentation, rule AttributeRule, action string, resourceValueFQNs []string) (bool, error) {
+ if len(resourceValueFQNs) == 0 {
+ return false, nil
+ }
+
+ switch rule {
+ case RuleAnyOf, RuleDynamic:
+ for _, fqn := range resourceValueFQNs {
+ ok, err := actionEntitled(mappings, entityRep, action, fqn)
+ if err != nil {
+ return false, err
+ }
+ if ok {
+ return true, nil
+ }
+ }
+ return false, nil
+ case RuleAllOf:
+ for _, fqn := range resourceValueFQNs {
+ ok, err := actionEntitled(mappings, entityRep, action, fqn)
+ if err != nil {
+ return false, err
+ }
+ if !ok {
+ return false, nil
+ }
+ }
+ return true, nil
+ case RuleHierarchy:
+ return false, ErrHierarchyUnsupported
+ case RuleUnspecified:
+ return false, errors.New("dynamicentitlement: unspecified rule")
+ default:
+ return false, fmt.Errorf("dynamicentitlement: unsupported rule: %s", rule)
+ }
+}
+
+func actionEntitled(mappings []Mapping, entityRep *entityresolution.EntityRepresentation, action, resourceValueFQN string) (bool, error) {
+ acts, err := Entitle(mappings, entityRep, resourceValueFQN)
+ if err != nil {
+ return false, err
+ }
+ for _, a := range acts {
+ if strings.EqualFold(a.GetName(), action) {
+ return true, nil
+ }
+ }
+ return false, nil
+}
+
+// ValidateNoCoexistence enforces the ADR's API rule that a definition cannot carry both
+// a value-level (static) subject mapping and a dynamic mapping. A real implementation
+// would enforce this in the policy service CRUD layer; here it is a standalone check so
+// the rule can be exercised by tests.
+func ValidateNoCoexistence(definitionFQN string, hasValueLevelSubjectMapping bool, dynamicMappings []Mapping) error {
+ if !hasValueLevelSubjectMapping {
+ return nil
+ }
+ for _, m := range dynamicMappings {
+ if strings.EqualFold(m.DefinitionFQN(), strings.ToLower(definitionFQN)) {
+ return fmt.Errorf("%w: %s", ErrCoexistence, strings.ToLower(definitionFQN))
+ }
+ }
+ return nil
+}
+
+// ValidateRule rejects rules that are incompatible with dynamic value entitlement.
+func ValidateRule(rule AttributeRule) error {
+ if rule == RuleHierarchy {
+ return ErrHierarchyUnsupported
+ }
+ return nil
+}
+
+func flattenEntity(er *entityresolution.EntityRepresentation) ([]flattening.Flattened, error) {
+ var out []flattening.Flattened
+ for _, props := range er.GetAdditionalProps() {
+ f, err := flattening.Flatten(props.AsMap())
+ if err != nil {
+ return nil, fmt.Errorf("flattening entity representation: %w", err)
+ }
+ out = append(out, f)
+ }
+ return out, nil
+}
+
+func sortedActions(byName map[string]*policy.Action) []*policy.Action {
+ if len(byName) == 0 {
+ return nil
+ }
+ names := make([]string, 0, len(byName))
+ for n := range byName {
+ names = append(names, n)
+ }
+ sort.Strings(names)
+ out := make([]*policy.Action, 0, len(names))
+ for _, n := range names {
+ out = append(out, byName[n])
+ }
+ return out
+}
diff --git a/service/internal/access/v2/dynamicentitlement/entitle_test.go b/service/internal/access/v2/dynamicentitlement/entitle_test.go
new file mode 100644
index 0000000000..8903de3306
--- /dev/null
+++ b/service/internal/access/v2/dynamicentitlement/entitle_test.go
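Review bot: `Decide` documents that `resourceValueFQNs` all sit under a single definition, but nothing checks it, so one `rule` is applied across values from different definitions, and under `RuleAnyOf` / `RuleDynamic` the loop returns on the first match without ever parsing the FQNs that follow it. Parsing every FQN before the `switch` and rejecting a list that spans definitions makes the outcome independent of element order; the sketch below reuses `parseResourceValue` from core.go. `ValidateNoCoexistence` and `ValidateRule` are not called from `Entitle` or `Decide`, so the doc comment on `Decide` should say that the caller is expected to have run them.

```go
func Decide(mappings []Mapping, entityRep *entityresolution.EntityRepresentation, rule AttributeRule, action string, resourceValueFQNs []string) (bool, error) {
	// … unchanged: empty resourceValueFQNs check …
	var defFQN string
	for i, fqn := range resourceValueFQNs {
		d, _, err := parseResourceValue(fqn)
		if err != nil {
			return false, err
		}
		if i > 0 && d != defFQN {
			return false, fmt.Errorf("dynamicentitlement: resource values span definitions %q and %q", defFQN, d)
		}
		defFQN = d
	}
	// … unchanged: switch on rule …
```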
@@ -0,0 +1,102 @@
+package dynamicentitlement
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+// TestCrossDefinitionNoLeak verifies entitlement is scoped to the value's parent
+// definition: the same pass-through segment under a different definition is NOT granted.
+// This is the cross-definition/namespace collision concern raised by @jakedoublev.
+func TestCrossDefinitionNoLeak(t *testing.T) {
+ er := entityRep(t, map[string]interface{}{"assignments": []interface{}{"shared-1"}})
+ mA := &DefinitionValueEntitlementMapping{
+ AttributeDefinitionFQN: "https://a.co/attr/x",
+ Selector: ".assignments[]",
+ Operator: ResourceValueIn,
+ Actions: actions("read"),
+ }
+
+ got, err := Entitle([]Mapping{mA}, er, "https://a.co/attr/x/value/shared-1")
+ require.NoError(t, err)
+ assert.Equal(t, []string{"read"}, actionNames(got))
+
+ // same value segment, different definition -> no entitlement (no leak)
+ got, err = Entitle([]Mapping{mA}, er, "https://b.co/attr/y/value/shared-1")
+ require.NoError(t, err)
+ assert.Empty(t, got)
+}
+
+// TestDecideMultiValue exercises a single resource carrying multiple values under one
+// definition (ADR decision-flow step 6), across the ANY_OF / ALL_OF combination rules.
+func TestDecideMultiValue(t *testing.T) {
+ const def = "https://hospital.co/attr/mrn"
+ er := entityRep(t, map[string]interface{}{"patientAssignments": []interface{}{"mrn-123"}})
+ m := &DefinitionValueEntitlementMapping{
+ AttributeDefinitionFQN: def, Selector: ".patientAssignments[]",
+ Operator: ResourceValueIn, Actions: actions("read"),
+ }
+ values := []string{def + "/value/mrn-123", def + "/value/mrn-999"} // entity has only mrn-123
+
+ anyOf, err := Decide([]Mapping{m}, er, RuleAnyOf, "read", values)
+ require.NoError(t, err)
+ assert.True(t, anyOf, "ANY_OF: one matched value suffices")
+
+ allOf, err := Decide([]Mapping{m}, er, RuleAllOf, "read", values)
+ require.NoError(t, err)
+ assert.False(t, allOf, "ALL_OF: mrn-999 is not entitled")
+
+ dynamic, err := Decide([]Mapping{m}, er, RuleDynamic, "read", values)
+ require.NoError(t, err)
+ assert.True(t, dynamic, "RuleDynamic combines as ANY_OF by default")
+
+ _, err = Decide([]Mapping{m}, er, RuleHierarchy, "read", values)
+ require.ErrorIs(t, err, ErrHierarchyUnsupported)
+}
+
+// TestValidators covers the two API-enforcement findings: no coexistence with
+// value-level subject mappings, and HIERARCHY rejection.
+func TestValidators(t *testing.T) {
+ const def = "https://hospital.co/attr/mrn"
+ m := &DefinitionValueEntitlementMapping{AttributeDefinitionFQN: def, Selector: ".x", Operator: ResourceValueIn}
+
+ require.ErrorIs(t, ValidateNoCoexistence(def, true, []Mapping{m}), ErrCoexistence)
+ require.NoError(t, ValidateNoCoexistence(def, false, []Mapping{m}))
+ require.NoError(t, ValidateNoCoexistence("https://other.co/attr/z", true, []Mapping{m}))
+
+ require.ErrorIs(t, ValidateRule(RuleHierarchy), ErrHierarchyUnsupported)
+ require.NoError(t, ValidateRule(RuleAnyOf))
+}
+
+// TestEntitleRejectsBadResourceFQN ensures a non-value or character-unsafe FQN is
+// rejected before evaluation.
+func TestEntitleRejectsBadResourceFQN(t *testing.T) {
+ er := entityRep(t, map[string]interface{}{"a": "b"})
+
+ _, err := Entitle(nil, er, "https://acme.co/attr/owner/value/user@acme.co")
+ require.Error(t, err)
+
+ _, err = Entitle(nil, er, "https://acme.co/attr/owner") // not a value FQN
+ require.ErrorIs(t, err, ErrNotValueFQN)
+}
+
+// TestDirectEntitlementOverlap demonstrates the migration story (@biscoe916 Q1): a
+// direct entitlement is effectively a (value FQN, actions) pair sourced from ERS at
+// decision time. The dynamic mapping reproduces the identical grant from a single
+// policy artifact, without per-value records.
+func TestDirectEntitlementOverlap(t *testing.T) {
+ const def = "https://acme.co/attr/account"
+ const valueFQN = def + "/value/acct-42"
+ er := entityRep(t, map[string]interface{}{"accounts": []interface{}{"acct-42"}})
+
+ m := &DefinitionValueEntitlementMapping{
+ AttributeDefinitionFQN: def, Selector: ".accounts[]",
+ Operator: ResourceValueIn, Actions: actions("read"),
+ }
+ got, err := Entitle([]Mapping{m}, er, valueFQN)
+ require.NoError(t, err)
+ // equivalent to a direct entitlement record {attribute_value_fqn: valueFQN, actions:[read]}
+ assert.Equal(t, []string{"read"}, actionNames(got))
+}
diff --git a/service/internal/access/v2/dynamicentitlement/new_primitive.go b/service/internal/access/v2/dynamicentitlement/new_primitive.go
new file mode 100644
index 0000000000..99005f9336
--- /dev/null
+++ b/service/internal/access/v2/dynamicentitlement/new_primitive.go
@@ -0,0 +1,53 @@
+package dynamicentitlement
+
+import (
+ "strings"
+
+ "github.com/opentdf/platform/lib/flattening"
+ "github.com/opentdf/platform/protocol/go/policy"
+)
+
+// DefinitionValueEntitlementMapping is the spike's purpose-built primitive — Option B,
+// "new primitive". It raises condition-set authority to the AttributeDefinition: a
+// single mapping resolves entitlement for every concrete value FQN under the definition.
+//
+// Compared with Option A (reuse_subjectmapping.go) it carries exactly the four fields
+// the dynamic case needs and nothing it does not: there is no static
+// subject_external_values to overload, and the operator field is typed to the dynamic
+// operators only, so an admin cannot author a nonsensical static/dynamic mix. This is
+// the model the ADR sketched as DefinitionValueEntitlementMapping.
+type DefinitionValueEntitlementMapping struct {
+ // AttributeDefinitionFQN is the parent definition this mapping is scoped to,
+ // e.g. "https://hospital.co/attr/mrn".
+ AttributeDefinitionFQN string
+ // Selector is the flattened entity-representation selector, e.g. ".medicalRecordNumber"
+ // or ".patientAssignments[]" for an array field.
+ Selector string
+ // Operator is the dynamic comparison applied between the selector result and the
+ // resource value segment (initially ResourceValueIn).
+ Operator DynamicOperator
+ // Actions are granted on the concrete value FQN when the comparison matches.
+ Actions []*policy.Action
+ // Canonicalizer optionally overrides DefaultCanonicalizer.
+ Canonicalizer Canonicalizer
+}
+
+var _ Mapping = (*DefinitionValueEntitlementMapping)(nil)
+
+// DefinitionFQN implements Mapping.
+func (m *DefinitionValueEntitlementMapping) DefinitionFQN() string {
+ return strings.ToLower(m.AttributeDefinitionFQN)
+}
+
+// EntitledActions implements Mapping: it resolves the selector against the entity and,
+// on a match, returns the mapped actions for the given resource value segment.
+func (m *DefinitionValueEntitlementMapping) EntitledActions(entity flattening.Flattened, segment string) ([]*policy.Action, error) {
+ matched, err := evaluateDynamicMatch(m.Operator, entity, m.Selector, segment, m.Canonicalizer)
+ if err != nil {
+ return nil, err
+ }
+ if !matched {
+ return nil, nil
+ }
+ return m.Actions, nil
+}
diff --git a/service/internal/access/v2/dynamicentitlement/options_test.go b/service/internal/access/v2/dynamicentitlement/options_test.go
new file mode 100644
index 0000000000..e65d6c9bdb
--- /dev/null
+++ b/service/internal/access/v2/dynamicentitlement/options_test.go
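Review bot: A `DefinitionValueEntitlementMapping` is never checked when it is built, so a zero `Operator` only surfaces as `ErrUnspecifiedOperator` inside `evaluateDynamicMatch`, and because `Entitle` in entitle.go returns on the first mapping error, one incomplete mapping fails every decision under its definition. That fails closed, but the misconfiguration is better caught where the mapping is authored; a `Validate` method along the lines below (it needs the `errors` import) gives callers a check to run at that point. What an empty `Selector` resolves to depends on `flattening.GetFromFlattened`, which is outside this diff, so rejecting it is the conservative choice.

```go
// Validate reports whether the mapping is complete enough to evaluate.
func (m *DefinitionValueEntitlementMapping) Validate() error {
	if m.AttributeDefinitionFQN == "" || m.Selector == "" {
		return errors.New("dynamicentitlement: mapping requires a definition FQN and a selector")
	}
	if m.Operator == OperatorUnspecified {
		return ErrUnspecifiedOperator
	}
	return nil
}
```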
@@ -0,0 +1,181 @@
+package dynamicentitlement
+
+import (
+ "testing"
+
+ "github.com/opentdf/platform/protocol/go/policy"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+// dynamicSCS builds a reused SubjectConditionSet with a single dynamic condition: one
+// subject set, one AND condition group, one condition whose subject_external_values
+// carries the ResourceValuePlaceholder sentinel.
+func dynamicSCS(selector string) *policy.SubjectConditionSet {
+ return &policy.SubjectConditionSet{
+ SubjectSets: []*policy.SubjectSet{{
+ ConditionGroups: []*policy.ConditionGroup{{
+ BooleanOperator: policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_AND,
+ Conditions: []*policy.Condition{{
+ SubjectExternalSelectorValue: selector,
+ Operator: policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN,
+ SubjectExternalValues: []string{ResourceValuePlaceholder},
+ }},
+ }},
+ }},
+ }
+}
+
+// shapeFactory builds each option shape from the same inputs so the identical scenarios
+// can be replayed across all three, which is what makes the options directly comparable.
+type shapeFactory struct {
+ name string
+ make func(defFQN, selector string, op DynamicOperator, acts []*policy.Action) Mapping
+}
+
+func allShapes() []shapeFactory {
+ return []shapeFactory{
+ {"new_primitive", func(def, sel string, op DynamicOperator, acts []*policy.Action) Mapping {
+ return &DefinitionValueEntitlementMapping{
+ AttributeDefinitionFQN: def, Selector: sel, Operator: op, Actions: acts,
+ }
+ }},
+ {"attribute_rule", func(def, sel string, op DynamicOperator, acts []*policy.Action) Mapping {
+ return &DynamicRuleDefinition{
+ AttributeDefinitionFQN: def, Rule: RuleDynamic, Selector: sel, Operator: op, Actions: acts,
+ }
+ }},
+ {"reuse_subjectmapping", func(def, sel string, op DynamicOperator, acts []*policy.Action) Mapping {
+ return &DefinitionScopedSubjectMapping{
+ AttributeDefinitionFQN: def, Operator: op, Actions: acts, SubjectConditionSet: dynamicSCS(sel),
+ }
+ }},
+ }
+}
+
+// TestMRNExampleAcrossAllShapes replays the ADR#266 worked example (patient / provider /
+// nurse rows) against every option shape, proving they produce identical decisioning.
+func TestMRNExampleAcrossAllShapes(t *testing.T) {
+ const def = "https://hospital.co/attr/mrn"
+ const resource = "https://hospital.co/attr/mrn/value/mrn-123"
+
+ cases := []struct {
+ name string
+ selector string
+ props map[string]interface{}
+ acts []string
+ wantMatch bool
+ }{
+ {
+ name: "patient",
+ selector: ".medicalRecordNumber",
+ props: map[string]interface{}{"medicalRecordNumber": "mrn-123"},
+ acts: []string{"read", "update_profile"},
+ wantMatch: true,
+ },
+ {
+ name: "provider",
+ selector: ".patientAssignments[]",
+ props: map[string]interface{}{"patientAssignments": []interface{}{"mrn-123", "mrn-789"}},
+ acts: []string{"read", "write_order", "update_chart"},
+ wantMatch: true,
+ },
+ {
+ name: "nurse",
+ selector: ".careTeamAssignments[]",
+ props: map[string]interface{}{"careTeamAssignments": []interface{}{"mrn-123"}},
+ acts: []string{"read", "update_chart"},
+ wantMatch: true,
+ },
+ {
+ name: "unassigned provider",
+ selector: ".patientAssignments[]",
+ props: map[string]interface{}{"patientAssignments": []interface{}{"mrn-456"}},
+ acts: []string{"read"},
+ wantMatch: false,
+ },
+ }
+
+ for _, shape := range allShapes() {
+ for _, tc := range cases {
+ t.Run(shape.name+"/"+tc.name, func(t *testing.T) {
+ m := shape.make(def, tc.selector, ResourceValueIn, actions(tc.acts...))
+ got, err := Entitle([]Mapping{m}, entityRep(t, tc.props), resource)
+ require.NoError(t, err)
+ if tc.wantMatch {
+ assert.ElementsMatch(t, tc.acts, actionNames(got))
+ } else {
+ assert.Empty(t, got)
+ }
+ })
+ }
+ }
+}
+
+// TestCanonicalization exercises the normalization concern (@biscoe916): the external
+// system reports a differently-cased ID. The default canonicalizer matches; a no-op
+// canonicalizer does not.
+func TestCanonicalization(t *testing.T) {
+ const def = "https://hospital.co/attr/mrn"
+ const resource = "https://hospital.co/attr/mrn/value/mrn-123"
+ er := entityRep(t, map[string]interface{}{"medicalRecordNumber": "MRN-123"})
+
+ m := &DefinitionValueEntitlementMapping{
+ AttributeDefinitionFQN: def, Selector: ".medicalRecordNumber",
+ Operator: ResourceValueIn, Actions: actions("read"),
+ }
+ got, err := Entitle([]Mapping{m}, er, resource)
+ require.NoError(t, err)
+ assert.Equal(t, []string{"read"}, actionNames(got))
+
+ m.Canonicalizer = func(s string) string { return s } // no-op: case now matters
+ got, err = Entitle([]Mapping{m}, er, resource)
+ require.NoError(t, err)
+ assert.Empty(t, got)
+}
+
+// TestReuseStaticAndDynamicConditions shows Option A's distinguishing capability: a
+// reused SubjectConditionSet can mix a STATIC condition (department check, evaluated by
+// the existing subjectmappingbuiltin leaf evaluator) with a DYNAMIC condition (resource
+// MRN in the entity's assignments).
+func TestReuseStaticAndDynamicConditions(t *testing.T) {
+ const def = "https://hospital.co/attr/mrn"
+ const resource = def + "/value/mrn-123"
+
+ scs := &policy.SubjectConditionSet{
+ SubjectSets: []*policy.SubjectSet{{
+ ConditionGroups: []*policy.ConditionGroup{{
+ BooleanOperator: policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_AND,
+ Conditions: []*policy.Condition{
+ {
+ SubjectExternalSelectorValue: ".department",
+ Operator: policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN,
+ SubjectExternalValues: []string{"cardiology"},
+ },
+ {
+ SubjectExternalSelectorValue: ".patientAssignments[]",
+ Operator: policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN,
+ SubjectExternalValues: []string{ResourceValuePlaceholder},
+ },
+ },
+ }},
+ }},
+ }
+ m := &DefinitionScopedSubjectMapping{AttributeDefinitionFQN: def, SubjectConditionSet: scs, Actions: actions("read")}
+
+ // cardiology provider assigned to mrn-123 -> both conditions pass
+ got, err := Entitle([]Mapping{m}, entityRep(t, map[string]interface{}{
+ "department": "cardiology",
+ "patientAssignments": []interface{}{"mrn-123"},
+ }), resource)
+ require.NoError(t, err)
+ assert.Equal(t, []string{"read"}, actionNames(got))
+
+ // wrong department -> static condition fails -> no entitlement
+ got, err = Entitle([]Mapping{m}, entityRep(t, map[string]interface{}{
+ "department": "oncology",
+ "patientAssignments": []interface{}{"mrn-123"},
+ }), resource)
+ require.NoError(t, err)
+ assert.Empty(t, got)
+}
diff --git a/service/internal/access/v2/dynamicentitlement/reuse_subjectmapping.go b/service/internal/access/v2/dynamicentitlement/reuse_subjectmapping.go
new file mode 100644
index 0000000000..acc7198c57
--- /dev/null
+++ b/service/internal/access/v2/dynamicentitlement/reuse_subjectmapping.go
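Review bot: The cross-shape table in TestMRNExampleAcrossAllShapes has a single deny row, and it only covers a populated claim that holds a different MRN. Nothing here shows that the three shapes also deny when the selector resolves to nothing (claim absent, or an empty array), which is where a fail-open difference between shapes would matter most. Add a row such as `{name: "missing claim", selector: ".patientAssignments[]", props: map[string]interface{}{}, acts: []string{"read"}, wantMatch: false}`. This assumes entityRep accepts an empty map, which is not visible in this hunk.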
@@ -0,0 +1,155 @@
+package dynamicentitlement
+
+import (
+ "errors"
+ "fmt"
+ "strings"
+
+ "github.com/opentdf/platform/lib/flattening"
+ "github.com/opentdf/platform/protocol/go/policy"
+ smbuiltin "github.com/opentdf/platform/service/internal/subjectmappingbuiltin"
+)
+
+// ResourceValuePlaceholder is the sentinel an admin places in a reused
+// policy.Condition.subject_external_values list to signal that the right-hand operand is
+// the resource value segment rather than a static value.
+//
+// The fact that a sentinel is REQUIRED is itself a spike finding: the existing
+// SubjectConditionSet schema has nowhere to express "this condition is dynamic", so
+// Option A must overload an existing field. See ADR 0005.
+const ResourceValuePlaceholder = "${resource.value}"
+
+// DefinitionScopedSubjectMapping is Option A — "reuse Subject Mappings". It is the
+// existing policy.SubjectConditionSet primitive re-scoped from an AttributeValue to an
+// AttributeDefinition. It genuinely reuses the existing evaluator: static conditions go
+// through subjectmappingbuiltin.EvaluateCondition unchanged, while a condition whose
+// subject_external_values contains ResourceValuePlaceholder is routed to the shared
+// dynamic core. The AND/OR subject-set / condition-group walk mirrors
+// subjectmappingbuiltin.EvaluateSubjectSet.
+//
+// This shape supports mixed static + dynamic conditions, but at the cost of the sentinel
+// overload above and a near-duplicate group walk (the production walk is hard-wired to
+// the static leaf evaluator) — both captured as findings.
+type DefinitionScopedSubjectMapping struct {
+ // AttributeDefinitionFQN is the parent definition this mapping is scoped to.
+ AttributeDefinitionFQN string
+ // SubjectConditionSet is the reused, unmodified policy primitive.
+ SubjectConditionSet *policy.SubjectConditionSet
+ // Operator is the dynamic operator applied to placeholder conditions. When
+ // OperatorUnspecified, it is derived from each placeholder condition's static
+ // SubjectMappingOperatorEnum (IN -> ResourceValueIn, IN_CONTAINS -> ResourceValueInContains).
+ Operator DynamicOperator
+ // Actions are granted when the condition set matches.
+ Actions []*policy.Action
+ // Canonicalizer optionally overrides DefaultCanonicalizer.
+ Canonicalizer Canonicalizer
+}
+
+var _ Mapping = (*DefinitionScopedSubjectMapping)(nil)
+
+// DefinitionFQN implements Mapping.
+func (m *DefinitionScopedSubjectMapping) DefinitionFQN() string {
+ return strings.ToLower(m.AttributeDefinitionFQN)
+}
+
+// EntitledActions implements Mapping. Subject sets AND together (mirroring
+// subjectmappingbuiltin.EvaluateSubjectMappings); on full match the mapped actions are
+// returned.
+func (m *DefinitionScopedSubjectMapping) EntitledActions(entity flattening.Flattened, segment string) ([]*policy.Action, error) {
+ scs := m.SubjectConditionSet
+ if scs == nil {
+ return nil, nil
+ }
+ for _, ss := range scs.GetSubjectSets() {
+ ok, err := m.evaluateSubjectSet(ss, entity, segment)
+ if err != nil {
+ return nil, err
+ }
+ if !ok {
+ return nil, nil
+ }
+ }
+ return m.Actions, nil
+}
+
+func (m *DefinitionScopedSubjectMapping) evaluateSubjectSet(ss *policy.SubjectSet, entity flattening.Flattened, segment string) (bool, error) {
+ // condition groups AND together
+ for _, cg := range ss.GetConditionGroups() {
+ ok, err := m.evaluateConditionGroup(cg, entity, segment)
+ if err != nil {
+ return false, err
+ }
+ if !ok {
+ return false, nil
+ }
+ }
+ return true, nil
+}
+
+func (m *DefinitionScopedSubjectMapping) evaluateConditionGroup(cg *policy.ConditionGroup, entity flattening.Flattened, segment string) (bool, error) {
+ switch cg.GetBooleanOperator() {
+ case policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_AND:
+ for _, c := range cg.GetConditions() {
+ ok, err := m.evaluateCondition(c, entity, segment)
+ if err != nil {
+ return false, err
+ }
+ if !ok {
+ return false, nil
+ }
+ }
+ return true, nil
+ case policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_OR:
+ for _, c := range cg.GetConditions() {
+ ok, err := m.evaluateCondition(c, entity, segment)
+ if err != nil {
+ return false, err
+ }
+ if ok {
+ return true, nil
+ }
+ }
+ return false, nil
+ case policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED:
+ return false, errors.New("unspecified condition group boolean operator")
+ default:
+ return false, fmt.Errorf("unsupported condition group boolean operator: %s", cg.GetBooleanOperator())
+ }
+}
+
+// evaluateCondition routes dynamic (placeholder) conditions to the shared core and
+// static conditions to the existing, reused leaf evaluator.
+func (m *DefinitionScopedSubjectMapping) evaluateCondition(c *policy.Condition, entity flattening.Flattened, segment string) (bool, error) {
+ if !conditionIsDynamic(c) {
+ return smbuiltin.EvaluateCondition(c, entity)
+ }
+ op := m.Operator
+ if op == OperatorUnspecified {
+ op = dynamicFromStatic(c.GetOperator())
+ }
+ return evaluateDynamicMatch(op, entity, c.GetSubjectExternalSelectorValue(), segment, m.Canonicalizer)
+}
+
+func conditionIsDynamic(c *policy.Condition) bool {
+ for _, v := range c.GetSubjectExternalValues() {
+ if v == ResourceValuePlaceholder {
+ return true
+ }
+ }
+ return false
+}
+
+// dynamicFromStatic maps a static SubjectMappingOperatorEnum to its dynamic inversion.
+func dynamicFromStatic(op policy.SubjectMappingOperatorEnum) DynamicOperator {
+ switch op {
+ case policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN:
+ return ResourceValueIn
+ case policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS:
+ return ResourceValueInContains
+ case policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN,
+ policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED:
+ return OperatorUnspecified
+ default:
+ return OperatorUnspecified
+ }
+}
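Review bot: An empty but non-nil SubjectConditionSet entitles every entity: in EntitledActions the loop over `scs.GetSubjectSets()` runs zero times and falls through to `return m.Actions, nil`, while only a nil set is denied. The same vacuous pass exists in evaluateSubjectSet for a subject set with no condition groups, and in the AND branch of evaluateConditionGroup for a group with no conditions. For an entitlement decision the empty case should deny, for example `if scs == nil || len(scs.GetSubjectSets()) == 0 { return nil, nil }`, with matching length checks in the two helpers. Whether the production walk in subjectmappingbuiltin behaves the same way is not visible here, so if this mirrors it on purpose the doc comment should say so.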
From 83fb6b427ec233f06904d12cb798cd8310e1d910 Mon Sep 17 00:00:00 2001 From: Krish Suchak Date: Wed, 3 Jun 2026 18:32:24 -0400 Subject: [PATCH 2/8] docs(policy): DSPX-2754 dynamic attribute value entitlement spike findings --- ...amic-attribute-value-entitlements-spike.md | 130 ++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md diff --git a/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md b/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md new file mode 100644 index 0000000000..240d907f0f --- /dev/null +++ b/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md 
@@ -0,0 +1,130 @@ +# Dynamic Attribute Value Entitlement + +Entitling highly dynamic, high-cardinality attribute values (medical record numbers, account IDs, +email-like identifiers) is impractical today: each value must be duplicated as an `AttributeValue` and +paired with its own `SubjectMapping` + `SubjectConditionSet`, then kept constantly in sync with an +external system of record. The cross-repo ADR [virtru-corp/adr#266](https://github.com/virtru-corp/adr/pull/266) +chose a definition-level dynamic entitlement model (its Option 3) but **explicitly deferred to an +implementation spike** the question of *how* to model it. This document records what that spike +([DSPX-2754](https://virtru.atlassian.net/browse/DSPX-2754)) found. + +The spike code lives in [`service/internal/access/v2/dynamicentitlement`](../../internal/access/v2/dynamicentitlement) +and is **not wired into any live decision path**. It is a throwaway proof-of-concept whose purpose is to +make the options below comparable on real behavior. No protos, database, sqlc, service handlers, or PDP +code were changed, because the source ADR states primitive names and schema are still subject to change. + +## Context + +How should condition-set authority be moved up from the `AttributeValue` to the `AttributeDefinition`? +Four shapes were on the table (from the ADR discussion threads): reuse Subject Mappings, add a new +primitive, add a new attribute rule, or add a new operator. + +## Recommendation: a new primitive (`DefinitionValueEntitlementMapping`) carrying a new operator + +The spike recommends a **new first-class primitive** scoped to an `AttributeDefinition`, holding a +`selector`, a **new dynamic operator**, and `actions`. The four "options" are not mutually exclusive: the +new operator is the shared mechanic *every* shape needs, and the new primitive is the cleanest container +for it. 
Reuse-of-subject-mappings and a new-attribute-rule were both prototyped and found to carry +avoidable downsides (below). + +### Shared Mechanic: a new operator (required by every option) + +Existing condition evaluation compares an entity's selector result against a **static list authored into +policy** (`policy.Condition.subject_external_values`; see +[`subjectmappingbuiltin.EvaluateCondition`](../../internal/subjectmappingbuiltin/subject_mapping_builtin.go)). +The dynamic case **inverts** the comparison: the right-hand operand is the **resource's value segment** +(e.g. `mrn-123`, parsed from `…/value/mrn-123`), known only at decision time, tested for membership in the +entity's selector-resolved set (e.g. `.patientAssignments` → `["mrn-123","mrn-789"]`). + +This inversion cannot be expressed by the current operators, so a new operator is unavoidable regardless +of container. The spike implements `RESOURCE_VALUE_IN` (and `RESOURCE_VALUE_IN_CONTAINS`) as the inversion +of `IN` / `IN_CONTAINS`. Per @jrschumacher's feedback on the ADR, the operator name should make the +direction explicit, so `RESOURCE_VALUE_IN` reads as "the resource value is in the selector result". + +This single function (`evaluateDynamicMatch` in `core.go`) backs all three prototyped shapes. The +`TestMRNExampleAcrossAllShapes` test replays the ADR's worked example against all three and confirms they +decide identically. The shapes therefore differ only in schema, admin UX, and enforcement, not behavior. + +## Options + +| Dimension | A. Reuse Subject Mappings | B. New Primitive (recommended) | C. 
New Attribute Rule | +| --- | --- | --- | --- | +| Expresses "dynamic" in schema | ✗ must overload `subject_external_values` with a sentinel | ✓ typed fields, intent explicit | ◑ rule value implies it | +| Operator field honesty | ✗ static `SubjectMappingOperatorEnum` reused for dynamic meaning | ✓ typed to dynamic operators only | ✓ | +| Combination rule (ANY_OF/ALL_OF) still available | ✓ orthogonal | ✓ orthogonal | ✗ rule slot consumed (see below) | +| Reuses existing evaluator code | ✓ partial (static leaves) | ✗ (new, small) | ✗ | +| Mixed static + dynamic conditions | ✓ supported | ✗ would need a companion subject mapping | ✗ | +| Admin/UX clarity | ✗ "why is this subject mapping on a definition?" | ✓ distinct object, distinct mental model | ◑ overloads "rule" concept | +| Migration drift from today | low (same tables) | medium (new table/proto) | medium | + +### A. Reuse Subject Mappings (Prototyped, Not Recommended) + +The existing `SubjectConditionSet` was re-scoped from an `AttributeValue` to an `AttributeDefinition` +(`DefinitionScopedSubjectMapping`). It reuses the AND/OR condition-group plumbing and the static leaf +evaluator, and it uniquely supports **mixed static + dynamic conditions** (e.g. "department is cardiology +AND the resource MRN is in your assignments"; see `TestReuseStaticAndDynamicConditions`). + +But the `SubjectConditionSet` schema has no way to mark a condition as dynamic, so the prototype overloads +`subject_external_values` with a `${resource.value}` sentinel. This is fragile: it is invisible to existing +tooling, easy to mistype, and reuses a field that everywhere else holds a static list. It also forces a +near-duplicate of the group-walk, because the production walk is hard-wired to the static leaf evaluator. +Reuse keeps table and migration drift low but reduces clarity. 
This answers @strantalis's and @biscoe916's +"why not just extend subject mappings?": it can be done, but the result reads less clearly than a +purpose-built object. + +### C. New Attribute Rule (Prototyped, Not Recommended) + +Modeling dynamic as a new `AttributeRuleTypeEnum` value (`RuleDynamic`) conflates two separate ideas. The +rule slot already encodes how *multiple values on one definition combine* (`ANY_OF` / `ALL_OF` / +`HIERARCHY`). Using that slot to describe how values are *entitled* means a dynamic definition can no +longer state its combination semantics. In the prototype, `RuleDynamic` defaults to `ANY_OF`, which hides +that choice from the author. How values are entitled and how they combine are separate concerns and should +not share one field. + +## Edge Cases (all exercised by tests) + +- **Character Set / FQN Ambiguity** (@jentfoo): value segments must never contain FQN-structural or + encoding characters (`/`, `.`, `%`, NUL) or non-ASCII. The spike enforces this floor + (`validateValueSegment`) independently of any future loosening of the value grammar. As a consequence, the + **current** value grammar (`lib/identifier`, strictly `[a-zA-Z0-9_-]`) already cannot represent + email-like identifiers (`user@acme.co` fails to parse). If the owner/email use case is in scope, the + value grammar must be deliberately widened, but only to a set that excludes the ambiguous characters + above. +- **Canonicalization** (@biscoe916): external systems disagree with policy on case and whitespace. Without a + normalization step, `MRN-123` from the IdP fails to match `mrn-123` in the FQN. The spike applies a + pluggable `Canonicalizer` (default: lowercase + trim) to both sides. `TestCanonicalization` shows the + match succeed with it and fail without it. A real implementation must decide where canonicalization is + authoritative and whether it is configurable per definition. 
+- **Cross-Definition / Namespace Collisions** (@jakedoublev): because entitlement is keyed to the value's + *parent definition FQN*, the same pass-through segment under a different definition is **not** granted + (`TestCrossDefinitionNoLeak`). This is the key advantage of entitling concrete value FQNs over entitling + bare pass-through values. +- **Multi-Value Resources** (ADR decision-flow step 6): a single resource carrying several values under + one definition evaluates the definition rule normally. `TestDecideMultiValue` covers `ANY_OF` (one match + suffices) and `ALL_OF` (every value must match). +- **API Enforcement**: a definition must not carry both a value-level static subject mapping and a dynamic + mapping (`ValidateNoCoexistence`), and `HIERARCHY` definitions are rejected for dynamic entitlement since + they require statically ordered values (`ValidateRule`). +- **Direct-Entitlements Overlap / Migration** (@biscoe916 Q1): a direct entitlement is effectively a + `(value FQN, actions)` pair sourced from ERS at decision time. `TestDirectEntitlementOverlap` shows the + dynamic mapping reproduces the identical grant from a single policy artifact, supporting the + "cover the common case in policy, keep direct entitlements/EPOP for true remote entitlement" path. + +## Open Questions + +1. **Selector Syntax**: the existing flattener addresses array elements as `.patientAssignments[]`, not + the `.patientAssignments` shown in the ADR. The selector grammar surfaced to admins should be specified + and documented. +2. **ERS Trust** (@jentfoo, @jrschumacher): like all entitlement, this trusts the ERS response. The + dynamic model does not worsen that posture but also does not improve it. Provenance/MITM mitigations + remain future work. +3. **Persistence**: where the new primitive's selector values live for any match-acceleration analogous to + the cached `subject_condition_set.selector_values` column. +4. 
**Canonicalization Authority**: per-definition configuration vs a single global normalization. +5. **Value Grammar**: whether/how far to widen the allowed value character set for the email/owner use case. + +## Out Of Scope + +The broader options (do nothing, productize direct entitlements, plugin PDP) were already decided in +[virtru-corp/adr#266](https://github.com/virtru-corp/adr/pull/266). This spike only covers how to model the +chosen definition-level approach. From 7620b87e37a5e3b87677279eca321cf7a9441f79 Mon Sep 17 00:00:00 2001 From: Krish Suchak Date: Thu, 4 Jun 2026 14:29:07 -0400 Subject: [PATCH 3/8] feat(policy): DSPX-2754 dynamic attribute value entitlement mappings Implement the DefinitionValueEntitlementMapping primitive end to end: a definition-scoped mapping that entitles dynamically-requested attribute values by comparing the requested resource value segment against the entity representation at decision time, instead of pre-provisioning a value + subject mapping per discrete value. Design (per ADR 0005, improving on the reference spike): - A dedicated DynamicValueOperatorEnum (RESOURCE_VALUE_IN / _IN_CONTAINS) and DefinitionValueResolver, so operators stay isolated from static subject mapping operators and the schema honestly expresses 'dynamic'. - An optional static SubjectConditionSet pre-gate (normal static semantics) to support compound 'entity attribute AND resource value' conditions. - No-coexistence enforcement (both directions) between value-level subject mappings and dynamic mappings on the same definition. - HIERARCHY rejected; canonicalized (case/space) value comparison. Wiring: proto + generated code + SDK client, DB migration + sqlc + CRUD, dedicated DefinitionValueEntitlementMappingService, decision-time evaluator, PDP load/merge, synthetic-value support, and authz cache. Replaces the throwaway spike package; ports its tests. Refs: DSPX-2754, virtru-corp/adr#266 
Signed-off-by: Krish Suchak --- docs/grpc/index.html | 6105 +++++++++-------- .../authorization/authorization.openapi.yaml | 446 +- .../v2/authorization.openapi.yaml | 538 +- docs/openapi/common/common.openapi.yaml | 38 +- docs/openapi/entity/entity.openapi.yaml | 88 +- .../entity_resolution.openapi.yaml | 284 +- .../v2/entity_resolution.openapi.yaml | 294 +- docs/openapi/kas/kas.openapi.yaml | 265 +- .../policy/actions/actions.openapi.yaml | 497 +- .../policy/attributes/attributes.openapi.yaml | 755 +- .../definition_value_entitlement.openapi.yaml | 1472 ++++ .../key_access_server_registry.openapi.yaml | 1098 +-- .../keymanagement/key_management.openapi.yaml | 223 +- .../policy/namespaces/namespaces.openapi.yaml | 437 +- docs/openapi/policy/objects.openapi.yaml | 338 +- .../obligations/obligations.openapi.yaml | 651 +- .../registered_resources.openapi.yaml | 630 +- .../resource_mapping.openapi.yaml | 524 +- docs/openapi/policy/selectors.openapi.yaml | 24 +- .../subject_mapping.openapi.yaml | 571 +- .../openapi/policy/unsafe/unsafe.openapi.yaml | 526 +- .../wellknown_configuration.openapi.yaml | 144 +- .../definition_value_entitlement.pb.go | 1365 ++++ .../definition_value_entitlement_grpc.pb.go | 258 + .../definition_value_entitlement.connect.go | 245 + protocol/go/policy/objects.pb.go | 1699 +++-- sdk/codegen/main.go | 4 + sdk/sdk.go | 74 +- sdk/sdkconnect/definitionvalueentitlement.go | 70 + service/authorization/v2/cache.go | 50 +- .../v2/dynamicentitlement/attribute_rule.go | 86 - .../access/v2/dynamicentitlement/core.go | 150 - .../access/v2/dynamicentitlement/core_test.go | 106 - .../access/v2/dynamicentitlement/doc.go | 44 - .../access/v2/dynamicentitlement/entitle.go | 181 - .../v2/dynamicentitlement/entitle_test.go | 102 - .../v2/dynamicentitlement/new_primitive.go | 53 - .../v2/dynamicentitlement/options_test.go | 181 - .../reuse_subjectmapping.go | 155 - service/internal/access/v2/helpers.go | 40 +- service/internal/access/v2/helpers_test.go | 3 + 
.../internal/access/v2/just_in_time_pdp.go | 6 +- service/internal/access/v2/pdp.go | 96 +- service/internal/access/v2/policy_store.go | 37 +- service/internal/access/v2/validators.go | 34 + .../definition_value_entitlement_builtin.go | 148 + ...finition_value_entitlement_builtin_test.go | 179 + service/logger/audit/constants.go | 2 + ...amic-attribute-value-entitlements-spike.md | 12 +- service/policy/db/actions.sql.go | 2 +- service/policy/db/attribute_fqn.sql.go | 2 +- service/policy/db/attribute_values.sql.go | 2 +- service/policy/db/attributes.sql.go | 2 +- service/policy/db/copyfrom.go | 2 +- service/policy/db/db.go | 2 +- .../definition_value_entitlement_mappings.go | 397 ++ ...finition_value_entitlement_mappings.sql.go | 606 ++ .../db/key_access_server_registry.sql.go | 2 +- service/policy/db/key_management.sql.go | 2 +- ..._definition_value_entitlement_mappings.sql | 62 + service/policy/db/models.go | 22 +- service/policy/db/namespaces.sql.go | 2 +- service/policy/db/obligations.sql.go | 7 +- .../definition_value_entitlement_mappings.sql | 215 + service/policy/db/registered_resources.sql.go | 2 +- service/policy/db/resource_mapping.sql.go | 2 +- service/policy/db/subject_mappings.go | 7 + service/policy/db/subject_mappings.sql.go | 2 +- service/policy/db/utils.go | 21 + .../definition_value_entitlement.go | 189 + .../definition_value_entitlement.proto | 168 + service/policy/objects.proto | 62 + service/policy/policy.go | 2 + 73 files changed, 14405 insertions(+), 8705 deletions(-) create mode 100644 docs/openapi/policy/definitionvalueentitlement/definition_value_entitlement.openapi.yaml create mode 100644 protocol/go/policy/definitionvalueentitlement/definition_value_entitlement.pb.go create mode 100644 protocol/go/policy/definitionvalueentitlement/definition_value_entitlement_grpc.pb.go create mode 100644 protocol/go/policy/definitionvalueentitlement/definitionvalueentitlementconnect/definition_value_entitlement.connect.go create mode 100644 
sdk/sdkconnect/definitionvalueentitlement.go delete mode 100644 service/internal/access/v2/dynamicentitlement/attribute_rule.go delete mode 100644 service/internal/access/v2/dynamicentitlement/core.go delete mode 100644 service/internal/access/v2/dynamicentitlement/core_test.go delete mode 100644 service/internal/access/v2/dynamicentitlement/doc.go delete mode 100644 service/internal/access/v2/dynamicentitlement/entitle.go delete mode 100644 service/internal/access/v2/dynamicentitlement/entitle_test.go delete mode 100644 service/internal/access/v2/dynamicentitlement/new_primitive.go delete mode 100644 service/internal/access/v2/dynamicentitlement/options_test.go delete mode 100644 service/internal/access/v2/dynamicentitlement/reuse_subjectmapping.go create mode 100644 service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go create mode 100644 service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin_test.go create mode 100644 service/policy/db/definition_value_entitlement_mappings.go create mode 100644 service/policy/db/definition_value_entitlement_mappings.sql.go create mode 100644 service/policy/db/migrations/20260604000000_add_definition_value_entitlement_mappings.sql create mode 100644 service/policy/db/queries/definition_value_entitlement_mappings.sql create mode 100644 service/policy/definitionvalueentitlement/definition_value_entitlement.go create mode 100644 service/policy/definitionvalueentitlement/definition_value_entitlement.proto diff --git a/docs/grpc/index.html b/docs/grpc/index.html index a59d73dd56..352c9bd474 100644 --- a/docs/grpc/index.html +++ b/docs/grpc/index.html @@ -241,6 +241,14 @@

Table of Contents

MConditionGroup +
  • + MDefinitionValueEntitlementMapping +
  • + +
  • + MDefinitionValueResolver +
  • +
  • MKasKey
  • @@ -370,6 +378,10 @@

    Table of Contents

    EConditionBooleanTypeEnum +
  • + EDynamicValueOperatorEnum +
  • +
  • EKasPublicKeyAlgEnum
  • @@ -1067,6 +1079,200 @@

    Table of Contents

    +
  • + policy/subjectmapping/subject_mapping.proto + +
  • + + +
  • + policy/definitionvalueentitlement/definition_value_entitlement.proto + +
  • + +
  • policy/kasregistry/key_access_server_registry.proto
      @@ -1854,249 +2060,118 @@

      Table of Contents

    • - policy/subjectmapping/subject_mapping.proto + policy/unsafe/unsafe.proto +
    • + + +
    • + wellknownconfiguration/wellknown_configuration.proto + -
    • - - -
    • - policy/unsafe/unsafe.proto - -
    • - - -
    • - wellknownconfiguration/wellknown_configuration.proto -
        - -
      • - MGetWellKnownConfigurationRequest -
      • - -
      • - MGetWellKnownConfigurationResponse -
      • - -
      • - MWellKnownConfig -
      • - -
      • - MWellKnownConfig.ConfigurationEntry + MWellKnownConfig.ConfigurationEntry
      • @@ -2708,6 +2783,106 @@

        ConditionGroup

        +

        DefinitionValueEntitlementMapping

        +

        Definition Value Entitlement Mapping: a Policy assigning permitted action(s) to

        dynamically-requested values under an Attribute Definition. It raises entitlement

        authority from a concrete Attribute Value to the Attribute Definition: at decision time

        the value_resolver compares the requested resource value segment against the entity

        representation, avoiding pre-provisioning a value + subject mapping per discrete value.

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        idstring

        attribute_definitionAttribute

        the Attribute Definition whose values are entitled dynamically

        value_resolverDefinitionValueResolver

        the dynamic resolver matched against the requested resource value segment

        subject_condition_setSubjectConditionSet

        optional static pre-gate on the entity, evaluated with normal SubjectConditionSet +semantics (no dynamic overload). When present, both the gate and the resolver must +pass for entitlement.

        actionsActionrepeated

        the actions permitted by subjects in this mapping

        namespaceNamespace

        the namespace containing this mapping

        metadatacommon.Metadata

        + + + + + +

        DefinitionValueResolver

        +

        Definition Value Resolver: the dynamic half of a DefinitionValueEntitlementMapping. It

        resolves a selector against the entity representation and compares the result to the

        requested resource value segment using a DynamicValueOperatorEnum.

        + + + + + + + + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        subject_external_selector_valuestring

        a selector for a field value on a flattened Entity Representation (such as from +idP/LDAP), e.g. ".patientAssignments[]"

        operatorDynamicValueOperatorEnum

        the dynamic operator comparing the selector result to the resource value segment

        + + + + +

        KasKey

        @@ -4201,6 +4376,37 @@

        ConditionBooleanTypeEnum

        +

        DynamicValueOperatorEnum

        +

        Operators for dynamic, definition-level value entitlement. Unlike

        SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into

        policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's

        attribute value segment, supplied at decision time. Each value is the inversion of its

        static SubjectMappingOperatorEnum counterpart.

        + + + + + + + + + + + + + + + + + + + + + + + + + +
        NameNumberDescription
        DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED0

        DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN1

        true when the requested resource value segment equals one of the values resolved by +the selector against the entity representation (inversion of IN)

        DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS2

        true when one of the selector-resolved entity values contains the requested resource +value segment as a substring (inversion of IN_CONTAINS)

        +

        KasPublicKeyAlgEnum

        @@ -9545,12 +9751,12 @@

        Methods with idempotency_level option

        -

        policy/kasregistry/key_access_server_registry.proto

        Top +

        policy/subjectmapping/subject_mapping.proto

        Top

        -

        ActivatePublicKeyRequest

        +

        CreateSubjectConditionSetRequest

        @@ -9561,32 +9767,22 @@

        ActivatePublicKeyRequest

        - + + + + + + + + - -
        idsubject_condition_setSubjectConditionSetCreate

        namespace_id string

        - - - - - -

        ActivatePublicKeyResponse

        -

        - - - - - - - - - - + + @@ -9598,8 +9794,8 @@

        ActivatePublicKeyResponse< -

        ChangeMappings

        -

        Simplified information about the resources that were rotated as part of the key rotation process.

        +

        CreateSubjectConditionSetResponse

        +

        FieldTypeLabelDescription
        keypolicy.Keynamespace_fqnstring

        @@ -9609,15 +9805,8 @@

        ChangeMappings

        - - - - - - - - - + + @@ -9629,7 +9818,7 @@

        ChangeMappings

        -

        CreateKeyAccessServerRequest

        +

        CreateSubjectMappingRequest

        @@ -9640,38 +9829,56 @@

        CreateKeyAccessServerRe

        - + - + - - + + + + + + + + + - + - - + + - + - + - + + + + + + + + - + @@ -9681,7 +9888,7 @@

        CreateKeyAccessServerRe -

        CreateKeyAccessServerResponse

        +

        CreateSubjectMappingResponse

        @@ -9692,8 +9899,8 @@

        CreateKeyAccessServerR

        - - + + @@ -9705,8 +9912,15 @@

        CreateKeyAccessServerR -

        CreateKeyRequest

        -

        Create a new asymmetric key for the specified Key Access Server (KAS)

        +

        DeleteAllUnmappedSubjectConditionSetsRequest

        +

        Prune any Subject Condition Sets not utilized within a Subject Mapping

        + + + + + +

        DeleteAllUnmappedSubjectConditionSetsResponse

        +

        idstring

        fqnstringsubject_condition_setpolicy.SubjectConditionSet

        uriattribute_value_id string

        Required

        Required +Attribute Value to be mapped to

        public_keypolicy.PublicKeyactionspolicy.Actionrepeated

        Required +The actions permitted by subjects in this mapping

        existing_subject_condition_set_idstring

        Deprecated

        Either of the following: +Reuse existing SubjectConditionSet (NOTE: prioritized over new_subject_condition_set)

        source_typepolicy.SourceTypenew_subject_condition_setSubjectConditionSetCreate

        Optional

        Create new SubjectConditionSet (NOTE: ignored if existing_subject_condition_set_id is provided)

        namenamespace_id string

        Optional

        Optional +Namespace ID or FQN for the subject mapping

        namespace_fqnstring

        metadata common.MetadataMutable

        Common metadata

        Optional

        key_access_serverpolicy.KeyAccessServersubject_mappingpolicy.SubjectMapping

        @@ -9716,84 +9930,34 @@

        CreateKeyRequest

        - - - - - - - - - - - - - - - - - - + + + + - - - - - +
        kas_idstring

        Required - -The unique identifier of the Key Access Server

        key_idstring

        Required - -A user-defined identifier for the key

        key_algorithmpolicy.Algorithm

        Required - -The algorithm to be used for the key

        subject_condition_setspolicy.SubjectConditionSetrepeated

        Only IDs of any deleted Subject Condition Set provided

        key_modepolicy.KeyMode

        Required +

        -The mode of the key (e.g., local or external)

        - - - - public_key_ctx - policy.PublicKeyCtx - -

        Required + -Context or additional data specific to the public key, based on the key provider implementation

        - - - - private_key_ctx - policy.PrivateKeyCtx - -

        Conditionally Required + + +

        DeleteSubjectConditionSetRequest

        +

        -Context or additional data specific to the private key, based on the key provider implementation

        - + + + + + + - + - - - - - - - - - - - - - - - + @@ -9803,8 +9967,8 @@

        CreateKeyRequest

        -

        CreateKeyResponse

        -

        Response to a CreateKeyRequest, containing the created asymmetric key

        +

        DeleteSubjectConditionSetResponse

        +

        FieldTypeLabelDescription
        provider_config_idid string

        Optional - -Configuration ID for the key provider, if applicable

        legacybool

        Optional - -Whether the key is a legacy key

        metadatacommon.MetadataMutable

        Common metadata - -Mutable metadata for the key

        Required

        @@ -9814,10 +9978,10 @@

        CreateKeyResponse

        - - + + - + @@ -9827,7 +9991,7 @@

        CreateKeyResponse

        -

        CreatePublicKeyRequest

        +

        DeleteSubjectMappingRequest

        @@ -9838,26 +10002,12 @@

        CreatePublicKeyRequest

        - + - - - - - - - - - - - - - -
        kas_keypolicy.KasKeysubject_condition_setpolicy.SubjectConditionSet

        The created asymmetric key for a KAS.

        Only ID of deleted Subject Condition Set provided

        kas_idid string

        Required

        keypolicy.KasPublicKey

        Required

        metadatacommon.MetadataMutable

        Common metadata

        @@ -9865,7 +10015,7 @@

        CreatePublicKeyRequest

        -

        CreatePublicKeyResponse

        +

        DeleteSubjectMappingResponse

        @@ -9876,10 +10026,10 @@

        CreatePublicKeyResponse

        - key - policy.Key + subject_mapping + policy.SubjectMapping -

        +

        Only ID of the updated Subject Mapping provided

        @@ -9889,7 +10039,7 @@

        CreatePublicKeyResponse

        -

        DeactivatePublicKeyRequest

        +

        GetSubjectConditionSetRequest

        @@ -9903,7 +10053,7 @@

        DeactivatePublicKeyReques id string -

        +

        Required

        @@ -9913,7 +10063,7 @@

        DeactivatePublicKeyReques -

        DeactivatePublicKeyResponse

        +

        GetSubjectConditionSetResponse

        @@ -9924,12 +10074,19 @@

        DeactivatePublicKeyRespo - key - policy.Key + subject_condition_set + policy.SubjectConditionSet

        + + associated_subject_mappings + policy.SubjectMapping + repeated +

        contextualized Subject Mappings associated with this SubjectConditionSet

        + + @@ -9937,7 +10094,7 @@

        DeactivatePublicKeyRespo -

        DeleteKeyAccessServerRequest

        +

        GetSubjectMappingRequest

        @@ -9961,7 +10118,7 @@

        DeleteKeyAccessServerRe -

        DeleteKeyAccessServerResponse

        +

        GetSubjectMappingResponse

        @@ -9972,8 +10129,8 @@

        DeleteKeyAccessServerR - key_access_server - policy.KeyAccessServer + subject_mapping + policy.SubjectMapping

        @@ -9985,14 +10142,7 @@

        DeleteKeyAccessServerR -

        GetBaseKeyRequest

        -

        - - - - - -

        GetBaseKeyResponse

        +

        ListSubjectConditionSetsRequest

        @@ -10003,86 +10153,45 @@

        GetBaseKeyResponse

        - base_key - policy.SimpleKasKey + namespace_id + string -

        The current base key

        - - - - - - - - - -

        GetKeyAccessServerRequest

        -

        - - - - - - - - - - - - - + - + - + - - + + - + - - - - + + + +
        FieldTypeLabelDescription
        idstring

        Deprecated. Deprecated

        kas_idnamespace_fqn string

        option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field

        namestringpaginationpolicy.PageRequest

        Optional

        uristring

        sortSubjectConditionSetsSortrepeated

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        - - -

        Fields with deprecated option

        - - - - - - - - - - - - - - - -
        NameOption
        id

        true

        - - -

        GetKeyAccessServerResponse

        +

        ListSubjectConditionSetsResponse

        @@ -10093,8 +10202,15 @@

        GetKeyAccessServerRespons - key_access_server - policy.KeyAccessServer + subject_condition_sets + policy.SubjectConditionSet + repeated +

        + + + + pagination + policy.PageResponse

        @@ -10106,8 +10222,8 @@

        GetKeyAccessServerRespons -

        GetKeyRequest

        -

        Retrieve an existing asymmetric key from the Key Management System

        +

        ListSubjectMappingsRequest

        +

        @@ -10117,19 +10233,37 @@

        GetKeyRequest

        - + - + - - + + + + + + + + + + + + + + + +
        idnamespace_id string

        The unique identifier of the key to retrieve

        keyKasKeyIdentifiernamespace_fqnstring

        paginationpolicy.PageRequest

        Optional

        sortSubjectMappingsSortrepeated

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        @@ -10137,8 +10271,8 @@

        GetKeyRequest

        -

        GetKeyResponse

        -

        Response to a GetKeyRequest, containing the requested asymmetric key

        +

        ListSubjectMappingsResponse

        +

        @@ -10148,10 +10282,17 @@

        GetKeyResponse

        - - + + + + + + + + + - + @@ -10161,8 +10302,8 @@

        GetKeyResponse

        -

        GetPublicKeyRequest

        -

        +

        MatchSubjectMappingsRequest

        +

        MatchSubjectMappingsRequest liberally returns a list of SubjectMappings based on the provided SubjectProperties.

        The SubjectMappings are returned if an external selector field matches.

        kas_keypolicy.KasKeysubject_mappingspolicy.SubjectMappingrepeated

        paginationpolicy.PageResponse

        The requested asymmetric key for a KAS.

        @@ -10172,9 +10313,9 @@

        GetPublicKeyRequest

        - - - + + + @@ -10185,7 +10326,7 @@

        GetPublicKeyRequest

        -

        GetPublicKeyResponse

        +

        MatchSubjectMappingsResponse

        @@ -10196,9 +10337,9 @@

        GetPublicKeyResponse

        - - - + + + @@ -10209,8 +10350,8 @@

        GetPublicKeyResponse

        -

        GrantedPolicyObject

        -

        Can be namespace, attribute definition, or value

        +

        SubjectConditionSetCreate

        +

        idstringsubject_propertiespolicy.SubjectPropertyrepeated

        keypolicy.Keysubject_mappingspolicy.SubjectMappingrepeated

        @@ -10220,17 +10361,18 @@

        GrantedPolicyObject

        - - - - + + + + - - + + - + @@ -10240,8 +10382,8 @@

        GrantedPolicyObject

        -

        KasKeyIdentifier

        -

        Nested message for specifying the active key using KAS ID and Key ID

        +

        SubjectConditionSetsSort

        +

        idstring

        subject_setspolicy.SubjectSetrepeated

        Required

        fqnstringmetadatacommon.MetadataMutable

        Optional +Common metadata

        @@ -10251,33 +10393,19 @@

        KasKeyIdentifier

        - - - - - - - - - + + - - + + - - - - - - -
        kas_idstring

        namestringfieldSortSubjectConditionSetsType

        uristringdirectionpolicy.SortDirection

        kidstring

        Required Key ID of the key in question

        @@ -10285,7 +10413,7 @@

        KasKeyIdentifier

        -

        KasKeysSort

        +

        SubjectMappingsSort

        @@ -10297,7 +10425,7 @@

        KasKeysSort

        field - SortKasKeysType + SortSubjectMappingsType

        @@ -10316,8 +10444,8 @@

        KasKeysSort

        -

        KeyAccessServerGrants

        -

        Deprecated

        +

        UpdateSubjectConditionSetRequest

        +

        @@ -10327,30 +10455,31 @@

        KeyAccessServerGrants

        - - + + - + - - + + - + - - - - + + + + - - - + + + @@ -10361,7 +10490,7 @@

        KeyAccessServerGrants

        -

        KeyAccessServersSort

        +

        UpdateSubjectConditionSetResponse

        @@ -10372,17 +10501,10 @@

        KeyAccessServersSort

        - - - - - - - - - + + - + @@ -10392,7 +10514,7 @@

        KeyAccessServersSort

        -

        KeyMapping

        +

        UpdateSubjectMappingRequest

        @@ -10403,38 +10525,40 @@

        KeyMapping

        - + - + - + - + - - + + - + - - - - + + + + - - - - + + + + @@ -10444,8 +10568,8 @@

        KeyMapping

        -

        ListKeyAccessServerGrantsRequest

        -

        LIST of KAS Grants returns flat response of grants to all policy objects. It

        does not employ selectors for grants to specific policy objects or build the

        attribute tree relation. If grants to a known namespace, attribute, or value

        are needed, use the respective GET request to the specific policy object.

        +

        UpdateSubjectMappingResponse

        +

        key_access_serverpolicy.KeyAccessServeridstring

        Required

        namespace_grantsGrantedPolicyObjectsubject_setspolicy.SubjectSet repeated

        Optional +If provided, replaces entire existing structure of Subject Sets, Condition Groups, & Conditions

        attribute_grantsGrantedPolicyObjectrepeated

        metadatacommon.MetadataMutable

        Common metadata

        value_grantsGrantedPolicyObjectrepeatedmetadata_update_behaviorcommon.MetadataUpdateEnum

        fieldSortKeyAccessServersType

        directionpolicy.SortDirectionsubject_condition_setpolicy.SubjectConditionSet

        Only ID of updated Subject Condition Set provided

        kidid string

        Required

        kas_urisubject_condition_set_id string

        Optional +Replaces the existing SubjectConditionSet id with a new one

        namespace_mappingsMappedPolicyObjectactionspolicy.Action repeated

        List of namespaces mapped to the key

        Optional +Replaces entire list of actions permitted by subjects

        attribute_mappingsMappedPolicyObjectrepeated

        List of attribute definitions mapped to the key

        metadatacommon.MetadataMutable

        Common metadata

        value_mappingsMappedPolicyObjectrepeated

        List of attribute values mapped to the key

        metadata_update_behaviorcommon.MetadataUpdateEnum

        @@ -10455,38 +10579,292 @@

        ListKeyAccessServer

        - + + + + + + + +
        kas_idsubject_mappingpolicy.SubjectMapping

        Only ID of the updated Subject Mapping provided

        + + + + + + + +

        SortSubjectConditionSetsType

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + +
        NameNumberDescription
        SORT_SUBJECT_CONDITION_SETS_TYPE_UNSPECIFIED0

        SORT_SUBJECT_CONDITION_SETS_TYPE_CREATED_AT1

        SORT_SUBJECT_CONDITION_SETS_TYPE_UPDATED_AT2

        + +

        SortSubjectMappingsType

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + +
        NameNumberDescription
        SORT_SUBJECT_MAPPINGS_TYPE_UNSPECIFIED0

        SORT_SUBJECT_MAPPINGS_TYPE_CREATED_AT1

        SORT_SUBJECT_MAPPINGS_TYPE_UPDATED_AT2

        + + + + + +

        SubjectMappingService

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameRequest TypeResponse TypeDescription
        MatchSubjectMappingsMatchSubjectMappingsRequestMatchSubjectMappingsResponse

        Find matching Subject Mappings for a given Subject

        ListSubjectMappingsListSubjectMappingsRequestListSubjectMappingsResponse

        GetSubjectMappingGetSubjectMappingRequestGetSubjectMappingResponse

        CreateSubjectMappingCreateSubjectMappingRequestCreateSubjectMappingResponse

        UpdateSubjectMappingUpdateSubjectMappingRequestUpdateSubjectMappingResponse

        DeleteSubjectMappingDeleteSubjectMappingRequestDeleteSubjectMappingResponse

        ListSubjectConditionSetsListSubjectConditionSetsRequestListSubjectConditionSetsResponse

        GetSubjectConditionSetGetSubjectConditionSetRequestGetSubjectConditionSetResponse

        CreateSubjectConditionSetCreateSubjectConditionSetRequestCreateSubjectConditionSetResponse

        UpdateSubjectConditionSetUpdateSubjectConditionSetRequestUpdateSubjectConditionSetResponse

        DeleteSubjectConditionSetDeleteSubjectConditionSetRequestDeleteSubjectConditionSetResponse

        DeleteAllUnmappedSubjectConditionSetsDeleteAllUnmappedSubjectConditionSetsRequestDeleteAllUnmappedSubjectConditionSetsResponse

        + + + + +

        Methods with idempotency_level option

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameOption
        ListSubjectMappings

        NO_SIDE_EFFECTS

        GetSubjectMapping

        NO_SIDE_EFFECTS

        ListSubjectConditionSets

        NO_SIDE_EFFECTS

        GetSubjectConditionSet

        NO_SIDE_EFFECTS

        + + + + +
        +

        policy/definitionvalueentitlement/definition_value_entitlement.proto

        Top +
        +

        + + +

        CreateDefinitionValueEntitlementMappingRequest

        +

        + + + + + + + + + + - + - + - + - + + + + + + + + + + + + + + + - + - - + + + + + + + + + + + + + + + + + + + + + + + @@ -10498,8 +10876,8 @@

        ListKeyAccessServer -

        ListKeyAccessServerGrantsResponse

        -

        Deprecated

        +

        CreateDefinitionValueEntitlementMappingResponse

        +

        FieldTypeLabelDescription
        attribute_definition_id string

        Optional -Filter LIST by ID of a registered Key Access Server. -If neither is provided, grants from all registered KASs to policy attribute -objects are returned.

        kas_uriattribute_definition_fqn string

        Optional -Filter LIST by URI of a registered Key Access Server. -If none is provided, grants from all registered KASs to policy attribute -objects are returned.

        kas_namevalue_resolverpolicy.DefinitionValueResolver

        Required: the dynamic resolver comparing entity selector result to the resource value segment

        actionspolicy.Actionrepeated

        Required: actions permitted on a matched value

        existing_subject_condition_set_id string

        Optional -Filter LIST by name of a registered Key Access Server. -If none are provided, grants from all registered KASs to policy attribute -objects are returned.

        Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ...

        paginationpolicy.PageRequestnew_subject_condition_setpolicy.subjectmapping.SubjectConditionSetCreate

        ... or create a new one (ignored if existing_subject_condition_set_id is provided)

        namespace_idstring

        Optional: namespace ID or FQN for the mapping

        namespace_fqnstring

        metadatacommon.MetadataMutable

        Optional

        @@ -10509,15 +10887,39 @@

        ListKeyAccessServe

        - - - - + + + + + +
        grantsKeyAccessServerGrantsrepeated

        Deprecated.

        definition_value_entitlement_mappingpolicy.DefinitionValueEntitlementMapping

        + + + + + +

        DefinitionValueEntitlementMappingsSort

        +

        + + + + + + + + - - + + + + + + + + + @@ -10526,31 +10928,58 @@

        ListKeyAccessServe

        FieldTypeLabelDescription
        paginationpolicy.PageResponsefieldSortDefinitionValueEntitlementMappingsType

        directionpolicy.SortDirection

        - - -

        Fields with deprecated option

        - - + + + +

        DeleteDefinitionValueEntitlementMappingRequest

        +

        + + +
        + + + + + - - + + + + - - + + +
        FieldTypeLabelDescription
        NameOptionidstring

        Required

        + + + + + +

        DeleteDefinitionValueEntitlementMappingResponse

        +

        + + + + + + + - - + + + + - -
        FieldTypeLabelDescription
        grants

        true

        definition_value_entitlement_mappingpolicy.DefinitionValueEntitlementMapping

        Only ID of the deleted mapping provided

        - + + + -

        ListKeyAccessServersRequest

        +

        GetDefinitionValueEntitlementMappingRequest

        @@ -10561,21 +10990,10 @@

        ListKeyAccessServersRequ - pagination - policy.PageRequest + id + string -

        Optional

        - - - - sort - KeyAccessServersSort - repeated -

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        +

        Required

        @@ -10585,7 +11003,7 @@

        ListKeyAccessServersRequ -

        ListKeyAccessServersResponse

        +

        GetDefinitionValueEntitlementMappingResponse

        @@ -10596,15 +11014,8 @@

        ListKeyAccessServersRes - key_access_servers - policy.KeyAccessServer - repeated -

        - - - - pagination - policy.PageResponse + definition_value_entitlement_mapping + policy.DefinitionValueEntitlementMapping

        @@ -10616,7 +11027,7 @@

        ListKeyAccessServersRes -

        ListKeyMappingsRequest

        +

        ListDefinitionValueEntitlementMappingsRequest

        @@ -10627,15 +11038,16 @@

        ListKeyMappingsRequest

        - id + namespace_id string -

        The unique identifier of the key to retrieve

        +

        Optional +Namespace ID or FQN, or Attribute Definition ID or FQN to filter by

        - key - KasKeyIdentifier + attribute_definition_id + string

        @@ -10644,7 +11056,14 @@

        ListKeyMappingsRequest

        pagination policy.PageRequest -

        Pagination request for the list of keys

        +

        Optional

        + + + + sort + DefinitionValueEntitlementMappingsSort + repeated +

        Optional - CONSTRAINT: max 1 item

        @@ -10654,7 +11073,7 @@

        ListKeyMappingsRequest

        -

        ListKeyMappingsResponse

        +

        ListDefinitionValueEntitlementMappingsResponse

        @@ -10665,17 +11084,17 @@

        ListKeyMappingsResponse

        - key_mappings - KeyMapping + definition_value_entitlement_mappings + policy.DefinitionValueEntitlementMapping repeated -

        The list of key mappings

        +

        pagination policy.PageResponse -

        Pagination response for the list of keys

        +

        @@ -10685,8 +11104,8 @@

        ListKeyMappingsResponse

        -

        ListKeysRequest

        -

        List all asymmetric keys managed by a specific Key Access Server or with a given algorithm

        +

        UpdateDefinitionValueEntitlementMappingRequest

        +

        @@ -10696,60 +11115,45 @@

        ListKeysRequest

        - - - - - - - - + - + - - + + - + - + - + - - - - + + + + - - + + - + - - - - + + + + @@ -10759,8 +11163,8 @@

        ListKeysRequest

        -

        ListKeysResponse

        -

        Response to a ListKeysRequest, containing the list of asymmetric keys and pagination information

        +

        UpdateDefinitionValueEntitlementMappingResponse

        +

        key_algorithmpolicy.Algorithm

        Filter keys by algorithm

        kas_idid string

        Filter keys by the KAS ID

        Required

        kas_namestringvalue_resolverpolicy.DefinitionValueResolver

        Filter keys by the KAS name

        Optional: replace the dynamic resolver

        kas_urisubject_condition_set_id string

        Filter keys by the KAS URI

        Optional: replace the static pre-gate SubjectConditionSet by id

        legacybooloptional

        Optional - -Filter for legacy keys

        actionspolicy.Actionrepeated

        Optional: replace the entire list of actions

        paginationpolicy.PageRequestmetadatacommon.MetadataMutable

        Optional - -Pagination request for the list of keys

        Common metadata

        sortKasKeysSortrepeated

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        metadata_update_behaviorcommon.MetadataUpdateEnum

        @@ -10770,17 +11174,10 @@

        ListKeysResponse

        - - - - - - - - - + + - + @@ -10790,49 +11187,137 @@

        ListKeysResponse

        -

        ListPublicKeyMappingRequest

        + + +

        SortDefinitionValueEntitlementMappingsType

        +

        +
        kas_keyspolicy.KasKeyrepeated

        The list of kas keys

        paginationpolicy.PageResponsedefinition_value_entitlement_mappingpolicy.DefinitionValueEntitlementMapping

        Pagination response for the list of keys

        + + + + + + + + + + + + + + + + + + + + + + + + +
        NameNumberDescription
        SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED0

        SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT1

        SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT2

        + + + + + +

        DefinitionValueEntitlementMappingService

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameRequest TypeResponse TypeDescription
        ListDefinitionValueEntitlementMappingsListDefinitionValueEntitlementMappingsRequestListDefinitionValueEntitlementMappingsResponse

        GetDefinitionValueEntitlementMappingGetDefinitionValueEntitlementMappingRequestGetDefinitionValueEntitlementMappingResponse

        CreateDefinitionValueEntitlementMappingCreateDefinitionValueEntitlementMappingRequestCreateDefinitionValueEntitlementMappingResponse

        UpdateDefinitionValueEntitlementMappingUpdateDefinitionValueEntitlementMappingRequestUpdateDefinitionValueEntitlementMappingResponse

        DeleteDefinitionValueEntitlementMappingDeleteDefinitionValueEntitlementMappingRequestDeleteDefinitionValueEntitlementMappingResponse

        - + + +

        Methods with idempotency_level option

        +
        - + + + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        Method NameOption
        ListDefinitionValueEntitlementMappings

        NO_SIDE_EFFECTS

        GetDefinitionValueEntitlementMapping

        NO_SIDE_EFFECTS

        + + + + +
        +

        policy/kasregistry/key_access_server_registry.proto

        Top +
        +

        + + +

        ActivatePublicKeyRequest

        +

        + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - + @@ -10842,7 +11327,7 @@

        ListPublicKeyMappingRequ -

        ListPublicKeyMappingResponse

        +

        ActivatePublicKeyResponse

        @@ -10853,15 +11338,8 @@

        ListPublicKeyMappingRes

        - - - - - - - - - + + @@ -10873,8 +11351,8 @@

        ListPublicKeyMappingRes -

        ListPublicKeyMappingResponse.Association

        -

        +

        ChangeMappings

        +

        Simplified information about the resources that were rotated as part of the key rotation process.

        FieldTypeLabelDescription
        kas_idstring

        Optional

        kas_namestring

        Optional

        kas_uristring

        Optional

        public_key_idstring

        Optional Public Key ID

        paginationpolicy.PageRequestidstring

        Optional

        public_key_mappingsListPublicKeyMappingResponse.PublicKeyMappingrepeated

        paginationpolicy.PageResponsekeypolicy.Key

        @@ -10904,7 +11382,7 @@

        ListPublicK -

        ListPublicKeyMappingResponse.PublicKey

        +

        CreateKeyAccessServerRequest

        @@ -10915,31 +11393,38 @@

        ListPublicKey

        - - + + - + - - - - + + + + - - - - + + + + - - - - + + + + + + + + + + + @@ -10949,7 +11434,7 @@

        ListPublicKey -

        ListPublicKeyMappingResponse.PublicKeyMapping

        +

        CreateKeyAccessServerResponse

        @@ -10960,33 +11445,12 @@

        ListPu

        - - - - - - - - - - - - - - - - + + - - - - - - -
        keypolicy.Keyuristring

        Required

        valuesListPublicKeyMappingResponse.Associationrepeated

        public_keypolicy.PublicKey

        Deprecated

        definitionsListPublicKeyMappingResponse.Associationrepeated

        source_typepolicy.SourceType

        Optional

        namespacesListPublicKeyMappingResponse.Associationrepeated

        namestring

        Optional

        metadatacommon.MetadataMutable

        Common metadata

        kas_idstring

        kas_namestring

        kas_uristringkey_access_serverpolicy.KeyAccessServer

        public_keysListPublicKeyMappingResponse.PublicKeyrepeated

        @@ -10994,8 +11458,8 @@

        ListPu -

        ListPublicKeysRequest

        -

        +

        CreateKeyRequest

        +

        Create a new asymmetric key for the specified Key Access Server (KAS)

        @@ -11008,90 +11472,81 @@

        ListPublicKeysRequest

        - + - + - + - - + + - + - - + + - - - - -
        kas_id string

        Optional

        Required + +The unique identifier of the Key Access Server

        kas_namekey_id string

        Optional

        Required + +A user-defined identifier for the key

        kas_uristringkey_algorithmpolicy.Algorithm

        Optional

        Required + +The algorithm to be used for the key

        paginationpolicy.PageRequestkey_modepolicy.KeyMode

        Optional

        - - - - - -

        ListPublicKeysResponse

        -

        +

        Required - - - - - - +The mode of the key (e.g., local or external)

        + - - - - + + + + - - + + - + - -
        FieldTypeLabelDescription
        keyspolicy.Keyrepeated

        public_key_ctxpolicy.PublicKeyCtx

        Required + +Context or additional data specific to the public key, based on the key provider implementation

        paginationpolicy.PageResponseprivate_key_ctxpolicy.PrivateKeyCtx

        Conditionally Required + +Context or additional data specific to the private key, based on the key provider implementation

        - - - - - -

        MappedPolicyObject

        -

        + + provider_config_id + string + +

        Optional - - - - - - +Configuration ID for the key provider, if applicable

        + - - + + - + - - + + - + @@ -11101,8 +11556,8 @@

        MappedPolicyObject

        -

        RotateKeyRequest

        -

        +

        CreateKeyResponse

        +

        Response to a CreateKeyRequest, containing the created asymmetric key

        FieldTypeLabelDescription
        idstringlegacybool

        The unique identifier of the policy object

        Optional + +Whether the key is a legacy key

        fqnstringmetadatacommon.MetadataMutable

        The fully qualified name of the policy object

        Common metadata + +Mutable metadata for the key

        @@ -11112,24 +11567,10 @@

        RotateKeyRequest

        - - - - - - - - - - - - - - - - + + - + @@ -11139,8 +11580,8 @@

        RotateKeyRequest

        -

        RotateKeyRequest.NewKey

        -

        Nested message for specifying the new key details

        +

        CreatePublicKeyRequest

        +

        idstring

        Current Active Key UUID

        keyKasKeyIdentifier

        Alternative way to specify the active key using KAS ID and Key ID

        new_keyRotateKeyRequest.NewKeykas_keypolicy.KasKey

        Information about the new key to be rotated in

        The created asymmetric key for a KAS.

        @@ -11150,54 +11591,24 @@

        RotateKeyRequest.NewKey

        - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - + - + @@ -11207,8 +11618,8 @@

        RotateKeyRequest.NewKey

        -

        RotateKeyResponse

        -

        Response message for the RotateKey request

        +

        CreatePublicKeyResponse

        +

        key_idkas_id string

        Required

        algorithmpolicy.Algorithm

        Required

        key_modepolicy.KeyMode

        Required

        public_key_ctxpolicy.PublicKeyCtx

        Required

        private_key_ctxpolicy.PrivateKeyCtx

        Required

        provider_config_idstringkeypolicy.KasPublicKey

        Conditionally Required. - -Validation handled by message-level CEL

        Required

        metadata common.MetadataMutable

        Common metadata fields

        Common metadata

        @@ -11218,17 +11629,10 @@

        RotateKeyResponse

        - - - - - - - - - + + - + @@ -11238,8 +11642,8 @@

        RotateKeyResponse

        -

        RotatedResources

        -

        All resources that were rotated as part of the key rotation process

        +

        DeactivatePublicKeyRequest

        +

        kas_keypolicy.KasKey

        The newly rotated Kas Key

        rotated_resourcesRotatedResourceskeypolicy.Key

        All resources that were rotated as part of the key rotation process

        @@ -11249,30 +11653,33 @@

        RotatedResources

        - - + + - - - - - - - - - - - - - + +
        rotated_out_keypolicy.KasKeyidstring

        The old key that was rotated out

        attribute_definition_mappingsChangeMappingsrepeated

        attribute_value_mappingsChangeMappingsrepeated

        + + + + + +

        DeactivatePublicKeyResponse

        +

        + + + + + + + - - - + + + @@ -11283,8 +11690,8 @@

        RotatedResources

        -

        SetBaseKeyRequest

        -

        Sets the specified key as the base key for the Key Access Server

        Note: The key must be active.

        +

        DeleteKeyAccessServerRequest

        +

        FieldTypeLabelDescription
        namespace_mappingsChangeMappingsrepeatedkeypolicy.Key

        @@ -11297,14 +11704,7 @@

        SetBaseKeyRequest

        - - - - - - - - + @@ -11314,7 +11714,7 @@

        SetBaseKeyRequest

        -

        SetBaseKeyResponse

        +

        DeleteKeyAccessServerResponse

        @@ -11325,17 +11725,41 @@

        SetBaseKeyResponse

        - - + + - + + +
        id string

        Current Key UUID tp be set as default

        keyKasKeyIdentifier

        Alternative way to specify the key using KAS ID and Key ID

        Required

        new_base_keypolicy.SimpleKasKeykey_access_serverpolicy.KeyAccessServer

        The key that was set as base

        + + + + + +

        GetBaseKeyRequest

        +

        + + + + + +

        GetBaseKeyResponse

        +

        + + + + + + + + - + - + @@ -11345,7 +11769,7 @@

        SetBaseKeyResponse

        -

        UpdateKeyAccessServerRequest

        +

        GetKeyAccessServerRequest

        @@ -11359,53 +11783,102 @@

        UpdateKeyAccessServerRe

        - + - + - + - - + + - + - - + + - + + + + +
        FieldTypeLabelDescription
        previous_base_keybase_key policy.SimpleKasKey

        The previous base key, if any

        The current base key

        id string

        Required

        Deprecated. Deprecated

        urikas_id string

        Optional

        option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field

        public_keypolicy.PublicKeynamestring

        Deprecated -Optional

        source_typepolicy.SourceTypeuristring

        Optional -Using UNSPECIFIED will result in a successful update, -but will not actually update the underlying source. -You should not update KAS's from INTERNAL/EXTERNAL -to unspecified.

        + + + + +

        Fields with deprecated option

        + + + + + + + - - + + + + + +
        NameOption
        namestringid

        true

        + + + + + +

        GetKeyAccessServerResponse

        +

        + + + + + + + + + + + - + + +
        FieldTypeLabelDescription
        key_access_serverpolicy.KeyAccessServer

        Optional

        + + + + + +

        GetKeyRequest

        +

        Retrieve an existing asymmetric key from the Key Management System

        + + + + + + + + - - + + - + - - + + @@ -11417,8 +11890,8 @@

        UpdateKeyAccessServerRe -

        UpdateKeyAccessServerResponse

        -

        +

        GetKeyResponse

        +

        Response to a GetKeyRequest, containing the requested asymmetric key

        FieldTypeLabelDescription
        metadatacommon.MetadataMutableidstring

        Optional -Common metadata

        The unique identifier of the key to retrieve

        metadata_update_behaviorcommon.MetadataUpdateEnumkeyKasKeyIdentifier

        @@ -11428,10 +11901,10 @@

        UpdateKeyAccessServerR

        - - + + - + @@ -11441,8 +11914,8 @@

        UpdateKeyAccessServerR -

        UpdateKeyRequest

        -

        Update an existing asymmetric key in the Key Management System

        +

        GetPublicKeyRequest

        +

        key_access_serverpolicy.KeyAccessServerkas_keypolicy.KasKey

        The requested asymmetric key for a KAS.

        @@ -11455,26 +11928,31 @@

        UpdateKeyRequest

        - + - - - - - +
        id string

        Required - -The unique identifier of the key to update

        metadatacommon.MetadataMutable

        Optional -Common metadata +

        -Mutable metadata for the key

        - + + + + +

        GetPublicKeyResponse

        +

        + + + + + + + - - + + - + @@ -11484,8 +11962,8 @@

        UpdateKeyRequest

        -

        UpdateKeyResponse

        -

        Response to an UpdateKeyRequest, containing the updated asymmetric key

        +

        GrantedPolicyObject

        +

        Can be namespace, attribute definition, or value

        FieldTypeLabelDescription
        metadata_update_behaviorcommon.MetadataUpdateEnumkeypolicy.Key

        The behavior for updating the metadata

        @@ -11495,10 +11973,17 @@

        UpdateKeyResponse

        - - + + - + + + + + + + + @@ -11508,8 +11993,8 @@

        UpdateKeyResponse

        -

        UpdatePublicKeyRequest

        -

        +

        KasKeyIdentifier

        +

        Nested message for specifying the active key using KAS ID and Key ID

        kas_keypolicy.KasKeyidstring

        The updated kas key

        fqnstring

        @@ -11519,27 +12004,33 @@

        UpdatePublicKeyRequest

        - + - + - - + + - + - - + + + + + + + + +
        idkas_id string

        Required

        metadatacommon.MetadataMutablenamestring

        Optional -Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnumuristring

        kidstring

        Required Key ID of the key in question

        @@ -11547,7 +12038,7 @@

        UpdatePublicKeyRequest

        -

        UpdatePublicKeyResponse

        +

        KasKeysSort

        @@ -11558,274 +12049,156 @@

        UpdatePublicKeyResponse

        - key - policy.Key + field + SortKasKeysType + +

        + + + + direction + policy.SortDirection

        - - - - - - - - -

        SortKasKeysType

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_KAS_KEYS_TYPE_UNSPECIFIED0

        SORT_KAS_KEYS_TYPE_KEY_ID1

        SORT_KAS_KEYS_TYPE_CREATED_AT2

        SORT_KAS_KEYS_TYPE_UPDATED_AT3

        - -

        SortKeyAccessServersType

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_KEY_ACCESS_SERVERS_TYPE_UNSPECIFIED0

        SORT_KEY_ACCESS_SERVERS_TYPE_NAME1

        SORT_KEY_ACCESS_SERVERS_TYPE_URI2

        SORT_KEY_ACCESS_SERVERS_TYPE_CREATED_AT3

        SORT_KEY_ACCESS_SERVERS_TYPE_UPDATED_AT4

        - - - - - -

        KeyAccessServerRegistryService

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Method NameRequest TypeResponse TypeDescription
        ListKeyAccessServersListKeyAccessServersRequestListKeyAccessServersResponse

        GetKeyAccessServerGetKeyAccessServerRequestGetKeyAccessServerResponse

        CreateKeyAccessServerCreateKeyAccessServerRequestCreateKeyAccessServerResponse

        UpdateKeyAccessServerUpdateKeyAccessServerRequestUpdateKeyAccessServerResponse

        DeleteKeyAccessServerDeleteKeyAccessServerRequestDeleteKeyAccessServerResponse

        ListKeyAccessServerGrantsListKeyAccessServerGrantsRequestListKeyAccessServerGrantsResponse

        Deprecated

        CreateKeyCreateKeyRequestCreateKeyResponse

        KAS Key Management -Request to create a new key in the Key Access Service.

        GetKeyGetKeyRequestGetKeyResponse

        Request to retrieve a key from the Key Access Service.

        ListKeysListKeysRequestListKeysResponse

        Request to list keys in the Key Access Service.

        UpdateKeyUpdateKeyRequestUpdateKeyResponse

        Request to update a key in the Key Access Service.

        RotateKeyRotateKeyRequestRotateKeyResponse

        Request to rotate a key in the Key Access Service.

        SetBaseKeySetBaseKeyRequestSetBaseKeyResponse

        Request to set the default a default kas key.

        GetBaseKeyGetBaseKeyRequestGetBaseKeyResponse

        Get Default kas keys

        ListKeyMappingsListKeyMappingsRequestListKeyMappingsResponse

        Request to list key mappings in the Key Access Service.

        + - - -

        Methods with deprecated option

        - + + + +

        KeyAccessServerGrants

        +

        Deprecated

        + + +
        - - - - + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameOption
        FieldTypeLabelDescription
        ListKeyAccessServerGrants

        true

        key_access_serverpolicy.KeyAccessServer

        namespace_grantsGrantedPolicyObjectrepeated

        attribute_grantsGrantedPolicyObjectrepeated

        value_grantsGrantedPolicyObjectrepeated

        + + - - -

        Methods with idempotency_level option

        - + +

        KeyAccessServersSort

        +

        + + +
        - - - - + - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + +
        Method NameOption
        FieldTypeLabelDescription
        ListKeyAccessServers

        NO_SIDE_EFFECTS

        GetKeyAccessServer

        NO_SIDE_EFFECTS

        ListKeyAccessServerGrants

        NO_SIDE_EFFECTS

        fieldSortKeyAccessServersType

        directionpolicy.SortDirection

        + + - -
        -

        policy/keymanagement/key_management.proto

        Top -
        -

        +

        KeyMapping

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        kidstring

        kas_uristring

        namespace_mappingsMappedPolicyObjectrepeated

        List of namespaces mapped to the key

        attribute_mappingsMappedPolicyObjectrepeated

        List of attribute definitions mapped to the key

        value_mappingsMappedPolicyObjectrepeated

        List of attribute values mapped to the key

        + + + -

        CreateProviderConfigRequest

        -

        Provider Configuration Requests and Response Messages

        +

        ListKeyAccessServerGrantsRequest

        +

        LIST of KAS Grants returns flat response of grants to all policy objects. It

        does not employ selectors for grants to specific policy objects or build the

        attribute tree relation. If grants to a known namespace, attribute, or value

        are needed, use the respective GET request to the specific policy object.

        @@ -11835,34 +12208,40 @@

        CreateProviderConfigRe

        - + - + - - + + - + - + - + - - + + - + @@ -11872,8 +12251,8 @@

        CreateProviderConfigRe -

        CreateProviderConfigResponse

        -

        +

        ListKeyAccessServerGrantsResponse

        +

        Deprecated

        namekas_id string

        Required -The name of the key provider. (e.g. "AWS KMS Instance 1", "Google Cloud KMS Instance 2")

        Optional +Filter LIST by ID of a registered Key Access Server. +If neither is provided, grants from all registered KASs to policy attribute +objects are returned.

        config_jsonbyteskas_uristring

        Required -JSON configuration for the key provider. This is unique to individual key providers.

        Optional +Filter LIST by URI of a registered Key Access Server. +If none is provided, grants from all registered KASs to policy attribute +objects are returned.

        managerkas_name string

        Required -The type of key manager (e.g. "aws", "gcp", "azure", "opentdf.io/basic")

        Optional +Filter LIST by name of a registered Key Access Server. +If none are provided, grants from all registered KASs to policy attribute +objects are returned.

        metadatacommon.MetadataMutablepaginationpolicy.PageRequest

        Common metadata

        Optional

        @@ -11883,8 +12262,15 @@

        CreateProviderConfigR

        - - + + + + + + + + + @@ -11893,11 +12279,32 @@

        CreateProviderConfigR

        provider_configpolicy.KeyProviderConfiggrantsKeyAccessServerGrantsrepeated

        Deprecated.

        paginationpolicy.PageResponse

        + + +

        Fields with deprecated option

        + + + + + + + + + + + + + + + +
        NameOption
        grants

        true

        + + -

        DeleteProviderConfigRequest

        -

        In order to delete a provider configuration you must first delete all keys associated with the provider.

        +

        ListKeyAccessServersRequest

        +

        @@ -11907,10 +12314,21 @@

        DeleteProviderConfigRe

        - - + + - + + + + + + + + @@ -11920,7 +12338,7 @@

        DeleteProviderConfigRe -

        DeleteProviderConfigResponse

        +

        ListKeyAccessServersResponse

        @@ -11931,8 +12349,15 @@

        DeleteProviderConfigR

        - - + + + + + + + + + @@ -11944,7 +12369,7 @@

        DeleteProviderConfigR -

        GetProviderConfigRequest

        +

        ListKeyMappingsRequest

        @@ -11958,21 +12383,21 @@

        GetProviderConfigRequest<

        - + - - + + - - + + - + @@ -11982,7 +12407,7 @@

        GetProviderConfigRequest< -

        GetProviderConfigResponse

        +

        ListKeyMappingsResponse

        @@ -11993,10 +12418,17 @@

        GetProviderConfigRespons

        - - + + + + + + + + + - + @@ -12006,8 +12438,8 @@

        GetProviderConfigRespons -

        ListProviderConfigsRequest

        -

        +

        ListKeysRequest

        +

        List all asymmetric keys managed by a specific Key Access Server or with a given algorithm

        idstringpaginationpolicy.PageRequest

        Required

        Optional

        sortKeyAccessServersSortrepeated

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        provider_configpolicy.KeyProviderConfigkey_access_serverspolicy.KeyAccessServerrepeated

        paginationpolicy.PageResponse

        id string

        The unique identifier of the key to retrieve

        namestringkeyKasKeyIdentifier

        managerstringpaginationpolicy.PageRequest

        Optional - filter by manager type when searching by name

        Pagination request for the list of keys

        provider_configpolicy.KeyProviderConfigkey_mappingsKeyMappingrepeated

        The list of key mappings

        paginationpolicy.PageResponse

        Pagination response for the list of keys

        @@ -12016,11 +12448,61 @@

        ListProviderConfigsRequ

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + @@ -12030,8 +12512,8 @@

        ListProviderConfigsRequ -

        ListProviderConfigsResponse

        -

        +

        ListKeysResponse

        +

        Response to a ListKeysRequest, containing the list of asymmetric keys and pagination information

        key_algorithmpolicy.Algorithm

        Filter keys by algorithm

        kas_idstring

        Filter keys by the KAS ID

        kas_namestring

        Filter keys by the KAS name

        kas_uristring

        Filter keys by the KAS URI

        legacybooloptional

        Optional + +Filter for legacy keys

        pagination policy.PageRequest

        Optional

        Optional + +Pagination request for the list of keys

        sortKasKeysSortrepeated

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        @@ -12041,17 +12523,17 @@

        ListProviderConfigsRes

        - - + + - + - + @@ -12061,7 +12543,7 @@

        ListProviderConfigsRes -

        UpdateProviderConfigRequest

        +

        ListPublicKeyMappingRequest

        @@ -12072,46 +12554,38 @@

        UpdateProviderConfigRe

        - - - - - - - - + - - + + - + - - + + - + - - + + - + @@ -12121,7 +12595,7 @@

        UpdateProviderConfigRe -

        UpdateProviderConfigResponse

        +

        ListPublicKeyMappingResponse

        @@ -12132,8 +12606,15 @@

        UpdateProviderConfigR

        - - + + + + + + + + + @@ -12145,70 +12626,8 @@

        UpdateProviderConfigR - - - - - - -

        KeyManagementService

        +

        ListPublicKeyMappingResponse.Association

        -
        provider_configspolicy.KeyProviderConfigkas_keyspolicy.KasKey repeated

        The list of kas keys

        pagination policy.PageResponse

        Pagination response for the list of keys

        idstring

        Required

        namekas_id string

        Optional

        config_jsonbyteskas_namestring

        Optional

        managerkas_uri string

        Optional

        metadatacommon.MetadataMutablepublic_key_idstring

        Optional -Common metadata

        Optional Public Key ID

        metadata_update_behaviorcommon.MetadataUpdateEnumpaginationpolicy.PageRequest

        Optional

        provider_configpolicy.KeyProviderConfigpublic_key_mappingsListPublicKeyMappingResponse.PublicKeyMappingrepeated

        paginationpolicy.PageResponse

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Method NameRequest TypeResponse TypeDescription
        CreateProviderConfigCreateProviderConfigRequestCreateProviderConfigResponse

        Key Management -Provider Management

        GetProviderConfigGetProviderConfigRequestGetProviderConfigResponse

        ListProviderConfigsListProviderConfigsRequestListProviderConfigsResponse

        UpdateProviderConfigUpdateProviderConfigRequestUpdateProviderConfigResponse

        DeleteProviderConfigDeleteProviderConfigRequestDeleteProviderConfigResponse

        - - - - -
        -

        policy/namespaces/namespaces.proto

        Top -
        -

        - - -

        AssignKeyAccessServerToNamespaceRequest

        -

        Deprecated: utilize AssignPublicKeyToNamespaceRequest

        @@ -12218,8 +12637,15 @@

        AssignKeyAcce

        - - + + + + + + + + + @@ -12231,7 +12657,7 @@

        AssignKeyAcce -

        AssignKeyAccessServerToNamespaceResponse

        +

        ListPublicKeyMappingResponse.PublicKey

        @@ -12242,33 +12668,30 @@

        AssignKeyAcc

        - - + + - -
        namespace_key_access_serverNamespaceKeyAccessServeridstring

        fqnstring

        namespace_key_access_serverNamespaceKeyAccessServerkeypolicy.Key

        - - - - - -

        AssignPublicKeyToNamespaceRequest

        -

        Assign Key to Namespace

        - - - - - - - + + + + + + + + + + + + + - - - + + + @@ -12279,7 +12702,7 @@

        AssignPublicKeyToNa -

        AssignPublicKeyToNamespaceResponse

        +

        ListPublicKeyMappingResponse.PublicKeyMapping

        @@ -12290,12 +12713,33 @@

        AssignPublicKeyToN

        - - + + + + + + + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        valuesListPublicKeyMappingResponse.Associationrepeated

        definitionsListPublicKeyMappingResponse.Associationrepeated

        namespace_keyNamespaceKeynamespacesListPublicKeyMappingResponse.Associationrepeated

        namespace_keyNamespaceKeykas_idstring

        kas_namestring

        kas_uristring

        public_keysListPublicKeyMappingResponse.PublicKeyrepeated

        @@ -12303,7 +12747,7 @@

        AssignPublicKeyToN -

        CreateNamespaceRequest

        +

        ListPublicKeysRequest

        @@ -12314,15 +12758,29 @@

        CreateNamespaceRequest

        - name + kas_id string -

        Required

        +

        Optional

        - metadata - common.MetadataMutable + kas_name + string + +

        Optional

        + + + + kas_uri + string + +

        Optional

        + + + + pagination + policy.PageRequest

        Optional

        @@ -12334,7 +12792,7 @@

        CreateNamespaceRequest

        -

        CreateNamespaceResponse

        +

        ListPublicKeysResponse

        @@ -12345,8 +12803,15 @@

        CreateNamespaceResponse

        - namespace - policy.Namespace + keys + policy.Key + repeated +

        + + + + pagination + policy.PageResponse

        @@ -12358,7 +12823,7 @@

        CreateNamespaceResponse

        -

        DeactivateNamespaceRequest

        +

        MappedPolicyObject

        @@ -12372,7 +12837,14 @@

        DeactivateNamespaceRequest id string -

        Required

        +

        The unique identifier of the policy object

        + + + + fqn + string + +

        The fully qualified name of the policy object

        @@ -12382,14 +12854,7 @@

        DeactivateNamespaceRequest -

        DeactivateNamespaceResponse

        -

        - - - - - -

        GetNamespaceRequest

        +

        RotateKeyRequest

        @@ -12403,53 +12868,32 @@

        GetNamespaceRequest

        id string -

        Deprecated. Deprecated

        +

        Current Active Key UUID

        - namespace_id - string + key + KasKeyIdentifier -

        option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field

        +

        Alternative way to specify the active key using KAS ID and Key ID

        - fqn - string + new_key + RotateKeyRequest.NewKey -

        +

        Information about the new key to be rotated in

        - - -

        Fields with deprecated option

        - - - - - - - - - - - - - - - -
        NameOption
        id

        true

        - - -

        GetNamespaceResponse

        -

        +

        RotateKeyRequest.NewKey

        +

        Nested message for specifying the new key details

        @@ -12459,53 +12903,54 @@

        GetNamespaceResponse

        - - + + - + - -
        namespacepolicy.Namespacekey_idstring

        Required

        - - - - - -

        ListNamespacesRequest

        -

        - - - - - - - + + + + + + - - + + - + - - + + - + - - - - + + + + + + + + + + + + + + + + + + @@ -12515,8 +12960,8 @@

        ListNamespacesRequest

        -

        ListNamespacesResponse

        -

        +

        RotateKeyResponse

        +

        Response message for the RotateKey request

        FieldTypeLabelDescription
        algorithmpolicy.Algorithm

        Required

        statecommon.ActiveStateEnumkey_modepolicy.KeyMode

        Optional -ACTIVE by default when not specified

        Required

        paginationpolicy.PageRequestpublic_key_ctxpolicy.PublicKeyCtx

        Optional

        Required

        sortNamespacesSortrepeated

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        private_key_ctxpolicy.PrivateKeyCtx

        Required

        provider_config_idstring

        Conditionally Required. + +Validation handled by message-level CEL

        metadatacommon.MetadataMutable

        Common metadata fields

        @@ -12526,17 +12971,17 @@

        ListNamespacesResponse

        - - - - + + + + - - + + - + @@ -12546,8 +12991,8 @@

        ListNamespacesResponse

        -

        NamespaceKey

        -

        +

        RotatedResources

        +

        All resources that were rotated as part of the key rotation process

        namespacespolicy.Namespacerepeated

        kas_keypolicy.KasKey

        The newly rotated Kas Key

        paginationpolicy.PageResponserotated_resourcesRotatedResources

        All resources that were rotated as part of the key rotation process

        @@ -12557,17 +13002,31 @@

        NamespaceKey

        - - + + - + - - - - + + + + + + + + + + + + + + + + + + @@ -12577,8 +13036,8 @@

        NamespaceKey

        -

        NamespaceKeyAccessServer

        -

        Deprecated

        +

        SetBaseKeyRequest

        +

        Sets the specified key as the base key for the Key Access Server

        Note: The key must be active.

        namespace_idstringrotated_out_keypolicy.KasKey

        Required

        The old key that was rotated out

        key_idstring

        Required (The id from the Asymmetric Key object)

        attribute_definition_mappingsChangeMappingsrepeated

        attribute_value_mappingsChangeMappingsrepeated

        namespace_mappingsChangeMappingsrepeated

        @@ -12588,17 +13047,17 @@

        NamespaceKeyAccessServer

        - + - + - - + + - + @@ -12608,7 +13067,7 @@

        NamespaceKeyAccessServer

        NamespacesSort +

        SetBaseKeyResponse

        @@ -12619,17 +13078,17 @@

        NamespacesSort

        - - + + - + - - + + - + @@ -12639,8 +13098,8 @@

        NamespacesSort

        -

        RemoveKeyAccessServerFromNamespaceRequest

        -

        Deprecated: utilize RemovePublicKeyFromNamespaceRequest

        +

        UpdateKeyAccessServerRequest

        +

        namespace_idid string

        Required

        Current Key UUID tp be set as default

        key_access_server_idstringkeyKasKeyIdentifier

        Required

        Alternative way to specify the key using KAS ID and Key ID

        fieldSortNamespacesTypenew_base_keypolicy.SimpleKasKey

        The key that was set as base

        directionpolicy.SortDirectionprevious_base_keypolicy.SimpleKasKey

        The previous base key, if any

        @@ -12650,8 +13109,56 @@

        RemoveKeyAc

        - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -12663,7 +13170,7 @@

        RemoveKeyAc -

        RemoveKeyAccessServerFromNamespaceResponse

        +

        UpdateKeyAccessServerResponse

        @@ -12674,8 +13181,8 @@

        RemoveKeyA

        - - + + @@ -12687,8 +13194,8 @@

        RemoveKeyA -

        RemovePublicKeyFromNamespaceRequest

        -

        +

        UpdateKeyRequest

        +

        Update an existing asymmetric key in the Key Management System

        namespace_key_access_serverNamespaceKeyAccessServeridstring

        Required

        uristring

        Optional

        public_keypolicy.PublicKey

        Deprecated +Optional

        source_typepolicy.SourceType

        Optional +Using UNSPECIFIED will result in a successful update, +but will not actually update the underlying source. +You should not update KAS's from INTERNAL/EXTERNAL +to unspecified.

        namestring

        Optional

        metadatacommon.MetadataMutable

        Optional +Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnum

        namespace_key_access_serverNamespaceKeyAccessServerkey_access_serverpolicy.KeyAccessServer

        @@ -12698,10 +13205,29 @@

        RemovePublicKeyFr

        - - + + - + + + + + + + + + + + + + + + @@ -12711,8 +13237,8 @@

        RemovePublicKeyFr -

        RemovePublicKeyFromNamespaceResponse

        -

        +

        UpdateKeyResponse

        +

        Response to an UpdateKeyRequest, containing the updated asymmetric key

        namespace_keyNamespaceKeyidstring

        Required + +The unique identifier of the key to update

        metadatacommon.MetadataMutable

        Optional +Common metadata + +Mutable metadata for the key

        metadata_update_behaviorcommon.MetadataUpdateEnum

        The behavior for updating the metadata

        @@ -12722,10 +13248,10 @@

        RemovePublicKeyF

        - - + + - + @@ -12735,7 +13261,7 @@

        RemovePublicKeyF -

        UpdateNamespaceRequest

        +

        UpdatePublicKeyRequest

        @@ -12756,7 +13282,8 @@

        UpdateNamespaceRequest

        - + @@ -12773,7 +13300,7 @@

        UpdateNamespaceRequest

        -

        UpdateNamespaceResponse

        +

        UpdatePublicKeyResponse

        @@ -12784,8 +13311,8 @@

        UpdateNamespaceResponse

        - - + + @@ -12799,7 +13326,7 @@

        UpdateNamespaceResponse

        -

        SortNamespacesType

        +

        SortKasKeysType

        namespace_keyNamespaceKeykas_keypolicy.KasKey

        The updated kas key

        metadata common.MetadataMutable

        Optional

        Optional +Common metadata

        namespacepolicy.Namespacekeypolicy.Key

        @@ -12808,31 +13335,66 @@

        SortNamespacesType

        - + - + - + - + + +
        SORT_NAMESPACES_TYPE_UNSPECIFIEDSORT_KAS_KEYS_TYPE_UNSPECIFIED 0

        SORT_NAMESPACES_TYPE_NAMESORT_KAS_KEYS_TYPE_KEY_ID 1

        SORT_NAMESPACES_TYPE_FQNSORT_KAS_KEYS_TYPE_CREATED_AT 2

        SORT_NAMESPACES_TYPE_CREATED_ATSORT_KAS_KEYS_TYPE_UPDATED_AT 3

        + +

        SortKeyAccessServersType

        +

        + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + @@ -12844,7 +13406,7 @@

        SortNamespacesType

        -

        NamespaceService

        +

        KeyAccessServerRegistryService

        NameNumberDescription
        SORT_NAMESPACES_TYPE_UPDATED_ATSORT_KEY_ACCESS_SERVERS_TYPE_UNSPECIFIED0

        SORT_KEY_ACCESS_SERVERS_TYPE_NAME1

        SORT_KEY_ACCESS_SERVERS_TYPE_URI2

        SORT_KEY_ACCESS_SERVERS_TYPE_CREATED_AT3

        SORT_KEY_ACCESS_SERVERS_TYPE_UPDATED_AT 4

        @@ -12853,68 +13415,102 @@

        NamespaceService

        - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - + + + + - - - - + + + + - - - - + + + + @@ -12934,12 +13530,7 @@

        Methods with deprecated option

        - - - - - - + @@ -12960,12 +13551,17 @@

        Methods with idempotency_level option

        - + - + + + + + + @@ -12974,224 +13570,15 @@

        Methods with idempotency_level option

        - -
        -

        policy/obligations/obligations.proto

        Top -
        -

        - - -

        AddObligationTriggerRequest

        -

        Obligation Triggers are owned by the namespace that owns the action and attribute value, which must

        be the same. In this way, a trigger can intentionally cross namespace boundaries: associating

        obligation values of a different namespace than the one that owns the action being taken or the attribute value.

        - - -
        GetNamespaceGetNamespaceRequestGetNamespaceResponseListKeyAccessServersListKeyAccessServersRequestListKeyAccessServersResponse

        ListNamespacesListNamespacesRequestListNamespacesResponseGetKeyAccessServerGetKeyAccessServerRequestGetKeyAccessServerResponse

        CreateNamespaceCreateNamespaceRequestCreateNamespaceResponseCreateKeyAccessServerCreateKeyAccessServerRequestCreateKeyAccessServerResponse

        UpdateNamespaceUpdateNamespaceRequestUpdateNamespaceResponseUpdateKeyAccessServerUpdateKeyAccessServerRequestUpdateKeyAccessServerResponse

        DeactivateNamespaceDeactivateNamespaceRequestDeactivateNamespaceResponseDeleteKeyAccessServerDeleteKeyAccessServerRequestDeleteKeyAccessServerResponse

        AssignKeyAccessServerToNamespaceAssignKeyAccessServerToNamespaceRequestAssignKeyAccessServerToNamespaceResponse

        Deprecated: utilize AssignPublicKeyToNamespace

        ListKeyAccessServerGrantsListKeyAccessServerGrantsRequestListKeyAccessServerGrantsResponse

        Deprecated

        CreateKeyCreateKeyRequestCreateKeyResponse

        KAS Key Management +Request to create a new key in the Key Access Service.

        GetKeyGetKeyRequestGetKeyResponse

        Request to retrieve a key from the Key Access Service.

        ListKeysListKeysRequestListKeysResponse

        Request to list keys in the Key Access Service.

        UpdateKeyUpdateKeyRequestUpdateKeyResponse

        Request to update a key in the Key Access Service.

        RotateKeyRotateKeyRequestRotateKeyResponse

        Request to rotate a key in the Key Access Service.

        RemoveKeyAccessServerFromNamespaceRemoveKeyAccessServerFromNamespaceRequestRemoveKeyAccessServerFromNamespaceResponse

        Deprecated: utilize RemovePublicKeyFromNamespace

        SetBaseKeySetBaseKeyRequestSetBaseKeyResponse

        Request to set the default a default kas key.

        AssignPublicKeyToNamespaceAssignPublicKeyToNamespaceRequestAssignPublicKeyToNamespaceResponse

        --------------------------------------* -Namespace <> Key RPCs ----------------------------------------

        GetBaseKeyGetBaseKeyRequestGetBaseKeyResponse

        Get Default kas keys

        RemovePublicKeyFromNamespaceRemovePublicKeyFromNamespaceRequestRemovePublicKeyFromNamespaceResponse

        ListKeyMappingsListKeyMappingsRequestListKeyMappingsResponse

        Request to list key mappings in the Key Access Service.

        AssignKeyAccessServerToNamespace

        true

        RemoveKeyAccessServerFromNamespaceListKeyAccessServerGrants

        true

        GetNamespaceListKeyAccessServers

        NO_SIDE_EFFECTS

        ListNamespacesGetKeyAccessServer

        NO_SIDE_EFFECTS

        ListKeyAccessServerGrants

        NO_SIDE_EFFECTS

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        obligation_valuecommon.IdFqnIdentifier

        Required

        actioncommon.IdNameIdentifier

        Required

        attribute_valuecommon.IdFqnIdentifier

        Required

        contextpolicy.RequestContext

        Optional -The request context for this obligation value policy decisioning.

        metadatacommon.MetadataMutable

        Optional -Common metadata

        - - - - - -

        AddObligationTriggerResponse

        -

        - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        triggerpolicy.ObligationTrigger

        - - - - - -

        CreateObligationRequest

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        namespace_idstring

        namespace_fqnstring

        namestring

        valuesstringrepeated

        Optional

        metadatacommon.MetadataMutable

        Optional -Common metadata

        - - - - - -

        CreateObligationResponse

        -

        - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        obligationpolicy.Obligation

        - - - - - -

        CreateObligationValueRequest

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        obligation_idstring

        obligation_fqnstring

        valuestring

        triggersValueTriggerRequestrepeated

        Optional -Combination of action and attribute_value that will trigger this obligation value policy decisioning.

        metadatacommon.MetadataMutable

        Optional -Common metadata

        - - + +
        +

        policy/keymanagement/key_management.proto

        Top +
        +

        - -

        CreateObligationValueResponse

        -

        +

        CreateProviderConfigRequest

        +

        Provider Configuration Requests and Response Messages

        @@ -13201,41 +13588,34 @@

        CreateObligationValueR

        - - + + - + - -
        valuepolicy.ObligationValuenamestring

        Required +The name of the key provider. (e.g. "AWS KMS Instance 1", "Google Cloud KMS Instance 2")

        - - - - - -

        DeleteObligationRequest

        -

        - - - - - - - + + + + + + - + - + - - + + - + @@ -13245,7 +13625,7 @@

        DeleteObligationRequest

        -

        DeleteObligationResponse

        +

        CreateProviderConfigResponse

        @@ -13256,8 +13636,8 @@

        DeleteObligationResponse

        - - + + @@ -13269,8 +13649,8 @@

        DeleteObligationResponseDeleteObligationValueRequest

        -

        +

        DeleteProviderConfigRequest

        +

        In order to delete a provider configuration you must first delete all keys associated with the provider.

        FieldTypeLabelDescription
        config_jsonbytes

        Required +JSON configuration for the key provider. This is unique to individual key providers.

        idmanager string

        Required +The type of key manager (e.g. "aws", "gcp", "azure", "opentdf.io/basic")

        fqnstringmetadatacommon.MetadataMutable

        Common metadata

        obligationpolicy.Obligationprovider_configpolicy.KeyProviderConfig

        @@ -13283,14 +13663,7 @@

        DeleteObligationValueRe

        - - - - - - - - + @@ -13300,7 +13673,7 @@

        DeleteObligationValueRe -

        DeleteObligationValueResponse

        +

        DeleteProviderConfigResponse

        @@ -13311,8 +13684,8 @@

        DeleteObligationValueR

        - - + + @@ -13324,7 +13697,7 @@

        DeleteObligationValueR -

        GetObligationRequest

        +

        GetProviderConfigRequest

        @@ -13342,12 +13715,19 @@

        GetObligationRequest

        - + + + + + + + +
        id string

        fqnstring

        Required

        valuepolicy.ObligationValueprovider_configpolicy.KeyProviderConfig

        fqnname string

        managerstring

        Optional - filter by manager type when searching by name

        @@ -13355,7 +13735,7 @@

        GetObligationRequest

        -

        GetObligationResponse

        +

        GetProviderConfigResponse

        @@ -13366,8 +13746,8 @@

        GetObligationResponse

        - obligation - policy.Obligation + provider_config + policy.KeyProviderConfig

        @@ -13379,8 +13759,8 @@

        GetObligationResponse

        -

        GetObligationTriggerRequest

        -

        Triggers

        +

        ListProviderConfigsRequest

        +

        @@ -13390,10 +13770,10 @@

        GetObligationTriggerRequ

        - - + + - + @@ -13403,7 +13783,7 @@

        GetObligationTriggerRequ -

        GetObligationTriggerResponse

        +

        ListProviderConfigsResponse

        @@ -13414,8 +13794,15 @@

        GetObligationTriggerRes

        - - + + + + + + + + + @@ -13427,8 +13814,8 @@

        GetObligationTriggerRes -

        GetObligationValueRequest

        -

        Values

        +

        UpdateProviderConfigRequest

        +

        idstringpaginationpolicy.PageRequest

        Required

        Optional

        triggerpolicy.ObligationTriggerprovider_configspolicy.KeyProviderConfigrepeated

        paginationpolicy.PageResponse

        @@ -13441,13 +13828,42 @@

        GetObligationValueRequest<

        - + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -13458,7 +13874,7 @@

        GetObligationValueRequest< -

        GetObligationValueResponse

        +

        UpdateProviderConfigResponse

        @@ -13469,8 +13885,8 @@

        GetObligationValueRespons

        - - + + @@ -13482,8 +13898,70 @@

        GetObligationValueRespons -

        GetObligationValuesByFQNsRequest

        + + + + + + +

        KeyManagementService

        +
        id string

        Required

        fqnnamestring

        Optional

        config_jsonbytes

        Optional

        manager string

        Optional

        metadatacommon.MetadataMutable

        Optional +Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnum

        valuepolicy.ObligationValueprovider_configpolicy.KeyProviderConfig

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameRequest TypeResponse TypeDescription
        CreateProviderConfigCreateProviderConfigRequestCreateProviderConfigResponse

        Key Management +Provider Management

        GetProviderConfigGetProviderConfigRequestGetProviderConfigResponse

        ListProviderConfigsListProviderConfigsRequestListProviderConfigsResponse

        UpdateProviderConfigUpdateProviderConfigRequestUpdateProviderConfigResponse

        DeleteProviderConfigDeleteProviderConfigRequestDeleteProviderConfigResponse

        + + + + +
        +

        policy/namespaces/namespaces.proto

        Top +
        +

        + + +

        AssignKeyAccessServerToNamespaceRequest

        +

        Deprecated: utilize AssignPublicKeyToNamespaceRequest

        @@ -13493,9 +13971,9 @@

        GetObligationValues

        - - - + + + @@ -13506,7 +13984,7 @@

        GetObligationValues -

        GetObligationValuesByFQNsResponse

        +

        AssignKeyAccessServerToNamespaceResponse

        @@ -13517,9 +13995,9 @@

        GetObligationValue

        - - - + + + @@ -13530,8 +14008,8 @@

        GetObligationValue -

        GetObligationValuesByFQNsResponse.FqnValueMapEntry

        -

        +

        AssignPublicKeyToNamespaceRequest

        +

        Assign Key to Namespace

        fqnsstringrepeatednamespace_key_access_serverNamespaceKeyAccessServer

        fqn_value_mapGetObligationValuesByFQNsResponse.FqnValueMapEntryrepeatednamespace_key_access_serverNamespaceKeyAccessServer

        @@ -13541,15 +14019,32 @@

        G

        - - + + + +
        keystringnamespace_keyNamespaceKey

        + + + + + +

        AssignPublicKeyToNamespaceResponse

        +

        + + + + + + + + - - + + @@ -13561,7 +14056,7 @@

        G -

        GetObligationsByFQNsRequest

        +

        CreateNamespaceRequest

        @@ -13572,10 +14067,17 @@

        GetObligationsByFQNsRequ

        - + - - + + + + + + + + + @@ -13585,7 +14087,7 @@

        GetObligationsByFQNsRequ -

        GetObligationsByFQNsResponse

        +

        CreateNamespaceResponse

        @@ -13596,9 +14098,9 @@

        GetObligationsByFQNsRes

        - - - + + + @@ -13609,7 +14111,7 @@

        GetObligationsByFQNsRes -

        GetObligationsByFQNsResponse.FqnObligationMapEntry

        +

        DeactivateNamespaceRequest

        @@ -13620,17 +14122,10 @@

        G

        - + - - - - - - - - + @@ -13640,7 +14135,14 @@

        G -

        ListObligationTriggersRequest

        +

        DeactivateNamespaceResponse

        +

        + + + + + +

        GetNamespaceRequest

        @@ -13651,34 +14153,55 @@

        ListObligationTriggers

        - + - + - + - + - - + + - +
        FieldTypeLabelDescription
        valuepolicy.ObligationValuenamespace_keyNamespaceKey

        fqnsname stringrepeated

        Required

        metadatacommon.MetadataMutable

        Optional

        fqn_obligation_mapGetObligationsByFQNsResponse.FqnObligationMapEntryrepeatednamespacepolicy.Namespace

        keyid string

        valuepolicy.Obligation

        Required

        namespace_idid string

        Deprecated. Deprecated

        namespace_fqnnamespace_id string

        option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field

        paginationpolicy.PageRequestfqnstring

        Optional

        + + +

        Fields with deprecated option

        + + + + + + + + + + + + + + + +
        NameOption
        id

        true

        + + -

        ListObligationTriggersResponse

        +

        GetNamespaceResponse

        @@ -13689,15 +14212,8 @@

        ListObligationTrigger - triggers - policy.ObligationTrigger - repeated -

        - - - - pagination - policy.PageResponse + namespace + policy.Namespace

        @@ -13709,7 +14225,7 @@

        ListObligationTrigger -

        ListObligationsRequest

        +

        ListNamespacesRequest

        @@ -13720,17 +14236,11 @@

        ListObligationsRequest

        - namespace_id - string - -

        - - - - namespace_fqn - string + state + common.ActiveStateEnum -

        +

        Optional +ACTIVE by default when not specified

        @@ -13742,7 +14252,7 @@

        ListObligationsRequest

        sort - ObligationsSort + NamespacesSort repeated

        Optional - CONSTRAINT: max 1 item Sort defaults: @@ -13758,7 +14268,7 @@

        ListObligationsRequest

        -

        ListObligationsResponse

        +

        ListNamespacesResponse

        @@ -13769,8 +14279,8 @@

        ListObligationsResponse

        - obligations - policy.Obligation + namespaces + policy.Namespace repeated

        @@ -13789,7 +14299,7 @@

        ListObligationsResponse

        -

        ObligationsSort

        +

        NamespaceKey

        @@ -13800,17 +14310,17 @@

        ObligationsSort

        - field - SortObligationsType + namespace_id + string -

        +

        Required

        - direction - policy.SortDirection + key_id + string -

        +

        Required (The id from the Asymmetric Key object)

        @@ -13820,8 +14330,8 @@

        ObligationsSort

        -

        RemoveObligationTriggerRequest

        -

        +

        NamespaceKeyAccessServer

        +

        Deprecated

        @@ -13831,7 +14341,14 @@

        RemoveObligationTrigg

        - + + + + + + + + @@ -13844,7 +14361,7 @@

        RemoveObligationTrigg -

        RemoveObligationTriggerResponse

        +

        NamespacesSort

        @@ -13855,8 +14372,15 @@

        RemoveObligationTrig

        - - + + + + + + + + + @@ -13868,8 +14392,8 @@

        RemoveObligationTrig -

        UpdateObligationRequest

        -

        +

        RemoveKeyAccessServerFromNamespaceRequest

        +

        Deprecated: utilize RemovePublicKeyFromNamespaceRequest

        idnamespace_idstring

        Required

        key_access_server_id string

        Required

        triggerpolicy.ObligationTriggerfieldSortNamespacesType

        directionpolicy.SortDirection

        @@ -13879,29 +14403,8 @@

        UpdateObligationRequest

        - - - - - - - - - - - - - - - - - - - - - - - + + @@ -13913,7 +14416,7 @@

        UpdateObligationRequest

        -

        UpdateObligationResponse

        +

        RemoveKeyAccessServerFromNamespaceResponse

        @@ -13924,8 +14427,8 @@

        UpdateObligationResponse

        - - + + @@ -13937,7 +14440,7 @@

        UpdateObligationResponseUpdateObligationValueRequest

        +

        RemovePublicKeyFromNamespaceRequest

        @@ -13948,38 +14451,32 @@

        UpdateObligationValueRe

        - - - - - - - - - + + - - - - - - - - + - - - - - - + +
        idstring

        Required

        namestring

        Optional

        metadatacommon.MetadataMutable

        metadata_update_behaviorcommon.MetadataUpdateEnumnamespace_key_access_serverNamespaceKeyAccessServer

        obligationpolicy.Obligationnamespace_key_access_serverNamespaceKeyAccessServer

        idstring

        Required

        valuestringnamespace_keyNamespaceKey

        Optional

        triggersValueTriggerRequestrepeated

        Optional -Obligation Triggers provided here will replace all existing records in the database.

        metadatacommon.MetadataMutable

        Optional -Common metadata

        + + + + + +

        RemovePublicKeyFromNamespaceResponse

        +

        + + + + + + + - - + + @@ -13991,7 +14488,7 @@

        UpdateObligationValueRe -

        UpdateObligationValueResponse

        +

        UpdateNamespaceRequest

        @@ -14002,8 +14499,22 @@

        UpdateObligationValueR

        - - + + + + + + + + + + + + + + + + @@ -14015,7 +14526,7 @@

        UpdateObligationValueR -

        ValueTriggerRequest

        +

        UpdateNamespaceResponse

        @@ -14026,24 +14537,10 @@

        ValueTriggerRequest

        - - - - - - - - - - - - - - - - + + - + @@ -14055,7 +14552,7 @@

        ValueTriggerRequest

        -

        SortObligationsType

        +

        SortNamespacesType

        FieldTypeLabelDescription
        metadata_update_behaviorcommon.MetadataUpdateEnumnamespace_keyNamespaceKey

        valuepolicy.ObligationValueidstring

        Required

        metadatacommon.MetadataMutable

        Optional

        metadata_update_behaviorcommon.MetadataUpdateEnum

        actioncommon.IdNameIdentifier

        Required. The ID of the action that will trigger this obligation value policy decisioning.

        attribute_valuecommon.IdFqnIdentifier

        Required. The attribute value ID that will trigger this obligation value policy decisioning.

        contextpolicy.RequestContextnamespacepolicy.Namespace

        Optional. The request context for this obligation value policy decisioning.

        @@ -14064,31 +14561,31 @@

        SortObligationsType

        - + - + - + - + - + @@ -14100,8 +14597,8 @@

        SortObligationsType

        -

        Service

        -

        Obligation Service

        /

        +

        NamespaceService

        +

        SORT_OBLIGATIONS_TYPE_UNSPECIFIEDSORT_NAMESPACES_TYPE_UNSPECIFIED 0

        SORT_OBLIGATIONS_TYPE_NAMESORT_NAMESPACES_TYPE_NAME 1

        SORT_OBLIGATIONS_TYPE_FQNSORT_NAMESPACES_TYPE_FQN 2

        SORT_OBLIGATIONS_TYPE_CREATED_ATSORT_NAMESPACES_TYPE_CREATED_AT 3

        SORT_OBLIGATIONS_TYPE_UPDATED_ATSORT_NAMESPACES_TYPE_UPDATED_AT 4

        @@ -14109,107 +14606,67 @@

        Service

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - + + + @@ -14219,7 +14676,7 @@

        Service

        -

        Methods with idempotency_level option

        +

        Methods with deprecated option

        Method NameRequest TypeResponse TypeDescription
        ListObligationsListObligationsRequestListObligationsResponse

        GetObligationGetObligationRequestGetObligationResponse

        GetObligationsByFQNsGetObligationsByFQNsRequestGetObligationsByFQNsResponse

        CreateObligationCreateObligationRequestCreateObligationResponse

        UpdateObligationUpdateObligationRequestUpdateObligationResponse

        DeleteObligationDeleteObligationRequestDeleteObligationResponse

        GetObligationValueGetObligationValueRequestGetObligationValueResponseGetNamespaceGetNamespaceRequestGetNamespaceResponse

        GetObligationValuesByFQNsGetObligationValuesByFQNsRequestGetObligationValuesByFQNsResponseListNamespacesListNamespacesRequestListNamespacesResponse

        CreateObligationValueCreateObligationValueRequestCreateObligationValueResponseCreateNamespaceCreateNamespaceRequestCreateNamespaceResponse

        UpdateObligationValueUpdateObligationValueRequestUpdateObligationValueResponseUpdateNamespaceUpdateNamespaceRequestUpdateNamespaceResponse

        DeleteObligationValueDeleteObligationValueRequestDeleteObligationValueResponseDeactivateNamespaceDeactivateNamespaceRequestDeactivateNamespaceResponse

        GetObligationTriggerGetObligationTriggerRequestGetObligationTriggerResponse

        AssignKeyAccessServerToNamespaceAssignKeyAccessServerToNamespaceRequestAssignKeyAccessServerToNamespaceResponse

        Deprecated: utilize AssignPublicKeyToNamespace

        AddObligationTriggerAddObligationTriggerRequestAddObligationTriggerResponse

        RemoveKeyAccessServerFromNamespaceRemoveKeyAccessServerFromNamespaceRequestRemoveKeyAccessServerFromNamespaceResponse

        Deprecated: utilize RemovePublicKeyFromNamespace

        RemoveObligationTriggerRemoveObligationTriggerRequestRemoveObligationTriggerResponse

        AssignPublicKeyToNamespaceAssignPublicKeyToNamespaceRequestAssignPublicKeyToNamespaceResponse

        --------------------------------------* +Namespace <> Key RPCs +---------------------------------------

        ListObligationTriggersListObligationTriggersRequestListObligationTriggersResponseRemovePublicKeyFromNamespaceRemovePublicKeyFromNamespaceRequestRemovePublicKeyFromNamespaceResponse

        @@ -14230,37 +14687,38 @@

        Methods with idempotency_level option

        - - - - - - - - - - - - + + - - + + + +
        ListObligations

        NO_SIDE_EFFECTS

        GetObligation

        NO_SIDE_EFFECTS

        GetObligationsByFQNs

        NO_SIDE_EFFECTS

        AssignKeyAccessServerToNamespace

        true

        GetObligationValue

        NO_SIDE_EFFECTS

        RemoveKeyAccessServerFromNamespace

        true

        + + + + +

        Methods with idempotency_level option

        + + - - + + + + - + - + @@ -14271,13 +14729,13 @@

        Methods with idempotency_level option

        -

        policy/registeredresources/registered_resources.proto

        Top +

        policy/obligations/obligations.proto

        Top

        -

        ActionAttributeValue

        -

        +

        AddObligationTriggerRequest

        +

        Obligation Triggers are owned by the namespace that owns the action and attribute value, which must

        be the same. In this way, a trigger can intentionally cross namespace boundaries: associating

        obligation values of a different namespace than the one that owns the action being taken or the attribute value.

        GetObligationValuesByFQNs

        NO_SIDE_EFFECTS

        Method NameOption
        GetObligationTriggerGetNamespace

        NO_SIDE_EFFECTS

        ListObligationTriggersListNamespaces

        NO_SIDE_EFFECTS

        @@ -14287,29 +14745,62 @@

        ActionAttributeValue

        - - + + - + - - + + - + - - + + - + - - + + + + + + + + + + + + + + +
        action_idstringobligation_valuecommon.IdFqnIdentifier

        Required

        action_namestringactioncommon.IdNameIdentifier

        Required

        attribute_value_idstringattribute_valuecommon.IdFqnIdentifier

        Required

        attribute_value_fqnstringcontextpolicy.RequestContext

        Optional +The request context for this obligation value policy decisioning.

        metadatacommon.MetadataMutable

        Optional +Common metadata

        + + + + + +

        AddObligationTriggerResponse

        +

        + + + + + + + + + + + @@ -14321,7 +14812,7 @@

        ActionAttributeValueCreateRegisteredResourceRequest

        +

        CreateObligationRequest

        @@ -14332,33 +14823,31 @@

        CreateRegist

        - + - + - + - - + + - + - + - - + + @@ -14376,7 +14865,7 @@

        CreateRegist -

        CreateRegisteredResourceResponse

        +

        CreateObligationResponse

        @@ -14387,8 +14876,8 @@

        CreateRegis

        - - + + @@ -14400,7 +14889,7 @@

        CreateRegis -

        CreateRegisteredResourceValueRequest

        +

        CreateObligationValueRequest

        @@ -14411,26 +14900,32 @@

        CreateR

        - + - + + + + + + + + - + - - + + +Combination of action and attribute_value that will trigger this obligation value policy decisioning.

        @@ -14448,7 +14943,7 @@

        CreateR -

        CreateRegisteredResourceValueResponse

        +

        CreateObligationValueResponse

        @@ -14460,7 +14955,7 @@

        Create

        - + @@ -14472,7 +14967,7 @@

        Create -

        DeleteRegisteredResourceRequest

        +

        DeleteObligationRequest

        @@ -14486,7 +14981,14 @@

        DeleteRegist

        - + + + + + + + + @@ -14496,7 +14998,7 @@

        DeleteRegist -

        DeleteRegisteredResourceResponse

        +

        DeleteObligationResponse

        @@ -14507,8 +15009,8 @@

        DeleteRegis

        - - + + @@ -14520,7 +15022,7 @@

        DeleteRegis -

        DeleteRegisteredResourceValueRequest

        +

        DeleteObligationValueRequest

        @@ -14534,7 +15036,14 @@

        DeleteR

        - + + + + + + + + @@ -14544,7 +15053,7 @@

        DeleteR -

        DeleteRegisteredResourceValueResponse

        +

        DeleteObligationValueResponse

        @@ -14556,7 +15065,7 @@

        Delete

        - + @@ -14568,7 +15077,7 @@

        Delete -

        GetRegisteredResourceRequest

        +

        GetObligationRequest

        @@ -14586,24 +15095,58 @@

        GetRegisteredRe

        - + + +
        FieldTypeLabelDescription
        triggerpolicy.ObligationTrigger

        namenamespace_id string

        Required

        valuesnamespace_fqn stringrepeated

        Optional -Registered Resource Values (when provided) must be alphanumeric strings, allowing hyphens and underscores but not as the first or last character. -The stored value will be normalized to lower case.

        namespace_idname string

        namespace_fqnvalues string

        repeated

        Optional

        resourcepolicy.RegisteredResourceobligationpolicy.Obligation

        resource_idobligation_id string

        Required

        obligation_fqnstring

        value string

        Required

        action_attribute_valuesActionAttributeValuetriggersValueTriggerRequest repeated

        Optional -The associated Action <> AttributeValue combinations to be utilized in authorization/entitlement decisioning -(i.e. action read -> attribute value https://example.com/attr/department/value/marketing)

        valuepolicy.RegisteredResourceValuepolicy.ObligationValue

        id string

        Required

        fqnstring

        resourcepolicy.RegisteredResourceobligationpolicy.Obligation

        id string

        Required

        fqnstring

        valuepolicy.RegisteredResourceValuepolicy.ObligationValue

        namefqn string

        + + + + + +

        GetObligationResponse

        +

        + + + + + + + + - - + + + +
        FieldTypeLabelDescription
        namespace_fqnstringobligationpolicy.Obligation

        + + + + + +

        GetObligationTriggerRequest

        +

        Triggers

        + + + + + + + + - + - + @@ -14613,7 +15156,7 @@

        GetRegisteredRe -

        GetRegisteredResourceResponse

        +

        GetObligationTriggerResponse

        @@ -14624,8 +15167,8 @@

        GetRegisteredR

        - - + + @@ -14637,8 +15180,8 @@

        GetRegisteredR -

        GetRegisteredResourceValueRequest

        -

        +

        GetObligationValueRequest

        +

        Values

        FieldTypeLabelDescription
        namespace_idid string

        Required

        resourcepolicy.RegisteredResourcetriggerpolicy.ObligationTrigger

        @@ -14668,7 +15211,7 @@

        GetRegiste -

        GetRegisteredResourceValueResponse

        +

        GetObligationValueResponse

        @@ -14680,7 +15223,7 @@

        GetRegist

        - + @@ -14692,7 +15235,7 @@

        GetRegist -

        GetRegisteredResourceValuesByFQNsRequest

        +

        GetObligationValuesByFQNsRequest

        @@ -14706,7 +15249,7 @@

        Get

        - + @@ -14716,7 +15259,7 @@

        Get -

        GetRegisteredResourceValuesByFQNsResponse

        +

        GetObligationValuesByFQNsResponse

        @@ -14728,7 +15271,7 @@

        Ge

        - + @@ -14740,7 +15283,7 @@

        Ge -

        GetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntry

        +

        GetObligationValuesByFQNsResponse.FqnValueMapEntry

        @@ -14759,7 +15302,7 @@

        policy.RegisteredResourceValue +

        @@ -14771,7 +15314,7 @@

        ListRegisteredResourceValuesRequest

        +

        GetObligationsByFQNsRequest

        @@ -14782,10 +15325,96 @@

        ListRegi

        - + + + + + + + +
        valuepolicy.RegisteredResourceValuepolicy.ObligationValue

        fqns string repeated

        Required

        fqn_value_mapGetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntryGetObligationValuesByFQNsResponse.FqnValueMapEntry repeated

        policy.ObligationValue

        resource_idfqnsstringrepeated

        + + + + + +

        GetObligationsByFQNsResponse

        +

        + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        fqn_obligation_mapGetObligationsByFQNsResponse.FqnObligationMapEntryrepeated

        + + + + + +

        GetObligationsByFQNsResponse.FqnObligationMapEntry

        +

        + + + + + + + + + + - + + + + + + + + + + + +
        FieldTypeLabelDescription
        key string

        Optional

        valuepolicy.Obligation

        + + + + + +

        ListObligationTriggersRequest

        +

        + + + + + + + + + + + + + + + + + + + + @@ -14802,7 +15431,7 @@

        ListRegi -

        ListRegisteredResourceValuesResponse

        +

        ListObligationTriggersResponse

        @@ -14813,8 +15442,8 @@

        ListReg

        - - + + @@ -14833,7 +15462,7 @@

        ListReg -

        ListRegisteredResourcesRequest

        +

        ListObligationsRequest

        @@ -14866,7 +15495,7 @@

        ListRegistere

        - + - - + + @@ -14913,7 +15542,7 @@

        ListRegister -

        RegisteredResourcesSort

        +

        ObligationsSort

        @@ -14925,7 +15554,7 @@

        RegisteredResourcesS

        - + @@ -14944,7 +15573,55 @@

        RegisteredResourcesS -

        UpdateRegisteredResourceRequest

        +

        RemoveObligationTriggerRequest

        +

        + + +
        FieldTypeLabelDescription
        namespace_idstring

        namespace_fqnstring

        valuespolicy.RegisteredResourceValuetriggerspolicy.ObligationTrigger repeated

        sortRegisteredResourcesSortObligationsSort repeated

        Optional - CONSTRAINT: max 1 item Sort defaults: @@ -14882,7 +15511,7 @@

        ListRegistere -

        ListRegisteredResourcesResponse

        +

        ListObligationsResponse

        @@ -14893,8 +15522,8 @@

        ListRegister

        resourcespolicy.RegisteredResourceobligationspolicy.Obligation repeated

        fieldSortRegisteredResourcesTypeSortObligationsType

        + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        idstring

        Required

        + + + + + +

        RemoveObligationTriggerResponse

        +

        + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        triggerpolicy.ObligationTrigger

        + + + + + +

        UpdateObligationRequest

        @@ -14972,8 +15649,7 @@

        UpdateRegist metadata common.MetadataMutable -

        Optional -Common metadata

        +

        @@ -14990,7 +15666,7 @@

        UpdateRegist -

        UpdateRegisteredResourceResponse

        +

        UpdateObligationResponse

        @@ -15001,8 +15677,8 @@

        UpdateRegis - resource - policy.RegisteredResource + obligation + policy.Obligation

        @@ -15014,7 +15690,7 @@

        UpdateRegis -

        UpdateRegisteredResourceValueRequest

        +

        UpdateObligationValueRequest

        @@ -15039,11 +15715,11 @@

        UpdateR - action_attribute_values - ActionAttributeValue + triggers + ValueTriggerRequest repeated

        Optional -Action Attribute Values provided here will replace all existing records in the database. To delete all action attribute values, set this field to an empty list.

        +Obligation Triggers provided here will replace all existing records in the database.

        @@ -15068,7 +15744,7 @@

        UpdateR -

        UpdateRegisteredResourceValueResponse

        +

        UpdateObligationValueResponse

        @@ -15080,7 +15756,7 @@

        Update value - policy.RegisteredResourceValue + policy.ObligationValue

        @@ -15092,9 +15768,47 @@

        Update +

        ValueTriggerRequest

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        actioncommon.IdNameIdentifier

        Required. The ID of the action that will trigger this obligation value policy decisioning.

        attribute_valuecommon.IdFqnIdentifier

        Required. The attribute value ID that will trigger this obligation value policy decisioning.

        contextpolicy.RequestContext

        Optional. The request context for this obligation value policy decisioning.

        + + + + + -

        SortRegisteredResourcesType

        +

        SortObligationsType

        @@ -15103,29 +15817,35 @@

        SortRegisteredRe

        - + - + - + - + + + + + + +
        SORT_REGISTERED_RESOURCES_TYPE_UNSPECIFIEDSORT_OBLIGATIONS_TYPE_UNSPECIFIED 0

        SORT_REGISTERED_RESOURCES_TYPE_NAMESORT_OBLIGATIONS_TYPE_NAME 1

        SORT_REGISTERED_RESOURCES_TYPE_CREATED_ATSORT_OBLIGATIONS_TYPE_FQN 2

        SORT_REGISTERED_RESOURCES_TYPE_UPDATED_ATSORT_OBLIGATIONS_TYPE_CREATED_AT 3

        SORT_OBLIGATIONS_TYPE_UPDATED_AT4

        @@ -15133,8 +15853,8 @@

        SortRegisteredRe -

        RegisteredResourcesService

        -

        Registered Resources

        +

        Service

        +

        Obligation Service

        /

        @@ -15142,95 +15862,174 @@

        RegisteredResourc

        - - - + + + - - - + + + - - - + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameRequest TypeResponse TypeDescription
        CreateRegisteredResourceCreateRegisteredResourceRequestCreateRegisteredResourceResponseListObligationsListObligationsRequestListObligationsResponse

        GetRegisteredResourceGetRegisteredResourceRequestGetRegisteredResourceResponseGetObligationGetObligationRequestGetObligationResponse

        ListRegisteredResourcesListRegisteredResourcesRequestListRegisteredResourcesResponseGetObligationsByFQNsGetObligationsByFQNsRequestGetObligationsByFQNsResponse

        UpdateRegisteredResourceUpdateRegisteredResourceRequestUpdateRegisteredResourceResponseCreateObligationCreateObligationRequestCreateObligationResponse

        UpdateObligationUpdateObligationRequestUpdateObligationResponse

        DeleteObligationDeleteObligationRequestDeleteObligationResponse

        GetObligationValueGetObligationValueRequestGetObligationValueResponse

        GetObligationValuesByFQNsGetObligationValuesByFQNsRequestGetObligationValuesByFQNsResponse

        CreateObligationValueCreateObligationValueRequestCreateObligationValueResponse

        UpdateObligationValueUpdateObligationValueRequestUpdateObligationValueResponse

        DeleteObligationValueDeleteObligationValueRequestDeleteObligationValueResponse

        GetObligationTriggerGetObligationTriggerRequestGetObligationTriggerResponse

        AddObligationTriggerAddObligationTriggerRequestAddObligationTriggerResponse

        RemoveObligationTriggerRemoveObligationTriggerRequestRemoveObligationTriggerResponse

        ListObligationTriggersListObligationTriggersRequestListObligationTriggersResponse

        + + + + +

        Methods with idempotency_level option

        + + + + + + + + + - - - - + + - - - - + + - - - - + + - - - - + + - - - - + + - - - - + + - - - - + + - -
        Method NameOption
        DeleteRegisteredResourceDeleteRegisteredResourceRequestDeleteRegisteredResourceResponse

        ListObligations

        NO_SIDE_EFFECTS

        CreateRegisteredResourceValueCreateRegisteredResourceValueRequestCreateRegisteredResourceValueResponse

        GetObligation

        NO_SIDE_EFFECTS

        GetRegisteredResourceValueGetRegisteredResourceValueRequestGetRegisteredResourceValueResponse

        GetObligationsByFQNs

        NO_SIDE_EFFECTS

        GetRegisteredResourceValuesByFQNsGetRegisteredResourceValuesByFQNsRequestGetRegisteredResourceValuesByFQNsResponse

        GetObligationValue

        NO_SIDE_EFFECTS

        ListRegisteredResourceValuesListRegisteredResourceValuesRequestListRegisteredResourceValuesResponse

        GetObligationValuesByFQNs

        NO_SIDE_EFFECTS

        UpdateRegisteredResourceValueUpdateRegisteredResourceValueRequestUpdateRegisteredResourceValueResponse

        GetObligationTrigger

        NO_SIDE_EFFECTS

        DeleteRegisteredResourceValueDeleteRegisteredResourceValueRequestDeleteRegisteredResourceValueResponse

        ListObligationTriggers

        NO_SIDE_EFFECTS

        - + + +
        -

        policy/resourcemapping/resource_mapping.proto

        Top +

        policy/registeredresources/registered_resources.proto

        Top

        -

        CreateResourceMappingGroupRequest

        +

        ActionAttributeValue

        @@ -15241,12 +16040,50 @@

        CreateResource - namespace_id + action_id string -

        Required

        +

        + + + + action_name + string + +

        + + + + attribute_value_id + string + +

        + + + + attribute_value_fqn + string + +

        + + + + + + + +

        CreateRegisteredResourceRequest

        +

        + + + + + + + + @@ -15254,11 +16091,35 @@

        CreateResource

        + + + + + + + + + + + + + + + + + + + + + - + @@ -15268,7 +16129,7 @@

        CreateResource -

        CreateResourceMappingGroupResponse

        +

        CreateRegisteredResourceResponse

        @@ -15279,8 +16140,8 @@

        CreateResourc

        - - + + @@ -15292,7 +16153,7 @@

        CreateResourc -

        CreateResourceMappingRequest

        +

        CreateRegisteredResourceValueRequest

        @@ -15303,31 +16164,34 @@

        CreateResourceMappi

        - + - + - + - - - - + + + + - + @@ -15337,7 +16201,7 @@

        CreateResourceMappi -

        CreateResourceMappingResponse

        +

        CreateRegisteredResourceValueResponse

        @@ -15348,8 +16212,8 @@

        CreateResourceMapp

        - - + + @@ -15361,7 +16225,7 @@

        CreateResourceMapp -

        DeleteResourceMappingGroupRequest

        +

        DeleteRegisteredResourceRequest

        @@ -15385,7 +16249,7 @@

        DeleteResource -

        DeleteResourceMappingGroupResponse

        +

        DeleteRegisteredResourceResponse

        @@ -15396,8 +16260,8 @@

        DeleteResourc

        - - + + @@ -15409,7 +16273,7 @@

        DeleteResourc -

        DeleteResourceMappingRequest

        +

        DeleteRegisteredResourceValueRequest

        @@ -15433,7 +16297,7 @@

        DeleteResourceMappi -

        DeleteResourceMappingResponse

        +

        DeleteRegisteredResourceValueResponse

        @@ -15444,8 +16308,8 @@

        DeleteResourceMapp

        - - + + @@ -15457,7 +16321,7 @@

        DeleteResourceMapp -

        GetResourceMappingGroupRequest

        +

        GetRegisteredResourceRequest

        @@ -15471,7 +16335,28 @@

        GetResourceMappin

        - + + + + + + + + + + + + + + + + + + + + + + @@ -15481,7 +16366,7 @@

        GetResourceMappin -

        GetResourceMappingGroupResponse

        +

        GetRegisteredResourceResponse

        @@ -15492,8 +16377,8 @@

        GetResourceMappi

        - - + + @@ -15505,7 +16390,7 @@

        GetResourceMappi -

        GetResourceMappingRequest

        +

        GetRegisteredResourceValueRequest

        @@ -15519,7 +16404,14 @@

        GetResourceMappingRequ

        - + + + + + + + + @@ -15529,7 +16421,7 @@

        GetResourceMappingRequ -

        GetResourceMappingResponse

        +

        GetRegisteredResourceValueResponse

        @@ -15540,8 +16432,8 @@

        GetResourceMappingRes

        - - + + @@ -15553,7 +16445,7 @@

        GetResourceMappingRes -

        ListResourceMappingGroupsRequest

        +

        GetRegisteredResourceValuesByFQNsRequest

        @@ -15564,17 +16456,10 @@

        ListResourceMap

        - + - - - - - - - - - + + @@ -15584,7 +16469,7 @@

        ListResourceMap -

        ListResourceMappingGroupsResponse

        +

        GetRegisteredResourceValuesByFQNsResponse

        @@ -15595,19 +16480,12 @@

        ListResourceMa

        - - + + - - - - - - -
        FieldTypeLabelDescription
        name string

        Required

        valuesstringrepeated

        Optional +Registered Resource Values (when provided) must be alphanumeric strings, allowing hyphens and underscores but not as the first or last character. +The stored value will be normalized to lower case.

        namespace_idstring

        namespace_fqnstring

        metadata common.MetadataMutable

        Common metadata

        Optional +Common metadata

        resource_mapping_grouppolicy.ResourceMappingGroupresourcepolicy.RegisteredResource

        attribute_value_idresource_id string

        Required

        termsvalue stringrepeated

        Required

        group_idstring

        Optional

        action_attribute_valuesActionAttributeValuerepeated

        Optional +The associated Action <> AttributeValue combinations to be utilized in authorization/entitlement decisioning +(i.e. action read -> attribute value https://example.com/attr/department/value/marketing)

        metadata common.MetadataMutable

        Optional

        Optional +Common metadata

        resource_mappingpolicy.ResourceMappingvaluepolicy.RegisteredResourceValue

        resource_mapping_grouppolicy.ResourceMappingGroupresourcepolicy.RegisteredResource

        resource_mappingpolicy.ResourceMappingvaluepolicy.RegisteredResourceValue

        id string

        Required

        namestring

        namespace_fqnstring

        namespace_idstring

        resource_mapping_grouppolicy.ResourceMappingGroupresourcepolicy.RegisteredResource

        id string

        Required

        fqnstring

        resource_mappingpolicy.ResourceMappingvaluepolicy.RegisteredResourceValue

        namespace_idfqns string

        Optional

        paginationpolicy.PageRequest

        Optional

        repeated

        Required

        resource_mapping_groupspolicy.ResourceMappingGroupfqn_value_mapGetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntry repeated

        paginationpolicy.PageResponse

        @@ -15615,7 +16493,7 @@

        ListResourceMa -

        ListResourceMappingsByGroupFqnsRequest

        +

        GetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntry

        @@ -15626,11 +16504,17 @@

        ListResou - fqns - string - repeated -

        Required -Structure of the RM Group FQN is 'https://<namespace>/resm/<group name>'

        + key + string + +

        + + + + value + policy.RegisteredResourceValue + +

        @@ -15640,7 +16524,7 @@

        ListResou -

        ListResourceMappingsByGroupFqnsResponse

        +

        ListRegisteredResourceValuesRequest

        @@ -15651,10 +16535,17 @@

        ListReso - fqn_resource_mapping_groups - ListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntry - repeated -

        + resource_id + string + +

        Optional

        + + + + pagination + policy.PageRequest + +

        Optional

        @@ -15664,7 +16555,7 @@

        ListReso -

        ListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntry

        +

        ListRegisteredResourceValuesResponse

        @@ -15675,15 +16566,15 @@

        string - + values + policy.RegisteredResourceValue + repeated

        - value - ResourceMappingsByGroup + pagination + policy.PageResponse

        @@ -15695,7 +16586,7 @@

        ListResourceMappingsRequest

        +

        ListRegisteredResourcesRequest

        @@ -15706,10 +16597,17 @@

        ListResourceMappings - group_id + namespace_id string -

        Optional

        +

        + + + + namespace_fqn + string + +

        @@ -15719,6 +16617,17 @@

        ListResourceMappings

        Optional

        + + sort + RegisteredResourcesSort + repeated +

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        + + @@ -15726,7 +16635,7 @@

        ListResourceMappings -

        ListResourceMappingsResponse

        +

        ListRegisteredResourcesResponse

        @@ -15737,8 +16646,8 @@

        ListResourceMapping - resource_mappings - policy.ResourceMapping + resources + policy.RegisteredResource repeated

        @@ -15757,7 +16666,7 @@

        ListResourceMapping -

        ResourceMappingsByGroup

        +

        RegisteredResourcesSort

        @@ -15768,16 +16677,16 @@

        ResourceMappingsByGroup< - group - policy.ResourceMappingGroup + field + SortRegisteredResourcesType

        - mappings - policy.ResourceMapping - repeated + direction + policy.SortDirection +

        @@ -15788,7 +16697,7 @@

        ResourceMappingsByGroup< -

        UpdateResourceMappingGroupRequest

        +

        UpdateRegisteredResourceRequest

        @@ -15805,13 +16714,6 @@

        UpdateResource

        Required

        - - namespace_id - string - -

        Optional

        - - name string @@ -15823,7 +16725,8 @@

        UpdateResource metadata common.MetadataMutable -

        Common metadata

        +

        Optional +Common metadata

        @@ -15840,7 +16743,7 @@

        UpdateResource -

        UpdateResourceMappingGroupResponse

        +

        UpdateRegisteredResourceResponse

        @@ -15851,8 +16754,8 @@

        UpdateResourc - resource_mapping_group - policy.ResourceMappingGroup + resource + policy.RegisteredResource

        @@ -15864,7 +16767,7 @@

        UpdateResourc -

        UpdateResourceMappingRequest

        +

        UpdateRegisteredResourceValueRequest

        @@ -15882,24 +16785,18 @@

        UpdateResourceMappi - attribute_value_id + value string

        Optional

        - terms - string + action_attribute_values + ActionAttributeValue repeated -

        Optional

        - - - - group_id - string - -

        Optional

        +

        Optional +Action Attribute Values provided here will replace all existing records in the database. To delete all action attribute values, set this field to an empty list.

        @@ -15907,7 +16804,7 @@

        UpdateResourceMappi common.MetadataMutable

        Optional -Common Metadata

        +Common metadata

        @@ -15924,7 +16821,7 @@

        UpdateResourceMappi -

        UpdateResourceMappingResponse

        +

        UpdateRegisteredResourceValueResponse

        @@ -15935,8 +16832,8 @@

        UpdateResourceMapp - resource_mapping - policy.ResourceMapping + value + policy.RegisteredResourceValue

        @@ -15950,149 +16847,143 @@

        UpdateResourceMapp - - - - -

        ResourceMappingService

        -

        Resource Mapping Groups

        +

        SortRegisteredResourcesType

        +

        - + - - - + + - - - + + - - - + + - - - + + - - - - - - + +
        Method NameRequest TypeResponse TypeDescription
        NameNumberDescription
        ListResourceMappingGroupsListResourceMappingGroupsRequestListResourceMappingGroupsResponseSORT_REGISTERED_RESOURCES_TYPE_UNSPECIFIED0

        GetResourceMappingGroupGetResourceMappingGroupRequestGetResourceMappingGroupResponseSORT_REGISTERED_RESOURCES_TYPE_NAME1

        CreateResourceMappingGroupCreateResourceMappingGroupRequestCreateResourceMappingGroupResponseSORT_REGISTERED_RESOURCES_TYPE_CREATED_AT2

        UpdateResourceMappingGroupUpdateResourceMappingGroupRequestUpdateResourceMappingGroupResponseSORT_REGISTERED_RESOURCES_TYPE_UPDATED_AT3

        DeleteResourceMappingGroupDeleteResourceMappingGroupRequestDeleteResourceMappingGroupResponse

        + + + + + +

        RegisteredResourcesService

        +

        Registered Resources

        + + + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - -
        Method NameRequest TypeResponse TypeDescription
        ListResourceMappingsListResourceMappingsRequestListResourceMappingsResponseCreateRegisteredResourceCreateRegisteredResourceRequestCreateRegisteredResourceResponse

        ListResourceMappingsByGroupFqnsListResourceMappingsByGroupFqnsRequestListResourceMappingsByGroupFqnsResponseGetRegisteredResourceGetRegisteredResourceRequestGetRegisteredResourceResponse

        GetResourceMappingGetResourceMappingRequestGetResourceMappingResponseListRegisteredResourcesListRegisteredResourcesRequestListRegisteredResourcesResponse

        CreateResourceMappingCreateResourceMappingRequestCreateResourceMappingResponseUpdateRegisteredResourceUpdateRegisteredResourceRequestUpdateRegisteredResourceResponse

        UpdateResourceMappingUpdateResourceMappingRequestUpdateResourceMappingResponseDeleteRegisteredResourceDeleteRegisteredResourceRequestDeleteRegisteredResourceResponse

        DeleteResourceMappingDeleteResourceMappingRequestDeleteResourceMappingResponseCreateRegisteredResourceValueCreateRegisteredResourceValueRequestCreateRegisteredResourceValueResponse

        - - - - -

        Methods with idempotency_level option

        - - - - - - - - - - - + + + + - - + + + + - - + + + + - - + + + + - - + + + + - -
        Method NameOption
        ListResourceMappingGroups

        NO_SIDE_EFFECTS

        GetRegisteredResourceValueGetRegisteredResourceValueRequestGetRegisteredResourceValueResponse

        GetResourceMappingGroup

        NO_SIDE_EFFECTS

        GetRegisteredResourceValuesByFQNsGetRegisteredResourceValuesByFQNsRequestGetRegisteredResourceValuesByFQNsResponse

        ListResourceMappings

        NO_SIDE_EFFECTS

        ListRegisteredResourceValuesListRegisteredResourceValuesRequestListRegisteredResourceValuesResponse

        ListResourceMappingsByGroupFqns

        NO_SIDE_EFFECTS

        UpdateRegisteredResourceValueUpdateRegisteredResourceValueRequestUpdateRegisteredResourceValueResponse

        GetResourceMapping

        NO_SIDE_EFFECTS

        DeleteRegisteredResourceValueDeleteRegisteredResourceValueRequestDeleteRegisteredResourceValueResponse

        - + + +
        -

        policy/subjectmapping/subject_mapping.proto

        Top +

        policy/resourcemapping/resource_mapping.proto

        Top

        -

        CreateSubjectConditionSetRequest

        +

        CreateResourceMappingGroupRequest

        @@ -16103,24 +16994,24 @@

        CreateSubjectCon - subject_condition_set - SubjectConditionSetCreate + namespace_id + string -

        +

        Required

        - namespace_id + name string -

        +

        Required

        - namespace_fqn - string + metadata + common.MetadataMutable -

        +

        Common metadata

        @@ -16130,7 +17021,7 @@

        CreateSubjectCon -

        CreateSubjectConditionSetResponse

        +

        CreateResourceMappingGroupResponse

        @@ -16141,8 +17032,8 @@

        CreateSubjectCo - subject_condition_set - policy.SubjectConditionSet + resource_mapping_group + policy.ResourceMappingGroup

        @@ -16154,7 +17045,7 @@

        CreateSubjectCo -

        CreateSubjectMappingRequest

        +

        CreateResourceMappingRequest

        @@ -16168,46 +17059,21 @@

        CreateSubjectMappingR attribute_value_id string -

        Required -Attribute Value to be mapped to

        - - - - actions - policy.Action - repeated -

        Required -The actions permitted by subjects in this mapping

        - - - - existing_subject_condition_set_id - string - -

        Either of the following: -Reuse existing SubjectConditionSet (NOTE: prioritized over new_subject_condition_set)

        - - - - new_subject_condition_set - SubjectConditionSetCreate - -

        Create new SubjectConditionSet (NOTE: ignored if existing_subject_condition_set_id is provided)

        +

        Required

        - namespace_id + terms string - -

        Optional -Namespace ID or FQN for the subject mapping

        + repeated +

        Required

        - namespace_fqn + group_id string -

        +

        Optional

        @@ -16224,7 +17090,7 @@

        CreateSubjectMappingR -

        CreateSubjectMappingResponse

        +

        CreateResourceMappingResponse

        @@ -16235,8 +17101,8 @@

        CreateSubjectMapping - subject_mapping - policy.SubjectMapping + resource_mapping + policy.ResourceMapping

        @@ -16248,38 +17114,7 @@

        CreateSubjectMapping -

        DeleteAllUnmappedSubjectConditionSetsRequest

        -

        Prune any Subject Condition Sets not utilized within a Subject Mapping

        - - - - - -

        DeleteAllUnmappedSubjectConditionSetsResponse

        -

        - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        subject_condition_setspolicy.SubjectConditionSetrepeated

        Only IDs of any deleted Subject Condition Set provided

        - - - - - -

        DeleteSubjectConditionSetRequest

        +

        DeleteResourceMappingGroupRequest

        @@ -16303,7 +17138,7 @@

        DeleteSubjectCon -

        DeleteSubjectConditionSetResponse

        +

        DeleteResourceMappingGroupResponse

        @@ -16314,10 +17149,10 @@

        DeleteSubjectCo - subject_condition_set - policy.SubjectConditionSet + resource_mapping_group + policy.ResourceMappingGroup -

        Only ID of deleted Subject Condition Set provided

        +

        @@ -16327,7 +17162,7 @@

        DeleteSubjectCo -

        DeleteSubjectMappingRequest

        +

        DeleteResourceMappingRequest

        @@ -16351,7 +17186,7 @@

        DeleteSubjectMappingR -

        DeleteSubjectMappingResponse

        +

        DeleteResourceMappingResponse

        @@ -16362,10 +17197,10 @@

        DeleteSubjectMapping - subject_mapping - policy.SubjectMapping + resource_mapping + policy.ResourceMapping -

        Only ID of the updated Subject Mapping provided

        +

        @@ -16375,7 +17210,7 @@

        DeleteSubjectMapping -

        GetSubjectConditionSetRequest

        +

        GetResourceMappingGroupRequest

        @@ -16399,7 +17234,7 @@

        GetSubjectCondition -

        GetSubjectConditionSetResponse

        +

        GetResourceMappingGroupResponse

        @@ -16410,19 +17245,12 @@

        GetSubjectConditio - subject_condition_set - policy.SubjectConditionSet + resource_mapping_group + policy.ResourceMappingGroup

        - - associated_subject_mappings - policy.SubjectMapping - repeated -

        contextualized Subject Mappings associated with this SubjectConditionSet

        - - @@ -16430,7 +17258,7 @@

        GetSubjectConditio -

        GetSubjectMappingRequest

        +

        GetResourceMappingRequest

        @@ -16454,7 +17282,7 @@

        GetSubjectMappingRequest -

        GetSubjectMappingResponse

        +

        GetResourceMappingResponse

        @@ -16465,8 +17293,8 @@

        GetSubjectMappingRespon - subject_mapping - policy.SubjectMapping + resource_mapping + policy.ResourceMapping

        @@ -16478,7 +17306,7 @@

        GetSubjectMappingRespon -

        ListSubjectConditionSetsRequest

        +

        ListResourceMappingGroupsRequest

        @@ -16492,14 +17320,7 @@

        ListSubjectCondit namespace_id string -

        - - - - namespace_fqn - string - -

        +

        Optional

        @@ -16509,17 +17330,6 @@

        ListSubjectCondit

        Optional

        - - sort - SubjectConditionSetsSort - repeated -

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        - - @@ -16527,7 +17337,7 @@

        ListSubjectCondit -

        ListSubjectConditionSetsResponse

        +

        ListResourceMappingGroupsResponse

        @@ -16538,8 +17348,8 @@

        ListSubjectCondi - subject_condition_sets - policy.SubjectConditionSet + resource_mapping_groups + policy.ResourceMappingGroup repeated

        @@ -16558,7 +17368,7 @@

        ListSubjectCondi -

        ListSubjectMappingsRequest

        +

        ListResourceMappingsByGroupFqnsRequest

        @@ -16569,35 +17379,11 @@

        ListSubjectMappingsReq - namespace_id - string - -

        - - - - namespace_fqn + fqns string - -

        - - - - pagination - policy.PageRequest - -

        Optional

        - - - - sort - SubjectMappingsSort repeated -

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        +

        Required +Structure of the RM Group FQN is 'https://<namespace>/resm/<group name>'

        @@ -16607,7 +17393,7 @@

        ListSubjectMappingsReq -

        ListSubjectMappingsResponse

        +

        ListResourceMappingsByGroupFqnsResponse

        @@ -16618,19 +17404,12 @@

        ListSubjectMappingsRe - subject_mappings - policy.SubjectMapping + fqn_resource_mapping_groups + ListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntry repeated

        - - pagination - policy.PageResponse - -

        - - @@ -16638,8 +17417,8 @@

        ListSubjectMappingsRe -

        MatchSubjectMappingsRequest

        -

        MatchSubjectMappingsRequest liberally returns a list of SubjectMappings based on the provided SubjectProperties.

        The SubjectMappings are returned if an external selector field matches.

        +

        ListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntry

        +

        @@ -16649,33 +17428,16 @@

        MatchSubjectMappingsR

        - - - - - - - -
        subject_propertiespolicy.SubjectPropertyrepeated

        - - - - - -

        MatchSubjectMappingsResponse

        -

        - - - - - - - + + + + + - - - + + + @@ -16686,7 +17448,7 @@

        MatchSubjectMappings -

        SubjectConditionSetCreate

        +

        ListResourceMappingsRequest

        @@ -16697,18 +17459,17 @@

        SubjectConditionSetCrea

        - - - - + + + + - - + + - + @@ -16718,7 +17479,7 @@

        SubjectConditionSetCrea -

        SubjectConditionSetsSort

        +

        ListResourceMappingsResponse

        @@ -16729,15 +17490,15 @@

        SubjectConditionSetsSort

        - - - + + + - - + + @@ -16749,7 +17510,7 @@

        SubjectConditionSetsSort -

        SubjectMappingsSort

        +

        ResourceMappingsByGroup

        @@ -16760,16 +17521,16 @@

        SubjectMappingsSort

        - - + + - - - + + + @@ -16780,7 +17541,7 @@

        SubjectMappingsSort

        -

        UpdateSubjectConditionSetRequest

        +

        UpdateResourceMappingGroupRequest

        @@ -16798,11 +17559,17 @@

        UpdateSubjectCon

        - - - - + + + + + + + + + + + @@ -16826,7 +17593,7 @@

        UpdateSubjectCon -

        UpdateSubjectConditionSetResponse

        +

        UpdateResourceMappingGroupResponse

        @@ -16837,10 +17604,10 @@

        UpdateSubjectCo

        - - + + - + @@ -16850,7 +17617,7 @@

        UpdateSubjectCo -

        UpdateSubjectMappingRequest

        +

        UpdateResourceMappingRequest

        @@ -16868,26 +17635,32 @@

        UpdateSubjectMappingR

        - + - + - - + + - + + + + + + + + - + @@ -16904,7 +17677,7 @@

        UpdateSubjectMappingR -

        UpdateSubjectMappingResponse

        +

        UpdateResourceMappingResponse

        @@ -16915,10 +17688,10 @@

        UpdateSubjectMapping

        - - + + - + @@ -16930,70 +17703,12 @@

        UpdateSubjectMapping -

        SortSubjectConditionSetsType

        -

        -
        FieldTypeLabelDescription
        keystring

        subject_mappingspolicy.SubjectMappingrepeatedvalueResourceMappingsByGroup

        subject_setspolicy.SubjectSetrepeated

        Required

        group_idstring

        Optional

        metadatacommon.MetadataMutablepaginationpolicy.PageRequest

        Optional -Common metadata

        Optional

        fieldSortSubjectConditionSetsTyperesource_mappingspolicy.ResourceMappingrepeated

        directionpolicy.SortDirectionpaginationpolicy.PageResponse

        fieldSortSubjectMappingsTypegrouppolicy.ResourceMappingGroup

        directionpolicy.SortDirectionmappingspolicy.ResourceMappingrepeated

        subject_setspolicy.SubjectSetrepeated

        Optional -If provided, replaces entire existing structure of Subject Sets, Condition Groups, & Conditions

        namespace_idstring

        Optional

        namestring

        Optional

        subject_condition_setpolicy.SubjectConditionSetresource_mapping_grouppolicy.ResourceMappingGroup

        Only ID of updated Subject Condition Set provided

        subject_condition_set_idattribute_value_id string

        Optional -Replaces the existing SubjectConditionSet id with a new one

        Optional

        actionspolicy.Actiontermsstring repeated

        Optional -Replaces entire list of actions permitted by subjects

        Optional

        group_idstring

        Optional

        metadata common.MetadataMutable

        Common metadata

        Optional +Common Metadata

        subject_mappingpolicy.SubjectMappingresource_mappingpolicy.ResourceMapping

        Only ID of the updated Subject Mapping provided

        - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_SUBJECT_CONDITION_SETS_TYPE_UNSPECIFIED0

        SORT_SUBJECT_CONDITION_SETS_TYPE_CREATED_AT1

        SORT_SUBJECT_CONDITION_SETS_TYPE_UPDATED_AT2

        - -

        SortSubjectMappingsType

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_SUBJECT_MAPPINGS_TYPE_UNSPECIFIED0

        SORT_SUBJECT_MAPPINGS_TYPE_CREATED_AT1

        SORT_SUBJECT_MAPPINGS_TYPE_UPDATED_AT2

        - -

        SubjectMappingService

        -

        +

        ResourceMappingService

        +

        Resource Mapping Groups

        @@ -17001,86 +17716,79 @@

        SubjectMappingService

        - - - - - - - - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + @@ -17101,22 +17809,27 @@

        Methods with idempotency_level option

        - + - + - + - + + + + + + diff --git a/docs/openapi/authorization/authorization.openapi.yaml b/docs/openapi/authorization/authorization.openapi.yaml index 1f3648bae8..5a112b61b6 100644 --- a/docs/openapi/authorization/authorization.openapi.yaml +++ b/docs/openapi/authorization/authorization.openapi.yaml 
@@ -109,6 +109,65 @@ paths: $ref: '#/components/schemas/authorization.GetEntitlementsResponse' components: schemas: + authorization.DecisionResponse.Decision: + type: string + title: Decision + enum: + - DECISION_UNSPECIFIED + - DECISION_DENY + - DECISION_PERMIT + authorization.Entity.Category: + type: string + title: Category + enum: + - CATEGORY_UNSPECIFIED + - CATEGORY_SUBJECT + - CATEGORY_ENVIRONMENT + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. authorization.DecisionRequest: type: object properties: 
@@ -133,6 +192,7 @@ components: Example Request Get Decisions to answer the question - Do Bob (represented by entity chain ec1) and Alice (represented by entity chain ec2) have TRANSMIT authorization for 2 resources; resource1 (attr-set-1) defined by attributes foo:bar resource2 (attr-set-2) defined by attribute foo:bar, color:red ? + { "actions": [ { @@ -204,11 +264,13 @@ components: Example response for a Decision Request - Do Bob (represented by entity chain ec1) and Alice (represented by entity chain ec2) have TRANSMIT authorization for 2 resources; resource1 (attr-set-1) defined by attributes foo:bar resource2 (attr-set-2) defined by attribute foo:bar, color:red ? + Results: - bob has permitted authorization to transmit for a resource defined by attr-set-1 attributes and has a watermark obligation - bob has denied authorization to transmit a for a resource defined by attr-set-2 attributes - alice has permitted authorization to transmit for a resource defined by attr-set-1 attributes - alice has denied authorization to transmit a for a resource defined by attr-set-2 attributes + { "entityChainId": "ec1", "resourceAttributesId": "attr-set-1", 
@@ -232,92 +294,70 @@ components: "resourceAttributesId": "attr-set-2", "decision": "DECISION_DENY" } - authorization.DecisionResponse.Decision: - type: string - title: Decision - enum: - - DECISION_UNSPECIFIED - - DECISION_DENY - - DECISION_PERMIT authorization.Entity: type: object - allOf: + oneOf: - properties: - id: - type: string - title: id - description: ephemeral id for tracking between request and response - category: - title: category - $ref: '#/components/schemas/authorization.Entity.Category' - - oneOf: - - type: object - properties: - claims: - title: claims - $ref: '#/components/schemas/google.protobuf.Any' + claims: title: claims - required: - - claims - - type: object - properties: - clientId: - type: string - title: client_id + $ref: '#/components/schemas/google.protobuf.Any' + title: claims + required: + - claims + - properties: + clientId: + type: string title: client_id - required: - - clientId - - type: object - properties: - custom: - title: custom - $ref: '#/components/schemas/authorization.EntityCustom' + title: client_id + required: + - clientId + - properties: + custom: title: custom - required: - - custom - - type: object - properties: - emailAddress: - type: string - title: email_address - description: one of the entity options must be set + $ref: '#/components/schemas/authorization.EntityCustom' + title: custom + required: + - custom + - properties: + emailAddress: + type: string title: email_address - required: - - emailAddress - - type: object - properties: - remoteClaimsUrl: - type: string - title: remote_claims_url + description: one of the entity options must be set + title: email_address + required: + - emailAddress + - properties: + remoteClaimsUrl: + type: string title: remote_claims_url - required: - - remoteClaimsUrl - - type: object - properties: - userName: - type: string - title: user_name + title: remote_claims_url + required: + - remoteClaimsUrl + - properties: + userName: + type: string title: user_name - required: - - 
userName - - type: object - properties: - uuid: - type: string - title: uuid + title: user_name + required: + - userName + - properties: + uuid: + type: string title: uuid - required: - - uuid + title: uuid + required: + - uuid + properties: + id: + type: string + title: id + description: ephemeral id for tracking between request and response + category: + title: category + $ref: '#/components/schemas/authorization.Entity.Category' title: Entity additionalProperties: false description: PE (Person Entity) or NPE (Non-Person Entity) - authorization.Entity.Category: - type: string - title: Category - enum: - - CATEGORY_UNSPECIFIED - - CATEGORY_SUBJECT - - CATEGORY_ENVIRONMENT authorization.EntityChain: type: object properties: @@ -405,22 +445,22 @@ components: title: entities description: list of requested entities scope: - oneOf: - - $ref: '#/components/schemas/authorization.ResourceAttribute' - - type: "null" title: scope description: optional attribute fqn as a scope + nullable: true + $ref: '#/components/schemas/authorization.ResourceAttribute' withComprehensiveHierarchy: - type: - - boolean - - "null" + type: boolean title: with_comprehensive_hierarchy description: optional parameter to return a full list of entitlements - returns lower hierarchy attributes + nullable: true title: GetEntitlementsRequest additionalProperties: false description: |- Request to get entitlements for one or more entities for an optional attribute scope + Example: Get entitlements for bob and alice (both represented using an email address + { "entities": [ { @@ -451,6 +491,7 @@ components: additionalProperties: false description: |- Example Response for a request of : Get entitlements for bob and alice (both represented using an email address + { "entitlements": [ { 
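Review bot: In `GetEntitlementsRequest.scope` the new schema puts `nullable: true` beside `$ref: '#/components/schemas/authorization.ResourceAttribute'`, which does not describe an optional, nullable scope in either OpenAPI dialect: 3.0 ignores siblings of `$ref`, and 3.1 has no `nullable` keyword. The removed `oneOf` of the `$ref` and `type: "null"` stated it unambiguously. The same shift shows on `withComprehensiveHierarchy` (`type: [boolean, "null"]` became `type: boolean` plus `nullable: true`), which suggests the spec was regenerated with a different generator version than the one that produced the old side. If that is the case, regenerate with the pinned version, or keep the `oneOf` form for `scope`.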
@@ -522,6 +563,7 @@ components: Example Request Get Decisions by Token to answer the question - Do Bob and client1 (represented by token tok1) and Alice and client2 (represented by token tok2) have TRANSMIT authorization for 2 resources; resource1 (attr-set-1) defined by attributes foo:bar resource2 (attr-set-2) defined by attribute foo:bar, color:red ? + { "actions": [ { 
@@ -584,75 +626,6 @@ components: title: value title: LabelsEntry additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' - value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. 
The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.Any: type: object properties: @@ -661,6 +634,9 @@ components: value: type: string format: binary + debug: + type: object + additionalProperties: true additionalProperties: true description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. google.protobuf.BoolValue: @@ -675,8 +651,8 @@ components: google.protobuf.Timestamp: type: string examples: - - "2023-01-15T01:30:15.01Z" - - "2024-12-25T12:00:00Z" + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
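Review bot: The `google.protobuf.Timestamp` examples are now `1s` and `1.000340012s`, which are duration strings and do not match the `format: date-time` declared directly below them. The removed values `"2023-01-15T01:30:15.01Z"` and `"2024-12-25T12:00:00Z"` were valid for that format. Tooling that builds sample requests or mocks from `examples` will emit values a date-time validator rejects. The v2 spec carries the same replacement at `@@ -684,8 +690,8 @@`; restore the RFC 3339 examples in both files.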
@@ -770,65 +746,41 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - allOf: + oneOf: - properties: - id: - type: string - title: id - description: Generated uuid in database - name: + custom: type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - - oneOf: - - type: object - properties: - custom: - type: string - title: custom - description: Deprecated title: custom - required: - - custom - - type: object - properties: - standard: - title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' + description: Deprecated + title: custom + required: + - custom + - properties: + standard: title: standard - required: - - standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' title: Action additionalProperties: false description: An action an entity can take - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. 
policy.KasPublicKey: type: object properties: @@ -847,7 +799,7 @@ components: alg: not: enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - 0 title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -859,19 +811,6 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: @@ -894,9 +833,13 @@ components: uri: type: string title: uri - description: | + description: |+ Address of a KAS instance - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -964,8 +907,7 @@ components: policy.PublicKey: type: object oneOf: - - type: object - properties: + - properties: cached: title: cached description: public key with additional information. Current preferred version 
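Review bot: `alg: not: enum: - 0` stops excluding the unspecified algorithm if `alg` refers to the string-valued `policy.KasPublicKeyAlgEnum` declared in this file, because the integer `0` never equals the string `KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED`. A consumer validating against this spec would then accept a KAS public key with no algorithm chosen, which the old line rejected. Keep `- KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED` here and in the v2 spec at `@@ -856,7 +838,7 @@`. The `$ref` for `alg` lies outside the hunk, so confirm its type before changing it.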
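Review bot: The `uri` description for a KAS instance now embeds the raw validation expression, and that expression begins `^https?://`, so a plain `http://` KAS address passes, while `policy.PublicKey.remote` in the hunk at `@@ -973,14 +915,17 @@` requires `^https://`. The prose still gives only an `https://` example, so a reader cannot tell whether plaintext is intended. State in the description whether `http://` is accepted on purpose (for example for local development) and that deployments should use `https://`. The rendered sentence also now ends in `slashes.:` and the `|+` block keeps trailing blank lines, both of which look like generator artefacts worth cleaning up.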
@@ -973,14 +915,17 @@ components: title: cached required: - cached - - type: object - properties: + - properties: remote: type: string title: remote - description: | + description: |+ kas public key url - optional since can also be retrieved via public key - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + title: remote required: - remote 
@@ -1018,17 +963,50 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false - policy.SourceType: - type: string - title: SourceType + connect-protocol-version: + type: number + title: Connect-Protocol-Version enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' security: [] tags: - name: authorization.AuthorizationService diff --git a/docs/openapi/authorization/v2/authorization.openapi.yaml b/docs/openapi/authorization/v2/authorization.openapi.yaml index b4dbfa42d6..7e9d837275 100644 
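Review bot: The re-added `connect.error` schema replaces the `details` array of `connect.error_details.Any` with a single `detail` property that refs `google.protobuf.Any`, and the `connect.error_details.Any` schema is removed in the hunk at `@@ -584,75 +626,6 @@`. The old description ("A list of messages that carry the error details") documents a list, so clients generated from the new spec would look for a differently named, single-valued field and drop error details. Keep `details` as `type: array` with `items: $ref: '#/components/schemas/connect.error_details.Any'`. The v2 spec removes the same schemas at `@@ -508,130 +592,49 @@`; where they are re-added is outside what is visible here.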
--- a/docs/openapi/authorization/v2/authorization.openapi.yaml +++ b/docs/openapi/authorization/v2/authorization.openapi.yaml @@ -37,12 +37,12 @@ paths: application/json: schema: $ref: '#/components/schemas/authorization.v2.GetDecisionResponse' - /authorization.v2.AuthorizationService/GetDecisionBulk: + /authorization.v2.AuthorizationService/GetDecisionMultiResource: post: tags: - authorization.v2.AuthorizationService - summary: GetDecisionBulk - operationId: authorization.v2.AuthorizationService.GetDecisionBulk + summary: GetDecisionMultiResource + operationId: authorization.v2.AuthorizationService.GetDecisionMultiResource parameters: - name: Connect-Protocol-Version in: header @@ -57,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/authorization.v2.GetDecisionBulkRequest' + $ref: '#/components/schemas/authorization.v2.GetDecisionMultiResourceRequest' required: true responses: default: @@ -71,13 +71,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/authorization.v2.GetDecisionBulkResponse' - /authorization.v2.AuthorizationService/GetDecisionMultiResource: + $ref: '#/components/schemas/authorization.v2.GetDecisionMultiResourceResponse' + /authorization.v2.AuthorizationService/GetDecisionBulk: post: tags: - authorization.v2.AuthorizationService - summary: GetDecisionMultiResource - operationId: authorization.v2.AuthorizationService.GetDecisionMultiResource + summary: GetDecisionBulk + operationId: authorization.v2.AuthorizationService.GetDecisionBulk parameters: - name: Connect-Protocol-Version in: header @@ -92,7 +92,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/authorization.v2.GetDecisionMultiResourceRequest' + $ref: '#/components/schemas/authorization.v2.GetDecisionBulkRequest' required: true responses: default: 
@@ -106,7 +106,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/authorization.v2.GetDecisionMultiResourceResponse' + $ref: '#/components/schemas/authorization.v2.GetDecisionBulkResponse' /authorization.v2.AuthorizationService/GetEntitlements: post: tags: @@ -151,6 +151,58 @@ components: - DECISION_UNSPECIFIED - DECISION_DENY - DECISION_PERMIT + entity.Entity.Category: + type: string + title: Category + enum: + - CATEGORY_UNSPECIFIED + - CATEGORY_SUBJECT + - CATEGORY_ENVIRONMENT + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. authorization.v2.EntityEntitlements: type: object properties: 
@@ -191,19 +243,21 @@ components: authorization.v2.EntityIdentifier: type: object oneOf: - - type: object - properties: + - properties: entityChain: title: entity_chain - description: | + description: |+ chain of one or more entities and at most 10 - entity_chain_required // entities must be provided and between 1 and 10 in count + entities must be provided and between 1 and 10 in count: + ``` + has(this.entities) && this.entities.size() > 0 && this.entities.size() <= 10 + ``` + $ref: '#/components/schemas/entity.EntityChain' title: entity_chain required: - entityChain - - type: object - properties: + - properties: registeredResourceValueFqn: type: string title: registered_resource_value_fqn @@ -215,24 +269,30 @@ components: title: registered_resource_value_fqn required: - registeredResourceValueFqn - - type: object - properties: + - properties: token: title: token - description: | + description: |+ access token (JWT), which is used to create an entity chain (comprising one or more entities) - token_required // token must be provided + token must be provided: + ``` + has(this.jwt) && this.jwt.size() > 0 + ``` + $ref: '#/components/schemas/entity.Token' title: token required: - token - - type: object - properties: + - properties: withRequestToken: title: with_request_token - description: | + description: |+ derive the entity from the request's authorization access token JWT, rather than passing in the body - with_request_token_must_be_true // with_request_token must be true when set + with_request_token must be true when set: + ``` + this == true + ``` + $ref: '#/components/schemas/google.protobuf.BoolValue' title: with_request_token required: 
@@ -292,19 +352,27 @@ components: type: array items: type: string - description: | - obligation_value_fqns_valid // if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs + description: |+ + if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs: + ``` + this.size() == 0 || (this.size() <= 50 && this.all(item, item.isUri())) + ``` + title: fulfillable_obligation_fqns - description: | + description: |+ obligations (fully qualified values) the requester is capable of fulfilling i.e. https:///obl//value/ - obligation_value_fqns_valid // if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs + if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs: + ``` + this.size() == 0 || (this.size() <= 50 && this.all(item, item.isUri())) + ``` + title: GetDecisionMultiResourceRequest required: - entityIdentifier - action additionalProperties: false - description: | + description: |+ Can the identified entity/entities access? 1. one entity reference (actor) 2. one action @@ -313,7 +381,11 @@ components: If entitled, checks obligation policy: fulfillable obligations must satisfy all triggered. Note: this is a more performant bulk request for multiple resource decisions, up to 1000 per request - get_decision_multi_request.action_name_required // action.name must be provided + action.name must be provided: + ``` + has(this.action.name) + ``` + authorization.v2.GetDecisionMultiResourceResponse: type: object properties: 
@@ -347,27 +419,39 @@ components: type: array items: type: string - description: | - obligation_value_fqns_valid // if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs + description: |+ + if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs: + ``` + this.size() == 0 || (this.size() <= 50 && this.all(item, item.isUri())) + ``` + title: fulfillable_obligation_fqns - description: | + description: |+ obligations (fully qualified values) the requester is capable of fulfilling i.e. https:///obl//value/ - obligation_value_fqns_valid // if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs + if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs: + ``` + this.size() == 0 || (this.size() <= 50 && this.all(item, item.isUri())) + ``` + title: GetDecisionRequest required: - entityIdentifier - action - resource additionalProperties: false - description: | + description: |+ Can the identified entity/entities access? 1. one entity reference (actor) 2. one action 3. one resource If entitled, checks obligation policy: fulfillable obligations must satisfy all triggered. - get_decision_request.action_name_required // action.name must be provided + action.name must be provided: + ``` + has(this.action.name) + ``` + authorization.v2.GetDecisionResponse: type: object properties: 
@@ -385,13 +469,12 @@ components: description: an entity must be identified for entitlement decisioning $ref: '#/components/schemas/authorization.v2.EntityIdentifier' withComprehensiveHierarchy: - type: - - boolean - - "null" + type: boolean title: with_comprehensive_hierarchy description: |- optional parameter to return all entitled values for attribute definitions with hierarchy rules, propagating down the hierarchical values instead of returning solely the value that is directly entitled + nullable: true title: GetEntitlementsRequest required: - entityIdentifier 
@@ -413,35 +496,36 @@ components: additionalProperties: false authorization.v2.Resource: type: object - allOf: + oneOf: - properties: - ephemeralId: - type: string - title: ephemeral_id - description: ephemeral id for tracking between request and response - - oneOf: - - type: object - properties: - attributeValues: - title: attribute_values - description: | - a set of attribute value FQNs, such as those on a TDF, between 1 and 20 in count - attribute_values_required // if provided, resource.attribute_values must be between 1 and 20 in count with all valid FQNs - $ref: '#/components/schemas/authorization.v2.Resource.AttributeValues' + attributeValues: title: attribute_values - required: - - attributeValues - - type: object - properties: - registeredResourceValueFqn: - type: string - title: registered_resource_value_fqn - minLength: 1 - format: uri - description: fully qualified name of the registered resource value stored in platform policy + description: |+ + a set of attribute value FQNs, such as those on a TDF, between 1 and 20 in count + if provided, resource.attribute_values must be between 1 and 20 in count with all valid FQNs: + ``` + this.fqns.size() > 0 && this.fqns.size() <= 20 && this.fqns.all(item, item.isUri()) + ``` + + $ref: '#/components/schemas/authorization.v2.Resource.AttributeValues' + title: attribute_values + required: + - attributeValues + - properties: + registeredResourceValueFqn: + type: string title: registered_resource_value_fqn - required: - - registeredResourceValueFqn + minLength: 1 + format: uri + description: fully qualified name of the registered resource value stored in platform policy + title: registered_resource_value_fqn + required: + - registeredResourceValueFqn + properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response title: Resource additionalProperties: false description: Either a set of attribute values (such as those on a TDF) or a registered 
resource value 
@@ -508,130 +592,49 @@ components: title: value title: LabelsEntry additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' - value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. 
The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. entity.Entity: type: object - allOf: + oneOf: - properties: - ephemeralId: - type: string - title: ephemeral_id - description: ephemeral id for tracking between request and response - category: - title: category - $ref: '#/components/schemas/entity.Entity.Category' - - oneOf: - - type: object - properties: - claims: - title: claims - description: used by ERS claims mode - $ref: '#/components/schemas/google.protobuf.Any' + claims: title: claims - required: - - claims - - type: object - properties: - clientId: - type: string - title: client_id + description: used by ERS claims mode + $ref: '#/components/schemas/google.protobuf.Any' + title: claims + required: + - claims + - properties: + clientId: + type: string title: client_id - required: - - clientId - - type: object - properties: - emailAddress: - type: string - title: email_address + title: client_id + required: + - clientId + - properties: + emailAddress: + type: string title: email_address - required: - - emailAddress - - type: object - properties: - userName: - type: string - title: user_name + title: email_address + required: + - emailAddress + - properties: + userName: + type: string title: user_name - required: - - userName + title: user_name + required: + - userName + properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and 
response + category: + title: category + $ref: '#/components/schemas/entity.Entity.Category' title: Entity additionalProperties: false description: PE (Person Entity) or NPE (Non-Person Entity) - entity.Entity.Category: - type: string - title: Category - enum: - - CATEGORY_UNSPECIFIED - - CATEGORY_SUBJECT - - CATEGORY_ENVIRONMENT entity.EntityChain: type: object properties: @@ -670,6 +673,9 @@ components: value: type: string format: binary + debug: + type: object + additionalProperties: true additionalProperties: true description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. google.protobuf.BoolValue: @@ -684,8 +690,8 @@ components: google.protobuf.Timestamp: type: string examples: - - "2023-01-15T01:30:15.01Z" - - "2024-12-25T12:00:00Z" + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -779,65 +785,41 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - allOf: + oneOf: - properties: - id: + custom: type: string - title: id - description: Generated uuid in database - name: - type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - - oneOf: - - type: object - properties: - custom: - type: string - title: custom - description: Deprecated title: custom - required: - - custom - - type: object - properties: - standard: - title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' + description: Deprecated + title: custom + required: + - custom + - properties: + standard: title: standard - required: - - standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' title: Action additionalProperties: false description: An action an entity can take - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. 
policy.KasPublicKey: type: object properties: @@ -856,7 +838,7 @@ components: alg: not: enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - 0 title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -868,19 +850,6 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: @@ -903,9 +872,13 @@ components: uri: type: string title: uri - description: | + description: |+ Address of a KAS instance - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -973,8 +946,7 @@ components: policy.PublicKey: type: object oneOf: - - type: object - properties: + - properties: cached: title: cached description: public key with additional information. Current preferred version 
@@ -982,14 +954,17 @@ components: title: cached required: - cached - - type: object - properties: + - properties: remote: type: string title: remote - description: | + description: |+ kas public key url - optional since can also be retrieved via public key - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + title: remote required: - remote 
@@ -1027,17 +1002,50 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false - policy.SourceType: - type: string - title: SourceType + connect-protocol-version: + type: number + title: Connect-Protocol-Version enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' security: [] tags: - name: authorization.v2.AuthorizationService diff --git a/docs/openapi/common/common.openapi.yaml b/docs/openapi/common/common.openapi.yaml index 093091b6a7..0d1e60b152 100644 --- a/docs/openapi/common/common.openapi.yaml 
+++ b/docs/openapi/common/common.openapi.yaml @@ -13,14 +13,15 @@ components: - ACTIVE_STATE_ENUM_INACTIVE - ACTIVE_STATE_ENUM_ANY description: 'buflint ENUM_VALUE_PREFIX: to make sure that C++ scoping rules aren''t violated when users add new enum values to an enum in a given package' + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE common.IdFqnIdentifier: type: object - allOf: - - oneOf: - - required: - - id - - required: - - fqn properties: id: type: string @@ -35,12 +36,6 @@ components: additionalProperties: false common.IdNameIdentifier: type: object - allOf: - - oneOf: - - required: - - id - - required: - - name properties: id: type: string @@ -51,8 +46,12 @@ components: title: name maxLength: 253 minLength: 1 - description: | - name_format // Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. + description: |+ + Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + title: IdNameIdentifier additionalProperties: false common.Metadata: @@ -110,18 +109,11 @@ components: title: value title: LabelsEntry additionalProperties: false - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE google.protobuf.Timestamp: type: string examples: - - "2023-01-15T01:30:15.01Z" - - "2024-12-25T12:00:00Z" + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
diff --git a/docs/openapi/entity/entity.openapi.yaml b/docs/openapi/entity/entity.openapi.yaml index 388fb1f7a3..6484c863a0 100644 --- a/docs/openapi/entity/entity.openapi.yaml +++ b/docs/openapi/entity/entity.openapi.yaml 
@@ -4,61 +4,56 @@ info: paths: {} components: schemas: + entity.Entity.Category: + type: string + title: Category + enum: + - CATEGORY_UNSPECIFIED + - CATEGORY_SUBJECT + - CATEGORY_ENVIRONMENT entity.Entity: type: object - allOf: + oneOf: - properties: - ephemeralId: - type: string - title: ephemeral_id - description: ephemeral id for tracking between request and response - category: - title: category - $ref: '#/components/schemas/entity.Entity.Category' - - oneOf: - - type: object - properties: - claims: - title: claims - description: used by ERS claims mode - $ref: '#/components/schemas/google.protobuf.Any' + claims: title: claims - required: - - claims - - type: object - properties: - clientId: - type: string - title: client_id + description: used by ERS claims mode + $ref: '#/components/schemas/google.protobuf.Any' + title: claims + required: + - claims + - properties: + clientId: + type: string title: client_id - required: - - clientId - - type: object - properties: - emailAddress: - type: string - title: email_address + title: client_id + required: + - clientId + - properties: + emailAddress: + type: string title: email_address - required: - - emailAddress - - type: object - properties: - userName: - type: string - title: user_name + title: email_address + required: + - emailAddress + - properties: + userName: + type: string title: user_name - required: - - userName + title: user_name + required: + - userName + properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + category: + title: category + $ref: '#/components/schemas/entity.Entity.Category' title: Entity additionalProperties: false description: PE (Person Entity) or NPE (Non-Person Entity) - entity.Entity.Category: - type: string - title: Category - enum: - - CATEGORY_UNSPECIFIED - - CATEGORY_SUBJECT - - CATEGORY_ENVIRONMENT entity.EntityChain: type: object properties: 
@@ -97,6 +92,9 @@ components: value: type: string format: binary + debug: + type: object + additionalProperties: true additionalProperties: true description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] diff --git a/docs/openapi/entityresolution/entity_resolution.openapi.yaml b/docs/openapi/entityresolution/entity_resolution.openapi.yaml index 6a57e3b749..ac5e8021f4 100644 --- a/docs/openapi/entityresolution/entity_resolution.openapi.yaml +++ b/docs/openapi/entityresolution/entity_resolution.openapi.yaml @@ -2,13 +2,13 @@ openapi: 3.1.0 info: title: entityresolution paths: - /entityresolution.EntityResolutionService/CreateEntityChainFromJwt: + /entityresolution.EntityResolutionService/ResolveEntities: post: tags: - entityresolution.EntityResolutionService - summary: CreateEntityChainFromJwt - description: 'Deprecated: use v2 CreateEntityChainsFromTokens instead' - operationId: entityresolution.EntityResolutionService.CreateEntityChainFromJwt + summary: ResolveEntities + description: 'Deprecated: use v2 ResolveEntities instead' + operationId: entityresolution.EntityResolutionService.ResolveEntities parameters: - name: Connect-Protocol-Version in: header @@ -23,7 +23,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.CreateEntityChainFromJwtRequest' + $ref: '#/components/schemas/entityresolution.ResolveEntitiesRequest' required: true responses: default: 
@@ -37,14 +37,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.CreateEntityChainFromJwtResponse' - /entityresolution.EntityResolutionService/ResolveEntities: + $ref: '#/components/schemas/entityresolution.ResolveEntitiesResponse' + /entityresolution.EntityResolutionService/CreateEntityChainFromJwt: post: tags: - entityresolution.EntityResolutionService - summary: ResolveEntities - description: 'Deprecated: use v2 ResolveEntities instead' - operationId: entityresolution.EntityResolutionService.ResolveEntities + summary: CreateEntityChainFromJwt + description: 'Deprecated: use v2 CreateEntityChainsFromTokens instead' + operationId: entityresolution.EntityResolutionService.CreateEntityChainFromJwt parameters: - name: Connect-Protocol-Version in: header @@ -59,7 +59,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.ResolveEntitiesRequest' + $ref: '#/components/schemas/entityresolution.CreateEntityChainFromJwtRequest' required: true responses: default: 
@@ -73,88 +73,90 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.ResolveEntitiesResponse' + $ref: '#/components/schemas/entityresolution.CreateEntityChainFromJwtResponse' components: schemas: + authorization.Entity.Category: + type: string + title: Category + enum: + - CATEGORY_UNSPECIFIED + - CATEGORY_SUBJECT + - CATEGORY_ENVIRONMENT + google.protobuf.NullValue: + type: string + title: NullValue + enum: + - NULL_VALUE + description: |- + `NullValue` is a singleton enumeration to represent the null value for the + `Value` type union. + + The JSON representation for `NullValue` is JSON `null`. authorization.Entity: type: object - allOf: + oneOf: - properties: - id: - type: string - title: id - description: ephemeral id for tracking between request and response - category: - title: category - $ref: '#/components/schemas/authorization.Entity.Category' - - oneOf: - - type: object - properties: - claims: - title: claims - $ref: '#/components/schemas/google.protobuf.Any' + claims: title: claims - required: - - claims - - type: object - properties: - clientId: - type: string - title: client_id + $ref: '#/components/schemas/google.protobuf.Any' + title: claims + required: + - claims + - properties: + clientId: + type: string title: client_id - required: - - clientId - - type: object - properties: - custom: - title: custom - $ref: '#/components/schemas/authorization.EntityCustom' + title: client_id + required: + - clientId + - properties: + custom: title: custom - required: - - custom - - type: object - properties: - emailAddress: - type: string - title: email_address - description: one of the entity options must be set + $ref: '#/components/schemas/authorization.EntityCustom' + title: custom + required: + - custom + - properties: + emailAddress: + type: string title: email_address - required: - - emailAddress - - type: object - properties: - remoteClaimsUrl: - type: string - title: remote_claims_url + description: one of the 
entity options must be set + title: email_address + required: + - emailAddress + - properties: + remoteClaimsUrl: + type: string title: remote_claims_url - required: - - remoteClaimsUrl - - type: object - properties: - userName: - type: string - title: user_name + title: remote_claims_url + required: + - remoteClaimsUrl + - properties: + userName: + type: string title: user_name - required: - - userName - - type: object - properties: - uuid: - type: string - title: uuid + title: user_name + required: + - userName + - properties: + uuid: + type: string title: uuid - required: - - uuid + title: uuid + required: + - uuid + properties: + id: + type: string + title: id + description: ephemeral id for tracking between request and response + category: + title: category + $ref: '#/components/schemas/authorization.Entity.Category' title: Entity additionalProperties: false description: PE (Person Entity) or NPE (Non-Person Entity) - authorization.Entity.Category: - type: string - title: Category - enum: - - CATEGORY_UNSPECIFIED - - CATEGORY_SUBJECT - - CATEGORY_ENVIRONMENT authorization.EntityChain: type: object properties: 
@@ -192,75 +194,6 @@ components: description: the token title: Token additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' - value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. 
The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. entityresolution.CreateEntityChainFromJwtRequest: type: object properties: @@ -402,6 +335,9 @@ components: value: type: string format: binary + debug: + type: object + additionalProperties: true additionalProperties: true description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. google.protobuf.ListValue: @@ -419,16 +355,6 @@ components: `ListValue` is a wrapper around a repeated field of values. The JSON representation for `ListValue` is JSON array. - google.protobuf.NullValue: - type: string - title: NullValue - enum: - - NULL_VALUE - description: |- - `NullValue` is a singleton enumeration to represent the null value for the - `Value` type union. - - The JSON representation for `NullValue` is JSON `null`. google.protobuf.Struct: type: object additionalProperties: 
@@ -469,6 +395,50 @@ components: variants. Absence of any variant indicates an error. The JSON representation for `Value` is JSON value. + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' security: [] tags: - name: entityresolution.EntityResolutionService diff --git a/docs/openapi/entityresolution/v2/entity_resolution.openapi.yaml b/docs/openapi/entityresolution/v2/entity_resolution.openapi.yaml index 52baa90875..b8e661c75a 100644 --- a/docs/openapi/entityresolution/v2/entity_resolution.openapi.yaml +++ b/docs/openapi/entityresolution/v2/entity_resolution.openapi.yaml 
@@ -2,12 +2,12 @@ openapi: 3.1.0 info: title: entityresolution.v2 paths: - /entityresolution.v2.EntityResolutionService/CreateEntityChainsFromTokens: + /entityresolution.v2.EntityResolutionService/ResolveEntities: post: tags: - entityresolution.v2.EntityResolutionService - summary: CreateEntityChainsFromTokens - operationId: entityresolution.v2.EntityResolutionService.CreateEntityChainsFromTokens + summary: ResolveEntities + operationId: entityresolution.v2.EntityResolutionService.ResolveEntities parameters: - name: Connect-Protocol-Version in: header @@ -22,7 +22,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.v2.CreateEntityChainsFromTokensRequest' + $ref: '#/components/schemas/entityresolution.v2.ResolveEntitiesRequest' required: true responses: default: @@ -36,13 +36,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.v2.CreateEntityChainsFromTokensResponse' - /entityresolution.v2.EntityResolutionService/ResolveEntities: + $ref: '#/components/schemas/entityresolution.v2.ResolveEntitiesResponse' + /entityresolution.v2.EntityResolutionService/CreateEntityChainsFromTokens: post: tags: - entityresolution.v2.EntityResolutionService - summary: ResolveEntities - operationId: entityresolution.v2.EntityResolutionService.ResolveEntities + summary: CreateEntityChainsFromTokens + operationId: entityresolution.v2.EntityResolutionService.CreateEntityChainsFromTokens parameters: - name: Connect-Protocol-Version in: header @@ -57,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.v2.ResolveEntitiesRequest' + $ref: '#/components/schemas/entityresolution.v2.CreateEntityChainsFromTokensRequest' required: true responses: default: 
@@ -71,40 +71,58 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.v2.ResolveEntitiesResponse' + $ref: '#/components/schemas/entityresolution.v2.CreateEntityChainsFromTokensResponse' components: schemas: + entity.Entity.Category: + type: string + title: Category + enum: + - CATEGORY_UNSPECIFIED + - CATEGORY_SUBJECT + - CATEGORY_ENVIRONMENT + google.protobuf.NullValue: + type: string + title: NullValue + enum: + - NULL_VALUE + description: |- + `NullValue` is a singleton enumeration to represent the null value for the + `Value` type union. + + The JSON representation for `NullValue` is JSON `null`. authorization.v2.Resource: type: object - allOf: + oneOf: - properties: - ephemeralId: - type: string - title: ephemeral_id - description: ephemeral id for tracking between request and response - - oneOf: - - type: object - properties: - attributeValues: - title: attribute_values - description: | - a set of attribute value FQNs, such as those on a TDF, between 1 and 20 in count - attribute_values_required // if provided, resource.attribute_values must be between 1 and 20 in count with all valid FQNs - $ref: '#/components/schemas/authorization.v2.Resource.AttributeValues' + attributeValues: title: attribute_values - required: - - attributeValues - - type: object - properties: - registeredResourceValueFqn: - type: string - title: registered_resource_value_fqn - minLength: 1 - format: uri - description: fully qualified name of the registered resource value stored in platform policy + description: |+ + a set of attribute value FQNs, such as those on a TDF, between 1 and 20 in count + if provided, resource.attribute_values must be between 1 and 20 in count with all valid FQNs: + ``` + this.fqns.size() > 0 && this.fqns.size() <= 20 && this.fqns.all(item, item.isUri()) + ``` + + $ref: '#/components/schemas/authorization.v2.Resource.AttributeValues' + title: attribute_values + required: + - attributeValues + - properties: + 
registeredResourceValueFqn: + type: string title: registered_resource_value_fqn - required: - - registeredResourceValueFqn + minLength: 1 + format: uri + description: fully qualified name of the registered resource value stored in platform policy + title: registered_resource_value_fqn + required: + - registeredResourceValueFqn + properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response title: Resource additionalProperties: false description: Either a set of attribute values (such as those on a TDF) or a registered resource value 
@@ -118,130 +136,49 @@ components: title: fqns title: AttributeValues additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' - value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. 
The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. entity.Entity: type: object - allOf: + oneOf: - properties: - ephemeralId: - type: string - title: ephemeral_id - description: ephemeral id for tracking between request and response - category: - title: category - $ref: '#/components/schemas/entity.Entity.Category' - - oneOf: - - type: object - properties: - claims: - title: claims - description: used by ERS claims mode - $ref: '#/components/schemas/google.protobuf.Any' + claims: title: claims - required: - - claims - - type: object - properties: - clientId: - type: string - title: client_id + description: used by ERS claims mode + $ref: '#/components/schemas/google.protobuf.Any' + title: claims + required: + - claims + - properties: + clientId: + type: string title: client_id - required: - - clientId - - type: object - properties: - emailAddress: - type: string - title: email_address + title: client_id + required: + - clientId + - properties: + emailAddress: + type: string title: email_address - required: - - emailAddress - - type: object - properties: - userName: - type: string - title: user_name + title: email_address + required: + - emailAddress + - properties: + userName: + type: string title: user_name - required: - - userName + title: user_name + required: + - userName + properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and 
response + category: + title: category + $ref: '#/components/schemas/entity.Entity.Category' title: Entity additionalProperties: false description: PE (Person Entity) or NPE (Non-Person Entity) - entity.Entity.Category: - type: string - title: Category - enum: - - CATEGORY_UNSPECIFIED - - CATEGORY_SUBJECT - - CATEGORY_ENVIRONMENT entity.EntityChain: type: object properties: @@ -385,6 +322,9 @@ components: value: type: string format: binary + debug: + type: object + additionalProperties: true additionalProperties: true description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. google.protobuf.ListValue: @@ -402,16 +342,6 @@ components: `ListValue` is a wrapper around a repeated field of values. The JSON representation for `ListValue` is JSON array. - google.protobuf.NullValue: - type: string - title: NullValue - enum: - - NULL_VALUE - description: |- - `NullValue` is a singleton enumeration to represent the null value for the - `Value` type union. - - The JSON representation for `NullValue` is JSON `null`. google.protobuf.Struct: type: object additionalProperties: 
@@ -452,6 +382,50 @@ components: variants. Absence of any variant indicates an error. The JSON representation for `Value` is JSON value. + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' security: [] tags: - name: entityresolution.v2.EntityResolutionService diff --git a/docs/openapi/kas/kas.openapi.yaml b/docs/openapi/kas/kas.openapi.yaml index 147aea0ddf..a357028153 100644 --- a/docs/openapi/kas/kas.openapi.yaml +++ b/docs/openapi/kas/kas.openapi.yaml 
@@ -2,16 +2,12 @@ openapi: 3.1.0 info: title: kas paths: - /kas.AccessService/LegacyPublicKey: + /kas.AccessService/PublicKey: post: tags: - kas.AccessService - summary: Endpoint intended for gRPC Gateway's REST endpoint to provide v1 compatibility with older TDF clients - description: |- - This endpoint is not recommended for use in new applications, prefer the v2 endpoint ('PublicKey') instead. - - buf:lint:ignore RPC_RESPONSE_STANDARD_NAME - operationId: kas.AccessService.LegacyPublicKey + summary: PublicKey + operationId: kas.AccessService.PublicKey parameters: - name: Connect-Protocol-Version in: header @@ -26,7 +22,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/kas.LegacyPublicKeyRequest' + $ref: '#/components/schemas/kas.PublicKeyRequest' required: true responses: default: @@ -40,14 +36,19 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/google.protobuf.StringValue' - deprecated: true - /kas.AccessService/PublicKey: + $ref: '#/components/schemas/kas.PublicKeyResponse' + /kas.AccessService/LegacyPublicKey: post: tags: - kas.AccessService - summary: PublicKey - operationId: kas.AccessService.PublicKey + summary: LegacyPublicKey + description: |- + Endpoint intended for gRPC Gateway's REST endpoint to provide v1 compatibility with older TDF clients + + This endpoint is not recommended for use in new applications, prefer the v2 endpoint ('PublicKey') instead. + + buf:lint:ignore RPC_RESPONSE_STANDARD_NAME + operationId: kas.AccessService.LegacyPublicKey parameters: - name: Connect-Protocol-Version in: header @@ -62,7 +63,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/kas.PublicKeyRequest' + $ref: '#/components/schemas/kas.LegacyPublicKeyRequest' required: true responses: default: 
@@ -76,7 +77,8 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/kas.PublicKeyResponse' + $ref: '#/components/schemas/google.protobuf.StringValue' + deprecated: true /kas.AccessService/Rewrap: post: tags: 
@@ -114,75 +116,16 @@ paths: $ref: '#/components/schemas/kas.RewrapResponse' components: schemas: - connect-protocol-version: - type: number - title: Connect-Protocol-Version + google.protobuf.NullValue: + type: string + title: NullValue enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' 
- value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. + - NULL_VALUE + description: |- + `NullValue` is a singleton enumeration to represent the null value for the + `Value` type union. + + The JSON representation for `NullValue` is JSON `null`. google.protobuf.ListValue: type: object properties: @@ -198,16 +141,6 @@ components: `ListValue` is a wrapper around a repeated field of values. The JSON representation for `ListValue` is JSON array. - google.protobuf.NullValue: - type: string - title: NullValue - enum: - - NULL_VALUE - description: |- - `NullValue` is a singleton enumeration to represent the null value for the - `Value` type union. - - The JSON representation for `NullValue` is JSON `null`. google.protobuf.StringValue: type: string description: |- 
@@ -357,57 +290,54 @@ components: description: Key Access Object containing cryptographic material and metadata for TDF decryption kas.KeyAccessRewrapResult: type: object - allOf: + oneOf: - properties: - metadata: - type: object - title: metadata - additionalProperties: - title: value - $ref: '#/components/schemas/google.protobuf.Value' - description: |- - Metadata associated with this KAO result (e.g., required obligations) - Optional: May contain obligation requirements or other policy metadata - Common keys: "X-Required-Obligations" with array of obligation FQNs - keyAccessObjectId: + error: type: string - title: key_access_object_id + title: error description: |- - Identifier matching the key_access_object_id from the request - Required: Always matches the ID from UnsignedRewrapRequest_WithKeyAccessObject - status: + Error message when rewrap failed + Present when status="fail" + Human-readable description of the failure reason + title: error + required: + - error + - properties: + kasWrappedKey: type: string - title: status - description: |- - Status of the rewrap operation for this KAO - Required: Always - Values: "permit" (success), "fail" (failure) - - oneOf: - - type: object - properties: - error: - type: string - title: error - description: |- - Error message when rewrap failed - Present when status="fail" - Human-readable description of the failure reason - title: error - required: - - error - - type: object - properties: - kasWrappedKey: - type: string - title: kas_wrapped_key - format: byte - description: |- - Successfully rewrapped key encrypted with the session key - Present when status="permit" - Contains the DEK encrypted with the ephemeral session key title: kas_wrapped_key - required: - - kasWrappedKey + format: byte + description: |- + Successfully rewrapped key encrypted with the session key + Present when status="permit" + Contains the DEK encrypted with the ephemeral session key + title: kas_wrapped_key + required: + - kasWrappedKey + 
properties: + metadata: + type: object + title: metadata + additionalProperties: + title: value + $ref: '#/components/schemas/google.protobuf.Value' + description: |- + Metadata associated with this KAO result (e.g., required obligations) + Optional: May contain obligation requirements or other policy metadata + Common keys: "X-Required-Obligations" with array of obligation FQNs + keyAccessObjectId: + type: string + title: key_access_object_id + description: |- + Identifier matching the key_access_object_id from the request + Required: Always matches the ID from UnsignedRewrapRequest_WithKeyAccessObject + status: + type: string + title: status + description: |- + Status of the rewrap operation for this KAO + Required: Always + Values: "permit" (success), "fail" (failure) title: KeyAccessRewrapResult additionalProperties: false description: Result of a key access object rewrap operation 
@@ -689,6 +619,63 @@ components: title: WithPolicyRequest additionalProperties: false description: Request grouping policy with associated key access objects + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: kas.AccessService diff --git a/docs/openapi/policy/actions/actions.openapi.yaml b/docs/openapi/policy/actions/actions.openapi.yaml index b5c6f2c12b..db1d5d2a32 100644 --- a/docs/openapi/policy/actions/actions.openapi.yaml 
+++ b/docs/openapi/policy/actions/actions.openapi.yaml @@ -2,12 +2,12 @@ openapi: 3.1.0 info: title: policy.actions paths: - /policy.actions.ActionService/CreateAction: + /policy.actions.ActionService/GetAction: post: tags: - policy.actions.ActionService - summary: CreateAction - operationId: policy.actions.ActionService.CreateAction + summary: GetAction + operationId: policy.actions.ActionService.GetAction parameters: - name: Connect-Protocol-Version in: header @@ -22,7 +22,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.CreateActionRequest' + $ref: '#/components/schemas/policy.actions.GetActionRequest' required: true responses: default: @@ -36,13 +36,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.CreateActionResponse' - /policy.actions.ActionService/DeleteAction: + $ref: '#/components/schemas/policy.actions.GetActionResponse' + /policy.actions.ActionService/ListActions: post: tags: - policy.actions.ActionService - summary: DeleteAction - operationId: policy.actions.ActionService.DeleteAction + summary: ListActions + operationId: policy.actions.ActionService.ListActions parameters: - name: Connect-Protocol-Version in: header @@ -57,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.DeleteActionRequest' + $ref: '#/components/schemas/policy.actions.ListActionsRequest' required: true responses: default: @@ -71,13 +71,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.DeleteActionResponse' - /policy.actions.ActionService/GetAction: + $ref: '#/components/schemas/policy.actions.ListActionsResponse' + /policy.actions.ActionService/CreateAction: post: tags: - policy.actions.ActionService - summary: GetAction - operationId: policy.actions.ActionService.GetAction + summary: CreateAction + operationId: policy.actions.ActionService.CreateAction parameters: - name: Connect-Protocol-Version in: header 
@@ -92,7 +92,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.GetActionRequest' + $ref: '#/components/schemas/policy.actions.CreateActionRequest' required: true responses: default: @@ -106,13 +106,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.GetActionResponse' - /policy.actions.ActionService/ListActions: + $ref: '#/components/schemas/policy.actions.CreateActionResponse' + /policy.actions.ActionService/UpdateAction: post: tags: - policy.actions.ActionService - summary: ListActions - operationId: policy.actions.ActionService.ListActions + summary: UpdateAction + operationId: policy.actions.ActionService.UpdateAction parameters: - name: Connect-Protocol-Version in: header @@ -127,7 +127,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.ListActionsRequest' + $ref: '#/components/schemas/policy.actions.UpdateActionRequest' required: true responses: default: @@ -141,13 +141,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.ListActionsResponse' - /policy.actions.ActionService/UpdateAction: + $ref: '#/components/schemas/policy.actions.UpdateActionResponse' + /policy.actions.ActionService/DeleteAction: post: tags: - policy.actions.ActionService - summary: UpdateAction - operationId: policy.actions.ActionService.UpdateAction + summary: DeleteAction + operationId: policy.actions.ActionService.DeleteAction parameters: - name: Connect-Protocol-Version in: header @@ -162,7 +162,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.UpdateActionRequest' + $ref: '#/components/schemas/policy.actions.DeleteActionRequest' required: true responses: default: 
@@ -176,9 +176,84 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.UpdateActionResponse' + $ref: '#/components/schemas/policy.actions.DeleteActionResponse' components: schemas: + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether 
this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS common.Metadata: type: object properties: 
@@ -234,82 +309,6 @@ components: title: value title: LabelsEntry additionalProperties: false - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' - value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -322,8 +321,8 @@ components: google.protobuf.Timestamp: type: string examples: - - "2023-01-15T01:30:15.01Z" - - "2024-12-25T12:00:00Z" + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -417,65 +416,41 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - allOf: + oneOf: - properties: - id: - type: string - title: id - description: Generated uuid in database - name: + custom: type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - - oneOf: - - type: object - properties: - custom: - type: string - title: custom - description: Deprecated title: custom - required: - - custom - - type: object - properties: - standard: - title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' + description: Deprecated + title: custom + required: + - custom + - properties: + standard: title: standard - required: - - standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' title: Action additionalProperties: false description: An action an entity can take - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. 
policy.Attribute: type: object properties: @@ -532,14 +507,6 @@ components: required: - rule additionalProperties: false - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -557,6 +524,7 @@ components: type: array items: type: string + minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -572,13 +540,6 @@ components: * A Condition defines a rule of - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: @@ -615,7 +576,7 @@ components: alg: not: enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - 0 title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -627,19 +588,6 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: 
@@ -662,9 +610,13 @@ components: uri: type: string title: uri - description: | + description: |+ Address of a KAS instance - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -862,8 +814,7 @@ components: policy.PublicKey: type: object oneOf: - - type: object - properties: + - properties: cached: title: cached description: public key with additional information. Current preferred version @@ -871,14 +822,17 @@ components: title: cached required: - cached - - type: object - properties: + - properties: remote: type: string title: remote - description: | + description: |+ kas public key url - optional since can also be retrieved via public key - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + title: remote required: - remote 
@@ -986,17 +940,6 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: @@ -1062,14 +1005,6 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectSet: type: object properties: @@ -1143,9 +1078,13 @@ components: type: string title: name maxLength: 253 - description: | + description: |+ Required - action_name_format // Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case. + Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + namespaceId: type: string title: namespace_id 
@@ -1201,44 +1140,45 @@ components: additionalProperties: false policy.actions.GetActionRequest: type: object - allOf: + oneOf: - properties: - namespaceId: + id: type: string - title: namespace_id + title: id format: uuid - description: |- - Optional namespace ID to scope name-based lookup. - If omitted for name-based lookup, action search is limited to legacy (namespace_id = NULL) actions. - namespaceFqn: + title: id + required: + - id + - properties: + name: type: string - title: namespace_fqn - minLength: 1 - format: uri - description: |- - Optional namespace FQN to scope name-based lookup. - If omitted for name-based lookup, action search is limited to legacy (namespace_id = NULL) actions. - - oneOf: - - type: object - properties: - id: - type: string - title: id - format: uuid - title: id - required: - - id - - type: object - properties: - name: - type: string - title: name - maxLength: 253 - description: | - action_name_format // Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case. title: name - required: - - name + maxLength: 253 + description: |+ + Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + + title: name + required: + - name + properties: + namespaceId: + type: string + title: namespace_id + format: uuid + description: |- + Optional namespace ID to scope name-based lookup. + If omitted for name-based lookup, action search is limited to legacy (namespace_id = NULL) actions. + namespaceFqn: + type: string + title: namespace_fqn + minLength: 1 + format: uri + description: |- + Optional namespace FQN to scope name-based lookup. + If omitted for name-based lookup, action search is limited to legacy (namespace_id = NULL) actions. 
title: GetActionRequest additionalProperties: false policy.actions.GetActionResponse: @@ -1305,10 +1245,14 @@ components: type: string title: name maxLength: 253 - description: | + description: |+ Optional Custom actions only: replaces the existing action name - action_name_format // Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case. + Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case.: + ``` + size(this) == 0 || this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + metadata: title: metadata description: Common metadata 
@@ -1329,6 +1273,63 @@ components: $ref: '#/components/schemas/policy.Action' title: UpdateActionResponse additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.actions.ActionService diff --git a/docs/openapi/policy/attributes/attributes.openapi.yaml b/docs/openapi/policy/attributes/attributes.openapi.yaml index bb6c0978fe..1eb291ec16 100644 --- a/docs/openapi/policy/attributes/attributes.openapi.yaml 
+++ b/docs/openapi/policy/attributes/attributes.openapi.yaml @@ -2,13 +2,16 @@ openapi: 3.1.0 info: title: policy.attributes paths: - /policy.attributes.AttributesService/AssignKeyAccessServerToAttribute: + /policy.attributes.AttributesService/ListAttributes: post: tags: - policy.attributes.AttributesService - summary: AssignKeyAccessServerToAttribute - description: 'Deprecated: utilize AssignPublicKeyToAttribute' - operationId: policy.attributes.AttributesService.AssignKeyAccessServerToAttribute + summary: ListAttributes + description: |- + --------------------------------------* + Attribute RPCs + --------------------------------------- + operationId: policy.attributes.AttributesService.ListAttributes parameters: - name: Connect-Protocol-Version in: header @@ -23,7 +26,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToAttributeRequest' + $ref: '#/components/schemas/policy.attributes.ListAttributesRequest' required: true responses: default: @@ -37,15 +40,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToAttributeResponse' - deprecated: true - /policy.attributes.AttributesService/AssignKeyAccessServerToValue: + $ref: '#/components/schemas/policy.attributes.ListAttributesResponse' + /policy.attributes.AttributesService/ListAttributeValues: post: tags: - policy.attributes.AttributesService - summary: AssignKeyAccessServerToValue - description: 'Deprecated: utilize AssignPublicKeyToValue' - operationId: policy.attributes.AttributesService.AssignKeyAccessServerToValue + summary: ListAttributeValues + description: |- + Deprecated + Use GetAttribute + operationId: policy.attributes.AttributesService.ListAttributeValues parameters: - name: Connect-Protocol-Version in: header 
@@ -60,7 +64,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToValueRequest' + $ref: '#/components/schemas/policy.attributes.ListAttributeValuesRequest' required: true responses: default: @@ -74,14 +78,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToValueResponse' + $ref: '#/components/schemas/policy.attributes.ListAttributeValuesResponse' deprecated: true - /policy.attributes.AttributesService/AssignPublicKeyToAttribute: + /policy.attributes.AttributesService/GetAttribute: post: tags: - policy.attributes.AttributesService - summary: AssignPublicKeyToAttribute - operationId: policy.attributes.AttributesService.AssignPublicKeyToAttribute + summary: GetAttribute + operationId: policy.attributes.AttributesService.GetAttribute parameters: - name: Connect-Protocol-Version in: header @@ -96,7 +100,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToAttributeRequest' + $ref: '#/components/schemas/policy.attributes.GetAttributeRequest' required: true responses: default: @@ -110,13 +114,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToAttributeResponse' - /policy.attributes.AttributesService/AssignPublicKeyToValue: + $ref: '#/components/schemas/policy.attributes.GetAttributeResponse' + /policy.attributes.AttributesService/GetAttributeValuesByFqns: post: tags: - policy.attributes.AttributesService - summary: AssignPublicKeyToValue - operationId: policy.attributes.AttributesService.AssignPublicKeyToValue + summary: GetAttributeValuesByFqns + operationId: policy.attributes.AttributesService.GetAttributeValuesByFqns parameters: - name: Connect-Protocol-Version in: header 
@@ -131,7 +135,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToValueRequest' + $ref: '#/components/schemas/policy.attributes.GetAttributeValuesByFqnsRequest' required: true responses: default: @@ -145,7 +149,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToValueResponse' + $ref: '#/components/schemas/policy.attributes.GetAttributeValuesByFqnsResponse' /policy.attributes.AttributesService/CreateAttribute: post: tags: @@ -181,12 +185,12 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.attributes.CreateAttributeResponse' - /policy.attributes.AttributesService/CreateAttributeValue: + /policy.attributes.AttributesService/UpdateAttribute: post: tags: - policy.attributes.AttributesService - summary: CreateAttributeValue - operationId: policy.attributes.AttributesService.CreateAttributeValue + summary: UpdateAttribute + operationId: policy.attributes.AttributesService.UpdateAttribute parameters: - name: Connect-Protocol-Version in: header @@ -201,7 +205,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.CreateAttributeValueRequest' + $ref: '#/components/schemas/policy.attributes.UpdateAttributeRequest' required: true responses: default: @@ -215,7 +219,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.CreateAttributeValueResponse' + $ref: '#/components/schemas/policy.attributes.UpdateAttributeResponse' /policy.attributes.AttributesService/DeactivateAttribute: post: tags: 
@@ -251,12 +255,16 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.attributes.DeactivateAttributeResponse' - /policy.attributes.AttributesService/DeactivateAttributeValue: + /policy.attributes.AttributesService/GetAttributeValue: post: tags: - policy.attributes.AttributesService - summary: DeactivateAttributeValue - operationId: policy.attributes.AttributesService.DeactivateAttributeValue + summary: GetAttributeValue + description: |- + --------------------------------------* + Value RPCs + --------------------------------------- + operationId: policy.attributes.AttributesService.GetAttributeValue parameters: - name: Connect-Protocol-Version in: header @@ -271,7 +279,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.DeactivateAttributeValueRequest' + $ref: '#/components/schemas/policy.attributes.GetAttributeValueRequest' required: true responses: default: @@ -285,13 +293,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.DeactivateAttributeValueResponse' - /policy.attributes.AttributesService/GetAttribute: + $ref: '#/components/schemas/policy.attributes.GetAttributeValueResponse' + /policy.attributes.AttributesService/CreateAttributeValue: post: tags: - policy.attributes.AttributesService - summary: GetAttribute - operationId: policy.attributes.AttributesService.GetAttribute + summary: CreateAttributeValue + operationId: policy.attributes.AttributesService.CreateAttributeValue parameters: - name: Connect-Protocol-Version in: header @@ -306,7 +314,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.GetAttributeRequest' + $ref: '#/components/schemas/policy.attributes.CreateAttributeValueRequest' required: true responses: default: 
@@ -320,17 +328,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.GetAttributeResponse' - /policy.attributes.AttributesService/GetAttributeValue: + $ref: '#/components/schemas/policy.attributes.CreateAttributeValueResponse' + /policy.attributes.AttributesService/UpdateAttributeValue: post: tags: - policy.attributes.AttributesService - summary: GetAttributeValue - description: |- - --------------------------------------* - Value RPCs - --------------------------------------- - operationId: policy.attributes.AttributesService.GetAttributeValue + summary: UpdateAttributeValue + operationId: policy.attributes.AttributesService.UpdateAttributeValue parameters: - name: Connect-Protocol-Version in: header @@ -345,7 +349,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.GetAttributeValueRequest' + $ref: '#/components/schemas/policy.attributes.UpdateAttributeValueRequest' required: true responses: default: @@ -359,13 +363,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.GetAttributeValueResponse' - /policy.attributes.AttributesService/GetAttributeValuesByFqns: + $ref: '#/components/schemas/policy.attributes.UpdateAttributeValueResponse' + /policy.attributes.AttributesService/DeactivateAttributeValue: post: tags: - policy.attributes.AttributesService - summary: GetAttributeValuesByFqns - operationId: policy.attributes.AttributesService.GetAttributeValuesByFqns + summary: DeactivateAttributeValue + operationId: policy.attributes.AttributesService.DeactivateAttributeValue parameters: - name: Connect-Protocol-Version in: header @@ -380,7 +384,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.GetAttributeValuesByFqnsRequest' + $ref: '#/components/schemas/policy.attributes.DeactivateAttributeValueRequest' required: true responses: default: 
@@ -394,16 +398,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.GetAttributeValuesByFqnsResponse' - /policy.attributes.AttributesService/ListAttributeValues: + $ref: '#/components/schemas/policy.attributes.DeactivateAttributeValueResponse' + /policy.attributes.AttributesService/AssignKeyAccessServerToAttribute: post: tags: - policy.attributes.AttributesService - summary: ListAttributeValues - description: |- - Deprecated - Use GetAttribute - operationId: policy.attributes.AttributesService.ListAttributeValues + summary: AssignKeyAccessServerToAttribute + description: 'Deprecated: utilize AssignPublicKeyToAttribute' + operationId: policy.attributes.AttributesService.AssignKeyAccessServerToAttribute parameters: - name: Connect-Protocol-Version in: header @@ -418,7 +420,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.ListAttributeValuesRequest' + $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToAttributeRequest' required: true responses: default: @@ -432,18 +434,15 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.ListAttributeValuesResponse' + $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToAttributeResponse' deprecated: true - /policy.attributes.AttributesService/ListAttributes: + /policy.attributes.AttributesService/RemoveKeyAccessServerFromAttribute: post: tags: - policy.attributes.AttributesService - summary: ListAttributes - description: |- - --------------------------------------* - Attribute RPCs - --------------------------------------- - operationId: policy.attributes.AttributesService.ListAttributes + summary: RemoveKeyAccessServerFromAttribute + description: 'Deprecated: utilize RemovePublicKeyFromAttribute' + operationId: policy.attributes.AttributesService.RemoveKeyAccessServerFromAttribute parameters: - name: Connect-Protocol-Version in: header 
@@ -458,7 +457,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.ListAttributesRequest' + $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromAttributeRequest' required: true responses: default: @@ -472,14 +471,15 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.ListAttributesResponse' - /policy.attributes.AttributesService/RemoveKeyAccessServerFromAttribute: + $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromAttributeResponse' + deprecated: true + /policy.attributes.AttributesService/AssignKeyAccessServerToValue: post: tags: - policy.attributes.AttributesService - summary: RemoveKeyAccessServerFromAttribute - description: 'Deprecated: utilize RemovePublicKeyFromAttribute' - operationId: policy.attributes.AttributesService.RemoveKeyAccessServerFromAttribute + summary: AssignKeyAccessServerToValue + description: 'Deprecated: utilize AssignPublicKeyToValue' + operationId: policy.attributes.AttributesService.AssignKeyAccessServerToValue parameters: - name: Connect-Protocol-Version in: header @@ -494,7 +494,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromAttributeRequest' + $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToValueRequest' required: true responses: default: @@ -508,7 +508,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromAttributeResponse' + $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToValueResponse' deprecated: true /policy.attributes.AttributesService/RemoveKeyAccessServerFromValue: post: 
@@ -547,12 +547,12 @@ paths: schema: $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromValueResponse' deprecated: true - /policy.attributes.AttributesService/RemovePublicKeyFromAttribute: + /policy.attributes.AttributesService/AssignPublicKeyToAttribute: post: tags: - policy.attributes.AttributesService - summary: RemovePublicKeyFromAttribute - operationId: policy.attributes.AttributesService.RemovePublicKeyFromAttribute + summary: AssignPublicKeyToAttribute + operationId: policy.attributes.AttributesService.AssignPublicKeyToAttribute parameters: - name: Connect-Protocol-Version in: header @@ -567,7 +567,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromAttributeRequest' + $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToAttributeRequest' required: true responses: default: @@ -581,13 +581,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromAttributeResponse' - /policy.attributes.AttributesService/RemovePublicKeyFromValue: + $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToAttributeResponse' + /policy.attributes.AttributesService/RemovePublicKeyFromAttribute: post: tags: - policy.attributes.AttributesService - summary: RemovePublicKeyFromValue - operationId: policy.attributes.AttributesService.RemovePublicKeyFromValue + summary: RemovePublicKeyFromAttribute + operationId: policy.attributes.AttributesService.RemovePublicKeyFromAttribute parameters: - name: Connect-Protocol-Version in: header @@ -602,7 +602,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromValueRequest' + $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromAttributeRequest' required: true responses: default: 
@@ -616,13 +616,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromValueResponse' - /policy.attributes.AttributesService/UpdateAttribute: + $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromAttributeResponse' + /policy.attributes.AttributesService/AssignPublicKeyToValue: post: tags: - policy.attributes.AttributesService - summary: UpdateAttribute - operationId: policy.attributes.AttributesService.UpdateAttribute + summary: AssignPublicKeyToValue + operationId: policy.attributes.AttributesService.AssignPublicKeyToValue parameters: - name: Connect-Protocol-Version in: header @@ -637,7 +637,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.UpdateAttributeRequest' + $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToValueRequest' required: true responses: default: @@ -651,13 +651,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.UpdateAttributeResponse' - /policy.attributes.AttributesService/UpdateAttributeValue: + $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToValueResponse' + /policy.attributes.AttributesService/RemovePublicKeyFromValue: post: tags: - policy.attributes.AttributesService - summary: UpdateAttributeValue - operationId: policy.attributes.AttributesService.UpdateAttributeValue + summary: RemovePublicKeyFromValue + operationId: policy.attributes.AttributesService.RemovePublicKeyFromValue parameters: - name: Connect-Protocol-Version in: header @@ -672,7 +672,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.UpdateAttributeValueRequest' + $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromValueRequest' required: true responses: default: 
@@ -686,7 +686,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.UpdateAttributeValueResponse' + $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromValueResponse' components: schemas: common.ActiveStateEnum: 
@@ -698,14 +698,103 @@ components: - ACTIVE_STATE_ENUM_INACTIVE - ACTIVE_STATE_ENUM_ANY description: 'buflint ENUM_VALUE_PREFIX: to make sure that C++ scoping rules aren''t violated when users add new enum values to an enum in a given package' + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - SORT_DIRECTION_ASC + - SORT_DIRECTION_DESC + 
description: |- + Sorting direction shared across list APIs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS + policy.attributes.SortAttributesType: + type: string + title: SortAttributesType + enum: + - SORT_ATTRIBUTES_TYPE_UNSPECIFIED + - SORT_ATTRIBUTES_TYPE_NAME + - SORT_ATTRIBUTES_TYPE_CREATED_AT + - SORT_ATTRIBUTES_TYPE_UPDATED_AT common.IdFqnIdentifier: type: object - allOf: - - oneOf: - - required: - - id - - required: - - fqn properties: id: type: string @@ -720,12 +809,6 @@ components: additionalProperties: false common.IdNameIdentifier: type: object - allOf: - - oneOf: - - required: - - id - - required: - - name properties: id: type: string 
@@ -736,8 +819,12 @@ components: title: name maxLength: 253 minLength: 1 - description: | - name_format // Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. + description: |+ + Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + title: IdNameIdentifier additionalProperties: false common.Metadata: 
@@ -795,82 +882,6 @@ components: title: value title: LabelsEntry additionalProperties: false - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' - value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -883,8 +894,8 @@ components: google.protobuf.Timestamp: type: string examples: - - "2023-01-15T01:30:15.01Z" - - "2024-12-25T12:00:00Z" + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -978,65 +989,41 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - allOf: + oneOf: - properties: - id: - type: string - title: id - description: Generated uuid in database - name: + custom: type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - - oneOf: - - type: object - properties: - custom: - type: string - title: custom - description: Deprecated title: custom - required: - - custom - - type: object - properties: - standard: - title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' + description: Deprecated + title: custom + required: + - custom + - properties: + standard: title: standard - required: - - standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' title: Action additionalProperties: false description: An action an entity can take - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. 
policy.Attribute: type: object properties: @@ -1093,14 +1080,6 @@ components: required: - rule additionalProperties: false - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -1118,6 +1097,7 @@ components: type: array items: type: string + minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -1133,13 +1113,6 @@ components: * A Condition defines a rule of - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: @@ -1176,7 +1149,7 @@ components: alg: not: enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - 0 title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -1188,19 +1161,6 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: 
@@ -1223,9 +1183,13 @@ components: uri: type: string title: uri - description: | + description: |+ Address of a KAS instance - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -1423,8 +1387,7 @@ components: policy.PublicKey: type: object oneOf: - - type: object - properties: + - properties: cached: title: cached description: public key with additional information. Current preferred version @@ -1432,14 +1395,17 @@ components: title: cached required: - cached - - type: object - properties: + - properties: remote: type: string title: remote - description: | + description: |+ kas public key url - optional since can also be retrieved via public key - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + title: remote required: - remote 
@@ -1547,29 +1513,6 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false - policy.SortDirection: - type: string - title: SortDirection - enum: - - SORT_DIRECTION_UNSPECIFIED - - SORT_DIRECTION_ASC - - SORT_DIRECTION_DESC - description: |- - Sorting direction shared across list APIs. - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: @@ -1635,14 +1578,6 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectSet: type: object properties: 
@@ -1866,9 +1801,13 @@ components: type: string title: name maxLength: 253 - description: | + description: |+ Required - attribute_name_format // Attribute name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute name will be normalized to lower case. + Attribute name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute name will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + rule: title: rule description: Required @@ -1879,6 +1818,7 @@ components: type: string maxLength: 253 pattern: ^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$ + uniqueItems: true title: values uniqueItems: true description: |- @@ -1924,9 +1864,13 @@ components: type: string title: value maxLength: 253 - description: | + description: |+ Required - attribute_value_format // Attribute value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute value will be normalized to lower case. + Attribute value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute value will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + obligationTriggers: type: array items: 
@@ -1991,40 +1935,45 @@ components: additionalProperties: false policy.attributes.GetAttributeRequest: type: object - allOf: + oneOf: - properties: - id: + attributeId: type: string - title: id - format: uuid - description: 'Deprecated: utilize identifier' - deprecated: true - - oneOf: - - type: object - properties: - attributeId: - type: string - title: attribute_id - format: uuid - description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' title: attribute_id - required: - - attributeId - - type: object - properties: - fqn: - type: string - title: fqn - minLength: 1 - format: uri + format: uuid + description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' + title: attribute_id + required: + - attributeId + - properties: + fqn: + type: string title: fqn - required: - - fqn + minLength: 1 + format: uri + title: fqn + required: + - fqn + properties: + id: + type: string + title: id + format: uuid + description: 'Deprecated: utilize identifier' + deprecated: true title: GetAttributeRequest additionalProperties: false - description: | - exclusive_fields // Either use deprecated 'id' field or one of 'attribute_id' or 'fqn', but not both - required_fields // Either id or one of attribute_id or fqn must be set + description: |+ + Either use deprecated 'id' field or one of 'attribute_id' or 'fqn', but not both: + ``` + !(has(this.id) && (has(this.attribute_id) || has(this.fqn))) + ``` + + Either id or one of attribute_id or fqn must be set: + ``` + has(this.id) || has(this.attribute_id) || has(this.fqn) + ``` + policy.attributes.GetAttributeResponse: type: object properties: 
@@ -2035,43 +1984,48 @@ components: additionalProperties: false policy.attributes.GetAttributeValueRequest: type: object - allOf: + oneOf: - properties: - id: + fqn: type: string - title: id - format: uuid - description: 'Deprecated: utilize identifier' - deprecated: true - - oneOf: - - type: object - properties: - fqn: - type: string - title: fqn - minLength: 1 - format: uri title: fqn - required: - - fqn - - type: object - properties: - valueId: - type: string - title: value_id - format: uuid - description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' + minLength: 1 + format: uri + title: fqn + required: + - fqn + - properties: + valueId: + type: string title: value_id - required: - - valueId + format: uuid + description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' + title: value_id + required: + - valueId + properties: + id: + type: string + title: id + format: uuid + description: 'Deprecated: utilize identifier' + deprecated: true title: GetAttributeValueRequest additionalProperties: false - description: | + description: |+ / / Value RPC messages / - exclusive_fields // Either use deprecated 'id' field or one of 'value_id' or 'fqn', but not both - required_fields // Either id or one of value_id or fqn must be set + Either use deprecated 'id' field or one of 'value_id' or 'fqn', but not both: + ``` + !(has(this.id) && (has(this.value_id) || has(this.fqn))) + ``` + + Either id or one of value_id or fqn must be set: + ``` + has(this.id) || has(this.value_id) || has(this.fqn) + ``` + policy.attributes.GetAttributeValueResponse: type: object properties: @@ -2087,6 +2041,8 @@ components: type: array items: type: string + maxItems: 250 + minItems: 1 title: fqns maxItems: 250 minItems: 1 
@@ -2284,14 +2240,6 @@ components: $ref: '#/components/schemas/policy.attributes.ValueKey' title: RemovePublicKeyFromValueResponse additionalProperties: false - policy.attributes.SortAttributesType: - type: string - title: SortAttributesType - enum: - - SORT_ATTRIBUTES_TYPE_UNSPECIFIED - - SORT_ATTRIBUTES_TYPE_NAME - - SORT_ATTRIBUTES_TYPE_CREATED_AT - - SORT_ATTRIBUTES_TYPE_UPDATED_AT policy.attributes.UpdateAttributeRequest: type: object properties: 
@@ -2377,6 +2325,63 @@ components: description: Required title: ValueKeyAccessServer additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.attributes.AttributesService diff --git a/docs/openapi/policy/definitionvalueentitlement/definition_value_entitlement.openapi.yaml b/docs/openapi/policy/definitionvalueentitlement/definition_value_entitlement.openapi.yaml new file mode 100644 index 0000000000..34935a878e --- /dev/null 
+++ b/docs/openapi/policy/definitionvalueentitlement/definition_value_entitlement.openapi.yaml 
@@ -0,0 +1,1472 @@ +openapi: 3.1.0 +info: + title: policy.definitionvalueentitlement +paths: + /policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/ListDefinitionValueEntitlementMappings: + post: + tags: + - policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService + summary: ListDefinitionValueEntitlementMappings + operationId: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.ListDefinitionValueEntitlementMappings + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse' + /policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/GetDefinitionValueEntitlementMapping: + post: + tags: + - policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService + summary: GetDefinitionValueEntitlementMapping + operationId: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.GetDefinitionValueEntitlementMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: 
'#/components/schemas/policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse' + /policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/CreateDefinitionValueEntitlementMapping: + post: + tags: + - policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService + summary: CreateDefinitionValueEntitlementMapping + operationId: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.CreateDefinitionValueEntitlementMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse' + /policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/UpdateDefinitionValueEntitlementMapping: + post: + tags: + - policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService + summary: UpdateDefinitionValueEntitlementMapping + operationId: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.UpdateDefinitionValueEntitlementMapping + parameters: + - name: 
Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse' + /policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/DeleteDefinitionValueEntitlementMapping: + post: + tags: + - policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService + summary: DeleteDefinitionValueEntitlementMapping + operationId: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.DeleteDefinitionValueEntitlementMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse' +components: + schemas: + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - 
METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.DynamicValueOperatorEnum: + type: string + title: DynamicValueOperatorEnum + enum: + - DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED + - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN + - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS + description: |- + Operators for dynamic, definition-level value entitlement. Unlike + SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into + policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's + attribute value segment, supplied at decision time. Each value is the inversion of its + static SubjectMappingOperatorEnum counterpart. 
+ policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - SORT_DIRECTION_ASC + - SORT_DIRECTION_DESC + description: |- + Sorting direction shared across list APIs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. 
+ policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS + policy.definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType: + type: string + title: SortDefinitionValueEntitlementMappingsType + enum: + - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED + - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT + - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT + common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + common.MetadataMutable: + type: object + properties: + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional labels + title: MetadataMutable + additionalProperties: false + common.MetadataMutable.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + google.protobuf.BoolValue: + type: boolean + description: |- + Wrapper message for 
`bool`. + + The JSON representation for `BoolValue` is JSON `true` and `false`. + + Not recommended for use in new APIs, but still useful for legacy APIs and + has no plan to be removed. + google.protobuf.Timestamp: + type: string + examples: + - 1s + - 1.000340012s + format: date-time + description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). + + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. + + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. 
+ Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. + + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. + + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. + + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). + + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. 
In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. + policy.Action: + type: object + oneOf: + - properties: + custom: + type: string + title: custom + description: Deprecated + title: custom + required: + - custom + - properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: Action + additionalProperties: false + description: An action an entity can take + policy.Attribute: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + description: namespace of the attribute + $ref: '#/components/schemas/policy.Namespace' + name: + type: string + title: name + description: attribute name + rule: + title: rule + description: attribute rule enum + $ref: '#/components/schemas/policy.AttributeRuleTypeEnum' + values: + type: array + items: + $ref: '#/components/schemas/policy.Value' + title: values + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: Deprecated KAS grants for the attribute. Use kas_keys instead. 
+ fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys associated with the attribute + allowTraversal: + title: allow_traversal + description: |- + Whether or not we will use the attribute definition during encryption + if the attribute value is missing. + $ref: '#/components/schemas/google.protobuf.BoolValue' + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Attribute + required: + - rule + additionalProperties: false + policy.Condition: + type: object + properties: + subjectExternalSelectorValue: + type: string + title: subject_external_selector_value + description: |- + a selector for a field value on a flattened Entity Representation (such as + from idP/LDAP) + operator: + title: operator + description: the evaluation operator of relation + $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum' + subjectExternalValues: + type: array + items: + type: string + minItems: 1 + title: subject_external_values + minItems: 1 + description: |- + list of comparison values for the result of applying the + subject_external_selector_value on a flattened Entity Representation + (Subject), evaluated by the operator + title: Condition + required: + - subjectExternalSelectorValue + - operator + additionalProperties: false + description: |- + * + A Condition defines a rule of + policy.ConditionGroup: + type: object + properties: + conditions: + type: array + items: + $ref: '#/components/schemas/policy.Condition' + title: conditions + minItems: 1 + booleanOperator: + title: boolean_operator + description: the boolean evaluation type across the conditions + $ref: '#/components/schemas/policy.ConditionBooleanTypeEnum' + title: ConditionGroup + required: + - 
booleanOperator + additionalProperties: false + description: A collection of Conditions evaluated by the boolean_operator provided + policy.DefinitionValueEntitlementMapping: + type: object + properties: + id: + type: string + title: id + attributeDefinition: + title: attribute_definition + description: the Attribute Definition whose values are entitled dynamically + $ref: '#/components/schemas/policy.Attribute' + valueResolver: + title: value_resolver + description: the dynamic resolver matched against the requested resource value segment + $ref: '#/components/schemas/policy.DefinitionValueResolver' + subjectConditionSet: + title: subject_condition_set + description: |- + optional static pre-gate on the entity, evaluated with normal SubjectConditionSet + semantics (no dynamic overload). When present, both the gate and the resolver must + pass for entitlement. + $ref: '#/components/schemas/policy.SubjectConditionSet' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: the actions permitted by subjects in this mapping + namespace: + title: namespace + description: the namespace containing this mapping + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: DefinitionValueEntitlementMapping + additionalProperties: false + description: |- + Definition Value Entitlement Mapping: a Policy assigning permitted action(s) to + dynamically-requested values under an Attribute Definition. It raises entitlement + authority from a concrete Attribute Value to the Attribute Definition: at decision time + the value_resolver compares the requested resource value segment against the entity + representation, avoiding pre-provisioning a value + subject mapping per discrete value. 
+ policy.DefinitionValueResolver: + type: object + properties: + subjectExternalSelectorValue: + type: string + title: subject_external_selector_value + description: |- + a selector for a field value on a flattened Entity Representation (such as from + idP/LDAP), e.g. ".patientAssignments[]" + operator: + title: operator + description: the dynamic operator comparing the selector result to the resource value segment + $ref: '#/components/schemas/policy.DynamicValueOperatorEnum' + title: DefinitionValueResolver + required: + - subjectExternalSelectorValue + - operator + additionalProperties: false + description: |- + Definition Value Resolver: the dynamic half of a DefinitionValueEntitlementMapping. It + resolves a selector against the entity representation and compares the result to the + requested resource value segment using a DynamicValueOperatorEnum. + policy.KasPublicKey: + type: object + properties: + pem: + type: string + title: pem + maxLength: 8192 + minLength: 1 + description: x509 ASN.1 content in PEM envelope, usually + kid: + type: string + title: kid + maxLength: 32 + minLength: 1 + description: A unique string identifier for this key + alg: + not: + enum: + - 0 + title: alg + description: |- + A known algorithm type with any additional parameters encoded. + To start, these may be `rsa:2048` for RSA-based wrapping and + `ec:secp256r1` for EC-based wrapping, but more formats may be added as needed. 
+ $ref: '#/components/schemas/policy.KasPublicKeyAlgEnum' + title: KasPublicKey + additionalProperties: false + description: |- + Deprecated + A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeySet: + type: object + properties: + keys: + type: array + items: + $ref: '#/components/schemas/policy.KasPublicKey' + title: keys + title: KasPublicKeySet + additionalProperties: false + description: |- + Deprecated + A list of known KAS public keys + policy.KeyAccessServer: + type: object + properties: + id: + type: string + title: id + uri: + type: string + title: uri + description: |+ + Address of a KAS instance + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + + publicKey: + title: public_key + description: 'Deprecated: KAS can have multiple key pairs' + $ref: '#/components/schemas/policy.PublicKey' + sourceType: + title: source_type + description: 'The source of the KAS: (INTERNAL, EXTERNAL)' + $ref: '#/components/schemas/policy.SourceType' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Kas keys associated with this KAS + name: + type: string + title: name + description: |- + Optional + Unique name of the KAS instance + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyAccessServer + additionalProperties: false + description: Key Access Server Registry + policy.Namespace: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + name: + type: string + title: name + description: |- + used to partition Attribute Definitions, support by 
namespace AuthN and + enable federation + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: Deprecated KAS grants for the namespace. Use kas_keys instead. + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys for the namespace + title: Namespace + additionalProperties: false + policy.Obligation: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + $ref: '#/components/schemas/policy.Namespace' + name: + type: string + title: name + values: + type: array + items: + $ref: '#/components/schemas/policy.ObligationValue' + title: values + fqn: + type: string + title: fqn + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: Obligation + additionalProperties: false + policy.ObligationTrigger: + type: object + properties: + id: + type: string + title: id + obligationValue: + title: obligation_value + $ref: '#/components/schemas/policy.ObligationValue' + action: + title: action + $ref: '#/components/schemas/policy.Action' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + context: + type: array + items: + $ref: '#/components/schemas/policy.RequestContext' + title: context + namespace: + title: namespace + description: The source namespace for this trigger, derived from the attribute value and action. 
+ $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: ObligationTrigger + additionalProperties: false + policy.ObligationValue: + type: object + properties: + id: + type: string + title: id + obligation: + title: obligation + $ref: '#/components/schemas/policy.Obligation' + value: + type: string + title: value + triggers: + type: array + items: + $ref: '#/components/schemas/policy.ObligationTrigger' + title: triggers + fqn: + type: string + title: fqn + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: ObligationValue + additionalProperties: false + policy.PageRequest: + type: object + properties: + limit: + type: integer + title: limit + format: int32 + description: |- + Optional + Set to configured default limit if not provided + Maximum limit set in platform config and enforced by services + offset: + type: integer + title: offset + format: int32 + description: |- + Optional + Defaulted if not provided + title: PageRequest + additionalProperties: false + policy.PageResponse: + type: object + properties: + currentOffset: + type: integer + title: current_offset + format: int32 + description: Requested pagination offset + nextOffset: + type: integer + title: next_offset + format: int32 + description: |- + Calculated with request limit + offset or defaults + Empty when none remain after current page + total: + type: integer + title: total + format: int32 + description: Total count of entire list + title: PageResponse + additionalProperties: false + policy.PolicyEnforcementPoint: + type: object + properties: + clientId: + type: string + title: client_id + minLength: 1 + title: PolicyEnforcementPoint + additionalProperties: false + policy.PublicKey: + type: object + oneOf: + - properties: + cached: + title: cached + description: public key with additional information. 
Current preferred version + $ref: '#/components/schemas/policy.KasPublicKeySet' + title: cached + required: + - cached + - properties: + remote: + type: string + title: remote + description: |+ + kas public key url - optional since can also be retrieved via public key + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + + title: remote + required: + - remote + title: PublicKey + additionalProperties: false + description: Deprecated + policy.RequestContext: + type: object + properties: + pep: + title: pep + $ref: '#/components/schemas/policy.PolicyEnforcementPoint' + title: RequestContext + required: + - pep + additionalProperties: false + description: Holds the context needed for obligation fulfillment + policy.ResourceMapping: + type: object + properties: + id: + type: string + title: id + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + terms: + type: array + items: + type: string + title: terms + group: + title: group + $ref: '#/components/schemas/policy.ResourceMappingGroup' + title: ResourceMapping + required: + - attributeValue + additionalProperties: false + description: |- + Resource Mappings (aka Access Control Resource Encodings aka ACRE) are + structures supporting the mapping of Resources and Attribute Values + policy.ResourceMappingGroup: + type: object + properties: + id: + type: string + title: id + namespaceId: + type: string + title: namespace_id + description: the namespace containing the group of resource mappings + name: + type: string + title: name + description: |- + the common name for the group of resource mappings, which must be 
unique + per namespace + fqn: + type: string + title: fqn + description: the fully qualified name of the resource mapping group + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: ResourceMappingGroup + required: + - namespaceId + - name + additionalProperties: false + description: |- + Resource Mapping Groups are namespaced collections of Resource Mappings + associated under a common group name. + policy.SimpleKasKey: + type: object + properties: + kasUri: + type: string + title: kas_uri + description: The URL of the Key Access Server + publicKey: + title: public_key + description: The public key of the Key that belongs to the KAS + $ref: '#/components/schemas/policy.SimpleKasPublicKey' + kasId: + type: string + title: kas_id + description: The ID of the Key Access Server + title: SimpleKasKey + additionalProperties: false + policy.SimpleKasPublicKey: + type: object + properties: + algorithm: + title: algorithm + $ref: '#/components/schemas/policy.Algorithm' + kid: + type: string + title: kid + pem: + type: string + title: pem + title: SimpleKasPublicKey + additionalProperties: false + policy.SubjectConditionSet: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + description: |- + the namespace containing this subject condition set + possible this is empty in the case a subject condition set + has not been migrated to a namespace. + $ref: '#/components/schemas/policy.Namespace' + subjectSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectSet' + title: subject_sets + minItems: 1 + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectConditionSet + additionalProperties: false + description: |- + A container for multiple Subject Sets, each containing Condition Groups, each + containing Conditions. Multiple Subject Sets in a SubjectConditionSet are + evaluated with AND logic. 
As each Subject Mapping has only one Attribute + Value, the SubjectConditionSet is reusable across multiple Subject Mappings / + Attribute Values and is an independent unit. + policy.SubjectMapping: + type: object + properties: + id: + type: string + title: id + attributeValue: + title: attribute_value + description: 'the Attribute Value mapped to; aka: "The Entity Entitlement Attribute"' + $ref: '#/components/schemas/policy.Value' + subjectConditionSet: + title: subject_condition_set + description: the reusable SubjectConditionSet mapped to the given Attribute Value + $ref: '#/components/schemas/policy.SubjectConditionSet' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: The actions permitted by subjects in this mapping + namespace: + title: namespace + description: |- + the namespace containing this subject mapping + possible this is empty. If so that means + the Subject Mapping has not been migrated to a namespace. + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectMapping + additionalProperties: false + description: |- + Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute + value + action(s) combination + policy.SubjectSet: + type: object + properties: + conditionGroups: + type: array + items: + $ref: '#/components/schemas/policy.ConditionGroup' + title: condition_groups + minItems: 1 + description: multiple Condition Groups are evaluated with AND logic + title: SubjectSet + additionalProperties: false + description: A collection of Condition Groups + policy.Value: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + value: + type: string + title: value + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + 
description: Deprecated KAS grants for the value. Use kas_keys instead. + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + subjectMappings: + type: array + items: + $ref: '#/components/schemas/policy.SubjectMapping' + title: subject_mappings + description: subject mapping + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + resourceMappings: + type: array + items: + $ref: '#/components/schemas/policy.ResourceMapping' + title: resource_mappings + obligations: + type: array + items: + $ref: '#/components/schemas/policy.Obligation' + title: obligations + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Value + additionalProperties: false + policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest: + type: object + properties: + attributeDefinitionId: + type: string + title: attribute_definition_id + description: |+ + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + attributeDefinitionFqn: + type: string + title: attribute_definition_fqn + format: uri + valueResolver: + title: value_resolver + description: 'Required: the dynamic resolver comparing entity selector result to the resource value segment' + $ref: '#/components/schemas/policy.DefinitionValueResolver' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + minItems: 1 + description: |+ + Required: actions permitted on a matched value + Action name or ID must not be empty if provided: + ``` + this.all(item, item.name != '' || item.id != '') + ``` + + existingSubjectConditionSetId: + type: string + title: existing_subject_condition_set_id + description: |+ + Optional static pre-gate. 
Reuse an existing SubjectConditionSet (prioritized) ... + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + newSubjectConditionSet: + title: new_subject_condition_set + description: '... or create a new one (ignored if existing_subject_condition_set_id is provided)' + $ref: '#/components/schemas/policy.subjectmapping.SubjectConditionSetCreate' + namespaceId: + type: string + title: namespace_id + description: |+ + Optional: namespace ID or FQN for the mapping + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + namespaceFqn: + type: string + title: namespace_fqn + format: uri + metadata: + title: metadata + description: Optional + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateDefinitionValueEntitlementMappingRequest + required: + - valueResolver + additionalProperties: false + policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse: + type: object + properties: + definitionValueEntitlementMapping: + title: definition_value_entitlement_mapping + $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' + title: CreateDefinitionValueEntitlementMappingResponse + additionalProperties: false + policy.definitionvalueentitlement.DefinitionValueEntitlementMappingsSort: + type: object + properties: + field: + title: field + $ref: '#/components/schemas/policy.definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType' + direction: + title: direction + $ref: '#/components/schemas/policy.SortDirection' + title: DefinitionValueEntitlementMappingsSort + additionalProperties: false + policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: 
DeleteDefinitionValueEntitlementMappingRequest + additionalProperties: false + policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse: + type: object + properties: + definitionValueEntitlementMapping: + title: definition_value_entitlement_mapping + description: Only ID of the deleted mapping provided + $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' + title: DeleteDefinitionValueEntitlementMappingResponse + additionalProperties: false + policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: GetDefinitionValueEntitlementMappingRequest + additionalProperties: false + policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse: + type: object + properties: + definitionValueEntitlementMapping: + title: definition_value_entitlement_mapping + $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' + title: GetDefinitionValueEntitlementMappingResponse + additionalProperties: false + policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest: + type: object + properties: + namespaceId: + type: string + title: namespace_id + description: |+ + Optional + Namespace ID or FQN, or Attribute Definition ID or FQN to filter by + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + attributeDefinitionId: + type: string + title: attribute_definition_id + description: |+ + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + sort: + type: array + items: + $ref: 
'#/components/schemas/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingsSort' + title: sort + maxItems: 1 + description: 'Optional - CONSTRAINT: max 1 item' + title: ListDefinitionValueEntitlementMappingsRequest + additionalProperties: false + policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse: + type: object + properties: + definitionValueEntitlementMappings: + type: array + items: + $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' + title: definition_value_entitlement_mappings + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListDefinitionValueEntitlementMappingsResponse + additionalProperties: false + policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + valueResolver: + title: value_resolver + description: 'Optional: replace the dynamic resolver' + $ref: '#/components/schemas/policy.DefinitionValueResolver' + subjectConditionSetId: + type: string + title: subject_condition_set_id + description: |+ + Optional: replace the static pre-gate SubjectConditionSet by id + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: |+ + Optional: replace the entire list of actions + Action name or ID must not be empty if provided: + ``` + this.size() == 0 || this.all(item, item.name != '' || item.id != '') + ``` + + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateDefinitionValueEntitlementMappingRequest + 
additionalProperties: false + policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse: + type: object + properties: + definitionValueEntitlementMapping: + title: definition_value_entitlement_mapping + $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' + title: UpdateDefinitionValueEntitlementMappingResponse + additionalProperties: false + policy.subjectmapping.SubjectConditionSetCreate: + type: object + properties: + subjectSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectSet' + title: subject_sets + minItems: 1 + description: Required + metadata: + title: metadata + description: |- + Optional + Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + title: SubjectConditionSetCreate + additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. 
+ detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. +security: [] +tags: + - name: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService diff --git a/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml b/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml index 8d9f785054..a3eb12f037 100644 --- a/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml +++ b/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml @@ -2,15 +2,12 @@ openapi: 3.1.0 info: title: policy.kasregistry paths: - /policy.kasregistry.KeyAccessServerRegistryService/CreateKey: + /policy.kasregistry.KeyAccessServerRegistryService/ListKeyAccessServers: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: CreateKey - description: |- - KAS Key Management - Request to create a new key in the Key Access Service. - operationId: policy.kasregistry.KeyAccessServerRegistryService.CreateKey + summary: ListKeyAccessServers + operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers parameters: - name: Connect-Protocol-Version in: header @@ -25,7 +22,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.CreateKeyRequest' + $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServersRequest' required: true responses: default: 
@@ -39,13 +36,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.CreateKeyResponse' - /policy.kasregistry.KeyAccessServerRegistryService/CreateKeyAccessServer: + $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServersResponse' + /policy.kasregistry.KeyAccessServerRegistryService/GetKeyAccessServer: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: CreateKeyAccessServer - operationId: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer + summary: GetKeyAccessServer + operationId: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer parameters: - name: Connect-Protocol-Version in: header @@ -60,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.CreateKeyAccessServerRequest' + $ref: '#/components/schemas/policy.kasregistry.GetKeyAccessServerRequest' required: true responses: default: @@ -74,13 +71,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.CreateKeyAccessServerResponse' - /policy.kasregistry.KeyAccessServerRegistryService/DeleteKeyAccessServer: + $ref: '#/components/schemas/policy.kasregistry.GetKeyAccessServerResponse' + /policy.kasregistry.KeyAccessServerRegistryService/CreateKeyAccessServer: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: DeleteKeyAccessServer - operationId: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer + summary: CreateKeyAccessServer + operationId: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer parameters: - name: Connect-Protocol-Version in: header @@ -95,7 +92,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.DeleteKeyAccessServerRequest' + $ref: '#/components/schemas/policy.kasregistry.CreateKeyAccessServerRequest' required: true responses: default: 
@@ -109,14 +106,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.DeleteKeyAccessServerResponse' - /policy.kasregistry.KeyAccessServerRegistryService/GetBaseKey: + $ref: '#/components/schemas/policy.kasregistry.CreateKeyAccessServerResponse' + /policy.kasregistry.KeyAccessServerRegistryService/UpdateKeyAccessServer: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: GetBaseKey - description: Get Default kas keys - operationId: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey + summary: UpdateKeyAccessServer + operationId: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer parameters: - name: Connect-Protocol-Version in: header @@ -131,7 +127,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.GetBaseKeyRequest' + $ref: '#/components/schemas/policy.kasregistry.UpdateKeyAccessServerRequest' required: true responses: default: @@ -145,14 +141,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.GetBaseKeyResponse' - /policy.kasregistry.KeyAccessServerRegistryService/GetKey: + $ref: '#/components/schemas/policy.kasregistry.UpdateKeyAccessServerResponse' + /policy.kasregistry.KeyAccessServerRegistryService/DeleteKeyAccessServer: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: GetKey - description: Request to retrieve a key from the Key Access Service. - operationId: policy.kasregistry.KeyAccessServerRegistryService.GetKey + summary: DeleteKeyAccessServer + operationId: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer parameters: - name: Connect-Protocol-Version in: header @@ -167,7 +162,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.GetKeyRequest' + $ref: '#/components/schemas/policy.kasregistry.DeleteKeyAccessServerRequest' required: true responses: default: 
@@ -181,13 +176,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.GetKeyResponse' - /policy.kasregistry.KeyAccessServerRegistryService/GetKeyAccessServer: + $ref: '#/components/schemas/policy.kasregistry.DeleteKeyAccessServerResponse' + /policy.kasregistry.KeyAccessServerRegistryService/ListKeyAccessServerGrants: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: GetKeyAccessServer - operationId: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer + summary: ListKeyAccessServerGrants + description: Deprecated + operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants parameters: - name: Connect-Protocol-Version in: header @@ -202,7 +198,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.GetKeyAccessServerRequest' + $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServerGrantsRequest' required: true responses: default: @@ -216,14 +212,17 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.GetKeyAccessServerResponse' - /policy.kasregistry.KeyAccessServerRegistryService/ListKeyAccessServerGrants: + $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServerGrantsResponse' + deprecated: true + /policy.kasregistry.KeyAccessServerRegistryService/CreateKey: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: ListKeyAccessServerGrants - description: Deprecated - operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants + summary: CreateKey + description: |- + KAS Key Management + Request to create a new key in the Key Access Service. + operationId: policy.kasregistry.KeyAccessServerRegistryService.CreateKey parameters: - name: Connect-Protocol-Version in: header 
@@ -238,7 +237,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServerGrantsRequest' + $ref: '#/components/schemas/policy.kasregistry.CreateKeyRequest' required: true responses: default: @@ -252,14 +251,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServerGrantsResponse' - deprecated: true - /policy.kasregistry.KeyAccessServerRegistryService/ListKeyAccessServers: + $ref: '#/components/schemas/policy.kasregistry.CreateKeyResponse' + /policy.kasregistry.KeyAccessServerRegistryService/GetKey: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: ListKeyAccessServers - operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers + summary: GetKey + description: Request to retrieve a key from the Key Access Service. + operationId: policy.kasregistry.KeyAccessServerRegistryService.GetKey parameters: - name: Connect-Protocol-Version in: header @@ -274,7 +273,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServersRequest' + $ref: '#/components/schemas/policy.kasregistry.GetKeyRequest' required: true responses: default: 
@@ -288,14 +287,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServersResponse' - /policy.kasregistry.KeyAccessServerRegistryService/ListKeyMappings: + $ref: '#/components/schemas/policy.kasregistry.GetKeyResponse' + /policy.kasregistry.KeyAccessServerRegistryService/ListKeys: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: ListKeyMappings - description: Request to list key mappings in the Key Access Service. - operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyMappings + summary: ListKeys + description: Request to list keys in the Key Access Service. + operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeys parameters: - name: Connect-Protocol-Version in: header @@ -310,7 +309,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeyMappingsRequest' + $ref: '#/components/schemas/policy.kasregistry.ListKeysRequest' required: true responses: default: @@ -324,14 +323,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeyMappingsResponse' - /policy.kasregistry.KeyAccessServerRegistryService/ListKeys: + $ref: '#/components/schemas/policy.kasregistry.ListKeysResponse' + /policy.kasregistry.KeyAccessServerRegistryService/UpdateKey: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: ListKeys - description: Request to list keys in the Key Access Service. - operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeys + summary: UpdateKey + description: Request to update a key in the Key Access Service. + operationId: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey parameters: - name: Connect-Protocol-Version in: header 
@@ -346,7 +345,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeysRequest' + $ref: '#/components/schemas/policy.kasregistry.UpdateKeyRequest' required: true responses: default: @@ -360,7 +359,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeysResponse' + $ref: '#/components/schemas/policy.kasregistry.UpdateKeyResponse' /policy.kasregistry.KeyAccessServerRegistryService/RotateKey: post: tags: @@ -433,13 +432,13 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.kasregistry.SetBaseKeyResponse' - /policy.kasregistry.KeyAccessServerRegistryService/UpdateKey: + /policy.kasregistry.KeyAccessServerRegistryService/GetBaseKey: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: UpdateKey - description: Request to update a key in the Key Access Service. - operationId: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey + summary: GetBaseKey + description: Get Default kas keys + operationId: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey parameters: - name: Connect-Protocol-Version in: header @@ -454,7 +453,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.UpdateKeyRequest' + $ref: '#/components/schemas/policy.kasregistry.GetBaseKeyRequest' required: true responses: default: 
@@ -468,13 +467,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.UpdateKeyResponse' - /policy.kasregistry.KeyAccessServerRegistryService/UpdateKeyAccessServer: + $ref: '#/components/schemas/policy.kasregistry.GetBaseKeyResponse' + /policy.kasregistry.KeyAccessServerRegistryService/ListKeyMappings: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: UpdateKeyAccessServer - operationId: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer + summary: ListKeyMappings + description: Request to list key mappings in the Key Access Service. + operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyMappings parameters: - name: Connect-Protocol-Version in: header @@ -489,7 +489,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.UpdateKeyAccessServerRequest' + $ref: '#/components/schemas/policy.kasregistry.ListKeyMappingsRequest' required: true responses: default: 
@@ -503,9 +503,101 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.UpdateKeyAccessServerResponse' + $ref: '#/components/schemas/policy.kasregistry.ListKeyMappingsResponse' components: schemas: + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + policy.KeyMode: + type: string + title: KeyMode + enum: + - KEY_MODE_UNSPECIFIED + - KEY_MODE_CONFIG_ROOT_KEY + - KEY_MODE_PROVIDER_ROOT_KEY + - KEY_MODE_REMOTE + - KEY_MODE_PUBLIC_KEY_ONLY + description: Describes the management and operational mode of a cryptographic key. + policy.KeyStatus: + type: string + title: KeyStatus + enum: + - KEY_STATUS_UNSPECIFIED + - KEY_STATUS_ACTIVE + - KEY_STATUS_ROTATED + description: The status of the key + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - SORT_DIRECTION_ASC + - SORT_DIRECTION_DESC + description: |- + Sorting direction shared across list APIs. 
+ When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. + policy.kasregistry.SortKasKeysType: + type: string + title: SortKasKeysType + enum: + - SORT_KAS_KEYS_TYPE_UNSPECIFIED + - SORT_KAS_KEYS_TYPE_KEY_ID + - SORT_KAS_KEYS_TYPE_CREATED_AT + - SORT_KAS_KEYS_TYPE_UPDATED_AT + policy.kasregistry.SortKeyAccessServersType: + type: string + title: SortKeyAccessServersType + enum: + - SORT_KEY_ACCESS_SERVERS_TYPE_UNSPECIFIED + - SORT_KEY_ACCESS_SERVERS_TYPE_NAME + - SORT_KEY_ACCESS_SERVERS_TYPE_URI + - SORT_KEY_ACCESS_SERVERS_TYPE_CREATED_AT + - SORT_KEY_ACCESS_SERVERS_TYPE_UPDATED_AT common.Metadata: type: object properties: 
@@ -561,82 +653,6 @@ components: title: value title: LabelsEntry additionalProperties: false - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' - value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -649,8 +665,8 @@ components: google.protobuf.Timestamp: type: string examples: - - "2023-01-15T01:30:15.01Z" - - "2024-12-25T12:00:00Z" + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local @@ -742,20 +758,6 @@ components: the Joda Time's [`ISODateTimeFormat.dateTime()`]( http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() ) to obtain a formatter capable of generating timestamps in this format. - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. policy.AsymmetricKey: type: object properties: 
@@ -833,7 +835,7 @@ components: alg: not: enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - 0 title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -845,19 +847,6 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: @@ -905,9 +894,13 @@ components: uri: type: string title: uri - description: | + description: |+ Address of a KAS instance - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' 
@@ -935,16 +928,6 @@ components: title: KeyAccessServer additionalProperties: false description: Key Access Server Registry - policy.KeyMode: - type: string - title: KeyMode - enum: - - KEY_MODE_UNSPECIFIED - - KEY_MODE_CONFIG_ROOT_KEY - - KEY_MODE_PROVIDER_ROOT_KEY - - KEY_MODE_REMOTE - - KEY_MODE_PUBLIC_KEY_ONLY - description: Describes the management and operational mode of a cryptographic key. policy.KeyProviderConfig: type: object properties: @@ -967,14 +950,6 @@ components: $ref: '#/components/schemas/common.Metadata' title: KeyProviderConfig additionalProperties: false - policy.KeyStatus: - type: string - title: KeyStatus - enum: - - KEY_STATUS_UNSPECIFIED - - KEY_STATUS_ACTIVE - - KEY_STATUS_ROTATED - description: The status of the key policy.PageRequest: type: object properties: @@ -1034,8 +1009,7 @@ components: policy.PublicKey: type: object oneOf: - - type: object - properties: + - properties: cached: title: cached description: public key with additional information. Current preferred version @@ -1043,14 +1017,17 @@ components: title: cached required: - cached - - type: object - properties: + - properties: remote: type: string title: remote - description: | + description: |+ kas public key url - optional since can also be retrieved via public key - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + title: remote required: - remote 
@@ -1097,30 +1074,7 @@ components: type: string title: pem title: SimpleKasPublicKey - additionalProperties: false - policy.SortDirection: - type: string - title: SortDirection - enum: - - SORT_DIRECTION_UNSPECIFIED - - SORT_DIRECTION_ASC - - SORT_DIRECTION_DESC - description: |- - Sorting direction shared across list APIs. - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. + additionalProperties: false policy.kasregistry.ActivatePublicKeyRequest: type: object properties: @@ -1158,9 +1112,13 @@ components: uri: type: string title: uri - description: | + description: |+ Required - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.isUri() + ``` + publicKey: title: public_key description: Deprecated 
@@ -1173,9 +1131,13 @@ components: type: string title: name maxLength: 253 - description: | + description: |+ Optional - kas_name_format // Registered KAS name must be an alphanumeric string, allowing hyphens, and underscores but not as the first or last character. The stored KAS name will be normalized to lower case. + Registered KAS name must be an alphanumeric string, allowing hyphens, and underscores but not as the first or last character. The stored KAS name will be normalized to lower case.: + ``` + size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true + ``` + metadata: title: metadata description: Common metadata @@ -1205,15 +1167,23 @@ components: description: Required A user-defined identifier for the key keyAlgorithm: title: key_algorithm - description: | + description: |+ Required The algorithm to be used for the key - key_algorithm_defined // The key_algorithm must be one of the defined values. + The key_algorithm must be one of the defined values.: + ``` + this in [1, 2, 3, 4, 5, 6, 7, 8] + ``` + $ref: '#/components/schemas/policy.Algorithm' keyMode: title: key_mode - description: | + description: |+ Required The mode of the key (e.g., local or external) - key_mode_defined // The key_mode must be one of the defined values (1-4). + The key_mode must be one of the defined values (1-4).: + ``` + this >= 1 && this <= 4 + ``` + $ref: '#/components/schemas/policy.KeyMode' publicKeyCtx: title: public_key_ctx 
@@ -1239,11 +1209,23 @@ components: required: - publicKeyCtx additionalProperties: false - description: | + description: |+ Create a new asymmetric key for the specified Key Access Server (KAS) - private_key_ctx_for_public_key_only // private_key_ctx must not be set if key_mode is KEY_MODE_PUBLIC_KEY_ONLY. - private_key_ctx_optionally_required // The wrapped_key is required if key_mode is KEY_MODE_CONFIG_ROOT_KEY or KEY_MODE_PROVIDER_ROOT_KEY. The wrapped_key must be empty if key_mode is KEY_MODE_REMOTE or KEY_MODE_PUBLIC_KEY_ONLY. - provider_config_id_optionally_required // Provider config id is required if key_mode is KEY_MODE_PROVIDER_ROOT_KEY or KEY_MODE_REMOTE. It must be empty for KEY_MODE_CONFIG_ROOT_KEY and KEY_MODE_PUBLIC_KEY_ONLY. + The wrapped_key is required if key_mode is KEY_MODE_CONFIG_ROOT_KEY or KEY_MODE_PROVIDER_ROOT_KEY. The wrapped_key must be empty if key_mode is KEY_MODE_REMOTE or KEY_MODE_PUBLIC_KEY_ONLY.: + ``` + ((this.key_mode == 1 || this.key_mode == 2) && this.private_key_ctx.wrapped_key != '') || ((this.key_mode == 3 || this.key_mode == 4) && this.private_key_ctx.wrapped_key == '') + ``` + + Provider config id is required if key_mode is KEY_MODE_PROVIDER_ROOT_KEY or KEY_MODE_REMOTE. It must be empty for KEY_MODE_CONFIG_ROOT_KEY and KEY_MODE_PUBLIC_KEY_ONLY.: + ``` + ((this.key_mode == 1 || this.key_mode == 4) && this.provider_config_id == '') || ((this.key_mode == 2 || this.key_mode == 3) && this.provider_config_id != '') + ``` + + private_key_ctx must not be set if key_mode is KEY_MODE_PUBLIC_KEY_ONLY.: + ``` + !(this.key_mode == 4 && has(this.private_key_ctx)) + ``` + policy.kasregistry.CreateKeyResponse: type: object properties: 
@@ -1332,49 +1314,53 @@ components: additionalProperties: false policy.kasregistry.GetKeyAccessServerRequest: type: object - allOf: + oneOf: - properties: - id: + kasId: type: string - title: id - format: uuid - description: Deprecated - deprecated: true - - oneOf: - - type: object - properties: - kasId: - type: string - title: kas_id - format: uuid - description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' title: kas_id - required: - - kasId - - type: object - properties: - name: - type: string - title: name - minLength: 1 + format: uuid + description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' + title: kas_id + required: + - kasId + - properties: + name: + type: string title: name - required: - - name - - type: object - properties: - uri: - type: string - title: uri - minLength: 1 - format: uri + minLength: 1 + title: name + required: + - name + - properties: + uri: + type: string title: uri - required: - - uri + minLength: 1 + format: uri + title: uri + required: + - uri + properties: + id: + type: string + title: id + format: uuid + description: Deprecated + deprecated: true title: GetKeyAccessServerRequest additionalProperties: false - description: | - exclusive_fields // Either use deprecated 'id' field or one of 'kas_id' or 'uri', but not both - required_fields // Either id or one of kas_id or uri must be set + description: |+ + Either use deprecated 'id' field or one of 'kas_id' or 'uri', but not both: + ``` + !(has(this.id) && (has(this.kas_id) || has(this.uri) || has(this.name))) + ``` + + Either id or one of kas_id or uri must be set: + ``` + has(this.id) || has(this.kas_id) || has(this.uri) || has(this.name) + ``` + policy.kasregistry.GetKeyAccessServerResponse: type: object properties: 
@@ -1386,8 +1372,7 @@ components: policy.kasregistry.GetKeyRequest: type: object oneOf: - - type: object - properties: + - properties: id: type: string title: id @@ -1396,8 +1381,7 @@ components: title: id required: - id - - type: object - properties: + - properties: key: title: key $ref: '#/components/schemas/policy.kasregistry.KasKeyIdentifier' @@ -1420,8 +1404,7 @@ components: policy.kasregistry.GetPublicKeyRequest: type: object oneOf: - - type: object - properties: + - properties: id: type: string title: id @@ -1453,42 +1436,38 @@ components: description: Can be namespace, attribute definition, or value policy.kasregistry.KasKeyIdentifier: type: object - allOf: + oneOf: - properties: - kid: + kasId: type: string - title: kid - minLength: 1 - description: Required Key ID of the key in question - - oneOf: - - type: object - properties: - kasId: - type: string - title: kas_id - format: uuid title: kas_id - required: - - kasId - - type: object - properties: - name: - type: string - title: name - minLength: 1 + format: uuid + title: kas_id + required: + - kasId + - properties: + name: + type: string title: name - required: - - name - - type: object - properties: - uri: - type: string - title: uri - minLength: 1 - format: uri + minLength: 1 + title: name + required: + - name + - properties: + uri: + type: string title: uri - required: - - uri + minLength: 1 + format: uri + title: uri + required: + - uri + properties: + kid: + type: string + title: kid + minLength: 1 + description: Required Key ID of the key in question title: KasKeyIdentifier additionalProperties: false description: Nested message for specifying the active key using KAS ID and Key ID 
@@ -1573,31 +1552,43 @@ components: kasId: type: string title: kas_id - description: | + description: |+ Optional Filter LIST by ID of a registered Key Access Server. If neither is provided, grants from all registered KASs to policy attribute objects are returned. - optional_uuid_format // Optional field must be a valid UUID + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + kasUri: type: string title: kas_uri - description: | + description: |+ Optional Filter LIST by URI of a registered Key Access Server. If none is provided, grants from all registered KASs to policy attribute objects are returned. - optional_uri_format // Optional URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + Optional URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + size(this) == 0 || this.isUri() + ``` + kasName: type: string title: kas_name maxLength: 253 - description: | + description: |+ Optional Filter LIST by name of a registered Key Access Server. If none are provided, grants from all registered KASs to policy attribute objects are returned. - kas_name_format // Registered KAS name must be an alphanumeric string, allowing hyphens, and underscores but not as the first or last character. The stored KAS name will be normalized to lower case. + Registered KAS name must be an alphanumeric string, allowing hyphens, and underscores but not as the first or last character. 
The stored KAS name will be normalized to lower case.: + ``` + size(this) == 0 || this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + pagination: title: pagination description: Optional @@ -1660,31 +1651,28 @@ components: additionalProperties: false policy.kasregistry.ListKeyMappingsRequest: type: object - allOf: + oneOf: - properties: - pagination: - title: pagination - description: Pagination request for the list of keys - $ref: '#/components/schemas/policy.PageRequest' - - oneOf: - - type: object - properties: - id: - type: string - title: id - format: uuid - description: The unique identifier of the key to retrieve + id: + type: string title: id - required: - - id - - type: object - properties: - key: - title: key - $ref: '#/components/schemas/policy.kasregistry.KasKeyIdentifier' + format: uuid + description: The unique identifier of the key to retrieve + title: id + required: + - id + - properties: + key: title: key - required: - - key + $ref: '#/components/schemas/policy.kasregistry.KasKeyIdentifier' + title: key + required: + - key + properties: + pagination: + title: pagination + description: Pagination request for the list of keys + $ref: '#/components/schemas/policy.PageRequest' title: ListKeyMappingsRequest additionalProperties: false policy.kasregistry.ListKeyMappingsResponse: 
@@ -1704,68 +1692,67 @@ components: additionalProperties: false policy.kasregistry.ListKeysRequest: type: object - allOf: + oneOf: - properties: - keyAlgorithm: - title: key_algorithm - description: | - Filter keys by algorithm - key_algorithm_defined // The key_algorithm must be one of the defined values. - $ref: '#/components/schemas/policy.Algorithm' - legacy: - type: - - boolean - - "null" - title: legacy - description: Optional Filter for legacy keys - pagination: - title: pagination - description: Optional Pagination request for the list of keys - $ref: '#/components/schemas/policy.PageRequest' - sort: - type: array - items: - $ref: '#/components/schemas/policy.kasregistry.KasKeysSort' - title: sort - maxItems: 1 - description: |- - Optional - CONSTRAINT: max 1 item - Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC - - oneOf: - - type: object - properties: - kasId: - type: string - title: kas_id - format: uuid - description: Filter keys by the KAS ID + kasId: + type: string title: kas_id - required: - - kasId - - type: object - properties: - kasName: - type: string - title: kas_name - minLength: 1 - description: Filter keys by the KAS name + format: uuid + description: Filter keys by the KAS ID + title: kas_id + required: + - kasId + - properties: + kasName: + type: string title: kas_name - required: - - kasName - - type: object - properties: - kasUri: - type: string - title: kas_uri - minLength: 1 - format: uri - description: Filter keys by the KAS URI + minLength: 1 + description: Filter keys by the KAS name + title: kas_name + required: + - kasName + - properties: + kasUri: + type: string title: kas_uri - required: - - kasUri + minLength: 1 + format: uri + description: Filter keys by the KAS URI + title: kas_uri + required: + - kasUri + properties: + keyAlgorithm: + title: key_algorithm 
+ description: |+ + Filter keys by algorithm + The key_algorithm must be one of the defined values.: + ``` + this in [0, 1, 2, 3, 4, 5, 6, 7, 8] + ``` + + $ref: '#/components/schemas/policy.Algorithm' + legacy: + type: boolean + title: legacy + description: Optional Filter for legacy keys + nullable: true + pagination: + title: pagination + description: Optional Pagination request for the list of keys + $ref: '#/components/schemas/policy.PageRequest' + sort: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.KasKeysSort' + title: sort + maxItems: 1 + description: |- + Optional - CONSTRAINT: max 1 item + Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC title: ListKeysRequest additionalProperties: false description: List all asymmetric keys managed by a specific Key Access Server or with a given algorithm 
@@ -1787,49 +1774,45 @@ components: description: Response to a ListKeysRequest, containing the list of asymmetric keys and pagination information policy.kasregistry.ListPublicKeyMappingRequest: type: object - allOf: + oneOf: - properties: - publicKeyId: + kasId: type: string - title: public_key_id + title: kas_id format: uuid - description: Optional Public Key ID - pagination: - title: pagination description: Optional - $ref: '#/components/schemas/policy.PageRequest' - - oneOf: - - type: object - properties: - kasId: - type: string - title: kas_id - format: uuid - description: Optional - title: kas_id - required: - - kasId - - type: object - properties: - kasName: - type: string - title: kas_name - minLength: 1 - description: Optional + title: kas_id + required: + - kasId + - properties: + kasName: + type: string title: kas_name - required: - - kasName - - type: object - properties: - kasUri: - type: string - title: kas_uri - minLength: 1 - format: uri - description: Optional + minLength: 1 + description: Optional + title: kas_name + required: + - kasName + - properties: + kasUri: + type: string title: kas_uri - required: - - kasUri + minLength: 1 + format: uri + description: Optional + title: kas_uri + required: + - kasUri + properties: + publicKeyId: + type: string + title: public_key_id + format: uuid + description: Optional Public Key ID + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' title: ListPublicKeyMappingRequest additionalProperties: false policy.kasregistry.ListPublicKeyMappingResponse: 
@@ -1900,44 +1883,40 @@ components: additionalProperties: false policy.kasregistry.ListPublicKeysRequest: type: object - allOf: + oneOf: - properties: - pagination: - title: pagination - description: Optional - $ref: '#/components/schemas/policy.PageRequest' - - oneOf: - - type: object - properties: - kasId: - type: string - title: kas_id - format: uuid - description: Optional + kasId: + type: string title: kas_id - required: - - kasId - - type: object - properties: - kasName: - type: string - title: kas_name - minLength: 1 - description: Optional + format: uuid + description: Optional + title: kas_id + required: + - kasId + - properties: + kasName: + type: string title: kas_name - required: - - kasName - - type: object - properties: - kasUri: - type: string - title: kas_uri - minLength: 1 - format: uri - description: Optional + minLength: 1 + description: Optional + title: kas_name + required: + - kasName + - properties: + kasUri: + type: string title: kas_uri - required: - - kasUri + minLength: 1 + format: uri + description: Optional + title: kas_uri + required: + - kasUri + properties: + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' title: ListPublicKeysRequest additionalProperties: false policy.kasregistry.ListPublicKeysResponse: 
@@ -1968,38 +1947,47 @@ components: additionalProperties: false policy.kasregistry.RotateKeyRequest: type: object - allOf: + oneOf: - properties: - newKey: - title: new_key - description: Information about the new key to be rotated in - $ref: '#/components/schemas/policy.kasregistry.RotateKeyRequest.NewKey' - - oneOf: - - type: object - properties: - id: - type: string - title: id - format: uuid - description: Current Active Key UUID + id: + type: string title: id - required: - - id - - type: object - properties: - key: - title: key - description: Alternative way to specify the active key using KAS ID and Key ID - $ref: '#/components/schemas/policy.kasregistry.KasKeyIdentifier' + format: uuid + description: Current Active Key UUID + title: id + required: + - id + - properties: + key: title: key - required: - - key + description: Alternative way to specify the active key using KAS ID and Key ID + $ref: '#/components/schemas/policy.kasregistry.KasKeyIdentifier' + title: key + required: + - key + properties: + newKey: + title: new_key + description: Information about the new key to be rotated in + $ref: '#/components/schemas/policy.kasregistry.RotateKeyRequest.NewKey' title: RotateKeyRequest additionalProperties: false - description: | - private_key_ctx_for_public_key_only // private_key_ctx must not be set if key_mode is KEY_MODE_PUBLIC_KEY_ONLY. - private_key_ctx_optionally_required // For the new key, the wrapped_key is required if key_mode is KEY_MODE_CONFIG_ROOT_KEY or KEY_MODE_PROVIDER_ROOT_KEY. The wrapped_key must be empty if key_mode is KEY_MODE_REMOTE or KEY_MODE_PUBLIC_KEY_ONLY. - provider_config_id_optionally_required // For the new key, provider config id is required if key_mode is KEY_MODE_PROVIDER_ROOT_KEY or KEY_MODE_REMOTE. It must be empty for KEY_MODE_CONFIG_ROOT_KEY and KEY_MODE_PUBLIC_KEY_ONLY. + description: |+ + For the new key, the wrapped_key is required if key_mode is KEY_MODE_CONFIG_ROOT_KEY or KEY_MODE_PROVIDER_ROOT_KEY. 
The wrapped_key must be empty if key_mode is KEY_MODE_REMOTE or KEY_MODE_PUBLIC_KEY_ONLY.: + ``` + ((this.new_key.key_mode == 1 || this.new_key.key_mode == 2) && this.new_key.private_key_ctx.wrapped_key != '') || ((this.new_key.key_mode == 3 || this.new_key.key_mode == 4) && this.new_key.private_key_ctx.wrapped_key == '') + ``` + + For the new key, provider config id is required if key_mode is KEY_MODE_PROVIDER_ROOT_KEY or KEY_MODE_REMOTE. It must be empty for KEY_MODE_CONFIG_ROOT_KEY and KEY_MODE_PUBLIC_KEY_ONLY.: + ``` + ((this.new_key.key_mode == 1 || this.new_key.key_mode == 4) && this.new_key.provider_config_id == '') || ((this.new_key.key_mode == 2 || this.new_key.key_mode == 3) && this.new_key.provider_config_id != '') + ``` + + private_key_ctx must not be set if key_mode is KEY_MODE_PUBLIC_KEY_ONLY.: + ``` + !(this.new_key.key_mode == 4 && has(this.new_key.private_key_ctx)) + ``` + policy.kasregistry.RotateKeyRequest.NewKey: type: object properties: @@ -2010,15 +1998,23 @@ components: description: Required algorithm: title: algorithm - description: | + description: |+ Required - key_algorithm_defined // The key_algorithm must be one of the defined values. + The key_algorithm must be one of the defined values.: + ``` + this in [1, 2, 3, 4, 5, 6, 7, 8] + ``` + $ref: '#/components/schemas/policy.Algorithm' keyMode: title: key_mode - description: | + description: |+ Required - new_key_mode_defined // The new key_mode must be one of the defined values (1-4). + The new key_mode must be one of the defined values (1-4).: + ``` + this in [1, 2, 3, 4] + ``` + $ref: '#/components/schemas/policy.KeyMode' publicKeyCtx: title: public_key_ctx @@ -2083,8 +2079,7 @@ components: policy.kasregistry.SetBaseKeyRequest: type: object oneOf: - - type: object - properties: + - properties: id: type: string title: id 
@@ -2093,8 +2088,7 @@ components: title: id required: - id - - type: object - properties: + - properties: key: title: key description: Alternative way to specify the key using KAS ID and Key ID @@ -2120,23 +2114,6 @@ components: $ref: '#/components/schemas/policy.SimpleKasKey' title: SetBaseKeyResponse additionalProperties: false - policy.kasregistry.SortKasKeysType: - type: string - title: SortKasKeysType - enum: - - SORT_KAS_KEYS_TYPE_UNSPECIFIED - - SORT_KAS_KEYS_TYPE_KEY_ID - - SORT_KAS_KEYS_TYPE_CREATED_AT - - SORT_KAS_KEYS_TYPE_UPDATED_AT - policy.kasregistry.SortKeyAccessServersType: - type: string - title: SortKeyAccessServersType - enum: - - SORT_KEY_ACCESS_SERVERS_TYPE_UNSPECIFIED - - SORT_KEY_ACCESS_SERVERS_TYPE_NAME - - SORT_KEY_ACCESS_SERVERS_TYPE_URI - - SORT_KEY_ACCESS_SERVERS_TYPE_CREATED_AT - - SORT_KEY_ACCESS_SERVERS_TYPE_UPDATED_AT policy.kasregistry.UpdateKeyAccessServerRequest: type: object properties: @@ -2148,9 +2125,13 @@ components: uri: type: string title: uri - description: | + description: |+ Optional - optional_uri_format // Optional URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + Optional URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + size(this) == 0 || this.isUri() + ``` + publicKey: title: public_key description: |- 
@@ -2170,9 +2151,13 @@ components: type: string title: name maxLength: 253 - description: | + description: |+ Optional - kas_name_format // Registered KAS name must be an alphanumeric string, allowing hyphens, and underscores but not as the first or last character. The stored KAS name will be normalized to lower case. + Registered KAS name must be an alphanumeric string, allowing hyphens, and underscores but not as the first or last character. The stored KAS name will be normalized to lower case.: + ``` + size(this) == 0 || this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + metadata: title: metadata description: |- @@ -2212,9 +2197,13 @@ components: $ref: '#/components/schemas/common.MetadataUpdateEnum' title: UpdateKeyRequest additionalProperties: false - description: | + description: |+ Update an existing asymmetric key in the Key Management System - metadata_update_behavior // Metadata update behavior must be either APPEND or REPLACE, when updating metadata. + Metadata update behavior must be either APPEND or REPLACE, when updating metadata.: + ``` + ((!has(this.metadata)) || (has(this.metadata) && this.metadata_update_behavior != 0)) + ``` + policy.kasregistry.UpdateKeyResponse: type: object properties: 
@@ -2252,6 +2241,63 @@ components: $ref: '#/components/schemas/policy.Key' title: UpdatePublicKeyResponse additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.kasregistry.KeyAccessServerRegistryService diff --git a/docs/openapi/policy/keymanagement/key_management.openapi.yaml b/docs/openapi/policy/keymanagement/key_management.openapi.yaml index 94f70d9b92..61a3e433ba 100644 
--- a/docs/openapi/policy/keymanagement/key_management.openapi.yaml +++ b/docs/openapi/policy/keymanagement/key_management.openapi.yaml @@ -40,12 +40,12 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.keymanagement.CreateProviderConfigResponse' - /policy.keymanagement.KeyManagementService/DeleteProviderConfig: + /policy.keymanagement.KeyManagementService/GetProviderConfig: post: tags: - policy.keymanagement.KeyManagementService - summary: DeleteProviderConfig - operationId: policy.keymanagement.KeyManagementService.DeleteProviderConfig + summary: GetProviderConfig + operationId: policy.keymanagement.KeyManagementService.GetProviderConfig parameters: - name: Connect-Protocol-Version in: header @@ -60,7 +60,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.DeleteProviderConfigRequest' + $ref: '#/components/schemas/policy.keymanagement.GetProviderConfigRequest' required: true responses: default: @@ -74,13 +74,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.DeleteProviderConfigResponse' - /policy.keymanagement.KeyManagementService/GetProviderConfig: + $ref: '#/components/schemas/policy.keymanagement.GetProviderConfigResponse' + /policy.keymanagement.KeyManagementService/ListProviderConfigs: post: tags: - policy.keymanagement.KeyManagementService - summary: GetProviderConfig - operationId: policy.keymanagement.KeyManagementService.GetProviderConfig + summary: ListProviderConfigs + operationId: policy.keymanagement.KeyManagementService.ListProviderConfigs parameters: - name: Connect-Protocol-Version in: header @@ -95,7 +95,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.GetProviderConfigRequest' + $ref: '#/components/schemas/policy.keymanagement.ListProviderConfigsRequest' required: true responses: default: 
@@ -109,13 +109,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.GetProviderConfigResponse' - /policy.keymanagement.KeyManagementService/ListProviderConfigs: + $ref: '#/components/schemas/policy.keymanagement.ListProviderConfigsResponse' + /policy.keymanagement.KeyManagementService/UpdateProviderConfig: post: tags: - policy.keymanagement.KeyManagementService - summary: ListProviderConfigs - operationId: policy.keymanagement.KeyManagementService.ListProviderConfigs + summary: UpdateProviderConfig + operationId: policy.keymanagement.KeyManagementService.UpdateProviderConfig parameters: - name: Connect-Protocol-Version in: header @@ -130,7 +130,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.ListProviderConfigsRequest' + $ref: '#/components/schemas/policy.keymanagement.UpdateProviderConfigRequest' required: true responses: default: @@ -144,13 +144,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.ListProviderConfigsResponse' - /policy.keymanagement.KeyManagementService/UpdateProviderConfig: + $ref: '#/components/schemas/policy.keymanagement.UpdateProviderConfigResponse' + /policy.keymanagement.KeyManagementService/DeleteProviderConfig: post: tags: - policy.keymanagement.KeyManagementService - summary: UpdateProviderConfig - operationId: policy.keymanagement.KeyManagementService.UpdateProviderConfig + summary: DeleteProviderConfig + operationId: policy.keymanagement.KeyManagementService.DeleteProviderConfig parameters: - name: Connect-Protocol-Version in: header @@ -165,7 +165,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.UpdateProviderConfigRequest' + $ref: '#/components/schemas/policy.keymanagement.DeleteProviderConfigRequest' required: true responses: default: 
@@ -179,9 +179,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.UpdateProviderConfigResponse' + $ref: '#/components/schemas/policy.keymanagement.DeleteProviderConfigResponse' components: schemas: + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE common.Metadata: type: object properties: 
@@ -237,87 +244,11 @@ components: title: value title: LabelsEntry additionalProperties: false - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' - value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.Timestamp: type: string examples: - - "2023-01-15T01:30:15.01Z" - - "2024-12-25T12:00:00Z" + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local @@ -535,31 +466,28 @@ components: additionalProperties: false policy.keymanagement.GetProviderConfigRequest: type: object - allOf: + oneOf: - properties: - manager: + id: type: string - title: manager - description: Optional - filter by manager type when searching by name - - oneOf: - - type: object - properties: - id: - type: string - title: id - format: uuid title: id - required: - - id - - type: object - properties: - name: - type: string - title: name - minLength: 1 + format: uuid + title: id + required: + - id + - properties: + name: + type: string title: name - required: - - name + minLength: 1 + title: name + required: + - name + properties: + manager: + type: string + title: manager + description: Optional - filter by manager type when searching by name title: GetProviderConfigRequest additionalProperties: false policy.keymanagement.GetProviderConfigResponse: 
@@ -632,6 +560,63 @@ components: $ref: '#/components/schemas/policy.KeyProviderConfig' title: UpdateProviderConfigResponse additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.keymanagement.KeyManagementService diff --git a/docs/openapi/policy/namespaces/namespaces.openapi.yaml b/docs/openapi/policy/namespaces/namespaces.openapi.yaml index 506217b193..191af3eaf6 100644 --- a/docs/openapi/policy/namespaces/namespaces.openapi.yaml 
+++ b/docs/openapi/policy/namespaces/namespaces.openapi.yaml @@ -2,13 +2,12 @@ openapi: 3.1.0 info: title: policy.namespaces paths: - /policy.namespaces.NamespaceService/AssignKeyAccessServerToNamespace: + /policy.namespaces.NamespaceService/GetNamespace: post: tags: - policy.namespaces.NamespaceService - summary: AssignKeyAccessServerToNamespace - description: 'Deprecated: utilize AssignPublicKeyToNamespace' - operationId: policy.namespaces.NamespaceService.AssignKeyAccessServerToNamespace + summary: GetNamespace + operationId: policy.namespaces.NamespaceService.GetNamespace parameters: - name: Connect-Protocol-Version in: header @@ -23,7 +22,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.AssignKeyAccessServerToNamespaceRequest' + $ref: '#/components/schemas/policy.namespaces.GetNamespaceRequest' required: true responses: default: @@ -37,18 +36,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.AssignKeyAccessServerToNamespaceResponse' - deprecated: true - /policy.namespaces.NamespaceService/AssignPublicKeyToNamespace: + $ref: '#/components/schemas/policy.namespaces.GetNamespaceResponse' + /policy.namespaces.NamespaceService/ListNamespaces: post: tags: - policy.namespaces.NamespaceService - summary: AssignPublicKeyToNamespace - description: |- - --------------------------------------* - Namespace <> Key RPCs - --------------------------------------- - operationId: policy.namespaces.NamespaceService.AssignPublicKeyToNamespace + summary: ListNamespaces + operationId: policy.namespaces.NamespaceService.ListNamespaces parameters: - name: Connect-Protocol-Version in: header @@ -63,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.AssignPublicKeyToNamespaceRequest' + $ref: '#/components/schemas/policy.namespaces.ListNamespacesRequest' required: true responses: default: 
@@ -77,7 +71,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.AssignPublicKeyToNamespaceResponse' + $ref: '#/components/schemas/policy.namespaces.ListNamespacesResponse' /policy.namespaces.NamespaceService/CreateNamespace: post: tags: @@ -113,12 +107,12 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.namespaces.CreateNamespaceResponse' - /policy.namespaces.NamespaceService/DeactivateNamespace: + /policy.namespaces.NamespaceService/UpdateNamespace: post: tags: - policy.namespaces.NamespaceService - summary: DeactivateNamespace - operationId: policy.namespaces.NamespaceService.DeactivateNamespace + summary: UpdateNamespace + operationId: policy.namespaces.NamespaceService.UpdateNamespace parameters: - name: Connect-Protocol-Version in: header @@ -133,7 +127,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.DeactivateNamespaceRequest' + $ref: '#/components/schemas/policy.namespaces.UpdateNamespaceRequest' required: true responses: default: @@ -147,13 +141,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.DeactivateNamespaceResponse' - /policy.namespaces.NamespaceService/GetNamespace: + $ref: '#/components/schemas/policy.namespaces.UpdateNamespaceResponse' + /policy.namespaces.NamespaceService/DeactivateNamespace: post: tags: - policy.namespaces.NamespaceService - summary: GetNamespace - operationId: policy.namespaces.NamespaceService.GetNamespace + summary: DeactivateNamespace + operationId: policy.namespaces.NamespaceService.DeactivateNamespace parameters: - name: Connect-Protocol-Version in: header @@ -168,7 +162,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.GetNamespaceRequest' + $ref: '#/components/schemas/policy.namespaces.DeactivateNamespaceRequest' required: true responses: default: 
@@ -182,13 +176,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.GetNamespaceResponse' - /policy.namespaces.NamespaceService/ListNamespaces: + $ref: '#/components/schemas/policy.namespaces.DeactivateNamespaceResponse' + /policy.namespaces.NamespaceService/AssignKeyAccessServerToNamespace: post: tags: - policy.namespaces.NamespaceService - summary: ListNamespaces - operationId: policy.namespaces.NamespaceService.ListNamespaces + summary: AssignKeyAccessServerToNamespace + description: 'Deprecated: utilize AssignPublicKeyToNamespace' + operationId: policy.namespaces.NamespaceService.AssignKeyAccessServerToNamespace parameters: - name: Connect-Protocol-Version in: header @@ -203,7 +198,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.ListNamespacesRequest' + $ref: '#/components/schemas/policy.namespaces.AssignKeyAccessServerToNamespaceRequest' required: true responses: default: @@ -217,7 +212,8 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.ListNamespacesResponse' + $ref: '#/components/schemas/policy.namespaces.AssignKeyAccessServerToNamespaceResponse' + deprecated: true /policy.namespaces.NamespaceService/RemoveKeyAccessServerFromNamespace: post: tags: 
@@ -255,12 +251,16 @@ paths: schema: $ref: '#/components/schemas/policy.namespaces.RemoveKeyAccessServerFromNamespaceResponse' deprecated: true - /policy.namespaces.NamespaceService/RemovePublicKeyFromNamespace: + /policy.namespaces.NamespaceService/AssignPublicKeyToNamespace: post: tags: - policy.namespaces.NamespaceService - summary: RemovePublicKeyFromNamespace - operationId: policy.namespaces.NamespaceService.RemovePublicKeyFromNamespace + summary: AssignPublicKeyToNamespace + description: |- + --------------------------------------* + Namespace <> Key RPCs + --------------------------------------- + operationId: policy.namespaces.NamespaceService.AssignPublicKeyToNamespace parameters: - name: Connect-Protocol-Version in: header @@ -275,7 +275,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.RemovePublicKeyFromNamespaceRequest' + $ref: '#/components/schemas/policy.namespaces.AssignPublicKeyToNamespaceRequest' required: true responses: default: @@ -289,13 +289,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.RemovePublicKeyFromNamespaceResponse' - /policy.namespaces.NamespaceService/UpdateNamespace: + $ref: '#/components/schemas/policy.namespaces.AssignPublicKeyToNamespaceResponse' + /policy.namespaces.NamespaceService/RemovePublicKeyFromNamespace: post: tags: - policy.namespaces.NamespaceService - summary: UpdateNamespace - operationId: policy.namespaces.NamespaceService.UpdateNamespace + summary: RemovePublicKeyFromNamespace + operationId: policy.namespaces.NamespaceService.RemovePublicKeyFromNamespace parameters: - name: Connect-Protocol-Version in: header @@ -310,7 +310,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.UpdateNamespaceRequest' + $ref: '#/components/schemas/policy.namespaces.RemovePublicKeyFromNamespaceRequest' required: true responses: default: 
@@ -324,7 +324,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.UpdateNamespaceResponse' + $ref: '#/components/schemas/policy.namespaces.RemovePublicKeyFromNamespaceResponse' components: schemas: common.ActiveStateEnum: 
@@ -336,6 +336,72 @@ components: - ACTIVE_STATE_ENUM_INACTIVE - ACTIVE_STATE_ENUM_ANY description: 'buflint ENUM_VALUE_PREFIX: to make sure that C++ scoping rules aren''t violated when users add new enum values to an enum in a given package' + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - SORT_DIRECTION_ASC + - SORT_DIRECTION_DESC + description: |- + Sorting direction shared across list APIs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. 
These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. + policy.namespaces.SortNamespacesType: + type: string + title: SortNamespacesType + enum: + - SORT_NAMESPACES_TYPE_UNSPECIFIED + - SORT_NAMESPACES_TYPE_NAME + - SORT_NAMESPACES_TYPE_FQN + - SORT_NAMESPACES_TYPE_CREATED_AT + - SORT_NAMESPACES_TYPE_UPDATED_AT common.Metadata: type: object properties: 
@@ -391,82 +457,6 @@ components: title: value title: LabelsEntry additionalProperties: false - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' - value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -479,8 +469,8 @@ components: google.protobuf.Timestamp: type: string examples: - - "2023-01-15T01:30:15.01Z" - - "2024-12-25T12:00:00Z" + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local @@ -572,20 +562,6 @@ components: the Joda Time's [`ISODateTimeFormat.dateTime()`]( http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() ) to obtain a formatter capable of generating timestamps in this format. - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. policy.KasPublicKey: type: object properties: 
@@ -604,7 +580,7 @@ components: alg: not: enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - 0 title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -616,19 +592,6 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: @@ -651,9 +614,13 @@ components: uri: type: string title: uri - description: | + description: |+ Address of a KAS instance - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -763,8 +730,7 @@ components: policy.PublicKey: type: object oneOf: - - type: object - properties: + - properties: cached: title: cached description: public key with additional information. Current preferred version 
@@ -772,14 +738,17 @@ components: title: cached required: - cached - - type: object - properties: + - properties: remote: type: string title: remote - description: | + description: |+ kas public key url - optional since can also be retrieved via public key - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + title: remote required: - remote @@ -817,29 +786,6 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false - policy.SortDirection: - type: string - title: SortDirection - enum: - - SORT_DIRECTION_UNSPECIFIED - - SORT_DIRECTION_ASC - - SORT_DIRECTION_DESC - description: |- - Sorting direction shared across list APIs. - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. policy.namespaces.AssignKeyAccessServerToNamespaceRequest: type: object properties: 
@@ -883,9 +829,13 @@ components: type: string title: name maxLength: 253 - description: | + description: |+ Required - namespace_format // Namespace must be a valid hostname. It should include at least one dot, with each segment (label) starting and ending with an alphanumeric character. Each label must be 1 to 63 characters long, allowing hyphens but not as the first or last character. The top-level domain (the last segment after the final dot) must consist of at least two alphabetic characters. The stored namespace will be normalized to lower case. + Namespace must be a valid hostname. It should include at least one dot, with each segment (label) starting and ending with an alphanumeric character. Each label must be 1 to 63 characters long, allowing hyphens but not as the first or last character. The top-level domain (the last segment after the final dot) must consist of at least two alphabetic characters. The stored namespace will be normalized to lower case.: + ``` + this.matches('^([a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?\\.)+[a-zA-Z]{2,}$') + ``` + metadata: title: metadata description: Optional 
@@ -918,40 +868,45 @@ components: additionalProperties: false policy.namespaces.GetNamespaceRequest: type: object - allOf: + oneOf: - properties: - id: + fqn: type: string - title: id - format: uuid - description: Deprecated - deprecated: true - - oneOf: - - type: object - properties: - fqn: - type: string - title: fqn - minLength: 1 - format: uri title: fqn - required: - - fqn - - type: object - properties: - namespaceId: - type: string - title: namespace_id - format: uuid - description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' + minLength: 1 + format: uri + title: fqn + required: + - fqn + - properties: + namespaceId: + type: string title: namespace_id - required: - - namespaceId + format: uuid + description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' + title: namespace_id + required: + - namespaceId + properties: + id: + type: string + title: id + format: uuid + description: Deprecated + deprecated: true title: GetNamespaceRequest additionalProperties: false - description: | - exclusive_fields // Either use deprecated 'id' field or one of 'namespace_id' or 'fqn', but not both - required_fields // Either id or one of namespace_id or fqn must be set + description: |+ + Either use deprecated 'id' field or one of 'namespace_id' or 'fqn', but not both: + ``` + !(has(this.id) && (has(this.namespace_id) || has(this.fqn))) + ``` + + Either id or one of namespace_id or fqn must be set: + ``` + has(this.id) || has(this.namespace_id) || has(this.fqn) + ``` + policy.namespaces.GetNamespaceResponse: type: object properties: 
@@ -1080,15 +1035,6 @@ components: $ref: '#/components/schemas/policy.namespaces.NamespaceKey' title: RemovePublicKeyFromNamespaceResponse additionalProperties: false - policy.namespaces.SortNamespacesType: - type: string - title: SortNamespacesType - enum: - - SORT_NAMESPACES_TYPE_UNSPECIFIED - - SORT_NAMESPACES_TYPE_NAME - - SORT_NAMESPACES_TYPE_FQN - - SORT_NAMESPACES_TYPE_CREATED_AT - - SORT_NAMESPACES_TYPE_UPDATED_AT policy.namespaces.UpdateNamespaceRequest: type: object properties: 
@@ -1114,6 +1060,63 @@ components: $ref: '#/components/schemas/policy.Namespace' title: UpdateNamespaceResponse additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.namespaces.NamespaceService diff --git a/docs/openapi/policy/objects.openapi.yaml b/docs/openapi/policy/objects.openapi.yaml index 6bef650b76..a1debb1154 100644 --- a/docs/openapi/policy/objects.openapi.yaml +++ b/docs/openapi/policy/objects.openapi.yaml 
@@ -4,6 +4,105 @@ info: paths: {} components: schemas: + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.DynamicValueOperatorEnum: + type: string + title: DynamicValueOperatorEnum + enum: + - DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED + - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN + - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS + description: |- + Operators for dynamic, definition-level value entitlement. Unlike + SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into + policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's + attribute value segment, supplied at decision time. Each value is the inversion of its + static SubjectMappingOperatorEnum counterpart. 
+ policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + policy.KeyMode: + type: string + title: KeyMode + enum: + - KEY_MODE_UNSPECIFIED + - KEY_MODE_CONFIG_ROOT_KEY + - KEY_MODE_PROVIDER_ROOT_KEY + - KEY_MODE_REMOTE + - KEY_MODE_PUBLIC_KEY_ONLY + description: Describes the management and operational mode of a cryptographic key. + policy.KeyStatus: + type: string + title: KeyStatus + enum: + - KEY_STATUS_UNSPECIFIED + - KEY_STATUS_ACTIVE + - KEY_STATUS_ROTATED + description: The status of the key + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS common.Metadata: type: object properties: @@ -48,8 +147,8 @@ components: google.protobuf.Timestamp: type: string examples: - - "2023-01-15T01:30:15.01Z" - - "2024-12-25T12:00:00Z" + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -143,65 +242,41 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - allOf: + oneOf: - properties: - id: + custom: type: string - title: id - description: Generated uuid in database - name: - type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - - oneOf: - - type: object - properties: - custom: - type: string - title: custom - description: Deprecated title: custom - required: - - custom - - type: object - properties: - standard: - title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' + description: Deprecated + title: custom + required: + - custom + - properties: + standard: title: standard - required: - - standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' title: Action additionalProperties: false description: An action an entity can take - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. 
policy.AsymmetricKey: type: object properties: @@ -303,14 +378,6 @@ components: required: - rule additionalProperties: false - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -328,6 +395,7 @@ components: type: array items: type: string + minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -343,13 +411,6 @@ components: * A Condition defines a rule of - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: 
@@ -368,6 +429,70 @@ components: - booleanOperator additionalProperties: false description: A collection of Conditions evaluated by the boolean_operator provided + policy.DefinitionValueEntitlementMapping: + type: object + properties: + id: + type: string + title: id + attributeDefinition: + title: attribute_definition + description: the Attribute Definition whose values are entitled dynamically + $ref: '#/components/schemas/policy.Attribute' + valueResolver: + title: value_resolver + description: the dynamic resolver matched against the requested resource value segment + $ref: '#/components/schemas/policy.DefinitionValueResolver' + subjectConditionSet: + title: subject_condition_set + description: |- + optional static pre-gate on the entity, evaluated with normal SubjectConditionSet + semantics (no dynamic overload). When present, both the gate and the resolver must + pass for entitlement. + $ref: '#/components/schemas/policy.SubjectConditionSet' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: the actions permitted by subjects in this mapping + namespace: + title: namespace + description: the namespace containing this mapping + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: DefinitionValueEntitlementMapping + additionalProperties: false + description: |- + Definition Value Entitlement Mapping: a Policy assigning permitted action(s) to + dynamically-requested values under an Attribute Definition. It raises entitlement + authority from a concrete Attribute Value to the Attribute Definition: at decision time + the value_resolver compares the requested resource value segment against the entity + representation, avoiding pre-provisioning a value + subject mapping per discrete value. 
+ policy.DefinitionValueResolver: + type: object + properties: + subjectExternalSelectorValue: + type: string + title: subject_external_selector_value + description: |- + a selector for a field value on a flattened Entity Representation (such as from + idP/LDAP), e.g. ".patientAssignments[]" + operator: + title: operator + description: the dynamic operator comparing the selector result to the resource value segment + $ref: '#/components/schemas/policy.DynamicValueOperatorEnum' + title: DefinitionValueResolver + required: + - subjectExternalSelectorValue + - operator + additionalProperties: false + description: |- + Definition Value Resolver: the dynamic half of a DefinitionValueEntitlementMapping. It + resolves a selector against the entity representation and compares the result to the + requested resource value segment using a DynamicValueOperatorEnum. policy.KasKey: type: object properties: @@ -400,7 +525,7 @@ components: alg: not: enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - 0 title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -412,19 +537,6 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: 
@@ -472,9 +584,13 @@ components: uri: type: string title: uri - description: | + description: |+ Address of a KAS instance - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -502,16 +618,6 @@ components: title: KeyAccessServer additionalProperties: false description: Key Access Server Registry - policy.KeyMode: - type: string - title: KeyMode - enum: - - KEY_MODE_UNSPECIFIED - - KEY_MODE_CONFIG_ROOT_KEY - - KEY_MODE_PROVIDER_ROOT_KEY - - KEY_MODE_REMOTE - - KEY_MODE_PUBLIC_KEY_ONLY - description: Describes the management and operational mode of a cryptographic key. policy.KeyProviderConfig: type: object properties: @@ -534,14 +640,6 @@ components: $ref: '#/components/schemas/common.Metadata' title: KeyProviderConfig additionalProperties: false - policy.KeyStatus: - type: string - title: KeyStatus - enum: - - KEY_STATUS_UNSPECIFIED - - KEY_STATUS_ACTIVE - - KEY_STATUS_ROTATED - description: The status of the key policy.Namespace: type: object properties: @@ -684,8 +782,7 @@ components: policy.PublicKey: type: object oneOf: - - type: object - properties: + - properties: cached: title: cached description: public key with additional information. Current preferred version 
@@ -693,14 +790,17 @@ components: title: cached required: - cached - - type: object - properties: + - properties: remote: type: string title: remote - description: | + description: |+ kas public key url - optional since can also be retrieved via public key - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + title: remote required: - remote @@ -885,17 +985,6 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: @@ -961,14 +1050,6 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectProperty: type: object properties: 
@@ -989,6 +1070,7 @@ components: authoritative source such as an IDP (Identity Provider) or User Store. Examples include such ADFS/LDAP, OKTA, etc. For now, a valid property must contain both a selector expression & a resulting value. + The external_selector_value is a specifier to select a value from a flattened external representation of an Entity (such as from idP/LDAP), and the external_value is the value selected by the external_selector_value on that diff --git a/docs/openapi/policy/obligations/obligations.openapi.yaml b/docs/openapi/policy/obligations/obligations.openapi.yaml index 946d6ce813..154701d935 100644 --- a/docs/openapi/policy/obligations/obligations.openapi.yaml +++ b/docs/openapi/policy/obligations/obligations.openapi.yaml @@ -2,12 +2,12 @@ openapi: 3.1.0 info: title: policy.obligations paths: - /policy.obligations.Service/AddObligationTrigger: + /policy.obligations.Service/ListObligations: post: tags: - policy.obligations.Service - summary: AddObligationTrigger - operationId: policy.obligations.Service.AddObligationTrigger + summary: ListObligations + operationId: policy.obligations.Service.ListObligations parameters: - name: Connect-Protocol-Version in: header @@ -22,7 +22,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.AddObligationTriggerRequest' + $ref: '#/components/schemas/policy.obligations.ListObligationsRequest' required: true responses: default: 
@@ -36,13 +36,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.AddObligationTriggerResponse' - /policy.obligations.Service/CreateObligation: + $ref: '#/components/schemas/policy.obligations.ListObligationsResponse' + /policy.obligations.Service/GetObligation: post: tags: - policy.obligations.Service - summary: CreateObligation - operationId: policy.obligations.Service.CreateObligation + summary: GetObligation + operationId: policy.obligations.Service.GetObligation parameters: - name: Connect-Protocol-Version in: header @@ -57,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.CreateObligationRequest' + $ref: '#/components/schemas/policy.obligations.GetObligationRequest' required: true responses: default: @@ -71,13 +71,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.CreateObligationResponse' - /policy.obligations.Service/CreateObligationValue: + $ref: '#/components/schemas/policy.obligations.GetObligationResponse' + /policy.obligations.Service/GetObligationsByFQNs: post: tags: - policy.obligations.Service - summary: CreateObligationValue - operationId: policy.obligations.Service.CreateObligationValue + summary: GetObligationsByFQNs + operationId: policy.obligations.Service.GetObligationsByFQNs parameters: - name: Connect-Protocol-Version in: header @@ -92,7 +92,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.CreateObligationValueRequest' + $ref: '#/components/schemas/policy.obligations.GetObligationsByFQNsRequest' required: true responses: default: 
@@ -106,13 +106,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.CreateObligationValueResponse' - /policy.obligations.Service/DeleteObligation: + $ref: '#/components/schemas/policy.obligations.GetObligationsByFQNsResponse' + /policy.obligations.Service/CreateObligation: post: tags: - policy.obligations.Service - summary: DeleteObligation - operationId: policy.obligations.Service.DeleteObligation + summary: CreateObligation + operationId: policy.obligations.Service.CreateObligation parameters: - name: Connect-Protocol-Version in: header @@ -127,7 +127,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.DeleteObligationRequest' + $ref: '#/components/schemas/policy.obligations.CreateObligationRequest' required: true responses: default: @@ -141,13 +141,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.DeleteObligationResponse' - /policy.obligations.Service/DeleteObligationValue: + $ref: '#/components/schemas/policy.obligations.CreateObligationResponse' + /policy.obligations.Service/UpdateObligation: post: tags: - policy.obligations.Service - summary: DeleteObligationValue - operationId: policy.obligations.Service.DeleteObligationValue + summary: UpdateObligation + operationId: policy.obligations.Service.UpdateObligation parameters: - name: Connect-Protocol-Version in: header @@ -162,7 +162,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.DeleteObligationValueRequest' + $ref: '#/components/schemas/policy.obligations.UpdateObligationRequest' required: true responses: default: 
@@ -176,13 +176,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.DeleteObligationValueResponse' - /policy.obligations.Service/GetObligation: + $ref: '#/components/schemas/policy.obligations.UpdateObligationResponse' + /policy.obligations.Service/DeleteObligation: post: tags: - policy.obligations.Service - summary: GetObligation - operationId: policy.obligations.Service.GetObligation + summary: DeleteObligation + operationId: policy.obligations.Service.DeleteObligation parameters: - name: Connect-Protocol-Version in: header @@ -197,7 +197,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationRequest' + $ref: '#/components/schemas/policy.obligations.DeleteObligationRequest' required: true responses: default: @@ -211,13 +211,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationResponse' - /policy.obligations.Service/GetObligationTrigger: + $ref: '#/components/schemas/policy.obligations.DeleteObligationResponse' + /policy.obligations.Service/GetObligationValue: post: tags: - policy.obligations.Service - summary: GetObligationTrigger - operationId: policy.obligations.Service.GetObligationTrigger + summary: GetObligationValue + operationId: policy.obligations.Service.GetObligationValue parameters: - name: Connect-Protocol-Version in: header @@ -232,7 +232,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationTriggerRequest' + $ref: '#/components/schemas/policy.obligations.GetObligationValueRequest' required: true responses: default: 
@@ -246,13 +246,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationTriggerResponse' - /policy.obligations.Service/GetObligationValue: + $ref: '#/components/schemas/policy.obligations.GetObligationValueResponse' + /policy.obligations.Service/GetObligationValuesByFQNs: post: tags: - policy.obligations.Service - summary: GetObligationValue - operationId: policy.obligations.Service.GetObligationValue + summary: GetObligationValuesByFQNs + operationId: policy.obligations.Service.GetObligationValuesByFQNs parameters: - name: Connect-Protocol-Version in: header @@ -267,7 +267,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationValueRequest' + $ref: '#/components/schemas/policy.obligations.GetObligationValuesByFQNsRequest' required: true responses: default: @@ -281,13 +281,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationValueResponse' - /policy.obligations.Service/GetObligationValuesByFQNs: + $ref: '#/components/schemas/policy.obligations.GetObligationValuesByFQNsResponse' + /policy.obligations.Service/CreateObligationValue: post: tags: - policy.obligations.Service - summary: GetObligationValuesByFQNs - operationId: policy.obligations.Service.GetObligationValuesByFQNs + summary: CreateObligationValue + operationId: policy.obligations.Service.CreateObligationValue parameters: - name: Connect-Protocol-Version in: header @@ -302,7 +302,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationValuesByFQNsRequest' + $ref: '#/components/schemas/policy.obligations.CreateObligationValueRequest' required: true responses: default: 
@@ -316,13 +316,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationValuesByFQNsResponse' - /policy.obligations.Service/GetObligationsByFQNs: + $ref: '#/components/schemas/policy.obligations.CreateObligationValueResponse' + /policy.obligations.Service/UpdateObligationValue: post: tags: - policy.obligations.Service - summary: GetObligationsByFQNs - operationId: policy.obligations.Service.GetObligationsByFQNs + summary: UpdateObligationValue + operationId: policy.obligations.Service.UpdateObligationValue parameters: - name: Connect-Protocol-Version in: header @@ -337,7 +337,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationsByFQNsRequest' + $ref: '#/components/schemas/policy.obligations.UpdateObligationValueRequest' required: true responses: default: @@ -351,13 +351,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationsByFQNsResponse' - /policy.obligations.Service/ListObligationTriggers: + $ref: '#/components/schemas/policy.obligations.UpdateObligationValueResponse' + /policy.obligations.Service/DeleteObligationValue: post: tags: - policy.obligations.Service - summary: ListObligationTriggers - operationId: policy.obligations.Service.ListObligationTriggers + summary: DeleteObligationValue + operationId: policy.obligations.Service.DeleteObligationValue parameters: - name: Connect-Protocol-Version in: header @@ -372,7 +372,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.ListObligationTriggersRequest' + $ref: '#/components/schemas/policy.obligations.DeleteObligationValueRequest' required: true responses: default: 
@@ -386,13 +386,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.ListObligationTriggersResponse' - /policy.obligations.Service/ListObligations: + $ref: '#/components/schemas/policy.obligations.DeleteObligationValueResponse' + /policy.obligations.Service/GetObligationTrigger: post: tags: - policy.obligations.Service - summary: ListObligations - operationId: policy.obligations.Service.ListObligations + summary: GetObligationTrigger + operationId: policy.obligations.Service.GetObligationTrigger parameters: - name: Connect-Protocol-Version in: header @@ -407,7 +407,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.ListObligationsRequest' + $ref: '#/components/schemas/policy.obligations.GetObligationTriggerRequest' required: true responses: default: @@ -421,13 +421,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.ListObligationsResponse' - /policy.obligations.Service/RemoveObligationTrigger: + $ref: '#/components/schemas/policy.obligations.GetObligationTriggerResponse' + /policy.obligations.Service/AddObligationTrigger: post: tags: - policy.obligations.Service - summary: RemoveObligationTrigger - operationId: policy.obligations.Service.RemoveObligationTrigger + summary: AddObligationTrigger + operationId: policy.obligations.Service.AddObligationTrigger parameters: - name: Connect-Protocol-Version in: header @@ -442,7 +442,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.RemoveObligationTriggerRequest' + $ref: '#/components/schemas/policy.obligations.AddObligationTriggerRequest' required: true responses: default: 
@@ -456,13 +456,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.RemoveObligationTriggerResponse' - /policy.obligations.Service/UpdateObligation: + $ref: '#/components/schemas/policy.obligations.AddObligationTriggerResponse' + /policy.obligations.Service/RemoveObligationTrigger: post: tags: - policy.obligations.Service - summary: UpdateObligation - operationId: policy.obligations.Service.UpdateObligation + summary: RemoveObligationTrigger + operationId: policy.obligations.Service.RemoveObligationTrigger parameters: - name: Connect-Protocol-Version in: header @@ -477,7 +477,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.UpdateObligationRequest' + $ref: '#/components/schemas/policy.obligations.RemoveObligationTriggerRequest' required: true responses: default: @@ -491,13 +491,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.UpdateObligationResponse' - /policy.obligations.Service/UpdateObligationValue: + $ref: '#/components/schemas/policy.obligations.RemoveObligationTriggerResponse' + /policy.obligations.Service/ListObligationTriggers: post: tags: - policy.obligations.Service - summary: UpdateObligationValue - operationId: policy.obligations.Service.UpdateObligationValue + summary: ListObligationTriggers + operationId: policy.obligations.Service.ListObligationTriggers parameters: - name: Connect-Protocol-Version in: header @@ -512,7 +512,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.UpdateObligationValueRequest' + $ref: '#/components/schemas/policy.obligations.ListObligationTriggersRequest' required: true responses: default: 
@@ -526,17 +526,107 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.UpdateObligationValueResponse' + $ref: '#/components/schemas/policy.obligations.ListObligationTriggersResponse' components: schemas: + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - SORT_DIRECTION_ASC + - SORT_DIRECTION_DESC + 
description: |- + Sorting direction shared across list APIs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS + policy.obligations.SortObligationsType: + type: string + title: SortObligationsType + enum: + - SORT_OBLIGATIONS_TYPE_UNSPECIFIED + - SORT_OBLIGATIONS_TYPE_NAME + - SORT_OBLIGATIONS_TYPE_FQN + - SORT_OBLIGATIONS_TYPE_CREATED_AT + - SORT_OBLIGATIONS_TYPE_UPDATED_AT common.IdFqnIdentifier: type: object - allOf: - - oneOf: - - required: - - id - - required: - - fqn properties: id: type: string @@ -551,12 +641,6 @@ components: additionalProperties: false common.IdNameIdentifier: type: object - allOf: - - oneOf: - - required: - - id - - required: - - name properties: id: type: string 
@@ -567,8 +651,12 @@ components: title: name maxLength: 253 minLength: 1 - description: | - name_format // Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. + description: |+ + Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + title: IdNameIdentifier additionalProperties: false common.Metadata: 
@@ -626,82 +714,6 @@ components: title: value title: LabelsEntry additionalProperties: false - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' - value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -714,8 +726,8 @@ components: google.protobuf.Timestamp: type: string examples: - - "2023-01-15T01:30:15.01Z" - - "2024-12-25T12:00:00Z" + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
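Review bot: The `google.protobuf.Timestamp` examples become `1s` and `1.000340012s`, which are duration strings and do not satisfy the `format: date-time` declared right after them. The removed values were valid RFC 3339 timestamps and should stay: `- "2023-01-15T01:30:15.01Z"` and `- "2024-12-25T12:00:00Z"`. The same substitution appears in the Timestamp hunk of registered_resources.openapi.yaml later in this patch. The schema's description continues outside the hunk.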
@@ -809,65 +821,41 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - allOf: + oneOf: - properties: - id: - type: string - title: id - description: Generated uuid in database - name: + custom: type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - - oneOf: - - type: object - properties: - custom: - type: string - title: custom - description: Deprecated title: custom - required: - - custom - - type: object - properties: - standard: - title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' + description: Deprecated + title: custom + required: + - custom + - properties: + standard: title: standard - required: - - standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' title: Action additionalProperties: false description: An action an entity can take - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. 
policy.Attribute: type: object properties: @@ -924,14 +912,6 @@ components: required: - rule additionalProperties: false - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -949,6 +929,7 @@ components: type: array items: type: string + minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -964,13 +945,6 @@ components: * A Condition defines a rule of - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: @@ -1007,7 +981,7 @@ components: alg: not: enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - 0 title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -1019,19 +993,6 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: 
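Review bot: In the `alg` property the exclusion list changes from `- KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED` to `- 0`, while `policy.KasPublicKeyAlgEnum` is declared in this same file as `type: string` with named values. If `alg` refers to that enum (its `$ref` is outside the hunk), `not: enum: [0]` can never match a string value, so the spec no longer rejects the unspecified algorithm. Keep the named value, `- KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED`, so that schema-based validation still refuses a KAS public key with no algorithm set.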
@@ -1054,9 +1015,13 @@ components: uri: type: string title: uri - description: | + description: |+ Address of a KAS instance - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -1254,8 +1219,7 @@ components: policy.PublicKey: type: object oneOf: - - type: object - properties: + - properties: cached: title: cached description: public key with additional information. Current preferred version @@ -1263,14 +1227,17 @@ components: title: cached required: - cached - - type: object - properties: + - properties: remote: type: string title: remote - description: | + description: |+ kas public key url - optional since can also be retrieved via public key - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + title: remote required: - remote 
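Review bot: The rule now printed for the KAS `uri` begins `^https?://`, so a plain `http://` address passes, whereas the `remote` public-key URL in the last hunk on this line requires `^https://`. The description text still gives only an `https://` example, so the two disagree on whether a cleartext KAS endpoint is acceptable. Whether `http` is meant only for local development cannot be told from this diff; if it is not intended, the rule should be tightened where it is defined rather than in this document, and otherwise the description should say when `http` is allowed. The rendered text also ends in `.:` before the fenced expression, which reads as a formatting artefact.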
@@ -1378,29 +1345,6 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false - policy.SortDirection: - type: string - title: SortDirection - enum: - - SORT_DIRECTION_UNSPECIFIED - - SORT_DIRECTION_ASC - - SORT_DIRECTION_DESC - description: |- - Sorting direction shared across list APIs. - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: @@ -1466,14 +1410,6 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectSet: type: object properties: @@ -1587,12 +1523,6 @@ components: additionalProperties: false policy.obligations.CreateObligationRequest: type: object - allOf: - - oneOf: - - required: - - namespaceId - - required: - - namespaceFqn properties: namespaceId: type: string 
@@ -1607,14 +1537,19 @@ components: type: string title: name maxLength: 253 - description: | - obligation_name_format // Obligation name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. + description: |+ + Obligation name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + values: type: array items: type: string maxLength: 253 pattern: ^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$ + uniqueItems: true title: values uniqueItems: true description: Optional @@ -1638,12 +1573,6 @@ components: additionalProperties: false policy.obligations.CreateObligationValueRequest: type: object - allOf: - - oneOf: - - required: - - obligationId - - required: - - obligationFqn properties: obligationId: type: string @@ -1658,8 +1587,12 @@ components: type: string title: value maxLength: 253 - description: | - obligation_value_format // Obligation value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case. + description: |+ + Obligation value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + triggers: type: array items: @@ -1688,12 +1621,6 @@ components: additionalProperties: false policy.obligations.DeleteObligationRequest: type: object - allOf: - - oneOf: - - required: - - id - - required: - - fqn properties: id: type: string 
@@ -1716,12 +1643,6 @@ components: additionalProperties: false policy.obligations.DeleteObligationValueRequest: type: object - allOf: - - oneOf: - - required: - - id - - required: - - fqn properties: id: type: string @@ -1744,12 +1665,6 @@ components: additionalProperties: false policy.obligations.GetObligationRequest: type: object - allOf: - - oneOf: - - required: - - id - - required: - - fqn properties: id: type: string @@ -1791,12 +1706,6 @@ components: additionalProperties: false policy.obligations.GetObligationValueRequest: type: object - allOf: - - oneOf: - - required: - - id - - required: - - fqn properties: id: type: string @@ -1827,6 +1736,9 @@ components: type: string minLength: 1 format: uri + maxItems: 250 + minItems: 1 + uniqueItems: true title: fqns maxItems: 250 minItems: 1 @@ -1864,6 +1776,9 @@ components: type: string minLength: 1 format: uri + maxItems: 250 + minItems: 1 + uniqueItems: true title: fqns maxItems: 250 minItems: 1 @@ -1995,15 +1910,6 @@ components: $ref: '#/components/schemas/policy.ObligationTrigger' title: RemoveObligationTriggerResponse additionalProperties: false - policy.obligations.SortObligationsType: - type: string - title: SortObligationsType - enum: - - SORT_OBLIGATIONS_TYPE_UNSPECIFIED - - SORT_OBLIGATIONS_TYPE_NAME - - SORT_OBLIGATIONS_TYPE_FQN - - SORT_OBLIGATIONS_TYPE_CREATED_AT - - SORT_OBLIGATIONS_TYPE_UPDATED_AT policy.obligations.UpdateObligationRequest: type: object properties: 
@@ -2016,9 +1922,13 @@ components: type: string title: name maxLength: 253 - description: | + description: |+ Optional - obligation_name_format // Obligation name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. + Obligation name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: + ``` + size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true + ``` + metadata: title: metadata $ref: '#/components/schemas/common.MetadataMutable' @@ -2047,9 +1957,13 @@ components: type: string title: value maxLength: 253 - description: | + description: |+ Optional - obligation_value_format // Obligation value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case. + Obligation value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case.: + ``` + size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true + ``` + triggers: type: array items: 
@@ -2097,6 +2011,63 @@ components: - action - attributeValue additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.obligations.Service diff --git a/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml b/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml index c22280f626..9c761fa78d 100644 --- a/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml 
+++ b/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml @@ -37,12 +37,12 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.registeredresources.CreateRegisteredResourceResponse' - /policy.registeredresources.RegisteredResourcesService/CreateRegisteredResourceValue: + /policy.registeredresources.RegisteredResourcesService/GetRegisteredResource: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: CreateRegisteredResourceValue - operationId: policy.registeredresources.RegisteredResourcesService.CreateRegisteredResourceValue + summary: GetRegisteredResource + operationId: policy.registeredresources.RegisteredResourcesService.GetRegisteredResource parameters: - name: Connect-Protocol-Version in: header @@ -57,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.CreateRegisteredResourceValueRequest' + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceRequest' required: true responses: default: @@ -71,13 +71,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.CreateRegisteredResourceValueResponse' - /policy.registeredresources.RegisteredResourcesService/DeleteRegisteredResource: + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceResponse' + /policy.registeredresources.RegisteredResourcesService/ListRegisteredResources: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: DeleteRegisteredResource - operationId: policy.registeredresources.RegisteredResourcesService.DeleteRegisteredResource + summary: ListRegisteredResources + operationId: policy.registeredresources.RegisteredResourcesService.ListRegisteredResources parameters: - name: Connect-Protocol-Version in: header 
@@ -92,7 +92,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceRequest' + $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourcesRequest' required: true responses: default: @@ -106,13 +106,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceResponse' - /policy.registeredresources.RegisteredResourcesService/DeleteRegisteredResourceValue: + $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourcesResponse' + /policy.registeredresources.RegisteredResourcesService/UpdateRegisteredResource: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: DeleteRegisteredResourceValue - operationId: policy.registeredresources.RegisteredResourcesService.DeleteRegisteredResourceValue + summary: UpdateRegisteredResource + operationId: policy.registeredresources.RegisteredResourcesService.UpdateRegisteredResource parameters: - name: Connect-Protocol-Version in: header @@ -127,7 +127,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceValueRequest' + $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceRequest' required: true responses: default: 
@@ -141,13 +141,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceValueResponse' - /policy.registeredresources.RegisteredResourcesService/GetRegisteredResource: + $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceResponse' + /policy.registeredresources.RegisteredResourcesService/DeleteRegisteredResource: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: GetRegisteredResource - operationId: policy.registeredresources.RegisteredResourcesService.GetRegisteredResource + summary: DeleteRegisteredResource + operationId: policy.registeredresources.RegisteredResourcesService.DeleteRegisteredResource parameters: - name: Connect-Protocol-Version in: header @@ -162,7 +162,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceRequest' + $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceRequest' required: true responses: default: @@ -176,13 +176,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceResponse' - /policy.registeredresources.RegisteredResourcesService/GetRegisteredResourceValue: + $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceResponse' + /policy.registeredresources.RegisteredResourcesService/CreateRegisteredResourceValue: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: GetRegisteredResourceValue - operationId: policy.registeredresources.RegisteredResourcesService.GetRegisteredResourceValue + summary: CreateRegisteredResourceValue + operationId: policy.registeredresources.RegisteredResourcesService.CreateRegisteredResourceValue parameters: - name: Connect-Protocol-Version in: header 
@@ -197,7 +197,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValueRequest' + $ref: '#/components/schemas/policy.registeredresources.CreateRegisteredResourceValueRequest' required: true responses: default: @@ -211,13 +211,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValueResponse' - /policy.registeredresources.RegisteredResourcesService/GetRegisteredResourceValuesByFQNs: + $ref: '#/components/schemas/policy.registeredresources.CreateRegisteredResourceValueResponse' + /policy.registeredresources.RegisteredResourcesService/GetRegisteredResourceValue: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: GetRegisteredResourceValuesByFQNs - operationId: policy.registeredresources.RegisteredResourcesService.GetRegisteredResourceValuesByFQNs + summary: GetRegisteredResourceValue + operationId: policy.registeredresources.RegisteredResourcesService.GetRegisteredResourceValue parameters: - name: Connect-Protocol-Version in: header @@ -232,7 +232,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValuesByFQNsRequest' + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValueRequest' required: true responses: default: 
@@ -246,13 +246,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValuesByFQNsResponse' - /policy.registeredresources.RegisteredResourcesService/ListRegisteredResourceValues: + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValueResponse' + /policy.registeredresources.RegisteredResourcesService/GetRegisteredResourceValuesByFQNs: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: ListRegisteredResourceValues - operationId: policy.registeredresources.RegisteredResourcesService.ListRegisteredResourceValues + summary: GetRegisteredResourceValuesByFQNs + operationId: policy.registeredresources.RegisteredResourcesService.GetRegisteredResourceValuesByFQNs parameters: - name: Connect-Protocol-Version in: header @@ -267,7 +267,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourceValuesRequest' + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValuesByFQNsRequest' required: true responses: default: @@ -281,13 +281,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourceValuesResponse' - /policy.registeredresources.RegisteredResourcesService/ListRegisteredResources: + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValuesByFQNsResponse' + /policy.registeredresources.RegisteredResourcesService/ListRegisteredResourceValues: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: ListRegisteredResources - operationId: policy.registeredresources.RegisteredResourcesService.ListRegisteredResources + summary: ListRegisteredResourceValues + operationId: policy.registeredresources.RegisteredResourcesService.ListRegisteredResourceValues parameters: - name: Connect-Protocol-Version in: header 
@@ -302,7 +302,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourcesRequest' + $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourceValuesRequest' required: true responses: default: @@ -316,13 +316,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourcesResponse' - /policy.registeredresources.RegisteredResourcesService/UpdateRegisteredResource: + $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourceValuesResponse' + /policy.registeredresources.RegisteredResourcesService/UpdateRegisteredResourceValue: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: UpdateRegisteredResource - operationId: policy.registeredresources.RegisteredResourcesService.UpdateRegisteredResource + summary: UpdateRegisteredResourceValue + operationId: policy.registeredresources.RegisteredResourcesService.UpdateRegisteredResourceValue parameters: - name: Connect-Protocol-Version in: header @@ -337,7 +337,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceRequest' + $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceValueRequest' required: true responses: default: 
@@ -351,13 +351,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceResponse' - /policy.registeredresources.RegisteredResourcesService/UpdateRegisteredResourceValue: + $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceValueResponse' + /policy.registeredresources.RegisteredResourcesService/DeleteRegisteredResourceValue: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: UpdateRegisteredResourceValue - operationId: policy.registeredresources.RegisteredResourcesService.UpdateRegisteredResourceValue + summary: DeleteRegisteredResourceValue + operationId: policy.registeredresources.RegisteredResourcesService.DeleteRegisteredResourceValue parameters: - name: Connect-Protocol-Version in: header @@ -372,7 +372,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceValueRequest' + $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceValueRequest' required: true responses: default: 
@@ -386,9 +386,104 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceValueResponse' + $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceValueResponse' components: schemas: + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - 
SORT_DIRECTION_ASC + - SORT_DIRECTION_DESC + description: |- + Sorting direction shared across list APIs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS + policy.registeredresources.SortRegisteredResourcesType: + type: string + title: SortRegisteredResourcesType + enum: + - SORT_REGISTERED_RESOURCES_TYPE_UNSPECIFIED + - SORT_REGISTERED_RESOURCES_TYPE_NAME + - SORT_REGISTERED_RESOURCES_TYPE_CREATED_AT + - SORT_REGISTERED_RESOURCES_TYPE_UPDATED_AT common.Metadata: type: object properties: 
@@ -444,82 +539,6 @@ components: title: value title: LabelsEntry additionalProperties: false - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' - value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -532,8 +551,8 @@ components: google.protobuf.Timestamp: type: string examples: - - "2023-01-15T01:30:15.01Z" - - "2024-12-25T12:00:00Z" + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -627,65 +646,41 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - allOf: + oneOf: - properties: - id: - type: string - title: id - description: Generated uuid in database - name: + custom: type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - - oneOf: - - type: object - properties: - custom: - type: string - title: custom - description: Deprecated title: custom - required: - - custom - - type: object - properties: - standard: - title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' + description: Deprecated + title: custom + required: + - custom + - properties: + standard: title: standard - required: - - standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' title: Action additionalProperties: false description: An action an entity can take - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. 
policy.Attribute: type: object properties: @@ -742,14 +737,6 @@ components: required: - rule additionalProperties: false - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -767,6 +754,7 @@ components: type: array items: type: string + minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -782,13 +770,6 @@ components: * A Condition defines a rule of - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: @@ -825,7 +806,7 @@ components: alg: not: enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - 0 title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -837,19 +818,6 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: 
@@ -872,9 +840,13 @@ components: uri: type: string title: uri - description: | + description: |+ Address of a KAS instance - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -1072,8 +1044,7 @@ components: policy.PublicKey: type: object oneOf: - - type: object - properties: + - properties: cached: title: cached description: public key with additional information. Current preferred version @@ -1081,14 +1052,17 @@ components: title: cached required: - cached - - type: object - properties: + - properties: remote: type: string title: remote - description: | + description: |+ kas public key url - optional since can also be retrieved via public key - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + title: remote required: - remote 
@@ -1263,29 +1237,6 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false - policy.SortDirection: - type: string - title: SortDirection - enum: - - SORT_DIRECTION_UNSPECIFIED - - SORT_DIRECTION_ASC - - SORT_DIRECTION_DESC - description: |- - Sorting direction shared across list APIs. - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: @@ -1351,14 +1302,6 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectSet: type: object properties: @@ -1429,8 +1372,7 @@ components: type: object allOf: - oneOf: - - type: object - properties: + - properties: actionId: type: string title: action_id 
@@ -1438,20 +1380,22 @@ components: title: action_id required: - actionId - - type: object - properties: + - properties: actionName: type: string title: action_name maxLength: 253 - description: | - action_name_format // Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case. + description: |+ + Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + title: action_name required: - actionName - oneOf: - - type: object - properties: + - properties: attributeValueFqn: type: string title: attribute_value_fqn @@ -1460,8 +1404,7 @@ components: title: attribute_value_fqn required: - attributeValueFqn - - type: object - properties: + - properties: attributeValueId: type: string title: attribute_value_id @@ -1478,15 +1421,20 @@ components: type: string title: name maxLength: 253 - description: | + description: |+ Required - rr_name_format // Registered Resource Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. + Registered Resource Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + values: type: array items: type: string maxLength: 253 pattern: ^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$ + uniqueItems: true title: values uniqueItems: true description: |- 
@@ -1532,9 +1480,13 @@ components: type: string title: value maxLength: 253 - description: | + description: |+ Required - rr_value_format // Registered Resource Value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case. + Registered Resource Value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + actionAttributeValues: type: array items: 
@@ -1600,38 +1552,39 @@ components: additionalProperties: false policy.registeredresources.GetRegisteredResourceRequest: type: object - allOf: + oneOf: - properties: - namespaceFqn: - type: string - title: namespace_fqn - minLength: 1 - format: uri - namespaceId: + id: type: string - title: namespace_id - format: uuid - - oneOf: - - type: object - properties: - id: - type: string - title: id - format: uuid title: id - required: - - id - - type: object - properties: - name: - type: string - title: name - maxLength: 253 - description: | - rr_name_format // Registered Resource Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. + format: uuid + title: id + required: + - id + - properties: + name: + type: string title: name - required: - - name + maxLength: 253 + description: |+ + Registered Resource Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: + ``` + size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true + ``` + + title: name + required: + - name + properties: + namespaceFqn: + type: string + title: namespace_fqn + minLength: 1 + format: uri + namespaceId: + type: string + title: namespace_id + format: uuid title: GetRegisteredResourceRequest additionalProperties: false policy.registeredresources.GetRegisteredResourceResponse: @@ -1645,8 +1598,7 @@ components: policy.registeredresources.GetRegisteredResourceValueRequest: type: object oneOf: - - type: object - properties: + - properties: fqn: type: string title: fqn @@ -1655,8 +1607,7 @@ components: title: fqn required: - fqn - - type: object - properties: + - properties: id: type: string title: id @@ -1683,6 +1634,8 @@ components: type: string minLength: 1 format: uri + minItems: 1 + uniqueItems: true title: fqns minItems: 1 uniqueItems: true 
@@ -1717,9 +1670,13 @@ components: resourceId: type: string title: resource_id - description: | + description: |+ Optional - optional_uuid_format // Optional field must be a valid UUID + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + pagination: title: pagination description: Optional @@ -1793,14 +1750,6 @@ components: $ref: '#/components/schemas/policy.SortDirection' title: RegisteredResourcesSort additionalProperties: false - policy.registeredresources.SortRegisteredResourcesType: - type: string - title: SortRegisteredResourcesType - enum: - - SORT_REGISTERED_RESOURCES_TYPE_UNSPECIFIED - - SORT_REGISTERED_RESOURCES_TYPE_NAME - - SORT_REGISTERED_RESOURCES_TYPE_CREATED_AT - - SORT_REGISTERED_RESOURCES_TYPE_UPDATED_AT policy.registeredresources.UpdateRegisteredResourceRequest: type: object properties: @@ -1813,9 +1762,13 @@ components: type: string title: name maxLength: 253 - description: | + description: |+ Optional - rr_name_format // Registered Resource Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. + Registered Resource Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: + ``` + size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true + ``` + metadata: title: metadata description: |- 
@@ -1847,9 +1800,13 @@ components: type: string title: value maxLength: 253 - description: | + description: |+ Optional - rr_value_format // Registered Resource Value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case. + Registered Resource Value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case.: + ``` + size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true + ``` + actionAttributeValues: type: array items: 
@@ -1877,6 +1834,63 @@ components: $ref: '#/components/schemas/policy.RegisteredResourceValue' title: UpdateRegisteredResourceValueResponse additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.registeredresources.RegisteredResourcesService diff --git a/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml b/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml index 7928a38a98..c49765740a 100644 
--- a/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml +++ b/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml @@ -2,12 +2,12 @@ openapi: 3.1.0 info: title: policy.resourcemapping paths: - /policy.resourcemapping.ResourceMappingService/CreateResourceMapping: + /policy.resourcemapping.ResourceMappingService/ListResourceMappingGroups: post: tags: - policy.resourcemapping.ResourceMappingService - summary: CreateResourceMapping - operationId: policy.resourcemapping.ResourceMappingService.CreateResourceMapping + summary: ListResourceMappingGroups + operationId: policy.resourcemapping.ResourceMappingService.ListResourceMappingGroups parameters: - name: Connect-Protocol-Version in: header @@ -22,7 +22,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingRequest' + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingGroupsRequest' required: true responses: default: @@ -36,13 +36,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingResponse' - /policy.resourcemapping.ResourceMappingService/CreateResourceMappingGroup: + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingGroupsResponse' + /policy.resourcemapping.ResourceMappingService/GetResourceMappingGroup: post: tags: - policy.resourcemapping.ResourceMappingService - summary: CreateResourceMappingGroup - operationId: policy.resourcemapping.ResourceMappingService.CreateResourceMappingGroup + summary: GetResourceMappingGroup + operationId: policy.resourcemapping.ResourceMappingService.GetResourceMappingGroup parameters: - name: Connect-Protocol-Version in: header 
@@ -57,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingGroupRequest' + $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingGroupRequest' required: true responses: default: @@ -71,13 +71,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingGroupResponse' - /policy.resourcemapping.ResourceMappingService/DeleteResourceMapping: + $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingGroupResponse' + /policy.resourcemapping.ResourceMappingService/CreateResourceMappingGroup: post: tags: - policy.resourcemapping.ResourceMappingService - summary: DeleteResourceMapping - operationId: policy.resourcemapping.ResourceMappingService.DeleteResourceMapping + summary: CreateResourceMappingGroup + operationId: policy.resourcemapping.ResourceMappingService.CreateResourceMappingGroup parameters: - name: Connect-Protocol-Version in: header @@ -92,7 +92,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingRequest' + $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingGroupRequest' required: true responses: default: 
@@ -106,13 +106,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingResponse' - /policy.resourcemapping.ResourceMappingService/DeleteResourceMappingGroup: + $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingGroupResponse' + /policy.resourcemapping.ResourceMappingService/UpdateResourceMappingGroup: post: tags: - policy.resourcemapping.ResourceMappingService - summary: DeleteResourceMappingGroup - operationId: policy.resourcemapping.ResourceMappingService.DeleteResourceMappingGroup + summary: UpdateResourceMappingGroup + operationId: policy.resourcemapping.ResourceMappingService.UpdateResourceMappingGroup parameters: - name: Connect-Protocol-Version in: header @@ -127,7 +127,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingGroupRequest' + $ref: '#/components/schemas/policy.resourcemapping.UpdateResourceMappingGroupRequest' required: true responses: default: @@ -141,13 +141,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingGroupResponse' - /policy.resourcemapping.ResourceMappingService/GetResourceMapping: + $ref: '#/components/schemas/policy.resourcemapping.UpdateResourceMappingGroupResponse' + /policy.resourcemapping.ResourceMappingService/DeleteResourceMappingGroup: post: tags: - policy.resourcemapping.ResourceMappingService - summary: GetResourceMapping - operationId: policy.resourcemapping.ResourceMappingService.GetResourceMapping + summary: DeleteResourceMappingGroup + operationId: policy.resourcemapping.ResourceMappingService.DeleteResourceMappingGroup parameters: - name: Connect-Protocol-Version in: header 
@@ -162,7 +162,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingRequest' + $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingGroupRequest' required: true responses: default: @@ -176,13 +176,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingResponse' - /policy.resourcemapping.ResourceMappingService/GetResourceMappingGroup: + $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingGroupResponse' + /policy.resourcemapping.ResourceMappingService/ListResourceMappings: post: tags: - policy.resourcemapping.ResourceMappingService - summary: GetResourceMappingGroup - operationId: policy.resourcemapping.ResourceMappingService.GetResourceMappingGroup + summary: ListResourceMappings + operationId: policy.resourcemapping.ResourceMappingService.ListResourceMappings parameters: - name: Connect-Protocol-Version in: header @@ -197,7 +197,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingGroupRequest' + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsRequest' required: true responses: default: 
@@ -211,13 +211,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingGroupResponse' - /policy.resourcemapping.ResourceMappingService/ListResourceMappingGroups: + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsResponse' + /policy.resourcemapping.ResourceMappingService/ListResourceMappingsByGroupFqns: post: tags: - policy.resourcemapping.ResourceMappingService - summary: ListResourceMappingGroups - operationId: policy.resourcemapping.ResourceMappingService.ListResourceMappingGroups + summary: ListResourceMappingsByGroupFqns + operationId: policy.resourcemapping.ResourceMappingService.ListResourceMappingsByGroupFqns parameters: - name: Connect-Protocol-Version in: header @@ -232,7 +232,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingGroupsRequest' + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsByGroupFqnsRequest' required: true responses: default: @@ -246,13 +246,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingGroupsResponse' - /policy.resourcemapping.ResourceMappingService/ListResourceMappings: + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsByGroupFqnsResponse' + /policy.resourcemapping.ResourceMappingService/GetResourceMapping: post: tags: - policy.resourcemapping.ResourceMappingService - summary: ListResourceMappings - operationId: policy.resourcemapping.ResourceMappingService.ListResourceMappings + summary: GetResourceMapping + operationId: policy.resourcemapping.ResourceMappingService.GetResourceMapping parameters: - name: Connect-Protocol-Version in: header 
@@ -267,7 +267,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsRequest' + $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingRequest' required: true responses: default: @@ -281,13 +281,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsResponse' - /policy.resourcemapping.ResourceMappingService/ListResourceMappingsByGroupFqns: + $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingResponse' + /policy.resourcemapping.ResourceMappingService/CreateResourceMapping: post: tags: - policy.resourcemapping.ResourceMappingService - summary: ListResourceMappingsByGroupFqns - operationId: policy.resourcemapping.ResourceMappingService.ListResourceMappingsByGroupFqns + summary: CreateResourceMapping + operationId: policy.resourcemapping.ResourceMappingService.CreateResourceMapping parameters: - name: Connect-Protocol-Version in: header @@ -302,7 +302,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsByGroupFqnsRequest' + $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingRequest' required: true responses: default: @@ -316,7 +316,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsByGroupFqnsResponse' + $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingResponse' /policy.resourcemapping.ResourceMappingService/UpdateResourceMapping: post: tags: 
@@ -352,12 +352,12 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.resourcemapping.UpdateResourceMappingResponse' - /policy.resourcemapping.ResourceMappingService/UpdateResourceMappingGroup: + /policy.resourcemapping.ResourceMappingService/DeleteResourceMapping: post: tags: - policy.resourcemapping.ResourceMappingService - summary: UpdateResourceMappingGroup - operationId: policy.resourcemapping.ResourceMappingService.UpdateResourceMappingGroup + summary: DeleteResourceMapping + operationId: policy.resourcemapping.ResourceMappingService.DeleteResourceMapping parameters: - name: Connect-Protocol-Version in: header @@ -372,7 +372,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.UpdateResourceMappingGroupRequest' + $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingRequest' required: true responses: default: 
@@ -386,9 +386,84 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.UpdateResourceMappingGroupResponse' + $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingResponse' components: schemas: + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL 
+ description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS common.Metadata: type: object properties: 
@@ -444,82 +519,6 @@ components: title: value title: LabelsEntry additionalProperties: false - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' - value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -532,8 +531,8 @@ components: google.protobuf.Timestamp: type: string examples: - - "2023-01-15T01:30:15.01Z" - - "2024-12-25T12:00:00Z" + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
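Review bot: The new `examples` under `google.protobuf.Timestamp` (`1s`, `1.000340012s`) are duration strings, while the schema still declares `format: date-time`, so the examples no longer validate against the schema they illustrate. The removed values were valid RFC 3339 timestamps and should stay: `- "2023-01-15T01:30:15.01Z"` and `- "2024-12-25T12:00:00Z"`. The same replacement appears in the `google.protobuf.Timestamp` hunk of subject_mapping.openapi.yaml. If these documents are produced by a generator, this looks like a tool-version change riding along with a feature commit, and the version should be pinned and the regeneration reviewed separately.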
@@ -627,65 +626,41 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - allOf: + oneOf: - properties: - id: - type: string - title: id - description: Generated uuid in database - name: + custom: type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - - oneOf: - - type: object - properties: - custom: - type: string - title: custom - description: Deprecated title: custom - required: - - custom - - type: object - properties: - standard: - title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' + description: Deprecated + title: custom + required: + - custom + - properties: + standard: title: standard - required: - - standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' title: Action additionalProperties: false description: An action an entity can take - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. 
policy.Attribute: type: object properties: @@ -742,14 +717,6 @@ components: required: - rule additionalProperties: false - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -767,6 +734,7 @@ components: type: array items: type: string + minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -782,13 +750,6 @@ components: * A Condition defines a rule of - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: @@ -825,7 +786,7 @@ components: alg: not: enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - 0 title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -837,19 +798,6 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: 
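Review bot: In the `alg` hunk the exclusion changes from `- KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED` to `- 0`, which no longer rules out the unspecified algorithm. `policy.KasPublicKeyAlgEnum` is declared in this same diff as `type: string` with named values, and `alg` presumably refers to it, so a string field can never equal the integer `0` and the `not` clause becomes a no-op. Any client, gateway or contract test that validates requests against this document would then accept `KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED`; server-side validation may still reject it, but that is not visible here. Keep the string form, `- KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED`. The enclosing schema starts outside the hunk.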
@@ -872,9 +820,13 @@ components: uri: type: string title: uri - description: | + description: |+ Address of a KAS instance - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -1072,8 +1024,7 @@ components: policy.PublicKey: type: object oneOf: - - type: object - properties: + - properties: cached: title: cached description: public key with additional information. Current preferred version @@ -1081,14 +1032,17 @@ components: title: cached required: - cached - - type: object - properties: + - properties: remote: type: string title: remote - description: | + description: |+ kas public key url - optional since can also be retrieved via public key - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + title: remote required: - remote 
@@ -1196,17 +1150,6 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: @@ -1272,14 +1215,6 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectSet: type: object properties: @@ -1386,6 +1321,8 @@ components: type: array items: type: string + maxItems: 1000 + minItems: 1 title: terms maxItems: 1000 minItems: 1 @@ -1393,9 +1330,13 @@ components: groupId: type: string title: group_id - description: | + description: |+ Optional - optional_uuid_format // Optional field must be a valid UUID + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + metadata: title: metadata description: Optional @@ -1488,9 +1429,13 @@ components: namespaceId: type: string title: namespace_id - description: | + description: |+ Optional - optional_uuid_format // Optional field must be a valid UUID + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + pagination: title: pagination description: Optional 
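Review bot: The UUID rule now printed in the `groupId` description, `size(this) == 0 || this.matches('[0-9a-fA-F]{8}-…-[0-9a-fA-F]{12}')`, has no `^`/`$` anchors. CEL's `matches` is a search rather than a full match, so as written the rule accepts any string that merely contains a UUID. The optional-name rule in this same diff is anchored (`'^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$'`), so the UUID rule should follow suit: `this.matches('^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$')`. The same expression appears in the `namespaceId` and `attributeValueId` hunks. The fix belongs in the validation rule this description is derived from, which is outside this file.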
@@ -1517,6 +1462,7 @@ components: type: array items: type: string + minItems: 1 title: fqns minItems: 1 description: |- @@ -1552,9 +1498,13 @@ components: groupId: type: string title: group_id - description: | + description: |+ Optional - optional_uuid_format // Optional field must be a valid UUID + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + pagination: title: pagination description: Optional @@ -1598,16 +1548,24 @@ components: namespaceId: type: string title: namespace_id - description: | + description: |+ Optional - optional_uuid_format // Optional field must be a valid UUID + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + name: type: string title: name maxLength: 253 - description: | + description: |+ Optional - optional_name_format // Optional field must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored group name will be normalized to lower case. + Optional field must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored group name will be normalized to lower case.: + ``` + size(this) == 0 || this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + metadata: title: metadata description: Common metadata 
@@ -1636,22 +1594,31 @@ components: attributeValueId: type: string title: attribute_value_id - description: | + description: |+ Optional - optional_uuid_format // Optional field must be a valid UUID + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + terms: type: array items: type: string + maxItems: 1000 title: terms maxItems: 1000 description: Optional groupId: type: string title: group_id - description: | + description: |+ Optional - optional_uuid_format // Optional field must be a valid UUID + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + metadata: title: metadata description: |- 
@@ -1671,6 +1638,63 @@ components: $ref: '#/components/schemas/policy.ResourceMapping' title: UpdateResourceMappingResponse additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.resourcemapping.ResourceMappingService diff --git a/docs/openapi/policy/selectors.openapi.yaml b/docs/openapi/policy/selectors.openapi.yaml index 65cc330d4a..8b885a5a41 100644 --- a/docs/openapi/policy/selectors.openapi.yaml 
+++ b/docs/openapi/policy/selectors.openapi.yaml @@ -4,6 +4,18 @@ info: paths: {} components: schemas: + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - SORT_DIRECTION_ASC + - SORT_DIRECTION_DESC + description: |- + Sorting direction shared across list APIs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. policy.AttributeDefinitionSelector: type: object properties: @@ -152,16 +164,4 @@ components: description: Total count of entire list title: PageResponse additionalProperties: false - policy.SortDirection: - type: string - title: SortDirection - enum: - - SORT_DIRECTION_UNSPECIFIED - - SORT_DIRECTION_ASC - - SORT_DIRECTION_DESC - description: |- - Sorting direction shared across list APIs. - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. security: [] diff --git a/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml b/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml index 10e2ebeb84..1608ae7962 100644 --- a/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml +++ b/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml 
@@ -2,12 +2,13 @@ openapi: 3.1.0 info: title: policy.subjectmapping paths: - /policy.subjectmapping.SubjectMappingService/CreateSubjectConditionSet: + /policy.subjectmapping.SubjectMappingService/MatchSubjectMappings: post: tags: - policy.subjectmapping.SubjectMappingService - summary: CreateSubjectConditionSet - operationId: policy.subjectmapping.SubjectMappingService.CreateSubjectConditionSet + summary: MatchSubjectMappings + description: Find matching Subject Mappings for a given Subject + operationId: policy.subjectmapping.SubjectMappingService.MatchSubjectMappings parameters: - name: Connect-Protocol-Version in: header @@ -22,7 +23,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectConditionSetRequest' + $ref: '#/components/schemas/policy.subjectmapping.MatchSubjectMappingsRequest' required: true responses: default: @@ -36,13 +37,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectConditionSetResponse' - /policy.subjectmapping.SubjectMappingService/CreateSubjectMapping: + $ref: '#/components/schemas/policy.subjectmapping.MatchSubjectMappingsResponse' + /policy.subjectmapping.SubjectMappingService/ListSubjectMappings: post: tags: - policy.subjectmapping.SubjectMappingService - summary: CreateSubjectMapping - operationId: policy.subjectmapping.SubjectMappingService.CreateSubjectMapping + summary: ListSubjectMappings + operationId: policy.subjectmapping.SubjectMappingService.ListSubjectMappings parameters: - name: Connect-Protocol-Version in: header @@ -57,7 +58,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectMappingRequest' + $ref: '#/components/schemas/policy.subjectmapping.ListSubjectMappingsRequest' required: true responses: default: 
@@ -71,13 +72,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectMappingResponse' - /policy.subjectmapping.SubjectMappingService/DeleteAllUnmappedSubjectConditionSets: + $ref: '#/components/schemas/policy.subjectmapping.ListSubjectMappingsResponse' + /policy.subjectmapping.SubjectMappingService/GetSubjectMapping: post: tags: - policy.subjectmapping.SubjectMappingService - summary: DeleteAllUnmappedSubjectConditionSets - operationId: policy.subjectmapping.SubjectMappingService.DeleteAllUnmappedSubjectConditionSets + summary: GetSubjectMapping + operationId: policy.subjectmapping.SubjectMappingService.GetSubjectMapping parameters: - name: Connect-Protocol-Version in: header @@ -92,7 +93,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest' + $ref: '#/components/schemas/policy.subjectmapping.GetSubjectMappingRequest' required: true responses: default: @@ -106,13 +107,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse' - /policy.subjectmapping.SubjectMappingService/DeleteSubjectConditionSet: + $ref: '#/components/schemas/policy.subjectmapping.GetSubjectMappingResponse' + /policy.subjectmapping.SubjectMappingService/CreateSubjectMapping: post: tags: - policy.subjectmapping.SubjectMappingService - summary: DeleteSubjectConditionSet - operationId: policy.subjectmapping.SubjectMappingService.DeleteSubjectConditionSet + summary: CreateSubjectMapping + operationId: policy.subjectmapping.SubjectMappingService.CreateSubjectMapping parameters: - name: Connect-Protocol-Version in: header 
@@ -127,7 +128,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectConditionSetRequest' + $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectMappingRequest' required: true responses: default: @@ -141,13 +142,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectConditionSetResponse' - /policy.subjectmapping.SubjectMappingService/DeleteSubjectMapping: + $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectMappingResponse' + /policy.subjectmapping.SubjectMappingService/UpdateSubjectMapping: post: tags: - policy.subjectmapping.SubjectMappingService - summary: DeleteSubjectMapping - operationId: policy.subjectmapping.SubjectMappingService.DeleteSubjectMapping + summary: UpdateSubjectMapping + operationId: policy.subjectmapping.SubjectMappingService.UpdateSubjectMapping parameters: - name: Connect-Protocol-Version in: header @@ -162,7 +163,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectMappingRequest' + $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectMappingRequest' required: true responses: default: @@ -176,13 +177,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectMappingResponse' - /policy.subjectmapping.SubjectMappingService/GetSubjectConditionSet: + $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectMappingResponse' + /policy.subjectmapping.SubjectMappingService/DeleteSubjectMapping: post: tags: - policy.subjectmapping.SubjectMappingService - summary: GetSubjectConditionSet - operationId: policy.subjectmapping.SubjectMappingService.GetSubjectConditionSet + summary: DeleteSubjectMapping + operationId: policy.subjectmapping.SubjectMappingService.DeleteSubjectMapping parameters: - name: Connect-Protocol-Version in: header 
@@ -197,7 +198,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.GetSubjectConditionSetRequest' + $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectMappingRequest' required: true responses: default: @@ -211,13 +212,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.GetSubjectConditionSetResponse' - /policy.subjectmapping.SubjectMappingService/GetSubjectMapping: + $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectMappingResponse' + /policy.subjectmapping.SubjectMappingService/ListSubjectConditionSets: post: tags: - policy.subjectmapping.SubjectMappingService - summary: GetSubjectMapping - operationId: policy.subjectmapping.SubjectMappingService.GetSubjectMapping + summary: ListSubjectConditionSets + operationId: policy.subjectmapping.SubjectMappingService.ListSubjectConditionSets parameters: - name: Connect-Protocol-Version in: header @@ -232,7 +233,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.GetSubjectMappingRequest' + $ref: '#/components/schemas/policy.subjectmapping.ListSubjectConditionSetsRequest' required: true responses: default: @@ -246,13 +247,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.GetSubjectMappingResponse' - /policy.subjectmapping.SubjectMappingService/ListSubjectConditionSets: + $ref: '#/components/schemas/policy.subjectmapping.ListSubjectConditionSetsResponse' + /policy.subjectmapping.SubjectMappingService/GetSubjectConditionSet: post: tags: - policy.subjectmapping.SubjectMappingService - summary: ListSubjectConditionSets - operationId: policy.subjectmapping.SubjectMappingService.ListSubjectConditionSets + summary: GetSubjectConditionSet + operationId: policy.subjectmapping.SubjectMappingService.GetSubjectConditionSet parameters: - name: Connect-Protocol-Version in: header 
@@ -267,7 +268,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.ListSubjectConditionSetsRequest' + $ref: '#/components/schemas/policy.subjectmapping.GetSubjectConditionSetRequest' required: true responses: default: @@ -281,13 +282,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.ListSubjectConditionSetsResponse' - /policy.subjectmapping.SubjectMappingService/ListSubjectMappings: + $ref: '#/components/schemas/policy.subjectmapping.GetSubjectConditionSetResponse' + /policy.subjectmapping.SubjectMappingService/CreateSubjectConditionSet: post: tags: - policy.subjectmapping.SubjectMappingService - summary: ListSubjectMappings - operationId: policy.subjectmapping.SubjectMappingService.ListSubjectMappings + summary: CreateSubjectConditionSet + operationId: policy.subjectmapping.SubjectMappingService.CreateSubjectConditionSet parameters: - name: Connect-Protocol-Version in: header @@ -302,7 +303,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.ListSubjectMappingsRequest' + $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectConditionSetRequest' required: true responses: default: 
@@ -316,14 +317,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.ListSubjectMappingsResponse' - /policy.subjectmapping.SubjectMappingService/MatchSubjectMappings: + $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectConditionSetResponse' + /policy.subjectmapping.SubjectMappingService/UpdateSubjectConditionSet: post: tags: - policy.subjectmapping.SubjectMappingService - summary: MatchSubjectMappings - description: Find matching Subject Mappings for a given Subject - operationId: policy.subjectmapping.SubjectMappingService.MatchSubjectMappings + summary: UpdateSubjectConditionSet + operationId: policy.subjectmapping.SubjectMappingService.UpdateSubjectConditionSet parameters: - name: Connect-Protocol-Version in: header @@ -338,7 +338,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.MatchSubjectMappingsRequest' + $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectConditionSetRequest' required: true responses: default: @@ -352,13 +352,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.MatchSubjectMappingsResponse' - /policy.subjectmapping.SubjectMappingService/UpdateSubjectConditionSet: + $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectConditionSetResponse' + /policy.subjectmapping.SubjectMappingService/DeleteSubjectConditionSet: post: tags: - policy.subjectmapping.SubjectMappingService - summary: UpdateSubjectConditionSet - operationId: policy.subjectmapping.SubjectMappingService.UpdateSubjectConditionSet + summary: DeleteSubjectConditionSet + operationId: policy.subjectmapping.SubjectMappingService.DeleteSubjectConditionSet parameters: - name: Connect-Protocol-Version in: header 
@@ -373,7 +373,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectConditionSetRequest' + $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectConditionSetRequest' required: true responses: default: @@ -387,13 +387,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectConditionSetResponse' - /policy.subjectmapping.SubjectMappingService/UpdateSubjectMapping: + $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectConditionSetResponse' + /policy.subjectmapping.SubjectMappingService/DeleteAllUnmappedSubjectConditionSets: post: tags: - policy.subjectmapping.SubjectMappingService - summary: UpdateSubjectMapping - operationId: policy.subjectmapping.SubjectMappingService.UpdateSubjectMapping + summary: DeleteAllUnmappedSubjectConditionSets + operationId: policy.subjectmapping.SubjectMappingService.DeleteAllUnmappedSubjectConditionSets parameters: - name: Connect-Protocol-Version in: header @@ -408,7 +408,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectMappingRequest' + $ref: '#/components/schemas/policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest' required: true responses: default: 
@@ -422,9 +422,110 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectMappingResponse' + $ref: '#/components/schemas/policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse' components: schemas: + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - SORT_DIRECTION_ASC + - 
SORT_DIRECTION_DESC + description: |- + Sorting direction shared across list APIs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS + policy.subjectmapping.SortSubjectConditionSetsType: + type: string + title: SortSubjectConditionSetsType + enum: + - SORT_SUBJECT_CONDITION_SETS_TYPE_UNSPECIFIED + - SORT_SUBJECT_CONDITION_SETS_TYPE_CREATED_AT + - SORT_SUBJECT_CONDITION_SETS_TYPE_UPDATED_AT + policy.subjectmapping.SortSubjectMappingsType: + type: string + title: SortSubjectMappingsType + enum: + - SORT_SUBJECT_MAPPINGS_TYPE_UNSPECIFIED + - SORT_SUBJECT_MAPPINGS_TYPE_CREATED_AT + - SORT_SUBJECT_MAPPINGS_TYPE_UPDATED_AT common.Metadata: type: object properties: 
@@ -480,82 +581,6 @@ components: title: value title: LabelsEntry additionalProperties: false - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' - value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -568,8 +593,8 @@ components: google.protobuf.Timestamp: type: string examples: - - "2023-01-15T01:30:15.01Z" - - "2024-12-25T12:00:00Z" + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
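Review bot: The new `examples` under `google.protobuf.Timestamp` (`- 1s`, `- 1.000340012s`) are duration-style strings, not RFC 3339 timestamps, so they contradict the `format: date-time` line just below them. Anything that builds sample requests or mocks from these examples will produce values a timestamp parser rejects. The removed pair was correct and should be kept: `- "2023-01-15T01:30:15.01Z"` and `- "2024-12-25T12:00:00Z"`. The same swap is repeated in the `@@ -483,8 +500,8 @@` hunk of `unsafe.openapi.yaml`. If these specs are generated, this looks like output from a different generator version than the one that produced the old side; regenerating with the project's pinned version would be the fix rather than a hand edit.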
@@ -663,65 +688,41 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - allOf: + oneOf: - properties: - id: - type: string - title: id - description: Generated uuid in database - name: + custom: type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - - oneOf: - - type: object - properties: - custom: - type: string - title: custom - description: Deprecated title: custom - required: - - custom - - type: object - properties: - standard: - title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' + description: Deprecated + title: custom + required: + - custom + - properties: + standard: title: standard - required: - - standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' title: Action additionalProperties: false description: An action an entity can take - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. 
policy.Attribute: type: object properties: @@ -778,14 +779,6 @@ components: required: - rule additionalProperties: false - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -803,6 +796,7 @@ components: type: array items: type: string + minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -818,13 +812,6 @@ components: * A Condition defines a rule of - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: @@ -861,7 +848,7 @@ components: alg: not: enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - 0 title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -873,19 +860,6 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: 
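Review bot: In the `@@ -861,7 +848,7 @@` hunk the `alg` constraint changes from `not: enum: [KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED]` to `not: enum: [0]`, but `policy.KasPublicKeyAlgEnum` is declared `type: string` in this same file. A string value never equals the integer `0`, so the exclusion is now vacuous and the spec no longer tells schema-driven validators or client generators that an unspecified key algorithm is invalid. The line should stay `- KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED`. The same change appears in the `@@ -835,7 +814,7 @@` hunk of `unsafe.openapi.yaml`. Server-side validation presumably still enforces the rule, but the published contract should state it too.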
@@ -908,9 +882,13 @@ components: uri: type: string title: uri - description: | + description: |+ Address of a KAS instance - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -1108,8 +1086,7 @@ components: policy.PublicKey: type: object oneOf: - - type: object - properties: + - properties: cached: title: cached description: public key with additional information. Current preferred version @@ -1117,14 +1094,17 @@ components: title: cached required: - cached - - type: object - properties: + - properties: remote: type: string title: remote - description: | + description: |+ kas public key url - optional since can also be retrieved via public key - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + title: remote required: - remote 
@@ -1232,29 +1212,6 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false - policy.SortDirection: - type: string - title: SortDirection - enum: - - SORT_DIRECTION_UNSPECIFIED - - SORT_DIRECTION_ASC - - SORT_DIRECTION_DESC - description: |- - Sorting direction shared across list APIs. - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: @@ -1320,14 +1277,6 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectProperty: type: object properties: @@ -1348,6 +1297,7 @@ components: authoritative source such as an IDP (Identity Provider) or User Store. Examples include such ADFS/LDAP, OKTA, etc. For now, a valid property must contain both a selector expression & a resulting value. + The external_selector_value is a specifier to select a value from a flattened external representation of an Entity (such as from idP/LDAP), and the external_value is the value selected by the external_selector_value on that 
@@ -1461,17 +1411,25 @@ components: $ref: '#/components/schemas/policy.Action' title: actions minItems: 1 - description: | + description: |+ Required The actions permitted by subjects in this mapping - action_name_or_id_not_empty // Action name or ID must not be empty if provided + Action name or ID must not be empty if provided: + ``` + this.all(item, item.name != '' || item.id != '') + ``` + existingSubjectConditionSetId: type: string title: existing_subject_condition_set_id - description: | + description: |+ Either of the following: Reuse existing SubjectConditionSet (NOTE: prioritized over new_subject_condition_set) - optional_uuid_format // Optional field must be a valid UUID + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + newSubjectConditionSet: title: new_subject_condition_set description: 'Create new SubjectConditionSet (NOTE: ignored if existing_subject_condition_set_id is provided)' @@ -1708,20 +1666,6 @@ components: title: subject_mappings title: MatchSubjectMappingsResponse additionalProperties: false - policy.subjectmapping.SortSubjectConditionSetsType: - type: string - title: SortSubjectConditionSetsType - enum: - - SORT_SUBJECT_CONDITION_SETS_TYPE_UNSPECIFIED - - SORT_SUBJECT_CONDITION_SETS_TYPE_CREATED_AT - - SORT_SUBJECT_CONDITION_SETS_TYPE_UPDATED_AT - policy.subjectmapping.SortSubjectMappingsType: - type: string - title: SortSubjectMappingsType - enum: - - SORT_SUBJECT_MAPPINGS_TYPE_UNSPECIFIED - - SORT_SUBJECT_MAPPINGS_TYPE_CREATED_AT - - SORT_SUBJECT_MAPPINGS_TYPE_UPDATED_AT policy.subjectmapping.SubjectConditionSetCreate: type: object properties: 
@@ -1807,19 +1751,27 @@ components: subjectConditionSetId: type: string title: subject_condition_set_id - description: | + description: |+ Optional Replaces the existing SubjectConditionSet id with a new one - optional_uuid_format // Optional field must be a valid UUID + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + actions: type: array items: $ref: '#/components/schemas/policy.Action' title: actions - description: | + description: |+ Optional Replaces entire list of actions permitted by subjects - action_name_or_id_not_empty // Action name or ID must not be empty if provided + Action name or ID must not be empty if provided: + ``` + this.size() == 0 || this.all(item, item.name != '' || item.id != '') + ``` + metadata: title: metadata description: Common metadata 
@@ -1838,6 +1790,63 @@ components: $ref: '#/components/schemas/policy.SubjectMapping' title: UpdateSubjectMappingResponse additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.subjectmapping.SubjectMappingService diff --git a/docs/openapi/policy/unsafe/unsafe.openapi.yaml b/docs/openapi/policy/unsafe/unsafe.openapi.yaml index 168c60f735..279b0154a6 100644 --- a/docs/openapi/policy/unsafe/unsafe.openapi.yaml 
+++ b/docs/openapi/policy/unsafe/unsafe.openapi.yaml @@ -2,12 +2,16 @@ openapi: 3.1.0 info: title: policy.unsafe paths: - /policy.unsafe.UnsafeService/UnsafeDeleteAttribute: + /policy.unsafe.UnsafeService/UnsafeUpdateNamespace: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeDeleteAttribute - operationId: policy.unsafe.UnsafeService.UnsafeDeleteAttribute + summary: UnsafeUpdateNamespace + description: |- + --------------------------------------* + Namespace RPCs + --------------------------------------- + operationId: policy.unsafe.UnsafeService.UnsafeUpdateNamespace parameters: - name: Connect-Protocol-Version in: header @@ -22,7 +26,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateNamespaceRequest' required: true responses: default: @@ -36,13 +40,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeResponse' - /policy.unsafe.UnsafeService/UnsafeDeleteAttributeValue: + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateNamespaceResponse' + /policy.unsafe.UnsafeService/UnsafeReactivateNamespace: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeDeleteAttributeValue - operationId: policy.unsafe.UnsafeService.UnsafeDeleteAttributeValue + summary: UnsafeReactivateNamespace + operationId: policy.unsafe.UnsafeService.UnsafeReactivateNamespace parameters: - name: Connect-Protocol-Version in: header @@ -57,7 +61,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeValueRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateNamespaceRequest' required: true responses: default: 
@@ -71,17 +75,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeValueResponse' - /policy.unsafe.UnsafeService/UnsafeDeleteKasKey: + $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateNamespaceResponse' + /policy.unsafe.UnsafeService/UnsafeDeleteNamespace: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeDeleteKasKey - description: |- - --------------------------------------* - Kas Key RPCs - --------------------------------------- - operationId: policy.unsafe.UnsafeService.UnsafeDeleteKasKey + summary: UnsafeDeleteNamespace + operationId: policy.unsafe.UnsafeService.UnsafeDeleteNamespace parameters: - name: Connect-Protocol-Version in: header @@ -96,7 +96,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteKasKeyRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteNamespaceRequest' required: true responses: default: @@ -110,13 +110,17 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteKasKeyResponse' - /policy.unsafe.UnsafeService/UnsafeDeleteNamespace: + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteNamespaceResponse' + /policy.unsafe.UnsafeService/UnsafeUpdateAttribute: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeDeleteNamespace - operationId: policy.unsafe.UnsafeService.UnsafeDeleteNamespace + summary: UnsafeUpdateAttribute + description: |- + --------------------------------------* + Attribute RPCs + --------------------------------------- + operationId: policy.unsafe.UnsafeService.UnsafeUpdateAttribute parameters: - name: Connect-Protocol-Version in: header @@ -131,7 +135,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteNamespaceRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeRequest' required: true responses: default: 
@@ -145,7 +149,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteNamespaceResponse' + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeResponse' /policy.unsafe.UnsafeService/UnsafeReactivateAttribute: post: tags: @@ -181,12 +185,12 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateAttributeResponse' - /policy.unsafe.UnsafeService/UnsafeReactivateAttributeValue: + /policy.unsafe.UnsafeService/UnsafeDeleteAttribute: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeReactivateAttributeValue - operationId: policy.unsafe.UnsafeService.UnsafeReactivateAttributeValue + summary: UnsafeDeleteAttribute + operationId: policy.unsafe.UnsafeService.UnsafeDeleteAttribute parameters: - name: Connect-Protocol-Version in: header @@ -201,7 +205,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateAttributeValueRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeRequest' required: true responses: default: @@ -215,13 +219,17 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateAttributeValueResponse' - /policy.unsafe.UnsafeService/UnsafeReactivateNamespace: + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeResponse' + /policy.unsafe.UnsafeService/UnsafeUpdateAttributeValue: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeReactivateNamespace - operationId: policy.unsafe.UnsafeService.UnsafeReactivateNamespace + summary: UnsafeUpdateAttributeValue + description: |- + --------------------------------------* + Value RPCs + --------------------------------------- + operationId: policy.unsafe.UnsafeService.UnsafeUpdateAttributeValue parameters: - name: Connect-Protocol-Version in: header 
@@ -236,7 +244,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateNamespaceRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeValueRequest' required: true responses: default: @@ -250,17 +258,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateNamespaceResponse' - /policy.unsafe.UnsafeService/UnsafeUpdateAttribute: + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeValueResponse' + /policy.unsafe.UnsafeService/UnsafeReactivateAttributeValue: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeUpdateAttribute - description: |- - --------------------------------------* - Attribute RPCs - --------------------------------------- - operationId: policy.unsafe.UnsafeService.UnsafeUpdateAttribute + summary: UnsafeReactivateAttributeValue + operationId: policy.unsafe.UnsafeService.UnsafeReactivateAttributeValue parameters: - name: Connect-Protocol-Version in: header @@ -275,7 +279,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateAttributeValueRequest' required: true responses: default: 
@@ -289,17 +293,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeResponse' - /policy.unsafe.UnsafeService/UnsafeUpdateAttributeValue: + $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateAttributeValueResponse' + /policy.unsafe.UnsafeService/UnsafeDeleteAttributeValue: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeUpdateAttributeValue - description: |- - --------------------------------------* - Value RPCs - --------------------------------------- - operationId: policy.unsafe.UnsafeService.UnsafeUpdateAttributeValue + summary: UnsafeDeleteAttributeValue + operationId: policy.unsafe.UnsafeService.UnsafeDeleteAttributeValue parameters: - name: Connect-Protocol-Version in: header @@ -314,7 +314,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeValueRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeValueRequest' required: true responses: default: @@ -328,17 +328,17 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeValueResponse' - /policy.unsafe.UnsafeService/UnsafeUpdateNamespace: + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeValueResponse' + /policy.unsafe.UnsafeService/UnsafeDeleteKasKey: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeUpdateNamespace + summary: UnsafeDeleteKasKey description: |- --------------------------------------* - Namespace RPCs + Kas Key RPCs --------------------------------------- - operationId: policy.unsafe.UnsafeService.UnsafeUpdateNamespace + operationId: policy.unsafe.UnsafeService.UnsafeDeleteKasKey parameters: - name: Connect-Protocol-Version in: header 
@@ -353,7 +353,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateNamespaceRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteKasKeyRequest' required: true responses: default: 
@@ -367,9 +367,95 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateNamespaceResponse' + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteKasKeyResponse' components: schemas: + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + policy.KeyMode: + type: string + title: KeyMode + enum: + - KEY_MODE_UNSPECIFIED + - KEY_MODE_CONFIG_ROOT_KEY + - KEY_MODE_PROVIDER_ROOT_KEY + - KEY_MODE_REMOTE + - KEY_MODE_PUBLIC_KEY_ONLY + description: Describes the management and operational mode of a cryptographic key. 
+ policy.KeyStatus: + type: string + title: KeyStatus + enum: + - KEY_STATUS_UNSPECIFIED + - KEY_STATUS_ACTIVE + - KEY_STATUS_ROTATED + description: The status of the key + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS common.Metadata: type: object properties: 
@@ -402,75 +488,6 @@ components: title: value title: LabelsEntry additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' - value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. 
The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -483,8 +500,8 @@ components: google.protobuf.Timestamp: type: string examples: - - "2023-01-15T01:30:15.01Z" - - "2024-12-25T12:00:00Z" + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -578,65 +595,41 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - allOf: + oneOf: - properties: - id: + custom: type: string - title: id - description: Generated uuid in database - name: - type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - - oneOf: - - type: object - properties: - custom: - type: string - title: custom - description: Deprecated title: custom - required: - - custom - - type: object - properties: - standard: - title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' + description: Deprecated + title: custom + required: + - custom + - properties: + standard: title: standard - required: - - standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' title: Action additionalProperties: false description: An action an entity can take - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. 
policy.AsymmetricKey: type: object properties: @@ -738,14 +731,6 @@ components: required: - rule additionalProperties: false - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -763,6 +748,7 @@ components: type: array items: type: string + minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -778,13 +764,6 @@ components: * A Condition defines a rule of - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: @@ -835,7 +814,7 @@ components: alg: not: enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - 0 title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -847,19 +826,6 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: 
@@ -882,9 +848,13 @@ components: uri: type: string title: uri - description: | + description: |+ Address of a KAS instance - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -912,16 +882,6 @@ components: title: KeyAccessServer additionalProperties: false description: Key Access Server Registry - policy.KeyMode: - type: string - title: KeyMode - enum: - - KEY_MODE_UNSPECIFIED - - KEY_MODE_CONFIG_ROOT_KEY - - KEY_MODE_PROVIDER_ROOT_KEY - - KEY_MODE_REMOTE - - KEY_MODE_PUBLIC_KEY_ONLY - description: Describes the management and operational mode of a cryptographic key. policy.KeyProviderConfig: type: object properties: @@ -944,14 +904,6 @@ components: $ref: '#/components/schemas/common.Metadata' title: KeyProviderConfig additionalProperties: false - policy.KeyStatus: - type: string - title: KeyStatus - enum: - - KEY_STATUS_UNSPECIFIED - - KEY_STATUS_ACTIVE - - KEY_STATUS_ROTATED - description: The status of the key policy.Namespace: type: object properties: @@ -1094,8 +1046,7 @@ components: policy.PublicKey: type: object oneOf: - - type: object - properties: + - properties: cached: title: cached description: public key with additional information. Current preferred version 
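Review bot: The `uri` description in the `@@ -882,9 +848,13 @@` hunk now shows a rule that is looser than the sentence above it: the pattern starts with `^https?://`, so plain `http` KAS addresses pass, and it ends with `(/.*)?$`, so the per-segment character limits described in the prose are not enforced. The `remote` key URL in the `@@ -1103,14 +1054,17 @@` hunk requires `^https://` but has the same `(/.*)?$` tail. Either the description should state what is actually accepted, for example `http or https URL; the path is not validated`, or the source rule should be tightened to match the prose; the rule's definition is outside this diff section. The new text also ends in `slashes.:`, a stray colon before the fenced expression.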
@@ -1103,14 +1054,17 @@ components: title: cached required: - cached - - type: object - properties: + - properties: remote: type: string title: remote - description: | + description: |+ kas public key url - optional since can also be retrieved via public key - uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + title: remote required: - remote @@ -1228,17 +1182,6 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: @@ -1304,14 +1247,6 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectSet: type: object properties: 
@@ -1590,11 +1525,15 @@ components: type: string title: name maxLength: 253 - description: | + description: |+ Optional WARNING!! Updating the name of an Attribute will retroactively alter access to existing TDFs of the old and new Attribute name. - attribute_name_format // Attribute name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute name will be normalized to lower case. + Attribute name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute name will be normalized to lower case.: + ``` + size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true + ``` + rule: title: rule description: |- @@ -1647,9 +1586,13 @@ components: type: string title: value maxLength: 253 - description: | + description: |+ Required - value_format // Attribute Value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute value will be normalized to lower case. + Attribute Value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute value will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + title: UnsafeUpdateAttributeValueRequest additionalProperties: false description: |- 
@@ -1675,9 +1618,13 @@ components: type: string title: name maxLength: 253 - description: | + description: |+ Required - namespace_name_format // Namespace must be a valid hostname. It should include at least one dot, with each segment (label) starting and ending with an alphanumeric character. Each label must be 1 to 63 characters long, allowing hyphens but not as the first or last character. The top-level domain (the last segment after the final dot) must consist of at least two alphabetic characters. The stored namespace will be normalized to lower case. + Namespace must be a valid hostname. It should include at least one dot, with each segment (label) starting and ending with an alphanumeric character. Each label must be 1 to 63 characters long, allowing hyphens but not as the first or last character. The top-level domain (the last segment after the final dot) must consist of at least two alphabetic characters. The stored namespace will be normalized to lower case.: + ``` + this.matches('^([a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?\\.)+[a-zA-Z]{2,}$') + ``` + title: UnsafeUpdateNamespaceRequest additionalProperties: false description: |- 
@@ -1692,6 +1639,63 @@ components: $ref: '#/components/schemas/policy.Namespace' title: UnsafeUpdateNamespaceResponse additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.unsafe.UnsafeService diff --git a/docs/openapi/wellknownconfiguration/wellknown_configuration.openapi.yaml b/docs/openapi/wellknownconfiguration/wellknown_configuration.openapi.yaml index 203cf0b27e..ad18ddfa64 100644 
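Review bot: The `connect.error` schema added here has a single `detail` property referencing `google.protobuf.Any`, while the version removed from the well-known configuration spec in this same commit (`@@ -39,75 +39,16 @@`) had a `details` array of `connect.error_details.Any`; that file's `@@ -207,6 +138,63 @@` hunk adds the same singular form. Clients generated from the new spec would not model a `details` list, so error detail payloads would only pass through `additionalProperties: true` untyped. The per-field descriptions on `type`, `value` and `debug` are dropped as well. This looks like a regeneration with a different tool version, and pinning the generator would keep this unrelated churn out of a feature commit.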
--- a/docs/openapi/wellknownconfiguration/wellknown_configuration.openapi.yaml +++ b/docs/openapi/wellknownconfiguration/wellknown_configuration.openapi.yaml 
@@ -39,75 +39,16 @@ paths: $ref: '#/components/schemas/wellknownconfiguration.GetWellKnownConfigurationResponse' components: schemas: - connect-protocol-version: - type: number - title: Connect-Protocol-Version + google.protobuf.NullValue: + type: string + title: NullValue enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - details: - type: array - items: - $ref: '#/components/schemas/connect.error_details.Any' - description: A list of messages that carry the error details. There is no limit on the number of messages. - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - connect.error_details.Any: - type: object - properties: - type: - type: string - description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' 
- value: - type: string - format: binary - description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. - debug: - oneOf: - - type: object - title: Any - additionalProperties: true - description: Detailed error information. - discriminator: - propertyName: type - title: Debug - description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. + - NULL_VALUE + description: |- + `NullValue` is a singleton enumeration to represent the null value for the + `Value` type union. + + The JSON representation for `NullValue` is JSON `null`. google.protobuf.ListValue: type: object properties: @@ -123,16 +64,6 @@ components: `ListValue` is a wrapper around a repeated field of values. The JSON representation for `ListValue` is JSON array. - google.protobuf.NullValue: - type: string - title: NullValue - enum: - - NULL_VALUE - description: |- - `NullValue` is a singleton enumeration to represent the null value for the - `Value` type union. - - The JSON representation for `NullValue` is JSON `null`. google.protobuf.Struct: type: object additionalProperties: 
@@ -207,6 +138,63 @@ components: $ref: '#/components/schemas/google.protobuf.Struct' title: ConfigurationEntry additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: wellknownconfiguration.WellKnownService diff --git a/protocol/go/policy/definitionvalueentitlement/definition_value_entitlement.pb.go b/protocol/go/policy/definitionvalueentitlement/definition_value_entitlement.pb.go new file mode 100644 index 0000000000..c3df1f758f 
--- /dev/null +++ b/protocol/go/policy/definitionvalueentitlement/definition_value_entitlement.pb.go 
@@ -0,0 +1,1365 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.33.0 +// protoc (unknown) +// source: policy/definitionvalueentitlement/definition_value_entitlement.proto + +package definitionvalueentitlement + +import ( + _ "buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go/buf/validate" + common "github.com/opentdf/platform/protocol/go/common" + policy "github.com/opentdf/platform/protocol/go/policy" + subjectmapping "github.com/opentdf/platform/protocol/go/policy/subjectmapping" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type SortDefinitionValueEntitlementMappingsType int32 + +const ( + SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED SortDefinitionValueEntitlementMappingsType = 0 + SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT SortDefinitionValueEntitlementMappingsType = 1 + SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT SortDefinitionValueEntitlementMappingsType = 2 +) + +// Enum value maps for SortDefinitionValueEntitlementMappingsType. 
+var ( + SortDefinitionValueEntitlementMappingsType_name = map[int32]string{ + 0: "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED", + 1: "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT", + 2: "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT", + } + SortDefinitionValueEntitlementMappingsType_value = map[string]int32{ + "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED": 0, + "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT": 1, + "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT": 2, + } +) + +func (x SortDefinitionValueEntitlementMappingsType) Enum() *SortDefinitionValueEntitlementMappingsType { + p := new(SortDefinitionValueEntitlementMappingsType) + *p = x + return p +} + +func (x SortDefinitionValueEntitlementMappingsType) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (SortDefinitionValueEntitlementMappingsType) Descriptor() protoreflect.EnumDescriptor { + return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_enumTypes[0].Descriptor() +} + +func (SortDefinitionValueEntitlementMappingsType) Type() protoreflect.EnumType { + return &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_enumTypes[0] +} + +func (x SortDefinitionValueEntitlementMappingsType) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use SortDefinitionValueEntitlementMappingsType.Descriptor instead. 
+func (SortDefinitionValueEntitlementMappingsType) EnumDescriptor() ([]byte, []int) { + return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{0} +} + +type GetDefinitionValueEntitlementMappingRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Required + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` +} + +func (x *GetDefinitionValueEntitlementMappingRequest) Reset() { + *x = GetDefinitionValueEntitlementMappingRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetDefinitionValueEntitlementMappingRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetDefinitionValueEntitlementMappingRequest) ProtoMessage() {} + +func (x *GetDefinitionValueEntitlementMappingRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. 
+func (*GetDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { + return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{0} +} + +func (x *GetDefinitionValueEntitlementMappingRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +type GetDefinitionValueEntitlementMappingResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` +} + +func (x *GetDefinitionValueEntitlementMappingResponse) Reset() { + *x = GetDefinitionValueEntitlementMappingResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetDefinitionValueEntitlementMappingResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetDefinitionValueEntitlementMappingResponse) ProtoMessage() {} + +func (x *GetDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
+func (*GetDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { + return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{1} +} + +func (x *GetDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { + if x != nil { + return x.DefinitionValueEntitlementMapping + } + return nil +} + +type DefinitionValueEntitlementMappingsSort struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Field SortDefinitionValueEntitlementMappingsType `protobuf:"varint,1,opt,name=field,proto3,enum=policy.definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType" json:"field,omitempty"` + Direction policy.SortDirection `protobuf:"varint,2,opt,name=direction,proto3,enum=policy.SortDirection" json:"direction,omitempty"` +} + +func (x *DefinitionValueEntitlementMappingsSort) Reset() { + *x = DefinitionValueEntitlementMappingsSort{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *DefinitionValueEntitlementMappingsSort) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DefinitionValueEntitlementMappingsSort) ProtoMessage() {} + +func (x *DefinitionValueEntitlementMappingsSort) ProtoReflect() protoreflect.Message { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DefinitionValueEntitlementMappingsSort.ProtoReflect.Descriptor instead. 
+func (*DefinitionValueEntitlementMappingsSort) Descriptor() ([]byte, []int) { + return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{2} +} + +func (x *DefinitionValueEntitlementMappingsSort) GetField() SortDefinitionValueEntitlementMappingsType { + if x != nil { + return x.Field + } + return SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED +} + +func (x *DefinitionValueEntitlementMappingsSort) GetDirection() policy.SortDirection { + if x != nil { + return x.Direction + } + return policy.SortDirection(0) +} + +type ListDefinitionValueEntitlementMappingsRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Optional + // Namespace ID or FQN, or Attribute Definition ID or FQN to filter by + NamespaceId string `protobuf:"bytes,1,opt,name=namespace_id,json=namespaceId,proto3" json:"namespace_id,omitempty"` + AttributeDefinitionId string `protobuf:"bytes,2,opt,name=attribute_definition_id,json=attributeDefinitionId,proto3" json:"attribute_definition_id,omitempty"` + // Optional + Pagination *policy.PageRequest `protobuf:"bytes,10,opt,name=pagination,proto3" json:"pagination,omitempty"` + // Optional - CONSTRAINT: max 1 item + Sort []*DefinitionValueEntitlementMappingsSort `protobuf:"bytes,11,rep,name=sort,proto3" json:"sort,omitempty"` +} + +func (x *ListDefinitionValueEntitlementMappingsRequest) Reset() { + *x = ListDefinitionValueEntitlementMappingsRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ListDefinitionValueEntitlementMappingsRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListDefinitionValueEntitlementMappingsRequest) ProtoMessage() {} + +func (x 
*ListDefinitionValueEntitlementMappingsRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[3] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListDefinitionValueEntitlementMappingsRequest.ProtoReflect.Descriptor instead. +func (*ListDefinitionValueEntitlementMappingsRequest) Descriptor() ([]byte, []int) { + return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{3} +} + +func (x *ListDefinitionValueEntitlementMappingsRequest) GetNamespaceId() string { + if x != nil { + return x.NamespaceId + } + return "" +} + +func (x *ListDefinitionValueEntitlementMappingsRequest) GetAttributeDefinitionId() string { + if x != nil { + return x.AttributeDefinitionId + } + return "" +} + +func (x *ListDefinitionValueEntitlementMappingsRequest) GetPagination() *policy.PageRequest { + if x != nil { + return x.Pagination + } + return nil +} + +func (x *ListDefinitionValueEntitlementMappingsRequest) GetSort() []*DefinitionValueEntitlementMappingsSort { + if x != nil { + return x.Sort + } + return nil +} + +type ListDefinitionValueEntitlementMappingsResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DefinitionValueEntitlementMappings []*policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,rep,name=definition_value_entitlement_mappings,json=definitionValueEntitlementMappings,proto3" json:"definition_value_entitlement_mappings,omitempty"` + Pagination *policy.PageResponse `protobuf:"bytes,10,opt,name=pagination,proto3" json:"pagination,omitempty"` +} + +func (x *ListDefinitionValueEntitlementMappingsResponse) Reset() { + *x = ListDefinitionValueEntitlementMappingsResponse{} + if 
protoimpl.UnsafeEnabled { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ListDefinitionValueEntitlementMappingsResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListDefinitionValueEntitlementMappingsResponse) ProtoMessage() {} + +func (x *ListDefinitionValueEntitlementMappingsResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[4] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListDefinitionValueEntitlementMappingsResponse.ProtoReflect.Descriptor instead. +func (*ListDefinitionValueEntitlementMappingsResponse) Descriptor() ([]byte, []int) { + return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{4} +} + +func (x *ListDefinitionValueEntitlementMappingsResponse) GetDefinitionValueEntitlementMappings() []*policy.DefinitionValueEntitlementMapping { + if x != nil { + return x.DefinitionValueEntitlementMappings + } + return nil +} + +func (x *ListDefinitionValueEntitlementMappingsResponse) GetPagination() *policy.PageResponse { + if x != nil { + return x.Pagination + } + return nil +} + +type CreateDefinitionValueEntitlementMappingRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + AttributeDefinitionId string `protobuf:"bytes,1,opt,name=attribute_definition_id,json=attributeDefinitionId,proto3" json:"attribute_definition_id,omitempty"` + AttributeDefinitionFqn string `protobuf:"bytes,2,opt,name=attribute_definition_fqn,json=attributeDefinitionFqn,proto3" json:"attribute_definition_fqn,omitempty"` + // 
Required: the dynamic resolver comparing entity selector result to the resource value segment + ValueResolver *policy.DefinitionValueResolver `protobuf:"bytes,3,opt,name=value_resolver,json=valueResolver,proto3" json:"value_resolver,omitempty"` + // Required: actions permitted on a matched value + Actions []*policy.Action `protobuf:"bytes,4,rep,name=actions,proto3" json:"actions,omitempty"` + // Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ... + ExistingSubjectConditionSetId string `protobuf:"bytes,5,opt,name=existing_subject_condition_set_id,json=existingSubjectConditionSetId,proto3" json:"existing_subject_condition_set_id,omitempty"` + // ... or create a new one (ignored if existing_subject_condition_set_id is provided) + NewSubjectConditionSet *subjectmapping.SubjectConditionSetCreate `protobuf:"bytes,6,opt,name=new_subject_condition_set,json=newSubjectConditionSet,proto3" json:"new_subject_condition_set,omitempty"` + // Optional: namespace ID or FQN for the mapping + NamespaceId string `protobuf:"bytes,7,opt,name=namespace_id,json=namespaceId,proto3" json:"namespace_id,omitempty"` + NamespaceFqn string `protobuf:"bytes,8,opt,name=namespace_fqn,json=namespaceFqn,proto3" json:"namespace_fqn,omitempty"` + // Optional + Metadata *common.MetadataMutable `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"` +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) Reset() { + *x = CreateDefinitionValueEntitlementMappingRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CreateDefinitionValueEntitlementMappingRequest) ProtoMessage() {} + +func (x *CreateDefinitionValueEntitlementMappingRequest) ProtoReflect() 
protoreflect.Message { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[5] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CreateDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. +func (*CreateDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { + return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{5} +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetAttributeDefinitionId() string { + if x != nil { + return x.AttributeDefinitionId + } + return "" +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetAttributeDefinitionFqn() string { + if x != nil { + return x.AttributeDefinitionFqn + } + return "" +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetValueResolver() *policy.DefinitionValueResolver { + if x != nil { + return x.ValueResolver + } + return nil +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetActions() []*policy.Action { + if x != nil { + return x.Actions + } + return nil +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetExistingSubjectConditionSetId() string { + if x != nil { + return x.ExistingSubjectConditionSetId + } + return "" +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetNewSubjectConditionSet() *subjectmapping.SubjectConditionSetCreate { + if x != nil { + return x.NewSubjectConditionSet + } + return nil +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetNamespaceId() string { + if x != nil { + return x.NamespaceId + } + return "" +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetNamespaceFqn() string { + if x != nil { + return x.NamespaceFqn + } + return "" +} + +func (x 
*CreateDefinitionValueEntitlementMappingRequest) GetMetadata() *common.MetadataMutable { + if x != nil { + return x.Metadata + } + return nil +} + +type CreateDefinitionValueEntitlementMappingResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` +} + +func (x *CreateDefinitionValueEntitlementMappingResponse) Reset() { + *x = CreateDefinitionValueEntitlementMappingResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *CreateDefinitionValueEntitlementMappingResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CreateDefinitionValueEntitlementMappingResponse) ProtoMessage() {} + +func (x *CreateDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[6] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CreateDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
+func (*CreateDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { + return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{6} +} + +func (x *CreateDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { + if x != nil { + return x.DefinitionValueEntitlementMapping + } + return nil +} + +type UpdateDefinitionValueEntitlementMappingRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Required + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` + // Optional: replace the dynamic resolver + ValueResolver *policy.DefinitionValueResolver `protobuf:"bytes,2,opt,name=value_resolver,json=valueResolver,proto3" json:"value_resolver,omitempty"` + // Optional: replace the static pre-gate SubjectConditionSet by id + SubjectConditionSetId string `protobuf:"bytes,3,opt,name=subject_condition_set_id,json=subjectConditionSetId,proto3" json:"subject_condition_set_id,omitempty"` + // Optional: replace the entire list of actions + Actions []*policy.Action `protobuf:"bytes,4,rep,name=actions,proto3" json:"actions,omitempty"` + // Common metadata + Metadata *common.MetadataMutable `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"` + MetadataUpdateBehavior common.MetadataUpdateEnum `protobuf:"varint,101,opt,name=metadata_update_behavior,json=metadataUpdateBehavior,proto3,enum=common.MetadataUpdateEnum" json:"metadata_update_behavior,omitempty"` +} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) Reset() { + *x = UpdateDefinitionValueEntitlementMappingRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x 
*UpdateDefinitionValueEntitlementMappingRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*UpdateDefinitionValueEntitlementMappingRequest) ProtoMessage() {} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[7] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use UpdateDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. +func (*UpdateDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { + return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{7} +} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) GetValueResolver() *policy.DefinitionValueResolver { + if x != nil { + return x.ValueResolver + } + return nil +} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) GetSubjectConditionSetId() string { + if x != nil { + return x.SubjectConditionSetId + } + return "" +} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) GetActions() []*policy.Action { + if x != nil { + return x.Actions + } + return nil +} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) GetMetadata() *common.MetadataMutable { + if x != nil { + return x.Metadata + } + return nil +} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) GetMetadataUpdateBehavior() common.MetadataUpdateEnum { + if x != nil { + return x.MetadataUpdateBehavior + } + return common.MetadataUpdateEnum(0) +} + +type UpdateDefinitionValueEntitlementMappingResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + 
unknownFields protoimpl.UnknownFields + + DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` +} + +func (x *UpdateDefinitionValueEntitlementMappingResponse) Reset() { + *x = UpdateDefinitionValueEntitlementMappingResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[8] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *UpdateDefinitionValueEntitlementMappingResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*UpdateDefinitionValueEntitlementMappingResponse) ProtoMessage() {} + +func (x *UpdateDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[8] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use UpdateDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
+func (*UpdateDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { + return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{8} +} + +func (x *UpdateDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { + if x != nil { + return x.DefinitionValueEntitlementMapping + } + return nil +} + +type DeleteDefinitionValueEntitlementMappingRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Required + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` +} + +func (x *DeleteDefinitionValueEntitlementMappingRequest) Reset() { + *x = DeleteDefinitionValueEntitlementMappingRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *DeleteDefinitionValueEntitlementMappingRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DeleteDefinitionValueEntitlementMappingRequest) ProtoMessage() {} + +func (x *DeleteDefinitionValueEntitlementMappingRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[9] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DeleteDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. 
+func (*DeleteDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { + return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{9} +} + +func (x *DeleteDefinitionValueEntitlementMappingRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +type DeleteDefinitionValueEntitlementMappingResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Only ID of the deleted mapping provided + DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` +} + +func (x *DeleteDefinitionValueEntitlementMappingResponse) Reset() { + *x = DeleteDefinitionValueEntitlementMappingResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[10] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *DeleteDefinitionValueEntitlementMappingResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DeleteDefinitionValueEntitlementMappingResponse) ProtoMessage() {} + +func (x *DeleteDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[10] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DeleteDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
+func (*DeleteDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { + return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{10} +} + +func (x *DeleteDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { + if x != nil { + return x.DefinitionValueEntitlementMapping + } + return nil +} + +var File_policy_definitionvalueentitlement_definition_value_entitlement_proto protoreflect.FileDescriptor + +var file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDesc = []byte{ + 0x0a, 0x44, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, + 0x65, 0x6e, 0x74, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, + 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x21, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, + 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, + 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x1a, 0x1b, 0x62, 0x75, 0x66, 0x2f, 0x76, + 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x13, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x63, + 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x14, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x1a, 0x16, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, + 0x6f, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2b, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 
0x67, + 0x2f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x47, 0x0a, 0x2b, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, + 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x22, + 0xaa, 0x01, 0x0a, 0x2c, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x12, 0x7a, 0x0a, 0x24, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, + 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, + 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, + 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x21, 0x64, 0x65, 0x66, 0x69, 0x6e, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, + 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0xd6, 0x01, 0x0a, + 0x26, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x12, 0x6d, 0x0a, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, + 0x18, 0x01, 0x20, 0x01, 0x28, 
0x0e, 0x32, 0x4d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, + 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x6f, 0x72, 0x74, 0x44, + 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, + 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x73, 0x54, 0x79, 0x70, 0x65, 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, + 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x12, 0x3d, 0x0a, 0x09, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x09, 0x64, 0x69, 0x72, 0x65, + 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x96, 0x05, 0x0a, 0x2d, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, + 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, + 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0xd7, 0x01, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, + 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, + 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, + 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, + 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, + 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, + 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, + 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 
0x69, 0x73, 0x2e, 0x6d, 0x61, + 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, + 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, + 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, + 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, + 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, + 0x32, 0x7d, 0x27, 0x29, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, + 0x64, 0x12, 0xec, 0x01, 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, + 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, + 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, + 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, + 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, + 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, + 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, + 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, + 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, + 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, + 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, + 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, + 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x61, 0x74, 0x74, 0x72, 0x69, + 0x62, 
0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, + 0x12, 0x33, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0a, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x61, + 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x67, 0x0a, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x18, 0x0b, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x49, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, + 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, + 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x42, 0x08, + 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x10, 0x01, 0x52, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x22, 0xe4, + 0x01, 0x0a, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x12, 0x7c, 0x0a, 0x25, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x29, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, + 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, + 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x22, 0x64, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 
0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, + 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, + 0x34, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0a, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x61, 0x67, + 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x52, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xda, 0x0a, 0x0a, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, + 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, + 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0xec, 0x01, 0x0a, 0x17, 0x61, 0x74, 0x74, + 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, + 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, + 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, + 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, + 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, + 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, + 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, + 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, + 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, + 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 
0x7d, 0x2d, 0x5b, + 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, + 0x52, 0x15, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x44, 0x0a, 0x18, 0x61, 0x74, 0x74, 0x72, 0x69, + 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, + 0x66, 0x71, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, + 0x10, 0x00, 0x88, 0x01, 0x01, 0x52, 0x16, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, + 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x71, 0x6e, 0x12, 0x4e, 0x0a, + 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, + 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, + 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0d, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, 0xb8, 0x01, + 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, + 0x8d, 0x01, 0xba, 0x48, 0x89, 0x01, 0xba, 0x01, 0x80, 0x01, 0x0a, 0x1b, 0x61, 0x63, 0x74, 0x69, + 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x6f, 0x72, 0x5f, 0x69, 0x64, 0x5f, 0x6e, 0x6f, + 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x2f, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, + 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, 0x20, 0x49, 0x44, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, + 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x20, 0x69, 0x66, 0x20, + 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x64, 0x1a, 0x30, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, + 0x6c, 0x6c, 0x28, 
0x69, 0x74, 0x65, 0x6d, 0x2c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, + 0x6d, 0x65, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x20, 0x7c, 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, + 0x2e, 0x69, 0x64, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x29, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, + 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0xfe, 0x01, 0x0a, 0x21, 0x65, 0x78, 0x69, + 0x73, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, + 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x05, + 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, + 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, + 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, + 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, + 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, + 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, + 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, + 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, + 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, + 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, + 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, + 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x1d, 0x65, 0x78, 0x69, 0x73, + 0x74, 0x69, 0x6e, 0x67, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, + 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x49, 0x64, 0x12, 0x6b, 0x0a, 0x19, 0x6e, 0x65, 0x77, + 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 
0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x52, 0x16, + 0x6e, 0x65, 0x77, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0xd7, 0x01, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, + 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, + 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, + 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, + 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, + 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, + 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, + 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, + 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, + 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, + 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, + 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, + 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, + 0x7d, 0x27, 0x29, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, + 0x12, 0x2f, 0x0a, 0x0d, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x66, 
0x71, + 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x00, + 0x88, 0x01, 0x01, 0x52, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x46, 0x71, + 0x6e, 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x3a, 0x3a, 0xba, 0x48, 0x37, 0x22, 0x35, 0x0a, 0x17, 0x61, + 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x0a, 0x18, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, + 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x66, 0x71, 0x6e, + 0x10, 0x01, 0x22, 0xad, 0x01, 0x0a, 0x2f, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, + 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x7a, 0x0a, 0x24, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, + 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, + 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, + 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, + 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, + 0x21, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x22, 0xd7, 0x05, 
0x0a, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, + 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x12, + 0x46, 0x0a, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, + 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, + 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, 0xed, 0x01, 0x0a, 0x18, 0x73, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, + 0x74, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, + 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, + 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, + 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, + 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, + 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, + 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, + 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, + 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 
0x5d, 0x7b, 0x34, 0x7d, 0x2d, + 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, + 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, + 0x52, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x49, 0x64, 0x12, 0xc7, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, + 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x9c, 0x01, 0xba, 0x48, 0x98, 0x01, + 0xba, 0x01, 0x94, 0x01, 0x0a, 0x1b, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, + 0x65, 0x5f, 0x6f, 0x72, 0x5f, 0x69, 0x64, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, + 0x79, 0x12, 0x2f, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, + 0x72, 0x20, 0x49, 0x44, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, + 0x20, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x20, 0x69, 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, + 0x65, 0x64, 0x1a, 0x44, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x29, 0x20, + 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, 0x6c, 0x6c, + 0x28, 0x69, 0x74, 0x65, 0x6d, 0x2c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, 0x6d, 0x65, + 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x20, 0x7c, 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x69, + 0x64, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x29, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x73, 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x54, 0x0a, 0x18, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 
0x61, 0x5f, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, + 0x6f, 0x72, 0x18, 0x65, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1a, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, + 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, + 0x45, 0x6e, 0x75, 0x6d, 0x52, 0x16, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, + 0x64, 0x61, 0x74, 0x65, 0x42, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x22, 0xad, 0x01, 0x0a, + 0x2f, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x12, 0x7a, 0x0a, 0x24, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, + 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, + 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, + 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x21, 0x64, 0x65, 0x66, 0x69, 0x6e, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, + 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0x4a, 0x0a, 0x2e, + 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, + 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, + 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, + 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 
0x64, 0x22, 0xad, 0x01, 0x0a, 0x2f, 0x44, 0x65, 0x6c, + 0x65, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, + 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x7a, 0x0a, 0x24, + 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x6d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x21, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2a, 0xed, 0x01, 0x0a, 0x2a, 0x53, 0x6f, 0x72, + 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x3f, 0x0a, 0x3b, 0x53, 0x4f, 0x52, 0x54, 0x5f, + 0x44, 0x45, 0x46, 0x49, 0x4e, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, + 0x5f, 0x45, 0x4e, 0x54, 0x49, 0x54, 0x4c, 0x45, 0x4d, 0x45, 0x4e, 0x54, 0x5f, 0x4d, 0x41, 0x50, + 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, + 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x3e, 0x0a, 0x3a, 0x53, 0x4f, 0x52, 0x54, + 0x5f, 0x44, 0x45, 0x46, 0x49, 0x4e, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x56, 0x41, 0x4c, 0x55, + 0x45, 0x5f, 0x45, 0x4e, 0x54, 0x49, 0x54, 0x4c, 0x45, 0x4d, 0x45, 0x4e, 0x54, 
0x5f, 0x4d, 0x41, + 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, + 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x01, 0x12, 0x3e, 0x0a, 0x3a, 0x53, 0x4f, 0x52, 0x54, + 0x5f, 0x44, 0x45, 0x46, 0x49, 0x4e, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x56, 0x41, 0x4c, 0x55, + 0x45, 0x5f, 0x45, 0x4e, 0x54, 0x49, 0x54, 0x4c, 0x45, 0x4d, 0x45, 0x4e, 0x54, 0x5f, 0x4d, 0x41, + 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x50, 0x44, 0x41, + 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x02, 0x32, 0xcd, 0x08, 0x0a, 0x28, 0x44, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, + 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x53, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0xd2, 0x01, 0x0a, 0x26, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, + 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, + 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, + 0x12, 0x50, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, + 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, + 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, + 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x51, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, + 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, + 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, + 0x65, 0x6d, 0x65, 
0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0xcc, 0x01, 0x0a, 0x24, 0x47, + 0x65, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, + 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x12, 0x4e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, + 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, + 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x4f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, + 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, + 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0xd2, 0x01, 0x0a, 0x27, 0x43, 0x72, + 0x65, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x51, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, + 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, + 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, + 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 
0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, + 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x52, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x43, 0x72, 0x65, + 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, + 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0xd2, + 0x01, 0x0a, 0x27, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, + 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x51, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, + 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x55, + 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, + 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x52, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, + 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 
0x73, + 0x65, 0x22, 0x00, 0x12, 0xd2, 0x01, 0x0a, 0x27, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, + 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, + 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, + 0x51, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, + 0x65, 0x6e, 0x74, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, + 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, + 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x52, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, + 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, + 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, + 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0xb8, 0x02, 0x0a, 0x25, 0x63, 0x6f, 0x6d, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, + 0x6e, 0x74, 0x42, 0x1f, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x50, 0x72, + 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x49, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, + 0x72, 0x6d, 0x2f, 0x70, 0x72, 
0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, + 0xa2, 0x02, 0x03, 0x50, 0x44, 0x58, 0xaa, 0x02, 0x21, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, + 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0xca, 0x02, 0x21, 0x50, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x5c, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, + 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0xe2, 0x02, + 0x2d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, + 0x6e, 0x74, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, + 0x22, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, + 0x65, 0x6e, 0x74, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescOnce sync.Once + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescData = file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDesc +) + +func file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP() []byte { + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescOnce.Do(func() { + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescData = 
protoimpl.X.CompressGZIP(file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescData) + }) + return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescData +} + +var file_policy_definitionvalueentitlement_definition_value_entitlement_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes = make([]protoimpl.MessageInfo, 11) +var file_policy_definitionvalueentitlement_definition_value_entitlement_proto_goTypes = []interface{}{ + (SortDefinitionValueEntitlementMappingsType)(0), // 0: policy.definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType + (*GetDefinitionValueEntitlementMappingRequest)(nil), // 1: policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest + (*GetDefinitionValueEntitlementMappingResponse)(nil), // 2: policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse + (*DefinitionValueEntitlementMappingsSort)(nil), // 3: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingsSort + (*ListDefinitionValueEntitlementMappingsRequest)(nil), // 4: policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest + (*ListDefinitionValueEntitlementMappingsResponse)(nil), // 5: policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse + (*CreateDefinitionValueEntitlementMappingRequest)(nil), // 6: policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest + (*CreateDefinitionValueEntitlementMappingResponse)(nil), // 7: policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse + (*UpdateDefinitionValueEntitlementMappingRequest)(nil), // 8: policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest + (*UpdateDefinitionValueEntitlementMappingResponse)(nil), // 9: policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse + 
(*DeleteDefinitionValueEntitlementMappingRequest)(nil), // 10: policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest + (*DeleteDefinitionValueEntitlementMappingResponse)(nil), // 11: policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse + (*policy.DefinitionValueEntitlementMapping)(nil), // 12: policy.DefinitionValueEntitlementMapping + (policy.SortDirection)(0), // 13: policy.SortDirection + (*policy.PageRequest)(nil), // 14: policy.PageRequest + (*policy.PageResponse)(nil), // 15: policy.PageResponse + (*policy.DefinitionValueResolver)(nil), // 16: policy.DefinitionValueResolver + (*policy.Action)(nil), // 17: policy.Action + (*subjectmapping.SubjectConditionSetCreate)(nil), // 18: policy.subjectmapping.SubjectConditionSetCreate + (*common.MetadataMutable)(nil), // 19: common.MetadataMutable + (common.MetadataUpdateEnum)(0), // 20: common.MetadataUpdateEnum +} +var file_policy_definitionvalueentitlement_definition_value_entitlement_proto_depIdxs = []int32{ + 12, // 0: policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> policy.DefinitionValueEntitlementMapping + 0, // 1: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingsSort.field:type_name -> policy.definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType + 13, // 2: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingsSort.direction:type_name -> policy.SortDirection + 14, // 3: policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest.pagination:type_name -> policy.PageRequest + 3, // 4: policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest.sort:type_name -> policy.definitionvalueentitlement.DefinitionValueEntitlementMappingsSort + 12, // 5: policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse.definition_value_entitlement_mappings:type_name -> 
policy.DefinitionValueEntitlementMapping + 15, // 6: policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse.pagination:type_name -> policy.PageResponse + 16, // 7: policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest.value_resolver:type_name -> policy.DefinitionValueResolver + 17, // 8: policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest.actions:type_name -> policy.Action + 18, // 9: policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest.new_subject_condition_set:type_name -> policy.subjectmapping.SubjectConditionSetCreate + 19, // 10: policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest.metadata:type_name -> common.MetadataMutable + 12, // 11: policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> policy.DefinitionValueEntitlementMapping + 16, // 12: policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest.value_resolver:type_name -> policy.DefinitionValueResolver + 17, // 13: policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest.actions:type_name -> policy.Action + 19, // 14: policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest.metadata:type_name -> common.MetadataMutable + 20, // 15: policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 12, // 16: policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> policy.DefinitionValueEntitlementMapping + 12, // 17: policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> policy.DefinitionValueEntitlementMapping + 4, // 18: 
policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.ListDefinitionValueEntitlementMappings:input_type -> policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest + 1, // 19: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.GetDefinitionValueEntitlementMapping:input_type -> policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest + 6, // 20: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.CreateDefinitionValueEntitlementMapping:input_type -> policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest + 8, // 21: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.UpdateDefinitionValueEntitlementMapping:input_type -> policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest + 10, // 22: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.DeleteDefinitionValueEntitlementMapping:input_type -> policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest + 5, // 23: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.ListDefinitionValueEntitlementMappings:output_type -> policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse + 2, // 24: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.GetDefinitionValueEntitlementMapping:output_type -> policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse + 7, // 25: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.CreateDefinitionValueEntitlementMapping:output_type -> policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse + 9, // 26: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.UpdateDefinitionValueEntitlementMapping:output_type -> policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse + 11, // 27: 
policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.DeleteDefinitionValueEntitlementMapping:output_type -> policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse + 23, // [23:28] is the sub-list for method output_type + 18, // [18:23] is the sub-list for method input_type + 18, // [18:18] is the sub-list for extension type_name + 18, // [18:18] is the sub-list for extension extendee + 0, // [0:18] is the sub-list for field type_name +} + +func init() { file_policy_definitionvalueentitlement_definition_value_entitlement_proto_init() } +func file_policy_definitionvalueentitlement_definition_value_entitlement_proto_init() { + if File_policy_definitionvalueentitlement_definition_value_entitlement_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetDefinitionValueEntitlementMappingRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetDefinitionValueEntitlementMappingResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*DefinitionValueEntitlementMappingsSort); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { + switch v := 
v.(*ListDefinitionValueEntitlementMappingsRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ListDefinitionValueEntitlementMappingsResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*CreateDefinitionValueEntitlementMappingRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*CreateDefinitionValueEntitlementMappingResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*UpdateDefinitionValueEntitlementMappingRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*UpdateDefinitionValueEntitlementMappingResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[9].Exporter = func(v interface{}, 
i int) interface{} { + switch v := v.(*DeleteDefinitionValueEntitlementMappingRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*DeleteDefinitionValueEntitlementMappingResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDesc, + NumEnums: 1, + NumMessages: 11, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_policy_definitionvalueentitlement_definition_value_entitlement_proto_goTypes, + DependencyIndexes: file_policy_definitionvalueentitlement_definition_value_entitlement_proto_depIdxs, + EnumInfos: file_policy_definitionvalueentitlement_definition_value_entitlement_proto_enumTypes, + MessageInfos: file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes, + }.Build() + File_policy_definitionvalueentitlement_definition_value_entitlement_proto = out.File + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDesc = nil + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_goTypes = nil + file_policy_definitionvalueentitlement_definition_value_entitlement_proto_depIdxs = nil +} diff --git a/protocol/go/policy/definitionvalueentitlement/definition_value_entitlement_grpc.pb.go b/protocol/go/policy/definitionvalueentitlement/definition_value_entitlement_grpc.pb.go new file mode 100644 index 0000000000..7aff532c33 --- /dev/null +++ b/protocol/go/policy/definitionvalueentitlement/definition_value_entitlement_grpc.pb.go 
@@ -0,0 +1,258 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.3.0 +// - protoc (unknown) +// source: policy/definitionvalueentitlement/definition_value_entitlement.proto + +package definitionvalueentitlement + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.32.0 or later. +const _ = grpc.SupportPackageIsVersion7 + +const ( + DefinitionValueEntitlementMappingService_ListDefinitionValueEntitlementMappings_FullMethodName = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/ListDefinitionValueEntitlementMappings" + DefinitionValueEntitlementMappingService_GetDefinitionValueEntitlementMapping_FullMethodName = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/GetDefinitionValueEntitlementMapping" + DefinitionValueEntitlementMappingService_CreateDefinitionValueEntitlementMapping_FullMethodName = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/CreateDefinitionValueEntitlementMapping" + DefinitionValueEntitlementMappingService_UpdateDefinitionValueEntitlementMapping_FullMethodName = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/UpdateDefinitionValueEntitlementMapping" + DefinitionValueEntitlementMappingService_DeleteDefinitionValueEntitlementMapping_FullMethodName = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/DeleteDefinitionValueEntitlementMapping" +) + +// DefinitionValueEntitlementMappingServiceClient is the client API for DefinitionValueEntitlementMappingService service. 
+// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +type DefinitionValueEntitlementMappingServiceClient interface { + ListDefinitionValueEntitlementMappings(ctx context.Context, in *ListDefinitionValueEntitlementMappingsRequest, opts ...grpc.CallOption) (*ListDefinitionValueEntitlementMappingsResponse, error) + GetDefinitionValueEntitlementMapping(ctx context.Context, in *GetDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*GetDefinitionValueEntitlementMappingResponse, error) + CreateDefinitionValueEntitlementMapping(ctx context.Context, in *CreateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*CreateDefinitionValueEntitlementMappingResponse, error) + UpdateDefinitionValueEntitlementMapping(ctx context.Context, in *UpdateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*UpdateDefinitionValueEntitlementMappingResponse, error) + DeleteDefinitionValueEntitlementMapping(ctx context.Context, in *DeleteDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*DeleteDefinitionValueEntitlementMappingResponse, error) +} + +type definitionValueEntitlementMappingServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewDefinitionValueEntitlementMappingServiceClient(cc grpc.ClientConnInterface) DefinitionValueEntitlementMappingServiceClient { + return &definitionValueEntitlementMappingServiceClient{cc} +} + +func (c *definitionValueEntitlementMappingServiceClient) ListDefinitionValueEntitlementMappings(ctx context.Context, in *ListDefinitionValueEntitlementMappingsRequest, opts ...grpc.CallOption) (*ListDefinitionValueEntitlementMappingsResponse, error) { + out := new(ListDefinitionValueEntitlementMappingsResponse) + err := c.cc.Invoke(ctx, DefinitionValueEntitlementMappingService_ListDefinitionValueEntitlementMappings_FullMethodName, in, out, opts...) 
+ if err != nil { + return nil, err + } + return out, nil +} + +func (c *definitionValueEntitlementMappingServiceClient) GetDefinitionValueEntitlementMapping(ctx context.Context, in *GetDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*GetDefinitionValueEntitlementMappingResponse, error) { + out := new(GetDefinitionValueEntitlementMappingResponse) + err := c.cc.Invoke(ctx, DefinitionValueEntitlementMappingService_GetDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *definitionValueEntitlementMappingServiceClient) CreateDefinitionValueEntitlementMapping(ctx context.Context, in *CreateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*CreateDefinitionValueEntitlementMappingResponse, error) { + out := new(CreateDefinitionValueEntitlementMappingResponse) + err := c.cc.Invoke(ctx, DefinitionValueEntitlementMappingService_CreateDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *definitionValueEntitlementMappingServiceClient) UpdateDefinitionValueEntitlementMapping(ctx context.Context, in *UpdateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*UpdateDefinitionValueEntitlementMappingResponse, error) { + out := new(UpdateDefinitionValueEntitlementMappingResponse) + err := c.cc.Invoke(ctx, DefinitionValueEntitlementMappingService_UpdateDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) 
+ if err != nil { + return nil, err + } + return out, nil +} + +func (c *definitionValueEntitlementMappingServiceClient) DeleteDefinitionValueEntitlementMapping(ctx context.Context, in *DeleteDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*DeleteDefinitionValueEntitlementMappingResponse, error) { + out := new(DeleteDefinitionValueEntitlementMappingResponse) + err := c.cc.Invoke(ctx, DefinitionValueEntitlementMappingService_DeleteDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +// DefinitionValueEntitlementMappingServiceServer is the server API for DefinitionValueEntitlementMappingService service. +// All implementations must embed UnimplementedDefinitionValueEntitlementMappingServiceServer +// for forward compatibility +type DefinitionValueEntitlementMappingServiceServer interface { + ListDefinitionValueEntitlementMappings(context.Context, *ListDefinitionValueEntitlementMappingsRequest) (*ListDefinitionValueEntitlementMappingsResponse, error) + GetDefinitionValueEntitlementMapping(context.Context, *GetDefinitionValueEntitlementMappingRequest) (*GetDefinitionValueEntitlementMappingResponse, error) + CreateDefinitionValueEntitlementMapping(context.Context, *CreateDefinitionValueEntitlementMappingRequest) (*CreateDefinitionValueEntitlementMappingResponse, error) + UpdateDefinitionValueEntitlementMapping(context.Context, *UpdateDefinitionValueEntitlementMappingRequest) (*UpdateDefinitionValueEntitlementMappingResponse, error) + DeleteDefinitionValueEntitlementMapping(context.Context, *DeleteDefinitionValueEntitlementMappingRequest) (*DeleteDefinitionValueEntitlementMappingResponse, error) + mustEmbedUnimplementedDefinitionValueEntitlementMappingServiceServer() +} + +// UnimplementedDefinitionValueEntitlementMappingServiceServer must be embedded to have forward compatible implementations. 
+type UnimplementedDefinitionValueEntitlementMappingServiceServer struct { +} + +func (UnimplementedDefinitionValueEntitlementMappingServiceServer) ListDefinitionValueEntitlementMappings(context.Context, *ListDefinitionValueEntitlementMappingsRequest) (*ListDefinitionValueEntitlementMappingsResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method ListDefinitionValueEntitlementMappings not implemented") +} +func (UnimplementedDefinitionValueEntitlementMappingServiceServer) GetDefinitionValueEntitlementMapping(context.Context, *GetDefinitionValueEntitlementMappingRequest) (*GetDefinitionValueEntitlementMappingResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method GetDefinitionValueEntitlementMapping not implemented") +} +func (UnimplementedDefinitionValueEntitlementMappingServiceServer) CreateDefinitionValueEntitlementMapping(context.Context, *CreateDefinitionValueEntitlementMappingRequest) (*CreateDefinitionValueEntitlementMappingResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method CreateDefinitionValueEntitlementMapping not implemented") +} +func (UnimplementedDefinitionValueEntitlementMappingServiceServer) UpdateDefinitionValueEntitlementMapping(context.Context, *UpdateDefinitionValueEntitlementMappingRequest) (*UpdateDefinitionValueEntitlementMappingResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method UpdateDefinitionValueEntitlementMapping not implemented") +} +func (UnimplementedDefinitionValueEntitlementMappingServiceServer) DeleteDefinitionValueEntitlementMapping(context.Context, *DeleteDefinitionValueEntitlementMappingRequest) (*DeleteDefinitionValueEntitlementMappingResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method DeleteDefinitionValueEntitlementMapping not implemented") +} +func (UnimplementedDefinitionValueEntitlementMappingServiceServer) mustEmbedUnimplementedDefinitionValueEntitlementMappingServiceServer() { +} + +// 
UnsafeDefinitionValueEntitlementMappingServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to DefinitionValueEntitlementMappingServiceServer will +// result in compilation errors. +type UnsafeDefinitionValueEntitlementMappingServiceServer interface { + mustEmbedUnimplementedDefinitionValueEntitlementMappingServiceServer() +} + +func RegisterDefinitionValueEntitlementMappingServiceServer(s grpc.ServiceRegistrar, srv DefinitionValueEntitlementMappingServiceServer) { + s.RegisterService(&DefinitionValueEntitlementMappingService_ServiceDesc, srv) +} + +func _DefinitionValueEntitlementMappingService_ListDefinitionValueEntitlementMappings_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(ListDefinitionValueEntitlementMappingsRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(DefinitionValueEntitlementMappingServiceServer).ListDefinitionValueEntitlementMappings(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: DefinitionValueEntitlementMappingService_ListDefinitionValueEntitlementMappings_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DefinitionValueEntitlementMappingServiceServer).ListDefinitionValueEntitlementMappings(ctx, req.(*ListDefinitionValueEntitlementMappingsRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _DefinitionValueEntitlementMappingService_GetDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(GetDefinitionValueEntitlementMappingRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return 
srv.(DefinitionValueEntitlementMappingServiceServer).GetDefinitionValueEntitlementMapping(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: DefinitionValueEntitlementMappingService_GetDefinitionValueEntitlementMapping_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DefinitionValueEntitlementMappingServiceServer).GetDefinitionValueEntitlementMapping(ctx, req.(*GetDefinitionValueEntitlementMappingRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _DefinitionValueEntitlementMappingService_CreateDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(CreateDefinitionValueEntitlementMappingRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(DefinitionValueEntitlementMappingServiceServer).CreateDefinitionValueEntitlementMapping(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: DefinitionValueEntitlementMappingService_CreateDefinitionValueEntitlementMapping_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DefinitionValueEntitlementMappingServiceServer).CreateDefinitionValueEntitlementMapping(ctx, req.(*CreateDefinitionValueEntitlementMappingRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _DefinitionValueEntitlementMappingService_UpdateDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(UpdateDefinitionValueEntitlementMappingRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(DefinitionValueEntitlementMappingServiceServer).UpdateDefinitionValueEntitlementMapping(ctx, in) + } + info := 
&grpc.UnaryServerInfo{ + Server: srv, + FullMethod: DefinitionValueEntitlementMappingService_UpdateDefinitionValueEntitlementMapping_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DefinitionValueEntitlementMappingServiceServer).UpdateDefinitionValueEntitlementMapping(ctx, req.(*UpdateDefinitionValueEntitlementMappingRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _DefinitionValueEntitlementMappingService_DeleteDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(DeleteDefinitionValueEntitlementMappingRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(DefinitionValueEntitlementMappingServiceServer).DeleteDefinitionValueEntitlementMapping(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: DefinitionValueEntitlementMappingService_DeleteDefinitionValueEntitlementMapping_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DefinitionValueEntitlementMappingServiceServer).DeleteDefinitionValueEntitlementMapping(ctx, req.(*DeleteDefinitionValueEntitlementMappingRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// DefinitionValueEntitlementMappingService_ServiceDesc is the grpc.ServiceDesc for DefinitionValueEntitlementMappingService service. 
+// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var DefinitionValueEntitlementMappingService_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService", + HandlerType: (*DefinitionValueEntitlementMappingServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "ListDefinitionValueEntitlementMappings", + Handler: _DefinitionValueEntitlementMappingService_ListDefinitionValueEntitlementMappings_Handler, + }, + { + MethodName: "GetDefinitionValueEntitlementMapping", + Handler: _DefinitionValueEntitlementMappingService_GetDefinitionValueEntitlementMapping_Handler, + }, + { + MethodName: "CreateDefinitionValueEntitlementMapping", + Handler: _DefinitionValueEntitlementMappingService_CreateDefinitionValueEntitlementMapping_Handler, + }, + { + MethodName: "UpdateDefinitionValueEntitlementMapping", + Handler: _DefinitionValueEntitlementMappingService_UpdateDefinitionValueEntitlementMapping_Handler, + }, + { + MethodName: "DeleteDefinitionValueEntitlementMapping", + Handler: _DefinitionValueEntitlementMappingService_DeleteDefinitionValueEntitlementMapping_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "policy/definitionvalueentitlement/definition_value_entitlement.proto", +} diff --git a/protocol/go/policy/definitionvalueentitlement/definitionvalueentitlementconnect/definition_value_entitlement.connect.go b/protocol/go/policy/definitionvalueentitlement/definitionvalueentitlementconnect/definition_value_entitlement.connect.go new file mode 100644 index 0000000000..0e12ffe6a9 --- /dev/null +++ b/protocol/go/policy/definitionvalueentitlement/definitionvalueentitlementconnect/definition_value_entitlement.connect.go 
@@ -0,0 +1,245 @@ +// Code generated by protoc-gen-connect-go. DO NOT EDIT. +// +// Source: policy/definitionvalueentitlement/definition_value_entitlement.proto + +package definitionvalueentitlementconnect + +import ( + connect "connectrpc.com/connect" + context "context" + errors "errors" + definitionvalueentitlement "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement" + http "net/http" + strings "strings" +) + +// This is a compile-time assertion to ensure that this generated file and the connect package are +// compatible. If you get a compiler error that this constant is not defined, this code was +// generated with a version of connect newer than the one compiled into your binary. You can fix the +// problem by either regenerating this code with an older version of connect or updating the connect +// version compiled into your binary. +const _ = connect.IsAtLeastVersion1_13_0 + +const ( + // DefinitionValueEntitlementMappingServiceName is the fully-qualified name of the + // DefinitionValueEntitlementMappingService service. + DefinitionValueEntitlementMappingServiceName = "policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService" +) + +// These constants are the fully-qualified names of the RPCs defined in this package. They're +// exposed at runtime as Spec.Procedure and as the final two segments of the HTTP route. +// +// Note that these are different from the fully-qualified method names used by +// google.golang.org/protobuf/reflect/protoreflect. To convert from these constants to +// reflection-formatted method names, remove the leading slash and convert the remaining slash to a +// period. +const ( + // DefinitionValueEntitlementMappingServiceListDefinitionValueEntitlementMappingsProcedure is the + // fully-qualified name of the DefinitionValueEntitlementMappingService's + // ListDefinitionValueEntitlementMappings RPC. 
+ DefinitionValueEntitlementMappingServiceListDefinitionValueEntitlementMappingsProcedure = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/ListDefinitionValueEntitlementMappings" + // DefinitionValueEntitlementMappingServiceGetDefinitionValueEntitlementMappingProcedure is the + // fully-qualified name of the DefinitionValueEntitlementMappingService's + // GetDefinitionValueEntitlementMapping RPC. + DefinitionValueEntitlementMappingServiceGetDefinitionValueEntitlementMappingProcedure = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/GetDefinitionValueEntitlementMapping" + // DefinitionValueEntitlementMappingServiceCreateDefinitionValueEntitlementMappingProcedure is the + // fully-qualified name of the DefinitionValueEntitlementMappingService's + // CreateDefinitionValueEntitlementMapping RPC. + DefinitionValueEntitlementMappingServiceCreateDefinitionValueEntitlementMappingProcedure = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/CreateDefinitionValueEntitlementMapping" + // DefinitionValueEntitlementMappingServiceUpdateDefinitionValueEntitlementMappingProcedure is the + // fully-qualified name of the DefinitionValueEntitlementMappingService's + // UpdateDefinitionValueEntitlementMapping RPC. + DefinitionValueEntitlementMappingServiceUpdateDefinitionValueEntitlementMappingProcedure = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/UpdateDefinitionValueEntitlementMapping" + // DefinitionValueEntitlementMappingServiceDeleteDefinitionValueEntitlementMappingProcedure is the + // fully-qualified name of the DefinitionValueEntitlementMappingService's + // DeleteDefinitionValueEntitlementMapping RPC. 
+ DefinitionValueEntitlementMappingServiceDeleteDefinitionValueEntitlementMappingProcedure = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/DeleteDefinitionValueEntitlementMapping" +) + +// DefinitionValueEntitlementMappingServiceClient is a client for the +// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService service. +type DefinitionValueEntitlementMappingServiceClient interface { + ListDefinitionValueEntitlementMappings(context.Context, *connect.Request[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse], error) + GetDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse], error) + CreateDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse], error) + UpdateDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse], error) + DeleteDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse], error) +} + +// NewDefinitionValueEntitlementMappingServiceClient constructs a client for the +// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService service. 
By default, +// it uses the Connect protocol with the binary Protobuf Codec, asks for gzipped responses, and +// sends uncompressed requests. To use the gRPC or gRPC-Web protocols, supply the connect.WithGRPC() +// or connect.WithGRPCWeb() options. +// +// The URL supplied here should be the base URL for the Connect or gRPC server (for example, +// http://api.acme.com or https://acme.com/grpc). +func NewDefinitionValueEntitlementMappingServiceClient(httpClient connect.HTTPClient, baseURL string, opts ...connect.ClientOption) DefinitionValueEntitlementMappingServiceClient { + baseURL = strings.TrimRight(baseURL, "/") + definitionValueEntitlementMappingServiceMethods := definitionvalueentitlement.File_policy_definitionvalueentitlement_definition_value_entitlement_proto.Services().ByName("DefinitionValueEntitlementMappingService").Methods() + return &definitionValueEntitlementMappingServiceClient{ + listDefinitionValueEntitlementMappings: connect.NewClient[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest, definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse]( + httpClient, + baseURL+DefinitionValueEntitlementMappingServiceListDefinitionValueEntitlementMappingsProcedure, + connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("ListDefinitionValueEntitlementMappings")), + connect.WithIdempotency(connect.IdempotencyNoSideEffects), + connect.WithClientOptions(opts...), + ), + getDefinitionValueEntitlementMapping: connect.NewClient[definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse]( + httpClient, + baseURL+DefinitionValueEntitlementMappingServiceGetDefinitionValueEntitlementMappingProcedure, + connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("GetDefinitionValueEntitlementMapping")), + connect.WithIdempotency(connect.IdempotencyNoSideEffects), + connect.WithClientOptions(opts...), + ), + 
createDefinitionValueEntitlementMapping: connect.NewClient[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse]( + httpClient, + baseURL+DefinitionValueEntitlementMappingServiceCreateDefinitionValueEntitlementMappingProcedure, + connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("CreateDefinitionValueEntitlementMapping")), + connect.WithClientOptions(opts...), + ), + updateDefinitionValueEntitlementMapping: connect.NewClient[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse]( + httpClient, + baseURL+DefinitionValueEntitlementMappingServiceUpdateDefinitionValueEntitlementMappingProcedure, + connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("UpdateDefinitionValueEntitlementMapping")), + connect.WithClientOptions(opts...), + ), + deleteDefinitionValueEntitlementMapping: connect.NewClient[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse]( + httpClient, + baseURL+DefinitionValueEntitlementMappingServiceDeleteDefinitionValueEntitlementMappingProcedure, + connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("DeleteDefinitionValueEntitlementMapping")), + connect.WithClientOptions(opts...), + ), + } +} + +// definitionValueEntitlementMappingServiceClient implements +// DefinitionValueEntitlementMappingServiceClient. 
+type definitionValueEntitlementMappingServiceClient struct { + listDefinitionValueEntitlementMappings *connect.Client[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest, definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse] + getDefinitionValueEntitlementMapping *connect.Client[definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse] + createDefinitionValueEntitlementMapping *connect.Client[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse] + updateDefinitionValueEntitlementMapping *connect.Client[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse] + deleteDefinitionValueEntitlementMapping *connect.Client[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse] +} + +// ListDefinitionValueEntitlementMappings calls +// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.ListDefinitionValueEntitlementMappings. +func (c *definitionValueEntitlementMappingServiceClient) ListDefinitionValueEntitlementMappings(ctx context.Context, req *connect.Request[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse], error) { + return c.listDefinitionValueEntitlementMappings.CallUnary(ctx, req) +} + +// GetDefinitionValueEntitlementMapping calls +// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.GetDefinitionValueEntitlementMapping. 
+func (c *definitionValueEntitlementMappingServiceClient) GetDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse], error) { + return c.getDefinitionValueEntitlementMapping.CallUnary(ctx, req) +} + +// CreateDefinitionValueEntitlementMapping calls +// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.CreateDefinitionValueEntitlementMapping. +func (c *definitionValueEntitlementMappingServiceClient) CreateDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse], error) { + return c.createDefinitionValueEntitlementMapping.CallUnary(ctx, req) +} + +// UpdateDefinitionValueEntitlementMapping calls +// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.UpdateDefinitionValueEntitlementMapping. +func (c *definitionValueEntitlementMappingServiceClient) UpdateDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse], error) { + return c.updateDefinitionValueEntitlementMapping.CallUnary(ctx, req) +} + +// DeleteDefinitionValueEntitlementMapping calls +// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.DeleteDefinitionValueEntitlementMapping. 
+func (c *definitionValueEntitlementMappingServiceClient) DeleteDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse], error) { + return c.deleteDefinitionValueEntitlementMapping.CallUnary(ctx, req) +} + +// DefinitionValueEntitlementMappingServiceHandler is an implementation of the +// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService service. +type DefinitionValueEntitlementMappingServiceHandler interface { + ListDefinitionValueEntitlementMappings(context.Context, *connect.Request[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse], error) + GetDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse], error) + CreateDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse], error) + UpdateDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse], error) + DeleteDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse], error) +} + +// NewDefinitionValueEntitlementMappingServiceHandler builds an HTTP handler from the service +// 
implementation. It returns the path on which to mount the handler and the handler itself. +// +// By default, handlers support the Connect, gRPC, and gRPC-Web protocols with the binary Protobuf +// and JSON codecs. They also support gzip compression. +func NewDefinitionValueEntitlementMappingServiceHandler(svc DefinitionValueEntitlementMappingServiceHandler, opts ...connect.HandlerOption) (string, http.Handler) { + definitionValueEntitlementMappingServiceMethods := definitionvalueentitlement.File_policy_definitionvalueentitlement_definition_value_entitlement_proto.Services().ByName("DefinitionValueEntitlementMappingService").Methods() + definitionValueEntitlementMappingServiceListDefinitionValueEntitlementMappingsHandler := connect.NewUnaryHandler( + DefinitionValueEntitlementMappingServiceListDefinitionValueEntitlementMappingsProcedure, + svc.ListDefinitionValueEntitlementMappings, + connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("ListDefinitionValueEntitlementMappings")), + connect.WithIdempotency(connect.IdempotencyNoSideEffects), + connect.WithHandlerOptions(opts...), + ) + definitionValueEntitlementMappingServiceGetDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( + DefinitionValueEntitlementMappingServiceGetDefinitionValueEntitlementMappingProcedure, + svc.GetDefinitionValueEntitlementMapping, + connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("GetDefinitionValueEntitlementMapping")), + connect.WithIdempotency(connect.IdempotencyNoSideEffects), + connect.WithHandlerOptions(opts...), + ) + definitionValueEntitlementMappingServiceCreateDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( + DefinitionValueEntitlementMappingServiceCreateDefinitionValueEntitlementMappingProcedure, + svc.CreateDefinitionValueEntitlementMapping, + connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("CreateDefinitionValueEntitlementMapping")), + 
connect.WithHandlerOptions(opts...), + ) + definitionValueEntitlementMappingServiceUpdateDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( + DefinitionValueEntitlementMappingServiceUpdateDefinitionValueEntitlementMappingProcedure, + svc.UpdateDefinitionValueEntitlementMapping, + connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("UpdateDefinitionValueEntitlementMapping")), + connect.WithHandlerOptions(opts...), + ) + definitionValueEntitlementMappingServiceDeleteDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( + DefinitionValueEntitlementMappingServiceDeleteDefinitionValueEntitlementMappingProcedure, + svc.DeleteDefinitionValueEntitlementMapping, + connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("DeleteDefinitionValueEntitlementMapping")), + connect.WithHandlerOptions(opts...), + ) + return "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + switch r.URL.Path { + case DefinitionValueEntitlementMappingServiceListDefinitionValueEntitlementMappingsProcedure: + definitionValueEntitlementMappingServiceListDefinitionValueEntitlementMappingsHandler.ServeHTTP(w, r) + case DefinitionValueEntitlementMappingServiceGetDefinitionValueEntitlementMappingProcedure: + definitionValueEntitlementMappingServiceGetDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) + case DefinitionValueEntitlementMappingServiceCreateDefinitionValueEntitlementMappingProcedure: + definitionValueEntitlementMappingServiceCreateDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) + case DefinitionValueEntitlementMappingServiceUpdateDefinitionValueEntitlementMappingProcedure: + definitionValueEntitlementMappingServiceUpdateDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) + case DefinitionValueEntitlementMappingServiceDeleteDefinitionValueEntitlementMappingProcedure: + 
definitionValueEntitlementMappingServiceDeleteDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) + default: + http.NotFound(w, r) + } + }) +} + +// UnimplementedDefinitionValueEntitlementMappingServiceHandler returns CodeUnimplemented from all +// methods. +type UnimplementedDefinitionValueEntitlementMappingServiceHandler struct{} + +func (UnimplementedDefinitionValueEntitlementMappingServiceHandler) ListDefinitionValueEntitlementMappings(context.Context, *connect.Request[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.ListDefinitionValueEntitlementMappings is not implemented")) +} + +func (UnimplementedDefinitionValueEntitlementMappingServiceHandler) GetDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.GetDefinitionValueEntitlementMapping is not implemented")) +} + +func (UnimplementedDefinitionValueEntitlementMappingServiceHandler) CreateDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.CreateDefinitionValueEntitlementMapping is not implemented")) +} + +func 
(UnimplementedDefinitionValueEntitlementMappingServiceHandler) UpdateDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.UpdateDefinitionValueEntitlementMapping is not implemented")) +} + +func (UnimplementedDefinitionValueEntitlementMappingServiceHandler) DeleteDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.DeleteDefinitionValueEntitlementMapping is not implemented")) +} diff --git a/protocol/go/policy/objects.pb.go b/protocol/go/policy/objects.pb.go index b9eda84a37..33dd09b721 100644 --- a/protocol/go/policy/objects.pb.go +++ b/protocol/go/policy/objects.pb.go 
@@ -180,6 +180,64 @@ func (ConditionBooleanTypeEnum) EnumDescriptor() ([]byte, []int) { return file_policy_objects_proto_rawDescGZIP(), []int{2} } +// Operators for dynamic, definition-level value entitlement. Unlike +// SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into +// policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's +// attribute value segment, supplied at decision time. Each value is the inversion of its +// static SubjectMappingOperatorEnum counterpart. +type DynamicValueOperatorEnum int32 + +const ( + DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED DynamicValueOperatorEnum = 0 + // true when the requested resource value segment equals one of the values resolved by + // the selector against the entity representation (inversion of IN) + DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN DynamicValueOperatorEnum = 1 + // true when one of the selector-resolved entity values contains the requested resource + // value segment as a substring (inversion of IN_CONTAINS) + DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS DynamicValueOperatorEnum = 2 +) + +// Enum value maps for DynamicValueOperatorEnum. 
+var ( + DynamicValueOperatorEnum_name = map[int32]string{ + 0: "DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED", + 1: "DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN", + 2: "DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS", + } + DynamicValueOperatorEnum_value = map[string]int32{ + "DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED": 0, + "DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN": 1, + "DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS": 2, + } +) + +func (x DynamicValueOperatorEnum) Enum() *DynamicValueOperatorEnum { + p := new(DynamicValueOperatorEnum) + *p = x + return p +} + +func (x DynamicValueOperatorEnum) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (DynamicValueOperatorEnum) Descriptor() protoreflect.EnumDescriptor { + return file_policy_objects_proto_enumTypes[3].Descriptor() +} + +func (DynamicValueOperatorEnum) Type() protoreflect.EnumType { + return &file_policy_objects_proto_enumTypes[3] +} + +func (x DynamicValueOperatorEnum) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use DynamicValueOperatorEnum.Descriptor instead. +func (DynamicValueOperatorEnum) EnumDescriptor() ([]byte, []int) { + return file_policy_objects_proto_rawDescGZIP(), []int{3} +} + // Describes whether this kas is managed by the organization or if they imported // the kas information from an external party. These two modes are necessary in order // to encrypt a tdf dek with an external parties kas public key. @@ -218,11 +276,11 @@ func (x SourceType) String() string { } func (SourceType) Descriptor() protoreflect.EnumDescriptor { - return file_policy_objects_proto_enumTypes[3].Descriptor() + return file_policy_objects_proto_enumTypes[4].Descriptor() } func (SourceType) Type() protoreflect.EnumType { - return &file_policy_objects_proto_enumTypes[3] + return &file_policy_objects_proto_enumTypes[4] } func (x SourceType) Number() protoreflect.EnumNumber { 
@@ -231,7 +289,7 @@ func (x SourceType) Number() protoreflect.EnumNumber { // Deprecated: Use SourceType.Descriptor instead. func (SourceType) EnumDescriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{3} + return file_policy_objects_proto_rawDescGZIP(), []int{4} } type KasPublicKeyAlgEnum int32 @@ -285,11 +343,11 @@ func (x KasPublicKeyAlgEnum) String() string { } func (KasPublicKeyAlgEnum) Descriptor() protoreflect.EnumDescriptor { - return file_policy_objects_proto_enumTypes[4].Descriptor() + return file_policy_objects_proto_enumTypes[5].Descriptor() } func (KasPublicKeyAlgEnum) Type() protoreflect.EnumType { - return &file_policy_objects_proto_enumTypes[4] + return &file_policy_objects_proto_enumTypes[5] } func (x KasPublicKeyAlgEnum) Number() protoreflect.EnumNumber { @@ -298,7 +356,7 @@ func (x KasPublicKeyAlgEnum) Number() protoreflect.EnumNumber { // Deprecated: Use KasPublicKeyAlgEnum.Descriptor instead. func (KasPublicKeyAlgEnum) EnumDescriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{4} + return file_policy_objects_proto_rawDescGZIP(), []int{5} } // Supported key algorithms. @@ -353,11 +411,11 @@ func (x Algorithm) String() string { } func (Algorithm) Descriptor() protoreflect.EnumDescriptor { - return file_policy_objects_proto_enumTypes[5].Descriptor() + return file_policy_objects_proto_enumTypes[6].Descriptor() } func (Algorithm) Type() protoreflect.EnumType { - return &file_policy_objects_proto_enumTypes[5] + return &file_policy_objects_proto_enumTypes[6] } func (x Algorithm) Number() protoreflect.EnumNumber { @@ -366,7 +424,7 @@ func (x Algorithm) Number() protoreflect.EnumNumber { // Deprecated: Use Algorithm.Descriptor instead. func (Algorithm) EnumDescriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{5} + return file_policy_objects_proto_rawDescGZIP(), []int{6} } // The status of the key 
@@ -403,11 +461,11 @@ func (x KeyStatus) String() string { } func (KeyStatus) Descriptor() protoreflect.EnumDescriptor { - return file_policy_objects_proto_enumTypes[6].Descriptor() + return file_policy_objects_proto_enumTypes[7].Descriptor() } func (KeyStatus) Type() protoreflect.EnumType { - return &file_policy_objects_proto_enumTypes[6] + return &file_policy_objects_proto_enumTypes[7] } func (x KeyStatus) Number() protoreflect.EnumNumber { @@ -416,7 +474,7 @@ func (x KeyStatus) Number() protoreflect.EnumNumber { // Deprecated: Use KeyStatus.Descriptor instead. func (KeyStatus) EnumDescriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{6} + return file_policy_objects_proto_rawDescGZIP(), []int{7} } // Describes the management and operational mode of a cryptographic key. @@ -472,11 +530,11 @@ func (x KeyMode) String() string { } func (KeyMode) Descriptor() protoreflect.EnumDescriptor { - return file_policy_objects_proto_enumTypes[7].Descriptor() + return file_policy_objects_proto_enumTypes[8].Descriptor() } func (KeyMode) Type() protoreflect.EnumType { - return &file_policy_objects_proto_enumTypes[7] + return &file_policy_objects_proto_enumTypes[8] } func (x KeyMode) Number() protoreflect.EnumNumber { @@ -485,7 +543,7 @@ func (x KeyMode) Number() protoreflect.EnumNumber { // Deprecated: Use KeyMode.Descriptor instead. func (KeyMode) EnumDescriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{7} + return file_policy_objects_proto_rawDescGZIP(), []int{8} } type Action_StandardAction int32 
@@ -525,11 +583,11 @@ func (x Action_StandardAction) String() string { } func (Action_StandardAction) Descriptor() protoreflect.EnumDescriptor { - return file_policy_objects_proto_enumTypes[8].Descriptor() + return file_policy_objects_proto_enumTypes[9].Descriptor() } func (Action_StandardAction) Type() protoreflect.EnumType { - return &file_policy_objects_proto_enumTypes[8] + return &file_policy_objects_proto_enumTypes[9] } func (x Action_StandardAction) Number() protoreflect.EnumNumber { 
@@ -1331,6 +1389,174 @@ func (x *SubjectMapping) GetMetadata() *common.Metadata { return nil } +// Definition Value Resolver: the dynamic half of a DefinitionValueEntitlementMapping. It +// resolves a selector against the entity representation and compares the result to the +// requested resource value segment using a DynamicValueOperatorEnum. +type DefinitionValueResolver struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // a selector for a field value on a flattened Entity Representation (such as from + // idP/LDAP), e.g. ".patientAssignments[]" + SubjectExternalSelectorValue string `protobuf:"bytes,1,opt,name=subject_external_selector_value,json=subjectExternalSelectorValue,proto3" json:"subject_external_selector_value,omitempty"` + // the dynamic operator comparing the selector result to the resource value segment + Operator DynamicValueOperatorEnum `protobuf:"varint,2,opt,name=operator,proto3,enum=policy.DynamicValueOperatorEnum" json:"operator,omitempty"` +} + +func (x *DefinitionValueResolver) Reset() { + *x = DefinitionValueResolver{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_objects_proto_msgTypes[8] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *DefinitionValueResolver) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DefinitionValueResolver) ProtoMessage() {} + +func (x *DefinitionValueResolver) ProtoReflect() protoreflect.Message { + mi := &file_policy_objects_proto_msgTypes[8] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DefinitionValueResolver.ProtoReflect.Descriptor instead. 
+func (*DefinitionValueResolver) Descriptor() ([]byte, []int) { + return file_policy_objects_proto_rawDescGZIP(), []int{8} +} + +func (x *DefinitionValueResolver) GetSubjectExternalSelectorValue() string { + if x != nil { + return x.SubjectExternalSelectorValue + } + return "" +} + +func (x *DefinitionValueResolver) GetOperator() DynamicValueOperatorEnum { + if x != nil { + return x.Operator + } + return DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED +} + +// Definition Value Entitlement Mapping: a Policy assigning permitted action(s) to +// dynamically-requested values under an Attribute Definition. It raises entitlement +// authority from a concrete Attribute Value to the Attribute Definition: at decision time +// the value_resolver compares the requested resource value segment against the entity +// representation, avoiding pre-provisioning a value + subject mapping per discrete value. +type DefinitionValueEntitlementMapping struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` + // the Attribute Definition whose values are entitled dynamically + AttributeDefinition *Attribute `protobuf:"bytes,2,opt,name=attribute_definition,json=attributeDefinition,proto3" json:"attribute_definition,omitempty"` + // the dynamic resolver matched against the requested resource value segment + ValueResolver *DefinitionValueResolver `protobuf:"bytes,3,opt,name=value_resolver,json=valueResolver,proto3" json:"value_resolver,omitempty"` + // optional static pre-gate on the entity, evaluated with normal SubjectConditionSet + // semantics (no dynamic overload). When present, both the gate and the resolver must + // pass for entitlement. 
+ SubjectConditionSet *SubjectConditionSet `protobuf:"bytes,4,opt,name=subject_condition_set,json=subjectConditionSet,proto3" json:"subject_condition_set,omitempty"` + // the actions permitted by subjects in this mapping + Actions []*Action `protobuf:"bytes,5,rep,name=actions,proto3" json:"actions,omitempty"` + // the namespace containing this mapping + Namespace *Namespace `protobuf:"bytes,6,opt,name=namespace,proto3" json:"namespace,omitempty"` + Metadata *common.Metadata `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"` +} + +func (x *DefinitionValueEntitlementMapping) Reset() { + *x = DefinitionValueEntitlementMapping{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_objects_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *DefinitionValueEntitlementMapping) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DefinitionValueEntitlementMapping) ProtoMessage() {} + +func (x *DefinitionValueEntitlementMapping) ProtoReflect() protoreflect.Message { + mi := &file_policy_objects_proto_msgTypes[9] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DefinitionValueEntitlementMapping.ProtoReflect.Descriptor instead. 
+func (*DefinitionValueEntitlementMapping) Descriptor() ([]byte, []int) { + return file_policy_objects_proto_rawDescGZIP(), []int{9} +} + +func (x *DefinitionValueEntitlementMapping) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +func (x *DefinitionValueEntitlementMapping) GetAttributeDefinition() *Attribute { + if x != nil { + return x.AttributeDefinition + } + return nil +} + +func (x *DefinitionValueEntitlementMapping) GetValueResolver() *DefinitionValueResolver { + if x != nil { + return x.ValueResolver + } + return nil +} + +func (x *DefinitionValueEntitlementMapping) GetSubjectConditionSet() *SubjectConditionSet { + if x != nil { + return x.SubjectConditionSet + } + return nil +} + +func (x *DefinitionValueEntitlementMapping) GetActions() []*Action { + if x != nil { + return x.Actions + } + return nil +} + +func (x *DefinitionValueEntitlementMapping) GetNamespace() *Namespace { + if x != nil { + return x.Namespace + } + return nil +} + +func (x *DefinitionValueEntitlementMapping) GetMetadata() *common.Metadata { + if x != nil { + return x.Metadata + } + return nil +} + // * // A Condition defines a rule of @@ -1353,7 +1579,7 @@ type Condition struct { func (x *Condition) Reset() { *x = Condition{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[8] + mi := &file_policy_objects_proto_msgTypes[10] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1366,7 +1592,7 @@ func (x *Condition) String() string { func (*Condition) ProtoMessage() {} func (x *Condition) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[8] + mi := &file_policy_objects_proto_msgTypes[10] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -1379,7 +1605,7 @@ func (x *Condition) ProtoReflect() protoreflect.Message { // Deprecated: Use Condition.ProtoReflect.Descriptor instead. func (*Condition) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{8} + return file_policy_objects_proto_rawDescGZIP(), []int{10} } func (x *Condition) GetSubjectExternalSelectorValue() string { @@ -1417,7 +1643,7 @@ type ConditionGroup struct { func (x *ConditionGroup) Reset() { *x = ConditionGroup{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[9] + mi := &file_policy_objects_proto_msgTypes[11] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1430,7 +1656,7 @@ func (x *ConditionGroup) String() string { func (*ConditionGroup) ProtoMessage() {} func (x *ConditionGroup) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[9] + mi := &file_policy_objects_proto_msgTypes[11] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1443,7 +1669,7 @@ func (x *ConditionGroup) ProtoReflect() protoreflect.Message { // Deprecated: Use ConditionGroup.ProtoReflect.Descriptor instead. func (*ConditionGroup) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{9} + return file_policy_objects_proto_rawDescGZIP(), []int{11} } func (x *ConditionGroup) GetConditions() []*Condition { @@ -1473,7 +1699,7 @@ type SubjectSet struct { func (x *SubjectSet) Reset() { *x = SubjectSet{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[10] + mi := &file_policy_objects_proto_msgTypes[12] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -1486,7 +1712,7 @@ func (x *SubjectSet) String() string { func (*SubjectSet) ProtoMessage() {} func (x *SubjectSet) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[10] + mi := &file_policy_objects_proto_msgTypes[12] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1499,7 +1725,7 @@ func (x *SubjectSet) ProtoReflect() protoreflect.Message { // Deprecated: Use SubjectSet.ProtoReflect.Descriptor instead. func (*SubjectSet) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{10} + return file_policy_objects_proto_rawDescGZIP(), []int{12} } func (x *SubjectSet) GetConditionGroups() []*ConditionGroup { @@ -1531,7 +1757,7 @@ type SubjectConditionSet struct { func (x *SubjectConditionSet) Reset() { *x = SubjectConditionSet{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[11] + mi := &file_policy_objects_proto_msgTypes[13] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1544,7 +1770,7 @@ func (x *SubjectConditionSet) String() string { func (*SubjectConditionSet) ProtoMessage() {} func (x *SubjectConditionSet) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[11] + mi := &file_policy_objects_proto_msgTypes[13] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1557,7 +1783,7 @@ func (x *SubjectConditionSet) ProtoReflect() protoreflect.Message { // Deprecated: Use SubjectConditionSet.ProtoReflect.Descriptor instead. func (*SubjectConditionSet) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{11} + return file_policy_objects_proto_rawDescGZIP(), []int{13} } func (x *SubjectConditionSet) GetId() string { 
@@ -1610,7 +1836,7 @@ type SubjectProperty struct { func (x *SubjectProperty) Reset() { *x = SubjectProperty{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[12] + mi := &file_policy_objects_proto_msgTypes[14] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1623,7 +1849,7 @@ func (x *SubjectProperty) String() string { func (*SubjectProperty) ProtoMessage() {} func (x *SubjectProperty) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[12] + mi := &file_policy_objects_proto_msgTypes[14] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1636,7 +1862,7 @@ func (x *SubjectProperty) ProtoReflect() protoreflect.Message { // Deprecated: Use SubjectProperty.ProtoReflect.Descriptor instead. func (*SubjectProperty) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{12} + return file_policy_objects_proto_rawDescGZIP(), []int{14} } func (x *SubjectProperty) GetExternalSelectorValue() string { @@ -1675,7 +1901,7 @@ type ResourceMappingGroup struct { func (x *ResourceMappingGroup) Reset() { *x = ResourceMappingGroup{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[13] + mi := &file_policy_objects_proto_msgTypes[15] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1688,7 +1914,7 @@ func (x *ResourceMappingGroup) String() string { func (*ResourceMappingGroup) ProtoMessage() {} func (x *ResourceMappingGroup) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[13] + mi := &file_policy_objects_proto_msgTypes[15] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -1701,7 +1927,7 @@ func (x *ResourceMappingGroup) ProtoReflect() protoreflect.Message { // Deprecated: Use ResourceMappingGroup.ProtoReflect.Descriptor instead. func (*ResourceMappingGroup) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{13} + return file_policy_objects_proto_rawDescGZIP(), []int{15} } func (x *ResourceMappingGroup) GetId() string { @@ -1756,7 +1982,7 @@ type ResourceMapping struct { func (x *ResourceMapping) Reset() { *x = ResourceMapping{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[14] + mi := &file_policy_objects_proto_msgTypes[16] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1769,7 +1995,7 @@ func (x *ResourceMapping) String() string { func (*ResourceMapping) ProtoMessage() {} func (x *ResourceMapping) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[14] + mi := &file_policy_objects_proto_msgTypes[16] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1782,7 +2008,7 @@ func (x *ResourceMapping) ProtoReflect() protoreflect.Message { // Deprecated: Use ResourceMapping.ProtoReflect.Descriptor instead. func (*ResourceMapping) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{14} + return file_policy_objects_proto_rawDescGZIP(), []int{16} } func (x *ResourceMapping) GetId() string { @@ -1845,7 +2071,7 @@ type KeyAccessServer struct { func (x *KeyAccessServer) Reset() { *x = KeyAccessServer{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[15] + mi := &file_policy_objects_proto_msgTypes[17] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -1858,7 +2084,7 @@ func (x *KeyAccessServer) String() string { func (*KeyAccessServer) ProtoMessage() {} func (x *KeyAccessServer) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[15] + mi := &file_policy_objects_proto_msgTypes[17] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1871,7 +2097,7 @@ func (x *KeyAccessServer) ProtoReflect() protoreflect.Message { // Deprecated: Use KeyAccessServer.ProtoReflect.Descriptor instead. func (*KeyAccessServer) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{15} + return file_policy_objects_proto_rawDescGZIP(), []int{17} } func (x *KeyAccessServer) GetId() string { @@ -1941,7 +2167,7 @@ type Key struct { func (x *Key) Reset() { *x = Key{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[16] + mi := &file_policy_objects_proto_msgTypes[18] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1954,7 +2180,7 @@ func (x *Key) String() string { func (*Key) ProtoMessage() {} func (x *Key) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[16] + mi := &file_policy_objects_proto_msgTypes[18] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1967,7 +2193,7 @@ func (x *Key) ProtoReflect() protoreflect.Message { // Deprecated: Use Key.ProtoReflect.Descriptor instead. func (*Key) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{16} + return file_policy_objects_proto_rawDescGZIP(), []int{18} } func (x *Key) GetId() string { 
@@ -2032,7 +2258,7 @@ type KasPublicKey struct { func (x *KasPublicKey) Reset() { *x = KasPublicKey{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[17] + mi := &file_policy_objects_proto_msgTypes[19] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2045,7 +2271,7 @@ func (x *KasPublicKey) String() string { func (*KasPublicKey) ProtoMessage() {} func (x *KasPublicKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[17] + mi := &file_policy_objects_proto_msgTypes[19] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2058,7 +2284,7 @@ func (x *KasPublicKey) ProtoReflect() protoreflect.Message { // Deprecated: Use KasPublicKey.ProtoReflect.Descriptor instead. func (*KasPublicKey) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{17} + return file_policy_objects_proto_rawDescGZIP(), []int{19} } func (x *KasPublicKey) GetPem() string { @@ -2095,7 +2321,7 @@ type KasPublicKeySet struct { func (x *KasPublicKeySet) Reset() { *x = KasPublicKeySet{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[18] + mi := &file_policy_objects_proto_msgTypes[20] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2108,7 +2334,7 @@ func (x *KasPublicKeySet) String() string { func (*KasPublicKeySet) ProtoMessage() {} func (x *KasPublicKeySet) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[18] + mi := &file_policy_objects_proto_msgTypes[20] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -2121,7 +2347,7 @@ func (x *KasPublicKeySet) ProtoReflect() protoreflect.Message { // Deprecated: Use KasPublicKeySet.ProtoReflect.Descriptor instead. func (*KasPublicKeySet) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{18} + return file_policy_objects_proto_rawDescGZIP(), []int{20} } func (x *KasPublicKeySet) GetKeys() []*KasPublicKey { @@ -2147,7 +2373,7 @@ type PublicKey struct { func (x *PublicKey) Reset() { *x = PublicKey{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[19] + mi := &file_policy_objects_proto_msgTypes[21] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2160,7 +2386,7 @@ func (x *PublicKey) String() string { func (*PublicKey) ProtoMessage() {} func (x *PublicKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[19] + mi := &file_policy_objects_proto_msgTypes[21] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2173,7 +2399,7 @@ func (x *PublicKey) ProtoReflect() protoreflect.Message { // Deprecated: Use PublicKey.ProtoReflect.Descriptor instead. func (*PublicKey) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{19} + return file_policy_objects_proto_rawDescGZIP(), []int{21} } func (m *PublicKey) GetPublicKey() isPublicKey_PublicKey { @@ -2231,7 +2457,7 @@ type RegisteredResource struct { func (x *RegisteredResource) Reset() { *x = RegisteredResource{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[20] + mi := &file_policy_objects_proto_msgTypes[22] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -2244,7 +2470,7 @@ func (x *RegisteredResource) String() string { func (*RegisteredResource) ProtoMessage() {} func (x *RegisteredResource) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[20] + mi := &file_policy_objects_proto_msgTypes[22] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2257,7 +2483,7 @@ func (x *RegisteredResource) ProtoReflect() protoreflect.Message { // Deprecated: Use RegisteredResource.ProtoReflect.Descriptor instead. func (*RegisteredResource) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{20} + return file_policy_objects_proto_rawDescGZIP(), []int{22} } func (x *RegisteredResource) GetId() string { @@ -2312,7 +2538,7 @@ type RegisteredResourceValue struct { func (x *RegisteredResourceValue) Reset() { *x = RegisteredResourceValue{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[21] + mi := &file_policy_objects_proto_msgTypes[23] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2325,7 +2551,7 @@ func (x *RegisteredResourceValue) String() string { func (*RegisteredResourceValue) ProtoMessage() {} func (x *RegisteredResourceValue) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[21] + mi := &file_policy_objects_proto_msgTypes[23] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2338,7 +2564,7 @@ func (x *RegisteredResourceValue) ProtoReflect() protoreflect.Message { // Deprecated: Use RegisteredResourceValue.ProtoReflect.Descriptor instead. func (*RegisteredResourceValue) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{21} + return file_policy_objects_proto_rawDescGZIP(), []int{23} } func (x *RegisteredResourceValue) GetId() string { 
@@ -2394,7 +2620,7 @@ type PolicyEnforcementPoint struct { func (x *PolicyEnforcementPoint) Reset() { *x = PolicyEnforcementPoint{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[22] + mi := &file_policy_objects_proto_msgTypes[24] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2407,7 +2633,7 @@ func (x *PolicyEnforcementPoint) String() string { func (*PolicyEnforcementPoint) ProtoMessage() {} func (x *PolicyEnforcementPoint) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[22] + mi := &file_policy_objects_proto_msgTypes[24] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2420,7 +2646,7 @@ func (x *PolicyEnforcementPoint) ProtoReflect() protoreflect.Message { // Deprecated: Use PolicyEnforcementPoint.ProtoReflect.Descriptor instead. func (*PolicyEnforcementPoint) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{22} + return file_policy_objects_proto_rawDescGZIP(), []int{24} } func (x *PolicyEnforcementPoint) GetClientId() string { @@ -2442,7 +2668,7 @@ type RequestContext struct { func (x *RequestContext) Reset() { *x = RequestContext{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[23] + mi := &file_policy_objects_proto_msgTypes[25] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2455,7 +2681,7 @@ func (x *RequestContext) String() string { func (*RequestContext) ProtoMessage() {} func (x *RequestContext) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[23] + mi := &file_policy_objects_proto_msgTypes[25] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -2468,7 +2694,7 @@ func (x *RequestContext) ProtoReflect() protoreflect.Message { // Deprecated: Use RequestContext.ProtoReflect.Descriptor instead. func (*RequestContext) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{23} + return file_policy_objects_proto_rawDescGZIP(), []int{25} } func (x *RequestContext) GetPep() *PolicyEnforcementPoint { @@ -2494,7 +2720,7 @@ type Obligation struct { func (x *Obligation) Reset() { *x = Obligation{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[24] + mi := &file_policy_objects_proto_msgTypes[26] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2507,7 +2733,7 @@ func (x *Obligation) String() string { func (*Obligation) ProtoMessage() {} func (x *Obligation) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[24] + mi := &file_policy_objects_proto_msgTypes[26] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2520,7 +2746,7 @@ func (x *Obligation) ProtoReflect() protoreflect.Message { // Deprecated: Use Obligation.ProtoReflect.Descriptor instead. func (*Obligation) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{24} + return file_policy_objects_proto_rawDescGZIP(), []int{26} } func (x *Obligation) GetId() string { @@ -2581,7 +2807,7 @@ type ObligationValue struct { func (x *ObligationValue) Reset() { *x = ObligationValue{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[25] + mi := &file_policy_objects_proto_msgTypes[27] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -2594,7 +2820,7 @@ func (x *ObligationValue) String() string { func (*ObligationValue) ProtoMessage() {} func (x *ObligationValue) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[25] + mi := &file_policy_objects_proto_msgTypes[27] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2607,7 +2833,7 @@ func (x *ObligationValue) ProtoReflect() protoreflect.Message { // Deprecated: Use ObligationValue.ProtoReflect.Descriptor instead. func (*ObligationValue) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{25} + return file_policy_objects_proto_rawDescGZIP(), []int{27} } func (x *ObligationValue) GetId() string { @@ -2670,7 +2896,7 @@ type ObligationTrigger struct { func (x *ObligationTrigger) Reset() { *x = ObligationTrigger{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[26] + mi := &file_policy_objects_proto_msgTypes[28] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2683,7 +2909,7 @@ func (x *ObligationTrigger) String() string { func (*ObligationTrigger) ProtoMessage() {} func (x *ObligationTrigger) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[26] + mi := &file_policy_objects_proto_msgTypes[28] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2696,7 +2922,7 @@ func (x *ObligationTrigger) ProtoReflect() protoreflect.Message { // Deprecated: Use ObligationTrigger.ProtoReflect.Descriptor instead. func (*ObligationTrigger) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{26} + return file_policy_objects_proto_rawDescGZIP(), []int{28} } func (x *ObligationTrigger) GetId() string { 
@@ -2761,7 +2987,7 @@ type KasKey struct { func (x *KasKey) Reset() { *x = KasKey{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[27] + mi := &file_policy_objects_proto_msgTypes[29] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2774,7 +3000,7 @@ func (x *KasKey) String() string { func (*KasKey) ProtoMessage() {} func (x *KasKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[27] + mi := &file_policy_objects_proto_msgTypes[29] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2787,7 +3013,7 @@ func (x *KasKey) ProtoReflect() protoreflect.Message { // Deprecated: Use KasKey.ProtoReflect.Descriptor instead. func (*KasKey) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{27} + return file_policy_objects_proto_rawDescGZIP(), []int{29} } func (x *KasKey) GetKasId() string { @@ -2823,7 +3049,7 @@ type PublicKeyCtx struct { func (x *PublicKeyCtx) Reset() { *x = PublicKeyCtx{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[28] + mi := &file_policy_objects_proto_msgTypes[30] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2836,7 +3062,7 @@ func (x *PublicKeyCtx) String() string { func (*PublicKeyCtx) ProtoMessage() {} func (x *PublicKeyCtx) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[28] + mi := &file_policy_objects_proto_msgTypes[30] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -2849,7 +3075,7 @@ func (x *PublicKeyCtx) ProtoReflect() protoreflect.Message { // Deprecated: Use PublicKeyCtx.ProtoReflect.Descriptor instead. func (*PublicKeyCtx) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{28} + return file_policy_objects_proto_rawDescGZIP(), []int{30} } func (x *PublicKeyCtx) GetPem() string { @@ -2873,7 +3099,7 @@ type PrivateKeyCtx struct { func (x *PrivateKeyCtx) Reset() { *x = PrivateKeyCtx{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[29] + mi := &file_policy_objects_proto_msgTypes[31] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2886,7 +3112,7 @@ func (x *PrivateKeyCtx) String() string { func (*PrivateKeyCtx) ProtoMessage() {} func (x *PrivateKeyCtx) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[29] + mi := &file_policy_objects_proto_msgTypes[31] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2899,7 +3125,7 @@ func (x *PrivateKeyCtx) ProtoReflect() protoreflect.Message { // Deprecated: Use PrivateKeyCtx.ProtoReflect.Descriptor instead. func (*PrivateKeyCtx) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{29} + return file_policy_objects_proto_rawDescGZIP(), []int{31} } func (x *PrivateKeyCtx) GetKeyId() string { @@ -2946,7 +3172,7 @@ type AsymmetricKey struct { func (x *AsymmetricKey) Reset() { *x = AsymmetricKey{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[30] + mi := &file_policy_objects_proto_msgTypes[32] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -2959,7 +3185,7 @@ func (x *AsymmetricKey) String() string { func (*AsymmetricKey) ProtoMessage() {} func (x *AsymmetricKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[30] + mi := &file_policy_objects_proto_msgTypes[32] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2972,7 +3198,7 @@ func (x *AsymmetricKey) ProtoReflect() protoreflect.Message { // Deprecated: Use AsymmetricKey.ProtoReflect.Descriptor instead. func (*AsymmetricKey) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{30} + return file_policy_objects_proto_rawDescGZIP(), []int{32} } func (x *AsymmetricKey) GetId() string { @@ -3063,7 +3289,7 @@ type SymmetricKey struct { func (x *SymmetricKey) Reset() { *x = SymmetricKey{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[31] + mi := &file_policy_objects_proto_msgTypes[33] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -3076,7 +3302,7 @@ func (x *SymmetricKey) String() string { func (*SymmetricKey) ProtoMessage() {} func (x *SymmetricKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[31] + mi := &file_policy_objects_proto_msgTypes[33] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -3089,7 +3315,7 @@ func (x *SymmetricKey) ProtoReflect() protoreflect.Message { // Deprecated: Use SymmetricKey.ProtoReflect.Descriptor instead. func (*SymmetricKey) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{31} + return file_policy_objects_proto_rawDescGZIP(), []int{33} } func (x *SymmetricKey) GetId() string { 
@@ -3156,7 +3382,7 @@ type RegisteredResourceValue_ActionAttributeValue struct { func (x *RegisteredResourceValue_ActionAttributeValue) Reset() { *x = RegisteredResourceValue_ActionAttributeValue{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[32] + mi := &file_policy_objects_proto_msgTypes[34] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -3169,7 +3395,7 @@ func (x *RegisteredResourceValue_ActionAttributeValue) String() string { func (*RegisteredResourceValue_ActionAttributeValue) ProtoMessage() {} func (x *RegisteredResourceValue_ActionAttributeValue) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[32] + mi := &file_policy_objects_proto_msgTypes[34] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -3182,7 +3408,7 @@ func (x *RegisteredResourceValue_ActionAttributeValue) ProtoReflect() protorefle // Deprecated: Use RegisteredResourceValue_ActionAttributeValue.ProtoReflect.Descriptor instead. func (*RegisteredResourceValue_ActionAttributeValue) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{21, 0} + return file_policy_objects_proto_rawDescGZIP(), []int{23, 0} } func (x *RegisteredResourceValue_ActionAttributeValue) GetId() string { 
@@ -3367,452 +3593,501 @@ var file_policy_objects_proto_rawDesc = []byte{ 0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xe9, 0x01, 0x0a, - 0x09, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x4d, 0x0a, 0x1f, 0x73, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x73, - 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x1c, 0x73, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x53, 0x65, 0x6c, 0x65, - 0x63, 0x74, 0x6f, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x4b, 0x0a, 0x08, 0x6f, 0x70, 0x65, - 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x42, - 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x08, 0x6f, 0x70, - 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x40, 0x0a, 0x17, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, - 0x01, 0x52, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, - 0x61, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x22, 0xa7, 0x01, 0x0a, 0x0e, 0x43, 0x6f, 0x6e, - 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x47, 0x72, 0x6f, 0x75, 0x70, 
0x12, 0x3b, 0x0a, 0x0a, 0x63, - 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0a, 0x63, 0x6f, - 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x58, 0x0a, 0x10, 0x62, 0x6f, 0x6f, 0x6c, - 0x65, 0x61, 0x6e, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x64, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x54, 0x79, 0x70, 0x65, - 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01, 0x82, 0x01, 0x02, 0x10, - 0x01, 0x52, 0x0f, 0x62, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, - 0x6f, 0x72, 0x22, 0x59, 0x0a, 0x0a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x53, 0x65, 0x74, - 0x12, 0x4b, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x67, 0x72, - 0x6f, 0x75, 0x70, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x47, 0x72, 0x6f, - 0x75, 0x70, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0f, 0x63, 0x6f, - 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x22, 0xc5, 0x01, - 0x0a, 0x13, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, - 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, - 0x65, 
0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x3f, 0x0a, 0x0c, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x5f, 0x73, 0x65, 0x74, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x53, 0x65, 0x74, - 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0b, 0x73, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x53, 0x65, 0x74, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, - 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, - 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x7c, 0x0a, 0x0f, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x50, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x79, 0x12, 0x42, 0x0a, 0x17, 0x65, 0x78, 0x74, 0x65, - 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0xc8, 0x01, - 0x01, 0x72, 0x02, 0x10, 0x01, 0x52, 0x15, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x53, - 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x25, 0x0a, 0x0e, - 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x22, 0xad, 0x01, 0x0a, 0x14, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x12, 0x0e, 0x0a, 0x02, - 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x29, 0x0a, 0x0c, - 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, - 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 
0x12, 0x1a, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x04, 0x6e, - 0x61, 0x6d, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, - 0x61, 0x74, 0x61, 0x22, 0xd9, 0x01, 0x0a, 0x0f, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, - 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, - 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x3e, 0x0a, 0x0f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, - 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x42, 0x06, 0xba, - 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0e, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, - 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x65, 0x72, 0x6d, 0x73, 0x18, 0x04, - 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x74, 0x65, 0x72, 0x6d, 0x73, 0x12, 0x32, 0x0a, 0x05, 0x67, - 0x72, 0x6f, 0x75, 0x70, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x52, 0x05, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x22, - 0x85, 0x05, 0x0a, 0x0f, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 
0x53, 0x65, 0x72, - 0x76, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x02, 0x69, 0x64, 0x12, 0x87, 0x03, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x42, 0xf4, 0x02, 0xba, 0x48, 0xf0, 0x02, 0xba, 0x01, 0xec, 0x02, 0x0a, 0x0a, 0x75, 0x72, - 0x69, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0xcf, 0x01, 0x55, 0x52, 0x49, 0x20, 0x6d, - 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, - 0x52, 0x4c, 0x20, 0x28, 0x65, 0x2e, 0x67, 0x2e, 0x2c, 0x20, 0x27, 0x68, 0x74, 0x74, 0x70, 0x73, - 0x3a, 0x2f, 0x2f, 0x64, 0x65, 0x6d, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x27, 0x29, 0x20, 0x66, - 0x6f, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x61, 0x64, 0x64, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x73, 0x65, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x20, - 0x45, 0x61, 0x63, 0x68, 0x20, 0x73, 0x65, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x20, 0x6d, 0x75, 0x73, - 0x74, 0x20, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x65, 0x6e, 0x64, 0x20, - 0x77, 0x69, 0x74, 0x68, 0x20, 0x61, 0x6e, 0x20, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x6e, 0x75, 0x6d, - 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x2c, 0x20, - 0x63, 0x61, 0x6e, 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20, 0x68, 0x79, 0x70, 0x68, - 0x65, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, - 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x73, 0x2c, 0x20, 0x61, 0x6e, - 0x64, 0x20, 0x73, 0x6c, 0x61, 0x73, 0x68, 0x65, 0x73, 0x2e, 0x1a, 0x8b, 0x01, 0x74, 0x68, 0x69, - 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5e, 0x68, 0x74, 0x74, 0x70, - 0x73, 0x3f, 0x3a, 0x2f, 0x2f, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, - 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, - 0x30, 0x2c, 0x36, 
0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, - 0x29, 0x3f, 0x28, 0x5c, 0x5c, 0x2e, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, - 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5c, 0x5c, 0x2d, 0x5d, - 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, - 0x5d, 0x29, 0x3f, 0x29, 0x2a, 0x28, 0x3a, 0x5b, 0x30, 0x2d, 0x39, 0x5d, 0x2b, 0x29, 0x3f, 0x28, - 0x2f, 0x2e, 0x2a, 0x29, 0x3f, 0x24, 0x27, 0x29, 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x30, 0x0a, - 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, - 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, - 0x33, 0x0a, 0x0b, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, - 0x20, 0x01, 0x28, 0x0e, 0x32, 0x12, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x6f, - 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x0a, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, - 0x54, 0x79, 0x70, 0x65, 0x12, 0x2f, 0x0a, 0x08, 0x6b, 0x61, 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x73, - 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x07, 0x6b, 0x61, - 0x73, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x14, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, - 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, - 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x97, 0x02, 0x0a, 0x03, 0x4b, 0x65, 0x79, 0x12, - 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 
0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, - 0x37, 0x0a, 0x09, 0x69, 0x73, 0x5f, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x08, - 0x69, 0x73, 0x41, 0x63, 0x74, 0x69, 0x76, 0x65, 0x12, 0x39, 0x0a, 0x0a, 0x77, 0x61, 0x73, 0x5f, - 0x6d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, - 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, - 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x09, 0x77, 0x61, 0x73, 0x4d, 0x61, 0x70, - 0x70, 0x65, 0x64, 0x12, 0x33, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, - 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, - 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x29, 0x0a, 0x03, 0x6b, 0x61, 0x73, 0x18, - 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, - 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x03, - 0x6b, 0x61, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, - 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, - 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x22, 0x84, 0x01, 0x0a, 0x0c, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, - 0x65, 0x79, 0x12, 0x1c, 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, - 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x01, 0x18, 0x80, 0x40, 0x52, 0x03, 0x70, 0x65, 0x6d, - 0x12, 0x1b, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x09, 
0xba, - 0x48, 0x06, 0x72, 0x04, 0x10, 0x01, 0x18, 0x20, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x12, 0x39, 0x0a, - 0x03, 0x61, 0x6c, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, - 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x82, 0x01, 0x04, 0x10, - 0x01, 0x20, 0x00, 0x52, 0x03, 0x61, 0x6c, 0x67, 0x22, 0x3b, 0x0a, 0x0f, 0x4b, 0x61, 0x73, 0x50, - 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x53, 0x65, 0x74, 0x12, 0x28, 0x0a, 0x04, 0x6b, - 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, - 0x04, 0x6b, 0x65, 0x79, 0x73, 0x22, 0xe0, 0x03, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x4b, 0x65, 0x79, 0x12, 0x84, 0x03, 0x0a, 0x06, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x42, 0xe9, 0x02, 0xba, 0x48, 0xe5, 0x02, 0xba, 0x01, 0xe1, 0x02, 0x0a, - 0x0a, 0x75, 0x72, 0x69, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0xcf, 0x01, 0x55, 0x52, - 0x49, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, - 0x64, 0x20, 0x55, 0x52, 0x4c, 0x20, 0x28, 0x65, 0x2e, 0x67, 0x2e, 0x2c, 0x20, 0x27, 0x68, 0x74, - 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x64, 0x65, 0x6d, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x27, - 0x29, 0x20, 0x66, 0x6f, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x61, 0x64, - 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x73, 0x65, 0x67, 0x6d, 0x65, 0x6e, 0x74, - 0x73, 0x2e, 0x20, 0x45, 0x61, 0x63, 0x68, 0x20, 0x73, 0x65, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x20, - 0x6d, 0x75, 0x73, 0x74, 0x20, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x65, - 0x6e, 0x64, 0x20, 0x77, 0x69, 0x74, 0x68, 0x20, 0x61, 0x6e, 0x20, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x6e, 0x75, 0x6d, 0x65, 0x72, 
0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, - 0x72, 0x2c, 0x20, 0x63, 0x61, 0x6e, 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20, 0x68, - 0x79, 0x70, 0x68, 0x65, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x6e, 0x75, 0x6d, - 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x73, 0x2c, - 0x20, 0x61, 0x6e, 0x64, 0x20, 0x73, 0x6c, 0x61, 0x73, 0x68, 0x65, 0x73, 0x2e, 0x1a, 0x80, 0x01, - 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5e, 0x68, - 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, - 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5c, 0x5c, 0x2d, - 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, - 0x39, 0x5d, 0x29, 0x3f, 0x28, 0x5c, 0x5c, 0x2e, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, - 0x2d, 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5c, 0x5c, - 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, - 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x29, 0x2a, 0x28, 0x2f, 0x2e, 0x2a, 0x29, 0x3f, 0x24, 0x27, 0x29, - 0x48, 0x00, 0x52, 0x06, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x12, 0x31, 0x0a, 0x06, 0x63, 0x61, - 0x63, 0x68, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, - 0x53, 0x65, 0x74, 0x48, 0x00, 0x52, 0x06, 0x63, 0x61, 0x63, 0x68, 0x65, 0x64, 0x42, 0x0c, 0x0a, - 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x4a, 0x04, 0x08, 0x02, 0x10, - 0x03, 0x52, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x22, 0xd0, 0x01, 0x0a, 0x12, 0x52, 0x65, 0x67, - 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, - 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 
0x52, 0x02, 0x69, 0x64, 0x12, - 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, - 0x61, 0x6d, 0x65, 0x12, 0x37, 0x0a, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x03, 0x20, - 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x67, - 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x12, 0x2f, 0x0a, 0x09, - 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, - 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x2c, 0x0a, - 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xdc, 0x03, 0x0a, 0x17, - 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, - 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x36, 0x0a, - 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x1a, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, - 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x08, 0x72, 0x65, 0x73, - 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x6c, 0x0a, 0x17, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, - 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, - 0x18, 
0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, - 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x74, - 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x15, 0x61, 0x63, - 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, - 0x75, 0x65, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, - 0x61, 0x74, 0x61, 0x1a, 0xb4, 0x01, 0x0a, 0x14, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x74, - 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x0e, 0x0a, 0x02, - 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x26, 0x0a, 0x06, - 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x61, 0x63, - 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x36, 0x0a, 0x0f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, - 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0e, 0x61, 0x74, - 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x2c, 0x0a, 0x08, - 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, - 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, - 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 
0x61, 0x74, 0x61, 0x22, 0x3e, 0x0a, 0x16, 0x50, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x45, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x50, - 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x24, 0x0a, 0x09, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x69, - 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xba, 0x48, 0x04, 0x72, 0x02, 0x10, 0x01, - 0x52, 0x08, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x22, 0x4a, 0x0a, 0x0e, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x12, 0x38, 0x0a, 0x03, - 0x70, 0x65, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x45, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, - 0x6d, 0x65, 0x6e, 0x74, 0x50, 0x6f, 0x69, 0x6e, 0x74, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, - 0x01, 0x52, 0x03, 0x70, 0x65, 0x70, 0x22, 0xd2, 0x01, 0x0a, 0x0a, 0x4f, 0x62, 0x6c, 0x69, 0x67, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, - 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, - 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2f, 0x0a, 0x06, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x66, - 0x71, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x2c, 0x0a, - 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 
0x28, 0x0b, 0x32, - 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xe2, 0x01, 0x0a, 0x0f, - 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, - 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, - 0x32, 0x0a, 0x0a, 0x6f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4f, 0x62, 0x6c, - 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0a, 0x6f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x35, 0x0a, 0x08, 0x74, 0x72, 0x69, - 0x67, 0x67, 0x65, 0x72, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, - 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x52, 0x08, 0x74, 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x73, - 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x66, - 0x71, 0x6e, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, + 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xb3, 0x01, 0x0a, + 0x17, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, 0x4d, 0x0a, 0x1f, 0x73, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x73, 0x65, 0x6c, + 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x1c, 0x73, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x45, 
0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, + 0x6f, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x49, 0x0a, 0x08, 0x6f, 0x70, 0x65, 0x72, 0x61, + 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4f, + 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0b, 0xba, 0x48, 0x08, + 0xc8, 0x01, 0x01, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x08, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, + 0x6f, 0x72, 0x22, 0x9b, 0x03, 0x0a, 0x21, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x44, 0x0a, 0x14, 0x61, 0x74, 0x74, 0x72, + 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x13, 0x61, 0x74, 0x74, 0x72, 0x69, + 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x46, + 0x0a, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, + 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, + 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, + 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, 0x4f, 0x0a, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, + 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x70, 
0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, + 0x65, 0x74, 0x52, 0x13, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, + 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x28, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x73, 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x06, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, + 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, + 0x63, 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, - 0x22, 0xd8, 0x02, 0x0a, 0x11, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, - 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x42, 0x0a, 0x10, 0x6f, 0x62, 0x6c, 0x69, 0x67, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0f, 0x6f, 0x62, 0x6c, 0x69, 0x67, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x26, 0x0a, 0x06, 0x61, 0x63, - 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, - 
0x6f, 0x6e, 0x12, 0x36, 0x0a, 0x0f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0e, 0x61, 0x74, 0x74, 0x72, - 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x30, 0x0a, 0x07, 0x63, 0x6f, - 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x74, - 0x65, 0x78, 0x74, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x12, 0x2f, 0x0a, 0x09, - 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, - 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x2c, 0x0a, + 0x22, 0xe9, 0x01, 0x0a, 0x09, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x4d, + 0x0a, 0x1f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, + 0x61, 0x6c, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, + 0x1c, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, + 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x4b, 0x0a, + 0x08, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, + 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, + 0x6e, 0x75, 0x6d, 0x42, 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01, 0x82, 0x01, 0x02, 0x10, 0x01, + 0x52, 0x08, 0x6f, 0x70, 0x65, 0x72, 
0x61, 0x74, 0x6f, 0x72, 0x12, 0x40, 0x0a, 0x17, 0x73, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x76, + 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, + 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x45, 0x78, + 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x22, 0xa7, 0x01, 0x0a, + 0x0e, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x12, + 0x3b, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, + 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, + 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x58, 0x0a, 0x10, + 0x62, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, + 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01, + 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x0f, 0x62, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x4f, 0x70, + 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x22, 0x59, 0x0a, 0x0a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x53, 0x65, 0x74, 0x12, 0x4b, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, + 0x52, 0x0f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x47, 
0x72, 0x6f, 0x75, 0x70, + 0x73, 0x22, 0xc5, 0x01, 0x0a, 0x13, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, + 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, + 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, + 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x3f, 0x0a, 0x0c, 0x73, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x73, 0x65, 0x74, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x12, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x53, 0x65, 0x74, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0b, + 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x53, 0x65, 0x74, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, + 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, + 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x7c, 0x0a, 0x0f, 0x53, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x50, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x79, 0x12, 0x42, 0x0a, 0x17, + 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, + 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, + 0x48, 0x07, 0xc8, 0x01, 0x01, 0x72, 0x02, 0x10, 0x01, 0x52, 0x15, 0x65, 0x78, 0x74, 0x65, 0x72, + 0x6e, 0x61, 0x6c, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x12, 0x25, 0x0a, 0x0e, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, + 0x61, 0x6c, 
0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0xad, 0x01, 0x0a, 0x14, 0x52, 0x65, 0x73, 0x6f, + 0x75, 0x72, 0x63, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x47, 0x72, 0x6f, 0x75, 0x70, + 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, + 0x12, 0x29, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0b, + 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, + 0x01, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, + 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xd9, 0x01, 0x0a, 0x0f, 0x52, 0x65, 0x73, 0x6f, + 0x75, 0x72, 0x63, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x0e, 0x0a, 0x02, 0x69, + 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2c, 0x0a, 0x08, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, + 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, + 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x3e, 0x0a, 0x0f, 0x61, 0x74, 0x74, + 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, + 0x65, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0e, 0x61, 0x74, 0x74, 0x72, 0x69, + 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 
0x65, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x65, 0x72, + 0x6d, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x74, 0x65, 0x72, 0x6d, 0x73, 0x12, + 0x32, 0x0a, 0x05, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x52, 0x05, 0x67, 0x72, + 0x6f, 0x75, 0x70, 0x22, 0x85, 0x05, 0x0a, 0x0f, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x87, 0x03, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0xf4, 0x02, 0xba, 0x48, 0xf0, 0x02, 0xba, 0x01, 0xec, 0x02, + 0x0a, 0x0a, 0x75, 0x72, 0x69, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0xcf, 0x01, 0x55, + 0x52, 0x49, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, + 0x69, 0x64, 0x20, 0x55, 0x52, 0x4c, 0x20, 0x28, 0x65, 0x2e, 0x67, 0x2e, 0x2c, 0x20, 0x27, 0x68, + 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x64, 0x65, 0x6d, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x27, 0x29, 0x20, 0x66, 0x6f, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x61, + 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x73, 0x65, 0x67, 0x6d, 0x65, 0x6e, + 0x74, 0x73, 0x2e, 0x20, 0x45, 0x61, 0x63, 0x68, 0x20, 0x73, 0x65, 0x67, 0x6d, 0x65, 0x6e, 0x74, + 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x61, 0x6e, 0x64, 0x20, + 0x65, 0x6e, 0x64, 0x20, 0x77, 0x69, 0x74, 0x68, 0x20, 0x61, 0x6e, 0x20, 0x61, 0x6c, 0x70, 0x68, + 0x61, 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, + 0x65, 0x72, 0x2c, 0x20, 0x63, 0x61, 0x6e, 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20, + 0x68, 0x79, 0x70, 0x68, 0x65, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x6c, 0x70, 0x68, 0x61, 
0x6e, 0x75, + 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x73, + 0x2c, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x73, 0x6c, 0x61, 0x73, 0x68, 0x65, 0x73, 0x2e, 0x1a, 0x8b, + 0x01, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5e, + 0x68, 0x74, 0x74, 0x70, 0x73, 0x3f, 0x3a, 0x2f, 0x2f, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, + 0x30, 0x2d, 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5c, + 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, + 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x28, 0x5c, 0x5c, 0x2e, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, + 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, + 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, + 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x29, 0x2a, 0x28, 0x3a, 0x5b, 0x30, 0x2d, 0x39, 0x5d, + 0x2b, 0x29, 0x3f, 0x28, 0x2f, 0x2e, 0x2a, 0x29, 0x3f, 0x24, 0x27, 0x29, 0x52, 0x03, 0x75, 0x72, + 0x69, 0x12, 0x30, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, + 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x4b, 0x65, 0x79, 0x12, 0x33, 0x0a, 0x0b, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x74, 0x79, + 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x12, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x0a, 0x73, 0x6f, + 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x2f, 0x0a, 0x08, 0x6b, 0x61, 0x73, 0x5f, + 0x6b, 0x65, 0x79, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, + 0x52, 0x07, 0x6b, 0x61, 
0x73, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, + 0x65, 0x18, 0x14, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x61, 0x0a, 0x06, 0x4b, - 0x61, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x61, 0x73, 0x5f, 0x69, 0x64, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x61, 0x73, 0x49, 0x64, 0x12, 0x27, 0x0a, 0x03, - 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x41, 0x73, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x4b, 0x65, 0x79, - 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x61, 0x73, 0x5f, 0x75, 0x72, 0x69, - 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x61, 0x73, 0x55, 0x72, 0x69, 0x22, 0x29, - 0x0a, 0x0c, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x19, - 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xba, 0x48, 0x04, - 0x72, 0x02, 0x10, 0x01, 0x52, 0x03, 0x70, 0x65, 0x6d, 0x22, 0x50, 0x0a, 0x0d, 0x50, 0x72, 0x69, - 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x1e, 0x0a, 0x06, 0x6b, 0x65, - 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xba, 0x48, 0x04, 0x72, - 0x02, 0x10, 0x01, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x77, 0x72, - 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x0a, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x22, 0xd1, 0x03, 0x0a, 0x0d, - 0x41, 0x73, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x0e, 0x0a, - 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 
0x69, 0x64, 0x12, 0x15, 0x0a, - 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, - 0x65, 0x79, 0x49, 0x64, 0x12, 0x36, 0x0a, 0x0d, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x6c, 0x67, 0x6f, - 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x11, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x52, 0x0c, - 0x6b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x30, 0x0a, 0x0a, - 0x6b, 0x65, 0x79, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, - 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x53, 0x74, 0x61, - 0x74, 0x75, 0x73, 0x52, 0x09, 0x6b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x2a, - 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0e, - 0x32, 0x0f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, - 0x65, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x3a, 0x0a, 0x0e, 0x70, 0x75, - 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, 0x18, 0x06, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x75, 0x62, 0x6c, - 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x52, 0x0c, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x3d, 0x0a, 0x0f, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, - 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, - 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x52, 0x0d, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, - 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x42, 0x0a, 0x0f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, - 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, - 0x2e, 
0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x50, 0x72, 0x6f, 0x76, 0x69, - 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x70, 0x72, 0x6f, 0x76, 0x69, - 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x67, - 0x61, 0x63, 0x79, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x06, 0x6c, 0x65, 0x67, 0x61, 0x63, - 0x79, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, + 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x97, 0x02, 0x0a, 0x03, + 0x4b, 0x65, 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x02, 0x69, 0x64, 0x12, 0x37, 0x0a, 0x09, 0x69, 0x73, 0x5f, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, + 0x75, 0x65, 0x52, 0x08, 0x69, 0x73, 0x41, 0x63, 0x74, 0x69, 0x76, 0x65, 0x12, 0x39, 0x0a, 0x0a, + 0x77, 0x61, 0x73, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, + 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x09, 0x77, 0x61, + 0x73, 0x4d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x12, 0x33, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, + 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x29, 0x0a, 0x03, + 0x6b, 0x61, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x52, 0x03, 0x6b, 0x61, 0x73, 
0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, + 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x84, 0x01, 0x0a, 0x0c, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x1c, 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x01, 0x18, 0x80, 0x40, 0x52, + 0x03, 0x70, 0x65, 0x6d, 0x12, 0x1b, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x42, 0x09, 0xba, 0x48, 0x06, 0x72, 0x04, 0x10, 0x01, 0x18, 0x20, 0x52, 0x03, 0x6b, 0x69, + 0x64, 0x12, 0x39, 0x0a, 0x03, 0x61, 0x6c, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1b, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0a, 0xba, 0x48, 0x07, + 0x82, 0x01, 0x04, 0x10, 0x01, 0x20, 0x00, 0x52, 0x03, 0x61, 0x6c, 0x67, 0x22, 0x3b, 0x0a, 0x0f, + 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x53, 0x65, 0x74, 0x12, + 0x28, 0x0a, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x4b, 0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x22, 0xe0, 0x03, 0x0a, 0x09, 0x50, 0x75, + 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x84, 0x03, 0x0a, 0x06, 0x72, 0x65, 0x6d, 0x6f, + 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0xe9, 0x02, 0xba, 0x48, 0xe5, 0x02, 0xba, + 0x01, 0xe1, 0x02, 0x0a, 0x0a, 0x75, 0x72, 0x69, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, + 0xcf, 0x01, 0x55, 0x52, 0x49, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, + 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x52, 0x4c, 0x20, 0x28, 0x65, 0x2e, 
0x67, 0x2e, 0x2c, + 0x20, 0x27, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x64, 0x65, 0x6d, 0x6f, 0x2e, 0x63, + 0x6f, 0x6d, 0x2f, 0x27, 0x29, 0x20, 0x66, 0x6f, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x20, 0x62, + 0x79, 0x20, 0x61, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x73, 0x65, 0x67, + 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x20, 0x45, 0x61, 0x63, 0x68, 0x20, 0x73, 0x65, 0x67, 0x6d, + 0x65, 0x6e, 0x74, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x61, + 0x6e, 0x64, 0x20, 0x65, 0x6e, 0x64, 0x20, 0x77, 0x69, 0x74, 0x68, 0x20, 0x61, 0x6e, 0x20, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, + 0x61, 0x63, 0x74, 0x65, 0x72, 0x2c, 0x20, 0x63, 0x61, 0x6e, 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x61, + 0x69, 0x6e, 0x20, 0x68, 0x79, 0x70, 0x68, 0x65, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x6c, 0x70, 0x68, + 0x61, 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, + 0x65, 0x72, 0x73, 0x2c, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x73, 0x6c, 0x61, 0x73, 0x68, 0x65, 0x73, + 0x2e, 0x1a, 0x80, 0x01, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, + 0x28, 0x27, 0x5e, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x5b, 0x61, 0x2d, 0x7a, 0x41, + 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, + 0x39, 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, + 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x28, 0x5c, 0x5c, 0x2e, 0x5b, 0x61, 0x2d, 0x7a, + 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, + 0x2d, 0x39, 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, + 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x29, 0x2a, 0x28, 0x2f, 0x2e, 0x2a, 0x29, + 0x3f, 0x24, 0x27, 0x29, 0x48, 0x00, 0x52, 0x06, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x12, 0x31, + 0x0a, 0x06, 0x63, 
0x61, 0x63, 0x68, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x4b, 0x65, 0x79, 0x53, 0x65, 0x74, 0x48, 0x00, 0x52, 0x06, 0x63, 0x61, 0x63, 0x68, 0x65, + 0x64, 0x42, 0x0c, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x4a, + 0x04, 0x08, 0x02, 0x10, 0x03, 0x52, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x22, 0xd0, 0x01, 0x0a, + 0x12, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, + 0x72, 0x63, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x37, 0x0a, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, + 0x72, 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, + 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x04, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, 0x6d, + 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, + 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, - 0x9e, 0x02, 0x0a, 0x0c, 0x53, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0xdc, 0x03, 0x0a, 0x17, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, + 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 
0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, + 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x76, + 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x12, 0x36, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x03, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, + 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x6c, 0x0a, 0x17, 0x61, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x5f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, + 0x6c, 0x75, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, + 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x2e, 0x41, 0x63, 0x74, 0x69, + 0x6f, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x52, 0x15, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, + 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x05, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, + 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x1a, 0xb4, 0x01, 0x0a, 0x14, 0x41, 0x63, 0x74, 0x69, + 0x6f, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, - 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, - 
0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x30, 0x0a, 0x0a, 0x6b, 0x65, 0x79, 0x5f, 0x73, - 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x11, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x09, - 0x6b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x2a, 0x0a, 0x08, 0x6b, 0x65, 0x79, - 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x0f, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x07, 0x6b, 0x65, - 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, - 0x18, 0x05, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x6b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x42, - 0x0a, 0x0f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, - 0x67, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x4b, 0x65, 0x79, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x52, 0x0e, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, - 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, - 0x2a, 0xb3, 0x01, 0x0a, 0x15, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x75, - 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x28, 0x0a, 0x24, 0x41, 0x54, - 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, - 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, - 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, - 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 
0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, - 0x5f, 0x41, 0x4c, 0x4c, 0x5f, 0x4f, 0x46, 0x10, 0x01, 0x12, 0x23, 0x0a, 0x1f, 0x41, 0x54, 0x54, - 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, - 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4e, 0x59, 0x5f, 0x4f, 0x46, 0x10, 0x02, 0x12, 0x26, - 0x0a, 0x22, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, - 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x49, 0x45, 0x52, 0x41, - 0x52, 0x43, 0x48, 0x59, 0x10, 0x03, 0x2a, 0xca, 0x01, 0x0a, 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, - 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, - 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, + 0x12, 0x26, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x36, 0x0a, 0x0f, 0x61, 0x74, 0x74, 0x72, + 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x0d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x52, 0x0e, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, + 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x3e, + 0x0a, 0x16, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x45, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x6d, + 0x65, 0x6e, 0x74, 0x50, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x24, 0x0a, 0x09, 
0x63, 0x6c, 0x69, 0x65, + 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xba, 0x48, 0x04, + 0x72, 0x02, 0x10, 0x01, 0x52, 0x08, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x22, 0x4a, + 0x0a, 0x0e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, + 0x12, 0x38, 0x0a, 0x03, 0x70, 0x65, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x45, 0x6e, 0x66, + 0x6f, 0x72, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x50, 0x6f, 0x69, 0x6e, 0x74, 0x42, 0x06, 0xba, + 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x03, 0x70, 0x65, 0x70, 0x22, 0xd2, 0x01, 0x0a, 0x0a, 0x4f, + 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, + 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, + 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, + 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2f, + 0x0a, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x12, + 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x66, 0x71, + 0x6e, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, + 0xe2, 0x01, 
0x0a, 0x0f, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x02, 0x69, 0x64, 0x12, 0x32, 0x0a, 0x0a, 0x6f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0a, 0x6f, 0x62, 0x6c, + 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x35, 0x0a, + 0x08, 0x74, 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x19, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x54, 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x52, 0x08, 0x74, 0x72, 0x69, 0x67, + 0x67, 0x65, 0x72, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, + 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, + 0x64, 0x61, 0x74, 0x61, 0x22, 0xd8, 0x02, 0x0a, 0x11, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x54, 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x42, 0x0a, 0x10, 0x6f, 0x62, + 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4f, 0x62, + 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0f, 0x6f, + 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 
0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x26, + 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, + 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x36, 0x0a, 0x0f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, + 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x0d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0e, + 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x30, + 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, + 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x0b, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, 0x6d, + 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, + 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, + 0x61, 0x0a, 0x06, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x61, 0x73, + 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x61, 0x73, 0x49, 0x64, + 0x12, 0x27, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x73, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, + 0x63, 0x4b, 0x65, 0x79, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x17, 0x0a, 0x07, 0x6b, 
0x61, 0x73, + 0x5f, 0x75, 0x72, 0x69, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x61, 0x73, 0x55, + 0x72, 0x69, 0x22, 0x29, 0x0a, 0x0c, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, + 0x74, 0x78, 0x12, 0x19, 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, + 0x07, 0xba, 0x48, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x03, 0x70, 0x65, 0x6d, 0x22, 0x50, 0x0a, + 0x0d, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x1e, + 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, + 0xba, 0x48, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x1f, + 0x0a, 0x0b, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x0a, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x22, + 0xd1, 0x03, 0x0a, 0x0d, 0x41, 0x73, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x4b, 0x65, + 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, + 0x64, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x36, 0x0a, 0x0d, 0x6b, 0x65, 0x79, 0x5f, + 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, + 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, + 0x68, 0x6d, 0x52, 0x0c, 0x6b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, + 0x12, 0x30, 0x0a, 0x0a, 0x6b, 0x65, 0x79, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x0e, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, + 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x09, 0x6b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, + 0x75, 0x73, 0x12, 0x2a, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x05, + 0x20, 0x01, 0x28, 0x0e, 
0x32, 0x0f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, + 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x3a, + 0x0a, 0x0e, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, + 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x52, 0x0c, 0x70, 0x75, + 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x3d, 0x0a, 0x0f, 0x70, 0x72, + 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, 0x18, 0x07, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, 0x69, + 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x52, 0x0d, 0x70, 0x72, 0x69, 0x76, + 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x42, 0x0a, 0x0f, 0x70, 0x72, 0x6f, + 0x76, 0x69, 0x64, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x08, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x50, + 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x70, + 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x16, 0x0a, + 0x06, 0x6c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x06, 0x6c, + 0x65, 0x67, 0x61, 0x63, 0x79, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, + 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, + 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x22, 0x9e, 0x02, 0x0a, 0x0c, 0x53, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, + 0x63, 0x4b, 0x65, 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x02, 0x69, 0x64, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x65, 
0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x30, 0x0a, 0x0a, 0x6b, + 0x65, 0x79, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, + 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, + 0x75, 0x73, 0x52, 0x09, 0x6b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x2a, 0x0a, + 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, + 0x0f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, + 0x52, 0x07, 0x6b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x65, 0x79, + 0x5f, 0x63, 0x74, 0x78, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x6b, 0x65, 0x79, 0x43, + 0x74, 0x78, 0x12, 0x42, 0x0a, 0x0f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x5f, 0x63, + 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, + 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, + 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, + 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, + 0x64, 0x61, 0x74, 0x61, 0x2a, 0xb3, 0x01, 0x0a, 0x15, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, + 0x74, 0x65, 0x52, 0x75, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x28, + 0x0a, 0x24, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, + 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, + 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f, 0x41, 0x54, 0x54, 0x52, + 
0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, + 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4c, 0x4c, 0x5f, 0x4f, 0x46, 0x10, 0x01, 0x12, 0x23, 0x0a, + 0x1f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, + 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4e, 0x59, 0x5f, 0x4f, 0x46, + 0x10, 0x02, 0x12, 0x26, 0x0a, 0x22, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, + 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, + 0x49, 0x45, 0x52, 0x41, 0x52, 0x43, 0x48, 0x59, 0x10, 0x03, 0x2a, 0xca, 0x01, 0x0a, 0x1a, 0x53, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x4f, 0x70, 0x65, + 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, + 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, + 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, + 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x24, 0x0a, 0x20, 0x53, 0x55, 0x42, 0x4a, + 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, + 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x28, + 0x0a, 0x24, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, + 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, + 0x4e, 0x4f, 0x54, 0x5f, 0x49, 0x4e, 0x10, 0x02, 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, + 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, + 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x49, 0x4e, 0x5f, 0x43, 0x4f, 0x4e, + 0x54, 0x41, 0x49, 0x4e, 0x53, 0x10, 0x03, 0x2a, 0x90, 0x01, 0x0a, 0x18, 0x43, 0x6f, 0x6e, 0x64, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 
0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x54, 0x79, 0x70, 0x65, + 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x2b, 0x0a, 0x27, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, + 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, + 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, + 0x00, 0x12, 0x23, 0x0a, 0x1f, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, + 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, + 0x5f, 0x41, 0x4e, 0x44, 0x10, 0x01, 0x12, 0x22, 0x0a, 0x1e, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, + 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, + 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x4f, 0x52, 0x10, 0x02, 0x2a, 0xb6, 0x01, 0x0a, 0x18, 0x44, + 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4f, 0x70, 0x65, 0x72, 0x61, + 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x2b, 0x0a, 0x27, 0x44, 0x59, 0x4e, 0x41, 0x4d, + 0x49, 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, - 0x45, 0x44, 0x10, 0x00, 0x12, 0x24, 0x0a, 0x20, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, - 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, - 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x28, 0x0a, 0x24, 0x53, 0x55, - 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, - 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x4e, 0x4f, 0x54, 0x5f, - 0x49, 0x4e, 0x10, 0x02, 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, - 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, - 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x49, 0x4e, 0x5f, 0x43, 0x4f, 0x4e, 0x54, 
0x41, 0x49, 0x4e, - 0x53, 0x10, 0x03, 0x2a, 0x90, 0x01, 0x0a, 0x18, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x42, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, - 0x12, 0x2b, 0x0a, 0x27, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, - 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, - 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, - 0x1f, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, - 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4e, 0x44, - 0x10, 0x01, 0x12, 0x22, 0x0a, 0x1e, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, - 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, - 0x4d, 0x5f, 0x4f, 0x52, 0x10, 0x02, 0x2a, 0x5d, 0x0a, 0x0a, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, - 0x54, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, 0x17, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, - 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, - 0x00, 0x12, 0x18, 0x0a, 0x14, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, - 0x5f, 0x49, 0x4e, 0x54, 0x45, 0x52, 0x4e, 0x41, 0x4c, 0x10, 0x01, 0x12, 0x18, 0x0a, 0x14, 0x53, - 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x58, 0x54, 0x45, 0x52, - 0x4e, 0x41, 0x4c, 0x10, 0x02, 0x2a, 0x9b, 0x03, 0x0a, 0x13, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x27, 0x0a, - 0x23, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, - 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, - 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, - 0x42, 0x4c, 0x49, 
0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, - 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x10, 0x01, 0x12, 0x24, 0x0a, 0x20, - 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, - 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x34, 0x30, 0x39, 0x36, - 0x10, 0x02, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, - 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, - 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35, 0x36, 0x52, 0x31, 0x10, 0x05, 0x12, 0x28, 0x0a, 0x24, - 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, - 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, - 0x38, 0x34, 0x52, 0x31, 0x10, 0x06, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, - 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, - 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x35, 0x32, 0x31, 0x52, 0x31, 0x10, 0x07, - 0x12, 0x26, 0x0a, 0x22, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, - 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, - 0x5f, 0x58, 0x57, 0x49, 0x4e, 0x47, 0x10, 0x0a, 0x12, 0x33, 0x0a, 0x2f, 0x4b, 0x41, 0x53, 0x5f, - 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, - 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35, 0x36, - 0x52, 0x31, 0x5f, 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x37, 0x36, 0x38, 0x10, 0x0b, 0x12, 0x34, 0x0a, - 0x30, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, - 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, - 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, 0x31, 0x5f, 0x4d, 
0x4c, 0x4b, 0x45, 0x4d, 0x31, 0x30, 0x32, - 0x34, 0x10, 0x0c, 0x2a, 0x84, 0x02, 0x0a, 0x09, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, - 0x6d, 0x12, 0x19, 0x0a, 0x15, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x55, - 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, - 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x32, 0x30, - 0x34, 0x38, 0x10, 0x01, 0x12, 0x16, 0x0a, 0x12, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, - 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x10, 0x02, 0x12, 0x15, 0x0a, 0x11, - 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x32, 0x35, - 0x36, 0x10, 0x03, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, - 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x33, 0x38, 0x34, 0x10, 0x04, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, - 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x35, 0x32, 0x31, 0x10, - 0x05, 0x12, 0x18, 0x0a, 0x14, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x48, - 0x50, 0x51, 0x54, 0x5f, 0x58, 0x57, 0x49, 0x4e, 0x47, 0x10, 0x06, 0x12, 0x25, 0x0a, 0x21, 0x41, - 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, - 0x43, 0x50, 0x32, 0x35, 0x36, 0x52, 0x31, 0x5f, 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x37, 0x36, 0x38, - 0x10, 0x07, 0x12, 0x26, 0x0a, 0x22, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, - 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, 0x31, 0x5f, 0x4d, - 0x4c, 0x4b, 0x45, 0x4d, 0x31, 0x30, 0x32, 0x34, 0x10, 0x08, 0x2a, 0x56, 0x0a, 0x09, 0x4b, 0x65, - 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x1a, 0x0a, 0x16, 0x4b, 0x45, 0x59, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, - 0x44, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x4b, 0x45, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 
0x55, - 0x53, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x56, 0x45, 0x10, 0x01, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x45, - 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x4f, 0x54, 0x41, 0x54, 0x45, 0x44, - 0x10, 0x02, 0x2a, 0x94, 0x01, 0x0a, 0x07, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x18, - 0x0a, 0x14, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, - 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x4b, 0x45, 0x59, 0x5f, - 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x5f, 0x52, 0x4f, 0x4f, 0x54, - 0x5f, 0x4b, 0x45, 0x59, 0x10, 0x01, 0x12, 0x1e, 0x0a, 0x1a, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, - 0x44, 0x45, 0x5f, 0x50, 0x52, 0x4f, 0x56, 0x49, 0x44, 0x45, 0x52, 0x5f, 0x52, 0x4f, 0x4f, 0x54, - 0x5f, 0x4b, 0x45, 0x59, 0x10, 0x02, 0x12, 0x13, 0x0a, 0x0f, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, - 0x44, 0x45, 0x5f, 0x52, 0x45, 0x4d, 0x4f, 0x54, 0x45, 0x10, 0x03, 0x12, 0x1c, 0x0a, 0x18, 0x4b, - 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, - 0x45, 0x59, 0x5f, 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x04, 0x42, 0x82, 0x01, 0x0a, 0x0a, 0x63, 0x6f, - 0x6d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, 0x0c, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, - 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, - 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xa2, 0x02, 0x03, 0x50, 0x58, 0x58, 0xaa, 0x02, - 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xca, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0xe2, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x62, 0x06, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 
0x33, + 0x45, 0x44, 0x10, 0x00, 0x12, 0x31, 0x0a, 0x2d, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, + 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, + 0x4e, 0x55, 0x4d, 0x5f, 0x52, 0x45, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x56, 0x41, 0x4c, + 0x55, 0x45, 0x5f, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x3a, 0x0a, 0x36, 0x44, 0x59, 0x4e, 0x41, 0x4d, + 0x49, 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, + 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x52, 0x45, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, + 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x49, 0x4e, 0x5f, 0x43, 0x4f, 0x4e, 0x54, 0x41, 0x49, 0x4e, + 0x53, 0x10, 0x02, 0x2a, 0x5d, 0x0a, 0x0a, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, + 0x65, 0x12, 0x1b, 0x0a, 0x17, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, + 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x18, + 0x0a, 0x14, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x4e, + 0x54, 0x45, 0x52, 0x4e, 0x41, 0x4c, 0x10, 0x01, 0x12, 0x18, 0x0a, 0x14, 0x53, 0x4f, 0x55, 0x52, + 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x58, 0x54, 0x45, 0x52, 0x4e, 0x41, 0x4c, + 0x10, 0x02, 0x2a, 0x9b, 0x03, 0x0a, 0x13, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x27, 0x0a, 0x23, 0x4b, 0x41, + 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, + 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, + 0x44, 0x10, 0x00, 0x12, 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, + 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x52, + 0x53, 0x41, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x10, 0x01, 0x12, 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, + 0x5f, 0x50, 0x55, 0x42, 0x4c, 
0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, + 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x10, 0x02, 0x12, + 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, + 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, + 0x43, 0x50, 0x32, 0x35, 0x36, 0x52, 0x31, 0x10, 0x05, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, + 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, + 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, + 0x31, 0x10, 0x06, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, + 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, + 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x35, 0x32, 0x31, 0x52, 0x31, 0x10, 0x07, 0x12, 0x26, 0x0a, + 0x22, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, + 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x58, 0x57, + 0x49, 0x4e, 0x47, 0x10, 0x0a, 0x12, 0x33, 0x0a, 0x2f, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, + 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, + 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35, 0x36, 0x52, 0x31, 0x5f, + 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x37, 0x36, 0x38, 0x10, 0x0b, 0x12, 0x34, 0x0a, 0x30, 0x4b, 0x41, + 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, + 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, + 0x38, 0x34, 0x52, 0x31, 0x5f, 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x31, 0x30, 0x32, 0x34, 0x10, 0x0c, + 0x2a, 0x84, 0x02, 0x0a, 0x09, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x19, + 0x0a, 0x15, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 
0x5f, 0x55, 0x4e, 0x53, 0x50, + 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x41, 0x4c, 0x47, + 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x10, + 0x01, 0x12, 0x16, 0x0a, 0x12, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x52, + 0x53, 0x41, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x10, 0x02, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, + 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x32, 0x35, 0x36, 0x10, 0x03, + 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x45, 0x43, + 0x5f, 0x50, 0x33, 0x38, 0x34, 0x10, 0x04, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, 0x4f, 0x52, + 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x35, 0x32, 0x31, 0x10, 0x05, 0x12, 0x18, + 0x0a, 0x14, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, + 0x5f, 0x58, 0x57, 0x49, 0x4e, 0x47, 0x10, 0x06, 0x12, 0x25, 0x0a, 0x21, 0x41, 0x4c, 0x47, 0x4f, + 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, + 0x35, 0x36, 0x52, 0x31, 0x5f, 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x37, 0x36, 0x38, 0x10, 0x07, 0x12, + 0x26, 0x0a, 0x22, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x48, 0x50, 0x51, + 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, 0x31, 0x5f, 0x4d, 0x4c, 0x4b, 0x45, + 0x4d, 0x31, 0x30, 0x32, 0x34, 0x10, 0x08, 0x2a, 0x56, 0x0a, 0x09, 0x4b, 0x65, 0x79, 0x53, 0x74, + 0x61, 0x74, 0x75, 0x73, 0x12, 0x1a, 0x0a, 0x16, 0x4b, 0x45, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, + 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, + 0x12, 0x15, 0x0a, 0x11, 0x4b, 0x45, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x41, + 0x43, 0x54, 0x49, 0x56, 0x45, 0x10, 0x01, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x45, 0x59, 0x5f, 0x53, + 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x4f, 0x54, 0x41, 0x54, 0x45, 0x44, 0x10, 0x02, 0x2a, + 0x94, 
0x01, 0x0a, 0x07, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x18, 0x0a, 0x14, 0x4b, + 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, + 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, + 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x5f, 0x52, 0x4f, 0x4f, 0x54, 0x5f, 0x4b, 0x45, + 0x59, 0x10, 0x01, 0x12, 0x1e, 0x0a, 0x1a, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, + 0x50, 0x52, 0x4f, 0x56, 0x49, 0x44, 0x45, 0x52, 0x5f, 0x52, 0x4f, 0x4f, 0x54, 0x5f, 0x4b, 0x45, + 0x59, 0x10, 0x02, 0x12, 0x13, 0x0a, 0x0f, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, + 0x52, 0x45, 0x4d, 0x4f, 0x54, 0x45, 0x10, 0x03, 0x12, 0x1c, 0x0a, 0x18, 0x4b, 0x45, 0x59, 0x5f, + 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, + 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x04, 0x42, 0x82, 0x01, 0x0a, 0x0a, 0x63, 0x6f, 0x6d, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, 0x0c, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x50, 0x72, + 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, + 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xa2, 0x02, 0x03, 0x50, 0x58, 0x58, 0xaa, 0x02, 0x06, 0x50, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0xca, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xe2, 0x02, 0x12, + 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0xea, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, } var ( 
@@ -3827,148 +4102,158 @@ func file_policy_objects_proto_rawDescGZIP() []byte { return file_policy_objects_proto_rawDescData } -var file_policy_objects_proto_enumTypes = make([]protoimpl.EnumInfo, 9) -var file_policy_objects_proto_msgTypes = make([]protoimpl.MessageInfo, 33) +var file_policy_objects_proto_enumTypes = make([]protoimpl.EnumInfo, 10) +var file_policy_objects_proto_msgTypes = make([]protoimpl.MessageInfo, 35) var file_policy_objects_proto_goTypes = []interface{}{ - (AttributeRuleTypeEnum)(0), // 0: policy.AttributeRuleTypeEnum - (SubjectMappingOperatorEnum)(0), // 1: policy.SubjectMappingOperatorEnum - (ConditionBooleanTypeEnum)(0), // 2: policy.ConditionBooleanTypeEnum - (SourceType)(0), // 3: policy.SourceType - (KasPublicKeyAlgEnum)(0), // 4: policy.KasPublicKeyAlgEnum - (Algorithm)(0), // 5: policy.Algorithm - (KeyStatus)(0), // 6: policy.KeyStatus - (KeyMode)(0), // 7: policy.KeyMode - (Action_StandardAction)(0), // 8: policy.Action.StandardAction - (*SimpleKasPublicKey)(nil), // 9: policy.SimpleKasPublicKey - (*SimpleKasKey)(nil), // 10: policy.SimpleKasKey - (*KeyProviderConfig)(nil), // 11: policy.KeyProviderConfig - (*Namespace)(nil), // 12: policy.Namespace - (*Attribute)(nil), // 13: policy.Attribute - (*Value)(nil), // 14: policy.Value - (*Action)(nil), // 15: policy.Action - (*SubjectMapping)(nil), // 16: policy.SubjectMapping - (*Condition)(nil), // 17: policy.Condition - (*ConditionGroup)(nil), // 18: policy.ConditionGroup - (*SubjectSet)(nil), // 19: policy.SubjectSet - (*SubjectConditionSet)(nil), // 20: policy.SubjectConditionSet - (*SubjectProperty)(nil), // 21: policy.SubjectProperty - (*ResourceMappingGroup)(nil), // 22: policy.ResourceMappingGroup - (*ResourceMapping)(nil), // 23: policy.ResourceMapping - (*KeyAccessServer)(nil), // 24: policy.KeyAccessServer - (*Key)(nil), // 25: policy.Key - (*KasPublicKey)(nil), // 26: policy.KasPublicKey - (*KasPublicKeySet)(nil), // 27: policy.KasPublicKeySet - (*PublicKey)(nil), // 28: 
policy.PublicKey - (*RegisteredResource)(nil), // 29: policy.RegisteredResource - (*RegisteredResourceValue)(nil), // 30: policy.RegisteredResourceValue - (*PolicyEnforcementPoint)(nil), // 31: policy.PolicyEnforcementPoint - (*RequestContext)(nil), // 32: policy.RequestContext - (*Obligation)(nil), // 33: policy.Obligation - (*ObligationValue)(nil), // 34: policy.ObligationValue - (*ObligationTrigger)(nil), // 35: policy.ObligationTrigger - (*KasKey)(nil), // 36: policy.KasKey - (*PublicKeyCtx)(nil), // 37: policy.PublicKeyCtx - (*PrivateKeyCtx)(nil), // 38: policy.PrivateKeyCtx - (*AsymmetricKey)(nil), // 39: policy.AsymmetricKey - (*SymmetricKey)(nil), // 40: policy.SymmetricKey - (*RegisteredResourceValue_ActionAttributeValue)(nil), // 41: policy.RegisteredResourceValue.ActionAttributeValue - (*common.Metadata)(nil), // 42: common.Metadata - (*wrapperspb.BoolValue)(nil), // 43: google.protobuf.BoolValue + (AttributeRuleTypeEnum)(0), // 0: policy.AttributeRuleTypeEnum + (SubjectMappingOperatorEnum)(0), // 1: policy.SubjectMappingOperatorEnum + (ConditionBooleanTypeEnum)(0), // 2: policy.ConditionBooleanTypeEnum + (DynamicValueOperatorEnum)(0), // 3: policy.DynamicValueOperatorEnum + (SourceType)(0), // 4: policy.SourceType + (KasPublicKeyAlgEnum)(0), // 5: policy.KasPublicKeyAlgEnum + (Algorithm)(0), // 6: policy.Algorithm + (KeyStatus)(0), // 7: policy.KeyStatus + (KeyMode)(0), // 8: policy.KeyMode + (Action_StandardAction)(0), // 9: policy.Action.StandardAction + (*SimpleKasPublicKey)(nil), // 10: policy.SimpleKasPublicKey + (*SimpleKasKey)(nil), // 11: policy.SimpleKasKey + (*KeyProviderConfig)(nil), // 12: policy.KeyProviderConfig + (*Namespace)(nil), // 13: policy.Namespace + (*Attribute)(nil), // 14: policy.Attribute + (*Value)(nil), // 15: policy.Value + (*Action)(nil), // 16: policy.Action + (*SubjectMapping)(nil), // 17: policy.SubjectMapping + (*DefinitionValueResolver)(nil), // 18: policy.DefinitionValueResolver + 
(*DefinitionValueEntitlementMapping)(nil), // 19: policy.DefinitionValueEntitlementMapping + (*Condition)(nil), // 20: policy.Condition + (*ConditionGroup)(nil), // 21: policy.ConditionGroup + (*SubjectSet)(nil), // 22: policy.SubjectSet + (*SubjectConditionSet)(nil), // 23: policy.SubjectConditionSet + (*SubjectProperty)(nil), // 24: policy.SubjectProperty + (*ResourceMappingGroup)(nil), // 25: policy.ResourceMappingGroup + (*ResourceMapping)(nil), // 26: policy.ResourceMapping + (*KeyAccessServer)(nil), // 27: policy.KeyAccessServer + (*Key)(nil), // 28: policy.Key + (*KasPublicKey)(nil), // 29: policy.KasPublicKey + (*KasPublicKeySet)(nil), // 30: policy.KasPublicKeySet + (*PublicKey)(nil), // 31: policy.PublicKey + (*RegisteredResource)(nil), // 32: policy.RegisteredResource + (*RegisteredResourceValue)(nil), // 33: policy.RegisteredResourceValue + (*PolicyEnforcementPoint)(nil), // 34: policy.PolicyEnforcementPoint + (*RequestContext)(nil), // 35: policy.RequestContext + (*Obligation)(nil), // 36: policy.Obligation + (*ObligationValue)(nil), // 37: policy.ObligationValue + (*ObligationTrigger)(nil), // 38: policy.ObligationTrigger + (*KasKey)(nil), // 39: policy.KasKey + (*PublicKeyCtx)(nil), // 40: policy.PublicKeyCtx + (*PrivateKeyCtx)(nil), // 41: policy.PrivateKeyCtx + (*AsymmetricKey)(nil), // 42: policy.AsymmetricKey + (*SymmetricKey)(nil), // 43: policy.SymmetricKey + (*RegisteredResourceValue_ActionAttributeValue)(nil), // 44: policy.RegisteredResourceValue.ActionAttributeValue + (*common.Metadata)(nil), // 45: common.Metadata + (*wrapperspb.BoolValue)(nil), // 46: google.protobuf.BoolValue } var file_policy_objects_proto_depIdxs = []int32{ - 5, // 0: policy.SimpleKasPublicKey.algorithm:type_name -> policy.Algorithm - 9, // 1: policy.SimpleKasKey.public_key:type_name -> policy.SimpleKasPublicKey - 42, // 2: policy.KeyProviderConfig.metadata:type_name -> common.Metadata - 43, // 3: policy.Namespace.active:type_name -> google.protobuf.BoolValue - 42, // 
4: policy.Namespace.metadata:type_name -> common.Metadata - 24, // 5: policy.Namespace.grants:type_name -> policy.KeyAccessServer - 10, // 6: policy.Namespace.kas_keys:type_name -> policy.SimpleKasKey - 12, // 7: policy.Attribute.namespace:type_name -> policy.Namespace + 6, // 0: policy.SimpleKasPublicKey.algorithm:type_name -> policy.Algorithm + 10, // 1: policy.SimpleKasKey.public_key:type_name -> policy.SimpleKasPublicKey + 45, // 2: policy.KeyProviderConfig.metadata:type_name -> common.Metadata + 46, // 3: policy.Namespace.active:type_name -> google.protobuf.BoolValue + 45, // 4: policy.Namespace.metadata:type_name -> common.Metadata + 27, // 5: policy.Namespace.grants:type_name -> policy.KeyAccessServer + 11, // 6: policy.Namespace.kas_keys:type_name -> policy.SimpleKasKey + 13, // 7: policy.Attribute.namespace:type_name -> policy.Namespace 0, // 8: policy.Attribute.rule:type_name -> policy.AttributeRuleTypeEnum - 14, // 9: policy.Attribute.values:type_name -> policy.Value - 24, // 10: policy.Attribute.grants:type_name -> policy.KeyAccessServer - 43, // 11: policy.Attribute.active:type_name -> google.protobuf.BoolValue - 10, // 12: policy.Attribute.kas_keys:type_name -> policy.SimpleKasKey - 43, // 13: policy.Attribute.allow_traversal:type_name -> google.protobuf.BoolValue - 42, // 14: policy.Attribute.metadata:type_name -> common.Metadata - 13, // 15: policy.Value.attribute:type_name -> policy.Attribute - 24, // 16: policy.Value.grants:type_name -> policy.KeyAccessServer - 43, // 17: policy.Value.active:type_name -> google.protobuf.BoolValue - 16, // 18: policy.Value.subject_mappings:type_name -> policy.SubjectMapping - 10, // 19: policy.Value.kas_keys:type_name -> policy.SimpleKasKey - 23, // 20: policy.Value.resource_mappings:type_name -> policy.ResourceMapping - 33, // 21: policy.Value.obligations:type_name -> policy.Obligation - 42, // 22: policy.Value.metadata:type_name -> common.Metadata - 8, // 23: policy.Action.standard:type_name -> 
policy.Action.StandardAction - 12, // 24: policy.Action.namespace:type_name -> policy.Namespace - 42, // 25: policy.Action.metadata:type_name -> common.Metadata - 14, // 26: policy.SubjectMapping.attribute_value:type_name -> policy.Value - 20, // 27: policy.SubjectMapping.subject_condition_set:type_name -> policy.SubjectConditionSet - 15, // 28: policy.SubjectMapping.actions:type_name -> policy.Action - 12, // 29: policy.SubjectMapping.namespace:type_name -> policy.Namespace - 42, // 30: policy.SubjectMapping.metadata:type_name -> common.Metadata - 1, // 31: policy.Condition.operator:type_name -> policy.SubjectMappingOperatorEnum - 17, // 32: policy.ConditionGroup.conditions:type_name -> policy.Condition - 2, // 33: policy.ConditionGroup.boolean_operator:type_name -> policy.ConditionBooleanTypeEnum - 18, // 34: policy.SubjectSet.condition_groups:type_name -> policy.ConditionGroup - 12, // 35: policy.SubjectConditionSet.namespace:type_name -> policy.Namespace - 19, // 36: policy.SubjectConditionSet.subject_sets:type_name -> policy.SubjectSet - 42, // 37: policy.SubjectConditionSet.metadata:type_name -> common.Metadata - 42, // 38: policy.ResourceMappingGroup.metadata:type_name -> common.Metadata - 42, // 39: policy.ResourceMapping.metadata:type_name -> common.Metadata - 14, // 40: policy.ResourceMapping.attribute_value:type_name -> policy.Value - 22, // 41: policy.ResourceMapping.group:type_name -> policy.ResourceMappingGroup - 28, // 42: policy.KeyAccessServer.public_key:type_name -> policy.PublicKey - 3, // 43: policy.KeyAccessServer.source_type:type_name -> policy.SourceType - 10, // 44: policy.KeyAccessServer.kas_keys:type_name -> policy.SimpleKasKey - 42, // 45: policy.KeyAccessServer.metadata:type_name -> common.Metadata - 43, // 46: policy.Key.is_active:type_name -> google.protobuf.BoolValue - 43, // 47: policy.Key.was_mapped:type_name -> google.protobuf.BoolValue - 26, // 48: policy.Key.public_key:type_name -> policy.KasPublicKey - 24, // 49: 
policy.Key.kas:type_name -> policy.KeyAccessServer - 42, // 50: policy.Key.metadata:type_name -> common.Metadata - 4, // 51: policy.KasPublicKey.alg:type_name -> policy.KasPublicKeyAlgEnum - 26, // 52: policy.KasPublicKeySet.keys:type_name -> policy.KasPublicKey - 27, // 53: policy.PublicKey.cached:type_name -> policy.KasPublicKeySet - 30, // 54: policy.RegisteredResource.values:type_name -> policy.RegisteredResourceValue - 12, // 55: policy.RegisteredResource.namespace:type_name -> policy.Namespace - 42, // 56: policy.RegisteredResource.metadata:type_name -> common.Metadata - 29, // 57: policy.RegisteredResourceValue.resource:type_name -> policy.RegisteredResource - 41, // 58: policy.RegisteredResourceValue.action_attribute_values:type_name -> policy.RegisteredResourceValue.ActionAttributeValue - 42, // 59: policy.RegisteredResourceValue.metadata:type_name -> common.Metadata - 31, // 60: policy.RequestContext.pep:type_name -> policy.PolicyEnforcementPoint - 12, // 61: policy.Obligation.namespace:type_name -> policy.Namespace - 34, // 62: policy.Obligation.values:type_name -> policy.ObligationValue - 42, // 63: policy.Obligation.metadata:type_name -> common.Metadata - 33, // 64: policy.ObligationValue.obligation:type_name -> policy.Obligation - 35, // 65: policy.ObligationValue.triggers:type_name -> policy.ObligationTrigger - 42, // 66: policy.ObligationValue.metadata:type_name -> common.Metadata - 34, // 67: policy.ObligationTrigger.obligation_value:type_name -> policy.ObligationValue - 15, // 68: policy.ObligationTrigger.action:type_name -> policy.Action - 14, // 69: policy.ObligationTrigger.attribute_value:type_name -> policy.Value - 32, // 70: policy.ObligationTrigger.context:type_name -> policy.RequestContext - 12, // 71: policy.ObligationTrigger.namespace:type_name -> policy.Namespace - 42, // 72: policy.ObligationTrigger.metadata:type_name -> common.Metadata - 39, // 73: policy.KasKey.key:type_name -> policy.AsymmetricKey - 5, // 74: 
policy.AsymmetricKey.key_algorithm:type_name -> policy.Algorithm - 6, // 75: policy.AsymmetricKey.key_status:type_name -> policy.KeyStatus - 7, // 76: policy.AsymmetricKey.key_mode:type_name -> policy.KeyMode - 37, // 77: policy.AsymmetricKey.public_key_ctx:type_name -> policy.PublicKeyCtx - 38, // 78: policy.AsymmetricKey.private_key_ctx:type_name -> policy.PrivateKeyCtx - 11, // 79: policy.AsymmetricKey.provider_config:type_name -> policy.KeyProviderConfig - 42, // 80: policy.AsymmetricKey.metadata:type_name -> common.Metadata - 6, // 81: policy.SymmetricKey.key_status:type_name -> policy.KeyStatus - 7, // 82: policy.SymmetricKey.key_mode:type_name -> policy.KeyMode - 11, // 83: policy.SymmetricKey.provider_config:type_name -> policy.KeyProviderConfig - 42, // 84: policy.SymmetricKey.metadata:type_name -> common.Metadata - 15, // 85: policy.RegisteredResourceValue.ActionAttributeValue.action:type_name -> policy.Action - 14, // 86: policy.RegisteredResourceValue.ActionAttributeValue.attribute_value:type_name -> policy.Value - 42, // 87: policy.RegisteredResourceValue.ActionAttributeValue.metadata:type_name -> common.Metadata - 88, // [88:88] is the sub-list for method output_type - 88, // [88:88] is the sub-list for method input_type - 88, // [88:88] is the sub-list for extension type_name - 88, // [88:88] is the sub-list for extension extendee - 0, // [0:88] is the sub-list for field type_name + 15, // 9: policy.Attribute.values:type_name -> policy.Value + 27, // 10: policy.Attribute.grants:type_name -> policy.KeyAccessServer + 46, // 11: policy.Attribute.active:type_name -> google.protobuf.BoolValue + 11, // 12: policy.Attribute.kas_keys:type_name -> policy.SimpleKasKey + 46, // 13: policy.Attribute.allow_traversal:type_name -> google.protobuf.BoolValue + 45, // 14: policy.Attribute.metadata:type_name -> common.Metadata + 14, // 15: policy.Value.attribute:type_name -> policy.Attribute + 27, // 16: policy.Value.grants:type_name -> policy.KeyAccessServer + 46, // 
17: policy.Value.active:type_name -> google.protobuf.BoolValue + 17, // 18: policy.Value.subject_mappings:type_name -> policy.SubjectMapping + 11, // 19: policy.Value.kas_keys:type_name -> policy.SimpleKasKey + 26, // 20: policy.Value.resource_mappings:type_name -> policy.ResourceMapping + 36, // 21: policy.Value.obligations:type_name -> policy.Obligation + 45, // 22: policy.Value.metadata:type_name -> common.Metadata + 9, // 23: policy.Action.standard:type_name -> policy.Action.StandardAction + 13, // 24: policy.Action.namespace:type_name -> policy.Namespace + 45, // 25: policy.Action.metadata:type_name -> common.Metadata + 15, // 26: policy.SubjectMapping.attribute_value:type_name -> policy.Value + 23, // 27: policy.SubjectMapping.subject_condition_set:type_name -> policy.SubjectConditionSet + 16, // 28: policy.SubjectMapping.actions:type_name -> policy.Action + 13, // 29: policy.SubjectMapping.namespace:type_name -> policy.Namespace + 45, // 30: policy.SubjectMapping.metadata:type_name -> common.Metadata + 3, // 31: policy.DefinitionValueResolver.operator:type_name -> policy.DynamicValueOperatorEnum + 14, // 32: policy.DefinitionValueEntitlementMapping.attribute_definition:type_name -> policy.Attribute + 18, // 33: policy.DefinitionValueEntitlementMapping.value_resolver:type_name -> policy.DefinitionValueResolver + 23, // 34: policy.DefinitionValueEntitlementMapping.subject_condition_set:type_name -> policy.SubjectConditionSet + 16, // 35: policy.DefinitionValueEntitlementMapping.actions:type_name -> policy.Action + 13, // 36: policy.DefinitionValueEntitlementMapping.namespace:type_name -> policy.Namespace + 45, // 37: policy.DefinitionValueEntitlementMapping.metadata:type_name -> common.Metadata + 1, // 38: policy.Condition.operator:type_name -> policy.SubjectMappingOperatorEnum + 20, // 39: policy.ConditionGroup.conditions:type_name -> policy.Condition + 2, // 40: policy.ConditionGroup.boolean_operator:type_name -> policy.ConditionBooleanTypeEnum + 21, // 41: 
policy.SubjectSet.condition_groups:type_name -> policy.ConditionGroup + 13, // 42: policy.SubjectConditionSet.namespace:type_name -> policy.Namespace + 22, // 43: policy.SubjectConditionSet.subject_sets:type_name -> policy.SubjectSet + 45, // 44: policy.SubjectConditionSet.metadata:type_name -> common.Metadata + 45, // 45: policy.ResourceMappingGroup.metadata:type_name -> common.Metadata + 45, // 46: policy.ResourceMapping.metadata:type_name -> common.Metadata + 15, // 47: policy.ResourceMapping.attribute_value:type_name -> policy.Value + 25, // 48: policy.ResourceMapping.group:type_name -> policy.ResourceMappingGroup + 31, // 49: policy.KeyAccessServer.public_key:type_name -> policy.PublicKey + 4, // 50: policy.KeyAccessServer.source_type:type_name -> policy.SourceType + 11, // 51: policy.KeyAccessServer.kas_keys:type_name -> policy.SimpleKasKey + 45, // 52: policy.KeyAccessServer.metadata:type_name -> common.Metadata + 46, // 53: policy.Key.is_active:type_name -> google.protobuf.BoolValue + 46, // 54: policy.Key.was_mapped:type_name -> google.protobuf.BoolValue + 29, // 55: policy.Key.public_key:type_name -> policy.KasPublicKey + 27, // 56: policy.Key.kas:type_name -> policy.KeyAccessServer + 45, // 57: policy.Key.metadata:type_name -> common.Metadata + 5, // 58: policy.KasPublicKey.alg:type_name -> policy.KasPublicKeyAlgEnum + 29, // 59: policy.KasPublicKeySet.keys:type_name -> policy.KasPublicKey + 30, // 60: policy.PublicKey.cached:type_name -> policy.KasPublicKeySet + 33, // 61: policy.RegisteredResource.values:type_name -> policy.RegisteredResourceValue + 13, // 62: policy.RegisteredResource.namespace:type_name -> policy.Namespace + 45, // 63: policy.RegisteredResource.metadata:type_name -> common.Metadata + 32, // 64: policy.RegisteredResourceValue.resource:type_name -> policy.RegisteredResource + 44, // 65: policy.RegisteredResourceValue.action_attribute_values:type_name -> policy.RegisteredResourceValue.ActionAttributeValue + 45, // 66: 
policy.RegisteredResourceValue.metadata:type_name -> common.Metadata + 34, // 67: policy.RequestContext.pep:type_name -> policy.PolicyEnforcementPoint + 13, // 68: policy.Obligation.namespace:type_name -> policy.Namespace + 37, // 69: policy.Obligation.values:type_name -> policy.ObligationValue + 45, // 70: policy.Obligation.metadata:type_name -> common.Metadata + 36, // 71: policy.ObligationValue.obligation:type_name -> policy.Obligation + 38, // 72: policy.ObligationValue.triggers:type_name -> policy.ObligationTrigger + 45, // 73: policy.ObligationValue.metadata:type_name -> common.Metadata + 37, // 74: policy.ObligationTrigger.obligation_value:type_name -> policy.ObligationValue + 16, // 75: policy.ObligationTrigger.action:type_name -> policy.Action + 15, // 76: policy.ObligationTrigger.attribute_value:type_name -> policy.Value + 35, // 77: policy.ObligationTrigger.context:type_name -> policy.RequestContext + 13, // 78: policy.ObligationTrigger.namespace:type_name -> policy.Namespace + 45, // 79: policy.ObligationTrigger.metadata:type_name -> common.Metadata + 42, // 80: policy.KasKey.key:type_name -> policy.AsymmetricKey + 6, // 81: policy.AsymmetricKey.key_algorithm:type_name -> policy.Algorithm + 7, // 82: policy.AsymmetricKey.key_status:type_name -> policy.KeyStatus + 8, // 83: policy.AsymmetricKey.key_mode:type_name -> policy.KeyMode + 40, // 84: policy.AsymmetricKey.public_key_ctx:type_name -> policy.PublicKeyCtx + 41, // 85: policy.AsymmetricKey.private_key_ctx:type_name -> policy.PrivateKeyCtx + 12, // 86: policy.AsymmetricKey.provider_config:type_name -> policy.KeyProviderConfig + 45, // 87: policy.AsymmetricKey.metadata:type_name -> common.Metadata + 7, // 88: policy.SymmetricKey.key_status:type_name -> policy.KeyStatus + 8, // 89: policy.SymmetricKey.key_mode:type_name -> policy.KeyMode + 12, // 90: policy.SymmetricKey.provider_config:type_name -> policy.KeyProviderConfig + 45, // 91: policy.SymmetricKey.metadata:type_name -> common.Metadata + 16, // 
92: policy.RegisteredResourceValue.ActionAttributeValue.action:type_name -> policy.Action + 15, // 93: policy.RegisteredResourceValue.ActionAttributeValue.attribute_value:type_name -> policy.Value + 45, // 94: policy.RegisteredResourceValue.ActionAttributeValue.metadata:type_name -> common.Metadata + 95, // [95:95] is the sub-list for method output_type + 95, // [95:95] is the sub-list for method input_type + 95, // [95:95] is the sub-list for extension type_name + 95, // [95:95] is the sub-list for extension extendee + 0, // [0:95] is the sub-list for field type_name } func init() { file_policy_objects_proto_init() } @@ -4074,7 +4359,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*Condition); i { + switch v := v.(*DefinitionValueResolver); i { case 0: return &v.state case 1: @@ -4086,7 +4371,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ConditionGroup); i { + switch v := v.(*DefinitionValueEntitlementMapping); i { case 0: return &v.state case 1: @@ -4098,7 +4383,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SubjectSet); i { + switch v := v.(*Condition); i { case 0: return &v.state case 1: @@ -4110,7 +4395,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SubjectConditionSet); i { + switch v := v.(*ConditionGroup); i { case 0: return &v.state case 1: @@ -4122,7 +4407,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SubjectProperty); i { + switch v := v.(*SubjectSet); i { case 0: return &v.state case 1: 
@@ -4134,7 +4419,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ResourceMappingGroup); i { + switch v := v.(*SubjectConditionSet); i { case 0: return &v.state case 1: @@ -4146,7 +4431,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ResourceMapping); i { + switch v := v.(*SubjectProperty); i { case 0: return &v.state case 1: @@ -4158,7 +4443,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[15].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*KeyAccessServer); i { + switch v := v.(*ResourceMappingGroup); i { case 0: return &v.state case 1: @@ -4170,7 +4455,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[16].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*Key); i { + switch v := v.(*ResourceMapping); i { case 0: return &v.state case 1: @@ -4182,7 +4467,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[17].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*KasPublicKey); i { + switch v := v.(*KeyAccessServer); i { case 0: return &v.state case 1: @@ -4194,7 +4479,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[18].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*KasPublicKeySet); i { + switch v := v.(*Key); i { case 0: return &v.state case 1: @@ -4206,7 +4491,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[19].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PublicKey); i { + switch v := v.(*KasPublicKey); i { case 0: return &v.state case 1: 
@@ -4218,7 +4503,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[20].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RegisteredResource); i { + switch v := v.(*KasPublicKeySet); i { case 0: return &v.state case 1: @@ -4230,7 +4515,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[21].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RegisteredResourceValue); i { + switch v := v.(*PublicKey); i { case 0: return &v.state case 1: @@ -4242,7 +4527,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[22].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PolicyEnforcementPoint); i { + switch v := v.(*RegisteredResource); i { case 0: return &v.state case 1: @@ -4254,7 +4539,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[23].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RequestContext); i { + switch v := v.(*RegisteredResourceValue); i { case 0: return &v.state case 1: @@ -4266,7 +4551,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[24].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*Obligation); i { + switch v := v.(*PolicyEnforcementPoint); i { case 0: return &v.state case 1: @@ -4278,7 +4563,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[25].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ObligationValue); i { + switch v := v.(*RequestContext); i { case 0: return &v.state case 1: @@ -4290,7 +4575,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[26].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ObligationTrigger); i { + switch v := v.(*Obligation); i { case 0: return &v.state case 1: 
@@ -4302,7 +4587,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[27].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*KasKey); i { + switch v := v.(*ObligationValue); i { case 0: return &v.state case 1: @@ -4314,7 +4599,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[28].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PublicKeyCtx); i { + switch v := v.(*ObligationTrigger); i { case 0: return &v.state case 1: @@ -4326,7 +4611,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[29].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PrivateKeyCtx); i { + switch v := v.(*KasKey); i { case 0: return &v.state case 1: @@ -4338,7 +4623,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[30].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*AsymmetricKey); i { + switch v := v.(*PublicKeyCtx); i { case 0: return &v.state case 1: @@ -4350,7 +4635,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[31].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SymmetricKey); i { + switch v := v.(*PrivateKeyCtx); i { case 0: return &v.state case 1: 
@@ -4362,6 +4647,30 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[32].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*AsymmetricKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_objects_proto_msgTypes[33].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*SymmetricKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_objects_proto_msgTypes[34].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*RegisteredResourceValue_ActionAttributeValue); i { case 0: return &v.state @@ -4378,7 +4687,7 @@ func file_policy_objects_proto_init() { (*Action_Standard)(nil), (*Action_Custom)(nil), } - file_policy_objects_proto_msgTypes[19].OneofWrappers = []interface{}{ + file_policy_objects_proto_msgTypes[21].OneofWrappers = []interface{}{ (*PublicKey_Remote)(nil), (*PublicKey_Cached)(nil), } @@ -4387,8 +4696,8 @@ func file_policy_objects_proto_init() { File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_policy_objects_proto_rawDesc, - NumEnums: 9, - NumMessages: 33, + NumEnums: 10, + NumMessages: 35, NumExtensions: 0, NumServices: 0, }, diff --git a/sdk/codegen/main.go b/sdk/codegen/main.go index f917a9e5fc..457c791c7e 100644 --- a/sdk/codegen/main.go +++ b/sdk/codegen/main.go 
@@ -66,6 +66,10 @@ var clientsToGenerateList = []runner.ClientsToGenerate{
 GrpcClientInterface: "SubjectMappingServiceClient",
 GrpcPackagePath: "github.com/opentdf/platform/protocol/go/policy/subjectmapping",
 },
+ {
+ GrpcClientInterface: "DefinitionValueEntitlementMappingServiceClient",
+ GrpcPackagePath: "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement",
+ },
 {
 GrpcClientInterface: "UnsafeServiceClient",
 GrpcPackagePath: "github.com/opentdf/platform/protocol/go/policy/unsafe",
diff --git a/sdk/sdk.go b/sdk/sdk.go
index fa809e6e12..c31f643e1a 100644
--- a/sdk/sdk.go
+++ b/sdk/sdk.go
@@ -82,23 +82,24 @@ func setPackageLogger(logger *slog.Logger) { type SDK struct { config *kasKeyCache - conn *ConnectRPCConnection - tokenSource auth.AccessTokenSource - Actions sdkconnect.ActionServiceClient - Attributes sdkconnect.AttributesServiceClient - Authorization sdkconnect.AuthorizationServiceClient - AuthorizationV2 sdkconnect.AuthorizationServiceClientV2 - EntityResoution sdkconnect.EntityResolutionServiceClient - EntityResolutionV2 sdkconnect.EntityResolutionServiceClientV2 - KeyAccessServerRegistry sdkconnect.KeyAccessServerRegistryServiceClient - Namespaces sdkconnect.NamespaceServiceClient - Obligations sdkconnect.ObligationsServiceClient - RegisteredResources sdkconnect.RegisteredResourcesServiceClient - ResourceMapping sdkconnect.ResourceMappingServiceClient - SubjectMapping sdkconnect.SubjectMappingServiceClient - Unsafe sdkconnect.UnsafeServiceClient - KeyManagement sdkconnect.KeyManagementServiceClient - wellknownConfiguration sdkconnect.WellKnownServiceClient + conn *ConnectRPCConnection + tokenSource auth.AccessTokenSource + Actions sdkconnect.ActionServiceClient + Attributes sdkconnect.AttributesServiceClient + Authorization sdkconnect.AuthorizationServiceClient + AuthorizationV2 sdkconnect.AuthorizationServiceClientV2 + EntityResoution sdkconnect.EntityResolutionServiceClient + EntityResolutionV2 sdkconnect.EntityResolutionServiceClientV2 + KeyAccessServerRegistry sdkconnect.KeyAccessServerRegistryServiceClient + Namespaces sdkconnect.NamespaceServiceClient + Obligations sdkconnect.ObligationsServiceClient + RegisteredResources sdkconnect.RegisteredResourcesServiceClient + ResourceMapping sdkconnect.ResourceMappingServiceClient + SubjectMapping sdkconnect.SubjectMappingServiceClient + DefinitionValueEntitlementMapping sdkconnect.DefinitionValueEntitlementMappingServiceClient + Unsafe sdkconnect.UnsafeServiceClient + KeyManagement sdkconnect.KeyManagementServiceClient + wellknownConfiguration sdkconnect.WellKnownServiceClient } func 
New(platformEndpoint string, opts ...Option) (*SDK, error) { 
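Review bot: The new exported field `DefinitionValueEntitlementMapping` on the `SDK` struct publishes a client for a feature the commit subject labels a POC, and nothing at the declaration tells an SDK consumer that. An exported field is public API from the first release that carries it, so I would add a comment directly above it, e.g. `// DefinitionValueEntitlementMapping is experimental (DSPX-2754 POC) and may change or be removed without notice.` Since this client presumably manages mappings that grant actions on attribute values, it is also worth confirming that the server-side authorization policy covers the new service before the field ships; that policy is not visible in this diff. The following hunk wires the same client in `New`, which continues outside this view.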
@@ -218,25 +219,26 @@ func New(platformEndpoint string, opts ...Option) (*SDK, error) { } return &SDK{ - config: *cfg, - kasKeyCache: newKasKeyCache(), - conn: &ConnectRPCConnection{Client: platformConn.Client, Endpoint: platformConn.Endpoint, Options: platformConn.Options}, - tokenSource: accessTokenSource, - Actions: sdkconnect.NewActionServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - Attributes: sdkconnect.NewAttributesServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - Namespaces: sdkconnect.NewNamespaceServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - Obligations: sdkconnect.NewObligationsServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - RegisteredResources: sdkconnect.NewRegisteredResourcesServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - ResourceMapping: sdkconnect.NewResourceMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - SubjectMapping: sdkconnect.NewSubjectMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - Unsafe: sdkconnect.NewUnsafeServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - KeyAccessServerRegistry: sdkconnect.NewKeyAccessServerRegistryServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - Authorization: sdkconnect.NewAuthorizationServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - AuthorizationV2: sdkconnect.NewAuthorizationServiceClientV2ConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - EntityResoution: sdkconnect.NewEntityResolutionServiceClientConnectWrapper(ersConn.Client, ersConn.Endpoint, 
ersConn.Options...), - EntityResolutionV2: sdkconnect.NewEntityResolutionServiceClientV2ConnectWrapper(ersConn.Client, ersConn.Endpoint, ersConn.Options...), - KeyManagement: sdkconnect.NewKeyManagementServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - wellknownConfiguration: sdkconnect.NewWellKnownServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + config: *cfg, + kasKeyCache: newKasKeyCache(), + conn: &ConnectRPCConnection{Client: platformConn.Client, Endpoint: platformConn.Endpoint, Options: platformConn.Options}, + tokenSource: accessTokenSource, + Actions: sdkconnect.NewActionServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + Attributes: sdkconnect.NewAttributesServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + Namespaces: sdkconnect.NewNamespaceServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + Obligations: sdkconnect.NewObligationsServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + RegisteredResources: sdkconnect.NewRegisteredResourcesServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + ResourceMapping: sdkconnect.NewResourceMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + SubjectMapping: sdkconnect.NewSubjectMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + DefinitionValueEntitlementMapping: sdkconnect.NewDefinitionValueEntitlementMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + Unsafe: sdkconnect.NewUnsafeServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + KeyAccessServerRegistry: 
sdkconnect.NewKeyAccessServerRegistryServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + Authorization: sdkconnect.NewAuthorizationServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + AuthorizationV2: sdkconnect.NewAuthorizationServiceClientV2ConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + EntityResoution: sdkconnect.NewEntityResolutionServiceClientConnectWrapper(ersConn.Client, ersConn.Endpoint, ersConn.Options...), + EntityResolutionV2: sdkconnect.NewEntityResolutionServiceClientV2ConnectWrapper(ersConn.Client, ersConn.Endpoint, ersConn.Options...), + KeyManagement: sdkconnect.NewKeyManagementServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + wellknownConfiguration: sdkconnect.NewWellKnownServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), }, nil } diff --git a/sdk/sdkconnect/definitionvalueentitlement.go b/sdk/sdkconnect/definitionvalueentitlement.go new file mode 100644 index 0000000000..f52ed58f03 --- /dev/null +++ b/sdk/sdkconnect/definitionvalueentitlement.go 
@@ -0,0 +1,70 @@ +// Wrapper for DefinitionValueEntitlementMappingServiceClient (generated code) DO NOT EDIT +package sdkconnect + +import ( + "connectrpc.com/connect" + "context" + "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement" + "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement/definitionvalueentitlementconnect" +) + +type DefinitionValueEntitlementMappingServiceClientConnectWrapper struct { + definitionvalueentitlementconnect.DefinitionValueEntitlementMappingServiceClient +} + +func NewDefinitionValueEntitlementMappingServiceClientConnectWrapper(httpClient connect.HTTPClient, baseURL string, opts ...connect.ClientOption) *DefinitionValueEntitlementMappingServiceClientConnectWrapper { + return &DefinitionValueEntitlementMappingServiceClientConnectWrapper{DefinitionValueEntitlementMappingServiceClient: definitionvalueentitlementconnect.NewDefinitionValueEntitlementMappingServiceClient(httpClient, baseURL, opts...)} +} + +type DefinitionValueEntitlementMappingServiceClient interface { + ListDefinitionValueEntitlementMappings(ctx context.Context, req *definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest) (*definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse, error) + GetDefinitionValueEntitlementMapping(ctx context.Context, req *definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest) (*definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse, error) + CreateDefinitionValueEntitlementMapping(ctx context.Context, req *definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest) (*definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse, error) + UpdateDefinitionValueEntitlementMapping(ctx context.Context, req *definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest) (*definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse, error) + DeleteDefinitionValueEntitlementMapping(ctx 
context.Context, req *definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest) (*definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse, error) +} + +func (w *DefinitionValueEntitlementMappingServiceClientConnectWrapper) ListDefinitionValueEntitlementMappings(ctx context.Context, req *definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest) (*definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse, error) { + // Wrap Connect RPC client request + res, err := w.DefinitionValueEntitlementMappingServiceClient.ListDefinitionValueEntitlementMappings(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +} + +func (w *DefinitionValueEntitlementMappingServiceClientConnectWrapper) GetDefinitionValueEntitlementMapping(ctx context.Context, req *definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest) (*definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse, error) { + // Wrap Connect RPC client request + res, err := w.DefinitionValueEntitlementMappingServiceClient.GetDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +} + +func (w *DefinitionValueEntitlementMappingServiceClientConnectWrapper) CreateDefinitionValueEntitlementMapping(ctx context.Context, req *definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest) (*definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse, error) { + // Wrap Connect RPC client request + res, err := w.DefinitionValueEntitlementMappingServiceClient.CreateDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +} + +func (w *DefinitionValueEntitlementMappingServiceClientConnectWrapper) UpdateDefinitionValueEntitlementMapping(ctx context.Context, req *definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest) 
(*definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse, error) { + // Wrap Connect RPC client request + res, err := w.DefinitionValueEntitlementMappingServiceClient.UpdateDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +} + +func (w *DefinitionValueEntitlementMappingServiceClientConnectWrapper) DeleteDefinitionValueEntitlementMapping(ctx context.Context, req *definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest) (*definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse, error) { + // Wrap Connect RPC client request + res, err := w.DefinitionValueEntitlementMappingServiceClient.DeleteDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +} diff --git a/service/authorization/v2/cache.go b/service/authorization/v2/cache.go index 57db585676..d028309d5f 100644 --- a/service/authorization/v2/cache.go +++ b/service/authorization/v2/cache.go @@ -14,10 +14,11 @@ import ( ) const ( - attributesCacheKey = "attributes_cache_key" - subjectMappingsCacheKey = "subject_mappings_cache_key" - registeredResourcesCacheKey = "registered_resources_cache_key" - obligationsCacheKey = "obligations_cache_key" + attributesCacheKey = "attributes_cache_key" + subjectMappingsCacheKey = "subject_mappings_cache_key" + definitionValueEntitlementMappingsCacheKey = "definition_value_entitlement_mappings_cache_key" + registeredResourcesCacheKey = "registered_resources_cache_key" + obligationsCacheKey = "obligations_cache_key" ) var ( 
@@ -60,10 +61,11 @@ type EntitlementPolicyCache struct { // The EntitlementPolicy struct holds all the cached entitlement policy, as generics allow one // data type per service cache instance. type EntitlementPolicy struct { - Attributes []*policy.Attribute - SubjectMappings []*policy.SubjectMapping - RegisteredResources []*policy.RegisteredResource - Obligations []*policy.Obligation + Attributes []*policy.Attribute + SubjectMappings []*policy.SubjectMapping + DefinitionValueEntitlementMappings []*policy.DefinitionValueEntitlementMapping + RegisteredResources []*policy.RegisteredResource + Obligations []*policy.Obligation } // NewEntitlementPolicyCache holds a platform-provided cache client and manages a periodic refresh of @@ -178,6 +180,10 @@ func (c *EntitlementPolicyCache) Refresh(ctx context.Context) error { if err != nil { return err } + definitionValueEntitlementMappings, err := c.retriever.ListAllDefinitionValueEntitlementMappings(ctx) + if err != nil { + return err + } registeredResources, err := c.retriever.ListAllRegisteredResources(ctx) if err != nil { return err @@ -200,6 +206,12 @@ func (c *EntitlementPolicyCache) Refresh(ctx context.Context) error { return errors.Join(ErrFailedToSet, err) } + err = c.cacheClient.Set(ctx, definitionValueEntitlementMappingsCacheKey, definitionValueEntitlementMappings, authzCacheTags) + if err != nil { + c.isCacheFilled = false + return errors.Join(ErrFailedToSet, err) + } + err = c.cacheClient.Set(ctx, registeredResourcesCacheKey, registeredResources, authzCacheTags) if err != nil { c.isCacheFilled = false 
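Review bot: In the `@@ -200,6 +206,12 @@` hunk of Refresh, a failed Set for `definitionValueEntitlementMappingsCacheKey` returns after the earlier keys have already been overwritten, so the cache can hold refreshed policy next to stale or absent dynamic mappings. The hunk follows the existing per-key pattern and resets `c.isCacheFilled`, but what that flag gates is not visible here; if readers do not check it, an authorization decision could be computed from a mixed policy snapshot. Either confirm that readers refuse to serve while `isCacheFilled` is false, or record the limitation above the new Set with a comment such as `// keys are written one at a time; a failure here leaves earlier keys refreshed and this one stale`. Refresh starts and ends outside the hunk.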
@@ -270,6 +282,28 @@ func (c *EntitlementPolicyCache) ListAllSubjectMappings(ctx context.Context) ([] return subjectMappings, nil } +// ListAllDefinitionValueEntitlementMappings returns the cached dynamic value entitlement mappings, or none on a cache miss +func (c *EntitlementPolicyCache) ListAllDefinitionValueEntitlementMappings(ctx context.Context) ([]*policy.DefinitionValueEntitlementMapping, error) { + var ( + mappings []*policy.DefinitionValueEntitlementMapping + ok bool + ) + + cached, err := c.cacheClient.Get(ctx, definitionValueEntitlementMappingsCacheKey) + if err != nil { + if errors.Is(err, cache.ErrCacheMiss) { + return mappings, nil + } + return nil, fmt.Errorf("%w, definition value entitlement mappings: %w", ErrFailedToGet, err) + } + + mappings, ok = cached.([]*policy.DefinitionValueEntitlementMapping) + if !ok { + return nil, fmt.Errorf("%w: %T", ErrCachedTypeNotExpected, mappings) + } + return mappings, nil +} + // ListAllRegisteredResources returns the cached registered resources, or none in the event of a cache miss func (c *EntitlementPolicyCache) ListAllRegisteredResources(ctx context.Context) ([]*policy.RegisteredResource, error) { var ( diff --git a/service/internal/access/v2/dynamicentitlement/attribute_rule.go b/service/internal/access/v2/dynamicentitlement/attribute_rule.go deleted file mode 100644 index d0b4ffabff..0000000000 --- a/service/internal/access/v2/dynamicentitlement/attribute_rule.go +++ /dev/null 
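Review bot: The type-assertion failure path in ListAllDefinitionValueEntitlementMappings formats `%T` with `mappings`, which at that point is the zero value of the expected slice type, so the error names the type that was wanted rather than the type actually found in the cache. `return nil, fmt.Errorf("%w: %T", ErrCachedTypeNotExpected, cached)` reports the real one. The doc comment should also say that a cache miss returns a nil slice with a nil error, so a caller cannot tell "not cached yet" from "no dynamic mappings defined" and would evaluate as if none exist. The whole function is inside this hunk.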
@@ -1,86 +0,0 @@
-package dynamicentitlement
-
-import (
- "fmt"
- "strings"
-
- "github.com/opentdf/platform/lib/flattening"
- "github.com/opentdf/platform/protocol/go/policy"
-)
-
-// AttributeRule mirrors the conceptual attribute-definition rule set
-// (policy.AttributeRuleTypeEnum: ANY_OF / ALL_OF / HIERARCHY) extended with RuleDynamic
-// for Option C, "a different attribute rule".
-//
-// A definition marked RuleDynamic entitles its values by selector match rather than by
-// static per-value subject mappings. RuleAnyOf / RuleAllOf / RuleHierarchy are also
-// modeled here because the driver needs a combination rule when a single resource
-// carries multiple values under one definition (see entitle.go Decide).
-type AttributeRule int
-
-const (
- RuleUnspecified AttributeRule = iota
- RuleAnyOf
- RuleAllOf
- RuleHierarchy
- RuleDynamic
-)
-
-func (r AttributeRule) String() string {
- switch r {
- case RuleAnyOf:
- return "ANY_OF"
- case RuleAllOf:
- return "ALL_OF"
- case RuleHierarchy:
- return "HIERARCHY"
- case RuleDynamic:
- return "DYNAMIC"
- case RuleUnspecified:
- return "UNSPECIFIED"
- default:
- return fmt.Sprintf("AttributeRule(%d)", int(r))
- }
-}
-
-// DynamicRuleDefinition is Option C. Rather than a separate mapping object, the
-// AttributeDefinition itself carries the dynamic intent (Rule == RuleDynamic) plus the
-// selector/operator/actions inline.
-//
-// Modeling dynamic as a rule VALUE surfaces a structural tension captured in ADR 0005:
-// the rule slot already encodes how multiple values on one definition COMBINE
-// (ANY_OF / ALL_OF / HIERARCHY). Spending that slot on RuleDynamic — which describes how
-// values are ENTITLED — conflates two orthogonal axes, so a dynamic definition can no
-// longer also state its combination semantics. Here, RuleDynamic combines as ANY_OF by
-// default (see Decide).
-type DynamicRuleDefinition struct {
- AttributeDefinitionFQN string
- Rule AttributeRule // expected RuleDynamic
- Selector string
- Operator DynamicOperator
- Actions []*policy.Action
- Canonicalizer Canonicalizer
-}
-
-var _ Mapping = (*DynamicRuleDefinition)(nil)
-
-// DefinitionFQN implements Mapping.
-func (d *DynamicRuleDefinition) DefinitionFQN() string {
- return strings.ToLower(d.AttributeDefinitionFQN)
-}
-
-// EntitledActions implements Mapping. It only entitles when the definition is actually
-// marked RuleDynamic, demonstrating that the rule value gates the behavior.
-func (d *DynamicRuleDefinition) EntitledActions(entity flattening.Flattened, segment string) ([]*policy.Action, error) {
- if d.Rule != RuleDynamic {
- return nil, nil
- }
- matched, err := evaluateDynamicMatch(d.Operator, entity, d.Selector, segment, d.Canonicalizer)
- if err != nil {
- return nil, err
- }
- if !matched {
- return nil, nil
- }
- return d.Actions, nil
-}
diff --git a/service/internal/access/v2/dynamicentitlement/core.go b/service/internal/access/v2/dynamicentitlement/core.go
deleted file mode 100644
index a86e5f2483..0000000000
--- a/service/internal/access/v2/dynamicentitlement/core.go
+++ /dev/null
@@ -1,150 +0,0 @@
-package dynamicentitlement
-
-import (
- "errors"
- "fmt"
- "strings"
-
- "github.com/opentdf/platform/lib/flattening"
- "github.com/opentdf/platform/lib/identifier"
-)
-
-// DynamicOperator enumerates the comparison semantics for dynamic, definition-level
-// entitlement. Unlike policy.SubjectMappingOperatorEnum — whose right-hand operand is a
-// STATIC list authored into policy (policy.Condition.subject_external_values) — a
-// DynamicOperator's right-hand operand is supplied at decision time from the resource's
-// attribute value segment. Each value below is the inversion of its static counterpart.
-type DynamicOperator int
-
-const (
- // OperatorUnspecified is the zero value and is always an error to evaluate.
- OperatorUnspecified DynamicOperator = iota
- // ResourceValueIn is true when the resource value segment exactly matches one of the
- // values produced by resolving the selector against the entity representation. It is
- // the inversion of SUBJECT_MAPPING_OPERATOR_ENUM_IN.
- ResourceValueIn
- // ResourceValueInContains is true when any selector-resolved entity value contains
- // the resource value segment as a substring. It is the inversion of
- // SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS.
- ResourceValueInContains
-)
-
-func (o DynamicOperator) String() string {
- switch o {
- case ResourceValueIn:
- return "RESOURCE_VALUE_IN"
- case ResourceValueInContains:
- return "RESOURCE_VALUE_IN_CONTAINS"
- case OperatorUnspecified:
- return "UNSPECIFIED"
- default:
- return fmt.Sprintf("DynamicOperator(%d)", int(o))
- }
-}
-
-// Canonicalizer normalizes a single identifier token prior to comparison. External
-// systems (EHRs, IdPs) frequently disagree with policy on case and surrounding
-// whitespace; without a canonicalization step the same logical ID fails to match. This
-// is the normalization/canonicalization concern raised by @biscoe916 on ADR#266. The
-// default lowercases and trims; deployments needing more (e.g. Unicode NFC folding)
-// supply their own.
-type Canonicalizer func(string) string
-
-// DefaultCanonicalizer lowercases and trims surrounding whitespace. It matches the
-// case-insensitivity that lib/identifier already applies to FQNs (identifier.Parse
-// lowercases), so the resource side and entity side land in the same space.
-func DefaultCanonicalizer(s string) string {
- return strings.ToLower(strings.TrimSpace(s))
-}
-
-// fqnAmbiguousChars are characters that must never appear in an attribute value segment
-// because they collide with FQN structure or URL encoding (raised by @jentfoo on
-// ADR#266). Even if the value character set is loosened for dynamic values — e.g. to
-// admit '@' for email-like identifiers — these remain forbidden as the safety floor.
-const fqnAmbiguousChars = "/.%\x00"
-
-// maxASCII is the highest ASCII code point; runes above it are rejected in value
-// segments to avoid Unicode confusables and normalization hazards.
-const maxASCII = 127
-
-var (
- // ErrUnspecifiedOperator indicates a mapping was evaluated with the zero operator.
- ErrUnspecifiedOperator = errors.New("dynamicentitlement: unspecified dynamic operator")
- // ErrUnsupportedOperator indicates an operator value with no evaluation semantics.
- ErrUnsupportedOperator = errors.New("dynamicentitlement: unsupported dynamic operator")
- // ErrAmbiguousValueSegment indicates a value segment contains characters that are
- // unsafe in an attribute value FQN.
- ErrAmbiguousValueSegment = errors.New("dynamicentitlement: attribute value segment contains FQN-ambiguous characters")
- // ErrNotValueFQN indicates an FQN that is not a concrete attribute value FQN.
- ErrNotValueFQN = errors.New("dynamicentitlement: not a value FQN")
-)
-
-// parseResourceValue splits a concrete attribute value FQN into its parent definition
-// FQN and the value segment, reusing lib/identifier so the spike inherits the exact FQN
-// grammar (and character-set validation) used by policy today. Both returned strings are
-// lowercased, matching identifier.Parse behavior.
-func parseResourceValue(valueFQN string) (string, string, error) {
- parsed, err := identifier.Parse[*identifier.FullyQualifiedAttribute](valueFQN)
- if err != nil {
- return "", "", fmt.Errorf("parsing resource value FQN %q: %w", valueFQN, err)
- }
- if parsed.Value == "" {
- return "", "", fmt.Errorf("%w: %q", ErrNotValueFQN, valueFQN)
- }
- def := &identifier.FullyQualifiedAttribute{Namespace: parsed.Namespace, Name: parsed.Name}
- return def.FQN(), parsed.Value, nil
-}
-
-// validateValueSegment is the reusable safety floor for a value segment. lib/identifier
-// already enforces a strict alphanumeric+[-_] set today; this function expresses the
-// minimum that must survive ANY future loosening of that set (e.g. to support emails or
-// dotted IDs): reject FQN-structural characters, percent-encoding, NUL, and non-ASCII.
-func validateValueSegment(segment string) error {
- if segment == "" {
- return fmt.Errorf("%w: empty segment", ErrAmbiguousValueSegment)
- }
- if strings.ContainsAny(segment, fqnAmbiguousChars) {
- return fmt.Errorf("%w: %q", ErrAmbiguousValueSegment, segment)
- }
- for _, r := range segment {
- if r > maxASCII {
- return fmt.Errorf("%w: non-ASCII rune in %q", ErrAmbiguousValueSegment, segment)
- }
- }
- return nil
-}
-
-// evaluateDynamicMatch reports whether resourceSegment is entitled given the values
-// produced by resolving selector against the (already flattened) entity, under the
-// supplied operator. canon is applied to both sides before comparison; a nil canon falls
-// back to DefaultCanonicalizer.
-//
-// This is the single shared mechanic every option in the spike depends on.
-func evaluateDynamicMatch(op DynamicOperator, entity flattening.Flattened, selector, resourceSegment string, canon Canonicalizer) (bool, error) {
- if canon == nil {
- canon = DefaultCanonicalizer
- }
- entityValues := flattening.GetFromFlattened(entity, selector)
- target := canon(resourceSegment)
-
- switch op {
- case ResourceValueIn:
- for _, ev := range entityValues {
- if canon(fmt.Sprintf("%v", ev)) == target {
- return true, nil
- }
- }
- return false, nil
- case ResourceValueInContains:
- for _, ev := range entityValues {
- if strings.Contains(canon(fmt.Sprintf("%v", ev)), target) {
- return true, nil
- }
- }
- return false, nil
- case OperatorUnspecified:
- return false, ErrUnspecifiedOperator
- default:
- return false, fmt.Errorf("%w: %s", ErrUnsupportedOperator, op)
- }
-}
diff --git a/service/internal/access/v2/dynamicentitlement/core_test.go b/service/internal/access/v2/dynamicentitlement/core_test.go
deleted file mode 100644
index 581012d897..0000000000
--- a/service/internal/access/v2/dynamicentitlement/core_test.go
+++ /dev/null
@@ -1,106 +0,0 @@ -package dynamicentitlement - -import ( - "testing" - - "github.com/opentdf/platform/lib/flattening" - "github.com/opentdf/platform/protocol/go/entityresolution" - "github.com/opentdf/platform/protocol/go/policy" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - "google.golang.org/protobuf/types/known/structpb" -) - -// --- shared test helpers --- - -func entityRep(t *testing.T, props map[string]interface{}) *entityresolution.EntityRepresentation { - t.Helper() - s, err := structpb.NewStruct(props) - require.NoError(t, err) - return &entityresolution.EntityRepresentation{ - OriginalId: "entity-1", - AdditionalProps: []*structpb.Struct{s}, - } -} - -func actions(names ...string) []*policy.Action { - out := make([]*policy.Action, 0, len(names)) - for _, n := range names { - out = append(out, &policy.Action{Name: n}) - } - return out -} - -func actionNames(acts []*policy.Action) []string { - out := make([]string, 0, len(acts)) - for _, a := range acts { - out = append(out, a.GetName()) - } - return out -} - -// --- core mechanic tests --- - -func TestParseResourceValue(t *testing.T) { - def, seg, err := parseResourceValue("https://hospital.co/attr/mrn/value/mrn-123") - require.NoError(t, err) - assert.Equal(t, "https://hospital.co/attr/mrn", def) - assert.Equal(t, "mrn-123", seg) - - // case is normalized to lowercase, matching lib/identifier behavior - def, seg, err = parseResourceValue("https://hospital.co/attr/MRN/value/MRN-123") - require.NoError(t, err) - assert.Equal(t, "https://hospital.co/attr/mrn", def) - assert.Equal(t, "mrn-123", seg) - - // a definition FQN (no /value/) is not a value FQN - _, _, err = parseResourceValue("https://hospital.co/attr/mrn") - require.ErrorIs(t, err, ErrNotValueFQN) - - // an email-like value is rejected by the current (strict) identifier character set — - // a finding: today's value grammar cannot represent emails/dotted IDs. 
- _, _, err = parseResourceValue("https://acme.co/attr/owner/value/user@acme.co") - require.Error(t, err) -} - -func TestValidateValueSegment(t *testing.T) { - for _, s := range []string{"mrn-123", "abc", "a_b-c", "123", "acct-42"} { - require.NoError(t, validateValueSegment(s), s) - } - // FQN-structural chars, percent-encoding, NUL, and non-ASCII are always forbidden. - for _, s := range []string{"", "a/b", "a.b", "a%2Fb", "a\x00b", "naïve"} { - require.ErrorIs(t, validateValueSegment(s), ErrAmbiguousValueSegment, s) - } -} - -func TestEvaluateDynamicMatchOperatorErrors(t *testing.T) { - f, err := flattening.Flatten(map[string]interface{}{"a": "b"}) - require.NoError(t, err) - - _, err = evaluateDynamicMatch(OperatorUnspecified, f, ".a", "b", nil) - require.ErrorIs(t, err, ErrUnspecifiedOperator) - - _, err = evaluateDynamicMatch(DynamicOperator(99), f, ".a", "b", nil) - require.ErrorIs(t, err, ErrUnsupportedOperator) -} - -func TestEvaluateDynamicMatchSemantics(t *testing.T) { - f, err := flattening.Flatten(map[string]interface{}{ - "scalar": "mrn-123", - "list": []interface{}{"a", "prefix-team-suffix"}, - }) - require.NoError(t, err) - - got, err := evaluateDynamicMatch(ResourceValueIn, f, ".scalar", "mrn-123", nil) - require.NoError(t, err) - assert.True(t, got) - - got, err = evaluateDynamicMatch(ResourceValueIn, f, ".scalar", "mrn-999", nil) - require.NoError(t, err) - assert.False(t, got) - - // substring semantics: "team" is contained in "prefix-team-suffix" - got, err = evaluateDynamicMatch(ResourceValueInContains, f, ".list[]", "team", nil) - require.NoError(t, err) - assert.True(t, got) -} diff --git a/service/internal/access/v2/dynamicentitlement/doc.go b/service/internal/access/v2/dynamicentitlement/doc.go deleted file mode 100644 index cae87fb9d2..0000000000 --- a/service/internal/access/v2/dynamicentitlement/doc.go +++ /dev/null 
@@ -1,44 +0,0 @@ -// Package dynamicentitlement is a SPIKE / proof-of-concept for entitling dynamic -// attribute values at the AttributeDefinition level, exploring DSPX-2754. -// -// It is NOT wired into any live decision path. It exists to evaluate, with working -// code and tests, the options the architecture team deferred to an implementation -// spike in the dynamic-attribute-value ADR (virtru-corp/adr#266): -// -// - reuse the existing SubjectMapping / SubjectConditionSet primitive, -// - introduce a new primitive (DefinitionValueEntitlementMapping), -// - introduce a new attribute rule, or -// - introduce a new comparison operator. -// -// # The problem -// -// Today, entitling a highly dynamic / high-cardinality value (medical record numbers, -// account IDs, emails) means duplicating every value as an AttributeValue plus a -// per-value SubjectMapping + SubjectConditionSet, kept constantly in sync with an -// external system of record. The ADR proposes raising the condition-set authority up -// to the AttributeDefinition so one mapping (selector + operator + actions) resolves -// entitlement to concrete value FQNs dynamically. -// -// # The shared mechanic -// -// Existing condition evaluation compares an entity's selector result against a STATIC -// list authored into policy (policy.Condition.subject_external_values; see -// subjectmappingbuiltin.EvaluateCondition). The dynamic case INVERTS this: the -// right-hand operand is the resource's value segment (e.g. "mrn-123" parsed from -// .../value/mrn-123), known only at decision time, tested for membership in the -// entity's selector-resolved set (e.g. .patientAssignments -> ["mrn-123","mrn-789"]). -// -// All four options share that one comparison (see core.go). They differ only in their -// container, schema, and admin UX. 
This package implements the comparison once and -// wraps it three ways (reuse_subjectmapping.go, new_primitive.go, attribute_rule.go), -// driven by a common entitlement/decision driver (entitle.go), so the trade-offs can -// be compared on real behavior rather than prose. -// -// Findings are summarized in service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md. -// -// # Out of scope -// -// No proto, codegen, database, sqlc, service-handler, or PDP changes — the ADR states -// primitive names and schema are still subject to change, so persistence/wire plumbing -// would be premature churn. POC-only Go types stand in for would-be proto additions. -package dynamicentitlement diff --git a/service/internal/access/v2/dynamicentitlement/entitle.go b/service/internal/access/v2/dynamicentitlement/entitle.go deleted file mode 100644 index 1461a52a3d..0000000000 --- a/service/internal/access/v2/dynamicentitlement/entitle.go +++ /dev/null 
@@ -1,181 +0,0 @@ -package dynamicentitlement - -import ( - "errors" - "fmt" - "sort" - "strings" - - "github.com/opentdf/platform/lib/flattening" - "github.com/opentdf/platform/protocol/go/entityresolution" - "github.com/opentdf/platform/protocol/go/policy" -) - -// Mapping is the common behavior shared by all three option shapes -// (DefinitionScopedSubjectMapping, DefinitionValueEntitlementMapping, -// DynamicRuleDefinition). Implementing one interface across all three lets the driver -// and the tests treat them uniformly, which is what makes the options directly -// comparable. -type Mapping interface { - // DefinitionFQN returns the lowercased parent attribute definition FQN the mapping - // is scoped to. - DefinitionFQN() string - // EntitledActions returns the actions entitled on a resource value segment for a - // single flattened entity representation, or nil when there is no match. - EntitledActions(entity flattening.Flattened, segment string) ([]*policy.Action, error) -} - -var ( - // ErrHierarchyUnsupported indicates dynamic entitlement was requested for a - // HIERARCHY definition, which requires statically ordered values. - ErrHierarchyUnsupported = errors.New("dynamicentitlement: HIERARCHY rule is incompatible with dynamic value entitlement") - // ErrCoexistence indicates a definition has both a value-level (static) subject - // mapping and a dynamic mapping, which the ADR forbids. - ErrCoexistence = errors.New("dynamicentitlement: a definition cannot have both a value-level subject mapping and a dynamic mapping") -) - -// Entitle resolves the set of actions entitled to an entity on a single concrete -// resource value FQN, across all supplied dynamic mappings scoped to that value's parent -// definition. Mappings scoped to other definitions are ignored, which keeps entitlement -// from leaking across definitions/namespaces that happen to share a value segment -// (the pass-through-value collision concern raised by @jakedoublev). 
-func Entitle(mappings []Mapping, entityRep *entityresolution.EntityRepresentation, resourceValueFQN string) ([]*policy.Action, error) { - defFQN, segment, err := parseResourceValue(resourceValueFQN) - if err != nil { - return nil, err - } - if err := validateValueSegment(segment); err != nil { - return nil, err - } - - flats, err := flattenEntity(entityRep) - if err != nil { - return nil, err - } - - actionsByName := map[string]*policy.Action{} - for _, m := range mappings { - if !strings.EqualFold(m.DefinitionFQN(), defFQN) { - continue - } - for _, flat := range flats { - acts, err := m.EntitledActions(flat, segment) - if err != nil { - return nil, err - } - for _, a := range acts { - actionsByName[strings.ToLower(a.GetName())] = a - } - } - } - return sortedActions(actionsByName), nil -} - -// Decide applies a definition's combination rule across one or more concrete resource -// value FQNs under a single definition and reports whether action is granted. It mirrors -// the production PDP rules in service/internal/access/v2/evaluate.go (anyOfRule / -// allOfRule) so the spike exercises multi-value resources (ADR decision-flow step 6). -// -// RuleDynamic combines as ANY_OF (see the conflation note on DynamicRuleDefinition). -// RuleHierarchy is rejected outright. 
-func Decide(mappings []Mapping, entityRep *entityresolution.EntityRepresentation, rule AttributeRule, action string, resourceValueFQNs []string) (bool, error) { - if len(resourceValueFQNs) == 0 { - return false, nil - } - - switch rule { - case RuleAnyOf, RuleDynamic: - for _, fqn := range resourceValueFQNs { - ok, err := actionEntitled(mappings, entityRep, action, fqn) - if err != nil { - return false, err - } - if ok { - return true, nil - } - } - return false, nil - case RuleAllOf: - for _, fqn := range resourceValueFQNs { - ok, err := actionEntitled(mappings, entityRep, action, fqn) - if err != nil { - return false, err - } - if !ok { - return false, nil - } - } - return true, nil - case RuleHierarchy: - return false, ErrHierarchyUnsupported - case RuleUnspecified: - return false, errors.New("dynamicentitlement: unspecified rule") - default: - return false, fmt.Errorf("dynamicentitlement: unsupported rule: %s", rule) - } -} - -func actionEntitled(mappings []Mapping, entityRep *entityresolution.EntityRepresentation, action, resourceValueFQN string) (bool, error) { - acts, err := Entitle(mappings, entityRep, resourceValueFQN) - if err != nil { - return false, err - } - for _, a := range acts { - if strings.EqualFold(a.GetName(), action) { - return true, nil - } - } - return false, nil -} - -// ValidateNoCoexistence enforces the ADR's API rule that a definition cannot carry both -// a value-level (static) subject mapping and a dynamic mapping. A real implementation -// would enforce this in the policy service CRUD layer; here it is a standalone check so -// the rule can be exercised by tests. 
-func ValidateNoCoexistence(definitionFQN string, hasValueLevelSubjectMapping bool, dynamicMappings []Mapping) error { - if !hasValueLevelSubjectMapping { - return nil - } - for _, m := range dynamicMappings { - if strings.EqualFold(m.DefinitionFQN(), strings.ToLower(definitionFQN)) { - return fmt.Errorf("%w: %s", ErrCoexistence, strings.ToLower(definitionFQN)) - } - } - return nil -} - -// ValidateRule rejects rules that are incompatible with dynamic value entitlement. -func ValidateRule(rule AttributeRule) error { - if rule == RuleHierarchy { - return ErrHierarchyUnsupported - } - return nil -} - -func flattenEntity(er *entityresolution.EntityRepresentation) ([]flattening.Flattened, error) { - var out []flattening.Flattened - for _, props := range er.GetAdditionalProps() { - f, err := flattening.Flatten(props.AsMap()) - if err != nil { - return nil, fmt.Errorf("flattening entity representation: %w", err) - } - out = append(out, f) - } - return out, nil -} - -func sortedActions(byName map[string]*policy.Action) []*policy.Action { - if len(byName) == 0 { - return nil - } - names := make([]string, 0, len(byName)) - for n := range byName { - names = append(names, n) - } - sort.Strings(names) - out := make([]*policy.Action, 0, len(names)) - for _, n := range names { - out = append(out, byName[n]) - } - return out -} diff --git a/service/internal/access/v2/dynamicentitlement/entitle_test.go b/service/internal/access/v2/dynamicentitlement/entitle_test.go deleted file mode 100644 index 8903de3306..0000000000 --- a/service/internal/access/v2/dynamicentitlement/entitle_test.go +++ /dev/null 
@@ -1,102 +0,0 @@ -package dynamicentitlement - -import ( - "testing" - - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" -) - -// TestCrossDefinitionNoLeak verifies entitlement is scoped to the value's parent -// definition: the same pass-through segment under a different definition is NOT granted. -// This is the cross-definition/namespace collision concern raised by @jakedoublev. -func TestCrossDefinitionNoLeak(t *testing.T) { - er := entityRep(t, map[string]interface{}{"assignments": []interface{}{"shared-1"}}) - mA := &DefinitionValueEntitlementMapping{ - AttributeDefinitionFQN: "https://a.co/attr/x", - Selector: ".assignments[]", - Operator: ResourceValueIn, - Actions: actions("read"), - } - - got, err := Entitle([]Mapping{mA}, er, "https://a.co/attr/x/value/shared-1") - require.NoError(t, err) - assert.Equal(t, []string{"read"}, actionNames(got)) - - // same value segment, different definition -> no entitlement (no leak) - got, err = Entitle([]Mapping{mA}, er, "https://b.co/attr/y/value/shared-1") - require.NoError(t, err) - assert.Empty(t, got) -} - -// TestDecideMultiValue exercises a single resource carrying multiple values under one -// definition (ADR decision-flow step 6), across the ANY_OF / ALL_OF combination rules. 
-func TestDecideMultiValue(t *testing.T) { - const def = "https://hospital.co/attr/mrn" - er := entityRep(t, map[string]interface{}{"patientAssignments": []interface{}{"mrn-123"}}) - m := &DefinitionValueEntitlementMapping{ - AttributeDefinitionFQN: def, Selector: ".patientAssignments[]", - Operator: ResourceValueIn, Actions: actions("read"), - } - values := []string{def + "/value/mrn-123", def + "/value/mrn-999"} // entity has only mrn-123 - - anyOf, err := Decide([]Mapping{m}, er, RuleAnyOf, "read", values) - require.NoError(t, err) - assert.True(t, anyOf, "ANY_OF: one matched value suffices") - - allOf, err := Decide([]Mapping{m}, er, RuleAllOf, "read", values) - require.NoError(t, err) - assert.False(t, allOf, "ALL_OF: mrn-999 is not entitled") - - dynamic, err := Decide([]Mapping{m}, er, RuleDynamic, "read", values) - require.NoError(t, err) - assert.True(t, dynamic, "RuleDynamic combines as ANY_OF by default") - - _, err = Decide([]Mapping{m}, er, RuleHierarchy, "read", values) - require.ErrorIs(t, err, ErrHierarchyUnsupported) -} - -// TestValidators covers the two API-enforcement findings: no coexistence with -// value-level subject mappings, and HIERARCHY rejection. -func TestValidators(t *testing.T) { - const def = "https://hospital.co/attr/mrn" - m := &DefinitionValueEntitlementMapping{AttributeDefinitionFQN: def, Selector: ".x", Operator: ResourceValueIn} - - require.ErrorIs(t, ValidateNoCoexistence(def, true, []Mapping{m}), ErrCoexistence) - require.NoError(t, ValidateNoCoexistence(def, false, []Mapping{m})) - require.NoError(t, ValidateNoCoexistence("https://other.co/attr/z", true, []Mapping{m})) - - require.ErrorIs(t, ValidateRule(RuleHierarchy), ErrHierarchyUnsupported) - require.NoError(t, ValidateRule(RuleAnyOf)) -} - -// TestEntitleRejectsBadResourceFQN ensures a non-value or character-unsafe FQN is -// rejected before evaluation. 
-func TestEntitleRejectsBadResourceFQN(t *testing.T) { - er := entityRep(t, map[string]interface{}{"a": "b"}) - - _, err := Entitle(nil, er, "https://acme.co/attr/owner/value/user@acme.co") - require.Error(t, err) - - _, err = Entitle(nil, er, "https://acme.co/attr/owner") // not a value FQN - require.ErrorIs(t, err, ErrNotValueFQN) -} - -// TestDirectEntitlementOverlap demonstrates the migration story (@biscoe916 Q1): a -// direct entitlement is effectively a (value FQN, actions) pair sourced from ERS at -// decision time. The dynamic mapping reproduces the identical grant from a single -// policy artifact, without per-value records. -func TestDirectEntitlementOverlap(t *testing.T) { - const def = "https://acme.co/attr/account" - const valueFQN = def + "/value/acct-42" - er := entityRep(t, map[string]interface{}{"accounts": []interface{}{"acct-42"}}) - - m := &DefinitionValueEntitlementMapping{ - AttributeDefinitionFQN: def, Selector: ".accounts[]", - Operator: ResourceValueIn, Actions: actions("read"), - } - got, err := Entitle([]Mapping{m}, er, valueFQN) - require.NoError(t, err) - // equivalent to a direct entitlement record {attribute_value_fqn: valueFQN, actions:[read]} - assert.Equal(t, []string{"read"}, actionNames(got)) -} diff --git a/service/internal/access/v2/dynamicentitlement/new_primitive.go b/service/internal/access/v2/dynamicentitlement/new_primitive.go deleted file mode 100644 index 99005f9336..0000000000 --- a/service/internal/access/v2/dynamicentitlement/new_primitive.go +++ /dev/null 
@@ -1,53 +0,0 @@ -package dynamicentitlement - -import ( - "strings" - - "github.com/opentdf/platform/lib/flattening" - "github.com/opentdf/platform/protocol/go/policy" -) - -// DefinitionValueEntitlementMapping is the spike's purpose-built primitive — Option B, -// "new primitive". It raises condition-set authority to the AttributeDefinition: a -// single mapping resolves entitlement for every concrete value FQN under the definition. -// -// Compared with Option A (reuse_subjectmapping.go) it carries exactly the four fields -// the dynamic case needs and nothing it does not: there is no static -// subject_external_values to overload, and the operator field is typed to the dynamic -// operators only, so an admin cannot author a nonsensical static/dynamic mix. This is -// the model the ADR sketched as DefinitionValueEntitlementMapping. -type DefinitionValueEntitlementMapping struct { - // AttributeDefinitionFQN is the parent definition this mapping is scoped to, - // e.g. "https://hospital.co/attr/mrn". - AttributeDefinitionFQN string - // Selector is the flattened entity-representation selector, e.g. ".medicalRecordNumber" - // or ".patientAssignments[]" for an array field. - Selector string - // Operator is the dynamic comparison applied between the selector result and the - // resource value segment (initially ResourceValueIn). - Operator DynamicOperator - // Actions are granted on the concrete value FQN when the comparison matches. - Actions []*policy.Action - // Canonicalizer optionally overrides DefaultCanonicalizer. - Canonicalizer Canonicalizer -} - -var _ Mapping = (*DefinitionValueEntitlementMapping)(nil) - -// DefinitionFQN implements Mapping. -func (m *DefinitionValueEntitlementMapping) DefinitionFQN() string { - return strings.ToLower(m.AttributeDefinitionFQN) -} - -// EntitledActions implements Mapping: it resolves the selector against the entity and, -// on a match, returns the mapped actions for the given resource value segment. 
-func (m *DefinitionValueEntitlementMapping) EntitledActions(entity flattening.Flattened, segment string) ([]*policy.Action, error) { - matched, err := evaluateDynamicMatch(m.Operator, entity, m.Selector, segment, m.Canonicalizer) - if err != nil { - return nil, err - } - if !matched { - return nil, nil - } - return m.Actions, nil -} diff --git a/service/internal/access/v2/dynamicentitlement/options_test.go b/service/internal/access/v2/dynamicentitlement/options_test.go deleted file mode 100644 index e65d6c9bdb..0000000000 --- a/service/internal/access/v2/dynamicentitlement/options_test.go +++ /dev/null 
@@ -1,181 +0,0 @@ -package dynamicentitlement - -import ( - "testing" - - "github.com/opentdf/platform/protocol/go/policy" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" -) - -// dynamicSCS builds a reused SubjectConditionSet with a single dynamic condition: one -// subject set, one AND condition group, one condition whose subject_external_values -// carries the ResourceValuePlaceholder sentinel. -func dynamicSCS(selector string) *policy.SubjectConditionSet { - return &policy.SubjectConditionSet{ - SubjectSets: []*policy.SubjectSet{{ - ConditionGroups: []*policy.ConditionGroup{{ - BooleanOperator: policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_AND, - Conditions: []*policy.Condition{{ - SubjectExternalSelectorValue: selector, - Operator: policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN, - SubjectExternalValues: []string{ResourceValuePlaceholder}, - }}, - }}, - }}, - } -} - -// shapeFactory builds each option shape from the same inputs so the identical scenarios -// can be replayed across all three, which is what makes the options directly comparable. 
-type shapeFactory struct { - name string - make func(defFQN, selector string, op DynamicOperator, acts []*policy.Action) Mapping -} - -func allShapes() []shapeFactory { - return []shapeFactory{ - {"new_primitive", func(def, sel string, op DynamicOperator, acts []*policy.Action) Mapping { - return &DefinitionValueEntitlementMapping{ - AttributeDefinitionFQN: def, Selector: sel, Operator: op, Actions: acts, - } - }}, - {"attribute_rule", func(def, sel string, op DynamicOperator, acts []*policy.Action) Mapping { - return &DynamicRuleDefinition{ - AttributeDefinitionFQN: def, Rule: RuleDynamic, Selector: sel, Operator: op, Actions: acts, - } - }}, - {"reuse_subjectmapping", func(def, sel string, op DynamicOperator, acts []*policy.Action) Mapping { - return &DefinitionScopedSubjectMapping{ - AttributeDefinitionFQN: def, Operator: op, Actions: acts, SubjectConditionSet: dynamicSCS(sel), - } - }}, - } -} - -// TestMRNExampleAcrossAllShapes replays the ADR#266 worked example (patient / provider / -// nurse rows) against every option shape, proving they produce identical decisioning. 
-func TestMRNExampleAcrossAllShapes(t *testing.T) { - const def = "https://hospital.co/attr/mrn" - const resource = "https://hospital.co/attr/mrn/value/mrn-123" - - cases := []struct { - name string - selector string - props map[string]interface{} - acts []string - wantMatch bool - }{ - { - name: "patient", - selector: ".medicalRecordNumber", - props: map[string]interface{}{"medicalRecordNumber": "mrn-123"}, - acts: []string{"read", "update_profile"}, - wantMatch: true, - }, - { - name: "provider", - selector: ".patientAssignments[]", - props: map[string]interface{}{"patientAssignments": []interface{}{"mrn-123", "mrn-789"}}, - acts: []string{"read", "write_order", "update_chart"}, - wantMatch: true, - }, - { - name: "nurse", - selector: ".careTeamAssignments[]", - props: map[string]interface{}{"careTeamAssignments": []interface{}{"mrn-123"}}, - acts: []string{"read", "update_chart"}, - wantMatch: true, - }, - { - name: "unassigned provider", - selector: ".patientAssignments[]", - props: map[string]interface{}{"patientAssignments": []interface{}{"mrn-456"}}, - acts: []string{"read"}, - wantMatch: false, - }, - } - - for _, shape := range allShapes() { - for _, tc := range cases { - t.Run(shape.name+"/"+tc.name, func(t *testing.T) { - m := shape.make(def, tc.selector, ResourceValueIn, actions(tc.acts...)) - got, err := Entitle([]Mapping{m}, entityRep(t, tc.props), resource) - require.NoError(t, err) - if tc.wantMatch { - assert.ElementsMatch(t, tc.acts, actionNames(got)) - } else { - assert.Empty(t, got) - } - }) - } - } -} - -// TestCanonicalization exercises the normalization concern (@biscoe916): the external -// system reports a differently-cased ID. The default canonicalizer matches; a no-op -// canonicalizer does not. 
-func TestCanonicalization(t *testing.T) { - const def = "https://hospital.co/attr/mrn" - const resource = "https://hospital.co/attr/mrn/value/mrn-123" - er := entityRep(t, map[string]interface{}{"medicalRecordNumber": "MRN-123"}) - - m := &DefinitionValueEntitlementMapping{ - AttributeDefinitionFQN: def, Selector: ".medicalRecordNumber", - Operator: ResourceValueIn, Actions: actions("read"), - } - got, err := Entitle([]Mapping{m}, er, resource) - require.NoError(t, err) - assert.Equal(t, []string{"read"}, actionNames(got)) - - m.Canonicalizer = func(s string) string { return s } // no-op: case now matters - got, err = Entitle([]Mapping{m}, er, resource) - require.NoError(t, err) - assert.Empty(t, got) -} - -// TestReuseStaticAndDynamicConditions shows Option A's distinguishing capability: a -// reused SubjectConditionSet can mix a STATIC condition (department check, evaluated by -// the existing subjectmappingbuiltin leaf evaluator) with a DYNAMIC condition (resource -// MRN in the entity's assignments). 
-func TestReuseStaticAndDynamicConditions(t *testing.T) { - const def = "https://hospital.co/attr/mrn" - const resource = def + "/value/mrn-123" - - scs := &policy.SubjectConditionSet{ - SubjectSets: []*policy.SubjectSet{{ - ConditionGroups: []*policy.ConditionGroup{{ - BooleanOperator: policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_AND, - Conditions: []*policy.Condition{ - { - SubjectExternalSelectorValue: ".department", - Operator: policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN, - SubjectExternalValues: []string{"cardiology"}, - }, - { - SubjectExternalSelectorValue: ".patientAssignments[]", - Operator: policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN, - SubjectExternalValues: []string{ResourceValuePlaceholder}, - }, - }, - }}, - }}, - } - m := &DefinitionScopedSubjectMapping{AttributeDefinitionFQN: def, SubjectConditionSet: scs, Actions: actions("read")} - - // cardiology provider assigned to mrn-123 -> both conditions pass - got, err := Entitle([]Mapping{m}, entityRep(t, map[string]interface{}{ - "department": "cardiology", - "patientAssignments": []interface{}{"mrn-123"}, - }), resource) - require.NoError(t, err) - assert.Equal(t, []string{"read"}, actionNames(got)) - - // wrong department -> static condition fails -> no entitlement - got, err = Entitle([]Mapping{m}, entityRep(t, map[string]interface{}{ - "department": "oncology", - "patientAssignments": []interface{}{"mrn-123"}, - }), resource) - require.NoError(t, err) - assert.Empty(t, got) -} diff --git a/service/internal/access/v2/dynamicentitlement/reuse_subjectmapping.go b/service/internal/access/v2/dynamicentitlement/reuse_subjectmapping.go deleted file mode 100644 index acc7198c57..0000000000 --- a/service/internal/access/v2/dynamicentitlement/reuse_subjectmapping.go +++ /dev/null 
@@ -1,155 +0,0 @@ -package dynamicentitlement - -import ( - "errors" - "fmt" - "strings" - - "github.com/opentdf/platform/lib/flattening" - "github.com/opentdf/platform/protocol/go/policy" - smbuiltin "github.com/opentdf/platform/service/internal/subjectmappingbuiltin" -) - -// ResourceValuePlaceholder is the sentinel an admin places in a reused -// policy.Condition.subject_external_values list to signal that the right-hand operand is -// the resource value segment rather than a static value. -// -// The fact that a sentinel is REQUIRED is itself a spike finding: the existing -// SubjectConditionSet schema has nowhere to express "this condition is dynamic", so -// Option A must overload an existing field. See ADR 0005. -const ResourceValuePlaceholder = "${resource.value}" - -// DefinitionScopedSubjectMapping is Option A — "reuse Subject Mappings". It is the -// existing policy.SubjectConditionSet primitive re-scoped from an AttributeValue to an -// AttributeDefinition. It genuinely reuses the existing evaluator: static conditions go -// through subjectmappingbuiltin.EvaluateCondition unchanged, while a condition whose -// subject_external_values contains ResourceValuePlaceholder is routed to the shared -// dynamic core. The AND/OR subject-set / condition-group walk mirrors -// subjectmappingbuiltin.EvaluateSubjectSet. -// -// This shape supports mixed static + dynamic conditions, but at the cost of the sentinel -// overload above and a near-duplicate group walk (the production walk is hard-wired to -// the static leaf evaluator) — both captured as findings. -type DefinitionScopedSubjectMapping struct { - // AttributeDefinitionFQN is the parent definition this mapping is scoped to. - AttributeDefinitionFQN string - // SubjectConditionSet is the reused, unmodified policy primitive. - SubjectConditionSet *policy.SubjectConditionSet - // Operator is the dynamic operator applied to placeholder conditions. 
When - // OperatorUnspecified, it is derived from each placeholder condition's static - // SubjectMappingOperatorEnum (IN -> ResourceValueIn, IN_CONTAINS -> ResourceValueInContains). - Operator DynamicOperator - // Actions are granted when the condition set matches. - Actions []*policy.Action - // Canonicalizer optionally overrides DefaultCanonicalizer. - Canonicalizer Canonicalizer -} - -var _ Mapping = (*DefinitionScopedSubjectMapping)(nil) - -// DefinitionFQN implements Mapping. -func (m *DefinitionScopedSubjectMapping) DefinitionFQN() string { - return strings.ToLower(m.AttributeDefinitionFQN) -} - -// EntitledActions implements Mapping. Subject sets AND together (mirroring -// subjectmappingbuiltin.EvaluateSubjectMappings); on full match the mapped actions are -// returned. -func (m *DefinitionScopedSubjectMapping) EntitledActions(entity flattening.Flattened, segment string) ([]*policy.Action, error) { - scs := m.SubjectConditionSet - if scs == nil { - return nil, nil - } - for _, ss := range scs.GetSubjectSets() { - ok, err := m.evaluateSubjectSet(ss, entity, segment) - if err != nil { - return nil, err - } - if !ok { - return nil, nil - } - } - return m.Actions, nil -} - -func (m *DefinitionScopedSubjectMapping) evaluateSubjectSet(ss *policy.SubjectSet, entity flattening.Flattened, segment string) (bool, error) { - // condition groups AND together - for _, cg := range ss.GetConditionGroups() { - ok, err := m.evaluateConditionGroup(cg, entity, segment) - if err != nil { - return false, err - } - if !ok { - return false, nil - } - } - return true, nil -} - -func (m *DefinitionScopedSubjectMapping) evaluateConditionGroup(cg *policy.ConditionGroup, entity flattening.Flattened, segment string) (bool, error) { - switch cg.GetBooleanOperator() { - case policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_AND: - for _, c := range cg.GetConditions() { - ok, err := m.evaluateCondition(c, entity, segment) - if err != nil { - return false, err - } - if !ok { - 
return false, nil - } - } - return true, nil - case policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_OR: - for _, c := range cg.GetConditions() { - ok, err := m.evaluateCondition(c, entity, segment) - if err != nil { - return false, err - } - if ok { - return true, nil - } - } - return false, nil - case policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED: - return false, errors.New("unspecified condition group boolean operator") - default: - return false, fmt.Errorf("unsupported condition group boolean operator: %s", cg.GetBooleanOperator()) - } -} - -// evaluateCondition routes dynamic (placeholder) conditions to the shared core and -// static conditions to the existing, reused leaf evaluator. -func (m *DefinitionScopedSubjectMapping) evaluateCondition(c *policy.Condition, entity flattening.Flattened, segment string) (bool, error) { - if !conditionIsDynamic(c) { - return smbuiltin.EvaluateCondition(c, entity) - } - op := m.Operator - if op == OperatorUnspecified { - op = dynamicFromStatic(c.GetOperator()) - } - return evaluateDynamicMatch(op, entity, c.GetSubjectExternalSelectorValue(), segment, m.Canonicalizer) -} - -func conditionIsDynamic(c *policy.Condition) bool { - for _, v := range c.GetSubjectExternalValues() { - if v == ResourceValuePlaceholder { - return true - } - } - return false -} - -// dynamicFromStatic maps a static SubjectMappingOperatorEnum to its dynamic inversion. -func dynamicFromStatic(op policy.SubjectMappingOperatorEnum) DynamicOperator { - switch op { - case policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN: - return ResourceValueIn - case policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS: - return ResourceValueInContains - case policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN, - policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED: - return OperatorUnspecified - default: - return OperatorUnspecified - } -} 
diff --git a/service/internal/access/v2/helpers.go b/service/internal/access/v2/helpers.go index decb42f2c3..92f79239f8 100644 --- a/service/internal/access/v2/helpers.go +++ b/service/internal/access/v2/helpers.go @@ -13,14 +13,16 @@ import ( "github.com/opentdf/platform/protocol/go/policy" attrs "github.com/opentdf/platform/protocol/go/policy/attributes" "github.com/opentdf/platform/service/internal/access/v2/obligations" + "github.com/opentdf/platform/service/internal/subjectmappingbuiltin" "github.com/opentdf/platform/service/logger" ) var ( - ErrInvalidSubjectMapping = errors.New("access: invalid subject mapping") - ErrInvalidAttributeDefinition = errors.New("access: invalid attribute definition") - ErrInvalidRegisteredResource = errors.New("access: invalid registered resource") - ErrInvalidRegisteredResourceValue = errors.New("access: invalid registered resource value") + ErrInvalidSubjectMapping = errors.New("access: invalid subject mapping") + ErrInvalidAttributeDefinition = errors.New("access: invalid attribute definition") + ErrInvalidRegisteredResource = errors.New("access: invalid registered resource") + ErrInvalidRegisteredResourceValue = errors.New("access: invalid registered resource value") + ErrInvalidDefinitionValueEntitlementMapping = errors.New("access: invalid definition value entitlement mapping") ) // getDefinition parses the value FQN and uses it to retrieve the definition from the provided definitions map 
@@ -197,6 +199,8 @@ func getResourceDecisionableAttributes( entitleableAttributesByValueFQN map[string]*attrs.GetAttributeValuesByFqnsResponse_AttributeAndValue, // this is needed to support direct entitlement ad-hoc attribute values entitleableAttributesByDefinitionFQN map[string]*policy.Attribute, + // definitions carrying a dynamic value entitlement mapping also support synthetic values + dynamicMappingsByDefinitionFQN subjectmappingbuiltin.DefinitionValueEntitlementMappingsByDefinitionFQN, // action *policy.Action, resources []*authz.Resource, allowDirectEntitlements bool, 
@@ -251,24 +255,32 @@ func getResourceDecisionableAttributes( attributeAndValue, ok := entitleableAttributesByValueFQN[attrValueFQN] if !ok { - // if the attribute value FQN is not found, then check if direct entitlements with synthetic values are enabled (experimental) - if !allowDirectEntitlements { - // if disabled, add to not found list and skip to next attribute value FQN + // The value FQN is not a concrete policy value. A synthetic value is created + // when either direct entitlements are enabled (experimental) OR the parent + // definition carries a dynamic value entitlement mapping (DSPX-2754), since + // dynamic mappings entitle values that are not pre-provisioned in policy. + parentDefinition, err := getDefinition(attrValueFQN, entitleableAttributesByDefinitionFQN) + hasDynamicMapping := false + if err == nil { + _, hasDynamicMapping = dynamicMappingsByDefinitionFQN[parentDefinition.GetFqn()] + } + + if !allowDirectEntitlements && !hasDynamicMapping { + // neither path enabled for this value: add to not found list and skip notFoundFQNs = append(notFoundFQNs, attrValueFQN) continue } - - // now process direct entitlement that only exists at attribute definition level - logger.DebugContext(ctx, "processing direct entitlement for resource decisionable attribute value", slog.String("attribute_value_fqn", attrValueFQN)) - - // try to find the definition by extracting partial FQN from direct entitlement synthetic value FQN - parentDefinition, err := getDefinition(attrValueFQN, entitleableAttributesByDefinitionFQN) if err != nil { - // if definition not found, add to not found list and skip to next attribute value FQN + // definition not found: add to not found list and skip notFoundFQNs = append(notFoundFQNs, attrValueFQN) continue } + logger.DebugContext(ctx, "processing synthetic value for resource decisionable attribute value", + slog.String("attribute_value_fqn", attrValueFQN), + slog.Bool("has_dynamic_mapping", hasDynamicMapping), + ) + // Extract the 
value part from the FQN // FQN format: https:///attr//value/ parsedAttrValueFQN, err := identifier.Parse[*identifier.FullyQualifiedAttribute](attrValueFQN) diff --git a/service/internal/access/v2/helpers_test.go b/service/internal/access/v2/helpers_test.go index 3862c6f8b0..149eaa108a 100644 --- a/service/internal/access/v2/helpers_test.go +++ b/service/internal/access/v2/helpers_test.go @@ -1147,6 +1147,7 @@ func Test_getResourceDecisionableAttributes(t *testing.T) { nil, // registered resources are not used by direct entitlements nil, // direct entitlements will not be in entitleableAttributesByValueFQN map, due to synthetic values entitleableAttributesByDefinitionFQN, + nil, // no definition value entitlement mappings resources, true, // allow direct entitlements ) @@ -1173,6 +1174,7 @@ func Test_getResourceDecisionableAttributes(t *testing.T) { nil, // registered resources are not used by direct entitlements nil, // direct entitlements will not be in entitleableAttributesByValueFQN map, due to synthetic values entitleableAttributesByDefinitionFQN, + nil, // no definition value entitlement mappings resources, true, // allow direct entitlements ) @@ -1195,6 +1197,7 @@ func Test_getResourceDecisionableAttributes(t *testing.T) { nil, // registered resources are not used by direct entitlements nil, // direct entitlements will not be in entitleableAttributesByValueFQN map, due to synthetic values entitleableAttributesByDefinitionFQN, + nil, // no definition value entitlement mappings resources, false, // disable direct entitlements ) diff --git a/service/internal/access/v2/just_in_time_pdp.go b/service/internal/access/v2/just_in_time_pdp.go index d90addfd4a..e24590e8a7 100644 --- a/service/internal/access/v2/just_in_time_pdp.go +++ b/service/internal/access/v2/just_in_time_pdp.go 
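Review bot: The lookup `dynamicMappingsByDefinitionFQN[parentDefinition.GetFqn()]` is an exact-string match, whereas the removed spike compared definition FQNs case-insensitively (`strings.EqualFold` in `Entitle`). If the map keys are not normalised the same way as `GetFqn()`, a definition that has a mapping is treated as having none and its values go to `notFoundFQNs`; that fails closed, but silently, so the key normalisation should be documented where the map is built or applied at this lookup. The `err` from `getDefinition` is also tested only after the combined flag check, which makes the fail-closed path harder to read than it needs to be; checking it first is simpler: `if err != nil { notFoundFQNs = append(notFoundFQNs, attrValueFQN); continue }`, then the mapping lookup and the `!allowDirectEntitlements && !hasDynamicMapping` test. The enclosing function starts and ends outside the hunk.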
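Review bot: All three updated calls in `Test_getResourceDecisionableAttributes` pass `nil` for the new mappings argument, so nothing in these hunks exercises the branch where `allowDirectEntitlements` is false and the parent definition has a dynamic mapping. That is the one case where this change admits a value FQN that was previously rejected. A case that passes a populated map with direct entitlements disabled would pin the behaviour, asserting that the mapped definition's value is admitted and that a value under a definition without a mapping still ends up not found. Such a test may exist elsewhere in the series; it is not visible here.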
@@ -91,8 +91,12 @@ func NewJustInTimePDP( if err != nil { return nil, fmt.Errorf("failed to fetch all obligations: %w", err) } + allDefinitionValueEntitlementMappings, err := store.ListAllDefinitionValueEntitlementMappings(ctx) + if err != nil { + return nil, fmt.Errorf("failed to fetch all definition value entitlement mappings: %w", err) + } - pdp, err := NewPolicyDecisionPoint(ctx, log, allAttributes, allSubjectMappings, allRegisteredResources, allowDirectEntitlements, namespacedPolicy) + pdp, err := NewPolicyDecisionPointWithDefinitionValueEntitlementMappings(ctx, log, allAttributes, allSubjectMappings, allDefinitionValueEntitlementMappings, allRegisteredResources, allowDirectEntitlements, namespacedPolicy) if err != nil { return nil, fmt.Errorf("failed to create new policy decision point: %w", err) } diff --git a/service/internal/access/v2/pdp.go b/service/internal/access/v2/pdp.go index 784ea6988e..71d2cec80a 100644 --- a/service/internal/access/v2/pdp.go +++ b/service/internal/access/v2/pdp.go @@ -61,6 +61,7 @@ type PolicyDecisionPoint struct { allEntitleableAttributesByValueFQN map[string]*attrs.GetAttributeValuesByFqnsResponse_AttributeAndValue allRegisteredResourceValuesByFQN map[string]*policy.RegisteredResourceValue allAttributesByDefinitionFQN map[string]*policy.Attribute + dynamicMappingsByDefinitionFQN subjectmappingbuiltin.DefinitionValueEntitlementMappingsByDefinitionFQN allowDirectEntitlements bool namespacedPolicy bool } 
@@ -85,6 +86,31 @@ func NewPolicyDecisionPoint( allRegisteredResources []*policy.RegisteredResource, allowDirectEntitlements bool, namespacedPolicy bool, +) (*PolicyDecisionPoint, error) { + return NewPolicyDecisionPointWithDefinitionValueEntitlementMappings( + ctx, + l, + allAttributeDefinitions, + allSubjectMappings, + nil, + allRegisteredResources, + allowDirectEntitlements, + namespacedPolicy, + ) +} + +// NewPolicyDecisionPointWithDefinitionValueEntitlementMappings is NewPolicyDecisionPoint +// plus the dynamic, definition-level value entitlement mappings (DSPX-2754). The mappings +// argument may be nil/empty when the feature is unused. +func NewPolicyDecisionPointWithDefinitionValueEntitlementMappings( + ctx context.Context, + l *logger.Logger, + allAttributeDefinitions []*policy.Attribute, + allSubjectMappings []*policy.SubjectMapping, + allDefinitionValueEntitlementMappings []*policy.DefinitionValueEntitlementMapping, + allRegisteredResources []*policy.RegisteredResource, + allowDirectEntitlements bool, + namespacedPolicy bool, ) (*PolicyDecisionPoint, error) { var err error 
@@ -160,6 +186,43 @@ func NewPolicyDecisionPoint( allEntitleableAttributesByValueFQN[mappedValueFQN] = mapped } + dynamicMappingsByDefinitionFQN := make(subjectmappingbuiltin.DefinitionValueEntitlementMappingsByDefinitionFQN) + for _, mapping := range allDefinitionValueEntitlementMappings { + if err := validateDefinitionValueEntitlementMapping(mapping); err != nil { + l.WarnContext(ctx, + "invalid definition value entitlement mapping - skipping", + slog.Any("definition_value_entitlement_mapping", mapping), + slog.Any("error", err), + ) + continue + } + + if namespacedPolicy { + ns := mapping.GetNamespace() + if ns == nil || (ns.GetId() == "" && ns.GetFqn() == "") { + l.TraceContext(ctx, + "unnamespaced definition value entitlement mapping in strict namespaced-policy mode - skipping", + slog.String("reason", "definition_value_entitlement_mapping_namespace_missing"), + slog.String("definition_value_entitlement_mapping_id", mapping.GetId()), + slog.String("attribute_definition_fqn", mapping.GetAttributeDefinition().GetFqn()), + ) + continue + } + } + + definitionFQN := mapping.GetAttributeDefinition().GetFqn() + if _, ok := allAttributesByDefinitionFQN[definitionFQN]; !ok { + l.WarnContext(ctx, + "definition value entitlement mapping references unknown attribute definition - skipping", + slog.String("definition_value_entitlement_mapping_id", mapping.GetId()), + slog.String("attribute_definition_fqn", definitionFQN), + ) + continue + } + + dynamicMappingsByDefinitionFQN[definitionFQN] = append(dynamicMappingsByDefinitionFQN[definitionFQN], mapping) + } + allRegisteredResourceValuesByFQN := make(map[string]*policy.RegisteredResourceValue) for _, rr := range allRegisteredResources { if err := validateRegisteredResource(rr); err != nil { 
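Review bot: The HIERARCHY exclusion is enforced only against the definition embedded in the mapping (`validateDefinitionValueEntitlementMapping` reads `mapping.GetAttributeDefinition().GetRule()`), not against the authoritative entry this loop already looks up in `allAttributesByDefinitionFQN`. If the embedded definition is hydrated with just an id and FQN (not visible here), its rule reads as unspecified and a mapping on a HIERARCHY definition would be indexed. Keep the looked-up value, `def, ok := allAttributesByDefinitionFQN[definitionFQN]`, and skip with a warning when `def.GetRule() == policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY`. The strict-namespace skip is logged at Trace while the other two skips are Warn; since every skip removes an entitlement source, one level for all three would make them easier to find. The enclosing constructor starts and ends outside the hunk.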
@@ -192,12 +255,13 @@ func NewPolicyDecisionPoint( } pdp := &PolicyDecisionPoint{ - l, - allEntitleableAttributesByValueFQN, - allRegisteredResourceValuesByFQN, - allAttributesByDefinitionFQN, - allowDirectEntitlements, - namespacedPolicy, + logger: l, + allEntitleableAttributesByValueFQN: allEntitleableAttributesByValueFQN, + allRegisteredResourceValuesByFQN: allRegisteredResourceValuesByFQN, + allAttributesByDefinitionFQN: allAttributesByDefinitionFQN, + dynamicMappingsByDefinitionFQN: dynamicMappingsByDefinitionFQN, + allowDirectEntitlements: allowDirectEntitlements, + namespacedPolicy: namespacedPolicy, } return pdp, nil } @@ -245,6 +309,7 @@ func (p *PolicyDecisionPoint) GetDecision( p.allRegisteredResourceValuesByFQN, p.allEntitleableAttributesByValueFQN, p.allAttributesByDefinitionFQN, /* action, */ + p.dynamicMappingsByDefinitionFQN, resources, p.allowDirectEntitlements, ) @@ -301,6 +366,24 @@ func (p *PolicyDecisionPoint) GetDecision( } } + // Evaluate dynamic, definition-level value entitlement mappings (DSPX-2754) and merge + // their results into the entitled FQNs before rule evaluation. + if len(p.dynamicMappingsByDefinitionFQN) > 0 { + dynamicEntitledFQNsToActions, err := subjectmappingbuiltin.EvaluateDefinitionValueEntitlementMappingsWithActions( + p.dynamicMappingsByDefinitionFQN, + decisionableAttributes, + entityRepresentation, + l.Logger, + ) + if err != nil { + return nil, nil, fmt.Errorf("error evaluating definition value entitlement mappings: %w", err) + } + for fqn, actions := range dynamicEntitledFQNsToActions { + entitledFQNsToActions[fqn] = append(entitledFQNsToActions[fqn], actions...) + } + l.DebugContext(ctx, "evaluated definition value entitlement mappings", slog.Any("dynamic_entitled_value_fqns_to_actions", dynamicEntitledFQNsToActions)) + } + decision := &Decision{ AllPermitted: true, Results: make([]ResourceDecision, len(resources)), 
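Review bot: The dynamic results in `GetDecision` are merged with `entitledFQNsToActions[fqn] = append(entitledFQNsToActions[fqn], actions...)`, so a value FQN that already has static subject-mapping entitlements receives the union of both sources. The no-coexistence rule is visible only in the DB create path for dynamic mappings; this exported constructor accepts arbitrary slices, and whether subject-mapping creation performs the reverse check is not shown. Consider rejecting or warning at PDP load time when a definition in `dynamicMappingsByDefinitionFQN` also has value-level subject mappings, or add a comment here stating that the union is intended. The append can also repeat an action already present for that FQN, which is harmless for the decision but adds noise to the debug log. `GetDecision` starts and ends outside this hunk.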
@@ -355,6 +438,7 @@ func (p *PolicyDecisionPoint) GetDecisionRegisteredResource( p.allRegisteredResourceValuesByFQN, p.allEntitleableAttributesByValueFQN, p.allAttributesByDefinitionFQN, /*action, */ + p.dynamicMappingsByDefinitionFQN, resources, p.allowDirectEntitlements, ) diff --git a/service/internal/access/v2/policy_store.go b/service/internal/access/v2/policy_store.go index f9381e9262..3f9033718b 100644 --- a/service/internal/access/v2/policy_store.go +++ b/service/internal/access/v2/policy_store.go @@ -7,6 +7,7 @@ import ( "github.com/opentdf/platform/protocol/go/common" "github.com/opentdf/platform/protocol/go/policy" attrs "github.com/opentdf/platform/protocol/go/policy/attributes" + "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement" "github.com/opentdf/platform/protocol/go/policy/obligations" "github.com/opentdf/platform/protocol/go/policy/registeredresources" "github.com/opentdf/platform/protocol/go/policy/subjectmapping" @@ -17,6 +18,7 @@ import ( type EntitlementPolicyStore interface { ListAllAttributes(ctx context.Context) ([]*policy.Attribute, error) ListAllSubjectMappings(ctx context.Context) ([]*policy.SubjectMapping, error) + ListAllDefinitionValueEntitlementMappings(ctx context.Context) ([]*policy.DefinitionValueEntitlementMapping, error) ListAllRegisteredResources(ctx context.Context) ([]*policy.RegisteredResource, error) ListAllObligations(ctx context.Context) ([]*policy.Obligation, error) IsEnabled() bool 
@@ -24,10 +26,11 @@ type EntitlementPolicyStore interface { } var ( - ErrFailedToFetchAttributes = errors.New("failed to fetch attributes from policy service") - ErrFailedToFetchSubjectMappings = errors.New("failed to fetch subject mappings from policy service") - ErrFailedToFetchRegisteredResources = errors.New("failed to fetch registered resources from policy service") - ErrFailedToFetchObligations = errors.New("failed to fetch obligations from policy service") + ErrFailedToFetchAttributes = errors.New("failed to fetch attributes from policy service") + ErrFailedToFetchSubjectMappings = errors.New("failed to fetch subject mappings from policy service") + ErrFailedToFetchDefinitionValueEntitlementMappings = errors.New("failed to fetch definition value entitlement mappings from policy service") + ErrFailedToFetchRegisteredResources = errors.New("failed to fetch registered resources from policy service") + ErrFailedToFetchObligations = errors.New("failed to fetch obligations from policy service") ) // EntitlementPolicyRetriever satisfies the EntitlementPolicyStore interface and fetches fresh 
@@ -103,6 +106,32 @@ func (p *EntitlementPolicyRetriever) ListAllSubjectMappings(ctx context.Context) return smList, nil } +func (p *EntitlementPolicyRetriever) ListAllDefinitionValueEntitlementMappings(ctx context.Context) ([]*policy.DefinitionValueEntitlementMapping, error) { + // If quantity exceeds maximum list pagination, all are needed to determine entitlements + var nextOffset int32 + mappingsList := make([]*policy.DefinitionValueEntitlementMapping, 0) + + for { + listed, err := p.SDK.DefinitionValueEntitlementMapping.ListDefinitionValueEntitlementMappings(ctx, &definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest{ + // defer to service default for limit pagination + Pagination: &policy.PageRequest{ + Offset: nextOffset, + }, + }) + if err != nil { + return nil, errors.Join(ErrFailedToFetchDefinitionValueEntitlementMappings, err) + } + + nextOffset = listed.GetPagination().GetNextOffset() + mappingsList = append(mappingsList, listed.GetDefinitionValueEntitlementMappings()...) + + if nextOffset <= 0 { + break + } + } + return mappingsList, nil +} + func (p *EntitlementPolicyRetriever) ListAllRegisteredResources(ctx context.Context) ([]*policy.RegisteredResource, error) { // If quantity of registered resources exceeds maximum list pagination, all are needed to determine entitlements var nextOffset int32 diff --git a/service/internal/access/v2/validators.go b/service/internal/access/v2/validators.go index fff3d6e451..08f5b68c48 100644 --- a/service/internal/access/v2/validators.go +++ b/service/internal/access/v2/validators.go 
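Review bot: The pagination loop in `ListAllDefinitionValueEntitlementMappings` ends only when the service returns `nextOffset <= 0`, so a response that repeats or rewinds the offset keeps PDP construction in this loop and grows `mappingsList` without bound. Keep the offset that was sent and fail when the reply does not advance, e.g. `if next := listed.GetPagination().GetNextOffset(); next > 0 && next <= nextOffset { return nil, errors.Join(ErrFailedToFetchDefinitionValueEntitlementMappings, errors.New("pagination did not advance")) }` before assigning it. The trailing context shows `ListAllRegisteredResources` starting the same way, so the same guard probably applies to the sibling list helpers.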
@@ -127,6 +127,40 @@ func validateAttribute(attribute *policy.Attribute) error { return nil } +// validateDefinitionValueEntitlementMapping validates a dynamic value entitlement mapping +// is usable for an entitlement decision. +// +// mapping: +// +// - must not be nil +// - must reference an attribute definition with a non-empty FQN +// - the definition must not be HIERARCHY (ordered static values are incompatible) +// - must have a value resolver with a selector and a specified operator +// - must have at least one action +func validateDefinitionValueEntitlementMapping(mapping *policy.DefinitionValueEntitlementMapping) error { + if mapping == nil { + return fmt.Errorf("definition value entitlement mapping is nil: %w", ErrInvalidDefinitionValueEntitlementMapping) + } + def := mapping.GetAttributeDefinition() + if def == nil || def.GetFqn() == "" { + return fmt.Errorf("mapping's attribute definition is missing: %w", ErrInvalidDefinitionValueEntitlementMapping) + } + if def.GetRule() == policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY { + return fmt.Errorf("HIERARCHY definitions are not supported for dynamic value entitlement: %w", ErrInvalidDefinitionValueEntitlementMapping) + } + resolver := mapping.GetValueResolver() + if resolver == nil || resolver.GetSubjectExternalSelectorValue() == "" { + return fmt.Errorf("mapping's value resolver selector is empty: %w", ErrInvalidDefinitionValueEntitlementMapping) + } + if resolver.GetOperator() == policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED { + return fmt.Errorf("mapping's value resolver operator is unspecified: %w", ErrInvalidDefinitionValueEntitlementMapping) + } + if len(mapping.GetActions()) == 0 { + return fmt.Errorf("mapping's actions are empty: %w", ErrInvalidDefinitionValueEntitlementMapping) + } + return nil +} + // validateRegisteredResource validates the registered resource is valid for an entitlement decision // // registered resource: 
diff --git a/service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go b/service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go
new file mode 100644
index 0000000000..1d7d1fd6da
--- /dev/null
+++ b/service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go
@@ -0,0 +1,148 @@
+package subjectmappingbuiltin
+
+import (
+ "errors"
+ "fmt"
+ "log/slog"
+ "strings"
+
+ "github.com/opentdf/platform/lib/flattening"
+ "github.com/opentdf/platform/lib/identifier"
+ entityresolutionV2 "github.com/opentdf/platform/protocol/go/entityresolution/v2"
+ "github.com/opentdf/platform/protocol/go/policy"
+ "github.com/opentdf/platform/protocol/go/policy/attributes"
+)
+
+// DefinitionValueEntitlementMappingsByDefinitionFQN indexes dynamic mappings by their
+// parent attribute definition FQN for O(1) lookup during decisioning.
+type DefinitionValueEntitlementMappingsByDefinitionFQN map[string][]*policy.DefinitionValueEntitlementMapping
+
+// EvaluateDefinitionValueEntitlementMappingsWithActions resolves the dynamic, definition
+// level entitlement mappings for the resources under evaluation. For each decisionable
+// attribute value it finds the mappings on the value's parent definition, runs the
+// optional static SubjectConditionSet gate, then compares the requested resource value
+// segment against the entity representation via the mapping's resolver. On a match the
+// mapping's actions are entitled on that concrete value FQN.
+//
+// The output shape matches EvaluateSubjectMappingsWithActions so the PDP can merge the
+// two results uniformly before rule evaluation.
+func EvaluateDefinitionValueEntitlementMappingsWithActions(
+ mappingsByDefinitionFQN DefinitionValueEntitlementMappingsByDefinitionFQN,
+ decisionableAttributes map[string]*attributes.GetAttributeValuesByFqnsResponse_AttributeAndValue,
+ entityRepresentation *entityresolutionV2.EntityRepresentation,
+ l *slog.Logger,
+) (AttributeValueFQNsToActions, error) {
+ entitlementsSet := make(AttributeValueFQNsToActions)
+ if len(mappingsByDefinitionFQN) == 0 {
+ return entitlementsSet, nil
+ }
+
+ for _, entity := range entityRepresentation.GetAdditionalProps() {
+ flattenedEntity, err := flattening.Flatten(entity.AsMap())
+ if err != nil {
+ return nil, fmt.Errorf("failure to flatten entity in definition value entitlement builtin: %w", err)
+ }
+
+ for valueFQN, attributeAndValue := range decisionableAttributes {
+ definitionFQN := attributeAndValue.GetAttribute().GetFqn()
+ mappings := mappingsByDefinitionFQN[definitionFQN]
+ if len(mappings) == 0 {
+ continue
+ }
+
+ segment, err := resourceValueSegment(valueFQN, attributeAndValue.GetValue())
+ if err != nil {
+ return nil, err
+ }
+
+ // mappings on the same definition are OR-ed together
+ for _, mapping := range mappings {
+ matched, err := evaluateDefinitionValueEntitlementMapping(mapping, flattenedEntity, segment)
+ if err != nil {
+ return nil, err
+ }
+ if !matched {
+ continue
+ }
+ if _, ok := entitlementsSet[valueFQN]; !ok {
+ entitlementsSet[valueFQN] = make([]*policy.Action, 0)
+ }
+ entitlementsSet[valueFQN] = append(
+ entitlementsSet[valueFQN],
+ dedupeSubjectMappingActions(mapping.GetActions(), l)...,
+ )
+ }
+ }
+ }
+
+ return entitlementsSet, nil
+}
+
+// evaluateDefinitionValueEntitlementMapping returns true when the optional static gate
+// passes (if present) AND the dynamic resolver matches the resource value segment.
+func evaluateDefinitionValueEntitlementMapping(
+ mapping *policy.DefinitionValueEntitlementMapping,
+ entity flattening.Flattened,
+ segment string,
+) (bool, error) {
+ // optional static pre-gate: all subject sets AND together with normal semantics
+ for _, subjectSet := range mapping.GetSubjectConditionSet().GetSubjectSets() {
+ ok, err := EvaluateSubjectSet(subjectSet, entity)
+ if err != nil {
+ return false, err
+ }
+ if !ok {
+ return false, nil
+ }
+ }
+
+ return evaluateValueResolver(mapping.GetValueResolver(), entity, segment)
+}
+
+// evaluateValueResolver compares the resource value segment against the entity values
+// resolved by the selector, applying the dynamic operator. Both sides are canonicalized
+// (lowercased + trimmed) so external systems that disagree with policy on case still match.
+func evaluateValueResolver(resolver *policy.DefinitionValueResolver, entity flattening.Flattened, segment string) (bool, error) {
+ selector := resolver.GetSubjectExternalSelectorValue()
+ entityValues := flattening.GetFromFlattened(entity, selector)
+ target := canonicalizeValueSegment(segment)
+
+ switch resolver.GetOperator() {
+ case policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN:
+ for _, ev := range entityValues {
+ if canonicalizeValueSegment(fmt.Sprintf("%v", ev)) == target {
+ return true, nil
+ }
+ }
+ return false, nil
+ case policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS:
+ for _, ev := range entityValues {
+ if strings.Contains(canonicalizeValueSegment(fmt.Sprintf("%v", ev)), target) {
+ return true, nil
+ }
+ }
+ return false, nil
+ case policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED:
+ return false, errors.New("unspecified dynamic value operator")
+ default:
+ return false, fmt.Errorf("unsupported dynamic value operator: %s", resolver.GetOperator())
+ }
+}
+
+func canonicalizeValueSegment(s string) string {
+ return strings.ToLower(strings.TrimSpace(s))
+}
+
+// resourceValueSegment returns the concrete value segment for a resource value FQN,
+// preferring the value already parsed onto the policy.Value and falling back to parsing
+// the FQN.
+func resourceValueSegment(valueFQN string, value *policy.Value) (string, error) {
+ if v := value.GetValue(); v != "" {
+ return v, nil
+ }
+ parsed, err := identifier.Parse[*identifier.FullyQualifiedAttribute](valueFQN)
+ if err != nil {
+ return "", fmt.Errorf("parsing resource value FQN %q: %w", valueFQN, err)
+ }
+ return parsed.Value, nil
+}
diff --git a/service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin_test.go b/service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin_test.go
new file mode 100644
index 0000000000..2dbe256e85
--- /dev/null
+++ b/service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin_test.go
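Review bot: `evaluateValueResolver` never rejects an empty `target`, so a resource value segment that canonicalizes to `""` (whitespace only, or an empty parsed value if `identifier.Parse` allows one) matches every entity value under `RESOURCE_VALUE_IN_CONTAINS`, because `strings.Contains(x, "")` is always true. Under `RESOURCE_VALUE_IN` it matches any empty or whitespace claim. Fail closed before the switch with `if target == "" { return false, nil }`. The CONTAINS branch also tests whether the entity value contains the resource segment, so a short segment is entitled for any subject whose claim merely includes it; the doc comment should state that direction explicitly so policy authors choose the operator knowingly. `fmt.Sprintf("%v", ev)` on non-string claims (numbers arrive as float64 through structpb) can format differently from the policy value, which errs towards deny but deserves a comment.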
@@ -0,0 +1,179 @@ +package subjectmappingbuiltin + +import ( + "log/slog" + "testing" + + entityresolutionV2 "github.com/opentdf/platform/protocol/go/entityresolution/v2" + "github.com/opentdf/platform/protocol/go/policy" + "github.com/opentdf/platform/protocol/go/policy/attributes" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "google.golang.org/protobuf/types/known/structpb" +) + +func dvemEntityRep(t *testing.T, props map[string]interface{}) *entityresolutionV2.EntityRepresentation { + t.Helper() + s, err := structpb.NewStruct(props) + require.NoError(t, err) + return &entityresolutionV2.EntityRepresentation{ + OriginalId: "entity-1", + AdditionalProps: []*structpb.Struct{s}, + } +} + +func dvemActions(names ...string) []*policy.Action { + out := make([]*policy.Action, 0, len(names)) + for _, n := range names { + out = append(out, &policy.Action{Name: n}) + } + return out +} + +func dvemActionNames(acts []*policy.Action) []string { + out := make([]string, 0, len(acts)) + for _, a := range acts { + out = append(out, a.GetName()) + } + return out +} + +func dvemDecisionable(defFQN, valueFQN, segment string) map[string]*attributes.GetAttributeValuesByFqnsResponse_AttributeAndValue { + return map[string]*attributes.GetAttributeValuesByFqnsResponse_AttributeAndValue{ + valueFQN: { + Value: &policy.Value{Fqn: valueFQN, Value: segment}, + Attribute: &policy.Attribute{Fqn: defFQN}, + }, + } +} + +func dvemMapping(defFQN, selector string, op policy.DynamicValueOperatorEnum, scs *policy.SubjectConditionSet, actionNames ...string) *policy.DefinitionValueEntitlementMapping { + return &policy.DefinitionValueEntitlementMapping{ + AttributeDefinition: &policy.Attribute{Fqn: defFQN}, + ValueResolver: &policy.DefinitionValueResolver{ + SubjectExternalSelectorValue: selector, + Operator: op, + }, + SubjectConditionSet: scs, + Actions: dvemActions(actionNames...), + } +} + +// TestEvaluateDefinitionValueEntitlementMappings_MRNExample replays the 
ADR#266 worked +// example (patient / provider / nurse) against the production evaluator. +func TestEvaluateDefinitionValueEntitlementMappings_MRNExample(t *testing.T) { + const def = "https://hospital.co/attr/mrn" + const valueFQN = "https://hospital.co/attr/mrn/value/mrn-123" + + cases := []struct { + name string + selector string + props map[string]interface{} + acts []string + wantMatch bool + }{ + {"patient", ".medicalRecordNumber", map[string]interface{}{"medicalRecordNumber": "mrn-123"}, []string{"read", "update_profile"}, true}, + {"provider", ".patientAssignments[]", map[string]interface{}{"patientAssignments": []interface{}{"mrn-123", "mrn-789"}}, []string{"read", "write_order", "update_chart"}, true}, + {"nurse", ".careTeamAssignments[]", map[string]interface{}{"careTeamAssignments": []interface{}{"mrn-123"}}, []string{"read", "update_chart"}, true}, + {"unassigned", ".patientAssignments[]", map[string]interface{}{"patientAssignments": []interface{}{"mrn-456"}}, []string{"read"}, false}, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + mapping := dvemMapping(def, tc.selector, policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN, nil, tc.acts...) + byDef := DefinitionValueEntitlementMappingsByDefinitionFQN{def: {mapping}} + + got, err := EvaluateDefinitionValueEntitlementMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, tc.props), slog.Default()) + require.NoError(t, err) + if tc.wantMatch { + assert.ElementsMatch(t, tc.acts, dvemActionNames(got[valueFQN])) + } else { + assert.Empty(t, got[valueFQN]) + } + }) + } +} + +// TestEvaluateDefinitionValueEntitlementMappings_Canonicalization covers the external +// system case-mismatch concern: the IdP reports MRN-123, policy stores mrn-123. 
+func TestEvaluateDefinitionValueEntitlementMappings_Canonicalization(t *testing.T) { + const def = "https://hospital.co/attr/mrn" + const valueFQN = "https://hospital.co/attr/mrn/value/mrn-123" + mapping := dvemMapping(def, ".medicalRecordNumber", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN, nil, "read") + byDef := DefinitionValueEntitlementMappingsByDefinitionFQN{def: {mapping}} + + got, err := EvaluateDefinitionValueEntitlementMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, map[string]interface{}{"medicalRecordNumber": "MRN-123"}), slog.Default()) + require.NoError(t, err) + assert.Equal(t, []string{"read"}, dvemActionNames(got[valueFQN])) +} + +// TestEvaluateDefinitionValueEntitlementMappings_InContains covers the substring operator. +func TestEvaluateDefinitionValueEntitlementMappings_InContains(t *testing.T) { + const def = "https://acme.co/attr/group" + const valueFQN = "https://acme.co/attr/group/value/team" + mapping := dvemMapping(def, ".groups[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS, nil, "read") + byDef := DefinitionValueEntitlementMappingsByDefinitionFQN{def: {mapping}} + + got, err := EvaluateDefinitionValueEntitlementMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "team"), dvemEntityRep(t, map[string]interface{}{"groups": []interface{}{"prefix-team-suffix"}}), slog.Default()) + require.NoError(t, err) + assert.Equal(t, []string{"read"}, dvemActionNames(got[valueFQN])) +} + +// TestEvaluateDefinitionValueEntitlementMappings_StaticGate covers the optional static +// SubjectConditionSet pre-gate combined with the dynamic resolver. 
+func TestEvaluateDefinitionValueEntitlementMappings_StaticGate(t *testing.T) { + const def = "https://hospital.co/attr/mrn" + const valueFQN = "https://hospital.co/attr/mrn/value/mrn-123" + + scs := &policy.SubjectConditionSet{ + SubjectSets: []*policy.SubjectSet{{ + ConditionGroups: []*policy.ConditionGroup{{ + BooleanOperator: policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_AND, + Conditions: []*policy.Condition{{ + SubjectExternalSelectorValue: ".department", + Operator: policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN, + SubjectExternalValues: []string{"cardiology"}, + }}, + }}, + }}, + } + mapping := dvemMapping(def, ".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN, scs, "read") + byDef := DefinitionValueEntitlementMappingsByDefinitionFQN{def: {mapping}} + + // cardiology provider assigned to mrn-123 -> gate + resolver pass + got, err := EvaluateDefinitionValueEntitlementMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, map[string]interface{}{ + "department": "cardiology", + "patientAssignments": []interface{}{"mrn-123"}, + }), slog.Default()) + require.NoError(t, err) + assert.Equal(t, []string{"read"}, dvemActionNames(got[valueFQN])) + + // wrong department -> static gate fails -> no entitlement + got, err = EvaluateDefinitionValueEntitlementMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, map[string]interface{}{ + "department": "oncology", + "patientAssignments": []interface{}{"mrn-123"}, + }), slog.Default()) + require.NoError(t, err) + assert.Empty(t, got[valueFQN]) +} + +// TestEvaluateDefinitionValueEntitlementMappings_CrossDefinitionNoLeak verifies a mapping +// only applies to its own definition: the same value segment under a different definition +// is not entitled. 
+func TestEvaluateDefinitionValueEntitlementMappings_CrossDefinitionNoLeak(t *testing.T) { + const defA = "https://a.co/attr/x" + const defB = "https://b.co/attr/y" + mapping := dvemMapping(defA, ".assignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN, nil, "read") + byDef := DefinitionValueEntitlementMappingsByDefinitionFQN{defA: {mapping}} + entity := dvemEntityRep(t, map[string]interface{}{"assignments": []interface{}{"shared-1"}}) + + // under definition A -> entitled + gotA, err := EvaluateDefinitionValueEntitlementMappingsWithActions(byDef, dvemDecisionable(defA, defA+"/value/shared-1", "shared-1"), entity, slog.Default()) + require.NoError(t, err) + assert.Equal(t, []string{"read"}, dvemActionNames(gotA[defA+"/value/shared-1"])) + + // same segment under definition B -> not entitled + gotB, err := EvaluateDefinitionValueEntitlementMappingsWithActions(byDef, dvemDecisionable(defB, defB+"/value/shared-1", "shared-1"), entity, slog.Default()) + require.NoError(t, err) + assert.Empty(t, gotB[defB+"/value/shared-1"]) +} diff --git a/service/logger/audit/constants.go b/service/logger/audit/constants.go index 9a0bb2db1b..cf3fe5eabe 100644 --- a/service/logger/audit/constants.go +++ b/service/logger/audit/constants.go @@ -32,6 +32,7 @@ const ( ObjectTypeKasAttributeDefinitionKeyAssignment ObjectTypeKasAttributeValueKeyAssignment ObjectTypeKasAttributeNamespaceKeyAssignment + ObjectTypeDefinitionValueEntitlementMapping ) func (ot ObjectType) String() string { @@ -61,6 +62,7 @@ func (ot ObjectType) String() string { "kas_attribute_definition_key_assignment", "kas_attribute_value_key_assignment", "kas_attribute_namespace_key_assignment", + "definition_value_entitlement_mapping", }[ot] } diff --git a/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md b/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md index 240d907f0f..09724f3d6e 100644 
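Review bot: The new tests pin only the matching side of `RESOURCE_VALUE_IN_CONTAINS`; nothing asserts a deny for that operator, and no case covers an empty or whitespace-only resource value segment, an entity with no value at the selector, or the unspecified operator returning an error. Since this evaluator grants access, each of those should have a test that expects no entitlement (or an error), for example a sub-test in `TestEvaluateDefinitionValueEntitlementMappings_InContains` that passes a whitespace-only segment to `dvemDecisionable` and checks `assert.Empty(t, got[valueFQN])`. A case with two structs in `AdditionalProps` would also document that entitlements are unioned across entity representations.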
--- a/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md +++ b/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md @@ -8,10 +8,14 @@ chose a definition-level dynamic entitlement model (its Option 3) but **explicit implementation spike** the question of *how* to model it. This document records what that spike ([DSPX-2754](https://virtru.atlassian.net/browse/DSPX-2754)) found. -The spike code lives in [`service/internal/access/v2/dynamicentitlement`](../../internal/access/v2/dynamicentitlement) -and is **not wired into any live decision path**. It is a throwaway proof-of-concept whose purpose is to -make the options below comparable on real behavior. No protos, database, sqlc, service handlers, or PDP -code were changed, because the source ADR states primitive names and schema are still subject to change. +The original spike prototyped all three options as a throwaway package to make them comparable on real +behavior. The recommendation below (a new primitive carrying a new operator) is now implemented as +production code: the `DefinitionValueEntitlementMapping` primitive +([`service/policy/objects.proto`](../objects.proto)), its dedicated service +([`service/policy/definitionvalueentitlement`](../definitionvalueentitlement)), DB layer, and the +decision-time evaluator +([`service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go`](../../internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go)) +wired into the PDP. The findings below record why that shape was chosen over the alternatives. ## Context diff --git a/service/policy/db/actions.sql.go b/service/policy/db/actions.sql.go index e3648ce58b..2af93bba93 100644 --- a/service/policy/db/actions.sql.go +++ b/service/policy/db/actions.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.31.0 +// sqlc v1.30.0 // source: actions.sql package db 
diff --git a/service/policy/db/attribute_fqn.sql.go b/service/policy/db/attribute_fqn.sql.go index 6765e8ef51..ad4ed6b043 100644 --- a/service/policy/db/attribute_fqn.sql.go +++ b/service/policy/db/attribute_fqn.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.31.0 +// sqlc v1.30.0 // source: attribute_fqn.sql package db diff --git a/service/policy/db/attribute_values.sql.go b/service/policy/db/attribute_values.sql.go index 1611d803a1..792d6b213e 100644 --- a/service/policy/db/attribute_values.sql.go +++ b/service/policy/db/attribute_values.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.31.0 +// sqlc v1.30.0 // source: attribute_values.sql package db diff --git a/service/policy/db/attributes.sql.go b/service/policy/db/attributes.sql.go index a7a235a25f..f134a84562 100644 --- a/service/policy/db/attributes.sql.go +++ b/service/policy/db/attributes.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.31.0 +// sqlc v1.30.0 // source: attributes.sql package db diff --git a/service/policy/db/copyfrom.go b/service/policy/db/copyfrom.go index e89a426d77..07ec0ceaf7 100644 --- a/service/policy/db/copyfrom.go +++ b/service/policy/db/copyfrom.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.31.0 +// sqlc v1.30.0 // source: copyfrom.go package db diff --git a/service/policy/db/db.go b/service/policy/db/db.go index d24a61d024..95f1a604c9 100644 --- a/service/policy/db/db.go +++ b/service/policy/db/db.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.31.0 +// sqlc v1.30.0 package db diff --git a/service/policy/db/definition_value_entitlement_mappings.go b/service/policy/db/definition_value_entitlement_mappings.go new file mode 100644 index 0000000000..08fc2fdd5a --- /dev/null +++ b/service/policy/db/definition_value_entitlement_mappings.go 
@@ -0,0 +1,397 @@
+package db
+
+import (
+ "context"
+ "encoding/json"
+ "errors"
+ "fmt"
+
+ "github.com/jackc/pgx/v5/pgtype"
+ "github.com/opentdf/platform/protocol/go/common"
+ "github.com/opentdf/platform/protocol/go/policy"
+ "github.com/opentdf/platform/protocol/go/policy/attributes"
+ "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement"
+ "github.com/opentdf/platform/service/pkg/db"
+)
+
+type definitionValueEntitlementMappingRow struct {
+ id string
+ attributeDefinitionID string
+ subjectExternalSelectorValue string
+ operator int16
+ subjectConditionSetID pgtype.UUID
+ actions interface{}
+ metadata []byte
+ namespace interface{}
+}
+
+func (c PolicyDBClient) CreateDefinitionValueEntitlementMapping(ctx context.Context, r *definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest) (*policy.DefinitionValueEntitlementMapping, error) {
+ resolver := r.GetValueResolver()
+ if resolver.GetOperator() == policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED {
+ return nil, errors.Join(db.ErrEnumValueInvalid, errors.New("value_resolver.operator must be specified"))
+ }
+
+ attr, err := c.resolveDefinitionValueEntitlementMappingAttribute(ctx, r.GetAttributeDefinitionId(), r.GetAttributeDefinitionFqn())
+ if err != nil {
+ return nil, err
+ }
+ if err := validateDefinitionValueEntitlementMappingAttribute(attr); err != nil {
+ return nil, err
+ }
+
+ // Enforce no-coexistence: a definition cannot have both value-level subject mappings
+ // and a dynamic value entitlement mapping (DSPX-2754 / ADR 0005).
+ if err := c.ensureNoValueSubjectMappingCoexistence(ctx, attr.GetId()); err != nil {
+ return nil, err
+ }
+
+ resolvedNamespaceID, err := c.resolveNamespace(ctx, r.GetNamespaceId(), r.GetNamespaceFqn())
+ if err != nil {
+ return nil, err
+ }
+ parsedNamespaceID := pgtypeUUID(resolvedNamespaceID)
+
+ actionIDs, err := c.resolveSubjectMappingActions(ctx, r.GetActions(), parsedNamespaceID)
+ if err != nil {
+ return nil, err
+ }
+
+ scs, err := c.resolveDefinitionValueEntitlementMappingSubjectConditionSet(ctx, r, resolvedNamespaceID)
+ if err != nil {
+ return nil, err
+ }
+
+ if err := c.validateDefinitionValueEntitlementMappingNamespaceConsistency(ctx, resolvedNamespaceID, attr, actionIDs, scs); err != nil {
+ return nil, err
+ }
+
+ metadataJSON, _, err := db.MarshalCreateMetadata(r.GetMetadata())
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+
+ createdID, err := c.queries.createDefinitionValueEntitlementMapping(ctx, createDefinitionValueEntitlementMappingParams{
+ AttributeDefinitionID: attr.GetId(),
+ SubjectExternalSelectorValue: resolver.GetSubjectExternalSelectorValue(),
+ Operator: int16(resolver.GetOperator()),
+ Metadata: metadataJSON,
+ SubjectConditionSetID: pgtypeUUID(scs.GetId()),
+ NamespaceID: parsedNamespaceID,
+ ActionIds: actionIDs,
+ })
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+
+ return c.GetDefinitionValueEntitlementMapping(ctx, createdID)
+}
+
+func (c PolicyDBClient) GetDefinitionValueEntitlementMapping(ctx context.Context, id string) (*policy.DefinitionValueEntitlementMapping, error) {
+ row, err := c.queries.getDefinitionValueEntitlementMapping(ctx, id)
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+ if row.ID == "" {
+ return nil, db.ErrNotFound
+ }
+
+ return c.hydrateDefinitionValueEntitlementMapping(ctx, definitionValueEntitlementMappingRow{
+ id: row.ID,
+ attributeDefinitionID: row.AttributeDefinitionID,
+ subjectExternalSelectorValue: row.SubjectExternalSelectorValue,
+ operator: row.Operator,
+ subjectConditionSetID: row.SubjectConditionSetID,
+ actions: row.Actions,
+ metadata: row.Metadata,
+ namespace: row.Namespace,
+ })
+}
+
+func (c PolicyDBClient) ListDefinitionValueEntitlementMappings(ctx context.Context, r *definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest) (*definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse, error) {
+ limit, offset := c.getRequestedLimitOffset(r.GetPagination())
+
+ maxLimit := c.listCfg.limitMax
+ if maxLimit > 0 && limit > maxLimit {
+ return nil, db.ErrListLimitTooLarge
+ }
+
+ sortField, sortDirection := GetDefinitionValueEntitlementMappingsSortParams(r.GetSort())
+
+ rows, err := c.queries.listDefinitionValueEntitlementMappings(ctx, listDefinitionValueEntitlementMappingsParams{
+ NamespaceID: pgtypeUUID(r.GetNamespaceId()),
+ AttributeDefinitionID: pgtypeUUID(r.GetAttributeDefinitionId()),
+ Limit: limit,
+ Offset: offset,
+ SortField: sortField,
+ SortDirection: sortDirection,
+ })
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+
+ mappings := make([]*policy.DefinitionValueEntitlementMapping, len(rows))
+ for i, row := range rows {
+ mapping, err := c.hydrateDefinitionValueEntitlementMapping(ctx, definitionValueEntitlementMappingRow{
+ id: row.ID,
+ attributeDefinitionID: row.AttributeDefinitionID,
+ subjectExternalSelectorValue: row.SubjectExternalSelectorValue,
+ operator: row.Operator,
+ subjectConditionSetID: row.SubjectConditionSetID,
+ actions: row.Actions,
+ metadata: row.Metadata,
+ namespace: row.Namespace,
+ })
+ if err != nil {
+ return nil, err
+ }
+ mappings[i] = mapping
+ }
+
+ var (
+ total int32
+ nextOffset int32
+ )
+ if len(rows) > 0 {
+ total = int32(rows[0].Total)
+ nextOffset = getNextOffset(offset, limit, total)
+ }
+
+ return &definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse{
+ DefinitionValueEntitlementMappings: mappings,
+ Pagination: &policy.PageResponse{
+ CurrentOffset: offset,
+ Total: total,
+ NextOffset: nextOffset,
+ },
+ }, nil
+}
+
+func (c PolicyDBClient) UpdateDefinitionValueEntitlementMapping(ctx context.Context, r *definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest) (*policy.DefinitionValueEntitlementMapping, error) {
+ id := r.GetId()
+ before, err := c.GetDefinitionValueEntitlementMapping(ctx, id)
+ if err != nil || before == nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+
+ metadataJSON, _, err := db.MarshalUpdateMetadata(r.GetMetadata(), r.GetMetadataUpdateBehavior(), func() (*common.Metadata, error) {
+ return before.GetMetadata(), nil
+ })
+ if err != nil {
+ return nil, err
+ }
+
+ updateParams := updateDefinitionValueEntitlementMappingParams{
+ ID: id,
+ Metadata: metadataJSON,
+ SubjectConditionSetID: pgtypeUUID(r.GetSubjectConditionSetId()),
+ }
+
+ if resolver := r.GetValueResolver(); resolver != nil {
+ if resolver.GetOperator() == policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED {
+ return nil, errors.Join(db.ErrEnumValueInvalid, errors.New("value_resolver.operator must be specified"))
+ }
+ updateParams.SubjectExternalSelectorValue = pgtypeText(resolver.GetSubjectExternalSelectorValue())
+ updateParams.Operator = pgtype.Int2{Int16: int16(resolver.GetOperator()), Valid: true}
+ }
+
+ targetNamespaceID := before.GetNamespace().GetId()
+ if actions := r.GetActions(); actions != nil {
+ actionIDs, err := c.resolveSubjectMappingActions(ctx, actions, pgtypeUUID(targetNamespaceID))
+ if err != nil {
+ return nil, err
+ }
+ updateParams.ActionIds = actionIDs
+ }
+
+ count, err := c.queries.updateDefinitionValueEntitlementMapping(ctx, updateParams)
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+ if count == 0 {
+ return nil, db.ErrNotFound
+ }
+
+ return c.GetDefinitionValueEntitlementMapping(ctx, id)
+}
+
+func (c PolicyDBClient) DeleteDefinitionValueEntitlementMapping(ctx context.Context, id string) (*policy.DefinitionValueEntitlementMapping, error) {
+ count, err := c.queries.deleteDefinitionValueEntitlementMapping(ctx, id)
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+ if count == 0 {
+ return nil, db.ErrNotFound
+ }
+
+ return &policy.DefinitionValueEntitlementMapping{Id: id}, nil
+}
+
+func (c PolicyDBClient) hydrateDefinitionValueEntitlementMapping(ctx context.Context, row definitionValueEntitlementMappingRow) (*policy.DefinitionValueEntitlementMapping, error) {
+ metadata := &common.Metadata{}
+ if err := unmarshalMetadata(row.metadata, metadata); err != nil {
+ return nil, err
+ }
+
+ actionsBytes, err := json.Marshal(row.actions)
+ if err != nil {
+ return nil, fmt.Errorf("failed to marshal definition value entitlement mapping actions from interface{}: %w", err)
+ }
+ actions := []*policy.Action{}
+ if err := unmarshalActionsProto(actionsBytes, &actions); err != nil {
+ return nil, err
+ }
+
+ attr, err := c.GetAttribute(ctx, row.attributeDefinitionID)
+ if err != nil {
+ return nil, err
+ }
+
+ namespace, err := hydrateNamespaceFromInterface(row.namespace)
+ if err != nil {
+ return nil, err
+ }
+
+ mapping := &policy.DefinitionValueEntitlementMapping{
+ Id: row.id,
+ AttributeDefinition: attr,
+ ValueResolver: &policy.DefinitionValueResolver{
+ SubjectExternalSelectorValue: row.subjectExternalSelectorValue,
+ Operator: policy.DynamicValueOperatorEnum(row.operator),
+ },
+ Actions: actions,
+ Namespace: namespace,
+ Metadata: metadata,
+ }
+
+ // Optional static pre-gate.
+ if row.subjectConditionSetID.Valid {
+ scs, err := c.GetSubjectConditionSet(ctx, UUIDToString(row.subjectConditionSetID))
+ if err != nil {
+ return nil, err
+ }
+ mapping.SubjectConditionSet = scs
+ }
+
+ return mapping, nil
+}
+
+func (c PolicyDBClient) resolveDefinitionValueEntitlementMappingAttribute(ctx context.Context, id, fqn string) (*policy.Attribute, error) {
+ switch {
+ case id != "":
+ return c.GetAttribute(ctx, id)
+ case fqn != "":
+ return c.GetAttribute(ctx, &attributes.GetAttributeRequest_Fqn{Fqn: fqn})
+ default:
+ return nil, db.WrapIfKnownInvalidQueryErr(
+ errors.Join(db.ErrMissingValue, errors.New("either an attribute definition ID or FQN is required")),
+ )
+ }
+}
+
+func validateDefinitionValueEntitlementMappingAttribute(attr *policy.Attribute) error {
+ switch attr.GetRule() {
+ case policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF,
+ policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF:
+ return nil
+ case policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY:
+ return errors.Join(db.ErrEnumValueInvalid, errors.New("definition value entitlement mappings do not support HIERARCHY attributes"))
+ case policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED:
+ fallthrough
+ default:
+ return errors.Join(db.ErrEnumValueInvalid, errors.New("definition value entitlement mappings require ALL_OF or ANY_OF attributes"))
+ }
+}
+
+// ensureNoValueSubjectMappingCoexistence rejects creation of a dynamic mapping when the
+// definition's values already carry value-level subject mappings.
+func (c PolicyDBClient) ensureNoValueSubjectMappingCoexistence(ctx context.Context, definitionID string) error {
+ count, err := c.queries.countValueSubjectMappingsByDefinitionID(ctx, definitionID)
+ if err != nil {
+ return db.WrapIfKnownInvalidQueryErr(err)
+ }
+ if count > 0 {
+ return errors.Join(db.ErrRestrictViolation,
+ fmt.Errorf("attribute definition [%s] already has value-level subject mappings; it cannot also have a definition value entitlement mapping", definitionID))
+ }
+ return nil
+}
+
+// ensureNoDefinitionValueEntitlementMappingCoexistence rejects creation of a value-level
+// subject mapping when the value's parent definition already has a dynamic value
+// entitlement mapping.
+func (c PolicyDBClient) ensureNoDefinitionValueEntitlementMappingCoexistence(ctx context.Context, attributeValueID string) error {
+ if attributeValueID == "" {
+ return nil
+ }
+ definitionID, err := c.queries.getAttributeDefinitionIDByValueID(ctx, attributeValueID)
+ if err != nil {
+ return db.WrapIfKnownInvalidQueryErr(err)
+ }
+ count, err := c.queries.countDefinitionValueEntitlementMappingsByDefinitionID(ctx, definitionID)
+ if err != nil {
+ return db.WrapIfKnownInvalidQueryErr(err)
+ }
+ if count > 0 {
+ return errors.Join(db.ErrRestrictViolation,
+ fmt.Errorf("attribute definition [%s] has a definition value entitlement mapping; it cannot also have value-level subject mappings", definitionID))
+ }
+ return nil
+}
+
+func (c PolicyDBClient) resolveDefinitionValueEntitlementMappingSubjectConditionSet(
+ ctx context.Context,
+ r *definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest,
+ namespaceID string,
+) (*policy.SubjectConditionSet, error) {
+ switch {
+ case r.GetExistingSubjectConditionSetId() != "":
+ scs, err := c.GetSubjectConditionSet(ctx, r.GetExistingSubjectConditionSetId())
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+ return scs, nil
+ case r.GetNewSubjectConditionSet() != nil:
+ scs, err := c.CreateSubjectConditionSet(ctx, r.GetNewSubjectConditionSet(), namespaceID, "")
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+ return scs, nil
+ default:
+ // The static pre-gate is optional; no SubjectConditionSet is a valid state.
+ return nil, nil //nolint:nilnil // optional pre-gate: nil SCS with nil error is intentional
+ }
+}
+
+func (c PolicyDBClient) validateDefinitionValueEntitlementMappingNamespaceConsistency(
+ ctx context.Context,
+ targetNsID string,
+ attr *policy.Attribute,
+ actionIDs []string,
+ scs *policy.SubjectConditionSet,
+) error {
+ if targetNsID != "" && attr.GetNamespace().GetId() != targetNsID {
+ return errors.Join(db.ErrNamespaceMismatch,
+ fmt.Errorf("attribute definition namespace [%s] does not match the specified definition value entitlement mapping namespace [%s]", attr.GetNamespace().GetId(), targetNsID))
+ }
+
+ if len(actionIDs) > 0 {
+ actionRows, err := c.queries.getActionsByIDs(ctx, actionIDs)
+ if err != nil {
+ return db.WrapIfKnownInvalidQueryErr(err)
+ }
+ for _, a := range actionRows {
+ actionNsID := UUIDToString(a.NamespaceID)
+ if actionNsID != targetNsID {
+ return errors.Join(db.ErrNamespaceMismatch,
+ fmt.Errorf("action [%s] namespace [%s] does not match the specified definition value entitlement mapping namespace [%s]", a.ID, actionNsID, targetNsID))
+ }
+ }
+ }
+
+ if scs != nil && scs.GetNamespace().GetId() != targetNsID {
+ return errors.Join(db.ErrNamespaceMismatch,
+ fmt.Errorf("subject condition set [%s] namespace [%s] does not match the specified definition value entitlement mapping namespace [%s]", scs.GetId(), scs.GetNamespace().GetId(), targetNsID))
+ }
+
+ return nil
+}
diff --git a/service/policy/db/definition_value_entitlement_mappings.sql.go b/service/policy/db/definition_value_entitlement_mappings.sql.go
new file mode 100644
index 0000000000..a43b170abb
--- /dev/null
+++ b/service/policy/db/definition_value_entitlement_mappings.sql.go
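Review bot: `UpdateDefinitionValueEntitlementMapping` writes `SubjectConditionSetID: pgtypeUUID(r.GetSubjectConditionSetId())` straight from the request, so the namespace check that the create path runs through `validateDefinitionValueEntitlementMappingNamespaceConsistency` is skipped when the pre-gate is replaced. Unless the service layer checks this before the call, a mapping can end up gated by a subject condition set owned by a different namespace, and the ID is never looked up before the write. Load the set and compare its namespace with `before.GetNamespace().GetId()` before building `updateParams`, returning `db.ErrNamespaceMismatch` as create does; the action IDs resolved further down deserve the same `getActionsByIDs` comparison unless `resolveSubjectMappingActions` (not visible here) already enforces it. Separately, the two `ensureNo…Coexistence` helpers count and then insert in separate statements, so without an enclosing transaction or a schema constraint, concurrent creates on the two paths can each pass the check.

```go
	// … unchanged: load `before`, marshal metadata …

	targetNamespaceID := before.GetNamespace().GetId()
	if scsID := r.GetSubjectConditionSetId(); scsID != "" {
		scs, err := c.GetSubjectConditionSet(ctx, scsID)
		if err != nil {
			return nil, db.WrapIfKnownInvalidQueryErr(err)
		}
		if scs.GetNamespace().GetId() != targetNamespaceID {
			return nil, errors.Join(db.ErrNamespaceMismatch,
				fmt.Errorf("subject condition set [%s] namespace [%s] does not match the definition value entitlement mapping namespace [%s]", scs.GetId(), scs.GetNamespace().GetId(), targetNamespaceID))
		}
	}

	updateParams := updateDefinitionValueEntitlementMappingParams{
	// … unchanged: params, value resolver, action resolution (reusing targetNamespaceID), update query …
```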
@@ -0,0 +1,606 @@ +// Code generated by sqlc. DO NOT EDIT. +// versions: +// sqlc v1.30.0 +// source: definition_value_entitlement_mappings.sql + +package db + +import ( + "context" + + "github.com/jackc/pgx/v5/pgtype" +) + +const countDefinitionValueEntitlementMappingsByDefinitionID = `-- name: countDefinitionValueEntitlementMappingsByDefinitionID :one +SELECT COUNT(id) +FROM definition_value_entitlement_mappings +WHERE attribute_definition_id = $1 +` + +// Counts dynamic value entitlement mappings on the given definition. Used to enforce +// no-coexistence from the subject-mapping create path. +// +// SELECT COUNT(id) +// FROM definition_value_entitlement_mappings +// WHERE attribute_definition_id = $1 +func (q *Queries) countDefinitionValueEntitlementMappingsByDefinitionID(ctx context.Context, attributeDefinitionID string) (int64, error) { + row := q.db.QueryRow(ctx, countDefinitionValueEntitlementMappingsByDefinitionID, attributeDefinitionID) + var count int64 + err := row.Scan(&count) + return count, err +} + +const countValueSubjectMappingsByDefinitionID = `-- name: countValueSubjectMappingsByDefinitionID :one +SELECT COUNT(sm.id) +FROM subject_mappings sm +JOIN attribute_values av ON sm.attribute_value_id = av.id +WHERE av.attribute_definition_id = $1 +` + +// Counts value-level subject mappings whose attribute value belongs to the given +// definition. Used to enforce no-coexistence with dynamic value entitlement mappings. 
+// +// SELECT COUNT(sm.id) +// FROM subject_mappings sm +// JOIN attribute_values av ON sm.attribute_value_id = av.id +// WHERE av.attribute_definition_id = $1 +func (q *Queries) countValueSubjectMappingsByDefinitionID(ctx context.Context, attributeDefinitionID string) (int64, error) { + row := q.db.QueryRow(ctx, countValueSubjectMappingsByDefinitionID, attributeDefinitionID) + var count int64 + err := row.Scan(&count) + return count, err +} + +const createDefinitionValueEntitlementMapping = `-- name: createDefinitionValueEntitlementMapping :one +WITH inserted_mapping AS ( + INSERT INTO definition_value_entitlement_mappings ( + attribute_definition_id, + subject_external_selector_value, + operator, + metadata, + subject_condition_set_id, + namespace_id + ) + VALUES ( + $1, + $2, + $3, + $4, + $5::uuid, + $6::uuid + ) + RETURNING id +), +inserted_actions AS ( + INSERT INTO definition_value_entitlement_mapping_actions (definition_value_entitlement_mapping_id, action_id) + SELECT + (SELECT id FROM inserted_mapping), + unnest($7::uuid[]) +) +SELECT id FROM inserted_mapping +` + +type createDefinitionValueEntitlementMappingParams struct { + AttributeDefinitionID string `json:"attribute_definition_id"` + SubjectExternalSelectorValue string `json:"subject_external_selector_value"` + Operator int16 `json:"operator"` + Metadata []byte `json:"metadata"` + SubjectConditionSetID pgtype.UUID `json:"subject_condition_set_id"` + NamespaceID pgtype.UUID `json:"namespace_id"` + ActionIds []string `json:"action_ids"` +} + +// createDefinitionValueEntitlementMapping +// +// WITH inserted_mapping AS ( +// INSERT INTO definition_value_entitlement_mappings ( +// attribute_definition_id, +// subject_external_selector_value, +// operator, +// metadata, +// subject_condition_set_id, +// namespace_id +// ) +// VALUES ( +// $1, +// $2, +// $3, +// $4, +// $5::uuid, +// $6::uuid +// ) +// RETURNING id +// ), +// inserted_actions AS ( +// INSERT INTO 
definition_value_entitlement_mapping_actions (definition_value_entitlement_mapping_id, action_id) +// SELECT +// (SELECT id FROM inserted_mapping), +// unnest($7::uuid[]) +// ) +// SELECT id FROM inserted_mapping +func (q *Queries) createDefinitionValueEntitlementMapping(ctx context.Context, arg createDefinitionValueEntitlementMappingParams) (string, error) { + row := q.db.QueryRow(ctx, createDefinitionValueEntitlementMapping, + arg.AttributeDefinitionID, + arg.SubjectExternalSelectorValue, + arg.Operator, + arg.Metadata, + arg.SubjectConditionSetID, + arg.NamespaceID, + arg.ActionIds, + ) + var id string + err := row.Scan(&id) + return id, err +} + +const deleteDefinitionValueEntitlementMapping = `-- name: deleteDefinitionValueEntitlementMapping :execrows +DELETE FROM definition_value_entitlement_mappings WHERE id = $1 +` + +// deleteDefinitionValueEntitlementMapping +// +// DELETE FROM definition_value_entitlement_mappings WHERE id = $1 +func (q *Queries) deleteDefinitionValueEntitlementMapping(ctx context.Context, id string) (int64, error) { + result, err := q.db.Exec(ctx, deleteDefinitionValueEntitlementMapping, id) + if err != nil { + return 0, err + } + return result.RowsAffected(), nil +} + +const getAttributeDefinitionIDByValueID = `-- name: getAttributeDefinitionIDByValueID :one +SELECT attribute_definition_id +FROM attribute_values +WHERE id = $1 +` + +// getAttributeDefinitionIDByValueID +// +// SELECT attribute_definition_id +// FROM attribute_values +// WHERE id = $1 +func (q *Queries) getAttributeDefinitionIDByValueID(ctx context.Context, id string) (string, error) { + row := q.db.QueryRow(ctx, getAttributeDefinitionIDByValueID, id) + var attribute_definition_id string + err := row.Scan(&attribute_definition_id) + return attribute_definition_id, err +} + +const getDefinitionValueEntitlementMapping = `-- name: getDefinitionValueEntitlementMapping :one +WITH mapping_actions AS ( + SELECT + dvm.action_id, + dvm.definition_value_entitlement_mapping_id, + 
JSONB_BUILD_OBJECT( + 'id', a.id, + 'name', a.name, + 'namespace', CASE WHEN a.namespace_id IS NULL THEN NULL + ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn) + END + ) AS action + FROM definition_value_entitlement_mapping_actions dvm + JOIN actions a ON dvm.action_id = a.id + LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id + LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL + WHERE dvm.definition_value_entitlement_mapping_id = $1 +), +definition_actions AS ( + SELECT + definition_value_entitlement_mapping_id, + COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions + FROM mapping_actions + GROUP BY definition_value_entitlement_mapping_id +) +SELECT + dvem.id, + dvem.attribute_definition_id, + dvem.subject_external_selector_value, + dvem.operator, + dvem.subject_condition_set_id, + COALESCE(da.actions, '[]'::JSONB) AS actions, + JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', dvem.metadata -> 'labels', 'created_at', dvem.created_at, 'updated_at', dvem.updated_at)) AS metadata, + CASE + WHEN dvem.namespace_id IS NULL THEN NULL + ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn) + END AS namespace +FROM definition_value_entitlement_mappings dvem +LEFT JOIN definition_actions da ON dvem.id = da.definition_value_entitlement_mapping_id +LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id +LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL +WHERE dvem.id = $1 +` + +type getDefinitionValueEntitlementMappingRow struct { + ID string `json:"id"` + AttributeDefinitionID string `json:"attribute_definition_id"` + SubjectExternalSelectorValue string `json:"subject_external_selector_value"` + Operator int16 `json:"operator"` + SubjectConditionSetID pgtype.UUID `json:"subject_condition_set_id"` + Actions interface{} `json:"actions"` + 
Metadata []byte `json:"metadata"` + Namespace interface{} `json:"namespace"` +} + +// getDefinitionValueEntitlementMapping +// +// WITH mapping_actions AS ( +// SELECT +// dvm.action_id, +// dvm.definition_value_entitlement_mapping_id, +// JSONB_BUILD_OBJECT( +// 'id', a.id, +// 'name', a.name, +// 'namespace', CASE WHEN a.namespace_id IS NULL THEN NULL +// ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn) +// END +// ) AS action +// FROM definition_value_entitlement_mapping_actions dvm +// JOIN actions a ON dvm.action_id = a.id +// LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id +// LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL +// WHERE dvm.definition_value_entitlement_mapping_id = $1 +// ), +// definition_actions AS ( +// SELECT +// definition_value_entitlement_mapping_id, +// COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions +// FROM mapping_actions +// GROUP BY definition_value_entitlement_mapping_id +// ) +// SELECT +// dvem.id, +// dvem.attribute_definition_id, +// dvem.subject_external_selector_value, +// dvem.operator, +// dvem.subject_condition_set_id, +// COALESCE(da.actions, '[]'::JSONB) AS actions, +// JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', dvem.metadata -> 'labels', 'created_at', dvem.created_at, 'updated_at', dvem.updated_at)) AS metadata, +// CASE +// WHEN dvem.namespace_id IS NULL THEN NULL +// ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn) +// END AS namespace +// FROM definition_value_entitlement_mappings dvem +// LEFT JOIN definition_actions da ON dvem.id = da.definition_value_entitlement_mapping_id +// LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id +// LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL +// WHERE dvem.id = $1 +func (q *Queries) 
getDefinitionValueEntitlementMapping(ctx context.Context, id string) (getDefinitionValueEntitlementMappingRow, error) { + row := q.db.QueryRow(ctx, getDefinitionValueEntitlementMapping, id) + var i getDefinitionValueEntitlementMappingRow + err := row.Scan( + &i.ID, + &i.AttributeDefinitionID, + &i.SubjectExternalSelectorValue, + &i.Operator, + &i.SubjectConditionSetID, + &i.Actions, + &i.Metadata, + &i.Namespace, + ) + return i, err +} + +const listDefinitionValueEntitlementMappings = `-- name: listDefinitionValueEntitlementMappings :many + +WITH params AS ( + SELECT + COALESCE(NULLIF($6::text, ''), 'created_at') AS resolved_field, + COALESCE(NULLIF($7::text, ''), 'DESC') AS resolved_direction +), +mapping_actions AS ( + SELECT + dvm.action_id, + dvm.definition_value_entitlement_mapping_id, + JSONB_BUILD_OBJECT( + 'id', a.id, + 'name', a.name, + 'namespace', CASE WHEN a.namespace_id IS NULL THEN NULL + ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn) + END + ) AS action + FROM definition_value_entitlement_mapping_actions dvm + JOIN actions a ON dvm.action_id = a.id + LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id + LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL +), +definition_actions AS ( + SELECT + definition_value_entitlement_mapping_id, + COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions + FROM mapping_actions + GROUP BY definition_value_entitlement_mapping_id +), +counted AS ( + SELECT COUNT(dvem.id) AS total + FROM definition_value_entitlement_mappings dvem + LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id + LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL + WHERE + ($1::uuid IS NULL OR dvem.namespace_id = $1::uuid) + AND ($2::text IS NULL OR m_ns_fqns.fqn = $2::text) + AND ($3::uuid IS NULL OR dvem.attribute_definition_id = 
$3::uuid) +) +SELECT + dvem.id, + dvem.attribute_definition_id, + dvem.subject_external_selector_value, + dvem.operator, + dvem.subject_condition_set_id, + COALESCE(da.actions, '[]'::JSONB) AS actions, + JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', dvem.metadata -> 'labels', 'created_at', dvem.created_at, 'updated_at', dvem.updated_at)) AS metadata, + CASE + WHEN dvem.namespace_id IS NULL THEN NULL + ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn) + END AS namespace, + counted.total +FROM definition_value_entitlement_mappings dvem +CROSS JOIN counted +CROSS JOIN params p +LEFT JOIN definition_actions da ON dvem.id = da.definition_value_entitlement_mapping_id +LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id +LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL +WHERE + ($1::uuid IS NULL OR dvem.namespace_id = $1::uuid) + AND ($2::text IS NULL OR m_ns_fqns.fqn = $2::text) + AND ($3::uuid IS NULL OR dvem.attribute_definition_id = $3::uuid) +GROUP BY + dvem.id, + da.actions, + dvem.metadata, dvem.created_at, dvem.updated_at, + m_ns.id, m_ns.name, m_ns_fqns.fqn, + counted.total, + p.resolved_field, p.resolved_direction +ORDER BY + CASE WHEN p.resolved_field = 'created_at' AND p.resolved_direction = 'ASC' THEN dvem.created_at END ASC, + CASE WHEN p.resolved_field = 'created_at' AND p.resolved_direction = 'DESC' THEN dvem.created_at END DESC, + CASE WHEN p.resolved_field = 'updated_at' AND p.resolved_direction = 'ASC' THEN dvem.updated_at END ASC, + CASE WHEN p.resolved_field = 'updated_at' AND p.resolved_direction = 'DESC' THEN dvem.updated_at END DESC, + dvem.id ASC +LIMIT $5 +OFFSET $4 +` + +type listDefinitionValueEntitlementMappingsParams struct { + NamespaceID pgtype.UUID `json:"namespace_id"` + NamespaceFqn pgtype.Text `json:"namespace_fqn"` + AttributeDefinitionID pgtype.UUID `json:"attribute_definition_id"` + Offset int32 
`json:"offset_"` + Limit int32 `json:"limit_"` + SortField string `json:"sort_field"` + SortDirection string `json:"sort_direction"` +} + +type listDefinitionValueEntitlementMappingsRow struct { + ID string `json:"id"` + AttributeDefinitionID string `json:"attribute_definition_id"` + SubjectExternalSelectorValue string `json:"subject_external_selector_value"` + Operator int16 `json:"operator"` + SubjectConditionSetID pgtype.UUID `json:"subject_condition_set_id"` + Actions interface{} `json:"actions"` + Metadata []byte `json:"metadata"` + Namespace interface{} `json:"namespace"` + Total int64 `json:"total"` +} + +// -------------------------------------------------------------- +// DEFINITION VALUE ENTITLEMENT MAPPINGS +// -------------------------------------------------------------- +// +// WITH params AS ( +// SELECT +// COALESCE(NULLIF($6::text, ''), 'created_at') AS resolved_field, +// COALESCE(NULLIF($7::text, ''), 'DESC') AS resolved_direction +// ), +// mapping_actions AS ( +// SELECT +// dvm.action_id, +// dvm.definition_value_entitlement_mapping_id, +// JSONB_BUILD_OBJECT( +// 'id', a.id, +// 'name', a.name, +// 'namespace', CASE WHEN a.namespace_id IS NULL THEN NULL +// ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn) +// END +// ) AS action +// FROM definition_value_entitlement_mapping_actions dvm +// JOIN actions a ON dvm.action_id = a.id +// LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id +// LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL +// ), +// definition_actions AS ( +// SELECT +// definition_value_entitlement_mapping_id, +// COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions +// FROM mapping_actions +// GROUP BY definition_value_entitlement_mapping_id +// ), +// counted AS ( +// SELECT COUNT(dvem.id) AS total +// FROM definition_value_entitlement_mappings dvem +// LEFT JOIN attribute_namespaces m_ns ON m_ns.id = 
dvem.namespace_id +// LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL +// WHERE +// ($1::uuid IS NULL OR dvem.namespace_id = $1::uuid) +// AND ($2::text IS NULL OR m_ns_fqns.fqn = $2::text) +// AND ($3::uuid IS NULL OR dvem.attribute_definition_id = $3::uuid) +// ) +// SELECT +// dvem.id, +// dvem.attribute_definition_id, +// dvem.subject_external_selector_value, +// dvem.operator, +// dvem.subject_condition_set_id, +// COALESCE(da.actions, '[]'::JSONB) AS actions, +// JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', dvem.metadata -> 'labels', 'created_at', dvem.created_at, 'updated_at', dvem.updated_at)) AS metadata, +// CASE +// WHEN dvem.namespace_id IS NULL THEN NULL +// ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn) +// END AS namespace, +// counted.total +// FROM definition_value_entitlement_mappings dvem +// CROSS JOIN counted +// CROSS JOIN params p +// LEFT JOIN definition_actions da ON dvem.id = da.definition_value_entitlement_mapping_id +// LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id +// LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL +// WHERE +// ($1::uuid IS NULL OR dvem.namespace_id = $1::uuid) +// AND ($2::text IS NULL OR m_ns_fqns.fqn = $2::text) +// AND ($3::uuid IS NULL OR dvem.attribute_definition_id = $3::uuid) +// GROUP BY +// dvem.id, +// da.actions, +// dvem.metadata, dvem.created_at, dvem.updated_at, +// m_ns.id, m_ns.name, m_ns_fqns.fqn, +// counted.total, +// p.resolved_field, p.resolved_direction +// ORDER BY +// CASE WHEN p.resolved_field = 'created_at' AND p.resolved_direction = 'ASC' THEN dvem.created_at END ASC, +// CASE WHEN p.resolved_field = 'created_at' AND p.resolved_direction = 'DESC' THEN dvem.created_at END DESC, +// CASE WHEN p.resolved_field = 'updated_at' AND p.resolved_direction = 'ASC' THEN 
dvem.updated_at END ASC, +// CASE WHEN p.resolved_field = 'updated_at' AND p.resolved_direction = 'DESC' THEN dvem.updated_at END DESC, +// dvem.id ASC +// LIMIT $5 +// OFFSET $4 +func (q *Queries) listDefinitionValueEntitlementMappings(ctx context.Context, arg listDefinitionValueEntitlementMappingsParams) ([]listDefinitionValueEntitlementMappingsRow, error) { + rows, err := q.db.Query(ctx, listDefinitionValueEntitlementMappings, + arg.NamespaceID, + arg.NamespaceFqn, + arg.AttributeDefinitionID, + arg.Offset, + arg.Limit, + arg.SortField, + arg.SortDirection, + ) + if err != nil { + return nil, err + } + defer rows.Close() + var items []listDefinitionValueEntitlementMappingsRow + for rows.Next() { + var i listDefinitionValueEntitlementMappingsRow + if err := rows.Scan( + &i.ID, + &i.AttributeDefinitionID, + &i.SubjectExternalSelectorValue, + &i.Operator, + &i.SubjectConditionSetID, + &i.Actions, + &i.Metadata, + &i.Namespace, + &i.Total, + ); err != nil { + return nil, err + } + items = append(items, i) + } + if err := rows.Err(); err != nil { + return nil, err + } + return items, nil +} + +const updateDefinitionValueEntitlementMapping = `-- name: updateDefinitionValueEntitlementMapping :execrows +WITH + mapping_update AS ( + UPDATE definition_value_entitlement_mappings + SET + metadata = COALESCE($1::JSONB, metadata), + subject_external_selector_value = COALESCE($2::TEXT, subject_external_selector_value), + operator = COALESCE($3::SMALLINT, operator), + subject_condition_set_id = COALESCE($4::UUID, subject_condition_set_id) + WHERE id = $5 + RETURNING id + ), + action_delete AS ( + DELETE FROM definition_value_entitlement_mapping_actions + WHERE + definition_value_entitlement_mapping_id = $5 + AND $6::UUID[] IS NOT NULL + AND action_id NOT IN (SELECT unnest($6::UUID[])) + ), + action_insert AS ( + INSERT INTO definition_value_entitlement_mapping_actions (definition_value_entitlement_mapping_id, action_id) + SELECT + $5, + a + FROM unnest($6::UUID[]) AS a + WHERE 
+ $6::UUID[] IS NOT NULL + AND NOT EXISTS ( + SELECT 1 + FROM definition_value_entitlement_mapping_actions + WHERE definition_value_entitlement_mapping_id = $5 AND action_id = a + ) + ), + update_count AS ( + SELECT COUNT(*) AS cnt + FROM mapping_update + ) +SELECT cnt +FROM update_count +` + +type updateDefinitionValueEntitlementMappingParams struct { + Metadata []byte `json:"metadata"` + SubjectExternalSelectorValue pgtype.Text `json:"subject_external_selector_value"` + Operator pgtype.Int2 `json:"operator"` + SubjectConditionSetID pgtype.UUID `json:"subject_condition_set_id"` + ID string `json:"id"` + ActionIds []string `json:"action_ids"` +} + +// updateDefinitionValueEntitlementMapping +// +// WITH +// mapping_update AS ( +// UPDATE definition_value_entitlement_mappings +// SET +// metadata = COALESCE($1::JSONB, metadata), +// subject_external_selector_value = COALESCE($2::TEXT, subject_external_selector_value), +// operator = COALESCE($3::SMALLINT, operator), +// subject_condition_set_id = COALESCE($4::UUID, subject_condition_set_id) +// WHERE id = $5 +// RETURNING id +// ), +// action_delete AS ( +// DELETE FROM definition_value_entitlement_mapping_actions +// WHERE +// definition_value_entitlement_mapping_id = $5 +// AND $6::UUID[] IS NOT NULL +// AND action_id NOT IN (SELECT unnest($6::UUID[])) +// ), +// action_insert AS ( +// INSERT INTO definition_value_entitlement_mapping_actions (definition_value_entitlement_mapping_id, action_id) +// SELECT +// $5, +// a +// FROM unnest($6::UUID[]) AS a +// WHERE +// $6::UUID[] IS NOT NULL +// AND NOT EXISTS ( +// SELECT 1 +// FROM definition_value_entitlement_mapping_actions +// WHERE definition_value_entitlement_mapping_id = $5 AND action_id = a +// ) +// ), +// update_count AS ( +// SELECT COUNT(*) AS cnt +// FROM mapping_update +// ) +// SELECT cnt +// FROM update_count +func (q *Queries) updateDefinitionValueEntitlementMapping(ctx context.Context, arg updateDefinitionValueEntitlementMappingParams) (int64, error) 
{ + result, err := q.db.Exec(ctx, updateDefinitionValueEntitlementMapping, + arg.Metadata, + arg.SubjectExternalSelectorValue, + arg.Operator, + arg.SubjectConditionSetID, + arg.ID, + arg.ActionIds, + ) + if err != nil { + return 0, err + } + return result.RowsAffected(), nil +} diff --git a/service/policy/db/key_access_server_registry.sql.go b/service/policy/db/key_access_server_registry.sql.go index f7b709306f..399449936a 100644 --- a/service/policy/db/key_access_server_registry.sql.go +++ b/service/policy/db/key_access_server_registry.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.31.0 +// sqlc v1.30.0 // source: key_access_server_registry.sql package db diff --git a/service/policy/db/key_management.sql.go b/service/policy/db/key_management.sql.go index eae00e6412..2a0bcdf8af 100644 --- a/service/policy/db/key_management.sql.go +++ b/service/policy/db/key_management.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.31.0 +// sqlc v1.30.0 // source: key_management.sql package db diff --git a/service/policy/db/migrations/20260604000000_add_definition_value_entitlement_mappings.sql b/service/policy/db/migrations/20260604000000_add_definition_value_entitlement_mappings.sql new file mode 100644 index 0000000000..3997b8b31d --- /dev/null +++ b/service/policy/db/migrations/20260604000000_add_definition_value_entitlement_mappings.sql 
@@ -0,0 +1,62 @@ +-- +goose Up +-- +goose StatementBegin + +-- Definition Value Entitlement Mappings raise entitlement authority from a concrete +-- attribute value to the attribute definition. A single mapping resolves entitlement for +-- dynamically-requested values under the definition by comparing the requested resource +-- value segment against the entity representation (the value_resolver), optionally gated +-- by a static SubjectConditionSet. +CREATE TABLE IF NOT EXISTS definition_value_entitlement_mappings ( + id UUID PRIMARY KEY DEFAULT gen_random_uuid(), + attribute_definition_id UUID NOT NULL REFERENCES attribute_definitions(id) ON DELETE CASCADE, + -- value_resolver: selector against the flattened entity representation + dynamic operator + subject_external_selector_value TEXT NOT NULL, + operator SMALLINT NOT NULL, + -- optional static pre-gate, evaluated with normal SubjectConditionSet semantics + subject_condition_set_id UUID REFERENCES subject_condition_set(id) ON DELETE CASCADE, + namespace_id UUID REFERENCES attribute_namespaces(id) ON DELETE CASCADE, + metadata JSONB, + created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP, + updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP +); + +COMMENT ON TABLE definition_value_entitlement_mappings IS 'Definition-scoped dynamic value entitlement mappings (DSPX-2754)'; +COMMENT ON COLUMN definition_value_entitlement_mappings.subject_external_selector_value IS 'Selector resolved against the entity representation, compared to the requested resource value segment'; +COMMENT ON COLUMN definition_value_entitlement_mappings.operator IS 'policy.DynamicValueOperatorEnum value'; + +CREATE TRIGGER definition_value_entitlement_mappings_updated_at + BEFORE UPDATE ON definition_value_entitlement_mappings + FOR EACH ROW + EXECUTE FUNCTION update_updated_at(); + +CREATE TABLE IF NOT EXISTS definition_value_entitlement_mapping_actions ( + definition_value_entitlement_mapping_id UUID NOT 
NULL REFERENCES definition_value_entitlement_mappings(id) ON DELETE CASCADE, + action_id UUID NOT NULL REFERENCES actions(id) ON DELETE CASCADE, + PRIMARY KEY (definition_value_entitlement_mapping_id, action_id) +); + +CREATE INDEX idx_definition_value_entitlement_mappings_definition_id + ON definition_value_entitlement_mappings(attribute_definition_id); +CREATE INDEX idx_definition_value_entitlement_mappings_scs_id + ON definition_value_entitlement_mappings(subject_condition_set_id); +CREATE INDEX idx_definition_value_entitlement_mappings_namespace_id + ON definition_value_entitlement_mappings(namespace_id); +CREATE INDEX idx_definition_value_entitlement_mapping_actions_mapping_action + ON definition_value_entitlement_mapping_actions(definition_value_entitlement_mapping_id, action_id); + +-- +goose StatementEnd + +-- +goose Down +-- +goose StatementBegin + +DROP INDEX IF EXISTS idx_definition_value_entitlement_mapping_actions_mapping_action; +DROP INDEX IF EXISTS idx_definition_value_entitlement_mappings_namespace_id; +DROP INDEX IF EXISTS idx_definition_value_entitlement_mappings_scs_id; +DROP INDEX IF EXISTS idx_definition_value_entitlement_mappings_definition_id; + +DROP TABLE IF EXISTS definition_value_entitlement_mapping_actions; + +DROP TRIGGER IF EXISTS definition_value_entitlement_mappings_updated_at ON definition_value_entitlement_mappings; +DROP TABLE IF EXISTS definition_value_entitlement_mappings; + +-- +goose StatementEnd diff --git a/service/policy/db/models.go b/service/policy/db/models.go index fb0616f43f..9b8f16e38f 100644 --- a/service/policy/db/models.go +++ b/service/policy/db/models.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.31.0 +// sqlc v1.30.0 package db 
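Review bot: `operator SMALLINT NOT NULL` in `definition_value_entitlement_mappings` accepts any 16-bit value, so a row written outside the service (or by a later bug) can carry an operator the evaluator does not know. This column decides how an entity is matched to a requested value, so I would constrain it in the schema, e.g. `operator SMALLINT NOT NULL CHECK (operator > 0)` if 0 is the unspecified enum value (the enum is not visible here, please confirm). Evaluation should also deny on an unrecognised operator. Separately, `idx_definition_value_entitlement_mapping_actions_mapping_action` indexes exactly the columns of that table's primary key, so it duplicates the index the primary key already creates and can be dropped from both the Up and Down sections.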
@@ -234,6 +234,26 @@ type BaseKey struct { KeyAccessServerKeyID pgtype.UUID `json:"key_access_server_key_id"` } +// Definition-scoped dynamic value entitlement mappings (DSPX-2754) +type DefinitionValueEntitlementMapping struct { + ID string `json:"id"` + AttributeDefinitionID string `json:"attribute_definition_id"` + // Selector resolved against the entity representation, compared to the requested resource value segment + SubjectExternalSelectorValue string `json:"subject_external_selector_value"` + // policy.DynamicValueOperatorEnum value + Operator int16 `json:"operator"` + SubjectConditionSetID pgtype.UUID `json:"subject_condition_set_id"` + NamespaceID pgtype.UUID `json:"namespace_id"` + Metadata []byte `json:"metadata"` + CreatedAt pgtype.Timestamptz `json:"created_at"` + UpdatedAt pgtype.Timestamptz `json:"updated_at"` +} + +type DefinitionValueEntitlementMappingAction struct { + DefinitionValueEntitlementMappingID string `json:"definition_value_entitlement_mapping_id"` + ActionID string `json:"action_id"` +} + // Table to store the known registrations of key access servers (KASs) type KeyAccessServer struct { // Primary key for the table diff --git a/service/policy/db/namespaces.sql.go b/service/policy/db/namespaces.sql.go index 7bb3937313..655ac654a0 100644 --- a/service/policy/db/namespaces.sql.go +++ b/service/policy/db/namespaces.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.31.0 +// sqlc v1.30.0 // source: namespaces.sql package db diff --git a/service/policy/db/obligations.sql.go b/service/policy/db/obligations.sql.go index 893dcea627..433d76beb4 100644 --- a/service/policy/db/obligations.sql.go +++ b/service/policy/db/obligations.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.31.0 +// sqlc v1.30.0 // source: obligations.sql package db 
@@ -557,9 +557,8 @@ RETURNING id // RETURNING id func (q *Queries) deleteObligationTrigger(ctx context.Context, id string) (string, error) { row := q.db.QueryRow(ctx, deleteObligationTrigger, id) - var id_2 string - err := row.Scan(&id_2) - return id_2, err + err := row.Scan(&id) + return id, err } const deleteObligationValue = `-- name: deleteObligationValue :one diff --git a/service/policy/db/queries/definition_value_entitlement_mappings.sql b/service/policy/db/queries/definition_value_entitlement_mappings.sql new file mode 100644 index 0000000000..6d9c8c6c30 --- /dev/null +++ b/service/policy/db/queries/definition_value_entitlement_mappings.sql 
@@ -0,0 +1,215 @@ +---------------------------------------------------------------- +-- DEFINITION VALUE ENTITLEMENT MAPPINGS +---------------------------------------------------------------- + +-- name: listDefinitionValueEntitlementMappings :many +WITH params AS ( + SELECT + COALESCE(NULLIF(@sort_field::text, ''), 'created_at') AS resolved_field, + COALESCE(NULLIF(@sort_direction::text, ''), 'DESC') AS resolved_direction +), +mapping_actions AS ( + SELECT + dvm.action_id, + dvm.definition_value_entitlement_mapping_id, + JSONB_BUILD_OBJECT( + 'id', a.id, + 'name', a.name, + 'namespace', CASE WHEN a.namespace_id IS NULL THEN NULL + ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn) + END + ) AS action + FROM definition_value_entitlement_mapping_actions dvm + JOIN actions a ON dvm.action_id = a.id + LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id + LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL +), +definition_actions AS ( + SELECT + definition_value_entitlement_mapping_id, + COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions + FROM mapping_actions + GROUP BY definition_value_entitlement_mapping_id +), +counted AS ( + SELECT COUNT(dvem.id) AS total + FROM definition_value_entitlement_mappings dvem + LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id + LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL + WHERE + (sqlc.narg('namespace_id')::uuid IS NULL OR dvem.namespace_id = sqlc.narg('namespace_id')::uuid) + AND (sqlc.narg('namespace_fqn')::text IS NULL OR m_ns_fqns.fqn = sqlc.narg('namespace_fqn')::text) + AND (sqlc.narg('attribute_definition_id')::uuid IS NULL OR dvem.attribute_definition_id = sqlc.narg('attribute_definition_id')::uuid) +) +SELECT + dvem.id, + dvem.attribute_definition_id, + dvem.subject_external_selector_value, + 
dvem.operator, + dvem.subject_condition_set_id, + COALESCE(da.actions, '[]'::JSONB) AS actions, + JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', dvem.metadata -> 'labels', 'created_at', dvem.created_at, 'updated_at', dvem.updated_at)) AS metadata, + CASE + WHEN dvem.namespace_id IS NULL THEN NULL + ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn) + END AS namespace, + counted.total +FROM definition_value_entitlement_mappings dvem +CROSS JOIN counted +CROSS JOIN params p +LEFT JOIN definition_actions da ON dvem.id = da.definition_value_entitlement_mapping_id +LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id +LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL +WHERE + (sqlc.narg('namespace_id')::uuid IS NULL OR dvem.namespace_id = sqlc.narg('namespace_id')::uuid) + AND (sqlc.narg('namespace_fqn')::text IS NULL OR m_ns_fqns.fqn = sqlc.narg('namespace_fqn')::text) + AND (sqlc.narg('attribute_definition_id')::uuid IS NULL OR dvem.attribute_definition_id = sqlc.narg('attribute_definition_id')::uuid) +GROUP BY + dvem.id, + da.actions, + dvem.metadata, dvem.created_at, dvem.updated_at, + m_ns.id, m_ns.name, m_ns_fqns.fqn, + counted.total, + p.resolved_field, p.resolved_direction +ORDER BY + CASE WHEN p.resolved_field = 'created_at' AND p.resolved_direction = 'ASC' THEN dvem.created_at END ASC, + CASE WHEN p.resolved_field = 'created_at' AND p.resolved_direction = 'DESC' THEN dvem.created_at END DESC, + CASE WHEN p.resolved_field = 'updated_at' AND p.resolved_direction = 'ASC' THEN dvem.updated_at END ASC, + CASE WHEN p.resolved_field = 'updated_at' AND p.resolved_direction = 'DESC' THEN dvem.updated_at END DESC, + dvem.id ASC +LIMIT @limit_ +OFFSET @offset_; + +-- name: getDefinitionValueEntitlementMapping :one +WITH mapping_actions AS ( + SELECT + dvm.action_id, + dvm.definition_value_entitlement_mapping_id, + JSONB_BUILD_OBJECT( + 'id', 
a.id, + 'name', a.name, + 'namespace', CASE WHEN a.namespace_id IS NULL THEN NULL + ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn) + END + ) AS action + FROM definition_value_entitlement_mapping_actions dvm + JOIN actions a ON dvm.action_id = a.id + LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id + LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL + WHERE dvm.definition_value_entitlement_mapping_id = @id +), +definition_actions AS ( + SELECT + definition_value_entitlement_mapping_id, + COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions + FROM mapping_actions + GROUP BY definition_value_entitlement_mapping_id +) +SELECT + dvem.id, + dvem.attribute_definition_id, + dvem.subject_external_selector_value, + dvem.operator, + dvem.subject_condition_set_id, + COALESCE(da.actions, '[]'::JSONB) AS actions, + JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', dvem.metadata -> 'labels', 'created_at', dvem.created_at, 'updated_at', dvem.updated_at)) AS metadata, + CASE + WHEN dvem.namespace_id IS NULL THEN NULL + ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn) + END AS namespace +FROM definition_value_entitlement_mappings dvem +LEFT JOIN definition_actions da ON dvem.id = da.definition_value_entitlement_mapping_id +LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id +LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL +WHERE dvem.id = @id; + +-- name: createDefinitionValueEntitlementMapping :one +WITH inserted_mapping AS ( + INSERT INTO definition_value_entitlement_mappings ( + attribute_definition_id, + subject_external_selector_value, + operator, + metadata, + subject_condition_set_id, + namespace_id + ) + VALUES ( + @attribute_definition_id, + @subject_external_selector_value, + @operator, + @metadata, + 
sqlc.narg('subject_condition_set_id')::uuid, + sqlc.narg('namespace_id')::uuid + ) + RETURNING id +), +inserted_actions AS ( + INSERT INTO definition_value_entitlement_mapping_actions (definition_value_entitlement_mapping_id, action_id) + SELECT + (SELECT id FROM inserted_mapping), + unnest(sqlc.arg('action_ids')::uuid[]) +) +SELECT id FROM inserted_mapping; + +-- name: updateDefinitionValueEntitlementMapping :execrows +WITH + mapping_update AS ( + UPDATE definition_value_entitlement_mappings + SET + metadata = COALESCE(sqlc.narg('metadata')::JSONB, metadata), + subject_external_selector_value = COALESCE(sqlc.narg('subject_external_selector_value')::TEXT, subject_external_selector_value), + operator = COALESCE(sqlc.narg('operator')::SMALLINT, operator), + subject_condition_set_id = COALESCE(sqlc.narg('subject_condition_set_id')::UUID, subject_condition_set_id) + WHERE id = sqlc.arg('id') + RETURNING id + ), + action_delete AS ( + DELETE FROM definition_value_entitlement_mapping_actions + WHERE + definition_value_entitlement_mapping_id = sqlc.arg('id') + AND sqlc.narg('action_ids')::UUID[] IS NOT NULL + AND action_id NOT IN (SELECT unnest(sqlc.narg('action_ids')::UUID[])) + ), + action_insert AS ( + INSERT INTO definition_value_entitlement_mapping_actions (definition_value_entitlement_mapping_id, action_id) + SELECT + sqlc.arg('id'), + a + FROM unnest(sqlc.narg('action_ids')::UUID[]) AS a + WHERE + sqlc.narg('action_ids')::UUID[] IS NOT NULL + AND NOT EXISTS ( + SELECT 1 + FROM definition_value_entitlement_mapping_actions + WHERE definition_value_entitlement_mapping_id = sqlc.arg('id') AND action_id = a + ) + ), + update_count AS ( + SELECT COUNT(*) AS cnt + FROM mapping_update + ) +SELECT cnt +FROM update_count; + +-- name: deleteDefinitionValueEntitlementMapping :execrows +DELETE FROM definition_value_entitlement_mappings WHERE id = $1; + +-- name: countValueSubjectMappingsByDefinitionID :one +-- Counts value-level subject mappings whose attribute value belongs to 
the given +-- definition. Used to enforce no-coexistence with dynamic value entitlement mappings. +SELECT COUNT(sm.id) +FROM subject_mappings sm +JOIN attribute_values av ON sm.attribute_value_id = av.id +WHERE av.attribute_definition_id = $1; + +-- name: countDefinitionValueEntitlementMappingsByDefinitionID :one +-- Counts dynamic value entitlement mappings on the given definition. Used to enforce +-- no-coexistence from the subject-mapping create path. +SELECT COUNT(id) +FROM definition_value_entitlement_mappings +WHERE attribute_definition_id = $1; + +-- name: getAttributeDefinitionIDByValueID :one +SELECT attribute_definition_id +FROM attribute_values +WHERE id = $1; diff --git a/service/policy/db/registered_resources.sql.go b/service/policy/db/registered_resources.sql.go index f2d85ee96b..d26fbb13ba 100644 --- a/service/policy/db/registered_resources.sql.go +++ b/service/policy/db/registered_resources.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.31.0 +// sqlc v1.30.0 // source: registered_resources.sql package db diff --git a/service/policy/db/resource_mapping.sql.go b/service/policy/db/resource_mapping.sql.go index 06313547d9..61ec1eb663 100644 --- a/service/policy/db/resource_mapping.sql.go +++ b/service/policy/db/resource_mapping.sql.go @@ -1,6 +1,6 @@ // Code generated by sqlc. DO NOT EDIT. // versions: -// sqlc v1.31.0 +// sqlc v1.30.0 // source: resource_mapping.sql package db diff --git a/service/policy/db/subject_mappings.go b/service/policy/db/subject_mappings.go index 6153629e5a..a2c978d91f 100644 --- a/service/policy/db/subject_mappings.go +++ b/service/policy/db/subject_mappings.go 
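Review bot: `countValueSubjectMappingsByDefinitionID` and `countDefinitionValueEntitlementMappingsByDefinitionID` implement the no-coexistence rule as count-then-insert, which does not hold under concurrency at PostgreSQL's default isolation level. One request creating a value-level subject mapping and another creating a dynamic mapping for the same definition can each see a count of zero and both commit. Because the rule decides which entitlement path applies to a definition, I would serialise the two create paths on the definition row, for example with `SELECT id FROM attribute_definitions WHERE id = $1 FOR UPDATE` run in the same transaction before either count. The same applies to the check added to CreateSubjectMapping in subject_mappings.go, where the hunk does not show whether the call runs inside a transaction.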
@@ -264,6 +264,13 @@ func (c PolicyDBClient) DeleteAllUnmappedSubjectConditionSets(ctx context.Contex
 // If a new subject condition set is provided, it will be created. The existing subject condition set id takes precedence.
 func (c PolicyDBClient) CreateSubjectMapping(ctx context.Context, s *subjectmapping.CreateSubjectMappingRequest) (*policy.SubjectMapping, error) {
 attributeValueID := s.GetAttributeValueId()
+
+ // Enforce no-coexistence: a value-level subject mapping cannot be created on a
+ // definition that already has a dynamic value entitlement mapping (DSPX-2754 / ADR 0005).
+ if err := c.ensureNoDefinitionValueEntitlementMappingCoexistence(ctx, attributeValueID); err != nil {
+ return nil, err
+ }
+
 resolvedNamespaceID, err := c.resolveNamespace(ctx, s.GetNamespaceId(), s.GetNamespaceFqn())
 if err != nil {
 return nil, err
diff --git a/service/policy/db/subject_mappings.sql.go b/service/policy/db/subject_mappings.sql.go
index 259e84114b..0323b0e398 100644
--- a/service/policy/db/subject_mappings.sql.go
+++ b/service/policy/db/subject_mappings.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-// sqlc v1.31.0
+// sqlc v1.30.0
 // source: subject_mappings.sql
 package db
diff --git a/service/policy/db/utils.go b/service/policy/db/utils.go
index 7e43fd63cd..27f3f4041f 100644
--- a/service/policy/db/utils.go
+++ b/service/policy/db/utils.go
@@ -10,6 +10,7 @@ import (
 "github.com/opentdf/platform/protocol/go/common"
 "github.com/opentdf/platform/protocol/go/policy"
 "github.com/opentdf/platform/protocol/go/policy/attributes"
+ "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement"
 "github.com/opentdf/platform/protocol/go/policy/kasregistry"
 "github.com/opentdf/platform/protocol/go/policy/namespaces"
 "github.com/opentdf/platform/protocol/go/policy/obligations"
@@ -404,6 +405,26 @@ func GetSubjectMappingsSortParams(sort []*subjectmapping.SubjectMappingsSort) (s
 return getSubjectMappingsSortField(sort[0].GetField()), getSortDirection(sort[0].GetDirection())
 }
+func getDefinitionValueEntitlementMappingsSortField(field definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType) string {
+ switch field {
+ case definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT:
+ return sortFieldCreatedAt
+ case definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT:
+ return sortFieldUpdatedAt
+ case definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED:
+ fallthrough
+ default:
+ return ""
+ }
+}
+
+func GetDefinitionValueEntitlementMappingsSortParams(sort []*definitionvalueentitlement.DefinitionValueEntitlementMappingsSort) (string, string) {
+ if len(sort) == 0 {
+ return "", ""
+ }
+ return getDefinitionValueEntitlementMappingsSortField(sort[0].GetField()), getSortDirection(sort[0].GetDirection())
+}
+
 func UUIDToString(uuid pgtype.UUID) string {
 if !uuid.Valid {
 return ""
diff --git a/service/policy/definitionvalueentitlement/definition_value_entitlement.go b/service/policy/definitionvalueentitlement/definition_value_entitlement.go
new file mode 100644
index 0000000000..b027fecd5d
--- /dev/null
+++ b/service/policy/definitionvalueentitlement/definition_value_entitlement.go
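Review bot: The exported `GetDefinitionValueEntitlementMappingsSortParams` in utils.go has no doc comment, and neither it nor `getDefinitionValueEntitlementMappingsSortField` says why an unspecified or unknown field returns `""`. The list query in this commit resolves an empty sort field to `created_at` and an empty direction to `DESC`, so the empty string is how the default is selected; that contract should be written down where the value is produced. I would add `// GetDefinitionValueEntitlementMappingsSortParams returns the sort field and direction of the first sort entry, or empty strings so the list query applies its defaults.` above the function. A one-line comment on the `default:` branch should note that unknown enum values also fall back to the query default.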
@@ -0,0 +1,189 @@ +package definitionvalueentitlement + +import ( + "context" + "errors" + "fmt" + "log/slog" + + "connectrpc.com/connect" + dvem "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement" + "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement/definitionvalueentitlementconnect" + "github.com/opentdf/platform/service/logger" + "github.com/opentdf/platform/service/logger/audit" + "github.com/opentdf/platform/service/pkg/config" + "github.com/opentdf/platform/service/pkg/db" + "github.com/opentdf/platform/service/pkg/serviceregistry" + policyconfig "github.com/opentdf/platform/service/policy/config" + policydb "github.com/opentdf/platform/service/policy/db" +) + +type DefinitionValueEntitlementMappingService struct { //nolint:revive // descriptive name mirrors the policy object + dbClient policydb.PolicyDBClient + logger *logger.Logger + config *policyconfig.Config +} + +func OnConfigUpdate(svc *DefinitionValueEntitlementMappingService) serviceregistry.OnConfigUpdateHook { + return func(_ context.Context, cfg config.ServiceConfig) error { + sharedCfg, err := policyconfig.GetSharedPolicyConfig(cfg) + if err != nil { + return fmt.Errorf("failed to get shared policy config: %w", err) + } + svc.config = sharedCfg + svc.dbClient = policydb.NewClient(svc.dbClient.Client, svc.logger, int32(sharedCfg.ListRequestLimitMax), int32(sharedCfg.ListRequestLimitDefault)) + svc.logger.Info("definition value entitlement mapping service config reloaded") + return nil + } +} + +func NewRegistration(ns string, dbRegister serviceregistry.DBRegister) *serviceregistry.Service[definitionvalueentitlementconnect.DefinitionValueEntitlementMappingServiceHandler] { + svc := new(DefinitionValueEntitlementMappingService) + onUpdateConfigHook := OnConfigUpdate(svc) + + return &serviceregistry.Service[definitionvalueentitlementconnect.DefinitionValueEntitlementMappingServiceHandler]{ + Close: svc.Close, + ServiceOptions: 
serviceregistry.ServiceOptions[definitionvalueentitlementconnect.DefinitionValueEntitlementMappingServiceHandler]{ + Namespace: ns, + DB: dbRegister, + ServiceDesc: &dvem.DefinitionValueEntitlementMappingService_ServiceDesc, + ConnectRPCFunc: definitionvalueentitlementconnect.NewDefinitionValueEntitlementMappingServiceHandler, + OnConfigUpdate: onUpdateConfigHook, + RegisterFunc: func(srp serviceregistry.RegistrationParams) (definitionvalueentitlementconnect.DefinitionValueEntitlementMappingServiceHandler, serviceregistry.HandlerServer) { + logger := srp.Logger + cfg, err := policyconfig.GetSharedPolicyConfig(srp.Config) + if err != nil { + logger.Error("error getting definition value entitlement mapping service policy config", slog.String("error", err.Error())) + panic(err) + } + + svc.logger = logger + svc.dbClient = policydb.NewClient(srp.DBClient, logger, int32(cfg.ListRequestLimitMax), int32(cfg.ListRequestLimitDefault)) + svc.config = cfg + return svc, nil + }, + }, + } +} + +// Close gracefully shuts down the service, closing the database client. 
+func (s *DefinitionValueEntitlementMappingService) Close() { + s.logger.Info("gracefully shutting down definition value entitlement mapping service") + s.dbClient.Close() +} + +func (s DefinitionValueEntitlementMappingService) CreateDefinitionValueEntitlementMapping(ctx context.Context, + req *connect.Request[dvem.CreateDefinitionValueEntitlementMappingRequest], +) (*connect.Response[dvem.CreateDefinitionValueEntitlementMappingResponse], error) { + rsp := &dvem.CreateDefinitionValueEntitlementMappingResponse{} + s.logger.DebugContext(ctx, "creating definition value entitlement mapping") + if s.config.NamespacedPolicy && req.Msg.GetNamespaceId() == "" && req.Msg.GetNamespaceFqn() == "" { + return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("either namespace_id or namespace_fqn must be provided")) + } + + auditParams := audit.PolicyEventParams{ + ActionType: audit.ActionTypeCreate, + ObjectType: audit.ObjectTypeDefinitionValueEntitlementMapping, + } + + // Creation may involve action or SubjectConditionSet creation, so use a transaction. 
+ err := s.dbClient.RunInTx(ctx, func(txClient *policydb.PolicyDBClient) error { + mapping, err := txClient.CreateDefinitionValueEntitlementMapping(ctx, req.Msg) + if err != nil { + s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) + return err + } + + auditParams.ObjectID = mapping.GetId() + auditParams.Original = mapping + s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams) + + rsp.DefinitionValueEntitlementMapping = mapping + return nil + }) + if err != nil { + return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextCreationFailed, slog.String("definitionValueEntitlementMapping", req.Msg.String())) + } + return connect.NewResponse(rsp), nil +} + +func (s DefinitionValueEntitlementMappingService) ListDefinitionValueEntitlementMappings(ctx context.Context, + req *connect.Request[dvem.ListDefinitionValueEntitlementMappingsRequest], +) (*connect.Response[dvem.ListDefinitionValueEntitlementMappingsResponse], error) { + s.logger.DebugContext(ctx, "listing definition value entitlement mappings") + + rsp, err := s.dbClient.ListDefinitionValueEntitlementMappings(ctx, req.Msg) + if err != nil { + return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextListRetrievalFailed) + } + return connect.NewResponse(rsp), nil +} + +func (s DefinitionValueEntitlementMappingService) GetDefinitionValueEntitlementMapping(ctx context.Context, + req *connect.Request[dvem.GetDefinitionValueEntitlementMappingRequest], +) (*connect.Response[dvem.GetDefinitionValueEntitlementMappingResponse], error) { + s.logger.DebugContext(ctx, "getting definition value entitlement mapping", slog.String("id", req.Msg.GetId())) + + mapping, err := s.dbClient.GetDefinitionValueEntitlementMapping(ctx, req.Msg.GetId()) + if err != nil { + return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextGetRetrievalFailed, slog.String("id", req.Msg.GetId())) + } + return connect.NewResponse(&dvem.GetDefinitionValueEntitlementMappingResponse{DefinitionValueEntitlementMapping: mapping}), nil +} + +func (s 
DefinitionValueEntitlementMappingService) UpdateDefinitionValueEntitlementMapping(ctx context.Context, + req *connect.Request[dvem.UpdateDefinitionValueEntitlementMappingRequest], +) (*connect.Response[dvem.UpdateDefinitionValueEntitlementMappingResponse], error) { + rsp := &dvem.UpdateDefinitionValueEntitlementMappingResponse{} + id := req.Msg.GetId() + s.logger.DebugContext(ctx, "updating definition value entitlement mapping", slog.String("id", id)) + + auditParams := audit.PolicyEventParams{ + ActionType: audit.ActionTypeUpdate, + ObjectType: audit.ObjectTypeDefinitionValueEntitlementMapping, + ObjectID: id, + } + + original, err := s.dbClient.GetDefinitionValueEntitlementMapping(ctx, id) + if err != nil { + s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) + return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextGetRetrievalFailed, slog.String("id", id)) + } + + updated, err := s.dbClient.UpdateDefinitionValueEntitlementMapping(ctx, req.Msg) + if err != nil { + s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) + return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextUpdateFailed, slog.String("id", id), slog.String("definitionValueEntitlementMapping", req.Msg.String())) + } + + auditParams.Original = original + auditParams.Updated = updated + s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams) + + rsp.DefinitionValueEntitlementMapping = updated + return connect.NewResponse(rsp), nil +} + +func (s DefinitionValueEntitlementMappingService) DeleteDefinitionValueEntitlementMapping(ctx context.Context, + req *connect.Request[dvem.DeleteDefinitionValueEntitlementMappingRequest], +) (*connect.Response[dvem.DeleteDefinitionValueEntitlementMappingResponse], error) { + rsp := &dvem.DeleteDefinitionValueEntitlementMappingResponse{} + id := req.Msg.GetId() + s.logger.DebugContext(ctx, "deleting definition value entitlement mapping", slog.String("id", id)) + + auditParams := audit.PolicyEventParams{ + ActionType: audit.ActionTypeDelete, + ObjectType: 
audit.ObjectTypeDefinitionValueEntitlementMapping, + ObjectID: id, + } + + deleted, err := s.dbClient.DeleteDefinitionValueEntitlementMapping(ctx, id) + if err != nil { + s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) + return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextDeletionFailed, slog.String("id", id)) + } + + s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams) + rsp.DefinitionValueEntitlementMapping = deleted + return connect.NewResponse(rsp), nil +} diff --git a/service/policy/definitionvalueentitlement/definition_value_entitlement.proto b/service/policy/definitionvalueentitlement/definition_value_entitlement.proto new file mode 100644 index 0000000000..c03d0f581b --- /dev/null +++ b/service/policy/definitionvalueentitlement/definition_value_entitlement.proto 
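Review bot: In CreateDefinitionValueEntitlementMapping the `PolicyCRUDSuccess` audit event is emitted inside the `RunInTx` callback, so it is written before the transaction has committed. If the commit then fails (presumably RunInTx commits after the callback returns nil), the audit trail records a created entitlement mapping that does not exist, and no failure event follows. I would keep only `rsp.DefinitionValueEntitlementMapping = mapping` in the callback and, once RunInTx has returned without error, fill `auditParams.ObjectID` and `auditParams.Original` from `rsp.DefinitionValueEntitlementMapping` and call `s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams)` there, with `PolicyCRUDFailure` in the error branch. UpdateDefinitionValueEntitlementMapping has a related gap: `original` is read with a separate call before the update rather than in one transaction, so under concurrent updates the audited `Original` may not be the state that was overwritten.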
@@ -0,0 +1,168 @@
+syntax = "proto3";
+
+package policy.definitionvalueentitlement;
+
+import "buf/validate/validate.proto";
+import "common/common.proto";
+import "policy/objects.proto";
+import "policy/selectors.proto";
+import "policy/subjectmapping/subject_mapping.proto";
+
+/*
+ Definition Value Entitlement Mapping CRUD operations
+*/
+
+message GetDefinitionValueEntitlementMappingRequest {
+ // Required
+ string id = 1 [(buf.validate.field).string.uuid = true];
+}
+message GetDefinitionValueEntitlementMappingResponse {
+ policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1;
+}
+
+enum SortDefinitionValueEntitlementMappingsType {
+ SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED = 0;
+ SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT = 1;
+ SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT = 2;
+}
+
+message DefinitionValueEntitlementMappingsSort {
+ SortDefinitionValueEntitlementMappingsType field = 1 [(buf.validate.field).enum.defined_only = true];
+ policy.SortDirection direction = 2 [(buf.validate.field).enum.defined_only = true];
+}
+
+message ListDefinitionValueEntitlementMappingsRequest {
+ // Optional
+ // Namespace ID or FQN, or Attribute Definition ID or FQN to filter by
+ string namespace_id = 1 [(buf.validate.field).cel = {
+ id: "optional_uuid_format"
+ message: "Optional field must be a valid UUID"
+ expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')"
+ }];
+ string attribute_definition_id = 2 [(buf.validate.field).cel = {
+ id: "optional_uuid_format"
+ message: "Optional field must be a valid UUID"
+ expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')"
+ }];
+
+ // Optional
+ policy.PageRequest pagination = 10;
+
+ // Optional - CONSTRAINT: max 1 item
+ repeated DefinitionValueEntitlementMappingsSort sort = 11
[(buf.validate.field).repeated.max_items = 1];
+}
+message ListDefinitionValueEntitlementMappingsResponse {
+ repeated policy.DefinitionValueEntitlementMapping definition_value_entitlement_mappings = 1;
+
+ policy.PageResponse pagination = 10;
+}
+
+message CreateDefinitionValueEntitlementMappingRequest {
+ // Required: Attribute Definition ID or FQN to scope the mapping to
+ option (buf.validate.message).oneof = {
+ fields: ["attribute_definition_id", "attribute_definition_fqn"]
+ required: true
+ };
+ string attribute_definition_id = 1 [(buf.validate.field).cel = {
+ id: "optional_uuid_format"
+ message: "Optional field must be a valid UUID"
+ expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')"
+ }];
+ string attribute_definition_fqn = 2 [
+ (buf.validate.field).string = {
+ min_len: 0
+ uri: true
+ }
+ ];
+
+ // Required: the dynamic resolver comparing entity selector result to the resource value segment
+ policy.DefinitionValueResolver value_resolver = 3 [(buf.validate.field).required = true];
+
+ // Required: actions permitted on a matched value
+ repeated policy.Action actions = 4 [
+ (buf.validate.field).repeated.min_items = 1,
+ (buf.validate.field).cel = {
+ id: "action_name_or_id_not_empty"
+ message: "Action name or ID must not be empty if provided"
+ expression: "this.all(item, item.name != '' || item.id != '')"
+ }
+ ];
+
+ // Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ...
+ string existing_subject_condition_set_id = 5 [(buf.validate.field).cel = {
+ id: "optional_uuid_format"
+ message: "Optional field must be a valid UUID"
+ expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')"
+ }];
+ // ...
or create a new one (ignored if existing_subject_condition_set_id is provided)
+ policy.subjectmapping.SubjectConditionSetCreate new_subject_condition_set = 6;
+
+ // Optional: namespace ID or FQN for the mapping
+ string namespace_id = 7 [(buf.validate.field).cel = {
+ id: "optional_uuid_format"
+ message: "Optional field must be a valid UUID"
+ expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')"
+ }];
+ string namespace_fqn = 8 [
+ (buf.validate.field).string = {
+ min_len: 0
+ uri: true
+ }
+ ];
+
+ // Optional
+ common.MetadataMutable metadata = 100;
+}
+message CreateDefinitionValueEntitlementMappingResponse {
+ policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1;
+}
+
+message UpdateDefinitionValueEntitlementMappingRequest {
+ // Required
+ string id = 1 [(buf.validate.field).string.uuid = true];
+
+ // Optional: replace the dynamic resolver
+ policy.DefinitionValueResolver value_resolver = 2;
+
+ // Optional: replace the static pre-gate SubjectConditionSet by id
+ string subject_condition_set_id = 3 [(buf.validate.field).cel = {
+ id: "optional_uuid_format"
+ message: "Optional field must be a valid UUID"
+ expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')"
+ }];
+
+ // Optional: replace the entire list of actions
+ repeated policy.Action actions = 4 [(buf.validate.field).cel = {
+ id: "action_name_or_id_not_empty"
+ message: "Action name or ID must not be empty if provided"
+ expression: "this.size() == 0 || this.all(item, item.name != '' || item.id != '')"
+ }];
+
+ // Common metadata
+ common.MetadataMutable metadata = 100;
+ common.MetadataUpdateEnum metadata_update_behavior = 101;
+}
+message UpdateDefinitionValueEntitlementMappingResponse {
+ policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1;
+}
+
+message
DeleteDefinitionValueEntitlementMappingRequest {
+ // Required
+ string id = 1 [(buf.validate.field).string.uuid = true];
+}
+message DeleteDefinitionValueEntitlementMappingResponse {
+ // Only ID of the deleted mapping provided
+ policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1;
+}
+
+service DefinitionValueEntitlementMappingService {
+ rpc ListDefinitionValueEntitlementMappings(ListDefinitionValueEntitlementMappingsRequest) returns (ListDefinitionValueEntitlementMappingsResponse) {
+ option idempotency_level = NO_SIDE_EFFECTS;
+ }
+ rpc GetDefinitionValueEntitlementMapping(GetDefinitionValueEntitlementMappingRequest) returns (GetDefinitionValueEntitlementMappingResponse) {
+ option idempotency_level = NO_SIDE_EFFECTS;
+ }
+ rpc CreateDefinitionValueEntitlementMapping(CreateDefinitionValueEntitlementMappingRequest) returns (CreateDefinitionValueEntitlementMappingResponse) {}
+ rpc UpdateDefinitionValueEntitlementMapping(UpdateDefinitionValueEntitlementMappingRequest) returns (UpdateDefinitionValueEntitlementMappingResponse) {}
+ rpc DeleteDefinitionValueEntitlementMapping(DeleteDefinitionValueEntitlementMappingRequest) returns (DeleteDefinitionValueEntitlementMappingResponse) {}
+}
diff --git a/service/policy/objects.proto b/service/policy/objects.proto
index 3e6ee4d794..cc61258168 100644
--- a/service/policy/objects.proto
+++ b/service/policy/objects.proto
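Review bot: The `optional_uuid_format` CEL rules call `this.matches('[0-9a-fA-F]{8}-…')` without `^`/`$`, and CEL's `matches` is a search rather than a full match, so any string that merely contains a UUID passes validation. This affects `namespace_id` and `attribute_definition_id` on the List request, `attribute_definition_id`, `existing_subject_condition_set_id` and `namespace_id` on Create, and `subject_condition_set_id` on Update. Anchor the expression, e.g. `expression: "size(this) == 0 || this.matches('^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$')"`, so identifiers handed to the policy DB layer are exactly a UUID. Separately, the List comment says "Namespace ID or FQN, or Attribute Definition ID or FQN to filter by" while both fields accept only UUIDs, so the comment should say that.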
@@ -180,6 +180,21 @@ enum ConditionBooleanTypeEnum { CONDITION_BOOLEAN_TYPE_ENUM_OR = 2; } +// Operators for dynamic, definition-level value entitlement. Unlike +// SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into +// policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's +// attribute value segment, supplied at decision time. Each value is the inversion of its +// static SubjectMappingOperatorEnum counterpart. +enum DynamicValueOperatorEnum { + DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED = 0; + // true when the requested resource value segment equals one of the values resolved by + // the selector against the entity representation (inversion of IN) + DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN = 1; + // true when one of the selector-resolved entity values contains the requested resource + // value segment as a substring (inversion of IN_CONTAINS) + DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS = 2; +} + /* Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination 
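Review bot: The comment on `DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS` should state the authorization consequence of substring matching: the right-hand operand is the resource value segment supplied at decision time, so a short segment is contained in many entity values and an empty segment is contained in all of them. Whether the evaluator rejects empty or very short segments is not visible in this hunk, so I would document the requirement on the enum value itself, for example `// The resource value segment must be non-empty; a short segment matches every entity value that contains it, so prefer RESOURCE_VALUE_IN unless substring semantics are required.`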
@@ -204,6 +219,53 @@ message SubjectMapping { common.Metadata metadata = 100; } +/* + Definition Value Resolver: the dynamic half of a DefinitionValueEntitlementMapping. It + resolves a selector against the entity representation and compares the result to the + requested resource value segment using a DynamicValueOperatorEnum. +*/ +message DefinitionValueResolver { + // a selector for a field value on a flattened Entity Representation (such as from + // idP/LDAP), e.g. ".patientAssignments[]" + string subject_external_selector_value = 1 [(buf.validate.field).required = true]; + + // the dynamic operator comparing the selector result to the resource value segment + DynamicValueOperatorEnum operator = 2 [ + (buf.validate.field).enum.defined_only = true, + (buf.validate.field).required = true + ]; +} + +/* + Definition Value Entitlement Mapping: a Policy assigning permitted action(s) to + dynamically-requested values under an Attribute Definition. It raises entitlement + authority from a concrete Attribute Value to the Attribute Definition: at decision time + the value_resolver compares the requested resource value segment against the entity + representation, avoiding pre-provisioning a value + subject mapping per discrete value. +*/ +message DefinitionValueEntitlementMapping { + string id = 1; + + // the Attribute Definition whose values are entitled dynamically + Attribute attribute_definition = 2; + + // the dynamic resolver matched against the requested resource value segment + DefinitionValueResolver value_resolver = 3; + + // optional static pre-gate on the entity, evaluated with normal SubjectConditionSet + // semantics (no dynamic overload). When present, both the gate and the resolver must + // pass for entitlement. 
+ SubjectConditionSet subject_condition_set = 4; + + // the actions permitted by subjects in this mapping + repeated Action actions = 5; + + // the namespace containing this mapping + Namespace namespace = 6; + + common.Metadata metadata = 100; +} + /** A Condition defines a rule of diff --git a/service/policy/policy.go b/service/policy/policy.go index 4e1f479454..fa2b1386f4 100644 --- a/service/policy/policy.go +++ b/service/policy/policy.go @@ -7,6 +7,7 @@ import ( "github.com/opentdf/platform/service/policy/actions" "github.com/opentdf/platform/service/policy/attributes" "github.com/opentdf/platform/service/policy/db/migrations" + "github.com/opentdf/platform/service/policy/definitionvalueentitlement" "github.com/opentdf/platform/service/policy/kasregistry" "github.com/opentdf/platform/service/policy/keymanagement" "github.com/opentdf/platform/service/policy/namespaces" @@ -36,6 +37,7 @@ func NewRegistrations() []serviceregistry.IService { namespaces.NewRegistration(namespace, dbRegister), resourcemapping.NewRegistration(namespace, dbRegister), subjectmapping.NewRegistration(namespace, dbRegister), + definitionvalueentitlement.NewRegistration(namespace, dbRegister), kasregistry.NewRegistration(namespace, dbRegister), unsafe.NewRegistration(namespace, dbRegister), actions.NewRegistration(namespace, dbRegister), From 96a4a906f6d33961a40db03036a4425a0c4782e6 Mon Sep 17 00:00:00 2001 
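Review bot: The `subject_condition_set` comment in `DefinitionValueEntitlementMapping` says what happens when the gate is present but not when it is absent; the PDP test in `pdp_dynamic_test.go` builds a mapping without a gate and expects a permit, so the resolver alone then decides entitlement. I would state that explicitly, e.g. `// When absent, the value_resolver alone decides entitlement for any entity the selector resolves against.` It is also worth noting on `subject_external_selector_value` that `required = true` only rejects the empty string; this message applies no length or format bound to the selector.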
From: Krish Suchak Date: Fri, 5 Jun 2026 13:21:06 -0400 Subject: [PATCH 4/8] test(policy): DSPX-3498 harden dynamic attribute value entitlement - Reverse HIERARCHY guard: reject UnsafeUpdateAttribute rule change to HIERARCHY when the definition has a dynamic value entitlement mapping (symmetric with the create-time guard). - PDP decision test: ANY_OF permit / ALL_OF deny when a resource carries two dynamic values under one definition and the entity is entitled to one. - Integration tests (testcontainers): CRUD, optional static gate, HIERARCHY rejection, no-coexistence both directions, reverse rule guard, list. Refs: DSPX-3498, DSPX-2754 Signed-off-by: Krish Suchak --- ...inition_value_entitlement_mappings_test.go | 236 ++++++++++++++++++ .../internal/access/v2/pdp_dynamic_test.go | 86 +++++++ service/policy/db/attributes.go | 14 ++ 3 files changed, 336 insertions(+) create mode 100644 service/integration/definition_value_entitlement_mappings_test.go create mode 100644 service/internal/access/v2/pdp_dynamic_test.go diff --git a/service/integration/definition_value_entitlement_mappings_test.go b/service/integration/definition_value_entitlement_mappings_test.go new file mode 100644 index 0000000000..8e55835537 --- /dev/null +++ b/service/integration/definition_value_entitlement_mappings_test.go 
@@ -0,0 +1,236 @@
+package integration
+
+import (
+ "context"
+ "log/slog"
+ "testing"
+
+ "github.com/opentdf/platform/protocol/go/policy"
+ "github.com/opentdf/platform/protocol/go/policy/attributes"
+ "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement"
+ "github.com/opentdf/platform/protocol/go/policy/subjectmapping"
+ "github.com/opentdf/platform/protocol/go/policy/unsafe"
+ "github.com/opentdf/platform/service/internal/fixtures"
+ policydb "github.com/opentdf/platform/service/policy/db"
+ "github.com/stretchr/testify/suite"
+)
+
+type DefinitionValueEntitlementMappingsSuite struct {
+ suite.Suite
+ f fixtures.Fixtures
+ db fixtures.DBInterface
+ //nolint:containedctx // Only used for test suite
+ ctx context.Context
+}
+
+func (s *DefinitionValueEntitlementMappingsSuite) SetupSuite() {
+ slog.Info("setting up db.DefinitionValueEntitlementMappings test suite")
+ s.ctx = context.Background()
+ c := *Config
+ c.DB.Schema = "test_opentdf_def_value_entitlement_mappings"
+ s.db = fixtures.NewDBInterface(s.ctx, c)
+ s.f = fixtures.NewFixture(s.db)
+ s.f.Provision(s.ctx)
+}
+
+func (s *DefinitionValueEntitlementMappingsSuite) TearDownSuite() {
+ slog.Info("tearing down db.DefinitionValueEntitlementMappings test suite")
+ s.f.TearDown(s.ctx)
+}
+
+func TestDefinitionValueEntitlementMappingsSuite(t *testing.T) {
+ if testing.Short() {
+ t.Skip("skipping definition_value_entitlement_mappings integration tests")
+ }
+ suite.Run(t, new(DefinitionValueEntitlementMappingsSuite))
+}
+
+func (s *DefinitionValueEntitlementMappingsSuite) TestCreateAndGet() {
+ attr := s.createDefinition("dvem_create_ok", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
+
+ created, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{
+ AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".patientAssignments[]",
policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions: []*policy.Action{s.readAction()},
+ })
+ s.Require().NoError(err)
+ s.Require().NotEmpty(created.GetId())
+
+ got, err := s.db.PolicyClient.GetDefinitionValueEntitlementMapping(s.ctx, created.GetId())
+ s.Require().NoError(err)
+ s.Equal(attr.GetId(), got.GetAttributeDefinition().GetId())
+ s.Equal(".patientAssignments[]", got.GetValueResolver().GetSubjectExternalSelectorValue())
+ s.Equal(policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN, got.GetValueResolver().GetOperator())
+ s.Len(got.GetActions(), 1)
+ s.Nil(got.GetSubjectConditionSet(), "optional static pre-gate omitted")
+}
+
+func (s *DefinitionValueEntitlementMappingsSuite) TestCreateWithStaticGate() {
+ attr := s.createDefinition("dvem_create_gate", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
+
+ created, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{
+ AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions: []*policy.Action{s.readAction()},
+ NewSubjectConditionSet: s.sampleSCSCreate(),
+ })
+ s.Require().NoError(err)
+
+ got, err := s.db.PolicyClient.GetDefinitionValueEntitlementMapping(s.ctx, created.GetId())
+ s.Require().NoError(err)
+ s.Require().NotNil(got.GetSubjectConditionSet(), "static pre-gate should be hydrated")
+ s.NotEmpty(got.GetSubjectConditionSet().GetSubjectSets())
+}
+
+func (s *DefinitionValueEntitlementMappingsSuite) TestRejectsHierarchyDefinition() {
+ attr := s.createDefinition("dvem_hierarchy", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY)
+
+ _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{
+
AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions: []*policy.Action{s.readAction()},
+ })
+ s.Require().Error(err, "HIERARCHY definitions must be rejected")
+}
+
+func (s *DefinitionValueEntitlementMappingsSuite) TestNoCoexistence_SubjectMappingThenDynamic() {
+ attr := s.createDefinition("dvem_coexist_fwd", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
+ val, err := s.db.PolicyClient.CreateAttributeValue(s.ctx, attr.GetId(), &attributes.CreateAttributeValueRequest{Value: "v1"})
+ s.Require().NoError(err)
+
+ _, err = s.db.PolicyClient.CreateSubjectMapping(s.ctx, &subjectmapping.CreateSubjectMappingRequest{
+ AttributeValueId: val.GetId(),
+ Actions: []*policy.Action{s.readAction()},
+ NewSubjectConditionSet: s.sampleSCSCreate(),
+ })
+ s.Require().NoError(err)
+
+ // definition now has a value-level subject mapping; a dynamic mapping must be rejected
+ _, err = s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{
+ AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions: []*policy.Action{s.readAction()},
+ })
+ s.Require().Error(err, "dynamic mapping must not coexist with value-level subject mappings")
+}
+
+func (s *DefinitionValueEntitlementMappingsSuite) TestNoCoexistence_DynamicThenSubjectMapping() {
+ attr := s.createDefinition("dvem_coexist_rev", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
+
+ _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{
+ AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions:
[]*policy.Action{s.readAction()},
+ })
+ s.Require().NoError(err)
+
+ val, err := s.db.PolicyClient.CreateAttributeValue(s.ctx, attr.GetId(), &attributes.CreateAttributeValueRequest{Value: "v1"})
+ s.Require().NoError(err)
+
+ // definition now has a dynamic mapping; a value-level subject mapping must be rejected
+ _, err = s.db.PolicyClient.CreateSubjectMapping(s.ctx, &subjectmapping.CreateSubjectMappingRequest{
+ AttributeValueId: val.GetId(),
+ Actions: []*policy.Action{s.readAction()},
+ NewSubjectConditionSet: s.sampleSCSCreate(),
+ })
+ s.Require().Error(err, "value-level subject mapping must not coexist with a dynamic mapping")
+}
+
+func (s *DefinitionValueEntitlementMappingsSuite) TestRejectsRuleChangeToHierarchy() {
+ attr := s.createDefinition("dvem_rule_guard", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
+
+ _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{
+ AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions: []*policy.Action{s.readAction()},
+ })
+ s.Require().NoError(err)
+
+ _, err = s.db.PolicyClient.UnsafeUpdateAttribute(s.ctx, &unsafe.UnsafeUpdateAttributeRequest{
+ Id: attr.GetId(),
+ Rule: policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY,
+ })
+ s.Require().Error(err, "changing the rule to HIERARCHY must be rejected when a dynamic mapping exists")
+}
+
+func (s *DefinitionValueEntitlementMappingsSuite) TestUpdateAndDelete() {
+ attr := s.createDefinition("dvem_update_delete", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF)
+
+ created, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{
+ AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".patientAssignments[]",
policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions: []*policy.Action{s.readAction()},
+ })
+ s.Require().NoError(err)
+
+ updated, err := s.db.PolicyClient.UpdateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest{
+ Id: created.GetId(),
+ ValueResolver: s.resolver(".accounts[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS),
+ })
+ s.Require().NoError(err)
+ s.Equal(".accounts[]", updated.GetValueResolver().GetSubjectExternalSelectorValue())
+ s.Equal(policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS, updated.GetValueResolver().GetOperator())
+
+ _, err = s.db.PolicyClient.DeleteDefinitionValueEntitlementMapping(s.ctx, created.GetId())
+ s.Require().NoError(err)
+
+ _, err = s.db.PolicyClient.GetDefinitionValueEntitlementMapping(s.ctx, created.GetId())
+ s.Require().Error(err, "mapping should be gone after delete")
+}
+
+func (s *DefinitionValueEntitlementMappingsSuite) TestListByDefinition() {
+ attr := s.createDefinition("dvem_list", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
+ _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{
+ AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions: []*policy.Action{s.readAction()},
+ })
+ s.Require().NoError(err)
+
+ resp, err := s.db.PolicyClient.ListDefinitionValueEntitlementMappings(s.ctx, &definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest{
+ AttributeDefinitionId: attr.GetId(),
+ })
+ s.Require().NoError(err)
+ s.Require().Len(resp.GetDefinitionValueEntitlementMappings(), 1)
+ s.Equal(attr.GetId(), resp.GetDefinitionValueEntitlementMappings()[0].GetAttributeDefinition().GetId())
+}
+
+// createDefinition makes a fresh attribute under the example.com namespace with no values
+// or subject mappings, so each test controls its own coexistence state.
+func (s *DefinitionValueEntitlementMappingsSuite) createDefinition(name string, rule policy.AttributeRuleTypeEnum) *policy.Attribute {
+ nsID := s.f.GetNamespaceKey("example.com").ID
+ attr, err := s.db.PolicyClient.CreateAttribute(s.ctx, &attributes.CreateAttributeRequest{
+ Name: name,
+ NamespaceId: nsID,
+ Rule: rule,
+ })
+ s.Require().NoError(err)
+ s.Require().NotNil(attr)
+ return attr
+}
+
+func (s *DefinitionValueEntitlementMappingsSuite) readAction() *policy.Action {
+ return s.f.GetStandardAction(policydb.ActionRead.String())
+}
+
+func (s *DefinitionValueEntitlementMappingsSuite) resolver(selector string, op policy.DynamicValueOperatorEnum) *policy.DefinitionValueResolver {
+ return &policy.DefinitionValueResolver{
+ SubjectExternalSelectorValue: selector,
+ Operator: op,
+ }
+}
+
+func (s *DefinitionValueEntitlementMappingsSuite) sampleSCSCreate() *subjectmapping.SubjectConditionSetCreate {
+ return &subjectmapping.SubjectConditionSetCreate{
+ SubjectSets: []*policy.SubjectSet{{
+ ConditionGroups: []*policy.ConditionGroup{{
+ BooleanOperator: policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_AND,
+ Conditions: []*policy.Condition{{
+ SubjectExternalSelectorValue: ".department",
+ Operator: policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN,
+ SubjectExternalValues: []string{"cardiology"},
+ }},
+ }},
+ }},
+ }
+}
diff --git a/service/internal/access/v2/pdp_dynamic_test.go b/service/internal/access/v2/pdp_dynamic_test.go
new file mode 100644
index 0000000000..0244c777eb
--- /dev/null
+++ b/service/internal/access/v2/pdp_dynamic_test.go
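Review bot: The rejection tests (`TestRejectsHierarchyDefinition`, `TestNoCoexistence_SubjectMappingThenDynamic`, `TestNoCoexistence_DynamicThenSubjectMapping` and `TestRejectsRuleChangeToHierarchy`) assert only `s.Require().Error(err, …)`, so they pass on any failure, including an unrelated validation or constraint error, and would not notice if the guard itself stopped firing. Pin the guard's error instead, e.g. `s.Require().ErrorIs(err, db.ErrRestrictViolation)` in `TestRejectsRuleChangeToHierarchy`, which is the sentinel the `UnsafeUpdateAttribute` guard joins in `service/policy/db/attributes.go`; the package exporting it is not imported in this file yet. The sentinel returned by the create-time guards is not visible on this page, so confirm it before asserting on it. The post-delete `GetDefinitionValueEntitlementMapping` check in `TestUpdateAndDelete` has the same weakness and should assert a not-found error rather than any error.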
@@ -0,0 +1,86 @@
+package access
+
+import (
+ authz "github.com/opentdf/platform/protocol/go/authorization/v2"
+ "github.com/opentdf/platform/protocol/go/policy"
+)
+
+// Test_GetDecision_DefinitionValueEntitlementMapping_MultiValue exercises the full
+// GetDecision path for dynamic, definition-level value entitlement (DSPX-2754), focused on
+// the multi-value rule semantics: a single resource carries two dynamic values under one
+// definition while the entity is entitled to only one. ANY_OF should permit, ALL_OF deny.
+func (s *PDPTestSuite) Test_GetDecision_DefinitionValueEntitlementMapping_MultiValue() {
+ const ns = "hospital.co"
+ defFQN := createAttrFQN(ns, "mrn")
+ v123 := createAttrValueFQN(ns, "mrn", "mrn-123")
+ v456 := createAttrValueFQN(ns, "mrn", "mrn-456")
+ namespace := &policy.Namespace{Name: ns, Fqn: "https://" + ns}
+
+ buildPDP := func(rule policy.AttributeRuleTypeEnum) *PolicyDecisionPoint {
+ // A dynamic definition has no statically provisioned values.
+ attr := &policy.Attribute{
+ Fqn: defFQN,
+ Rule: rule,
+ Namespace: namespace,
+ }
+ mapping := &policy.DefinitionValueEntitlementMapping{
+ AttributeDefinition: attr,
+ ValueResolver: &policy.DefinitionValueResolver{
+ SubjectExternalSelectorValue: ".properties.patientAssignments[]",
+ Operator: policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN,
+ },
+ Actions: []*policy.Action{testActionRead},
+ Namespace: namespace,
+ }
+ pdp, err := NewPolicyDecisionPointWithDefinitionValueEntitlementMappings(
+ s.T().Context(),
+ s.logger,
+ []*policy.Attribute{attr},
+ []*policy.SubjectMapping{},
+ []*policy.DefinitionValueEntitlementMapping{mapping},
+ nil,
+ false, // allowDirectEntitlements: dynamic mappings synthesize values on their own
+ false, // namespacedPolicy
+ )
+ s.Require().NoError(err)
+ s.Require().NotNil(pdp)
+ return pdp
+ }
+
+ // Entity is assigned mrn-123 only (entitled to one of the two requested values).
+ entityOne := s.createEntityWithProps("provider-1", map[string]interface{}{
+ "patientAssignments": []interface{}{"mrn-123"},
+ })
+ // Single resource carrying BOTH dynamic values under the one definition.
+ resourceBothValues := []*authz.Resource{createAttributeValueResource("resource-1", v123, v456)}
+
+ s.Run("ANY_OF permits when entitled to one of two dynamic values", func() {
+ pdp := buildPDP(policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
+ decision, entitlements, err := pdp.GetDecision(s.T().Context(), entityOne, testActionRead, resourceBothValues)
+ s.Require().NoError(err)
+ s.Require().NotNil(decision)
+ s.True(decision.AllPermitted, "ANY_OF: one entitled dynamic value suffices")
+ s.Contains(entitlements, v123, "should be entitled to the matched dynamic value")
+ s.NotContains(entitlements, v456, "should not be entitled to the unmatched dynamic value")
+ s.Require().Contains(entitlements[v123], testActionRead)
+ })
+
+ s.Run("ALL_OF denies when entitled to only one of two dynamic values", func() {
+ pdp := buildPDP(policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF)
+ decision, _, err := pdp.GetDecision(s.T().Context(), entityOne, testActionRead, resourceBothValues)
+ s.Require().NoError(err)
+ s.Require().NotNil(decision)
+ s.False(decision.AllPermitted, "ALL_OF: mrn-456 is not entitled, so the resource is denied")
+ })
+
+ s.Run("ALL_OF permits when entitled to both dynamic values", func() {
+ entityBoth := s.createEntityWithProps("provider-2", map[string]interface{}{
+ "patientAssignments": []interface{}{"mrn-123", "mrn-456"},
+ })
+ pdp := buildPDP(policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF)
+ decision, _, err := pdp.GetDecision(s.T().Context(), entityBoth, testActionRead, resourceBothValues)
+ s.Require().NoError(err)
+ s.Require().NotNil(decision)
+ s.True(decision.AllPermitted, "ALL_OF: both dynamic values are entitled")
+ })
+}
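Review bot: None of the three subtests asserts the deny-by-default case under ANY_OF: an entity whose `patientAssignments` matches neither requested value, or that carries no such property at all. For a decision path that synthesizes values at request time this is the case most worth pinning, because a resolver that matched too broadly would still pass every existing subtest. The subtest below adds it (`mrn-789` and `provider-3` are constructed sample values); a second variant with an empty props map would cover the path where the selector resolves to nothing.

```go
	// … unchanged: ANY_OF permit, ALL_OF deny and ALL_OF permit subtests …

	s.Run("ANY_OF denies when entitled to neither dynamic value", func() {
		entityNone := s.createEntityWithProps("provider-3", map[string]interface{}{
			"patientAssignments": []interface{}{"mrn-789"},
		})
		pdp := buildPDP(policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
		decision, entitlements, err := pdp.GetDecision(s.T().Context(), entityNone, testActionRead, resourceBothValues)
		s.Require().NoError(err)
		s.Require().NotNil(decision)
		s.False(decision.AllPermitted, "ANY_OF: no requested dynamic value is entitled")
		s.NotContains(entitlements, v123)
		s.NotContains(entitlements, v456)
	})
```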
diff --git a/service/policy/db/attributes.go b/service/policy/db/attributes.go index 3fb9c47e57..2e5ac88872 100644 --- a/service/policy/db/attributes.go +++ b/service/policy/db/attributes.go @@ -461,6 +461,20 @@ func (c PolicyDBClient) UnsafeUpdateAttribute(ctx context.Context, r *unsafe.Uns } } + // Guard the reverse of validateDefinitionValueEntitlementMappingAttribute: a definition + // with a dynamic value entitlement mapping cannot be changed to HIERARCHY, which requires + // statically ordered values incompatible with pass-through dynamic values (DSPX-2754). + if rule == policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY && before.GetRule() != policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY { + dynamicCount, err := c.queries.countDefinitionValueEntitlementMappingsByDefinitionID(ctx, id) + if err != nil { + return nil, db.WrapIfKnownInvalidQueryErr(err) + } + if dynamicCount > 0 { + return nil, errors.Join(db.ErrRestrictViolation, + fmt.Errorf("attribute definition [%s] has a definition value entitlement mapping; its rule cannot be changed to HIERARCHY", id)) + } + } + // Handle case where rule is not actually being updated ruleString := "" if rule != policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED { From fac8e817d903036a4c1da7fdb58811db58b9fb9c Mon Sep 17 00:00:00 2001 From: Krish Suchak Date: Fri, 5 Jun 2026 14:12:19 -0400 Subject: [PATCH 5/8] suggestions --- service/authorization/v2/cache.go | 2 +- service/internal/access/v2/helpers.go | 13 +++++-------- .../definition_value_entitlement_builtin.go | 8 +++++++- .../db/definition_value_entitlement_mappings.go | 2 +- ...00_add_definition_value_entitlement_mappings.sql | 5 ++--- 5 files changed, 16 insertions(+), 14 deletions(-) diff --git a/service/authorization/v2/cache.go b/service/authorization/v2/cache.go index d028309d5f..66701d4a60 100644 --- a/service/authorization/v2/cache.go +++ b/service/authorization/v2/cache.go 
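Review bot: The new HIERARCHY guard is a count-then-update check: `countDefinitionValueEntitlementMappingsByDefinitionID` runs first and the rule change is applied later in `UnsafeUpdateAttribute`, whose body starts and ends outside this hunk. If those two statements are not inside one transaction that also serializes mapping creation, a concurrent `CreateDefinitionValueEntitlementMapping` can land between them and leave a HIERARCHY definition with a dynamic mapping, which is the state both guards exist to prevent. Whether a transaction or a database constraint covers this is not visible here; if neither does, I would enforce the invariant in the schema or lock the definition row before counting. At minimum record the assumption next to the check, e.g. `// NOTE: relies on the surrounding transaction to keep this count valid until the rule update commits`.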
@@ -299,7 +299,7 @@ func (c *EntitlementPolicyCache) ListAllDefinitionValueEntitlementMappings(ctx c mappings, ok = cached.([]*policy.DefinitionValueEntitlementMapping) if !ok { - return nil, fmt.Errorf("%w: %T", ErrCachedTypeNotExpected, mappings) + return nil, fmt.Errorf("%w: %T", ErrCachedTypeNotExpected, cached) } return mappings, nil } diff --git a/service/internal/access/v2/helpers.go b/service/internal/access/v2/helpers.go index 92f79239f8..33ccbe0910 100644 --- a/service/internal/access/v2/helpers.go +++ b/service/internal/access/v2/helpers.go @@ -260,21 +260,18 @@ func getResourceDecisionableAttributes( // definition carries a dynamic value entitlement mapping (DSPX-2754), since // dynamic mappings entitle values that are not pre-provisioned in policy. parentDefinition, err := getDefinition(attrValueFQN, entitleableAttributesByDefinitionFQN) - hasDynamicMapping := false - if err == nil { - _, hasDynamicMapping = dynamicMappingsByDefinitionFQN[parentDefinition.GetFqn()] + if err != nil { + // definition not found: add to not found list and skip + notFoundFQNs = append(notFoundFQNs, attrValueFQN) + continue } + _, hasDynamicMapping := dynamicMappingsByDefinitionFQN[parentDefinition.GetFqn()] if !allowDirectEntitlements && !hasDynamicMapping { // neither path enabled for this value: add to not found list and skip notFoundFQNs = append(notFoundFQNs, attrValueFQN) continue } - if err != nil { - // definition not found: add to not found list and skip - notFoundFQNs = append(notFoundFQNs, attrValueFQN) - continue - } logger.DebugContext(ctx, "processing synthetic value for resource decisionable attribute value", slog.String("attribute_value_fqn", attrValueFQN), diff --git a/service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go b/service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go index 1d7d1fd6da..210e30818a 100644 --- a/service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go 
+++ b/service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go @@ -33,7 +33,7 @@ func EvaluateDefinitionValueEntitlementMappingsWithActions( l *slog.Logger, ) (AttributeValueFQNsToActions, error) { entitlementsSet := make(AttributeValueFQNsToActions) - if len(mappingsByDefinitionFQN) == 0 { + if len(mappingsByDefinitionFQN) == 0 || entityRepresentation == nil { return entitlementsSet, nil } @@ -110,6 +110,9 @@ func evaluateValueResolver(resolver *policy.DefinitionValueResolver, entity flat switch resolver.GetOperator() { case policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN: for _, ev := range entityValues { + if ev == nil { + continue + } if canonicalizeValueSegment(fmt.Sprintf("%v", ev)) == target { return true, nil } @@ -117,6 +120,9 @@ func evaluateValueResolver(resolver *policy.DefinitionValueResolver, entity flat return false, nil case policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS: for _, ev := range entityValues { + if ev == nil { + continue + } if strings.Contains(canonicalizeValueSegment(fmt.Sprintf("%v", ev)), target) { return true, nil } diff --git a/service/policy/db/definition_value_entitlement_mappings.go b/service/policy/db/definition_value_entitlement_mappings.go index 08fc2fdd5a..737de6b8a9 100644 --- a/service/policy/db/definition_value_entitlement_mappings.go +++ b/service/policy/db/definition_value_entitlement_mappings.go @@ -169,7 +169,7 @@ func (c PolicyDBClient) ListDefinitionValueEntitlementMappings(ctx context.Conte func (c PolicyDBClient) UpdateDefinitionValueEntitlementMapping(ctx context.Context, r *definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest) (*policy.DefinitionValueEntitlementMapping, error) { id := r.GetId() before, err := c.GetDefinitionValueEntitlementMapping(ctx, id) - if err != nil || before == nil { + if err != nil { return nil, db.WrapIfKnownInvalidQueryErr(err) } 
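Review bot: In definition_value_entitlement_builtin.go the new `if ev == nil { continue }` guards in evaluateValueResolver (the RESOURCE_VALUE_IN loop and the RESOURCE_VALUE_IN_CONTAINS loop) keep a nil from being rendered by `fmt.Sprintf("%v", ev)`, but every other non-string value is still stringified and compared. A nested list or map would render in Go's `[a b]` / `map[k:v]` form, and under RESOURCE_VALUE_IN_CONTAINS `strings.Contains` would then entitle on any target that happens to be a substring of that rendering. Because a match here grants access, I would skip anything that is not a scalar rather than only nil, e.g. `s, ok := ev.(string)` followed by `if !ok { continue }`, widening the check only for the numeric or boolean types the selectors are expected to return. The function starts outside the hunk, so how `entityValues` is produced, and whether it is already flattened to scalars, is not visible here.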
diff --git a/service/policy/db/migrations/20260604000000_add_definition_value_entitlement_mappings.sql b/service/policy/db/migrations/20260604000000_add_definition_value_entitlement_mappings.sql index 3997b8b31d..5c0a78f6f3 100644 --- a/service/policy/db/migrations/20260604000000_add_definition_value_entitlement_mappings.sql +++ b/service/policy/db/migrations/20260604000000_add_definition_value_entitlement_mappings.sql @@ -41,15 +41,14 @@ CREATE INDEX idx_definition_value_entitlement_mappings_scs_id ON definition_value_entitlement_mappings(subject_condition_set_id); CREATE INDEX idx_definition_value_entitlement_mappings_namespace_id ON definition_value_entitlement_mappings(namespace_id); -CREATE INDEX idx_definition_value_entitlement_mapping_actions_mapping_action - ON definition_value_entitlement_mapping_actions(definition_value_entitlement_mapping_id, action_id); +-- No separate index on definition_value_entitlement_mapping_actions: its composite +-- PRIMARY KEY (definition_value_entitlement_mapping_id, action_id) already covers lookups. -- +goose StatementEnd -- +goose Down -- +goose StatementBegin -DROP INDEX IF EXISTS idx_definition_value_entitlement_mapping_actions_mapping_action; DROP INDEX IF EXISTS idx_definition_value_entitlement_mappings_namespace_id; DROP INDEX IF EXISTS idx_definition_value_entitlement_mappings_scs_id; DROP INDEX IF EXISTS idx_definition_value_entitlement_mappings_definition_id; From d8b65b971a604780f90f7115d8f6cff30c153d32 Mon Sep 17 00:00:00 2001 
From: Krish Suchak Date: Fri, 5 Jun 2026 15:06:35 -0400 Subject: [PATCH 6/8] refactor(policy): fold dynamic value entitlement into SubjectMappingService Move the DefinitionValueEntitlementMapping CRUD RPCs/messages from a dedicated service+package into the existing policy.subjectmapping package / SubjectMappingService. A brand-new proto package added an import path absent from the released protocol/go, which broke the per-module 'go mod tidy' CI check (that step does not use the go workspace). Reusing the already-published subjectmapping package removes the new import path so go mod tidy passes in a single PR, and drops the long dedicated package name. The object name DefinitionValueEntitlementMapping is kept. Refs: DSPX-3498, DSPX-2754 
Signed-off-by: Krish Suchak --- docs/grpc/index.html | 6813 ++++++++--------- .../authorization/authorization.openapi.yaml | 439 +- .../v2/authorization.openapi.yaml | 538 +- docs/openapi/common/common.openapi.yaml | 38 +- docs/openapi/entity/entity.openapi.yaml | 88 +- .../entity_resolution.openapi.yaml | 284 +- .../v2/entity_resolution.openapi.yaml | 294 +- docs/openapi/kas/kas.openapi.yaml | 265 +- .../policy/actions/actions.openapi.yaml | 497 +- .../policy/attributes/attributes.openapi.yaml | 755 +- .../definition_value_entitlement.openapi.yaml | 1472 ---- .../key_access_server_registry.openapi.yaml | 1096 ++- .../keymanagement/key_management.openapi.yaml | 223 +- .../policy/namespaces/namespaces.openapi.yaml | 437 +- docs/openapi/policy/objects.openapi.yaml | 286 +- .../obligations/obligations.openapi.yaml | 651 +- .../registered_resources.openapi.yaml | 630 +- .../resource_mapping.openapi.yaml | 524 +- docs/openapi/policy/selectors.openapi.yaml | 24 +- .../subject_mapping.openapi.yaml | 1012 ++- .../openapi/policy/unsafe/unsafe.openapi.yaml | 526 +- .../wellknown_configuration.openapi.yaml | 144 +- .../definition_value_entitlement.pb.go | 1365 ---- .../definition_value_entitlement_grpc.pb.go | 258 - .../definition_value_entitlement.connect.go | 245 - .../subjectmapping/subject_mapping.pb.go | 2156 ++++-- .../subjectmapping/subject_mapping_grpc.pb.go | 209 +- .../subject_mapping.connect.go | 178 +- sdk/codegen/main.go | 4 - sdk/sdk.go | 2 - sdk/sdkconnect/definitionvalueentitlement.go | 70 - sdk/sdkconnect/subjectmapping.go | 50 + ...inition_value_entitlement_mappings_test.go | 21 +- service/internal/access/v2/policy_store.go | 3 +- ...amic-attribute-value-entitlements-spike.md | 4 +- .../definition_value_entitlement_mappings.go | 12 +- service/policy/db/utils.go | 11 +- .../definition_value_entitlement.go | 189 - .../definition_value_entitlement.proto | 168 - service/policy/policy.go | 2 - .../policy/subjectmapping/subject_mapping.go | 120 + 
.../subjectmapping/subject_mapping.proto | 162 + 42 files changed, 10417 insertions(+), 11848 deletions(-) delete mode 100644 docs/openapi/policy/definitionvalueentitlement/definition_value_entitlement.openapi.yaml delete mode 100644 protocol/go/policy/definitionvalueentitlement/definition_value_entitlement.pb.go delete mode 100644 protocol/go/policy/definitionvalueentitlement/definition_value_entitlement_grpc.pb.go delete mode 100644 protocol/go/policy/definitionvalueentitlement/definitionvalueentitlementconnect/definition_value_entitlement.connect.go delete mode 100644 sdk/sdkconnect/definitionvalueentitlement.go delete mode 100644 service/policy/definitionvalueentitlement/definition_value_entitlement.go delete mode 100644 service/policy/definitionvalueentitlement/definition_value_entitlement.proto diff --git a/docs/grpc/index.html b/docs/grpc/index.html index 352c9bd474..69b44f5f3f 100644 --- a/docs/grpc/index.html +++ b/docs/grpc/index.html @@ -1079,200 +1079,6 @@

        Table of Contents

        -
      • - policy/subjectmapping/subject_mapping.proto - -
      • - - -
      • - policy/definitionvalueentitlement/definition_value_entitlement.proto - -
      • - -
      • policy/kasregistry/key_access_server_registry.proto +
      • + + +
      • + policy/unsafe/unsafe.proto + +
      • + + +
      • + wellknownconfiguration/wellknown_configuration.proto + +
      • + +
      • Scalar Value Types
      • @@ -9751,12 +9736,12 @@

        Methods with idempotency_level option

        -

        policy/subjectmapping/subject_mapping.proto

        Top +

        policy/kasregistry/key_access_server_registry.proto

        Top

        -

        CreateSubjectConditionSetRequest

        +

        ActivatePublicKeyRequest

        @@ -9767,21 +9752,7 @@

        CreateSubjectCon

        - - - - - - - - - - - - - - - + @@ -9794,7 +9765,7 @@

        CreateSubjectCon -

        CreateSubjectConditionSetResponse

        +

        ActivatePublicKeyResponse

        @@ -9805,8 +9776,8 @@

        CreateSubjectCo

        - - + + @@ -9818,8 +9789,8 @@

        CreateSubjectCo -

        CreateSubjectMappingRequest

        -

        +

        ChangeMappings

        +

        Simplified information about the resources that were rotated as part of the key rotation process.

        Method NameRequest TypeResponse TypeDescription
        MatchSubjectMappingsMatchSubjectMappingsRequestMatchSubjectMappingsResponse

        Find matching Subject Mappings for a given Subject

        ListSubjectMappingsListSubjectMappingsRequestListSubjectMappingsResponseListResourceMappingGroupsListResourceMappingGroupsRequestListResourceMappingGroupsResponse

        GetSubjectMappingGetSubjectMappingRequestGetSubjectMappingResponseGetResourceMappingGroupGetResourceMappingGroupRequestGetResourceMappingGroupResponse

        CreateSubjectMappingCreateSubjectMappingRequestCreateSubjectMappingResponseCreateResourceMappingGroupCreateResourceMappingGroupRequestCreateResourceMappingGroupResponse

        UpdateSubjectMappingUpdateSubjectMappingRequestUpdateSubjectMappingResponseUpdateResourceMappingGroupUpdateResourceMappingGroupRequestUpdateResourceMappingGroupResponse

        DeleteSubjectMappingDeleteSubjectMappingRequestDeleteSubjectMappingResponseDeleteResourceMappingGroupDeleteResourceMappingGroupRequestDeleteResourceMappingGroupResponse

        ListSubjectConditionSetsListSubjectConditionSetsRequestListSubjectConditionSetsResponseListResourceMappingsListResourceMappingsRequestListResourceMappingsResponse

        GetSubjectConditionSetGetSubjectConditionSetRequestGetSubjectConditionSetResponseListResourceMappingsByGroupFqnsListResourceMappingsByGroupFqnsRequestListResourceMappingsByGroupFqnsResponse

        CreateSubjectConditionSetCreateSubjectConditionSetRequestCreateSubjectConditionSetResponseGetResourceMappingGetResourceMappingRequestGetResourceMappingResponse

        UpdateSubjectConditionSetUpdateSubjectConditionSetRequestUpdateSubjectConditionSetResponseCreateResourceMappingCreateResourceMappingRequestCreateResourceMappingResponse

        DeleteSubjectConditionSetDeleteSubjectConditionSetRequestDeleteSubjectConditionSetResponseUpdateResourceMappingUpdateResourceMappingRequestUpdateResourceMappingResponse

        DeleteAllUnmappedSubjectConditionSetsDeleteAllUnmappedSubjectConditionSetsRequestDeleteAllUnmappedSubjectConditionSetsResponseDeleteResourceMappingDeleteResourceMappingRequestDeleteResourceMappingResponse

        ListSubjectMappingsListResourceMappingGroups

        NO_SIDE_EFFECTS

        GetSubjectMappingGetResourceMappingGroup

        NO_SIDE_EFFECTS

        ListSubjectConditionSetsListResourceMappings

        NO_SIDE_EFFECTS

        GetSubjectConditionSetListResourceMappingsByGroupFqns

        NO_SIDE_EFFECTS

        GetResourceMapping

        NO_SIDE_EFFECTS

        subject_condition_setSubjectConditionSetCreate

        namespace_idstring

        namespace_fqnid string

        subject_condition_setpolicy.SubjectConditionSetkeypolicy.Key

        @@ -9829,56 +9800,69 @@

        CreateSubjectMappingR

        - + - + - - - - + + + + + +
        attribute_value_idid string

        Required -Attribute Value to be mapped to

        actionspolicy.Actionrepeated

        Required -The actions permitted by subjects in this mapping

        fqnstring

        + + + + + +

        CreateKeyAccessServerRequest

        +

        + + + + + + + + - + - + - - + + - + - - + + - + - + - + - + @@ -9888,7 +9872,7 @@

        CreateSubjectMappingR -

        CreateSubjectMappingResponse

        +

        CreateKeyAccessServerResponse

        @@ -9899,8 +9883,8 @@

        CreateSubjectMapping

        - - + + @@ -9912,15 +9896,8 @@

        CreateSubjectMapping -

        DeleteAllUnmappedSubjectConditionSetsRequest

        -

        Prune any Subject Condition Sets not utilized within a Subject Mapping

        - - - - - -

        DeleteAllUnmappedSubjectConditionSetsResponse

        -

        +

        CreateKeyRequest

        +

        Create a new asymmetric key for the specified Key Access Server (KAS)

        FieldTypeLabelDescription
        existing_subject_condition_set_iduri string

        Either of the following: -Reuse existing SubjectConditionSet (NOTE: prioritized over new_subject_condition_set)

        Required

        new_subject_condition_setSubjectConditionSetCreatepublic_keypolicy.PublicKey

        Create new SubjectConditionSet (NOTE: ignored if existing_subject_condition_set_id is provided)

        Deprecated

        namespace_idstringsource_typepolicy.SourceType

        Optional -Namespace ID or FQN for the subject mapping

        Optional

        namespace_fqnname string

        Optional

        metadata common.MetadataMutable

        Optional

        Common metadata

        subject_mappingpolicy.SubjectMappingkey_access_serverpolicy.KeyAccessServer

        @@ -9930,10 +9907,84 @@

        Del

        - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -9943,8 +9994,8 @@

        Del -

        DeleteSubjectConditionSetRequest

        -

        +

        CreateKeyResponse

        +

        Response to a CreateKeyRequest, containing the created asymmetric key

        subject_condition_setspolicy.SubjectConditionSetrepeated

        Only IDs of any deleted Subject Condition Set provided

        kas_idstring

        Required + +The unique identifier of the Key Access Server

        key_idstring

        Required + +A user-defined identifier for the key

        key_algorithmpolicy.Algorithm

        Required + +The algorithm to be used for the key

        key_modepolicy.KeyMode

        Required + +The mode of the key (e.g., local or external)

        public_key_ctxpolicy.PublicKeyCtx

        Required + +Context or additional data specific to the public key, based on the key provider implementation

        private_key_ctxpolicy.PrivateKeyCtx

        Conditionally Required + +Context or additional data specific to the private key, based on the key provider implementation

        provider_config_idstring

        Optional + +Configuration ID for the key provider, if applicable

        legacybool

        Optional + +Whether the key is a legacy key

        metadatacommon.MetadataMutable

        Common metadata + +Mutable metadata for the key

        @@ -9954,10 +10005,10 @@

        DeleteSubjectCon

        - - + + - + @@ -9967,7 +10018,7 @@

        DeleteSubjectCon -

        DeleteSubjectConditionSetResponse

        +

        CreatePublicKeyRequest

        @@ -9978,10 +10029,24 @@

        DeleteSubjectCo

        - - + + - + + + + + + + + + + + + + + + @@ -9991,7 +10056,7 @@

        DeleteSubjectCo -

        DeleteSubjectMappingRequest

        +

        CreatePublicKeyResponse

        @@ -10002,10 +10067,10 @@

        DeleteSubjectMappingR

        - - + + - + @@ -10015,7 +10080,7 @@

        DeleteSubjectMappingR -

        DeleteSubjectMappingResponse

        +

        DeactivatePublicKeyRequest

        @@ -10026,10 +10091,10 @@

        DeleteSubjectMapping

        - - + + - + @@ -10039,7 +10104,7 @@

        DeleteSubjectMapping -

        GetSubjectConditionSetRequest

        +

        DeactivatePublicKeyResponse

        @@ -10050,10 +10115,10 @@

        GetSubjectCondition

        - - + + - + @@ -10063,7 +10128,7 @@

        GetSubjectCondition -

        GetSubjectConditionSetResponse

        +

        DeleteKeyAccessServerRequest

        @@ -10074,17 +10139,10 @@

        GetSubjectConditio

        - - + + - - - - - - - - + @@ -10094,7 +10152,7 @@

        GetSubjectConditio -

        GetSubjectMappingRequest

        +

        DeleteKeyAccessServerResponse

        @@ -10105,10 +10163,10 @@

        GetSubjectMappingRequest

        - - + + - + @@ -10118,7 +10176,14 @@

        GetSubjectMappingRequest -

        GetSubjectMappingResponse

        +

        GetBaseKeyRequest

        +

        + + + + + +

        GetBaseKeyResponse

        @@ -10129,10 +10194,10 @@

        GetSubjectMappingRespon

        - - + + - + @@ -10142,7 +10207,7 @@

        GetSubjectMappingRespon -

        ListSubjectConditionSetsRequest

        +

        GetKeyAccessServerRequest

        @@ -10153,45 +10218,62 @@

        ListSubjectCondit

        - + - + - + - + - - + + - + - - - - + + + +
        idstringkas_keypolicy.KasKey

        Required

        The created asymmetric key for a KAS.

        subject_condition_setpolicy.SubjectConditionSetkas_idstring

        Only ID of deleted Subject Condition Set provided

        Required

        keypolicy.KasPublicKey

        Required

        metadatacommon.MetadataMutable

        Common metadata

        idstringkeypolicy.Key

        Required

        subject_mappingpolicy.SubjectMappingidstring

        Only ID of the updated Subject Mapping provided

        idstringkeypolicy.Key

        Required

        subject_condition_setpolicy.SubjectConditionSetidstring

        associated_subject_mappingspolicy.SubjectMappingrepeated

        contextualized Subject Mappings associated with this SubjectConditionSet

        Required

        idstringkey_access_serverpolicy.KeyAccessServer

        Required

        subject_mappingpolicy.SubjectMappingbase_keypolicy.SimpleKasKey

        The current base key

        namespace_idid string

        Deprecated. Deprecated

        namespace_fqnkas_id string

        option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field

        paginationpolicy.PageRequestnamestring

        Optional

        sortSubjectConditionSetsSortrepeated

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        uristring

        + + +

        Fields with deprecated option

        + + + + + + + + + + + + + + + +
        NameOption
        id

        true

        + + -

        ListSubjectConditionSetsResponse

        +

        GetKeyAccessServerResponse

        @@ -10202,15 +10284,8 @@

        ListSubjectCondi - subject_condition_sets - policy.SubjectConditionSet - repeated -

        - - - - pagination - policy.PageResponse + key_access_server + policy.KeyAccessServer

        @@ -10222,8 +10297,8 @@

        ListSubjectCondi -

        ListSubjectMappingsRequest

        -

        +

        GetKeyRequest

        +

        Retrieve an existing asymmetric key from the Key Management System

        @@ -10233,37 +10308,19 @@

        ListSubjectMappingsReq

        - + - + - - + + - - - - - - - - - - - - - -
        namespace_idid string

        The unique identifier of the key to retrieve

        namespace_fqnstringkeyKasKeyIdentifier

        paginationpolicy.PageRequest

        Optional

        sortSubjectMappingsSortrepeated

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        @@ -10271,8 +10328,8 @@

        ListSubjectMappingsReq -

        ListSubjectMappingsResponse

        -

        +

        GetKeyResponse

        +

        Response to a GetKeyRequest, containing the requested asymmetric key

        @@ -10282,17 +10339,10 @@

        ListSubjectMappingsRe

        - - - - - - - - - + + - + @@ -10302,8 +10352,8 @@

        ListSubjectMappingsRe -

        MatchSubjectMappingsRequest

        -

        MatchSubjectMappingsRequest liberally returns a list of SubjectMappings based on the provided SubjectProperties.

        The SubjectMappings are returned if an external selector field matches.

        +

        GetPublicKeyRequest

        +

        subject_mappingspolicy.SubjectMappingrepeated

        paginationpolicy.PageResponsekas_keypolicy.KasKey

        The requested asymmetric key for a KAS.

        @@ -10313,9 +10363,9 @@

        MatchSubjectMappingsR

        - - - + + + @@ -10326,7 +10376,7 @@

        MatchSubjectMappingsR -

        MatchSubjectMappingsResponse

        +

        GetPublicKeyResponse

        @@ -10337,9 +10387,9 @@

        MatchSubjectMappings

        - - - + + + @@ -10350,8 +10400,8 @@

        MatchSubjectMappings -

        SubjectConditionSetCreate

        -

        +

        GrantedPolicyObject

        +

        Can be namespace, attribute definition, or value

        subject_propertiespolicy.SubjectPropertyrepeatedidstring

        subject_mappingspolicy.SubjectMappingrepeatedkeypolicy.Key

        @@ -10361,18 +10411,17 @@

        SubjectConditionSetCrea

        - - - - + + + + - - + + - + @@ -10382,8 +10431,8 @@

        SubjectConditionSetCrea -

        SubjectConditionSetsSort

        -

        +

        KasKeyIdentifier

        +

        Nested message for specifying the active key using KAS ID and Key ID

        subject_setspolicy.SubjectSetrepeated

        Required

        idstring

        metadatacommon.MetadataMutablefqnstring

        Optional -Common metadata

        @@ -10393,19 +10442,33 @@

        SubjectConditionSetsSort

        - - + + - - + + + + + + + + + + + + + + + +
        fieldSortSubjectConditionSetsTypekas_idstring

        directionpolicy.SortDirectionnamestring

        uristring

        kidstring

        Required Key ID of the key in question

        @@ -10413,7 +10476,7 @@

        SubjectConditionSetsSort -

        SubjectMappingsSort

        +

        KasKeysSort

        @@ -10425,7 +10488,7 @@

        SubjectMappingsSort

        field - SortSubjectMappingsType + SortKasKeysType

        @@ -10444,8 +10507,8 @@

        SubjectMappingsSort

        -

        UpdateSubjectConditionSetRequest

        -

        +

        KeyAccessServerGrants

        +

        Deprecated

        @@ -10455,31 +10518,30 @@

        UpdateSubjectCon

        - - + + - + - - + + - + - - - - + + + + - - - + + + @@ -10490,7 +10552,7 @@

        UpdateSubjectCon -

        UpdateSubjectConditionSetResponse

        +

        KeyAccessServersSort

        @@ -10501,10 +10563,17 @@

        UpdateSubjectCo

        - - + + - + + + + + + + + @@ -10514,7 +10583,7 @@

        UpdateSubjectCo -

        UpdateSubjectMappingRequest

        +

        KeyMapping

        @@ -10525,40 +10594,38 @@

        UpdateSubjectMappingR

        - + - + - + - + - - + + - + - - - - + + + + - - - - + + + + @@ -10568,8 +10635,8 @@

        UpdateSubjectMappingR -

        UpdateSubjectMappingResponse

        -

        +

        ListKeyAccessServerGrantsRequest

        +

        LIST of KAS Grants returns flat response of grants to all policy objects. It

        does not employ selectors for grants to specific policy objects or build the

        attribute tree relation. If grants to a known namespace, attribute, or value

        are needed, use the respective GET request to the specific policy object.

        idstringkey_access_serverpolicy.KeyAccessServer

        Required

        subject_setspolicy.SubjectSetnamespace_grantsGrantedPolicyObject repeated

        Optional -If provided, replaces entire existing structure of Subject Sets, Condition Groups, & Conditions

        metadatacommon.MetadataMutable

        Common metadata

        attribute_grantsGrantedPolicyObjectrepeated

        metadata_update_behaviorcommon.MetadataUpdateEnumvalue_grantsGrantedPolicyObjectrepeated

        subject_condition_setpolicy.SubjectConditionSetfieldSortKeyAccessServersType

        Only ID of updated Subject Condition Set provided

        directionpolicy.SortDirection

        idkid string

        Required

        subject_condition_set_idkas_uri string

        Optional -Replaces the existing SubjectConditionSet id with a new one

        actionspolicy.Actionnamespace_mappingsMappedPolicyObject repeated

        Optional -Replaces entire list of actions permitted by subjects

        List of namespaces mapped to the key

        metadatacommon.MetadataMutable

        Common metadata

        attribute_mappingsMappedPolicyObjectrepeated

        List of attribute definitions mapped to the key

        metadata_update_behaviorcommon.MetadataUpdateEnum

        value_mappingsMappedPolicyObjectrepeated

        List of attribute values mapped to the key

        @@ -10579,10 +10646,40 @@

        UpdateSubjectMapping

        - - + + - + + + + + + + + + + + + + + + + + + + + + + @@ -10592,212 +10689,8 @@

        UpdateSubjectMapping - - -

        SortSubjectConditionSetsType

        -

        -
        subject_mappingpolicy.SubjectMappingkas_idstring

        Only ID of the updated Subject Mapping provided

        Optional +Filter LIST by ID of a registered Key Access Server. +If neither is provided, grants from all registered KASs to policy attribute +objects are returned.

        kas_uristring

        Optional +Filter LIST by URI of a registered Key Access Server. +If none is provided, grants from all registered KASs to policy attribute +objects are returned.

        kas_namestring

        Optional +Filter LIST by name of a registered Key Access Server. +If none are provided, grants from all registered KASs to policy attribute +objects are returned.

        paginationpolicy.PageRequest

        Optional

        - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_SUBJECT_CONDITION_SETS_TYPE_UNSPECIFIED0

        SORT_SUBJECT_CONDITION_SETS_TYPE_CREATED_AT1

        SORT_SUBJECT_CONDITION_SETS_TYPE_UPDATED_AT2

        - -

        SortSubjectMappingsType

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_SUBJECT_MAPPINGS_TYPE_UNSPECIFIED0

        SORT_SUBJECT_MAPPINGS_TYPE_CREATED_AT1

        SORT_SUBJECT_MAPPINGS_TYPE_UPDATED_AT2

        - - - - - -

        SubjectMappingService

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Method NameRequest TypeResponse TypeDescription
        MatchSubjectMappingsMatchSubjectMappingsRequestMatchSubjectMappingsResponse

        Find matching Subject Mappings for a given Subject

        ListSubjectMappingsListSubjectMappingsRequestListSubjectMappingsResponse

        GetSubjectMappingGetSubjectMappingRequestGetSubjectMappingResponse

        CreateSubjectMappingCreateSubjectMappingRequestCreateSubjectMappingResponse

        UpdateSubjectMappingUpdateSubjectMappingRequestUpdateSubjectMappingResponse

        DeleteSubjectMappingDeleteSubjectMappingRequestDeleteSubjectMappingResponse

        ListSubjectConditionSetsListSubjectConditionSetsRequestListSubjectConditionSetsResponse

        GetSubjectConditionSetGetSubjectConditionSetRequestGetSubjectConditionSetResponse

        CreateSubjectConditionSetCreateSubjectConditionSetRequestCreateSubjectConditionSetResponse

        UpdateSubjectConditionSetUpdateSubjectConditionSetRequestUpdateSubjectConditionSetResponse

        DeleteSubjectConditionSetDeleteSubjectConditionSetRequestDeleteSubjectConditionSetResponse

        DeleteAllUnmappedSubjectConditionSetsDeleteAllUnmappedSubjectConditionSetsRequestDeleteAllUnmappedSubjectConditionSetsResponse

        - - - - -

        Methods with idempotency_level option

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Method NameOption
        ListSubjectMappings

        NO_SIDE_EFFECTS

        GetSubjectMapping

        NO_SIDE_EFFECTS

        ListSubjectConditionSets

        NO_SIDE_EFFECTS

        GetSubjectConditionSet

        NO_SIDE_EFFECTS

        - - - - -
        -

        policy/definitionvalueentitlement/definition_value_entitlement.proto

        Top -
        -

        - - -

        CreateDefinitionValueEntitlementMappingRequest

        -

        +

        ListKeyAccessServerGrantsResponse

        +

        Deprecated

        @@ -10807,179 +10700,48 @@

        string -

        - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

        attribute_definition_fqnstring

        value_resolverpolicy.DefinitionValueResolver

        Required: the dynamic resolver comparing entity selector result to the resource value segment

        actionspolicy.ActiongrantsKeyAccessServerGrants repeated

        Required: actions permitted on a matched value

        existing_subject_condition_set_idstring

        Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ...

        new_subject_condition_setpolicy.subjectmapping.SubjectConditionSetCreate

        ... or create a new one (ignored if existing_subject_condition_set_id is provided)

        namespace_idstring

        Optional: namespace ID or FQN for the mapping

        namespace_fqnstring

        metadatacommon.MetadataMutable

        Optional

        - - - - - -

        CreateDefinitionValueEntitlementMappingResponse

        -

        - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        definition_value_entitlement_mappingpolicy.DefinitionValueEntitlementMapping

        - - - - - -

        DefinitionValueEntitlementMappingsSort

        -

        - - - - - - - - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        fieldSortDefinitionValueEntitlementMappingsType

        directionpolicy.SortDirection

        - - - - - -

        DeleteDefinitionValueEntitlementMappingRequest

        -

        - - - - - - - - - - - - - + - -
        FieldTypeLabelDescription
        idstring

        Required

        Deprecated.

        - - - - - -

        DeleteDefinitionValueEntitlementMappingResponse

        -

        - - - - - - - - - - + + - +
        FieldTypeLabelDescription
        definition_value_entitlement_mappingpolicy.DefinitionValueEntitlementMappingpaginationpolicy.PageResponse

        Only ID of the deleted mapping provided

        + + +

        Fields with deprecated option

        + + + + + + + + + + + + + + + +
        NameOption
        grants

        true

        + + -

        GetDefinitionValueEntitlementMappingRequest

        +

        ListKeyAccessServersRequest

        @@ -10990,10 +10752,21 @@

        string + pagination + policy.PageRequest -

        Required

        +

        Optional

        + + + + sort + KeyAccessServersSort + repeated +

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        @@ -11003,7 +10776,7 @@

        GetDefinitionValueEntitlementMappingResponse

        +

        ListKeyAccessServersResponse

        @@ -11014,8 +10787,15 @@

        policy.DefinitionValueEntitlementMapping + key_access_servers + policy.KeyAccessServer + repeated +

        + + + + pagination + policy.PageResponse

        @@ -11027,7 +10807,7 @@

        ListDefinitionValueEntitlementMappingsRequest

        +

        ListKeyMappingsRequest

        @@ -11038,16 +10818,15 @@

        string -

        Optional -Namespace ID or FQN, or Attribute Definition ID or FQN to filter by

        +

        The unique identifier of the key to retrieve

        - attribute_definition_id - string + key + KasKeyIdentifier

        @@ -11056,14 +10835,7 @@

        policy.PageRequest -

        Optional

        - - - - sort - DefinitionValueEntitlementMappingsSort - repeated -

        Optional - CONSTRAINT: max 1 item

        +

        Pagination request for the list of keys

        @@ -11073,7 +10845,7 @@

        ListDefinitionValueEntitlementMappingsResponse

        +

        ListKeyMappingsResponse

        @@ -11084,17 +10856,17 @@

        policy.DefinitionValueEntitlementMapping + key_mappings + KeyMapping repeated -

        +

        The list of key mappings

        pagination policy.PageResponse -

        +

        Pagination response for the list of keys

        @@ -11104,8 +10876,8 @@

        UpdateDefinitionValueEntitlementMappingRequest

        -

        +

        ListKeysRequest

        +

        List all asymmetric keys managed by a specific Key Access Server or with a given algorithm

        @@ -11115,45 +10887,60 @@

        policy.Algorithm +

        + + + + + - + - - + + - + - + - + - - - - + + + + - - + + - + - - - - + + + + @@ -11163,8 +10950,8 @@

        UpdateDefinitionValueEntitlementMappingResponse

        -

        +

        ListKeysResponse

        +

        Response to a ListKeysRequest, containing the list of asymmetric keys and pagination information

        Filter keys by algorithm

        kas_id string

        Required

        Filter keys by the KAS ID

        value_resolverpolicy.DefinitionValueResolverkas_namestring

        Optional: replace the dynamic resolver

        Filter keys by the KAS name

        subject_condition_set_idkas_uri string

        Optional: replace the static pre-gate SubjectConditionSet by id

        Filter keys by the KAS URI

        actionspolicy.Actionrepeated

        Optional: replace the entire list of actions

        legacybooloptional

        Optional + +Filter for legacy keys

        metadatacommon.MetadataMutablepaginationpolicy.PageRequest

        Common metadata

        Optional + +Pagination request for the list of keys

        metadata_update_behaviorcommon.MetadataUpdateEnum

        sortKasKeysSortrepeated

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        @@ -11174,10 +10961,17 @@

        policy.DefinitionValueEntitlementMapping +

        + + + + + + + + - + @@ -11187,123 +10981,7 @@

        SortDefinitionValueEntitlementMappingsType

        -

        -
        kas_keyspolicy.KasKeyrepeated

        The list of kas keys

        paginationpolicy.PageResponse

        Pagination response for the list of keys

        - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED0

        SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT1

        SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT2

        - - - - - -

        DefinitionValueEntitlementMappingService

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Method NameRequest TypeResponse TypeDescription
        ListDefinitionValueEntitlementMappingsListDefinitionValueEntitlementMappingsRequestListDefinitionValueEntitlementMappingsResponse

        GetDefinitionValueEntitlementMappingGetDefinitionValueEntitlementMappingRequestGetDefinitionValueEntitlementMappingResponse

        CreateDefinitionValueEntitlementMappingCreateDefinitionValueEntitlementMappingRequestCreateDefinitionValueEntitlementMappingResponse

        UpdateDefinitionValueEntitlementMappingUpdateDefinitionValueEntitlementMappingRequestUpdateDefinitionValueEntitlementMappingResponse

        DeleteDefinitionValueEntitlementMappingDeleteDefinitionValueEntitlementMappingRequestDeleteDefinitionValueEntitlementMappingResponse

        - - - - -

        Methods with idempotency_level option

        - - - - - - - - - - - - - - - - - - - - -
        Method NameOption
        ListDefinitionValueEntitlementMappings

        NO_SIDE_EFFECTS

        GetDefinitionValueEntitlementMapping

        NO_SIDE_EFFECTS

        - - - - -
        -

        policy/kasregistry/key_access_server_registry.proto

        Top -
        -

        - - -

        ActivatePublicKeyRequest

        +

        ListPublicKeyMappingRequest

        @@ -11314,10 +10992,38 @@

        ActivatePublicKeyRequest - id + kas_id string -

        +

        Optional

        + + + + kas_name + string + +

        Optional

        + + + + kas_uri + string + +

        Optional

        + + + + public_key_id + string + +

        Optional Public Key ID

        + + + + pagination + policy.PageRequest + +

        Optional

        @@ -11327,7 +11033,7 @@

        ActivatePublicKeyRequestActivatePublicKeyResponse

        +

        ListPublicKeyMappingResponse

        @@ -11338,8 +11044,15 @@

        ActivatePublicKeyResponse< - key - policy.Key + public_key_mappings + ListPublicKeyMappingResponse.PublicKeyMapping + repeated +

        + + + + pagination + policy.PageResponse

        @@ -11351,8 +11064,8 @@

        ActivatePublicKeyResponse< -

        ChangeMappings

        -

        Simplified information about the resources that were rotated as part of the key rotation process.

        +

        ListPublicKeyMappingResponse.Association

        +

        @@ -11382,7 +11095,7 @@

        ChangeMappings

        -

        CreateKeyAccessServerRequest

        +

        ListPublicKeyMappingResponse.PublicKey

        @@ -11393,38 +11106,31 @@

        CreateKeyAccessServerRe

        - - - - - - - - - + + - + - - - - + + + + - - - - + + + + - - - - + + + + @@ -11434,7 +11140,7 @@

        CreateKeyAccessServerRe -

        CreateKeyAccessServerResponse

        +

        ListPublicKeyMappingResponse.PublicKeyMapping

        @@ -11445,12 +11151,33 @@

        CreateKeyAccessServerR

        - - + + + + + + + + + + + + + + + + + + + + + + +
        uristring

        Required

        public_keypolicy.PublicKeykeypolicy.Key

        Deprecated

        source_typepolicy.SourceType

        Optional

        valuesListPublicKeyMappingResponse.Associationrepeated

        namestring

        Optional

        definitionsListPublicKeyMappingResponse.Associationrepeated

        metadatacommon.MetadataMutable

        Common metadata

        namespacesListPublicKeyMappingResponse.Associationrepeated

        key_access_serverpolicy.KeyAccessServerkas_idstring

        kas_namestring

        kas_uristring

        public_keysListPublicKeyMappingResponse.PublicKeyrepeated

        @@ -11458,8 +11185,8 @@

        CreateKeyAccessServerR -

        CreateKeyRequest

        -

        Create a new asymmetric key for the specified Key Access Server (KAS)

        +

        ListPublicKeysRequest

        +

        @@ -11472,81 +11199,90 @@

        CreateKeyRequest

        - + - + - + - - + + - + - - + + - + - - - - - +
        kas_id string

        Required - -The unique identifier of the Key Access Server

        Optional

        key_idkas_name string

        Required - -A user-defined identifier for the key

        Optional

        key_algorithmpolicy.Algorithmkas_uristring

        Required - -The algorithm to be used for the key

        Optional

        key_modepolicy.KeyModepaginationpolicy.PageRequest

        Required - -The mode of the key (e.g., local or external)

        Optional

        public_key_ctxpolicy.PublicKeyCtx

        Required +

        -Context or additional data specific to the public key, based on the key provider implementation

        - + + + + +

        ListPublicKeysResponse

        +

        + + + + + + + - - - - + + + + - - + + - + + +
        FieldTypeLabelDescription
        private_key_ctxpolicy.PrivateKeyCtx

        Conditionally Required - -Context or additional data specific to the private key, based on the key provider implementation

        keyspolicy.Keyrepeated

        provider_config_idstringpaginationpolicy.PageResponse

        Optional - -Configuration ID for the key provider, if applicable

        + + + + + +

        MappedPolicyObject

        +

        + + + + + + + + - - + + - + - - + + - + @@ -11556,8 +11292,8 @@

        CreateKeyRequest

        -

        CreateKeyResponse

        -

        Response to a CreateKeyRequest, containing the created asymmetric key

        +

        RotateKeyRequest

        +

        FieldTypeLabelDescription
        legacyboolidstring

        Optional - -Whether the key is a legacy key

        The unique identifier of the policy object

        metadatacommon.MetadataMutablefqnstring

        Common metadata - -Mutable metadata for the key

        The fully qualified name of the policy object

        @@ -11567,10 +11303,24 @@

        CreateKeyResponse

        - - + + - + + + + + + + + + + + + + + + @@ -11580,8 +11330,8 @@

        CreateKeyResponse

        -

        CreatePublicKeyRequest

        -

        +

        RotateKeyRequest.NewKey

        +

        Nested message for specifying the new key details

        kas_keypolicy.KasKeyidstring

        The created asymmetric key for a KAS.

        Current Active Key UUID

        keyKasKeyIdentifier

        Alternative way to specify the active key using KAS ID and Key ID

        new_keyRotateKeyRequest.NewKey

        Information about the new key to be rotated in

        @@ -11591,24 +11341,54 @@

        CreatePublicKeyRequest

        - - + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + + + + - + @@ -11618,8 +11398,8 @@

        CreatePublicKeyRequest

        -

        CreatePublicKeyResponse

        -

        +

        RotateKeyResponse

        +

        Response message for the RotateKey request

        kas_idstringkey_idstring

        Required

        algorithmpolicy.Algorithm

        Required

        key_modepolicy.KeyMode

        Required

        keypolicy.KasPublicKeypublic_key_ctxpolicy.PublicKeyCtx

        Required

        private_key_ctxpolicy.PrivateKeyCtx

        Required

        provider_config_idstring

        Conditionally Required. + +Validation handled by message-level CEL

        metadata common.MetadataMutable

        Common metadata

        Common metadata fields

        @@ -11629,10 +11409,17 @@

        CreatePublicKeyResponse

        - - + + - + + + + + + + + @@ -11642,8 +11429,8 @@

        CreatePublicKeyResponse

        -

        DeactivatePublicKeyRequest

        -

        +

        RotatedResources

        +

        All resources that were rotated as part of the key rotation process

        keypolicy.Keykas_keypolicy.KasKey

        The newly rotated Kas Key

        rotated_resourcesRotatedResources

        All resources that were rotated as part of the key rotation process

        @@ -11653,33 +11440,30 @@

        DeactivatePublicKeyReques

        - - + + + + + + + + + - -
        idstringrotated_out_keypolicy.KasKey

        The old key that was rotated out

        attribute_definition_mappingsChangeMappingsrepeated

        - - - - - -

        DeactivatePublicKeyResponse

        -

        - - - - - - - + + + + + + - - - + + + @@ -11690,8 +11474,8 @@

        DeactivatePublicKeyRespo -

        DeleteKeyAccessServerRequest

        -

        +

        SetBaseKeyRequest

        +

        Sets the specified key as the base key for the Key Access Server

        Note: The key must be active.

        FieldTypeLabelDescription
        attribute_value_mappingsChangeMappingsrepeated

        keypolicy.Keynamespace_mappingsChangeMappingsrepeated

        @@ -11704,31 +11488,14 @@

        DeleteKeyAccessServerRe

        - + - -
        id string

        Required

        Current Key UUID tp be set as default

        - - - - - -

        DeleteKeyAccessServerResponse

        -

        - - - - - - - - - - + + - + @@ -11738,14 +11505,7 @@

        DeleteKeyAccessServerR -

        GetBaseKeyRequest

        -

        - - - - - -

        GetBaseKeyResponse

        +

        SetBaseKeyResponse

        @@ -11756,10 +11516,17 @@

        GetBaseKeyResponse

        - + - + + + + + + + + @@ -11769,7 +11536,7 @@

        GetBaseKeyResponse

        -

        GetKeyAccessServerRequest

        +

        UpdateKeyAccessServerRequest

        @@ -11783,71 +11550,53 @@

        GetKeyAccessServerRequest<

        - + - + - + - - + + - + - - + + - + - -
        FieldTypeLabelDescription
        key_access_serverpolicy.KeyAccessServerkeyKasKeyIdentifier

        Alternative way to specify the key using KAS ID and Key ID

        base_keynew_base_key policy.SimpleKasKey

        The current base key

        The key that was set as base

        previous_base_keypolicy.SimpleKasKey

        The previous base key, if any

        id string

        Deprecated. Deprecated

        Required

        kas_iduri string

        option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field

        Optional

        namestringpublic_keypolicy.PublicKey

        Deprecated +Optional

        uristringsource_typepolicy.SourceType

        Optional +Using UNSPECIFIED will result in a successful update, +but will not actually update the underlying source. +You should not update KAS's from INTERNAL/EXTERNAL +to unspecified.

        - - - - -

        Fields with deprecated option

        - - - - + + + + - - - - + + + + - -
        NameOptionnamestring

        Optional

        id

        true

        metadatacommon.MetadataMutable

        Optional +Common metadata

        - - - - - -

        GetKeyAccessServerResponse

        -

        - - - - - - - - - - + + @@ -11859,8 +11608,8 @@

        GetKeyAccessServerRespons -

        GetKeyRequest

        -

        Retrieve an existing asymmetric key from the Key Management System

        +

        UpdateKeyAccessServerResponse

        +

        FieldTypeLabelDescription
        key_access_serverpolicy.KeyAccessServermetadata_update_behaviorcommon.MetadataUpdateEnum

        @@ -11870,15 +11619,8 @@

        GetKeyRequest

        - - - - - - - - - + + @@ -11890,8 +11632,8 @@

        GetKeyRequest

        -

        GetKeyResponse

        -

        Response to a GetKeyRequest, containing the requested asymmetric key

        +

        UpdateKeyRequest

        +

        Update an existing asymmetric key in the Key Management System

        idstring

        The unique identifier of the key to retrieve

        keyKasKeyIdentifierkey_access_serverpolicy.KeyAccessServer

        @@ -11901,34 +11643,29 @@

        GetKeyResponse

        - - + + - + - -
        kas_keypolicy.KasKeyidstring

        The requested asymmetric key for a KAS.

        Required + +The unique identifier of the key to update

        - - - - - -

        GetPublicKeyRequest

        -

        - - - - - - - + + + + + + - - + + - + @@ -11938,8 +11675,8 @@

        GetPublicKeyRequest

        -

        GetPublicKeyResponse

        -

        +

        UpdateKeyResponse

        +

        Response to an UpdateKeyRequest, containing the updated asymmetric key

        FieldTypeLabelDescription
        metadatacommon.MetadataMutable

        Optional +Common metadata + +Mutable metadata for the key

        idstringmetadata_update_behaviorcommon.MetadataUpdateEnum

        The behavior for updating the metadata

        @@ -11949,10 +11686,10 @@

        GetPublicKeyResponse

        - - + + - + @@ -11962,8 +11699,8 @@

        GetPublicKeyResponse

        -

        GrantedPolicyObject

        -

        Can be namespace, attribute definition, or value

        +

        UpdatePublicKeyRequest

        +

        keypolicy.Keykas_keypolicy.KasKey

        The updated kas key

        @@ -11976,12 +11713,20 @@

        GrantedPolicyObject

        - + - - + + + + + + + + + @@ -11993,8 +11738,8 @@

        GrantedPolicyObject

        -

        KasKeyIdentifier

        -

        Nested message for specifying the active key using KAS ID and Key ID

        +

        UpdatePublicKeyResponse

        +

        id string

        Required

        fqnstringmetadatacommon.MetadataMutable

        Optional +Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnum

        @@ -12004,33 +11749,12 @@

        KasKeyIdentifier

        - - - - - - - - - - - - - - - - + + - - - - - - -
        kas_idstring

        namestring

        uristringkeypolicy.Key

        kidstring

        Required Key ID of the key in question

        @@ -12038,167 +11762,261 @@

        KasKeyIdentifier

        -

        KasKeysSort

        + + +

        SortKasKeysType

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        NameNumberDescription
        SORT_KAS_KEYS_TYPE_UNSPECIFIED0

        SORT_KAS_KEYS_TYPE_KEY_ID1

        SORT_KAS_KEYS_TYPE_CREATED_AT2

        SORT_KAS_KEYS_TYPE_UPDATED_AT3

        + +

        SortKeyAccessServersType

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        NameNumberDescription
        SORT_KEY_ACCESS_SERVERS_TYPE_UNSPECIFIED0

        SORT_KEY_ACCESS_SERVERS_TYPE_NAME1

        SORT_KEY_ACCESS_SERVERS_TYPE_URI2

        SORT_KEY_ACCESS_SERVERS_TYPE_CREATED_AT3

        SORT_KEY_ACCESS_SERVERS_TYPE_UPDATED_AT4

        + + + + + +

        KeyAccessServerRegistryService

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameRequest TypeResponse TypeDescription
        ListKeyAccessServersListKeyAccessServersRequestListKeyAccessServersResponse

        GetKeyAccessServerGetKeyAccessServerRequestGetKeyAccessServerResponse

        CreateKeyAccessServerCreateKeyAccessServerRequestCreateKeyAccessServerResponse

        UpdateKeyAccessServerUpdateKeyAccessServerRequestUpdateKeyAccessServerResponse

        DeleteKeyAccessServerDeleteKeyAccessServerRequestDeleteKeyAccessServerResponse

        ListKeyAccessServerGrantsListKeyAccessServerGrantsRequestListKeyAccessServerGrantsResponse

        Deprecated

        CreateKeyCreateKeyRequestCreateKeyResponse

        KAS Key Management +Request to create a new key in the Key Access Service.

        GetKeyGetKeyRequestGetKeyResponse

        Request to retrieve a key from the Key Access Service.

        ListKeysListKeysRequestListKeysResponse

        Request to list keys in the Key Access Service.

        UpdateKeyUpdateKeyRequestUpdateKeyResponse

        Request to update a key in the Key Access Service.

        RotateKeyRotateKeyRequestRotateKeyResponse

        Request to rotate a key in the Key Access Service.

        SetBaseKeySetBaseKeyRequestSetBaseKeyResponse

        Request to set the default a default kas key.

        GetBaseKeyGetBaseKeyRequestGetBaseKeyResponse

        Get Default kas keys

        ListKeyMappingsListKeyMappingsRequestListKeyMappingsResponse

        Request to list key mappings in the Key Access Service.

        - - - - - - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        fieldSortKasKeysType

        directionpolicy.SortDirection

        - - - - -

        KeyAccessServerGrants

        -

        Deprecated

        - - - + +

        Methods with deprecated option

        +
        - + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + +
        FieldTypeLabelDescription
        Method NameOption
        key_access_serverpolicy.KeyAccessServer

        namespace_grantsGrantedPolicyObjectrepeated

        attribute_grantsGrantedPolicyObjectrepeated

        value_grantsGrantedPolicyObjectrepeated

        ListKeyAccessServerGrants

        true

        - - - - -

        KeyAccessServersSort

        -

        - - + + +

        Methods with idempotency_level option

        +
        - + + + + - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        Method NameOption
        fieldSortKeyAccessServersType

        directionpolicy.SortDirection

        ListKeyAccessServers

        NO_SIDE_EFFECTS

        GetKeyAccessServer

        NO_SIDE_EFFECTS

        ListKeyAccessServerGrants

        NO_SIDE_EFFECTS

        - - + -

        KeyMapping

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        kidstring

        kas_uristring

        namespace_mappingsMappedPolicyObjectrepeated

        List of namespaces mapped to the key

        attribute_mappingsMappedPolicyObjectrepeated

        List of attribute definitions mapped to the key

        value_mappingsMappedPolicyObjectrepeated

        List of attribute values mapped to the key

        - - +
        +

        policy/keymanagement/key_management.proto

        Top +
        +

        - -

        ListKeyAccessServerGrantsRequest

        -

        LIST of KAS Grants returns flat response of grants to all policy objects. It

        does not employ selectors for grants to specific policy objects or build the

        attribute tree relation. If grants to a known namespace, attribute, or value

        are needed, use the respective GET request to the specific policy object.

        +

        CreateProviderConfigRequest

        +

        Provider Configuration Requests and Response Messages

        @@ -12208,40 +12026,34 @@

        ListKeyAccessServer

        - + - + - - + + - + - + - + - - + + - + @@ -12251,8 +12063,8 @@

        ListKeyAccessServer -

        ListKeyAccessServerGrantsResponse

        -

        Deprecated

        +

        CreateProviderConfigResponse

        +

        kas_idname string

        Optional -Filter LIST by ID of a registered Key Access Server. -If neither is provided, grants from all registered KASs to policy attribute -objects are returned.

        Required +The name of the key provider. (e.g. "AWS KMS Instance 1", "Google Cloud KMS Instance 2")

        kas_uristringconfig_jsonbytes

        Optional -Filter LIST by URI of a registered Key Access Server. -If none is provided, grants from all registered KASs to policy attribute -objects are returned.

        Required +JSON configuration for the key provider. This is unique to individual key providers.

        kas_namemanager string

        Optional -Filter LIST by name of a registered Key Access Server. -If none are provided, grants from all registered KASs to policy attribute -objects are returned.

        Required +The type of key manager (e.g. "aws", "gcp", "azure", "opentdf.io/basic")

        paginationpolicy.PageRequestmetadatacommon.MetadataMutable

        Optional

        Common metadata

        @@ -12262,15 +12074,8 @@

        ListKeyAccessServe

        - - - - - - - - - + + @@ -12279,32 +12084,11 @@

        ListKeyAccessServe

        grantsKeyAccessServerGrantsrepeated

        Deprecated.

        paginationpolicy.PageResponseprovider_configpolicy.KeyProviderConfig

        - - -

        Fields with deprecated option

        - - - - - - - - - - - - - - - -
        NameOption
        grants

        true

        - - -

        ListKeyAccessServersRequest

        -

        +

        DeleteProviderConfigRequest

        +

        In order to delete a provider configuration you must first delete all keys associated with the provider.

        @@ -12314,21 +12098,10 @@

        ListKeyAccessServersRequ

        - - + + - - - - - - - - + @@ -12338,7 +12111,7 @@

        ListKeyAccessServersRequ -

        ListKeyAccessServersResponse

        +

        DeleteProviderConfigResponse

        @@ -12349,15 +12122,8 @@

        ListKeyAccessServersRes

        - - - - - - - - - + + @@ -12369,7 +12135,7 @@

        ListKeyAccessServersRes -

        ListKeyMappingsRequest

        +

        GetProviderConfigRequest

        @@ -12383,21 +12149,21 @@

        ListKeyMappingsRequest

        - + - - + + - - + + - + @@ -12407,7 +12173,7 @@

        ListKeyMappingsRequest

        -

        ListKeyMappingsResponse

        +

        GetProviderConfigResponse

        @@ -12418,17 +12184,10 @@

        ListKeyMappingsResponse

        - - - - - - - - - + + - + @@ -12438,8 +12197,8 @@

        ListKeyMappingsResponse

        -

        ListKeysRequest

        -

        List all asymmetric keys managed by a specific Key Access Server or with a given algorithm

        +

        ListProviderConfigsRequest

        +

        paginationpolicy.PageRequestidstring

        Optional

        sortKeyAccessServersSortrepeated

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        Required

        key_access_serverspolicy.KeyAccessServerrepeated

        paginationpolicy.PageResponseprovider_configpolicy.KeyProviderConfig

        id string

        The unique identifier of the key to retrieve

        keyKasKeyIdentifiernamestring

        paginationpolicy.PageRequestmanagerstring

        Pagination request for the list of keys

        Optional - filter by manager type when searching by name

        key_mappingsKeyMappingrepeated

        The list of key mappings

        paginationpolicy.PageResponseprovider_configpolicy.KeyProviderConfig

        Pagination response for the list of keys

        @@ -12448,61 +12207,11 @@

        ListKeysRequest

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + @@ -12512,8 +12221,8 @@

        ListKeysRequest

        -

        ListKeysResponse

        -

        Response to a ListKeysRequest, containing the list of asymmetric keys and pagination information

        +

        ListProviderConfigsResponse

        +

        key_algorithmpolicy.Algorithm

        Filter keys by algorithm

        kas_idstring

        Filter keys by the KAS ID

        kas_namestring

        Filter keys by the KAS name

        kas_uristring

        Filter keys by the KAS URI

        legacybooloptional

        Optional - -Filter for legacy keys

        pagination policy.PageRequest

        Optional - -Pagination request for the list of keys

        sortKasKeysSortrepeated

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        Optional

        @@ -12523,17 +12232,17 @@

        ListKeysResponse

        - - + + - + - + @@ -12543,7 +12252,7 @@

        ListKeysResponse

        -

        ListPublicKeyMappingRequest

        +

        UpdateProviderConfigRequest

        @@ -12554,38 +12263,46 @@

        ListPublicKeyMappingRequ

        - + - + - + - - + + - + - + - - + + - + + + + + + + + @@ -12595,7 +12312,7 @@

        ListPublicKeyMappingRequ -

        ListPublicKeyMappingResponse

        +

        UpdateProviderConfigResponse

        @@ -12606,15 +12323,8 @@

        ListPublicKeyMappingRes

        - - - - - - - - - + + @@ -12626,8 +12336,70 @@

        ListPublicKeyMappingRes -

        ListPublicKeyMappingResponse.Association

        + + + + + + +

        KeyManagementService

        +
        kas_keyspolicy.KasKeyprovider_configspolicy.KeyProviderConfig repeated

        The list of kas keys

        pagination policy.PageResponse

        Pagination response for the list of keys

        kas_idid string

        Optional

        Required

        kas_namename string

        Optional

        kas_uristringconfig_jsonbytes

        Optional

        public_key_idmanager string

        Optional Public Key ID

        Optional

        paginationpolicy.PageRequestmetadatacommon.MetadataMutable

        Optional

        Optional +Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnum

        public_key_mappingsListPublicKeyMappingResponse.PublicKeyMappingrepeated

        paginationpolicy.PageResponseprovider_configpolicy.KeyProviderConfig

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameRequest TypeResponse TypeDescription
        CreateProviderConfigCreateProviderConfigRequestCreateProviderConfigResponse

        Key Management +Provider Management

        GetProviderConfigGetProviderConfigRequestGetProviderConfigResponse

        ListProviderConfigsListProviderConfigsRequestListProviderConfigsResponse

        UpdateProviderConfigUpdateProviderConfigRequestUpdateProviderConfigResponse

        DeleteProviderConfigDeleteProviderConfigRequestDeleteProviderConfigResponse

        + + + + +
        +

        policy/namespaces/namespaces.proto

        Top +
        +

        + + +

        AssignKeyAccessServerToNamespaceRequest

        +

        Deprecated: utilize AssignPublicKeyToNamespaceRequest

        @@ -12637,15 +12409,32 @@

        ListPublicK

        - - + + + +
        idstringnamespace_key_access_serverNamespaceKeyAccessServer

        + + + + + +

        AssignKeyAccessServerToNamespaceResponse

        +

        + + + + + + + + - - + + @@ -12657,8 +12446,8 @@

        ListPublicK -

        ListPublicKeyMappingResponse.PublicKey

        -

        +

        AssignPublicKeyToNamespaceRequest

        +

        Assign Key to Namespace

        FieldTypeLabelDescription
        fqnstringnamespace_key_access_serverNamespaceKeyAccessServer

        @@ -12668,33 +12457,12 @@

        ListPublicKey

        - - + + - - - - - - - - - - - - - - - - - - - - -
        keypolicy.Keynamespace_keyNamespaceKey

        valuesListPublicKeyMappingResponse.Associationrepeated

        definitionsListPublicKeyMappingResponse.Associationrepeated

        namespacesListPublicKeyMappingResponse.Associationrepeated

        @@ -12702,7 +12470,7 @@

        ListPublicKey -

        ListPublicKeyMappingResponse.PublicKeyMapping

        +

        AssignPublicKeyToNamespaceResponse

        @@ -12713,33 +12481,12 @@

        ListPu - kas_id - string - -

        - - - - kas_name - string - -

        - - - - kas_uri - string + namespace_key + NamespaceKey

        - - public_keys - ListPublicKeyMappingResponse.PublicKey - repeated -

        - - @@ -12747,7 +12494,7 @@

        ListPu -

        ListPublicKeysRequest

        +

        CreateNamespaceRequest

        @@ -12758,29 +12505,15 @@

        ListPublicKeysRequest

        - kas_id - string - -

        Optional

        - - - - kas_name - string - -

        Optional

        - - - - kas_uri + name string -

        Optional

        +

        Required

        - pagination - policy.PageRequest + metadata + common.MetadataMutable

        Optional

        @@ -12792,7 +12525,7 @@

        ListPublicKeysRequest

        -

        ListPublicKeysResponse

        +

        CreateNamespaceResponse

        @@ -12803,15 +12536,8 @@

        ListPublicKeysResponse

        - keys - policy.Key - repeated -

        - - - - pagination - policy.PageResponse + namespace + policy.Namespace

        @@ -12823,7 +12549,7 @@

        ListPublicKeysResponse

        -

        MappedPolicyObject

        +

        DeactivateNamespaceRequest

        @@ -12837,14 +12563,7 @@

        MappedPolicyObject

        id string -

        The unique identifier of the policy object

        - - - - fqn - string - -

        The fully qualified name of the policy object

        +

        Required

        @@ -12854,7 +12573,14 @@

        MappedPolicyObject

        -

        RotateKeyRequest

        +

        DeactivateNamespaceResponse

        +

        + + + + + +

        GetNamespaceRequest

        @@ -12868,32 +12594,53 @@

        RotateKeyRequest

        id string -

        Current Active Key UUID

        +

        Deprecated. Deprecated

        - key - KasKeyIdentifier + namespace_id + string -

        Alternative way to specify the active key using KAS ID and Key ID

        +

        option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field

        - new_key - RotateKeyRequest.NewKey + fqn + string -

        Information about the new key to be rotated in

        +

        + + +

        Fields with deprecated option

        + + + + + + + + + + + + + + + +
        NameOption
        id

        true

        + + -

        RotateKeyRequest.NewKey

        -

        Nested message for specifying the new key details

        +

        GetNamespaceResponse

        +

        @@ -12903,54 +12650,10 @@

        RotateKeyRequest.NewKey

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - + @@ -12960,8 +12663,8 @@

        RotateKeyRequest.NewKey

        -

        RotateKeyResponse

        -

        Response message for the RotateKey request

        +

        ListNamespacesRequest

        +

        key_idstring

        Required

        algorithmpolicy.Algorithm

        Required

        key_modepolicy.KeyMode

        Required

        public_key_ctxpolicy.PublicKeyCtx

        Required

        private_key_ctxpolicy.PrivateKeyCtx

        Required

        provider_config_idstring

        Conditionally Required. - -Validation handled by message-level CEL

        metadatacommon.MetadataMutablenamespacepolicy.Namespace

        Common metadata fields

        @@ -12971,17 +12674,29 @@

        RotateKeyResponse

        - - + + - + - - + + - + + + + + + + + @@ -12991,8 +12706,8 @@

        RotateKeyResponse

        -

        RotatedResources

        -

        All resources that were rotated as part of the key rotation process

        +

        ListNamespacesResponse

        +

        kas_keypolicy.KasKeystatecommon.ActiveStateEnum

        The newly rotated Kas Key

        Optional +ACTIVE by default when not specified

        rotated_resourcesRotatedResourcespaginationpolicy.PageRequest

        All resources that were rotated as part of the key rotation process

        Optional

        sortNamespacesSortrepeated

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        @@ -13002,30 +12717,16 @@

        RotatedResources

        - - - - - - - - - - - - - - - - + + - - - + + + @@ -13036,8 +12737,8 @@

        RotatedResources

        -

        SetBaseKeyRequest

        -

        Sets the specified key as the base key for the Key Access Server

        Note: The key must be active.

        +

        NamespaceKey

        +

        rotated_out_keypolicy.KasKey

        The old key that was rotated out

        attribute_definition_mappingsChangeMappingsrepeated

        attribute_value_mappingsChangeMappingsnamespacespolicy.Namespace repeated

        namespace_mappingsChangeMappingsrepeatedpaginationpolicy.PageResponse

        @@ -13047,17 +12748,17 @@

        SetBaseKeyRequest

        - + - + - - + + - + @@ -13067,8 +12768,8 @@

        SetBaseKeyRequest

        -

        SetBaseKeyResponse

        -

        +

        NamespaceKeyAccessServer

        +

        Deprecated

        idnamespace_id string

        Current Key UUID tp be set as default

        Required

        keyKasKeyIdentifierkey_idstring

        Alternative way to specify the key using KAS ID and Key ID

        Required (The id from the Asymmetric Key object)

        @@ -13078,17 +12779,17 @@

        SetBaseKeyResponse

        - - + + - + - - + + - + @@ -13098,7 +12799,7 @@

        SetBaseKeyResponse

        -

        UpdateKeyAccessServerRequest

        +

        NamespacesSort

        @@ -13109,56 +12810,15 @@

        UpdateKeyAccessServerRe

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - + - - + + @@ -13170,8 +12830,8 @@

        UpdateKeyAccessServerRe -

        UpdateKeyAccessServerResponse

        -

        +

        RemoveKeyAccessServerFromNamespaceRequest

        +

        Deprecated: utilize RemovePublicKeyFromNamespaceRequest

        new_base_keypolicy.SimpleKasKeynamespace_idstring

        The key that was set as base

        Required

        previous_base_keypolicy.SimpleKasKeykey_access_server_idstring

        The previous base key, if any

        Required

        idstring

        Required

        uristring

        Optional

        public_keypolicy.PublicKey

        Deprecated -Optional

        source_typepolicy.SourceType

        Optional -Using UNSPECIFIED will result in a successful update, -but will not actually update the underlying source. -You should not update KAS's from INTERNAL/EXTERNAL -to unspecified.

        namestring

        Optional

        metadatacommon.MetadataMutablefieldSortNamespacesType

        Optional -Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnumdirectionpolicy.SortDirection

        @@ -13181,8 +12841,8 @@

        UpdateKeyAccessServerR

        - - + + @@ -13194,8 +12854,8 @@

        UpdateKeyAccessServerR -

        UpdateKeyRequest

        -

        Update an existing asymmetric key in the Key Management System

        +

        RemoveKeyAccessServerFromNamespaceResponse

        +

        key_access_serverpolicy.KeyAccessServernamespace_key_access_serverNamespaceKeyAccessServer

        @@ -13205,29 +12865,34 @@

        UpdateKeyRequest

        - - + + - + - - - - - +
        idstringnamespace_key_access_serverNamespaceKeyAccessServer

        Required - -The unique identifier of the key to update

        metadatacommon.MetadataMutable

        Optional -Common metadata +

        -Mutable metadata for the key

        - + + + + +

        RemovePublicKeyFromNamespaceRequest

        +

        + + + + + + + - - + + - + @@ -13237,8 +12902,8 @@

        UpdateKeyRequest

        -

        UpdateKeyResponse

        -

        Response to an UpdateKeyRequest, containing the updated asymmetric key

        +

        RemovePublicKeyFromNamespaceResponse

        +

        FieldTypeLabelDescription
        metadata_update_behaviorcommon.MetadataUpdateEnumnamespace_keyNamespaceKey

        The behavior for updating the metadata

        @@ -13248,10 +12913,10 @@

        UpdateKeyResponse

        - - + + - + @@ -13261,7 +12926,7 @@

        UpdateKeyResponse

        -

        UpdatePublicKeyRequest

        +

        UpdateNamespaceRequest

        @@ -13282,8 +12947,7 @@

        UpdatePublicKeyRequest

        - + @@ -13300,7 +12964,7 @@

        UpdatePublicKeyRequest

        -

        UpdatePublicKeyResponse

        +

        UpdateNamespaceResponse

        @@ -13311,8 +12975,8 @@

        UpdatePublicKeyResponse

        - - + + @@ -13326,42 +12990,7 @@

        UpdatePublicKeyResponse

        -

        SortKasKeysType

        -

        -
        kas_keypolicy.KasKeynamespace_keyNamespaceKey

        The updated kas key

        metadata common.MetadataMutable

        Optional -Common metadata

        Optional

        keypolicy.Keynamespacepolicy.Namespace

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_KAS_KEYS_TYPE_UNSPECIFIED0

        SORT_KAS_KEYS_TYPE_KEY_ID1

        SORT_KAS_KEYS_TYPE_CREATED_AT2

        SORT_KAS_KEYS_TYPE_UPDATED_AT3

        - -

        SortKeyAccessServersType

        +

        SortNamespacesType

        @@ -13370,31 +12999,31 @@

        SortKeyAccessServersType

        - + - + - + - + - + @@ -13406,7 +13035,7 @@

        SortKeyAccessServersTypeKeyAccessServerRegistryService

        +

        NamespaceService

        SORT_KEY_ACCESS_SERVERS_TYPE_UNSPECIFIEDSORT_NAMESPACES_TYPE_UNSPECIFIED 0

        SORT_KEY_ACCESS_SERVERS_TYPE_NAMESORT_NAMESPACES_TYPE_NAME 1

        SORT_KEY_ACCESS_SERVERS_TYPE_URISORT_NAMESPACES_TYPE_FQN 2

        SORT_KEY_ACCESS_SERVERS_TYPE_CREATED_ATSORT_NAMESPACES_TYPE_CREATED_AT 3

        SORT_KEY_ACCESS_SERVERS_TYPE_UPDATED_ATSORT_NAMESPACES_TYPE_UPDATED_AT 4

        @@ -13415,102 +13044,68 @@

        KeyAccessServerRegist

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - - - - - + + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + @@ -13530,7 +13125,12 @@

        Methods with deprecated option

        - + + + + + + @@ -13551,17 +13151,12 @@

        Methods with idempotency_level option

        - - - - - - + - + @@ -13572,13 +13167,91 @@

        Methods with idempotency_level option

        -

        policy/keymanagement/key_management.proto

        Top +

        policy/obligations/obligations.proto

        Top

        -

        CreateProviderConfigRequest

        -

        Provider Configuration Requests and Response Messages

        +

        AddObligationTriggerRequest

        +

        Obligation Triggers are owned by the namespace that owns the action and attribute value, which must

        be the same. In this way, a trigger can intentionally cross namespace boundaries: associating

        obligation values of a different namespace than the one that owns the action being taken or the attribute value.

        + + +
        ListKeyAccessServersListKeyAccessServersRequestListKeyAccessServersResponse

        GetKeyAccessServerGetKeyAccessServerRequestGetKeyAccessServerResponse

        CreateKeyAccessServerCreateKeyAccessServerRequestCreateKeyAccessServerResponse

        UpdateKeyAccessServerUpdateKeyAccessServerRequestUpdateKeyAccessServerResponse

        DeleteKeyAccessServerDeleteKeyAccessServerRequestDeleteKeyAccessServerResponseGetNamespaceGetNamespaceRequestGetNamespaceResponse

        ListKeyAccessServerGrantsListKeyAccessServerGrantsRequestListKeyAccessServerGrantsResponse

        Deprecated

        CreateKeyCreateKeyRequestCreateKeyResponse

        KAS Key Management -Request to create a new key in the Key Access Service.

        ListNamespacesListNamespacesRequestListNamespacesResponse

        GetKeyGetKeyRequestGetKeyResponse

        Request to retrieve a key from the Key Access Service.

        CreateNamespaceCreateNamespaceRequestCreateNamespaceResponse

        ListKeysListKeysRequestListKeysResponse

        Request to list keys in the Key Access Service.

        UpdateNamespaceUpdateNamespaceRequestUpdateNamespaceResponse

        UpdateKeyUpdateKeyRequestUpdateKeyResponse

        Request to update a key in the Key Access Service.

        DeactivateNamespaceDeactivateNamespaceRequestDeactivateNamespaceResponse

        RotateKeyRotateKeyRequestRotateKeyResponse

        Request to rotate a key in the Key Access Service.

        AssignKeyAccessServerToNamespaceAssignKeyAccessServerToNamespaceRequestAssignKeyAccessServerToNamespaceResponse

        Deprecated: utilize AssignPublicKeyToNamespace

        SetBaseKeySetBaseKeyRequestSetBaseKeyResponse

        Request to set the default a default kas key.

        RemoveKeyAccessServerFromNamespaceRemoveKeyAccessServerFromNamespaceRequestRemoveKeyAccessServerFromNamespaceResponse

        Deprecated: utilize RemovePublicKeyFromNamespace

        GetBaseKeyGetBaseKeyRequestGetBaseKeyResponse

        Get Default kas keys

        AssignPublicKeyToNamespaceAssignPublicKeyToNamespaceRequestAssignPublicKeyToNamespaceResponse

        --------------------------------------* +Namespace <> Key RPCs +---------------------------------------

        ListKeyMappingsListKeyMappingsRequestListKeyMappingsResponse

        Request to list key mappings in the Key Access Service.

        RemovePublicKeyFromNamespaceRemovePublicKeyFromNamespaceRequestRemovePublicKeyFromNamespaceResponse

        ListKeyAccessServerGrantsAssignKeyAccessServerToNamespace

        true

        RemoveKeyAccessServerFromNamespace

        true

        ListKeyAccessServers

        NO_SIDE_EFFECTS

        GetKeyAccessServerGetNamespace

        NO_SIDE_EFFECTS

        ListKeyAccessServerGrantsListNamespaces

        NO_SIDE_EFFECTS

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        obligation_valuecommon.IdFqnIdentifier

        Required

        actioncommon.IdNameIdentifier

        Required

        attribute_valuecommon.IdFqnIdentifier

        Required

        contextpolicy.RequestContext

        Optional +The request context for this obligation value policy decisioning.

        metadatacommon.MetadataMutable

        Optional +Common metadata

        + + + + + +

        AddObligationTriggerResponse

        +

        + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        triggerpolicy.ObligationTrigger

        + + + + + +

        CreateObligationRequest

        +

        @@ -13587,35 +13260,118 @@

        CreateProviderConfigRe

        + + + + + + + + + + + + + + - + - - + + + + + + + + + - + + + + +
        namespace_idstring

        namespace_fqnstring

        name string

        Required -The name of the key provider. (e.g. "AWS KMS Instance 1", "Google Cloud KMS Instance 2")

        config_jsonbytesvaluesstringrepeated

        Optional

        metadatacommon.MetadataMutable

        Required -JSON configuration for the key provider. This is unique to individual key providers.

        Optional +Common metadata

        + + + + + +

        CreateObligationResponse

        +

        + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        obligationpolicy.Obligation

        + + + + + +

        CreateObligationValueRequest

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - + + + + - + @@ -13625,7 +13381,7 @@

        CreateProviderConfigRe -

        CreateProviderConfigResponse

        +

        CreateObligationValueResponse

        @@ -13636,8 +13392,8 @@

        CreateProviderConfigR

        - - + + @@ -13649,8 +13405,8 @@

        CreateProviderConfigR -

        DeleteProviderConfigRequest

        -

        In order to delete a provider configuration you must first delete all keys associated with the provider.

        +

        DeleteObligationRequest

        +

        FieldTypeLabelDescription
        obligation_idstring

        obligation_fqnstring

        valuestring

        managerstring

        Required -The type of key manager (e.g. "aws", "gcp", "azure", "opentdf.io/basic")

        triggersValueTriggerRequestrepeated

        Optional +Combination of action and attribute_value that will trigger this obligation value policy decisioning.

        metadata common.MetadataMutable

        Common metadata

        Optional +Common metadata

        provider_configpolicy.KeyProviderConfigvaluepolicy.ObligationValue

        @@ -13663,7 +13419,14 @@

        DeleteProviderConfigRe

        - + + + + + + + + @@ -13673,7 +13436,7 @@

        DeleteProviderConfigRe -

        DeleteProviderConfigResponse

        +

        DeleteObligationResponse

        @@ -13684,8 +13447,8 @@

        DeleteProviderConfigR

        - - + + @@ -13697,7 +13460,7 @@

        DeleteProviderConfigR -

        GetProviderConfigRequest

        +

        DeleteObligationValueRequest

        @@ -13715,19 +13478,12 @@

        GetProviderConfigRequest<

        - + - - - - - - -
        id string

        Required

        fqnstring

        provider_configpolicy.KeyProviderConfigobligationpolicy.Obligation

        namefqn string

        managerstring

        Optional - filter by manager type when searching by name

        @@ -13735,7 +13491,7 @@

        GetProviderConfigRequest< -

        GetProviderConfigResponse

        +

        DeleteObligationValueResponse

        @@ -13746,8 +13502,8 @@

        GetProviderConfigRespons - provider_config - policy.KeyProviderConfig + value + policy.ObligationValue

        @@ -13759,7 +13515,7 @@

        GetProviderConfigRespons -

        ListProviderConfigsRequest

        +

        GetObligationRequest

        @@ -13770,10 +13526,17 @@

        ListProviderConfigsRequ - pagination - policy.PageRequest + id + string -

        Optional

        +

        + + + + fqn + string + +

        @@ -13783,7 +13546,7 @@

        ListProviderConfigsRequ -

        ListProviderConfigsResponse

        +

        GetObligationResponse

        @@ -13794,15 +13557,8 @@

        ListProviderConfigsRes - provider_configs - policy.KeyProviderConfig - repeated -

        - - - - pagination - policy.PageResponse + obligation + policy.Obligation

        @@ -13814,8 +13570,8 @@

        ListProviderConfigsRes -

        UpdateProviderConfigRequest

        -

        +

        GetObligationTriggerRequest

        +

        Triggers

        @@ -13831,42 +13587,6 @@

        UpdateProviderConfigRe

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

        Required

        namestring

        Optional

        config_jsonbytes

        Optional

        managerstring

        Optional

        metadatacommon.MetadataMutable

        Optional -Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnum

        @@ -13874,7 +13594,7 @@

        UpdateProviderConfigRe -

        UpdateProviderConfigResponse

        +

        GetObligationTriggerResponse

        @@ -13885,8 +13605,8 @@

        UpdateProviderConfigR - provider_config - policy.KeyProviderConfig + trigger + policy.ObligationTrigger

        @@ -13898,70 +13618,8 @@

        UpdateProviderConfigR - - - - - - -

        KeyManagementService

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Method NameRequest TypeResponse TypeDescription
        CreateProviderConfigCreateProviderConfigRequestCreateProviderConfigResponse

        Key Management -Provider Management

        GetProviderConfigGetProviderConfigRequestGetProviderConfigResponse

        ListProviderConfigsListProviderConfigsRequestListProviderConfigsResponse

        UpdateProviderConfigUpdateProviderConfigRequestUpdateProviderConfigResponse

        DeleteProviderConfigDeleteProviderConfigRequestDeleteProviderConfigResponse

        - - - - -
        -

        policy/namespaces/namespaces.proto

        Top -
        -

        - - -

        AssignKeyAccessServerToNamespaceRequest

        -

        Deprecated: utilize AssignPublicKeyToNamespaceRequest

        +

        GetObligationValueRequest

        +

        Values

        @@ -13971,32 +13629,15 @@

        AssignKeyAcce

        - - + + - -
        namespace_key_access_serverNamespaceKeyAccessServeridstring

        - - - - - -

        AssignKeyAccessServerToNamespaceResponse

        -

        - - - - - - - - - - + + @@ -14008,8 +13649,8 @@

        AssignKeyAcc -

        AssignPublicKeyToNamespaceRequest

        -

        Assign Key to Namespace

        +

        GetObligationValueResponse

        +

        FieldTypeLabelDescription
        namespace_key_access_serverNamespaceKeyAccessServerfqnstring

        @@ -14019,8 +13660,8 @@

        AssignPublicKeyToNa

        - - + + @@ -14032,7 +13673,7 @@

        AssignPublicKeyToNa -

        AssignPublicKeyToNamespaceResponse

        +

        GetObligationValuesByFQNsRequest

        @@ -14043,9 +13684,9 @@

        AssignPublicKeyToN

        - - - + + + @@ -14056,7 +13697,7 @@

        AssignPublicKeyToN -

        CreateNamespaceRequest

        +

        GetObligationValuesByFQNsResponse

        @@ -14067,17 +13708,10 @@

        CreateNamespaceRequest

        - - - - - - - - - - - + + + + @@ -14087,7 +13721,7 @@

        CreateNamespaceRequest

        -

        CreateNamespaceResponse

        +

        GetObligationValuesByFQNsResponse.FqnValueMapEntry

        @@ -14098,8 +13732,15 @@

        CreateNamespaceResponse

        - - + + + + + + + + + @@ -14111,7 +13752,7 @@

        CreateNamespaceResponse

        -

        DeactivateNamespaceRequest

        +

        GetObligationsByFQNsRequest

        @@ -14122,10 +13763,10 @@

        DeactivateNamespaceRequest

        - + - - + + @@ -14135,14 +13776,7 @@

        DeactivateNamespaceRequest -

        DeactivateNamespaceResponse

        -

        - - - - - -

        GetNamespaceRequest

        +

        GetObligationsByFQNsResponse

        @@ -14153,23 +13787,9 @@

        GetNamespaceRequest

        - - - - - - - - - - - - - - - - - + + + @@ -14177,31 +13797,10 @@

        GetNamespaceRequest

        namespace_keyNamespaceKeyvaluepolicy.ObligationValue

        namespace_keyNamespaceKeyfqnsstringrepeated

        namestring

        Required

        metadatacommon.MetadataMutable

        Optional

        fqn_value_mapGetObligationValuesByFQNsResponse.FqnValueMapEntryrepeated

        namespacepolicy.Namespacekeystring

        valuepolicy.ObligationValue

        idfqns string

        Required

        repeated

        idstring

        Deprecated. Deprecated

        namespace_idstring

        option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field

        fqnstringfqn_obligation_mapGetObligationsByFQNsResponse.FqnObligationMapEntryrepeated

        - - -

        Fields with deprecated option

        - - - - - - - - - - - - - - - -
        NameOption
        id

        true

        - - -

        GetNamespaceResponse

        +

        GetObligationsByFQNsResponse.FqnObligationMapEntry

        @@ -14212,8 +13811,15 @@

        GetNamespaceResponse

        - namespace - policy.Namespace + key + string + +

        + + + + value + policy.Obligation

        @@ -14225,7 +13831,7 @@

        GetNamespaceResponse

        -

        ListNamespacesRequest

        +

        ListObligationTriggersRequest

        @@ -14236,29 +13842,24 @@

        ListNamespacesRequest

        - state - common.ActiveStateEnum + namespace_id + string -

        Optional -ACTIVE by default when not specified

        +

        - pagination - policy.PageRequest + namespace_fqn + string -

        Optional

        +

        - sort - NamespacesSort - repeated -

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        + pagination + policy.PageRequest + +

        Optional

        @@ -14268,7 +13869,7 @@

        ListNamespacesRequest

        -

        ListNamespacesResponse

        +

        ListObligationTriggersResponse

        @@ -14279,8 +13880,8 @@

        ListNamespacesResponse

        - namespaces - policy.Namespace + triggers + policy.ObligationTrigger repeated

        @@ -14299,7 +13900,7 @@

        ListNamespacesResponse

        -

        NamespaceKey

        +

        ListObligationsRequest

        @@ -14313,14 +13914,32 @@

        NamespaceKey

        namespace_id string -

        Required

        +

        - key_id + namespace_fqn string -

        Required (The id from the Asymmetric Key object)

        +

        + + + + pagination + policy.PageRequest + +

        Optional

        + + + + sort + ObligationsSort + repeated +

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        @@ -14330,8 +13949,8 @@

        NamespaceKey

        -

        NamespaceKeyAccessServer

        -

        Deprecated

        +

        ListObligationsResponse

        +

        @@ -14341,17 +13960,17 @@

        NamespaceKeyAccessServer

        - - - - + + + + - - + + - + @@ -14361,7 +13980,7 @@

        NamespaceKeyAccessServer

        NamespacesSort +

        ObligationsSort

        @@ -14373,7 +13992,7 @@

        NamespacesSort

        - + @@ -14392,8 +14011,8 @@

        NamespacesSort

        -

        RemoveKeyAccessServerFromNamespaceRequest

        -

        Deprecated: utilize RemovePublicKeyFromNamespaceRequest

        +

        RemoveObligationTriggerRequest

        +

        namespace_idstring

        Required

        obligationspolicy.Obligationrepeated

        key_access_server_idstringpaginationpolicy.PageResponse

        Required

        fieldSortNamespacesTypeSortObligationsType

        @@ -14403,10 +14022,10 @@

        RemoveKeyAc

        - - + + - + @@ -14416,7 +14035,7 @@

        RemoveKeyAc -

        RemoveKeyAccessServerFromNamespaceResponse

        +

        RemoveObligationTriggerResponse

        @@ -14427,8 +14046,8 @@

        RemoveKeyA

        - - + + @@ -14440,7 +14059,7 @@

        RemoveKeyA -

        RemovePublicKeyFromNamespaceRequest

        +

        UpdateObligationRequest

        @@ -14451,8 +14070,29 @@

        RemovePublicKeyFr

        - - + + + + + + + + + + + + + + + + + + + + + + + @@ -14464,7 +14104,7 @@

        RemovePublicKeyFr -

        RemovePublicKeyFromNamespaceResponse

        +

        UpdateObligationResponse

        @@ -14475,8 +14115,8 @@

        RemovePublicKeyF

        - - + + @@ -14488,7 +14128,7 @@

        RemovePublicKeyF -

        UpdateNamespaceRequest

        +

        UpdateObligationValueRequest

        @@ -14505,16 +14145,56 @@

        UpdateNamespaceRequest

        + + + + + + + + + + + + + + - + - - + + + + + + + +
        namespace_key_access_serverNamespaceKeyAccessServeridstring

        Required

        namespace_key_access_serverNamespaceKeyAccessServertriggerpolicy.ObligationTrigger

        namespace_keyNamespaceKeyidstring

        Required

        namestring

        Optional

        metadatacommon.MetadataMutable

        metadata_update_behaviorcommon.MetadataUpdateEnum

        namespace_keyNamespaceKeyobligationpolicy.Obligation

        Required

        valuestring

        Optional

        triggersValueTriggerRequestrepeated

        Optional +Obligation Triggers provided here will replace all existing records in the database.

        metadata common.MetadataMutable

        Optional

        Optional +Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnummetadata_update_behaviorcommon.MetadataUpdateEnum

        + + + + + +

        UpdateObligationValueResponse

        +

        + + + + + + + + + + + @@ -14526,7 +14206,7 @@

        UpdateNamespaceRequest

        -

        UpdateNamespaceResponse

        +

        ValueTriggerRequest

        @@ -14537,10 +14217,24 @@

        UpdateNamespaceResponse

        - - + + - + + + + + + + + + + + + + + + @@ -14552,7 +14246,7 @@

        UpdateNamespaceResponse

        -

        SortNamespacesType

        +

        SortObligationsType

        FieldTypeLabelDescription
        valuepolicy.ObligationValue

        namespacepolicy.Namespaceactioncommon.IdNameIdentifier

        Required. The ID of the action that will trigger this obligation value policy decisioning.

        attribute_valuecommon.IdFqnIdentifier

        Required. The attribute value ID that will trigger this obligation value policy decisioning.

        contextpolicy.RequestContext

        Optional. The request context for this obligation value policy decisioning.

        @@ -14561,31 +14255,31 @@

        SortNamespacesType

        - + - + - + - + - + @@ -14597,8 +14291,8 @@

        SortNamespacesType

        -

        NamespaceService

        -

        +

        Service

        +

        Obligation Service

        /

        SORT_NAMESPACES_TYPE_UNSPECIFIEDSORT_OBLIGATIONS_TYPE_UNSPECIFIED 0

        SORT_NAMESPACES_TYPE_NAMESORT_OBLIGATIONS_TYPE_NAME 1

        SORT_NAMESPACES_TYPE_FQNSORT_OBLIGATIONS_TYPE_FQN 2

        SORT_NAMESPACES_TYPE_CREATED_ATSORT_OBLIGATIONS_TYPE_CREATED_AT 3

        SORT_NAMESPACES_TYPE_UPDATED_ATSORT_OBLIGATIONS_TYPE_UPDATED_AT 4

        @@ -14606,99 +14300,113 @@

        NamespaceService

        - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - + + + - -
        Method NameRequest TypeResponse TypeDescription
        GetNamespaceGetNamespaceRequestGetNamespaceResponseListObligationsListObligationsRequestListObligationsResponse

        ListNamespacesListNamespacesRequestListNamespacesResponseGetObligationGetObligationRequestGetObligationResponse

        CreateNamespaceCreateNamespaceRequestCreateNamespaceResponseGetObligationsByFQNsGetObligationsByFQNsRequestGetObligationsByFQNsResponse

        UpdateNamespaceUpdateNamespaceRequestUpdateNamespaceResponseCreateObligationCreateObligationRequestCreateObligationResponse

        DeactivateNamespaceDeactivateNamespaceRequestDeactivateNamespaceResponseUpdateObligationUpdateObligationRequestUpdateObligationResponse

        AssignKeyAccessServerToNamespaceAssignKeyAccessServerToNamespaceRequestAssignKeyAccessServerToNamespaceResponse

        Deprecated: utilize AssignPublicKeyToNamespace

        DeleteObligationDeleteObligationRequestDeleteObligationResponse

        RemoveKeyAccessServerFromNamespaceRemoveKeyAccessServerFromNamespaceRequestRemoveKeyAccessServerFromNamespaceResponse

        Deprecated: utilize RemovePublicKeyFromNamespace

        GetObligationValueGetObligationValueRequestGetObligationValueResponse

        AssignPublicKeyToNamespaceAssignPublicKeyToNamespaceRequestAssignPublicKeyToNamespaceResponse

        --------------------------------------* -Namespace <> Key RPCs ----------------------------------------

        GetObligationValuesByFQNsGetObligationValuesByFQNsRequestGetObligationValuesByFQNsResponse

        RemovePublicKeyFromNamespaceRemovePublicKeyFromNamespaceRequestRemovePublicKeyFromNamespaceResponseCreateObligationValueCreateObligationValueRequestCreateObligationValueResponse

        - - - - -

        Methods with deprecated option

        - - - - + + + + - - - - + + + + - - + + + + - -
        Method NameOptionUpdateObligationValueUpdateObligationValueRequestUpdateObligationValueResponse

        AssignKeyAccessServerToNamespace

        true

        DeleteObligationValueDeleteObligationValueRequestDeleteObligationValueResponse

        RemoveKeyAccessServerFromNamespace

        true

        GetObligationTriggerGetObligationTriggerRequestGetObligationTriggerResponse

        - + + AddObligationTrigger + AddObligationTriggerRequest + AddObligationTriggerResponse +

        + + + + RemoveObligationTrigger + RemoveObligationTriggerRequest + RemoveObligationTriggerResponse +

        + + + + ListObligationTriggers + ListObligationTriggersRequest + ListObligationTriggersResponse +

        + + + + + @@ -14713,12 +14421,37 @@

        Methods with idempotency_level option

        - GetNamespace + ListObligations

        NO_SIDE_EFFECTS

        - ListNamespaces + GetObligation +

        NO_SIDE_EFFECTS

        + + + + GetObligationsByFQNs +

        NO_SIDE_EFFECTS

        + + + + GetObligationValue +

        NO_SIDE_EFFECTS

        + + + + GetObligationValuesByFQNs +

        NO_SIDE_EFFECTS

        + + + + GetObligationTrigger +

        NO_SIDE_EFFECTS

        + + + + ListObligationTriggers

        NO_SIDE_EFFECTS

        @@ -14726,93 +14459,15 @@

        Methods with idempotency_level option

        - - -
        -

        policy/obligations/obligations.proto

        Top -
        -

        - - -

        AddObligationTriggerRequest

        -

        Obligation Triggers are owned by the namespace that owns the action and attribute value, which must

        be the same. In this way, a trigger can intentionally cross namespace boundaries: associating

        obligation values of a different namespace than the one that owns the action being taken or the attribute value.

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        obligation_valuecommon.IdFqnIdentifier

        Required

        actioncommon.IdNameIdentifier

        Required

        attribute_valuecommon.IdFqnIdentifier

        Required

        contextpolicy.RequestContext

        Optional -The request context for this obligation value policy decisioning.

        metadatacommon.MetadataMutable

        Optional -Common metadata

        - - - - - -

        AddObligationTriggerResponse

        -

        - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        triggerpolicy.ObligationTrigger

        - - - - + -

        CreateObligationRequest

        +
        +

        policy/registeredresources/registered_resources.proto

        Top +
        +

        + + +

        ActionAttributeValue

        @@ -14823,39 +14478,31 @@

        CreateObligationRequest

        - namespace_id + action_id string

        - namespace_fqn + action_name string

        - name + attribute_value_id string

        - values + attribute_value_fqn string - repeated -

        Optional

        - - - - metadata - common.MetadataMutable -

        Optional -Common metadata

        +

        @@ -14865,7 +14512,7 @@

        CreateObligationRequest

        -

        CreateObligationResponse

        +

        CreateRegisteredResourceRequest

        @@ -14876,58 +14523,35 @@

        CreateObligationResponse - obligation - policy.Obligation + name + string -

        +

        Required

        - - - - - - - -

        CreateObligationValueRequest

        -

        - - - - - - - - - + - - + + - + - + - - - - - - - @@ -14943,7 +14567,7 @@

        CreateObligationValueRe -

        CreateObligationValueResponse

        +

        CreateRegisteredResourceResponse

        @@ -14954,8 +14578,8 @@

        CreateObligationValueR

        - - + + @@ -14967,7 +14591,7 @@

        CreateObligationValueR -

        DeleteObligationRequest

        +

        CreateRegisteredResourceValueRequest

        @@ -14978,17 +14602,34 @@

        DeleteObligationRequest

        - + - + - + - + + + + + + + + + + + + + + + @@ -14998,7 +14639,7 @@

        DeleteObligationRequest

        -

        DeleteObligationResponse

        +

        CreateRegisteredResourceValueResponse

        @@ -15009,8 +14650,8 @@

        DeleteObligationResponse

        - - + + @@ -15022,7 +14663,7 @@

        DeleteObligationResponseDeleteObligationValueRequest

        +

        DeleteRegisteredResourceRequest

        @@ -15036,14 +14677,7 @@

        DeleteObligationValueRe

        - - - - - - - - + @@ -15053,7 +14687,7 @@

        DeleteObligationValueRe -

        DeleteObligationValueResponse

        +

        DeleteRegisteredResourceResponse

        @@ -15064,8 +14698,8 @@

        DeleteObligationValueR

        - - + + @@ -15077,7 +14711,7 @@

        DeleteObligationValueR -

        GetObligationRequest

        +

        DeleteRegisteredResourceValueRequest

        @@ -15091,14 +14725,7 @@

        GetObligationRequest

        - - - - - - - - + @@ -15108,7 +14735,7 @@

        GetObligationRequest

        -

        GetObligationResponse

        +

        DeleteRegisteredResourceValueResponse

        @@ -15119,8 +14746,8 @@

        GetObligationResponse

        - - + + @@ -15132,8 +14759,8 @@

        GetObligationResponse

        -

        GetObligationTriggerRequest

        -

        Triggers

        +

        GetRegisteredResourceRequest

        +

        FieldTypeLabelDescription
        obligation_idvalues string

        repeated

        Optional +Registered Resource Values (when provided) must be alphanumeric strings, allowing hyphens and underscores but not as the first or last character. +The stored value will be normalized to lower case.

        obligation_fqnnamespace_id string

        valuenamespace_fqn string

        triggersValueTriggerRequestrepeated

        Optional -Combination of action and attribute_value that will trigger this obligation value policy decisioning.

        metadata common.MetadataMutable
        valuepolicy.ObligationValueresourcepolicy.RegisteredResource

        idresource_id string

        Required

        fqnvalue string

        Required

        action_attribute_valuesActionAttributeValuerepeated

        Optional +The associated Action <> AttributeValue combinations to be utilized in authorization/entitlement decisioning +(i.e. action read -> attribute value https://example.com/attr/department/value/marketing)

        metadatacommon.MetadataMutable

        Optional +Common metadata

        obligationpolicy.Obligationvaluepolicy.RegisteredResourceValue

        id string

        fqnstring

        Required

        valuepolicy.ObligationValueresourcepolicy.RegisteredResource

        id string

        fqnstring

        Required

        obligationpolicy.Obligationvaluepolicy.RegisteredResourceValue

        @@ -15146,59 +14773,25 @@

        GetObligationTriggerRequ

        - + - -
        id string

        Required

        - - - - - -

        GetObligationTriggerResponse

        -

        - - - - - - - - - - + + - -
        FieldTypeLabelDescription
        triggerpolicy.ObligationTriggernamestring

        - - - - - -

        GetObligationValueRequest

        -

        Values

        - - - - - - - - - + - + @@ -15211,7 +14804,7 @@

        GetObligationValueRequest< -

        GetObligationValueResponse

        +

        GetRegisteredResourceResponse

        @@ -15222,8 +14815,8 @@

        GetObligationValueRespons

        - - + + @@ -15235,7 +14828,7 @@

        GetObligationValueRespons -

        GetObligationValuesByFQNsRequest

        +

        GetRegisteredResourceValueRequest

        @@ -15246,33 +14839,16 @@

        GetObligationValues

        - + - + - -
        FieldTypeLabelDescription
        idnamespace_fqn string

        fqnnamespace_id string

        valuepolicy.ObligationValueresourcepolicy.RegisteredResource

        fqnsid stringrepeated

        - - - - - -

        GetObligationValuesByFQNsResponse

        -

        - - - - - - - - - - - + + + @@ -15283,7 +14859,7 @@

        GetObligationValue -

        GetObligationValuesByFQNsResponse.FqnValueMapEntry

        +

        GetRegisteredResourceValueResponse

        @@ -15293,16 +14869,9 @@

        G

        - - - - - - - - + @@ -15314,7 +14883,7 @@

        G -

        GetObligationsByFQNsRequest

        +

        GetRegisteredResourceValuesByFQNsRequest

        @@ -15328,7 +14897,7 @@

        GetObligationsByFQNsRequ

        - + @@ -15338,7 +14907,7 @@

        GetObligationsByFQNsRequ -

        GetObligationsByFQNsResponse

        +

        GetRegisteredResourceValuesByFQNsResponse

        @@ -15349,8 +14918,8 @@

        GetObligationsByFQNsRes

        - - + + @@ -15362,7 +14931,7 @@

        GetObligationsByFQNsRes -

        GetObligationsByFQNsResponse.FqnObligationMapEntry

        +

        GetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntry

        @@ -15381,7 +14950,7 @@

        G

        - + @@ -15393,7 +14962,7 @@

        G -

        ListObligationTriggersRequest

        +

        ListRegisteredResourceValuesRequest

        @@ -15404,17 +14973,10 @@

        ListObligationTriggers

        - - - - - - - - + - + @@ -15431,7 +14993,7 @@

        ListObligationTriggers -

        ListObligationTriggersResponse

        +

        ListRegisteredResourceValuesResponse

        @@ -15442,8 +15004,8 @@

        ListObligationTrigger

        - - + + @@ -15462,7 +15024,7 @@

        ListObligationTrigger -

        ListObligationsRequest

        +

        ListRegisteredResourcesRequest

        @@ -15495,7 +15057,7 @@

        ListObligationsRequest

        - + - - + + @@ -15542,7 +15104,7 @@

        ListObligationsResponse

        -

        ObligationsSort

        +

        RegisteredResourcesSort

        @@ -15554,7 +15116,7 @@

        ObligationsSort

        - + @@ -15573,7 +15135,7 @@

        ObligationsSort

        -

        RemoveObligationTriggerRequest

        +

        UpdateRegisteredResourceRequest

        @@ -15590,6 +15152,28 @@

        RemoveObligationTrigg

        + + + + + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        fqn_value_mapGetObligationValuesByFQNsResponse.FqnValueMapEntryrepeatedfqnstring

        keystring

        valuepolicy.ObligationValuepolicy.RegisteredResourceValue

        fqns string repeated

        Required

        fqn_obligation_mapGetObligationsByFQNsResponse.FqnObligationMapEntryfqn_value_mapGetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntry repeated

        valuepolicy.Obligationpolicy.RegisteredResourceValue

        namespace_idstring

        namespace_fqnresource_id string

        Optional

        triggerspolicy.ObligationTriggervaluespolicy.RegisteredResourceValue repeated

        sortObligationsSortRegisteredResourcesSort repeated

        Optional - CONSTRAINT: max 1 item Sort defaults: @@ -15511,7 +15073,7 @@

        ListObligationsRequest

        -

        ListObligationsResponse

        +

        ListRegisteredResourcesResponse

        @@ -15522,8 +15084,8 @@

        ListObligationsResponse

        obligationspolicy.Obligationresourcespolicy.RegisteredResource repeated

        fieldSortObligationsTypeSortRegisteredResourcesType

        Required

        namestring

        Optional

        metadatacommon.MetadataMutable

        Optional +Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnum

        @@ -15597,7 +15181,7 @@

        RemoveObligationTrigg -

        RemoveObligationTriggerResponse

        +

        UpdateRegisteredResourceResponse

        @@ -15608,8 +15192,8 @@

        RemoveObligationTrig - trigger - policy.ObligationTrigger + resource + policy.RegisteredResource

        @@ -15621,7 +15205,7 @@

        RemoveObligationTrig -

        UpdateObligationRequest

        +

        UpdateRegisteredResourceValueRequest

        @@ -15639,17 +15223,26 @@

        UpdateObligationRequest

        - name + value string

        Optional

        + + action_attribute_values + ActionAttributeValue + repeated +

        Optional +Action Attribute Values provided here will replace all existing records in the database. To delete all action attribute values, set this field to an empty list.

        + + metadata common.MetadataMutable -

        +

        Optional +Common metadata

        @@ -15666,7 +15259,7 @@

        UpdateObligationRequest

        -

        UpdateObligationResponse

        +

        UpdateRegisteredResourceValueResponse

        @@ -15677,8 +15270,8 @@

        UpdateObligationResponse - obligation - policy.Obligation + value + policy.RegisteredResourceValue

        @@ -15690,7 +15283,145 @@

        UpdateObligationResponseUpdateObligationValueRequest

        + + +

        SortRegisteredResourcesType

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        NameNumberDescription
        SORT_REGISTERED_RESOURCES_TYPE_UNSPECIFIED0

        SORT_REGISTERED_RESOURCES_TYPE_NAME1

        SORT_REGISTERED_RESOURCES_TYPE_CREATED_AT2

        SORT_REGISTERED_RESOURCES_TYPE_UPDATED_AT3

        + + + + + +

        RegisteredResourcesService

        +

        Registered Resources

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameRequest TypeResponse TypeDescription
        CreateRegisteredResourceCreateRegisteredResourceRequestCreateRegisteredResourceResponse

        GetRegisteredResourceGetRegisteredResourceRequestGetRegisteredResourceResponse

        ListRegisteredResourcesListRegisteredResourcesRequestListRegisteredResourcesResponse

        UpdateRegisteredResourceUpdateRegisteredResourceRequestUpdateRegisteredResourceResponse

        DeleteRegisteredResourceDeleteRegisteredResourceRequestDeleteRegisteredResourceResponse

        CreateRegisteredResourceValueCreateRegisteredResourceValueRequestCreateRegisteredResourceValueResponse

        GetRegisteredResourceValueGetRegisteredResourceValueRequestGetRegisteredResourceValueResponse

        GetRegisteredResourceValuesByFQNsGetRegisteredResourceValuesByFQNsRequestGetRegisteredResourceValuesByFQNsResponse

        ListRegisteredResourceValuesListRegisteredResourceValuesRequestListRegisteredResourceValuesResponse

        UpdateRegisteredResourceValueUpdateRegisteredResourceValueRequestUpdateRegisteredResourceValueResponse

        DeleteRegisteredResourceValueDeleteRegisteredResourceValueRequestDeleteRegisteredResourceValueResponse

        + + + + +
        +

        policy/resourcemapping/resource_mapping.proto

        Top +
        +

        + + +

        CreateResourceMappingGroupRequest

        @@ -15701,40 +15432,24 @@

        UpdateObligationValueRe - id + namespace_id string

        Required

        - value - string - -

        Optional

        - - - - triggers - ValueTriggerRequest - repeated -

        Optional -Obligation Triggers provided here will replace all existing records in the database.

        - - - - metadata - common.MetadataMutable + name + string -

        Optional -Common metadata

        +

        Required

        - metadata_update_behavior - common.MetadataUpdateEnum + metadata + common.MetadataMutable -

        +

        Common metadata

        @@ -15744,7 +15459,7 @@

        UpdateObligationValueRe -

        UpdateObligationValueResponse

        +

        CreateResourceMappingGroupResponse

        @@ -15755,8 +15470,8 @@

        UpdateObligationValueR - value - policy.ObligationValue + resource_mapping_group + policy.ResourceMappingGroup

        @@ -15768,7 +15483,7 @@

        UpdateObligationValueR -

        ValueTriggerRequest

        +

        CreateResourceMappingRequest

        @@ -15779,24 +15494,31 @@

        ValueTriggerRequest

        - action - common.IdNameIdentifier + attribute_value_id + string -

        Required. The ID of the action that will trigger this obligation value policy decisioning.

        +

        Required

        - attribute_value - common.IdFqnIdentifier + terms + string + repeated +

        Required

        + + + + group_id + string -

        Required. The attribute value ID that will trigger this obligation value policy decisioning.

        +

        Optional

        - context - policy.RequestContext + metadata + common.MetadataMutable -

        Optional. The request context for this obligation value policy decisioning.

        +

        Optional

        @@ -15806,230 +15528,31 @@

        ValueTriggerRequest

        - - -

        SortObligationsType

        +

        CreateResourceMappingResponse

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_OBLIGATIONS_TYPE_UNSPECIFIED0

        SORT_OBLIGATIONS_TYPE_NAME1

        SORT_OBLIGATIONS_TYPE_FQN2

        SORT_OBLIGATIONS_TYPE_CREATED_AT3

        SORT_OBLIGATIONS_TYPE_UPDATED_AT4

        - - - - - -

        Service

        -

        Obligation Service

        /

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Method NameRequest TypeResponse TypeDescription
        ListObligationsListObligationsRequestListObligationsResponse

        GetObligationGetObligationRequestGetObligationResponse

        GetObligationsByFQNsGetObligationsByFQNsRequestGetObligationsByFQNsResponse

        CreateObligationCreateObligationRequestCreateObligationResponse

        UpdateObligationUpdateObligationRequestUpdateObligationResponse

        DeleteObligationDeleteObligationRequestDeleteObligationResponse

        GetObligationValueGetObligationValueRequestGetObligationValueResponse

        GetObligationValuesByFQNsGetObligationValuesByFQNsRequestGetObligationValuesByFQNsResponse

        CreateObligationValueCreateObligationValueRequestCreateObligationValueResponse

        UpdateObligationValueUpdateObligationValueRequestUpdateObligationValueResponse

        DeleteObligationValueDeleteObligationValueRequestDeleteObligationValueResponse

        GetObligationTriggerGetObligationTriggerRequestGetObligationTriggerResponse

        AddObligationTriggerAddObligationTriggerRequestAddObligationTriggerResponse

        RemoveObligationTriggerRemoveObligationTriggerRequestRemoveObligationTriggerResponse

        ListObligationTriggersListObligationTriggersRequestListObligationTriggersResponse

        - - -

        Methods with idempotency_level option

        - +
        - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + +
        Method NameOption
        FieldTypeLabelDescription
        ListObligations

        NO_SIDE_EFFECTS

        GetObligation

        NO_SIDE_EFFECTS

        GetObligationsByFQNs

        NO_SIDE_EFFECTS

        GetObligationValue

        NO_SIDE_EFFECTS

        GetObligationValuesByFQNs

        NO_SIDE_EFFECTS

        GetObligationTrigger

        NO_SIDE_EFFECTS

        ListObligationTriggers

        NO_SIDE_EFFECTS

        resource_mappingpolicy.ResourceMapping

        + - - - -
        -

        policy/registeredresources/registered_resources.proto

        Top -
        -

        + -

        ActionAttributeValue

        +

        DeleteResourceMappingGroupRequest

        @@ -16040,29 +15563,80 @@

        ActionAttributeValue - action_id + id string -

        +

        Required

        + + + + + + + +

        DeleteResourceMappingGroupResponse

        +

        + + + + + + + + - - + + + +
        FieldTypeLabelDescription
        action_namestringresource_mapping_grouppolicy.ResourceMappingGroup

        + + + + + +

        DeleteResourceMappingRequest

        +

        + + + + + + + + - + - + + +
        FieldTypeLabelDescription
        attribute_value_idid string

        Required

        + + + + + +

        DeleteResourceMappingResponse

        +

        + + + + + + + + - - + + @@ -16074,7 +15648,7 @@

        ActionAttributeValueCreateRegisteredResourceRequest

        +

        GetResourceMappingGroupRequest

        @@ -16085,41 +15659,113 @@

        CreateRegist

        - + + +
        FieldTypeLabelDescription
        attribute_value_fqnstringresource_mappingpolicy.ResourceMapping

        nameid string

        Required

        + + + + + +

        GetResourceMappingGroupResponse

        +

        + + + + + + + + - - - - + + + + + +
        FieldTypeLabelDescription
        valuesstringrepeated

        Optional -Registered Resource Values (when provided) must be alphanumeric strings, allowing hyphens and underscores but not as the first or last character. -The stored value will be normalized to lower case.

        resource_mapping_grouppolicy.ResourceMappingGroup

        + + + + + +

        GetResourceMappingRequest

        +

        + + + + + + + + - + + + + + +
        FieldTypeLabelDescription
        namespace_idid string

        Required

        + + + + + +

        GetResourceMappingResponse

        +

        + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        resource_mappingpolicy.ResourceMapping

        + + + + + +

        ListResourceMappingGroupsRequest

        +

        + + + + + + + + - + - + - - + + - + @@ -16129,7 +15775,7 @@

        CreateRegist -

        CreateRegisteredResourceResponse

        +

        ListResourceMappingGroupsResponse

        @@ -16140,8 +15786,15 @@

        CreateRegis

        - - + + + + + + + + + @@ -16153,7 +15806,7 @@

        CreateRegis -

        CreateRegisteredResourceValueRequest

        +

        ListResourceMappingsByGroupFqnsRequest

        @@ -16164,34 +15817,66 @@

        CreateR

        - + - - + + + +
        FieldTypeLabelDescription
        namespace_fqnnamespace_id string

        Optional

        metadatacommon.MetadataMutablepaginationpolicy.PageRequest

        Optional -Common metadata

        Optional

        resourcepolicy.RegisteredResourceresource_mapping_groupspolicy.ResourceMappingGrouprepeated

        paginationpolicy.PageResponse

        resource_idfqns string

        Required

        repeated

        Required +Structure of the RM Group FQN is 'https://<namespace>/resm/<group name>'

        + + + + + +

        ListResourceMappingsByGroupFqnsResponse

        +

        + + + + + + + + - - - - + + + + + +
        FieldTypeLabelDescription
        valuestring

        Required

        fqn_resource_mapping_groupsListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntryrepeated

        + + + + + +

        ListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntry

        +

        + + + + + + + + - - - - + + + + - - + + - + @@ -16201,7 +15886,7 @@

        CreateR -

        CreateRegisteredResourceValueResponse

        +

        ListResourceMappingsRequest

        @@ -16212,10 +15897,17 @@

        Create

        - - + + - + + + + + + + + @@ -16225,7 +15917,7 @@

        Create -

        DeleteRegisteredResourceRequest

        +

        ListResourceMappingsResponse

        @@ -16236,10 +15928,17 @@

        DeleteRegist

        - - + + + + + + + + + - + @@ -16249,7 +15948,7 @@

        DeleteRegist -

        DeleteRegisteredResourceResponse

        +

        ResourceMappingsByGroup

        @@ -16260,12 +15959,19 @@

        DeleteRegis

        - - + + + + + + + + +
        FieldTypeLabelDescription
        action_attribute_valuesActionAttributeValuerepeated

        Optional -The associated Action <> AttributeValue combinations to be utilized in authorization/entitlement decisioning -(i.e. action read -> attribute value https://example.com/attr/department/value/marketing)

        keystring

        metadatacommon.MetadataMutablevalueResourceMappingsByGroup

        Optional -Common metadata

        valuepolicy.RegisteredResourceValuegroup_idstring

        Optional

        paginationpolicy.PageRequest

        Optional

        idstringresource_mappingspolicy.ResourceMappingrepeated

        paginationpolicy.PageResponse

        Required

        resourcepolicy.RegisteredResourcegrouppolicy.ResourceMappingGroup

        mappingspolicy.ResourceMappingrepeated

        @@ -16273,7 +15979,7 @@

        DeleteRegis -

        DeleteRegisteredResourceValueRequest

        +

        UpdateResourceMappingGroupRequest

        @@ -16290,6 +15996,34 @@

        DeleteR

        Required

        + + namespace_id + string + +

        Optional

        + + + + name + string + +

        Optional

        + + + + metadata + common.MetadataMutable + +

        Common metadata

        + + + + metadata_update_behavior + common.MetadataUpdateEnum + +

        + + @@ -16297,7 +16031,7 @@

        DeleteR -

        DeleteRegisteredResourceValueResponse

        +

        UpdateResourceMappingGroupResponse

        @@ -16308,8 +16042,8 @@

        Delete - value - policy.RegisteredResourceValue + resource_mapping_group + policy.ResourceMappingGroup

        @@ -16321,7 +16055,7 @@

        Delete -

        GetRegisteredResourceRequest

        +

        UpdateResourceMappingRequest

        @@ -16335,27 +16069,42 @@

        GetRegisteredRe id string -

        +

        Required

        - name + attribute_value_id string -

        +

        Optional

        - namespace_fqn + terms string - -

        + repeated +

        Optional

        - namespace_id + group_id string +

        Optional

        + + + + metadata + common.MetadataMutable + +

        Optional +Common Metadata

        + + + + metadata_update_behavior + common.MetadataUpdateEnum +

        @@ -16366,7 +16115,7 @@

        GetRegisteredRe -

        GetRegisteredResourceResponse

        +

        UpdateResourceMappingResponse

        @@ -16377,20 +16126,164 @@

        GetRegisteredR - resource - policy.RegisteredResource + resource_mapping + policy.ResourceMapping

        - + + + + + + + + + + + +

        ResourceMappingService

        +

        Resource Mapping Groups

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameRequest TypeResponse TypeDescription
        ListResourceMappingGroupsListResourceMappingGroupsRequestListResourceMappingGroupsResponse

        GetResourceMappingGroupGetResourceMappingGroupRequestGetResourceMappingGroupResponse

        CreateResourceMappingGroupCreateResourceMappingGroupRequestCreateResourceMappingGroupResponse

        UpdateResourceMappingGroupUpdateResourceMappingGroupRequestUpdateResourceMappingGroupResponse

        DeleteResourceMappingGroupDeleteResourceMappingGroupRequestDeleteResourceMappingGroupResponse

        ListResourceMappingsListResourceMappingsRequestListResourceMappingsResponse

        ListResourceMappingsByGroupFqnsListResourceMappingsByGroupFqnsRequestListResourceMappingsByGroupFqnsResponse

        GetResourceMappingGetResourceMappingRequestGetResourceMappingResponse

        CreateResourceMappingCreateResourceMappingRequestCreateResourceMappingResponse

        UpdateResourceMappingUpdateResourceMappingRequestUpdateResourceMappingResponse

        DeleteResourceMappingDeleteResourceMappingRequestDeleteResourceMappingResponse

        + + + + +

        Methods with idempotency_level option

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameOption
        ListResourceMappingGroups

        NO_SIDE_EFFECTS

        GetResourceMappingGroup

        NO_SIDE_EFFECTS

        ListResourceMappings

        NO_SIDE_EFFECTS

        ListResourceMappingsByGroupFqns

        NO_SIDE_EFFECTS

        GetResourceMapping

        NO_SIDE_EFFECTS

        - + -

        GetRegisteredResourceValueRequest

        +
        +

        policy/subjectmapping/subject_mapping.proto

        Top +
        +

        + + +

        CreateDefinitionValueEntitlementMappingRequest

        @@ -16401,65 +16294,66 @@

        GetRegiste - id + attribute_definition_id string

        - fqn + attribute_definition_fqn string

        - - - - - - - -

        GetRegisteredResourceValueResponse

        -

        - - - - - - - + + + + + + - - + + + + + + + + + - + - -
        FieldTypeLabelDescription
        value_resolverpolicy.DefinitionValueResolver

        Required: the dynamic resolver comparing entity selector result to the resource value segment

        valuepolicy.RegisteredResourceValueactionspolicy.Actionrepeated

        Required: actions permitted on a matched value

        existing_subject_condition_set_idstring

        Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ...

        - - - - - -

        GetRegisteredResourceValuesByFQNsRequest

        -

        - - - - - - - + + + + + + - + - - + + + + + + + + + + + + + + + + @@ -16469,7 +16363,7 @@

        Get -

        GetRegisteredResourceValuesByFQNsResponse

        +

        CreateDefinitionValueEntitlementMappingResponse

        @@ -16480,9 +16374,9 @@

        Ge

        - - - + + + @@ -16493,7 +16387,7 @@

        Ge -

        GetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntry

        +

        CreateSubjectConditionSetRequest

        @@ -16504,15 +16398,22 @@

        SubjectConditionSetCreate +

        + + + + + - - + + @@ -16524,7 +16425,7 @@

        ListRegisteredResourceValuesRequest

        +

        CreateSubjectConditionSetResponse

        @@ -16535,17 +16436,10 @@

        ListRegi

        - - - - - - - - - + + - + @@ -16555,7 +16449,7 @@

        ListRegi -

        ListRegisteredResourceValuesResponse

        +

        CreateSubjectMappingRequest

        @@ -16566,41 +16460,42 @@

        ListReg

        - - + + + + + + + + + - + - - + + - + - -
        FieldTypeLabelDescription
        new_subject_condition_setSubjectConditionSetCreate

        ... or create a new one (ignored if existing_subject_condition_set_id is provided)

        fqnsnamespace_id stringrepeated

        Required

        Optional: namespace ID or FQN for the mapping

        namespace_fqnstring

        metadatacommon.MetadataMutable

        Optional

        fqn_value_mapGetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntryrepeateddefinition_value_entitlement_mappingpolicy.DefinitionValueEntitlementMapping

        namespace_id string

        valuepolicy.RegisteredResourceValuenamespace_fqnstring

        resource_idstring

        Optional

        paginationpolicy.PageRequestsubject_condition_setpolicy.SubjectConditionSet

        Optional

        valuespolicy.RegisteredResourceValueattribute_value_idstring

        Required +Attribute Value to be mapped to

        actionspolicy.Action repeated

        Required +The actions permitted by subjects in this mapping

        paginationpolicy.PageResponseexisting_subject_condition_set_idstring

        Either of the following: +Reuse existing SubjectConditionSet (NOTE: prioritized over new_subject_condition_set)

        - - - - - -

        ListRegisteredResourcesRequest

        -

        - - - - - - - + + + + + + - + @@ -16611,23 +16506,12 @@

        ListRegistere

        - - + + - - - - - - -
        FieldTypeLabelDescription
        new_subject_condition_setSubjectConditionSetCreate

        Create new SubjectConditionSet (NOTE: ignored if existing_subject_condition_set_id is provided)

        namespace_id string

        Optional +Namespace ID or FQN for the subject mapping

        paginationpolicy.PageRequestmetadatacommon.MetadataMutable

        Optional

        sortRegisteredResourcesSortrepeated

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        @@ -16635,7 +16519,7 @@

        ListRegistere -

        ListRegisteredResourcesResponse

        +

        CreateSubjectMappingResponse

        @@ -16646,15 +16530,8 @@

        ListRegister - resources - policy.RegisteredResource - repeated -

        - - - - pagination - policy.PageResponse + subject_mapping + policy.SubjectMapping

        @@ -16666,7 +16543,7 @@

        ListRegister -

        RegisteredResourcesSort

        +

        DefinitionValueEntitlementMappingsSort

        @@ -16678,7 +16555,7 @@

        RegisteredResourcesS field - SortRegisteredResourcesType + SortDefinitionValueEntitlementMappingsType

        @@ -16697,7 +16574,14 @@

        RegisteredResourcesS -

        UpdateRegisteredResourceRequest

        +

        DeleteAllUnmappedSubjectConditionSetsRequest

        +

        Prune any Subject Condition Sets not utilized within a Subject Mapping

        + + + + + +

        DeleteAllUnmappedSubjectConditionSetsResponse

        @@ -16708,32 +16592,10 @@

        UpdateRegist - id - string - -

        Required

        - - - - name - string - -

        Optional

        - - - - metadata - common.MetadataMutable - -

        Optional -Common metadata

        - - - - metadata_update_behavior - common.MetadataUpdateEnum - -

        + subject_condition_sets + policy.SubjectConditionSet + repeated +

        Only IDs of any deleted Subject Condition Set provided

        @@ -16743,7 +16605,7 @@

        UpdateRegist -

        UpdateRegisteredResourceResponse

        +

        DeleteDefinitionValueEntitlementMappingRequest

        @@ -16754,10 +16616,10 @@

        UpdateRegis - resource - policy.RegisteredResource + id + string -

        +

        Required

        @@ -16767,7 +16629,7 @@

        UpdateRegis -

        UpdateRegisteredResourceValueRequest

        +

        DeleteDefinitionValueEntitlementMappingResponse

        @@ -16778,40 +16640,10 @@

        UpdateR - id - string - -

        Required

        - - - - value - string - -

        Optional

        - - - - action_attribute_values - ActionAttributeValue - repeated -

        Optional -Action Attribute Values provided here will replace all existing records in the database. To delete all action attribute values, set this field to an empty list.

        - - - - metadata - common.MetadataMutable - -

        Optional -Common metadata

        - - - - metadata_update_behavior - common.MetadataUpdateEnum + definition_value_entitlement_mapping + policy.DefinitionValueEntitlementMapping -

        +

        Only ID of the deleted mapping provided

        @@ -16821,7 +16653,7 @@

        UpdateR -

        UpdateRegisteredResourceValueResponse

        +

        DeleteSubjectConditionSetRequest

        @@ -16832,10 +16664,10 @@

        Update - value - policy.RegisteredResourceValue + id + string -

        +

        Required

        @@ -16845,145 +16677,31 @@

        Update - - -

        SortRegisteredResourcesType

        +

        DeleteSubjectConditionSetResponse

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_REGISTERED_RESOURCES_TYPE_UNSPECIFIED0

        SORT_REGISTERED_RESOURCES_TYPE_NAME1

        SORT_REGISTERED_RESOURCES_TYPE_CREATED_AT2

        SORT_REGISTERED_RESOURCES_TYPE_UPDATED_AT3

        - - + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        subject_condition_setpolicy.SubjectConditionSet

        Only ID of deleted Subject Condition Set provided

        - -

        RegisteredResourcesService

        -

        Registered Resources

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Method NameRequest TypeResponse TypeDescription
        CreateRegisteredResourceCreateRegisteredResourceRequestCreateRegisteredResourceResponse

        GetRegisteredResourceGetRegisteredResourceRequestGetRegisteredResourceResponse

        ListRegisteredResourcesListRegisteredResourcesRequestListRegisteredResourcesResponse

        UpdateRegisteredResourceUpdateRegisteredResourceRequestUpdateRegisteredResourceResponse

        DeleteRegisteredResourceDeleteRegisteredResourceRequestDeleteRegisteredResourceResponse

        CreateRegisteredResourceValueCreateRegisteredResourceValueRequestCreateRegisteredResourceValueResponse

        GetRegisteredResourceValueGetRegisteredResourceValueRequestGetRegisteredResourceValueResponse

        GetRegisteredResourceValuesByFQNsGetRegisteredResourceValuesByFQNsRequestGetRegisteredResourceValuesByFQNsResponse

        ListRegisteredResourceValuesListRegisteredResourceValuesRequestListRegisteredResourceValuesResponse

        UpdateRegisteredResourceValueUpdateRegisteredResourceValueRequestUpdateRegisteredResourceValueResponse

        DeleteRegisteredResourceValueDeleteRegisteredResourceValueRequestDeleteRegisteredResourceValueResponse

        + - - -
        -

        policy/resourcemapping/resource_mapping.proto

        Top -
        -

        - -

        CreateResourceMappingGroupRequest

        +

        DeleteSubjectMappingRequest

        @@ -16994,26 +16712,12 @@

        CreateResource - namespace_id - string - -

        Required

        - - - - name + id string

        Required

        - - metadata - common.MetadataMutable - -

        Common metadata

        - - @@ -17021,7 +16725,7 @@

        CreateResource -

        CreateResourceMappingGroupResponse

        +

        DeleteSubjectMappingResponse

        @@ -17032,10 +16736,10 @@

        CreateResourc - resource_mapping_group - policy.ResourceMappingGroup + subject_mapping + policy.SubjectMapping -

        +

        Only ID of the updated Subject Mapping provided

        @@ -17045,7 +16749,7 @@

        CreateResourc -

        CreateResourceMappingRequest

        +

        GetDefinitionValueEntitlementMappingRequest

        @@ -17056,33 +16760,12 @@

        CreateResourceMappi - attribute_value_id + id string

        Required

        - - terms - string - repeated -

        Required

        - - - - group_id - string - -

        Optional

        - - - - metadata - common.MetadataMutable - -

        Optional

        - - @@ -17090,7 +16773,7 @@

        CreateResourceMappi -

        CreateResourceMappingResponse

        +

        GetDefinitionValueEntitlementMappingResponse

        @@ -17101,8 +16784,8 @@

        CreateResourceMapp - resource_mapping - policy.ResourceMapping + definition_value_entitlement_mapping + policy.DefinitionValueEntitlementMapping

        @@ -17114,7 +16797,7 @@

        CreateResourceMapp -

        DeleteResourceMappingGroupRequest

        +

        GetSubjectConditionSetRequest

        @@ -17138,7 +16821,7 @@

        DeleteResource -

        DeleteResourceMappingGroupResponse

        +

        GetSubjectConditionSetResponse

        @@ -17149,12 +16832,19 @@

        DeleteResourc - resource_mapping_group - policy.ResourceMappingGroup + subject_condition_set + policy.SubjectConditionSet

        + + associated_subject_mappings + policy.SubjectMapping + repeated +

        contextualized Subject Mappings associated with this SubjectConditionSet

        + + @@ -17162,7 +16852,7 @@

        DeleteResourc -

        DeleteResourceMappingRequest

        +

        GetSubjectMappingRequest

        @@ -17186,7 +16876,7 @@

        DeleteResourceMappi -

        DeleteResourceMappingResponse

        +

        GetSubjectMappingResponse

        @@ -17197,8 +16887,8 @@

        DeleteResourceMapp - resource_mapping - policy.ResourceMapping + subject_mapping + policy.SubjectMapping

        @@ -17210,7 +16900,7 @@

        DeleteResourceMapp -

        GetResourceMappingGroupRequest

        +

        ListDefinitionValueEntitlementMappingsRequest

        @@ -17221,10 +16911,32 @@

        GetResourceMappin - id + namespace_id string -

        Required

        +

        Optional +Namespace ID, or Attribute Definition ID to filter by

        + + + + attribute_definition_id + string + +

        + + + + pagination + policy.PageRequest + +

        Optional

        + + + + sort + DefinitionValueEntitlementMappingsSort + repeated +

        Optional - CONSTRAINT: max 1 item

        @@ -17234,7 +16946,7 @@

        GetResourceMappin -

        GetResourceMappingGroupResponse

        +

        ListDefinitionValueEntitlementMappingsResponse

        @@ -17245,8 +16957,15 @@

        GetResourceMappi - resource_mapping_group - policy.ResourceMappingGroup + definition_value_entitlement_mappings + policy.DefinitionValueEntitlementMapping + repeated +

        + + + + pagination + policy.PageResponse

        @@ -17258,7 +16977,7 @@

        GetResourceMappi -

        GetResourceMappingRequest

        +

        ListSubjectConditionSetsRequest

        @@ -17269,10 +16988,35 @@

        GetResourceMappingRequ - id + namespace_id string -

        Required

        +

        + + + + namespace_fqn + string + +

        + + + + pagination + policy.PageRequest + +

        Optional

        + + + + sort + SubjectConditionSetsSort + repeated +

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        @@ -17282,7 +17026,7 @@

        GetResourceMappingRequ -

        GetResourceMappingResponse

        +

        ListSubjectConditionSetsResponse

        @@ -17293,8 +17037,15 @@

        GetResourceMappingRes - resource_mapping - policy.ResourceMapping + subject_condition_sets + policy.SubjectConditionSet + repeated +

        + + + + pagination + policy.PageResponse

        @@ -17306,7 +17057,7 @@

        GetResourceMappingRes -

        ListResourceMappingGroupsRequest

        +

        ListSubjectMappingsRequest

        @@ -17320,7 +17071,14 @@

        ListResourceMap namespace_id string -

        Optional

        +

        + + + + namespace_fqn + string + +

        @@ -17330,6 +17088,17 @@

        ListResourceMap

        Optional

        + + sort + SubjectMappingsSort + repeated +

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        + + @@ -17337,7 +17106,7 @@

        ListResourceMap -

        ListResourceMappingGroupsResponse

        +

        ListSubjectMappingsResponse

        @@ -17348,8 +17117,8 @@

        ListResourceMa - resource_mapping_groups - policy.ResourceMappingGroup + subject_mappings + policy.SubjectMapping repeated

        @@ -17368,8 +17137,8 @@

        ListResourceMa -

        ListResourceMappingsByGroupFqnsRequest

        -

        +

        MatchSubjectMappingsRequest

        +

        MatchSubjectMappingsRequest liberally returns a list of SubjectMappings based on the provided SubjectProperties.

        The SubjectMappings are returned if an external selector field matches.

        @@ -17379,11 +17148,10 @@

        ListResou

        - - + + - + @@ -17393,7 +17161,7 @@

        ListResou -

        ListResourceMappingsByGroupFqnsResponse

        +

        MatchSubjectMappingsResponse

        @@ -17404,8 +17172,8 @@

        ListReso

        - - + + @@ -17417,7 +17185,7 @@

        ListReso -

        ListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntry

        +

        SubjectConditionSetCreate

        @@ -17428,17 +17196,18 @@

        string -

        - + + + + - - + + - + @@ -17448,7 +17217,7 @@

        ListResourceMappingsRequest

        +

        SubjectConditionSetsSort

        @@ -17459,17 +17228,17 @@

        ListResourceMappings

        - - + + - + - - + + - + @@ -17479,7 +17248,7 @@

        ListResourceMappings -

        ListResourceMappingsResponse

        +

        SubjectMappingsSort

        @@ -17490,15 +17259,15 @@

        ListResourceMapping

        - - - + + + - - + + @@ -17510,7 +17279,7 @@

        ListResourceMapping -

        ResourceMappingsByGroup

        +

        UpdateDefinitionValueEntitlementMappingRequest

        @@ -17521,16 +17290,44 @@

        ResourceMappingsByGroup<

        - - + + - + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -17541,7 +17338,7 @@

        ResourceMappingsByGroup< -

        UpdateResourceMappingGroupRequest

        +

        UpdateDefinitionValueEntitlementMappingResponse

        @@ -17552,24 +17349,42 @@

        UpdateResource

        - - + + - + + +
        fqnsstringsubject_propertiespolicy.SubjectProperty repeated

        Required -Structure of the RM Group FQN is 'https://<namespace>/resm/<group name>'

        fqn_resource_mapping_groupsListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntrysubject_mappingspolicy.SubjectMapping repeated

        subject_setspolicy.SubjectSetrepeated

        Required

        valueResourceMappingsByGroupmetadatacommon.MetadataMutable

        Optional +Common metadata

        group_idstringfieldSortSubjectConditionSetsType

        Optional

        paginationpolicy.PageRequestdirectionpolicy.SortDirection

        Optional

        resource_mappingspolicy.ResourceMappingrepeatedfieldSortSubjectMappingsType

        paginationpolicy.PageResponsedirectionpolicy.SortDirection

        grouppolicy.ResourceMappingGroupidstring

        Required

        mappingspolicy.ResourceMappingvalue_resolverpolicy.DefinitionValueResolver

        Optional: replace the dynamic resolver

        subject_condition_set_idstring

        Optional: replace the static pre-gate SubjectConditionSet by id

        actionspolicy.Action repeated

        Optional: replace the entire list of actions

        metadatacommon.MetadataMutable

        Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnum

        idstringdefinition_value_entitlement_mappingpolicy.DefinitionValueEntitlementMapping

        Required

        + + + + + +

        UpdateSubjectConditionSetRequest

        +

        + + + + + + + + - + - + - - - - + + + + @@ -17593,7 +17408,7 @@

        UpdateResource -

        UpdateResourceMappingGroupResponse

        +

        UpdateSubjectConditionSetResponse

        @@ -17604,10 +17419,10 @@

        UpdateResourc

        - - + + - + @@ -17617,7 +17432,7 @@

        UpdateResourc -

        UpdateResourceMappingRequest

        +

        UpdateSubjectMappingRequest

        @@ -17635,32 +17450,26 @@

        UpdateResourceMappi

        - + - + - - + + - - - - - - - - + - + @@ -17677,7 +17486,7 @@

        UpdateResourceMappi -

        UpdateResourceMappingResponse

        +

        UpdateSubjectMappingResponse

        @@ -17688,10 +17497,10 @@

        UpdateResourceMapp

        - - + + - + @@ -17703,12 +17512,99 @@

        UpdateResourceMapp +

        SortDefinitionValueEntitlementMappingsType

        +

        +
        FieldTypeLabelDescription
        namespace_idid string

        Optional

        Required

        namestring

        Optional

        subject_setspolicy.SubjectSetrepeated

        Optional +If provided, replaces entire existing structure of Subject Sets, Condition Groups, & Conditions

        resource_mapping_grouppolicy.ResourceMappingGroupsubject_condition_setpolicy.SubjectConditionSet

        Only ID of updated Subject Condition Set provided

        attribute_value_idsubject_condition_set_id string

        Optional

        Optional +Replaces the existing SubjectConditionSet id with a new one

        termsstringactionspolicy.Action repeated

        Optional

        group_idstring

        Optional

        Optional +Replaces entire list of actions permitted by subjects

        metadata common.MetadataMutable

        Optional -Common Metadata

        Common metadata

        resource_mappingpolicy.ResourceMappingsubject_mappingpolicy.SubjectMapping

        Only ID of the updated Subject Mapping provided

        + + + + + + + + + + + + + + + + + + + + + + + + +
        NameNumberDescription
        SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED0

        SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT1

        SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT2

        + +

        SortSubjectConditionSetsType

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + +
        NameNumberDescription
        SORT_SUBJECT_CONDITION_SETS_TYPE_UNSPECIFIED0

        SORT_SUBJECT_CONDITION_SETS_TYPE_CREATED_AT1

        SORT_SUBJECT_CONDITION_SETS_TYPE_UPDATED_AT2

        + +

        SortSubjectMappingsType

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + +
        NameNumberDescription
        SORT_SUBJECT_MAPPINGS_TYPE_UNSPECIFIED0

        SORT_SUBJECT_MAPPINGS_TYPE_CREATED_AT1

        SORT_SUBJECT_MAPPINGS_TYPE_UPDATED_AT2

        + -

        ResourceMappingService

        -

        Resource Mapping Groups

        +

        SubjectMappingService

        +

        @@ -17716,79 +17612,121 @@

        ResourceMappingService

        - - - + + + + + + + + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -17809,27 +17747,32 @@

        Methods with idempotency_level option

        - + - + - + - + - + + + + + + diff --git a/docs/openapi/authorization/authorization.openapi.yaml b/docs/openapi/authorization/authorization.openapi.yaml index 5a112b61b6..bc3a5104e6 100644 --- a/docs/openapi/authorization/authorization.openapi.yaml +++ b/docs/openapi/authorization/authorization.openapi.yaml 
@@ -109,65 +109,6 @@ paths: $ref: '#/components/schemas/authorization.GetEntitlementsResponse' components: schemas: - authorization.DecisionResponse.Decision: - type: string - title: Decision - enum: - - DECISION_UNSPECIFIED - - DECISION_DENY - - DECISION_PERMIT - authorization.Entity.Category: - type: string - title: Category - enum: - - CATEGORY_UNSPECIFIED - - CATEGORY_SUBJECT - - CATEGORY_ENVIRONMENT - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. authorization.DecisionRequest: type: object properties: 
@@ -294,70 +235,92 @@ components: "resourceAttributesId": "attr-set-2", "decision": "DECISION_DENY" } + authorization.DecisionResponse.Decision: + type: string + title: Decision + enum: + - DECISION_UNSPECIFIED + - DECISION_DENY + - DECISION_PERMIT authorization.Entity: type: object - oneOf: - - properties: - claims: - title: claims - $ref: '#/components/schemas/google.protobuf.Any' - title: claims - required: - - claims + allOf: - properties: - clientId: + id: type: string + title: id + description: ephemeral id for tracking between request and response + category: + title: category + $ref: '#/components/schemas/authorization.Entity.Category' + - oneOf: + - type: object + properties: + claims: + title: claims + $ref: '#/components/schemas/google.protobuf.Any' + title: claims + required: + - claims + - type: object + properties: + clientId: + type: string + title: client_id title: client_id - title: client_id - required: - - clientId - - properties: - custom: + required: + - clientId + - type: object + properties: + custom: + title: custom + $ref: '#/components/schemas/authorization.EntityCustom' title: custom - $ref: '#/components/schemas/authorization.EntityCustom' - title: custom - required: - - custom - - properties: - emailAddress: - type: string + required: + - custom + - type: object + properties: + emailAddress: + type: string + title: email_address + description: one of the entity options must be set title: email_address - description: one of the entity options must be set - title: email_address - required: - - emailAddress - - properties: - remoteClaimsUrl: - type: string + required: + - emailAddress + - type: object + properties: + remoteClaimsUrl: + type: string + title: remote_claims_url title: remote_claims_url - title: remote_claims_url - required: - - remoteClaimsUrl - - properties: - userName: - type: string + required: + - remoteClaimsUrl + - type: object + properties: + userName: + type: string + title: user_name title: user_name - title: 
user_name - required: - - userName - - properties: - uuid: - type: string + required: + - userName + - type: object + properties: + uuid: + type: string + title: uuid title: uuid - title: uuid - required: - - uuid - properties: - id: - type: string - title: id - description: ephemeral id for tracking between request and response - category: - title: category - $ref: '#/components/schemas/authorization.Entity.Category' + required: + - uuid title: Entity additionalProperties: false description: PE (Person Entity) or NPE (Non-Person Entity) + authorization.Entity.Category: + type: string + title: Category + enum: + - CATEGORY_UNSPECIFIED + - CATEGORY_SUBJECT + - CATEGORY_ENVIRONMENT authorization.EntityChain: type: object properties: @@ -445,15 +408,17 @@ components: title: entities description: list of requested entities scope: + oneOf: + - $ref: '#/components/schemas/authorization.ResourceAttribute' + - type: "null" title: scope description: optional attribute fqn as a scope - nullable: true - $ref: '#/components/schemas/authorization.ResourceAttribute' withComprehensiveHierarchy: - type: boolean + type: + - boolean + - "null" title: with_comprehensive_hierarchy description: optional parameter to return a full list of entitlements - returns lower hierarchy attributes - nullable: true title: GetEntitlementsRequest additionalProperties: false description: |- 
@@ -626,17 +591,83 @@ components: title: value title: LabelsEntry additionalProperties: false - google.protobuf.Any: + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: type: object properties: type: type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' value: type: string format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. 
The specific message type is identified by the `type` field. debug: - type: object - additionalProperties: true + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary additionalProperties: true description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. google.protobuf.BoolValue: @@ -651,8 +682,8 @@ components: google.protobuf.Timestamp: type: string examples: - - 1s - - 1.000340012s + - "2023-01-15T01:30:15.01Z" + - "2024-12-25T12:00:00Z" format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -746,41 +777,65 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - oneOf: + allOf: - properties: - custom: + id: type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + - oneOf: + - type: object + properties: + custom: + type: string + title: custom + description: Deprecated title: custom - description: Deprecated - title: custom - required: - - custom - - properties: - standard: + required: + - custom + - type: object + properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' - title: standard - required: - - standard - properties: - id: - type: string - title: id - description: Generated uuid in database - name: - type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' + required: + - standard title: Action additionalProperties: false description: An action an entity can take + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. 
policy.KasPublicKey: type: object properties: @@ -799,7 +854,7 @@ components: alg: not: enum: - - 0 + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -811,6 +866,19 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: @@ -833,13 +901,9 @@ components: uri: type: string title: uri - description: |+ + description: | Address of a KAS instance - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -907,7 +971,8 @@ components: policy.PublicKey: type: object oneOf: - - properties: + - type: object + properties: cached: title: cached description: public key with additional information. Current preferred version 
@@ -915,17 +980,14 @@ components: title: cached required: - cached - - properties: + - type: object + properties: remote: type: string title: remote - description: |+ + description: | kas public key url - optional since can also be retrieved via public key - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. title: remote required: - remote 
@@ -963,50 +1025,17 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version + policy.SourceType: + type: string + title: SourceType enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. security: [] tags: - name: authorization.AuthorizationService diff --git a/docs/openapi/authorization/v2/authorization.openapi.yaml b/docs/openapi/authorization/v2/authorization.openapi.yaml index 7e9d837275..b4dbfa42d6 100644 
--- a/docs/openapi/authorization/v2/authorization.openapi.yaml +++ b/docs/openapi/authorization/v2/authorization.openapi.yaml @@ -37,12 +37,12 @@ paths: application/json: schema: $ref: '#/components/schemas/authorization.v2.GetDecisionResponse' - /authorization.v2.AuthorizationService/GetDecisionMultiResource: + /authorization.v2.AuthorizationService/GetDecisionBulk: post: tags: - authorization.v2.AuthorizationService - summary: GetDecisionMultiResource - operationId: authorization.v2.AuthorizationService.GetDecisionMultiResource + summary: GetDecisionBulk + operationId: authorization.v2.AuthorizationService.GetDecisionBulk parameters: - name: Connect-Protocol-Version in: header @@ -57,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/authorization.v2.GetDecisionMultiResourceRequest' + $ref: '#/components/schemas/authorization.v2.GetDecisionBulkRequest' required: true responses: default: @@ -71,13 +71,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/authorization.v2.GetDecisionMultiResourceResponse' - /authorization.v2.AuthorizationService/GetDecisionBulk: + $ref: '#/components/schemas/authorization.v2.GetDecisionBulkResponse' + /authorization.v2.AuthorizationService/GetDecisionMultiResource: post: tags: - authorization.v2.AuthorizationService - summary: GetDecisionBulk - operationId: authorization.v2.AuthorizationService.GetDecisionBulk + summary: GetDecisionMultiResource + operationId: authorization.v2.AuthorizationService.GetDecisionMultiResource parameters: - name: Connect-Protocol-Version in: header @@ -92,7 +92,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/authorization.v2.GetDecisionBulkRequest' + $ref: '#/components/schemas/authorization.v2.GetDecisionMultiResourceRequest' required: true responses: default: 
@@ -106,7 +106,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/authorization.v2.GetDecisionBulkResponse' + $ref: '#/components/schemas/authorization.v2.GetDecisionMultiResourceResponse' /authorization.v2.AuthorizationService/GetEntitlements: post: tags: @@ -151,58 +151,6 @@ components: - DECISION_UNSPECIFIED - DECISION_DENY - DECISION_PERMIT - entity.Entity.Category: - type: string - title: Category - enum: - - CATEGORY_UNSPECIFIED - - CATEGORY_SUBJECT - - CATEGORY_ENVIRONMENT - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. authorization.v2.EntityEntitlements: type: object properties: 
@@ -243,21 +191,19 @@ components: authorization.v2.EntityIdentifier: type: object oneOf: - - properties: + - type: object + properties: entityChain: title: entity_chain - description: |+ + description: | chain of one or more entities and at most 10 - entities must be provided and between 1 and 10 in count: - ``` - has(this.entities) && this.entities.size() > 0 && this.entities.size() <= 10 - ``` - + entity_chain_required // entities must be provided and between 1 and 10 in count $ref: '#/components/schemas/entity.EntityChain' title: entity_chain required: - entityChain - - properties: + - type: object + properties: registeredResourceValueFqn: type: string title: registered_resource_value_fqn @@ -269,30 +215,24 @@ components: title: registered_resource_value_fqn required: - registeredResourceValueFqn - - properties: + - type: object + properties: token: title: token - description: |+ + description: | access token (JWT), which is used to create an entity chain (comprising one or more entities) - token must be provided: - ``` - has(this.jwt) && this.jwt.size() > 0 - ``` - + token_required // token must be provided $ref: '#/components/schemas/entity.Token' title: token required: - token - - properties: + - type: object + properties: withRequestToken: title: with_request_token - description: |+ + description: | derive the entity from the request's authorization access token JWT, rather than passing in the body - with_request_token must be true when set: - ``` - this == true - ``` - + with_request_token_must_be_true // with_request_token must be true when set $ref: '#/components/schemas/google.protobuf.BoolValue' title: with_request_token required: 
@@ -352,27 +292,19 @@ components: type: array items: type: string - description: |+ - if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs: - ``` - this.size() == 0 || (this.size() <= 50 && this.all(item, item.isUri())) - ``` - + description: | + obligation_value_fqns_valid // if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs title: fulfillable_obligation_fqns - description: |+ + description: | obligations (fully qualified values) the requester is capable of fulfilling i.e. https:///obl//value/ - if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs: - ``` - this.size() == 0 || (this.size() <= 50 && this.all(item, item.isUri())) - ``` - + obligation_value_fqns_valid // if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs title: GetDecisionMultiResourceRequest required: - entityIdentifier - action additionalProperties: false - description: |+ + description: | Can the identified entity/entities access? 1. one entity reference (actor) 2. one action @@ -381,11 +313,7 @@ components: If entitled, checks obligation policy: fulfillable obligations must satisfy all triggered. Note: this is a more performant bulk request for multiple resource decisions, up to 1000 per request - action.name must be provided: - ``` - has(this.action.name) - ``` - + get_decision_multi_request.action_name_required // action.name must be provided authorization.v2.GetDecisionMultiResourceResponse: type: object properties: 
@@ -419,39 +347,27 @@ components: type: array items: type: string - description: |+ - if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs: - ``` - this.size() == 0 || (this.size() <= 50 && this.all(item, item.isUri())) - ``` - + description: | + obligation_value_fqns_valid // if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs title: fulfillable_obligation_fqns - description: |+ + description: | obligations (fully qualified values) the requester is capable of fulfilling i.e. https:///obl//value/ - if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs: - ``` - this.size() == 0 || (this.size() <= 50 && this.all(item, item.isUri())) - ``` - + obligation_value_fqns_valid // if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs title: GetDecisionRequest required: - entityIdentifier - action - resource additionalProperties: false - description: |+ + description: | Can the identified entity/entities access? 1. one entity reference (actor) 2. one action 3. one resource If entitled, checks obligation policy: fulfillable obligations must satisfy all triggered. - action.name must be provided: - ``` - has(this.action.name) - ``` - + get_decision_request.action_name_required // action.name must be provided authorization.v2.GetDecisionResponse: type: object properties: 
@@ -469,12 +385,13 @@ components: description: an entity must be identified for entitlement decisioning $ref: '#/components/schemas/authorization.v2.EntityIdentifier' withComprehensiveHierarchy: - type: boolean + type: + - boolean + - "null" title: with_comprehensive_hierarchy description: |- optional parameter to return all entitled values for attribute definitions with hierarchy rules, propagating down the hierarchical values instead of returning solely the value that is directly entitled - nullable: true title: GetEntitlementsRequest required: - entityIdentifier 
@@ -496,36 +413,35 @@ components: additionalProperties: false authorization.v2.Resource: type: object - oneOf: - - properties: - attributeValues: - title: attribute_values - description: |+ - a set of attribute value FQNs, such as those on a TDF, between 1 and 20 in count - if provided, resource.attribute_values must be between 1 and 20 in count with all valid FQNs: - ``` - this.fqns.size() > 0 && this.fqns.size() <= 20 && this.fqns.all(item, item.isUri()) - ``` - - $ref: '#/components/schemas/authorization.v2.Resource.AttributeValues' - title: attribute_values - required: - - attributeValues + allOf: - properties: - registeredResourceValueFqn: + ephemeralId: type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + - oneOf: + - type: object + properties: + attributeValues: + title: attribute_values + description: | + a set of attribute value FQNs, such as those on a TDF, between 1 and 20 in count + attribute_values_required // if provided, resource.attribute_values must be between 1 and 20 in count with all valid FQNs + $ref: '#/components/schemas/authorization.v2.Resource.AttributeValues' + title: attribute_values + required: + - attributeValues + - type: object + properties: + registeredResourceValueFqn: + type: string + title: registered_resource_value_fqn + minLength: 1 + format: uri + description: fully qualified name of the registered resource value stored in platform policy title: registered_resource_value_fqn - minLength: 1 - format: uri - description: fully qualified name of the registered resource value stored in platform policy - title: registered_resource_value_fqn - required: - - registeredResourceValueFqn - properties: - ephemeralId: - type: string - title: ephemeral_id - description: ephemeral id for tracking between request and response + required: + - registeredResourceValueFqn title: Resource additionalProperties: false description: Either a set of attribute values (such as those on a TDF) or a 
registered resource value 
@@ -592,49 +508,130 @@ components: title: value title: LabelsEntry additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. 
The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. entity.Entity: type: object - oneOf: + allOf: - properties: - claims: - title: claims - description: used by ERS claims mode - $ref: '#/components/schemas/google.protobuf.Any' - title: claims - required: - - claims - - properties: - clientId: + ephemeralId: type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + category: + title: category + $ref: '#/components/schemas/entity.Entity.Category' + - oneOf: + - type: object + properties: + claims: + title: claims + description: used by ERS claims mode + $ref: '#/components/schemas/google.protobuf.Any' + title: claims + required: + - claims + - type: object + properties: + clientId: + type: string + title: client_id title: client_id - title: client_id - required: - - clientId - - properties: - emailAddress: - type: string + required: + - clientId + - type: object + properties: + emailAddress: + type: string + title: email_address title: email_address - title: email_address - required: - - emailAddress - - properties: - userName: - type: string + required: + - emailAddress + - type: object + properties: + userName: + type: string + title: user_name title: user_name - title: user_name - required: - - userName - properties: - ephemeralId: - type: string - title: ephemeral_id - description: ephemeral id for tracking between request and response - category: - 
title: category - $ref: '#/components/schemas/entity.Entity.Category' + required: + - userName title: Entity additionalProperties: false description: PE (Person Entity) or NPE (Non-Person Entity) + entity.Entity.Category: + type: string + title: Category + enum: + - CATEGORY_UNSPECIFIED + - CATEGORY_SUBJECT + - CATEGORY_ENVIRONMENT entity.EntityChain: type: object properties: @@ -673,9 +670,6 @@ components: value: type: string format: binary - debug: - type: object - additionalProperties: true additionalProperties: true description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. google.protobuf.BoolValue: @@ -690,8 +684,8 @@ components: google.protobuf.Timestamp: type: string examples: - - 1s - - 1.000340012s + - "2023-01-15T01:30:15.01Z" + - "2024-12-25T12:00:00Z" format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -785,41 +779,65 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - oneOf: + allOf: - properties: - custom: + id: type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + - oneOf: + - type: object + properties: + custom: + type: string + title: custom + description: Deprecated title: custom - description: Deprecated - title: custom - required: - - custom - - properties: - standard: + required: + - custom + - type: object + properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' - title: standard - required: - - standard - properties: - id: - type: string - title: id - description: Generated uuid in database - name: - type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' + required: + - standard title: Action additionalProperties: false description: An action an entity can take + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. 
policy.KasPublicKey: type: object properties: @@ -838,7 +856,7 @@ components: alg: not: enum: - - 0 + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -850,6 +868,19 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: @@ -872,13 +903,9 @@ components: uri: type: string title: uri - description: |+ + description: | Address of a KAS instance - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -946,7 +973,8 @@ components: policy.PublicKey: type: object oneOf: - - properties: + - type: object + properties: cached: title: cached description: public key with additional information. Current preferred version 
@@ -954,17 +982,14 @@ components: title: cached required: - cached - - properties: + - type: object + properties: remote: type: string title: remote - description: |+ + description: | kas public key url - optional since can also be retrieved via public key - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. title: remote required: - remote 
@@ -1002,50 +1027,17 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version + policy.SourceType: + type: string + title: SourceType enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. security: [] tags: - name: authorization.v2.AuthorizationService diff --git a/docs/openapi/common/common.openapi.yaml b/docs/openapi/common/common.openapi.yaml index 0d1e60b152..093091b6a7 100644 --- a/docs/openapi/common/common.openapi.yaml 
+++ b/docs/openapi/common/common.openapi.yaml @@ -13,15 +13,14 @@ components: - ACTIVE_STATE_ENUM_INACTIVE - ACTIVE_STATE_ENUM_ANY description: 'buflint ENUM_VALUE_PREFIX: to make sure that C++ scoping rules aren''t violated when users add new enum values to an enum in a given package' - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE common.IdFqnIdentifier: type: object + allOf: + - oneOf: + - required: + - id + - required: + - fqn properties: id: type: string @@ -36,6 +35,12 @@ components: additionalProperties: false common.IdNameIdentifier: type: object + allOf: + - oneOf: + - required: + - id + - required: + - name properties: id: type: string @@ -46,12 +51,8 @@ components: title: name maxLength: 253 minLength: 1 - description: |+ - Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: - ``` - this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + description: | + name_format // Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. title: IdNameIdentifier additionalProperties: false common.Metadata: @@ -109,11 +110,18 @@ components: title: value title: LabelsEntry additionalProperties: false + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE google.protobuf.Timestamp: type: string examples: - - 1s - - 1.000340012s + - "2023-01-15T01:30:15.01Z" + - "2024-12-25T12:00:00Z" format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
diff --git a/docs/openapi/entity/entity.openapi.yaml b/docs/openapi/entity/entity.openapi.yaml index 6484c863a0..388fb1f7a3 100644 --- a/docs/openapi/entity/entity.openapi.yaml +++ b/docs/openapi/entity/entity.openapi.yaml 
@@ -4,56 +4,61 @@ info: paths: {} components: schemas: - entity.Entity.Category: - type: string - title: Category - enum: - - CATEGORY_UNSPECIFIED - - CATEGORY_SUBJECT - - CATEGORY_ENVIRONMENT entity.Entity: type: object - oneOf: + allOf: - properties: - claims: - title: claims - description: used by ERS claims mode - $ref: '#/components/schemas/google.protobuf.Any' - title: claims - required: - - claims - - properties: - clientId: + ephemeralId: type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + category: + title: category + $ref: '#/components/schemas/entity.Entity.Category' + - oneOf: + - type: object + properties: + claims: + title: claims + description: used by ERS claims mode + $ref: '#/components/schemas/google.protobuf.Any' + title: claims + required: + - claims + - type: object + properties: + clientId: + type: string + title: client_id title: client_id - title: client_id - required: - - clientId - - properties: - emailAddress: - type: string + required: + - clientId + - type: object + properties: + emailAddress: + type: string + title: email_address title: email_address - title: email_address - required: - - emailAddress - - properties: - userName: - type: string + required: + - emailAddress + - type: object + properties: + userName: + type: string + title: user_name title: user_name - title: user_name - required: - - userName - properties: - ephemeralId: - type: string - title: ephemeral_id - description: ephemeral id for tracking between request and response - category: - title: category - $ref: '#/components/schemas/entity.Entity.Category' + required: + - userName title: Entity additionalProperties: false description: PE (Person Entity) or NPE (Non-Person Entity) + entity.Entity.Category: + type: string + title: Category + enum: + - CATEGORY_UNSPECIFIED + - CATEGORY_SUBJECT + - CATEGORY_ENVIRONMENT entity.EntityChain: type: object properties: 
@@ -92,9 +97,6 @@ components: value: type: string format: binary - debug: - type: object - additionalProperties: true additionalProperties: true description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] diff --git a/docs/openapi/entityresolution/entity_resolution.openapi.yaml b/docs/openapi/entityresolution/entity_resolution.openapi.yaml index ac5e8021f4..6a57e3b749 100644 --- a/docs/openapi/entityresolution/entity_resolution.openapi.yaml +++ b/docs/openapi/entityresolution/entity_resolution.openapi.yaml @@ -2,13 +2,13 @@ openapi: 3.1.0 info: title: entityresolution paths: - /entityresolution.EntityResolutionService/ResolveEntities: + /entityresolution.EntityResolutionService/CreateEntityChainFromJwt: post: tags: - entityresolution.EntityResolutionService - summary: ResolveEntities - description: 'Deprecated: use v2 ResolveEntities instead' - operationId: entityresolution.EntityResolutionService.ResolveEntities + summary: CreateEntityChainFromJwt + description: 'Deprecated: use v2 CreateEntityChainsFromTokens instead' + operationId: entityresolution.EntityResolutionService.CreateEntityChainFromJwt parameters: - name: Connect-Protocol-Version in: header @@ -23,7 +23,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.ResolveEntitiesRequest' + $ref: '#/components/schemas/entityresolution.CreateEntityChainFromJwtRequest' required: true responses: default: 
@@ -37,14 +37,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.ResolveEntitiesResponse' - /entityresolution.EntityResolutionService/CreateEntityChainFromJwt: + $ref: '#/components/schemas/entityresolution.CreateEntityChainFromJwtResponse' + /entityresolution.EntityResolutionService/ResolveEntities: post: tags: - entityresolution.EntityResolutionService - summary: CreateEntityChainFromJwt - description: 'Deprecated: use v2 CreateEntityChainsFromTokens instead' - operationId: entityresolution.EntityResolutionService.CreateEntityChainFromJwt + summary: ResolveEntities + description: 'Deprecated: use v2 ResolveEntities instead' + operationId: entityresolution.EntityResolutionService.ResolveEntities parameters: - name: Connect-Protocol-Version in: header @@ -59,7 +59,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.CreateEntityChainFromJwtRequest' + $ref: '#/components/schemas/entityresolution.ResolveEntitiesRequest' required: true responses: default: 
@@ -73,90 +73,88 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.CreateEntityChainFromJwtResponse' + $ref: '#/components/schemas/entityresolution.ResolveEntitiesResponse' components: schemas: - authorization.Entity.Category: - type: string - title: Category - enum: - - CATEGORY_UNSPECIFIED - - CATEGORY_SUBJECT - - CATEGORY_ENVIRONMENT - google.protobuf.NullValue: - type: string - title: NullValue - enum: - - NULL_VALUE - description: |- - `NullValue` is a singleton enumeration to represent the null value for the - `Value` type union. - - The JSON representation for `NullValue` is JSON `null`. authorization.Entity: type: object - oneOf: - - properties: - claims: - title: claims - $ref: '#/components/schemas/google.protobuf.Any' - title: claims - required: - - claims + allOf: - properties: - clientId: + id: type: string + title: id + description: ephemeral id for tracking between request and response + category: + title: category + $ref: '#/components/schemas/authorization.Entity.Category' + - oneOf: + - type: object + properties: + claims: + title: claims + $ref: '#/components/schemas/google.protobuf.Any' + title: claims + required: + - claims + - type: object + properties: + clientId: + type: string + title: client_id title: client_id - title: client_id - required: - - clientId - - properties: - custom: + required: + - clientId + - type: object + properties: + custom: + title: custom + $ref: '#/components/schemas/authorization.EntityCustom' title: custom - $ref: '#/components/schemas/authorization.EntityCustom' - title: custom - required: - - custom - - properties: - emailAddress: - type: string + required: + - custom + - type: object + properties: + emailAddress: + type: string + title: email_address + description: one of the entity options must be set title: email_address - description: one of the entity options must be set - title: email_address - required: - - emailAddress - - properties: - remoteClaimsUrl: - type: 
string + required: + - emailAddress + - type: object + properties: + remoteClaimsUrl: + type: string + title: remote_claims_url title: remote_claims_url - title: remote_claims_url - required: - - remoteClaimsUrl - - properties: - userName: - type: string + required: + - remoteClaimsUrl + - type: object + properties: + userName: + type: string + title: user_name title: user_name - title: user_name - required: - - userName - - properties: - uuid: - type: string + required: + - userName + - type: object + properties: + uuid: + type: string + title: uuid title: uuid - title: uuid - required: - - uuid - properties: - id: - type: string - title: id - description: ephemeral id for tracking between request and response - category: - title: category - $ref: '#/components/schemas/authorization.Entity.Category' + required: + - uuid title: Entity additionalProperties: false description: PE (Person Entity) or NPE (Non-Person Entity) + authorization.Entity.Category: + type: string + title: Category + enum: + - CATEGORY_UNSPECIFIED + - CATEGORY_SUBJECT + - CATEGORY_ENVIRONMENT authorization.EntityChain: type: object properties: 
@@ -194,6 +192,75 @@ components: description: the token title: Token additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. 
The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. entityresolution.CreateEntityChainFromJwtRequest: type: object properties: @@ -335,9 +402,6 @@ components: value: type: string format: binary - debug: - type: object - additionalProperties: true additionalProperties: true description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. google.protobuf.ListValue: @@ -355,6 +419,16 @@ components: `ListValue` is a wrapper around a repeated field of values. The JSON representation for `ListValue` is JSON array. + google.protobuf.NullValue: + type: string + title: NullValue + enum: + - NULL_VALUE + description: |- + `NullValue` is a singleton enumeration to represent the null value for the + `Value` type union. + + The JSON representation for `NullValue` is JSON `null`. google.protobuf.Struct: type: object additionalProperties: 
@@ -395,50 +469,6 @@ components: variants. Absence of any variant indicates an error. The JSON representation for `Value` is JSON value. - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' security: [] tags: - name: entityresolution.EntityResolutionService diff --git a/docs/openapi/entityresolution/v2/entity_resolution.openapi.yaml b/docs/openapi/entityresolution/v2/entity_resolution.openapi.yaml index b8e661c75a..52baa90875 100644 --- a/docs/openapi/entityresolution/v2/entity_resolution.openapi.yaml +++ b/docs/openapi/entityresolution/v2/entity_resolution.openapi.yaml 
@@ -2,12 +2,12 @@ openapi: 3.1.0 info: title: entityresolution.v2 paths: - /entityresolution.v2.EntityResolutionService/ResolveEntities: + /entityresolution.v2.EntityResolutionService/CreateEntityChainsFromTokens: post: tags: - entityresolution.v2.EntityResolutionService - summary: ResolveEntities - operationId: entityresolution.v2.EntityResolutionService.ResolveEntities + summary: CreateEntityChainsFromTokens + operationId: entityresolution.v2.EntityResolutionService.CreateEntityChainsFromTokens parameters: - name: Connect-Protocol-Version in: header @@ -22,7 +22,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.v2.ResolveEntitiesRequest' + $ref: '#/components/schemas/entityresolution.v2.CreateEntityChainsFromTokensRequest' required: true responses: default: @@ -36,13 +36,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.v2.ResolveEntitiesResponse' - /entityresolution.v2.EntityResolutionService/CreateEntityChainsFromTokens: + $ref: '#/components/schemas/entityresolution.v2.CreateEntityChainsFromTokensResponse' + /entityresolution.v2.EntityResolutionService/ResolveEntities: post: tags: - entityresolution.v2.EntityResolutionService - summary: CreateEntityChainsFromTokens - operationId: entityresolution.v2.EntityResolutionService.CreateEntityChainsFromTokens + summary: ResolveEntities + operationId: entityresolution.v2.EntityResolutionService.ResolveEntities parameters: - name: Connect-Protocol-Version in: header @@ -57,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.v2.CreateEntityChainsFromTokensRequest' + $ref: '#/components/schemas/entityresolution.v2.ResolveEntitiesRequest' required: true responses: default: 
@@ -71,58 +71,40 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/entityresolution.v2.CreateEntityChainsFromTokensResponse' + $ref: '#/components/schemas/entityresolution.v2.ResolveEntitiesResponse' components: schemas: - entity.Entity.Category: - type: string - title: Category - enum: - - CATEGORY_UNSPECIFIED - - CATEGORY_SUBJECT - - CATEGORY_ENVIRONMENT - google.protobuf.NullValue: - type: string - title: NullValue - enum: - - NULL_VALUE - description: |- - `NullValue` is a singleton enumeration to represent the null value for the - `Value` type union. - - The JSON representation for `NullValue` is JSON `null`. authorization.v2.Resource: type: object - oneOf: + allOf: - properties: - attributeValues: - title: attribute_values - description: |+ - a set of attribute value FQNs, such as those on a TDF, between 1 and 20 in count - if provided, resource.attribute_values must be between 1 and 20 in count with all valid FQNs: - ``` - this.fqns.size() > 0 && this.fqns.size() <= 20 && this.fqns.all(item, item.isUri()) - ``` - - $ref: '#/components/schemas/authorization.v2.Resource.AttributeValues' - title: attribute_values - required: - - attributeValues - - properties: - registeredResourceValueFqn: + ephemeralId: type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + - oneOf: + - type: object + properties: + attributeValues: + title: attribute_values + description: | + a set of attribute value FQNs, such as those on a TDF, between 1 and 20 in count + attribute_values_required // if provided, resource.attribute_values must be between 1 and 20 in count with all valid FQNs + $ref: '#/components/schemas/authorization.v2.Resource.AttributeValues' + title: attribute_values + required: + - attributeValues + - type: object + properties: + registeredResourceValueFqn: + type: string + title: registered_resource_value_fqn + minLength: 1 + format: uri + description: fully qualified name of the registered 
resource value stored in platform policy title: registered_resource_value_fqn - minLength: 1 - format: uri - description: fully qualified name of the registered resource value stored in platform policy - title: registered_resource_value_fqn - required: - - registeredResourceValueFqn - properties: - ephemeralId: - type: string - title: ephemeral_id - description: ephemeral id for tracking between request and response + required: + - registeredResourceValueFqn title: Resource additionalProperties: false description: Either a set of attribute values (such as those on a TDF) or a registered resource value 
@@ -136,49 +118,130 @@ components: title: fqns title: AttributeValues additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. 
The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. entity.Entity: type: object - oneOf: + allOf: - properties: - claims: - title: claims - description: used by ERS claims mode - $ref: '#/components/schemas/google.protobuf.Any' - title: claims - required: - - claims - - properties: - clientId: + ephemeralId: type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + category: + title: category + $ref: '#/components/schemas/entity.Entity.Category' + - oneOf: + - type: object + properties: + claims: + title: claims + description: used by ERS claims mode + $ref: '#/components/schemas/google.protobuf.Any' + title: claims + required: + - claims + - type: object + properties: + clientId: + type: string + title: client_id title: client_id - title: client_id - required: - - clientId - - properties: - emailAddress: - type: string + required: + - clientId + - type: object + properties: + emailAddress: + type: string + title: email_address title: email_address - title: email_address - required: - - emailAddress - - properties: - userName: - type: string + required: + - emailAddress + - type: object + properties: + userName: + type: string + title: user_name title: user_name - title: user_name - required: - - userName - properties: - ephemeralId: - type: string - title: ephemeral_id - description: ephemeral id for tracking between request and response - category: - 
title: category - $ref: '#/components/schemas/entity.Entity.Category' + required: + - userName title: Entity additionalProperties: false description: PE (Person Entity) or NPE (Non-Person Entity) + entity.Entity.Category: + type: string + title: Category + enum: + - CATEGORY_UNSPECIFIED + - CATEGORY_SUBJECT + - CATEGORY_ENVIRONMENT entity.EntityChain: type: object properties: @@ -322,9 +385,6 @@ components: value: type: string format: binary - debug: - type: object - additionalProperties: true additionalProperties: true description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. google.protobuf.ListValue: @@ -342,6 +402,16 @@ components: `ListValue` is a wrapper around a repeated field of values. The JSON representation for `ListValue` is JSON array. + google.protobuf.NullValue: + type: string + title: NullValue + enum: + - NULL_VALUE + description: |- + `NullValue` is a singleton enumeration to represent the null value for the + `Value` type union. + + The JSON representation for `NullValue` is JSON `null`. google.protobuf.Struct: type: object additionalProperties: 
@@ -382,50 +452,6 @@ components: variants. Absence of any variant indicates an error. The JSON representation for `Value` is JSON value. - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' security: [] tags: - name: entityresolution.v2.EntityResolutionService diff --git a/docs/openapi/kas/kas.openapi.yaml b/docs/openapi/kas/kas.openapi.yaml index a357028153..147aea0ddf 100644 --- a/docs/openapi/kas/kas.openapi.yaml +++ b/docs/openapi/kas/kas.openapi.yaml 
@@ -2,12 +2,16 @@ openapi: 3.1.0 info: title: kas paths: - /kas.AccessService/PublicKey: + /kas.AccessService/LegacyPublicKey: post: tags: - kas.AccessService - summary: PublicKey - operationId: kas.AccessService.PublicKey + summary: Endpoint intended for gRPC Gateway's REST endpoint to provide v1 compatibility with older TDF clients + description: |- + This endpoint is not recommended for use in new applications, prefer the v2 endpoint ('PublicKey') instead. + + buf:lint:ignore RPC_RESPONSE_STANDARD_NAME + operationId: kas.AccessService.LegacyPublicKey parameters: - name: Connect-Protocol-Version in: header @@ -22,7 +26,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/kas.PublicKeyRequest' + $ref: '#/components/schemas/kas.LegacyPublicKeyRequest' required: true responses: default: @@ -36,19 +40,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/kas.PublicKeyResponse' - /kas.AccessService/LegacyPublicKey: + $ref: '#/components/schemas/google.protobuf.StringValue' + deprecated: true + /kas.AccessService/PublicKey: post: tags: - kas.AccessService - summary: LegacyPublicKey - description: |- - Endpoint intended for gRPC Gateway's REST endpoint to provide v1 compatibility with older TDF clients - - This endpoint is not recommended for use in new applications, prefer the v2 endpoint ('PublicKey') instead. - - buf:lint:ignore RPC_RESPONSE_STANDARD_NAME - operationId: kas.AccessService.LegacyPublicKey + summary: PublicKey + operationId: kas.AccessService.PublicKey parameters: - name: Connect-Protocol-Version in: header @@ -63,7 +62,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/kas.LegacyPublicKeyRequest' + $ref: '#/components/schemas/kas.PublicKeyRequest' required: true responses: default: 
@@ -77,8 +76,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/google.protobuf.StringValue' - deprecated: true + $ref: '#/components/schemas/kas.PublicKeyResponse' /kas.AccessService/Rewrap: post: tags: 
@@ -116,16 +114,75 @@ paths: $ref: '#/components/schemas/kas.RewrapResponse' components: schemas: - google.protobuf.NullValue: - type: string - title: NullValue + connect-protocol-version: + type: number + title: Connect-Protocol-Version enum: - - NULL_VALUE - description: |- - `NullValue` is a singleton enumeration to represent the null value for the - `Value` type union. - - The JSON representation for `NullValue` is JSON `null`. + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.ListValue: type: object properties: @@ -141,6 +198,16 @@ components: `ListValue` is a wrapper around a repeated field of values. The JSON representation for `ListValue` is JSON array. + google.protobuf.NullValue: + type: string + title: NullValue + enum: + - NULL_VALUE + description: |- + `NullValue` is a singleton enumeration to represent the null value for the + `Value` type union. + + The JSON representation for `NullValue` is JSON `null`. google.protobuf.StringValue: type: string description: |- 
@@ -290,54 +357,57 @@ components: description: Key Access Object containing cryptographic material and metadata for TDF decryption kas.KeyAccessRewrapResult: type: object - oneOf: + allOf: - properties: - error: + metadata: + type: object + title: metadata + additionalProperties: + title: value + $ref: '#/components/schemas/google.protobuf.Value' + description: |- + Metadata associated with this KAO result (e.g., required obligations) + Optional: May contain obligation requirements or other policy metadata + Common keys: "X-Required-Obligations" with array of obligation FQNs + keyAccessObjectId: type: string - title: error + title: key_access_object_id description: |- - Error message when rewrap failed - Present when status="fail" - Human-readable description of the failure reason - title: error - required: - - error - - properties: - kasWrappedKey: + Identifier matching the key_access_object_id from the request + Required: Always matches the ID from UnsignedRewrapRequest_WithKeyAccessObject + status: type: string - title: kas_wrapped_key - format: byte + title: status description: |- - Successfully rewrapped key encrypted with the session key - Present when status="permit" - Contains the DEK encrypted with the ephemeral session key - title: kas_wrapped_key - required: - - kasWrappedKey - properties: - metadata: - type: object - title: metadata - additionalProperties: - title: value - $ref: '#/components/schemas/google.protobuf.Value' - description: |- - Metadata associated with this KAO result (e.g., required obligations) - Optional: May contain obligation requirements or other policy metadata - Common keys: "X-Required-Obligations" with array of obligation FQNs - keyAccessObjectId: - type: string - title: key_access_object_id - description: |- - Identifier matching the key_access_object_id from the request - Required: Always matches the ID from UnsignedRewrapRequest_WithKeyAccessObject - status: - type: string - title: status - description: |- - Status of the 
rewrap operation for this KAO - Required: Always - Values: "permit" (success), "fail" (failure) + Status of the rewrap operation for this KAO + Required: Always + Values: "permit" (success), "fail" (failure) + - oneOf: + - type: object + properties: + error: + type: string + title: error + description: |- + Error message when rewrap failed + Present when status="fail" + Human-readable description of the failure reason + title: error + required: + - error + - type: object + properties: + kasWrappedKey: + type: string + title: kas_wrapped_key + format: byte + description: |- + Successfully rewrapped key encrypted with the session key + Present when status="permit" + Contains the DEK encrypted with the ephemeral session key + title: kas_wrapped_key + required: + - kasWrappedKey title: KeyAccessRewrapResult additionalProperties: false description: Result of a key access object rewrap operation 
@@ -619,63 +689,6 @@ components: title: WithPolicyRequest additionalProperties: false description: Request grouping policy with associated key access objects - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - google.protobuf.Any: - type: object - properties: - type: - type: string - value: - type: string - format: binary - debug: - type: object - additionalProperties: true - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: kas.AccessService diff --git a/docs/openapi/policy/actions/actions.openapi.yaml b/docs/openapi/policy/actions/actions.openapi.yaml index db1d5d2a32..b5c6f2c12b 100644 --- a/docs/openapi/policy/actions/actions.openapi.yaml 
+++ b/docs/openapi/policy/actions/actions.openapi.yaml @@ -2,12 +2,12 @@ openapi: 3.1.0 info: title: policy.actions paths: - /policy.actions.ActionService/GetAction: + /policy.actions.ActionService/CreateAction: post: tags: - policy.actions.ActionService - summary: GetAction - operationId: policy.actions.ActionService.GetAction + summary: CreateAction + operationId: policy.actions.ActionService.CreateAction parameters: - name: Connect-Protocol-Version in: header @@ -22,7 +22,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.GetActionRequest' + $ref: '#/components/schemas/policy.actions.CreateActionRequest' required: true responses: default: @@ -36,13 +36,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.GetActionResponse' - /policy.actions.ActionService/ListActions: + $ref: '#/components/schemas/policy.actions.CreateActionResponse' + /policy.actions.ActionService/DeleteAction: post: tags: - policy.actions.ActionService - summary: ListActions - operationId: policy.actions.ActionService.ListActions + summary: DeleteAction + operationId: policy.actions.ActionService.DeleteAction parameters: - name: Connect-Protocol-Version in: header @@ -57,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.ListActionsRequest' + $ref: '#/components/schemas/policy.actions.DeleteActionRequest' required: true responses: default: @@ -71,13 +71,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.ListActionsResponse' - /policy.actions.ActionService/CreateAction: + $ref: '#/components/schemas/policy.actions.DeleteActionResponse' + /policy.actions.ActionService/GetAction: post: tags: - policy.actions.ActionService - summary: CreateAction - operationId: policy.actions.ActionService.CreateAction + summary: GetAction + operationId: policy.actions.ActionService.GetAction parameters: - name: Connect-Protocol-Version in: header 
@@ -92,7 +92,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.CreateActionRequest' + $ref: '#/components/schemas/policy.actions.GetActionRequest' required: true responses: default: @@ -106,13 +106,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.CreateActionResponse' - /policy.actions.ActionService/UpdateAction: + $ref: '#/components/schemas/policy.actions.GetActionResponse' + /policy.actions.ActionService/ListActions: post: tags: - policy.actions.ActionService - summary: UpdateAction - operationId: policy.actions.ActionService.UpdateAction + summary: ListActions + operationId: policy.actions.ActionService.ListActions parameters: - name: Connect-Protocol-Version in: header @@ -127,7 +127,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.UpdateActionRequest' + $ref: '#/components/schemas/policy.actions.ListActionsRequest' required: true responses: default: @@ -141,13 +141,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.UpdateActionResponse' - /policy.actions.ActionService/DeleteAction: + $ref: '#/components/schemas/policy.actions.ListActionsResponse' + /policy.actions.ActionService/UpdateAction: post: tags: - policy.actions.ActionService - summary: DeleteAction - operationId: policy.actions.ActionService.DeleteAction + summary: UpdateAction + operationId: policy.actions.ActionService.UpdateAction parameters: - name: Connect-Protocol-Version in: header @@ -162,7 +162,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.DeleteActionRequest' + $ref: '#/components/schemas/policy.actions.UpdateActionRequest' required: true responses: default: 
@@ -176,84 +176,9 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.actions.DeleteActionResponse' + $ref: '#/components/schemas/policy.actions.UpdateActionResponse' components: schemas: - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether 
this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS common.Metadata: type: object properties: 
@@ -309,6 +234,82 @@ components: title: value title: LabelsEntry additionalProperties: false + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -321,8 +322,8 @@ components: google.protobuf.Timestamp: type: string examples: - - 1s - - 1.000340012s + - "2023-01-15T01:30:15.01Z" + - "2024-12-25T12:00:00Z" format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -416,41 +417,65 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - oneOf: + allOf: - properties: - custom: + id: + type: string + title: id + description: Generated uuid in database + name: type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + - oneOf: + - type: object + properties: + custom: + type: string + title: custom + description: Deprecated title: custom - description: Deprecated - title: custom - required: - - custom - - properties: - standard: + required: + - custom + - type: object + properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' - title: standard - required: - - standard - properties: - id: - type: string - title: id - description: Generated uuid in database - name: - type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' + required: + - standard title: Action additionalProperties: false description: An action an entity can take + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. 
policy.Attribute: type: object properties: @@ -507,6 +532,14 @@ components: required: - rule additionalProperties: false + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -524,7 +557,6 @@ components: type: array items: type: string - minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -540,6 +572,13 @@ components: * A Condition defines a rule of + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: @@ -576,7 +615,7 @@ components: alg: not: enum: - - 0 + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -588,6 +627,19 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: 
@@ -610,13 +662,9 @@ components: uri: type: string title: uri - description: |+ + description: | Address of a KAS instance - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -814,7 +862,8 @@ components: policy.PublicKey: type: object oneOf: - - properties: + - type: object + properties: cached: title: cached description: public key with additional information. Current preferred version @@ -822,17 +871,14 @@ components: title: cached required: - cached - - properties: + - type: object + properties: remote: type: string title: remote - description: |+ + description: | kas public key url - optional since can also be retrieved via public key - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. title: remote required: - remote 
@@ -940,6 +986,17 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: @@ -1005,6 +1062,14 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectSet: type: object properties: @@ -1078,13 +1143,9 @@ components: type: string title: name maxLength: 253 - description: |+ + description: | Required - Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case.: - ``` - this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + action_name_format // Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case. namespaceId: type: string title: namespace_id 
@@ -1140,45 +1201,44 @@ components: additionalProperties: false policy.actions.GetActionRequest: type: object - oneOf: + allOf: - properties: - id: + namespaceId: type: string - title: id + title: namespace_id format: uuid - title: id - required: - - id - - properties: - name: + description: |- + Optional namespace ID to scope name-based lookup. + If omitted for name-based lookup, action search is limited to legacy (namespace_id = NULL) actions. + namespaceFqn: type: string + title: namespace_fqn + minLength: 1 + format: uri + description: |- + Optional namespace FQN to scope name-based lookup. + If omitted for name-based lookup, action search is limited to legacy (namespace_id = NULL) actions. + - oneOf: + - type: object + properties: + id: + type: string + title: id + format: uuid + title: id + required: + - id + - type: object + properties: + name: + type: string + title: name + maxLength: 253 + description: | + action_name_format // Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case. title: name - maxLength: 253 - description: |+ - Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case.: - ``` - this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - - title: name - required: - - name - properties: - namespaceId: - type: string - title: namespace_id - format: uuid - description: |- - Optional namespace ID to scope name-based lookup. - If omitted for name-based lookup, action search is limited to legacy (namespace_id = NULL) actions. - namespaceFqn: - type: string - title: namespace_fqn - minLength: 1 - format: uri - description: |- - Optional namespace FQN to scope name-based lookup. - If omitted for name-based lookup, action search is limited to legacy (namespace_id = NULL) actions. 
+ required: + - name title: GetActionRequest additionalProperties: false policy.actions.GetActionResponse: @@ -1245,14 +1305,10 @@ components: type: string title: name maxLength: 253 - description: |+ + description: | Optional Custom actions only: replaces the existing action name - Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case.: - ``` - size(this) == 0 || this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + action_name_format // Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case. metadata: title: metadata description: Common metadata 
@@ -1273,63 +1329,6 @@ components: $ref: '#/components/schemas/policy.Action' title: UpdateActionResponse additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - google.protobuf.Any: - type: object - properties: - type: - type: string - value: - type: string - format: binary - debug: - type: object - additionalProperties: true - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.actions.ActionService diff --git a/docs/openapi/policy/attributes/attributes.openapi.yaml b/docs/openapi/policy/attributes/attributes.openapi.yaml index 1eb291ec16..bb6c0978fe 100644 --- a/docs/openapi/policy/attributes/attributes.openapi.yaml 
+++ b/docs/openapi/policy/attributes/attributes.openapi.yaml @@ -2,16 +2,13 @@ openapi: 3.1.0 info: title: policy.attributes paths: - /policy.attributes.AttributesService/ListAttributes: + /policy.attributes.AttributesService/AssignKeyAccessServerToAttribute: post: tags: - policy.attributes.AttributesService - summary: ListAttributes - description: |- - --------------------------------------* - Attribute RPCs - --------------------------------------- - operationId: policy.attributes.AttributesService.ListAttributes + summary: AssignKeyAccessServerToAttribute + description: 'Deprecated: utilize AssignPublicKeyToAttribute' + operationId: policy.attributes.AttributesService.AssignKeyAccessServerToAttribute parameters: - name: Connect-Protocol-Version in: header @@ -26,7 +23,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.ListAttributesRequest' + $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToAttributeRequest' required: true responses: default: @@ -40,16 +37,15 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.ListAttributesResponse' - /policy.attributes.AttributesService/ListAttributeValues: + $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToAttributeResponse' + deprecated: true + /policy.attributes.AttributesService/AssignKeyAccessServerToValue: post: tags: - policy.attributes.AttributesService - summary: ListAttributeValues - description: |- - Deprecated - Use GetAttribute - operationId: policy.attributes.AttributesService.ListAttributeValues + summary: AssignKeyAccessServerToValue + description: 'Deprecated: utilize AssignPublicKeyToValue' + operationId: policy.attributes.AttributesService.AssignKeyAccessServerToValue parameters: - name: Connect-Protocol-Version in: header 
@@ -64,7 +60,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.ListAttributeValuesRequest' + $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToValueRequest' required: true responses: default: @@ -78,14 +74,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.ListAttributeValuesResponse' + $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToValueResponse' deprecated: true - /policy.attributes.AttributesService/GetAttribute: + /policy.attributes.AttributesService/AssignPublicKeyToAttribute: post: tags: - policy.attributes.AttributesService - summary: GetAttribute - operationId: policy.attributes.AttributesService.GetAttribute + summary: AssignPublicKeyToAttribute + operationId: policy.attributes.AttributesService.AssignPublicKeyToAttribute parameters: - name: Connect-Protocol-Version in: header @@ -100,7 +96,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.GetAttributeRequest' + $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToAttributeRequest' required: true responses: default: @@ -114,13 +110,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.GetAttributeResponse' - /policy.attributes.AttributesService/GetAttributeValuesByFqns: + $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToAttributeResponse' + /policy.attributes.AttributesService/AssignPublicKeyToValue: post: tags: - policy.attributes.AttributesService - summary: GetAttributeValuesByFqns - operationId: policy.attributes.AttributesService.GetAttributeValuesByFqns + summary: AssignPublicKeyToValue + operationId: policy.attributes.AttributesService.AssignPublicKeyToValue parameters: - name: Connect-Protocol-Version in: header 
@@ -135,7 +131,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.GetAttributeValuesByFqnsRequest' + $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToValueRequest' required: true responses: default: @@ -149,7 +145,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.GetAttributeValuesByFqnsResponse' + $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToValueResponse' /policy.attributes.AttributesService/CreateAttribute: post: tags: @@ -185,12 +181,12 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.attributes.CreateAttributeResponse' - /policy.attributes.AttributesService/UpdateAttribute: + /policy.attributes.AttributesService/CreateAttributeValue: post: tags: - policy.attributes.AttributesService - summary: UpdateAttribute - operationId: policy.attributes.AttributesService.UpdateAttribute + summary: CreateAttributeValue + operationId: policy.attributes.AttributesService.CreateAttributeValue parameters: - name: Connect-Protocol-Version in: header @@ -205,7 +201,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.UpdateAttributeRequest' + $ref: '#/components/schemas/policy.attributes.CreateAttributeValueRequest' required: true responses: default: @@ -219,7 +215,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.UpdateAttributeResponse' + $ref: '#/components/schemas/policy.attributes.CreateAttributeValueResponse' /policy.attributes.AttributesService/DeactivateAttribute: post: tags: 
@@ -255,16 +251,12 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.attributes.DeactivateAttributeResponse' - /policy.attributes.AttributesService/GetAttributeValue: + /policy.attributes.AttributesService/DeactivateAttributeValue: post: tags: - policy.attributes.AttributesService - summary: GetAttributeValue - description: |- - --------------------------------------* - Value RPCs - --------------------------------------- - operationId: policy.attributes.AttributesService.GetAttributeValue + summary: DeactivateAttributeValue + operationId: policy.attributes.AttributesService.DeactivateAttributeValue parameters: - name: Connect-Protocol-Version in: header @@ -279,7 +271,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.GetAttributeValueRequest' + $ref: '#/components/schemas/policy.attributes.DeactivateAttributeValueRequest' required: true responses: default: @@ -293,13 +285,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.GetAttributeValueResponse' - /policy.attributes.AttributesService/CreateAttributeValue: + $ref: '#/components/schemas/policy.attributes.DeactivateAttributeValueResponse' + /policy.attributes.AttributesService/GetAttribute: post: tags: - policy.attributes.AttributesService - summary: CreateAttributeValue - operationId: policy.attributes.AttributesService.CreateAttributeValue + summary: GetAttribute + operationId: policy.attributes.AttributesService.GetAttribute parameters: - name: Connect-Protocol-Version in: header @@ -314,7 +306,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.CreateAttributeValueRequest' + $ref: '#/components/schemas/policy.attributes.GetAttributeRequest' required: true responses: default: 
@@ -328,13 +320,17 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.CreateAttributeValueResponse' - /policy.attributes.AttributesService/UpdateAttributeValue: + $ref: '#/components/schemas/policy.attributes.GetAttributeResponse' + /policy.attributes.AttributesService/GetAttributeValue: post: tags: - policy.attributes.AttributesService - summary: UpdateAttributeValue - operationId: policy.attributes.AttributesService.UpdateAttributeValue + summary: GetAttributeValue + description: |- + --------------------------------------* + Value RPCs + --------------------------------------- + operationId: policy.attributes.AttributesService.GetAttributeValue parameters: - name: Connect-Protocol-Version in: header @@ -349,7 +345,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.UpdateAttributeValueRequest' + $ref: '#/components/schemas/policy.attributes.GetAttributeValueRequest' required: true responses: default: @@ -363,13 +359,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.UpdateAttributeValueResponse' - /policy.attributes.AttributesService/DeactivateAttributeValue: + $ref: '#/components/schemas/policy.attributes.GetAttributeValueResponse' + /policy.attributes.AttributesService/GetAttributeValuesByFqns: post: tags: - policy.attributes.AttributesService - summary: DeactivateAttributeValue - operationId: policy.attributes.AttributesService.DeactivateAttributeValue + summary: GetAttributeValuesByFqns + operationId: policy.attributes.AttributesService.GetAttributeValuesByFqns parameters: - name: Connect-Protocol-Version in: header @@ -384,7 +380,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.DeactivateAttributeValueRequest' + $ref: '#/components/schemas/policy.attributes.GetAttributeValuesByFqnsRequest' required: true responses: default: 
@@ -398,14 +394,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.DeactivateAttributeValueResponse' - /policy.attributes.AttributesService/AssignKeyAccessServerToAttribute: + $ref: '#/components/schemas/policy.attributes.GetAttributeValuesByFqnsResponse' + /policy.attributes.AttributesService/ListAttributeValues: post: tags: - policy.attributes.AttributesService - summary: AssignKeyAccessServerToAttribute - description: 'Deprecated: utilize AssignPublicKeyToAttribute' - operationId: policy.attributes.AttributesService.AssignKeyAccessServerToAttribute + summary: ListAttributeValues + description: |- + Deprecated + Use GetAttribute + operationId: policy.attributes.AttributesService.ListAttributeValues parameters: - name: Connect-Protocol-Version in: header @@ -420,7 +418,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToAttributeRequest' + $ref: '#/components/schemas/policy.attributes.ListAttributeValuesRequest' required: true responses: default: @@ -434,15 +432,18 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToAttributeResponse' + $ref: '#/components/schemas/policy.attributes.ListAttributeValuesResponse' deprecated: true - /policy.attributes.AttributesService/RemoveKeyAccessServerFromAttribute: + /policy.attributes.AttributesService/ListAttributes: post: tags: - policy.attributes.AttributesService - summary: RemoveKeyAccessServerFromAttribute - description: 'Deprecated: utilize RemovePublicKeyFromAttribute' - operationId: policy.attributes.AttributesService.RemoveKeyAccessServerFromAttribute + summary: ListAttributes + description: |- + --------------------------------------* + Attribute RPCs + --------------------------------------- + operationId: policy.attributes.AttributesService.ListAttributes parameters: - name: Connect-Protocol-Version in: header 
@@ -457,7 +458,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromAttributeRequest' + $ref: '#/components/schemas/policy.attributes.ListAttributesRequest' required: true responses: default: @@ -471,15 +472,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromAttributeResponse' - deprecated: true - /policy.attributes.AttributesService/AssignKeyAccessServerToValue: + $ref: '#/components/schemas/policy.attributes.ListAttributesResponse' + /policy.attributes.AttributesService/RemoveKeyAccessServerFromAttribute: post: tags: - policy.attributes.AttributesService - summary: AssignKeyAccessServerToValue - description: 'Deprecated: utilize AssignPublicKeyToValue' - operationId: policy.attributes.AttributesService.AssignKeyAccessServerToValue + summary: RemoveKeyAccessServerFromAttribute + description: 'Deprecated: utilize RemovePublicKeyFromAttribute' + operationId: policy.attributes.AttributesService.RemoveKeyAccessServerFromAttribute parameters: - name: Connect-Protocol-Version in: header @@ -494,7 +494,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToValueRequest' + $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromAttributeRequest' required: true responses: default: @@ -508,7 +508,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToValueResponse' + $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromAttributeResponse' deprecated: true /policy.attributes.AttributesService/RemoveKeyAccessServerFromValue: post: 
@@ -547,12 +547,12 @@ paths: schema: $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromValueResponse' deprecated: true - /policy.attributes.AttributesService/AssignPublicKeyToAttribute: + /policy.attributes.AttributesService/RemovePublicKeyFromAttribute: post: tags: - policy.attributes.AttributesService - summary: AssignPublicKeyToAttribute - operationId: policy.attributes.AttributesService.AssignPublicKeyToAttribute + summary: RemovePublicKeyFromAttribute + operationId: policy.attributes.AttributesService.RemovePublicKeyFromAttribute parameters: - name: Connect-Protocol-Version in: header @@ -567,7 +567,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToAttributeRequest' + $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromAttributeRequest' required: true responses: default: @@ -581,13 +581,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToAttributeResponse' - /policy.attributes.AttributesService/RemovePublicKeyFromAttribute: + $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromAttributeResponse' + /policy.attributes.AttributesService/RemovePublicKeyFromValue: post: tags: - policy.attributes.AttributesService - summary: RemovePublicKeyFromAttribute - operationId: policy.attributes.AttributesService.RemovePublicKeyFromAttribute + summary: RemovePublicKeyFromValue + operationId: policy.attributes.AttributesService.RemovePublicKeyFromValue parameters: - name: Connect-Protocol-Version in: header @@ -602,7 +602,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromAttributeRequest' + $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromValueRequest' required: true responses: default: 
@@ -616,13 +616,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromAttributeResponse' - /policy.attributes.AttributesService/AssignPublicKeyToValue: + $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromValueResponse' + /policy.attributes.AttributesService/UpdateAttribute: post: tags: - policy.attributes.AttributesService - summary: AssignPublicKeyToValue - operationId: policy.attributes.AttributesService.AssignPublicKeyToValue + summary: UpdateAttribute + operationId: policy.attributes.AttributesService.UpdateAttribute parameters: - name: Connect-Protocol-Version in: header @@ -637,7 +637,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToValueRequest' + $ref: '#/components/schemas/policy.attributes.UpdateAttributeRequest' required: true responses: default: @@ -651,13 +651,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToValueResponse' - /policy.attributes.AttributesService/RemovePublicKeyFromValue: + $ref: '#/components/schemas/policy.attributes.UpdateAttributeResponse' + /policy.attributes.AttributesService/UpdateAttributeValue: post: tags: - policy.attributes.AttributesService - summary: RemovePublicKeyFromValue - operationId: policy.attributes.AttributesService.RemovePublicKeyFromValue + summary: UpdateAttributeValue + operationId: policy.attributes.AttributesService.UpdateAttributeValue parameters: - name: Connect-Protocol-Version in: header @@ -672,7 +672,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromValueRequest' + $ref: '#/components/schemas/policy.attributes.UpdateAttributeValueRequest' required: true responses: default: 
@@ -686,7 +686,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromValueResponse' + $ref: '#/components/schemas/policy.attributes.UpdateAttributeValueResponse' components: schemas: common.ActiveStateEnum: 
@@ -698,103 +698,14 @@ components: - ACTIVE_STATE_ENUM_INACTIVE - ACTIVE_STATE_ENUM_ANY description: 'buflint ENUM_VALUE_PREFIX: to make sure that C++ scoping rules aren''t violated when users add new enum values to an enum in a given package' - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 - policy.SortDirection: - type: string - title: SortDirection - enum: - - SORT_DIRECTION_UNSPECIFIED - - SORT_DIRECTION_ASC - - SORT_DIRECTION_DESC - 
description: |- - Sorting direction shared across list APIs. - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS - policy.attributes.SortAttributesType: - type: string - title: SortAttributesType - enum: - - SORT_ATTRIBUTES_TYPE_UNSPECIFIED - - SORT_ATTRIBUTES_TYPE_NAME - - SORT_ATTRIBUTES_TYPE_CREATED_AT - - SORT_ATTRIBUTES_TYPE_UPDATED_AT common.IdFqnIdentifier: type: object + allOf: + - oneOf: + - required: + - id + - required: + - fqn properties: id: type: string @@ -809,6 +720,12 @@ components: additionalProperties: false common.IdNameIdentifier: type: object + allOf: + - oneOf: + - required: + - id + - required: + - name properties: id: type: string 
@@ -819,12 +736,8 @@ components: title: name maxLength: 253 minLength: 1 - description: |+ - Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: - ``` - this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + description: | + name_format // Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. title: IdNameIdentifier additionalProperties: false common.Metadata: 
@@ -882,6 +795,82 @@ components: title: value title: LabelsEntry additionalProperties: false + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -894,8 +883,8 @@ components: google.protobuf.Timestamp: type: string examples: - - 1s - - 1.000340012s + - "2023-01-15T01:30:15.01Z" + - "2024-12-25T12:00:00Z" format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -989,41 +978,65 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - oneOf: + allOf: - properties: - custom: + id: + type: string + title: id + description: Generated uuid in database + name: type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + - oneOf: + - type: object + properties: + custom: + type: string + title: custom + description: Deprecated title: custom - description: Deprecated - title: custom - required: - - custom - - properties: - standard: + required: + - custom + - type: object + properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' - title: standard - required: - - standard - properties: - id: - type: string - title: id - description: Generated uuid in database - name: - type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' + required: + - standard title: Action additionalProperties: false description: An action an entity can take + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. 
policy.Attribute: type: object properties: @@ -1080,6 +1093,14 @@ components: required: - rule additionalProperties: false + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -1097,7 +1118,6 @@ components: type: array items: type: string - minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -1113,6 +1133,13 @@ components: * A Condition defines a rule of + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: @@ -1149,7 +1176,7 @@ components: alg: not: enum: - - 0 + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -1161,6 +1188,19 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: 
@@ -1183,13 +1223,9 @@ components: uri: type: string title: uri - description: |+ + description: | Address of a KAS instance - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -1387,7 +1423,8 @@ components: policy.PublicKey: type: object oneOf: - - properties: + - type: object + properties: cached: title: cached description: public key with additional information. Current preferred version @@ -1395,17 +1432,14 @@ components: title: cached required: - cached - - properties: + - type: object + properties: remote: type: string title: remote - description: |+ + description: | kas public key url - optional since can also be retrieved via public key - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. title: remote required: - remote 
@@ -1513,6 +1547,29 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - SORT_DIRECTION_ASC + - SORT_DIRECTION_DESC + description: |- + Sorting direction shared across list APIs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: @@ -1578,6 +1635,14 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectSet: type: object properties: 
@@ -1801,13 +1866,9 @@ components: type: string title: name maxLength: 253 - description: |+ + description: | Required - Attribute name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute name will be normalized to lower case.: - ``` - this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + attribute_name_format // Attribute name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute name will be normalized to lower case. rule: title: rule description: Required @@ -1818,7 +1879,6 @@ components: type: string maxLength: 253 pattern: ^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$ - uniqueItems: true title: values uniqueItems: true description: |- @@ -1864,13 +1924,9 @@ components: type: string title: value maxLength: 253 - description: |+ + description: | Required - Attribute value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute value will be normalized to lower case.: - ``` - this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + attribute_value_format // Attribute value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute value will be normalized to lower case. obligationTriggers: type: array items: 
@@ -1935,45 +1991,40 @@ components: additionalProperties: false policy.attributes.GetAttributeRequest: type: object - oneOf: + allOf: - properties: - attributeId: + id: type: string - title: attribute_id + title: id format: uuid - description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' - title: attribute_id - required: - - attributeId - - properties: - fqn: - type: string + description: 'Deprecated: utilize identifier' + deprecated: true + - oneOf: + - type: object + properties: + attributeId: + type: string + title: attribute_id + format: uuid + description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' + title: attribute_id + required: + - attributeId + - type: object + properties: + fqn: + type: string + title: fqn + minLength: 1 + format: uri title: fqn - minLength: 1 - format: uri - title: fqn - required: - - fqn - properties: - id: - type: string - title: id - format: uuid - description: 'Deprecated: utilize identifier' - deprecated: true + required: + - fqn title: GetAttributeRequest additionalProperties: false - description: |+ - Either use deprecated 'id' field or one of 'attribute_id' or 'fqn', but not both: - ``` - !(has(this.id) && (has(this.attribute_id) || has(this.fqn))) - ``` - - Either id or one of attribute_id or fqn must be set: - ``` - has(this.id) || has(this.attribute_id) || has(this.fqn) - ``` - + description: | + exclusive_fields // Either use deprecated 'id' field or one of 'attribute_id' or 'fqn', but not both + required_fields // Either id or one of attribute_id or fqn must be set policy.attributes.GetAttributeResponse: type: object properties: 
@@ -1984,48 +2035,43 @@ components: additionalProperties: false policy.attributes.GetAttributeValueRequest: type: object - oneOf: + allOf: - properties: - fqn: + id: type: string + title: id + format: uuid + description: 'Deprecated: utilize identifier' + deprecated: true + - oneOf: + - type: object + properties: + fqn: + type: string + title: fqn + minLength: 1 + format: uri title: fqn - minLength: 1 - format: uri - title: fqn - required: - - fqn - - properties: - valueId: - type: string + required: + - fqn + - type: object + properties: + valueId: + type: string + title: value_id + format: uuid + description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' title: value_id - format: uuid - description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' - title: value_id - required: - - valueId - properties: - id: - type: string - title: id - format: uuid - description: 'Deprecated: utilize identifier' - deprecated: true + required: + - valueId title: GetAttributeValueRequest additionalProperties: false - description: |+ + description: | / / Value RPC messages / - Either use deprecated 'id' field or one of 'value_id' or 'fqn', but not both: - ``` - !(has(this.id) && (has(this.value_id) || has(this.fqn))) - ``` - - Either id or one of value_id or fqn must be set: - ``` - has(this.id) || has(this.value_id) || has(this.fqn) - ``` - + exclusive_fields // Either use deprecated 'id' field or one of 'value_id' or 'fqn', but not both + required_fields // Either id or one of value_id or fqn must be set policy.attributes.GetAttributeValueResponse: type: object properties: @@ -2041,8 +2087,6 @@ components: type: array items: type: string - maxItems: 250 - minItems: 1 title: fqns maxItems: 250 minItems: 1 
@@ -2240,6 +2284,14 @@ components: $ref: '#/components/schemas/policy.attributes.ValueKey' title: RemovePublicKeyFromValueResponse additionalProperties: false + policy.attributes.SortAttributesType: + type: string + title: SortAttributesType + enum: + - SORT_ATTRIBUTES_TYPE_UNSPECIFIED + - SORT_ATTRIBUTES_TYPE_NAME + - SORT_ATTRIBUTES_TYPE_CREATED_AT + - SORT_ATTRIBUTES_TYPE_UPDATED_AT policy.attributes.UpdateAttributeRequest: type: object properties: 
@@ -2325,63 +2377,6 @@ components: description: Required title: ValueKeyAccessServer additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - google.protobuf.Any: - type: object - properties: - type: - type: string - value: - type: string - format: binary - debug: - type: object - additionalProperties: true - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.attributes.AttributesService diff --git a/docs/openapi/policy/definitionvalueentitlement/definition_value_entitlement.openapi.yaml b/docs/openapi/policy/definitionvalueentitlement/definition_value_entitlement.openapi.yaml deleted file mode 100644 index 34935a878e..0000000000 
--- a/docs/openapi/policy/definitionvalueentitlement/definition_value_entitlement.openapi.yaml +++ /dev/null 
@@ -1,1472 +0,0 @@ -openapi: 3.1.0 -info: - title: policy.definitionvalueentitlement -paths: - /policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/ListDefinitionValueEntitlementMappings: - post: - tags: - - policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService - summary: ListDefinitionValueEntitlementMappings - operationId: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.ListDefinitionValueEntitlementMappings - parameters: - - name: Connect-Protocol-Version - in: header - required: true - schema: - $ref: '#/components/schemas/connect-protocol-version' - - name: Connect-Timeout-Ms - in: header - schema: - $ref: '#/components/schemas/connect-timeout-header' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest' - required: true - responses: - default: - description: Error - content: - application/json: - schema: - $ref: '#/components/schemas/connect.error' - "200": - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse' - /policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/GetDefinitionValueEntitlementMapping: - post: - tags: - - policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService - summary: GetDefinitionValueEntitlementMapping - operationId: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.GetDefinitionValueEntitlementMapping - parameters: - - name: Connect-Protocol-Version - in: header - required: true - schema: - $ref: '#/components/schemas/connect-protocol-version' - - name: Connect-Timeout-Ms - in: header - schema: - $ref: '#/components/schemas/connect-timeout-header' - requestBody: - content: - application/json: - schema: - $ref: 
'#/components/schemas/policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest' - required: true - responses: - default: - description: Error - content: - application/json: - schema: - $ref: '#/components/schemas/connect.error' - "200": - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse' - /policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/CreateDefinitionValueEntitlementMapping: - post: - tags: - - policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService - summary: CreateDefinitionValueEntitlementMapping - operationId: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.CreateDefinitionValueEntitlementMapping - parameters: - - name: Connect-Protocol-Version - in: header - required: true - schema: - $ref: '#/components/schemas/connect-protocol-version' - - name: Connect-Timeout-Ms - in: header - schema: - $ref: '#/components/schemas/connect-timeout-header' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest' - required: true - responses: - default: - description: Error - content: - application/json: - schema: - $ref: '#/components/schemas/connect.error' - "200": - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse' - /policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/UpdateDefinitionValueEntitlementMapping: - post: - tags: - - policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService - summary: UpdateDefinitionValueEntitlementMapping - operationId: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.UpdateDefinitionValueEntitlementMapping - parameters: - - name: 
Connect-Protocol-Version - in: header - required: true - schema: - $ref: '#/components/schemas/connect-protocol-version' - - name: Connect-Timeout-Ms - in: header - schema: - $ref: '#/components/schemas/connect-timeout-header' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest' - required: true - responses: - default: - description: Error - content: - application/json: - schema: - $ref: '#/components/schemas/connect.error' - "200": - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse' - /policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/DeleteDefinitionValueEntitlementMapping: - post: - tags: - - policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService - summary: DeleteDefinitionValueEntitlementMapping - operationId: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.DeleteDefinitionValueEntitlementMapping - parameters: - - name: Connect-Protocol-Version - in: header - required: true - schema: - $ref: '#/components/schemas/connect-protocol-version' - - name: Connect-Timeout-Ms - in: header - schema: - $ref: '#/components/schemas/connect-timeout-header' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest' - required: true - responses: - default: - description: Error - content: - application/json: - schema: - $ref: '#/components/schemas/connect.error' - "200": - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse' -components: - schemas: - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - 
METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR - policy.DynamicValueOperatorEnum: - type: string - title: DynamicValueOperatorEnum - enum: - - DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED - - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN - - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS - description: |- - Operators for dynamic, definition-level value entitlement. Unlike - SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into - policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's - attribute value segment, supplied at decision time. Each value is the inversion of its - static SubjectMappingOperatorEnum counterpart. 
- policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 - policy.SortDirection: - type: string - title: SortDirection - enum: - - SORT_DIRECTION_UNSPECIFIED - - SORT_DIRECTION_ASC - - SORT_DIRECTION_DESC - description: |- - Sorting direction shared across list APIs. - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. 
- policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS - policy.definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType: - type: string - title: SortDefinitionValueEntitlementMappingsType - enum: - - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED - - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT - - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT - common.Metadata: - type: object - properties: - createdAt: - title: created_at - description: created_at set by server (entity who created will recorded in an audit event) - $ref: '#/components/schemas/google.protobuf.Timestamp' - updatedAt: - title: updated_at - description: updated_at set by server (entity who updated will recorded in an audit event) - $ref: '#/components/schemas/google.protobuf.Timestamp' - labels: - type: object - title: labels - additionalProperties: - type: string - title: value - description: optional short description - title: Metadata - additionalProperties: false - description: Struct to uniquely identify a resource with optional additional metadata - common.Metadata.LabelsEntry: - type: object - properties: - key: - type: string - title: key - value: - type: string - title: value - title: LabelsEntry - additionalProperties: false - common.MetadataMutable: - type: object - properties: - labels: - type: object - title: labels - additionalProperties: - type: string - title: value - description: optional labels - title: MetadataMutable - additionalProperties: false - common.MetadataMutable.LabelsEntry: - type: object - properties: - key: - type: string - title: key - value: - type: string - title: value - title: LabelsEntry - additionalProperties: false - google.protobuf.BoolValue: - type: boolean - description: |- - Wrapper message for 
`bool`. - - The JSON representation for `BoolValue` is JSON `true` and `false`. - - Not recommended for use in new APIs, but still useful for legacy APIs and - has no plan to be removed. - google.protobuf.Timestamp: - type: string - examples: - - 1s - - 1.000340012s - format: date-time - description: |- - A Timestamp represents a point in time independent of any time zone or local - calendar, encoded as a count of seconds and fractions of seconds at - nanosecond resolution. The count is relative to an epoch at UTC midnight on - January 1, 1970, in the proleptic Gregorian calendar which extends the - Gregorian calendar backwards to year one. - - All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap - second table is needed for interpretation, using a [24-hour linear - smear](https://developers.google.com/time/smear). - - The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By - restricting to that range, we ensure that we can convert to and from [RFC - 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. - - # Examples - - Example 1: Compute Timestamp from POSIX `time()`. - - Timestamp timestamp; - timestamp.set_seconds(time(NULL)); - timestamp.set_nanos(0); - - Example 2: Compute Timestamp from POSIX `gettimeofday()`. - - struct timeval tv; - gettimeofday(&tv, NULL); - - Timestamp timestamp; - timestamp.set_seconds(tv.tv_sec); - timestamp.set_nanos(tv.tv_usec * 1000); - - Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. - - FILETIME ft; - GetSystemTimeAsFileTime(&ft); - UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; - - // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z - // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. 
- Timestamp timestamp; - timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); - timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); - - Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. - - long millis = System.currentTimeMillis(); - - Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) - .setNanos((int) ((millis % 1000) * 1000000)).build(); - - Example 5: Compute Timestamp from Java `Instant.now()`. - - Instant now = Instant.now(); - - Timestamp timestamp = - Timestamp.newBuilder().setSeconds(now.getEpochSecond()) - .setNanos(now.getNano()).build(); - - Example 6: Compute Timestamp from current time in Python. - - timestamp = Timestamp() - timestamp.GetCurrentTime() - - # JSON Mapping - - In JSON format, the Timestamp type is encoded as a string in the - [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the - format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" - where {year} is always expressed using four digits while {month}, {day}, - {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional - seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), - are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone - is required. A proto3 JSON serializer should always use UTC (as indicated by - "Z") when printing the Timestamp type and a proto3 JSON parser should be - able to accept both UTC and other timezones (as indicated by an offset). - - For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past - 01:30 UTC on January 15, 2017. - - In JavaScript, one can convert a Date object to this format using the - standard - [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) - method. 
In Python, a standard `datetime.datetime` object can be converted - to this format using - [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with - the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use - the Joda Time's [`ISODateTimeFormat.dateTime()`]( - http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() - ) to obtain a formatter capable of generating timestamps in this format. - policy.Action: - type: object - oneOf: - - properties: - custom: - type: string - title: custom - description: Deprecated - title: custom - required: - - custom - - properties: - standard: - title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' - title: standard - required: - - standard - properties: - id: - type: string - title: id - description: Generated uuid in database - name: - type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - title: Action - additionalProperties: false - description: An action an entity can take - policy.Attribute: - type: object - properties: - id: - type: string - title: id - namespace: - title: namespace - description: namespace of the attribute - $ref: '#/components/schemas/policy.Namespace' - name: - type: string - title: name - description: attribute name - rule: - title: rule - description: attribute rule enum - $ref: '#/components/schemas/policy.AttributeRuleTypeEnum' - values: - type: array - items: - $ref: '#/components/schemas/policy.Value' - title: values - grants: - type: array - items: - $ref: '#/components/schemas/policy.KeyAccessServer' - title: grants - description: Deprecated KAS grants for the attribute. Use kas_keys instead. 
- fqn: - type: string - title: fqn - active: - title: active - description: active by default until explicitly deactivated - $ref: '#/components/schemas/google.protobuf.BoolValue' - kasKeys: - type: array - items: - $ref: '#/components/schemas/policy.SimpleKasKey' - title: kas_keys - description: Keys associated with the attribute - allowTraversal: - title: allow_traversal - description: |- - Whether or not we will use the attribute definition during encryption - if the attribute value is missing. - $ref: '#/components/schemas/google.protobuf.BoolValue' - metadata: - title: metadata - description: Common metadata - $ref: '#/components/schemas/common.Metadata' - title: Attribute - required: - - rule - additionalProperties: false - policy.Condition: - type: object - properties: - subjectExternalSelectorValue: - type: string - title: subject_external_selector_value - description: |- - a selector for a field value on a flattened Entity Representation (such as - from idP/LDAP) - operator: - title: operator - description: the evaluation operator of relation - $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum' - subjectExternalValues: - type: array - items: - type: string - minItems: 1 - title: subject_external_values - minItems: 1 - description: |- - list of comparison values for the result of applying the - subject_external_selector_value on a flattened Entity Representation - (Subject), evaluated by the operator - title: Condition - required: - - subjectExternalSelectorValue - - operator - additionalProperties: false - description: |- - * - A Condition defines a rule of - policy.ConditionGroup: - type: object - properties: - conditions: - type: array - items: - $ref: '#/components/schemas/policy.Condition' - title: conditions - minItems: 1 - booleanOperator: - title: boolean_operator - description: the boolean evaluation type across the conditions - $ref: '#/components/schemas/policy.ConditionBooleanTypeEnum' - title: ConditionGroup - required: - - 
booleanOperator - additionalProperties: false - description: A collection of Conditions evaluated by the boolean_operator provided - policy.DefinitionValueEntitlementMapping: - type: object - properties: - id: - type: string - title: id - attributeDefinition: - title: attribute_definition - description: the Attribute Definition whose values are entitled dynamically - $ref: '#/components/schemas/policy.Attribute' - valueResolver: - title: value_resolver - description: the dynamic resolver matched against the requested resource value segment - $ref: '#/components/schemas/policy.DefinitionValueResolver' - subjectConditionSet: - title: subject_condition_set - description: |- - optional static pre-gate on the entity, evaluated with normal SubjectConditionSet - semantics (no dynamic overload). When present, both the gate and the resolver must - pass for entitlement. - $ref: '#/components/schemas/policy.SubjectConditionSet' - actions: - type: array - items: - $ref: '#/components/schemas/policy.Action' - title: actions - description: the actions permitted by subjects in this mapping - namespace: - title: namespace - description: the namespace containing this mapping - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - title: DefinitionValueEntitlementMapping - additionalProperties: false - description: |- - Definition Value Entitlement Mapping: a Policy assigning permitted action(s) to - dynamically-requested values under an Attribute Definition. It raises entitlement - authority from a concrete Attribute Value to the Attribute Definition: at decision time - the value_resolver compares the requested resource value segment against the entity - representation, avoiding pre-provisioning a value + subject mapping per discrete value. 
- policy.DefinitionValueResolver: - type: object - properties: - subjectExternalSelectorValue: - type: string - title: subject_external_selector_value - description: |- - a selector for a field value on a flattened Entity Representation (such as from - idP/LDAP), e.g. ".patientAssignments[]" - operator: - title: operator - description: the dynamic operator comparing the selector result to the resource value segment - $ref: '#/components/schemas/policy.DynamicValueOperatorEnum' - title: DefinitionValueResolver - required: - - subjectExternalSelectorValue - - operator - additionalProperties: false - description: |- - Definition Value Resolver: the dynamic half of a DefinitionValueEntitlementMapping. It - resolves a selector against the entity representation and compares the result to the - requested resource value segment using a DynamicValueOperatorEnum. - policy.KasPublicKey: - type: object - properties: - pem: - type: string - title: pem - maxLength: 8192 - minLength: 1 - description: x509 ASN.1 content in PEM envelope, usually - kid: - type: string - title: kid - maxLength: 32 - minLength: 1 - description: A unique string identifier for this key - alg: - not: - enum: - - 0 - title: alg - description: |- - A known algorithm type with any additional parameters encoded. - To start, these may be `rsa:2048` for RSA-based wrapping and - `ec:secp256r1` for EC-based wrapping, but more formats may be added as needed. 
- $ref: '#/components/schemas/policy.KasPublicKeyAlgEnum' - title: KasPublicKey - additionalProperties: false - description: |- - Deprecated - A KAS public key and some associated metadata for further identifcation - policy.KasPublicKeySet: - type: object - properties: - keys: - type: array - items: - $ref: '#/components/schemas/policy.KasPublicKey' - title: keys - title: KasPublicKeySet - additionalProperties: false - description: |- - Deprecated - A list of known KAS public keys - policy.KeyAccessServer: - type: object - properties: - id: - type: string - title: id - uri: - type: string - title: uri - description: |+ - Address of a KAS instance - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') - ``` - - publicKey: - title: public_key - description: 'Deprecated: KAS can have multiple key pairs' - $ref: '#/components/schemas/policy.PublicKey' - sourceType: - title: source_type - description: 'The source of the KAS: (INTERNAL, EXTERNAL)' - $ref: '#/components/schemas/policy.SourceType' - kasKeys: - type: array - items: - $ref: '#/components/schemas/policy.SimpleKasKey' - title: kas_keys - description: Kas keys associated with this KAS - name: - type: string - title: name - description: |- - Optional - Unique name of the KAS instance - metadata: - title: metadata - description: Common metadata - $ref: '#/components/schemas/common.Metadata' - title: KeyAccessServer - additionalProperties: false - description: Key Access Server Registry - policy.Namespace: - type: object - properties: - id: - type: string - title: id - description: generated uuid in database - name: - type: string - title: name - description: |- - used to partition Attribute Definitions, support by 
namespace AuthN and - enable federation - fqn: - type: string - title: fqn - active: - title: active - description: active by default until explicitly deactivated - $ref: '#/components/schemas/google.protobuf.BoolValue' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - grants: - type: array - items: - $ref: '#/components/schemas/policy.KeyAccessServer' - title: grants - description: Deprecated KAS grants for the namespace. Use kas_keys instead. - kasKeys: - type: array - items: - $ref: '#/components/schemas/policy.SimpleKasKey' - title: kas_keys - description: Keys for the namespace - title: Namespace - additionalProperties: false - policy.Obligation: - type: object - properties: - id: - type: string - title: id - namespace: - title: namespace - $ref: '#/components/schemas/policy.Namespace' - name: - type: string - title: name - values: - type: array - items: - $ref: '#/components/schemas/policy.ObligationValue' - title: values - fqn: - type: string - title: fqn - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - title: Obligation - additionalProperties: false - policy.ObligationTrigger: - type: object - properties: - id: - type: string - title: id - obligationValue: - title: obligation_value - $ref: '#/components/schemas/policy.ObligationValue' - action: - title: action - $ref: '#/components/schemas/policy.Action' - attributeValue: - title: attribute_value - $ref: '#/components/schemas/policy.Value' - context: - type: array - items: - $ref: '#/components/schemas/policy.RequestContext' - title: context - namespace: - title: namespace - description: The source namespace for this trigger, derived from the attribute value and action. 
- $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - title: ObligationTrigger - additionalProperties: false - policy.ObligationValue: - type: object - properties: - id: - type: string - title: id - obligation: - title: obligation - $ref: '#/components/schemas/policy.Obligation' - value: - type: string - title: value - triggers: - type: array - items: - $ref: '#/components/schemas/policy.ObligationTrigger' - title: triggers - fqn: - type: string - title: fqn - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - title: ObligationValue - additionalProperties: false - policy.PageRequest: - type: object - properties: - limit: - type: integer - title: limit - format: int32 - description: |- - Optional - Set to configured default limit if not provided - Maximum limit set in platform config and enforced by services - offset: - type: integer - title: offset - format: int32 - description: |- - Optional - Defaulted if not provided - title: PageRequest - additionalProperties: false - policy.PageResponse: - type: object - properties: - currentOffset: - type: integer - title: current_offset - format: int32 - description: Requested pagination offset - nextOffset: - type: integer - title: next_offset - format: int32 - description: |- - Calculated with request limit + offset or defaults - Empty when none remain after current page - total: - type: integer - title: total - format: int32 - description: Total count of entire list - title: PageResponse - additionalProperties: false - policy.PolicyEnforcementPoint: - type: object - properties: - clientId: - type: string - title: client_id - minLength: 1 - title: PolicyEnforcementPoint - additionalProperties: false - policy.PublicKey: - type: object - oneOf: - - properties: - cached: - title: cached - description: public key with additional information. 
Current preferred version - $ref: '#/components/schemas/policy.KasPublicKeySet' - title: cached - required: - - cached - - properties: - remote: - type: string - title: remote - description: |+ - kas public key url - optional since can also be retrieved via public key - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') - ``` - - title: remote - required: - - remote - title: PublicKey - additionalProperties: false - description: Deprecated - policy.RequestContext: - type: object - properties: - pep: - title: pep - $ref: '#/components/schemas/policy.PolicyEnforcementPoint' - title: RequestContext - required: - - pep - additionalProperties: false - description: Holds the context needed for obligation fulfillment - policy.ResourceMapping: - type: object - properties: - id: - type: string - title: id - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - attributeValue: - title: attribute_value - $ref: '#/components/schemas/policy.Value' - terms: - type: array - items: - type: string - title: terms - group: - title: group - $ref: '#/components/schemas/policy.ResourceMappingGroup' - title: ResourceMapping - required: - - attributeValue - additionalProperties: false - description: |- - Resource Mappings (aka Access Control Resource Encodings aka ACRE) are - structures supporting the mapping of Resources and Attribute Values - policy.ResourceMappingGroup: - type: object - properties: - id: - type: string - title: id - namespaceId: - type: string - title: namespace_id - description: the namespace containing the group of resource mappings - name: - type: string - title: name - description: |- - the common name for the group of resource mappings, which must be 
unique - per namespace - fqn: - type: string - title: fqn - description: the fully qualified name of the resource mapping group - metadata: - title: metadata - description: Common metadata - $ref: '#/components/schemas/common.Metadata' - title: ResourceMappingGroup - required: - - namespaceId - - name - additionalProperties: false - description: |- - Resource Mapping Groups are namespaced collections of Resource Mappings - associated under a common group name. - policy.SimpleKasKey: - type: object - properties: - kasUri: - type: string - title: kas_uri - description: The URL of the Key Access Server - publicKey: - title: public_key - description: The public key of the Key that belongs to the KAS - $ref: '#/components/schemas/policy.SimpleKasPublicKey' - kasId: - type: string - title: kas_id - description: The ID of the Key Access Server - title: SimpleKasKey - additionalProperties: false - policy.SimpleKasPublicKey: - type: object - properties: - algorithm: - title: algorithm - $ref: '#/components/schemas/policy.Algorithm' - kid: - type: string - title: kid - pem: - type: string - title: pem - title: SimpleKasPublicKey - additionalProperties: false - policy.SubjectConditionSet: - type: object - properties: - id: - type: string - title: id - namespace: - title: namespace - description: |- - the namespace containing this subject condition set - possible this is empty in the case a subject condition set - has not been migrated to a namespace. - $ref: '#/components/schemas/policy.Namespace' - subjectSets: - type: array - items: - $ref: '#/components/schemas/policy.SubjectSet' - title: subject_sets - minItems: 1 - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - title: SubjectConditionSet - additionalProperties: false - description: |- - A container for multiple Subject Sets, each containing Condition Groups, each - containing Conditions. Multiple Subject Sets in a SubjectConditionSet are - evaluated with AND logic. 
As each Subject Mapping has only one Attribute - Value, the SubjectConditionSet is reusable across multiple Subject Mappings / - Attribute Values and is an independent unit. - policy.SubjectMapping: - type: object - properties: - id: - type: string - title: id - attributeValue: - title: attribute_value - description: 'the Attribute Value mapped to; aka: "The Entity Entitlement Attribute"' - $ref: '#/components/schemas/policy.Value' - subjectConditionSet: - title: subject_condition_set - description: the reusable SubjectConditionSet mapped to the given Attribute Value - $ref: '#/components/schemas/policy.SubjectConditionSet' - actions: - type: array - items: - $ref: '#/components/schemas/policy.Action' - title: actions - description: The actions permitted by subjects in this mapping - namespace: - title: namespace - description: |- - the namespace containing this subject mapping - possible this is empty. If so that means - the Subject Mapping has not been migrated to a namespace. - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - title: SubjectMapping - additionalProperties: false - description: |- - Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute - value + action(s) combination - policy.SubjectSet: - type: object - properties: - conditionGroups: - type: array - items: - $ref: '#/components/schemas/policy.ConditionGroup' - title: condition_groups - minItems: 1 - description: multiple Condition Groups are evaluated with AND logic - title: SubjectSet - additionalProperties: false - description: A collection of Condition Groups - policy.Value: - type: object - properties: - id: - type: string - title: id - description: generated uuid in database - attribute: - title: attribute - $ref: '#/components/schemas/policy.Attribute' - value: - type: string - title: value - grants: - type: array - items: - $ref: '#/components/schemas/policy.KeyAccessServer' - title: grants - 
description: Deprecated KAS grants for the value. Use kas_keys instead. - fqn: - type: string - title: fqn - active: - title: active - description: active by default until explicitly deactivated - $ref: '#/components/schemas/google.protobuf.BoolValue' - subjectMappings: - type: array - items: - $ref: '#/components/schemas/policy.SubjectMapping' - title: subject_mappings - description: subject mapping - kasKeys: - type: array - items: - $ref: '#/components/schemas/policy.SimpleKasKey' - title: kas_keys - resourceMappings: - type: array - items: - $ref: '#/components/schemas/policy.ResourceMapping' - title: resource_mappings - obligations: - type: array - items: - $ref: '#/components/schemas/policy.Obligation' - title: obligations - metadata: - title: metadata - description: Common metadata - $ref: '#/components/schemas/common.Metadata' - title: Value - additionalProperties: false - policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest: - type: object - properties: - attributeDefinitionId: - type: string - title: attribute_definition_id - description: |+ - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - - attributeDefinitionFqn: - type: string - title: attribute_definition_fqn - format: uri - valueResolver: - title: value_resolver - description: 'Required: the dynamic resolver comparing entity selector result to the resource value segment' - $ref: '#/components/schemas/policy.DefinitionValueResolver' - actions: - type: array - items: - $ref: '#/components/schemas/policy.Action' - title: actions - minItems: 1 - description: |+ - Required: actions permitted on a matched value - Action name or ID must not be empty if provided: - ``` - this.all(item, item.name != '' || item.id != '') - ``` - - existingSubjectConditionSetId: - type: string - title: existing_subject_condition_set_id - description: |+ - Optional static pre-gate. 
Reuse an existing SubjectConditionSet (prioritized) ... - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - - newSubjectConditionSet: - title: new_subject_condition_set - description: '... or create a new one (ignored if existing_subject_condition_set_id is provided)' - $ref: '#/components/schemas/policy.subjectmapping.SubjectConditionSetCreate' - namespaceId: - type: string - title: namespace_id - description: |+ - Optional: namespace ID or FQN for the mapping - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - - namespaceFqn: - type: string - title: namespace_fqn - format: uri - metadata: - title: metadata - description: Optional - $ref: '#/components/schemas/common.MetadataMutable' - title: CreateDefinitionValueEntitlementMappingRequest - required: - - valueResolver - additionalProperties: false - policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse: - type: object - properties: - definitionValueEntitlementMapping: - title: definition_value_entitlement_mapping - $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' - title: CreateDefinitionValueEntitlementMappingResponse - additionalProperties: false - policy.definitionvalueentitlement.DefinitionValueEntitlementMappingsSort: - type: object - properties: - field: - title: field - $ref: '#/components/schemas/policy.definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType' - direction: - title: direction - $ref: '#/components/schemas/policy.SortDirection' - title: DefinitionValueEntitlementMappingsSort - additionalProperties: false - policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest: - type: object - properties: - id: - type: string - title: id - format: uuid - description: Required - title: 
DeleteDefinitionValueEntitlementMappingRequest - additionalProperties: false - policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse: - type: object - properties: - definitionValueEntitlementMapping: - title: definition_value_entitlement_mapping - description: Only ID of the deleted mapping provided - $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' - title: DeleteDefinitionValueEntitlementMappingResponse - additionalProperties: false - policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest: - type: object - properties: - id: - type: string - title: id - format: uuid - description: Required - title: GetDefinitionValueEntitlementMappingRequest - additionalProperties: false - policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse: - type: object - properties: - definitionValueEntitlementMapping: - title: definition_value_entitlement_mapping - $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' - title: GetDefinitionValueEntitlementMappingResponse - additionalProperties: false - policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest: - type: object - properties: - namespaceId: - type: string - title: namespace_id - description: |+ - Optional - Namespace ID or FQN, or Attribute Definition ID or FQN to filter by - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - - attributeDefinitionId: - type: string - title: attribute_definition_id - description: |+ - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - - pagination: - title: pagination - description: Optional - $ref: '#/components/schemas/policy.PageRequest' - sort: - type: array - items: - $ref: 
'#/components/schemas/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingsSort' - title: sort - maxItems: 1 - description: 'Optional - CONSTRAINT: max 1 item' - title: ListDefinitionValueEntitlementMappingsRequest - additionalProperties: false - policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse: - type: object - properties: - definitionValueEntitlementMappings: - type: array - items: - $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' - title: definition_value_entitlement_mappings - pagination: - title: pagination - $ref: '#/components/schemas/policy.PageResponse' - title: ListDefinitionValueEntitlementMappingsResponse - additionalProperties: false - policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest: - type: object - properties: - id: - type: string - title: id - format: uuid - description: Required - valueResolver: - title: value_resolver - description: 'Optional: replace the dynamic resolver' - $ref: '#/components/schemas/policy.DefinitionValueResolver' - subjectConditionSetId: - type: string - title: subject_condition_set_id - description: |+ - Optional: replace the static pre-gate SubjectConditionSet by id - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - - actions: - type: array - items: - $ref: '#/components/schemas/policy.Action' - title: actions - description: |+ - Optional: replace the entire list of actions - Action name or ID must not be empty if provided: - ``` - this.size() == 0 || this.all(item, item.name != '' || item.id != '') - ``` - - metadata: - title: metadata - description: Common metadata - $ref: '#/components/schemas/common.MetadataMutable' - metadataUpdateBehavior: - title: metadata_update_behavior - $ref: '#/components/schemas/common.MetadataUpdateEnum' - title: UpdateDefinitionValueEntitlementMappingRequest - 
additionalProperties: false - policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse: - type: object - properties: - definitionValueEntitlementMapping: - title: definition_value_entitlement_mapping - $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' - title: UpdateDefinitionValueEntitlementMappingResponse - additionalProperties: false - policy.subjectmapping.SubjectConditionSetCreate: - type: object - properties: - subjectSets: - type: array - items: - $ref: '#/components/schemas/policy.SubjectSet' - title: subject_sets - minItems: 1 - description: Required - metadata: - title: metadata - description: |- - Optional - Common metadata - $ref: '#/components/schemas/common.MetadataMutable' - title: SubjectConditionSetCreate - additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. 
- detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - google.protobuf.Any: - type: object - properties: - type: - type: string - value: - type: string - format: binary - debug: - type: object - additionalProperties: true - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. -security: [] -tags: - - name: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService diff --git a/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml b/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml index a3eb12f037..8d9f785054 100644 --- a/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml +++ b/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml @@ -2,12 +2,15 @@ openapi: 3.1.0 info: title: policy.kasregistry paths: - /policy.kasregistry.KeyAccessServerRegistryService/ListKeyAccessServers: + /policy.kasregistry.KeyAccessServerRegistryService/CreateKey: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: ListKeyAccessServers - operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers + summary: CreateKey + description: |- + KAS Key Management + Request to create a new key in the Key Access Service. + operationId: policy.kasregistry.KeyAccessServerRegistryService.CreateKey parameters: - name: Connect-Protocol-Version in: header @@ -22,7 +25,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServersRequest' + $ref: '#/components/schemas/policy.kasregistry.CreateKeyRequest' required: true responses: default: 
@@ -36,13 +39,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServersResponse' - /policy.kasregistry.KeyAccessServerRegistryService/GetKeyAccessServer: + $ref: '#/components/schemas/policy.kasregistry.CreateKeyResponse' + /policy.kasregistry.KeyAccessServerRegistryService/CreateKeyAccessServer: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: GetKeyAccessServer - operationId: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer + summary: CreateKeyAccessServer + operationId: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer parameters: - name: Connect-Protocol-Version in: header @@ -57,7 +60,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.GetKeyAccessServerRequest' + $ref: '#/components/schemas/policy.kasregistry.CreateKeyAccessServerRequest' required: true responses: default: @@ -71,13 +74,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.GetKeyAccessServerResponse' - /policy.kasregistry.KeyAccessServerRegistryService/CreateKeyAccessServer: + $ref: '#/components/schemas/policy.kasregistry.CreateKeyAccessServerResponse' + /policy.kasregistry.KeyAccessServerRegistryService/DeleteKeyAccessServer: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: CreateKeyAccessServer - operationId: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer + summary: DeleteKeyAccessServer + operationId: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer parameters: - name: Connect-Protocol-Version in: header @@ -92,7 +95,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.CreateKeyAccessServerRequest' + $ref: '#/components/schemas/policy.kasregistry.DeleteKeyAccessServerRequest' required: true responses: default: 
@@ -106,13 +109,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.CreateKeyAccessServerResponse' - /policy.kasregistry.KeyAccessServerRegistryService/UpdateKeyAccessServer: + $ref: '#/components/schemas/policy.kasregistry.DeleteKeyAccessServerResponse' + /policy.kasregistry.KeyAccessServerRegistryService/GetBaseKey: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: UpdateKeyAccessServer - operationId: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer + summary: GetBaseKey + description: Get Default kas keys + operationId: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey parameters: - name: Connect-Protocol-Version in: header @@ -127,7 +131,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.UpdateKeyAccessServerRequest' + $ref: '#/components/schemas/policy.kasregistry.GetBaseKeyRequest' required: true responses: default: @@ -141,13 +145,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.UpdateKeyAccessServerResponse' - /policy.kasregistry.KeyAccessServerRegistryService/DeleteKeyAccessServer: + $ref: '#/components/schemas/policy.kasregistry.GetBaseKeyResponse' + /policy.kasregistry.KeyAccessServerRegistryService/GetKey: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: DeleteKeyAccessServer - operationId: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer + summary: GetKey + description: Request to retrieve a key from the Key Access Service. + operationId: policy.kasregistry.KeyAccessServerRegistryService.GetKey parameters: - name: Connect-Protocol-Version in: header @@ -162,7 +167,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.DeleteKeyAccessServerRequest' + $ref: '#/components/schemas/policy.kasregistry.GetKeyRequest' required: true responses: default: 
@@ -176,14 +181,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.DeleteKeyAccessServerResponse' - /policy.kasregistry.KeyAccessServerRegistryService/ListKeyAccessServerGrants: + $ref: '#/components/schemas/policy.kasregistry.GetKeyResponse' + /policy.kasregistry.KeyAccessServerRegistryService/GetKeyAccessServer: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: ListKeyAccessServerGrants - description: Deprecated - operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants + summary: GetKeyAccessServer + operationId: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer parameters: - name: Connect-Protocol-Version in: header @@ -198,7 +202,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServerGrantsRequest' + $ref: '#/components/schemas/policy.kasregistry.GetKeyAccessServerRequest' required: true responses: default: @@ -212,17 +216,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServerGrantsResponse' - deprecated: true - /policy.kasregistry.KeyAccessServerRegistryService/CreateKey: + $ref: '#/components/schemas/policy.kasregistry.GetKeyAccessServerResponse' + /policy.kasregistry.KeyAccessServerRegistryService/ListKeyAccessServerGrants: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: CreateKey - description: |- - KAS Key Management - Request to create a new key in the Key Access Service. - operationId: policy.kasregistry.KeyAccessServerRegistryService.CreateKey + summary: ListKeyAccessServerGrants + description: Deprecated + operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants parameters: - name: Connect-Protocol-Version in: header 
@@ -237,7 +238,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.CreateKeyRequest' + $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServerGrantsRequest' required: true responses: default: @@ -251,14 +252,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.CreateKeyResponse' - /policy.kasregistry.KeyAccessServerRegistryService/GetKey: + $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServerGrantsResponse' + deprecated: true + /policy.kasregistry.KeyAccessServerRegistryService/ListKeyAccessServers: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: GetKey - description: Request to retrieve a key from the Key Access Service. - operationId: policy.kasregistry.KeyAccessServerRegistryService.GetKey + summary: ListKeyAccessServers + operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers parameters: - name: Connect-Protocol-Version in: header @@ -273,7 +274,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.GetKeyRequest' + $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServersRequest' required: true responses: default: 
@@ -287,14 +288,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.GetKeyResponse' - /policy.kasregistry.KeyAccessServerRegistryService/ListKeys: + $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServersResponse' + /policy.kasregistry.KeyAccessServerRegistryService/ListKeyMappings: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: ListKeys - description: Request to list keys in the Key Access Service. - operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeys + summary: ListKeyMappings + description: Request to list key mappings in the Key Access Service. + operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyMappings parameters: - name: Connect-Protocol-Version in: header @@ -309,7 +310,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeysRequest' + $ref: '#/components/schemas/policy.kasregistry.ListKeyMappingsRequest' required: true responses: default: @@ -323,14 +324,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeysResponse' - /policy.kasregistry.KeyAccessServerRegistryService/UpdateKey: + $ref: '#/components/schemas/policy.kasregistry.ListKeyMappingsResponse' + /policy.kasregistry.KeyAccessServerRegistryService/ListKeys: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: UpdateKey - description: Request to update a key in the Key Access Service. - operationId: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey + summary: ListKeys + description: Request to list keys in the Key Access Service. + operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeys parameters: - name: Connect-Protocol-Version in: header 
@@ -345,7 +346,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.UpdateKeyRequest' + $ref: '#/components/schemas/policy.kasregistry.ListKeysRequest' required: true responses: default: @@ -359,7 +360,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.UpdateKeyResponse' + $ref: '#/components/schemas/policy.kasregistry.ListKeysResponse' /policy.kasregistry.KeyAccessServerRegistryService/RotateKey: post: tags: @@ -432,13 +433,13 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.kasregistry.SetBaseKeyResponse' - /policy.kasregistry.KeyAccessServerRegistryService/GetBaseKey: + /policy.kasregistry.KeyAccessServerRegistryService/UpdateKey: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: GetBaseKey - description: Get Default kas keys - operationId: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey + summary: UpdateKey + description: Request to update a key in the Key Access Service. + operationId: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey parameters: - name: Connect-Protocol-Version in: header @@ -453,7 +454,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.GetBaseKeyRequest' + $ref: '#/components/schemas/policy.kasregistry.UpdateKeyRequest' required: true responses: default: 
@@ -467,14 +468,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.GetBaseKeyResponse' - /policy.kasregistry.KeyAccessServerRegistryService/ListKeyMappings: + $ref: '#/components/schemas/policy.kasregistry.UpdateKeyResponse' + /policy.kasregistry.KeyAccessServerRegistryService/UpdateKeyAccessServer: post: tags: - policy.kasregistry.KeyAccessServerRegistryService - summary: ListKeyMappings - description: Request to list key mappings in the Key Access Service. - operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyMappings + summary: UpdateKeyAccessServer + operationId: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer parameters: - name: Connect-Protocol-Version in: header @@ -489,7 +489,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeyMappingsRequest' + $ref: '#/components/schemas/policy.kasregistry.UpdateKeyAccessServerRequest' required: true responses: default: 
@@ -503,101 +503,9 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.kasregistry.ListKeyMappingsResponse' + $ref: '#/components/schemas/policy.kasregistry.UpdateKeyAccessServerResponse' components: schemas: - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 - policy.KeyMode: - type: string - title: KeyMode - enum: - - KEY_MODE_UNSPECIFIED - - KEY_MODE_CONFIG_ROOT_KEY - - KEY_MODE_PROVIDER_ROOT_KEY - - KEY_MODE_REMOTE - - KEY_MODE_PUBLIC_KEY_ONLY - description: Describes the management and operational mode of a cryptographic key. - policy.KeyStatus: - type: string - title: KeyStatus - enum: - - KEY_STATUS_UNSPECIFIED - - KEY_STATUS_ACTIVE - - KEY_STATUS_ROTATED - description: The status of the key - policy.SortDirection: - type: string - title: SortDirection - enum: - - SORT_DIRECTION_UNSPECIFIED - - SORT_DIRECTION_ASC - - SORT_DIRECTION_DESC - description: |- - Sorting direction shared across list APIs. 
- When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. - policy.kasregistry.SortKasKeysType: - type: string - title: SortKasKeysType - enum: - - SORT_KAS_KEYS_TYPE_UNSPECIFIED - - SORT_KAS_KEYS_TYPE_KEY_ID - - SORT_KAS_KEYS_TYPE_CREATED_AT - - SORT_KAS_KEYS_TYPE_UPDATED_AT - policy.kasregistry.SortKeyAccessServersType: - type: string - title: SortKeyAccessServersType - enum: - - SORT_KEY_ACCESS_SERVERS_TYPE_UNSPECIFIED - - SORT_KEY_ACCESS_SERVERS_TYPE_NAME - - SORT_KEY_ACCESS_SERVERS_TYPE_URI - - SORT_KEY_ACCESS_SERVERS_TYPE_CREATED_AT - - SORT_KEY_ACCESS_SERVERS_TYPE_UPDATED_AT common.Metadata: type: object properties: 
@@ -653,6 +561,82 @@ components: title: value title: LabelsEntry additionalProperties: false + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -665,8 +649,8 @@ components: google.protobuf.Timestamp: type: string examples: - - 1s - - 1.000340012s + - "2023-01-15T01:30:15.01Z" + - "2024-12-25T12:00:00Z" format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local @@ -758,6 +742,20 @@ components: the Joda Time's [`ISODateTimeFormat.dateTime()`]( http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() ) to obtain a formatter capable of generating timestamps in this format. + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. policy.AsymmetricKey: type: object properties: 
@@ -835,7 +833,7 @@ components: alg: not: enum: - - 0 + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -847,6 +845,19 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: @@ -894,13 +905,9 @@ components: uri: type: string title: uri - description: |+ + description: | Address of a KAS instance - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' 
@@ -928,6 +935,16 @@ components: title: KeyAccessServer additionalProperties: false description: Key Access Server Registry + policy.KeyMode: + type: string + title: KeyMode + enum: + - KEY_MODE_UNSPECIFIED + - KEY_MODE_CONFIG_ROOT_KEY + - KEY_MODE_PROVIDER_ROOT_KEY + - KEY_MODE_REMOTE + - KEY_MODE_PUBLIC_KEY_ONLY + description: Describes the management and operational mode of a cryptographic key. policy.KeyProviderConfig: type: object properties: @@ -950,6 +967,14 @@ components: $ref: '#/components/schemas/common.Metadata' title: KeyProviderConfig additionalProperties: false + policy.KeyStatus: + type: string + title: KeyStatus + enum: + - KEY_STATUS_UNSPECIFIED + - KEY_STATUS_ACTIVE + - KEY_STATUS_ROTATED + description: The status of the key policy.PageRequest: type: object properties: @@ -1009,7 +1034,8 @@ components: policy.PublicKey: type: object oneOf: - - properties: + - type: object + properties: cached: title: cached description: public key with additional information. Current preferred version @@ -1017,17 +1043,14 @@ components: title: cached required: - cached - - properties: + - type: object + properties: remote: type: string title: remote - description: |+ + description: | kas public key url - optional since can also be retrieved via public key - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. title: remote required: - remote 
@@ -1075,6 +1098,29 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - SORT_DIRECTION_ASC + - SORT_DIRECTION_DESC + description: |- + Sorting direction shared across list APIs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. policy.kasregistry.ActivatePublicKeyRequest: type: object properties: @@ -1112,13 +1158,9 @@ components: uri: type: string title: uri - description: |+ + description: | Required - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.isUri() - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. publicKey: title: public_key description: Deprecated 
@@ -1131,13 +1173,9 @@ components: type: string title: name maxLength: 253 - description: |+ + description: | Optional - Registered KAS name must be an alphanumeric string, allowing hyphens, and underscores but not as the first or last character. The stored KAS name will be normalized to lower case.: - ``` - size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true - ``` - + kas_name_format // Registered KAS name must be an alphanumeric string, allowing hyphens, and underscores but not as the first or last character. The stored KAS name will be normalized to lower case. metadata: title: metadata description: Common metadata @@ -1167,23 +1205,15 @@ components: description: Required A user-defined identifier for the key keyAlgorithm: title: key_algorithm - description: |+ + description: | Required The algorithm to be used for the key - The key_algorithm must be one of the defined values.: - ``` - this in [1, 2, 3, 4, 5, 6, 7, 8] - ``` - + key_algorithm_defined // The key_algorithm must be one of the defined values. $ref: '#/components/schemas/policy.Algorithm' keyMode: title: key_mode - description: |+ + description: | Required The mode of the key (e.g., local or external) - The key_mode must be one of the defined values (1-4).: - ``` - this >= 1 && this <= 4 - ``` - + key_mode_defined // The key_mode must be one of the defined values (1-4). $ref: '#/components/schemas/policy.KeyMode' publicKeyCtx: title: public_key_ctx 
@@ -1209,23 +1239,11 @@ components: required: - publicKeyCtx additionalProperties: false - description: |+ + description: | Create a new asymmetric key for the specified Key Access Server (KAS) - The wrapped_key is required if key_mode is KEY_MODE_CONFIG_ROOT_KEY or KEY_MODE_PROVIDER_ROOT_KEY. The wrapped_key must be empty if key_mode is KEY_MODE_REMOTE or KEY_MODE_PUBLIC_KEY_ONLY.: - ``` - ((this.key_mode == 1 || this.key_mode == 2) && this.private_key_ctx.wrapped_key != '') || ((this.key_mode == 3 || this.key_mode == 4) && this.private_key_ctx.wrapped_key == '') - ``` - - Provider config id is required if key_mode is KEY_MODE_PROVIDER_ROOT_KEY or KEY_MODE_REMOTE. It must be empty for KEY_MODE_CONFIG_ROOT_KEY and KEY_MODE_PUBLIC_KEY_ONLY.: - ``` - ((this.key_mode == 1 || this.key_mode == 4) && this.provider_config_id == '') || ((this.key_mode == 2 || this.key_mode == 3) && this.provider_config_id != '') - ``` - - private_key_ctx must not be set if key_mode is KEY_MODE_PUBLIC_KEY_ONLY.: - ``` - !(this.key_mode == 4 && has(this.private_key_ctx)) - ``` - + private_key_ctx_for_public_key_only // private_key_ctx must not be set if key_mode is KEY_MODE_PUBLIC_KEY_ONLY. + private_key_ctx_optionally_required // The wrapped_key is required if key_mode is KEY_MODE_CONFIG_ROOT_KEY or KEY_MODE_PROVIDER_ROOT_KEY. The wrapped_key must be empty if key_mode is KEY_MODE_REMOTE or KEY_MODE_PUBLIC_KEY_ONLY. + provider_config_id_optionally_required // Provider config id is required if key_mode is KEY_MODE_PROVIDER_ROOT_KEY or KEY_MODE_REMOTE. It must be empty for KEY_MODE_CONFIG_ROOT_KEY and KEY_MODE_PUBLIC_KEY_ONLY. policy.kasregistry.CreateKeyResponse: type: object properties: 
@@ -1314,53 +1332,49 @@ components: additionalProperties: false policy.kasregistry.GetKeyAccessServerRequest: type: object - oneOf: + allOf: - properties: - kasId: + id: type: string - title: kas_id + title: id format: uuid - description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' - title: kas_id - required: - - kasId - - properties: - name: - type: string + description: Deprecated + deprecated: true + - oneOf: + - type: object + properties: + kasId: + type: string + title: kas_id + format: uuid + description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' + title: kas_id + required: + - kasId + - type: object + properties: + name: + type: string + title: name + minLength: 1 title: name - minLength: 1 - title: name - required: - - name - - properties: - uri: - type: string + required: + - name + - type: object + properties: + uri: + type: string + title: uri + minLength: 1 + format: uri title: uri - minLength: 1 - format: uri - title: uri - required: - - uri - properties: - id: - type: string - title: id - format: uuid - description: Deprecated - deprecated: true + required: + - uri title: GetKeyAccessServerRequest additionalProperties: false - description: |+ - Either use deprecated 'id' field or one of 'kas_id' or 'uri', but not both: - ``` - !(has(this.id) && (has(this.kas_id) || has(this.uri) || has(this.name))) - ``` - - Either id or one of kas_id or uri must be set: - ``` - has(this.id) || has(this.kas_id) || has(this.uri) || has(this.name) - ``` - + description: | + exclusive_fields // Either use deprecated 'id' field or one of 'kas_id' or 'uri', but not both + required_fields // Either id or one of kas_id or uri must be set policy.kasregistry.GetKeyAccessServerResponse: type: object properties: 
@@ -1372,7 +1386,8 @@ components: policy.kasregistry.GetKeyRequest: type: object oneOf: - - properties: + - type: object + properties: id: type: string title: id @@ -1381,7 +1396,8 @@ components: title: id required: - id - - properties: + - type: object + properties: key: title: key $ref: '#/components/schemas/policy.kasregistry.KasKeyIdentifier' @@ -1404,7 +1420,8 @@ components: policy.kasregistry.GetPublicKeyRequest: type: object oneOf: - - properties: + - type: object + properties: id: type: string title: id @@ -1436,38 +1453,42 @@ components: description: Can be namespace, attribute definition, or value policy.kasregistry.KasKeyIdentifier: type: object - oneOf: + allOf: - properties: - kasId: + kid: type: string + title: kid + minLength: 1 + description: Required Key ID of the key in question + - oneOf: + - type: object + properties: + kasId: + type: string + title: kas_id + format: uuid title: kas_id - format: uuid - title: kas_id - required: - - kasId - - properties: - name: - type: string + required: + - kasId + - type: object + properties: + name: + type: string + title: name + minLength: 1 title: name - minLength: 1 - title: name - required: - - name - - properties: - uri: - type: string + required: + - name + - type: object + properties: + uri: + type: string + title: uri + minLength: 1 + format: uri title: uri - minLength: 1 - format: uri - title: uri - required: - - uri - properties: - kid: - type: string - title: kid - minLength: 1 - description: Required Key ID of the key in question + required: + - uri title: KasKeyIdentifier additionalProperties: false description: Nested message for specifying the active key using KAS ID and Key ID 
@@ -1552,43 +1573,31 @@ components: kasId: type: string title: kas_id - description: |+ + description: | Optional Filter LIST by ID of a registered Key Access Server. If neither is provided, grants from all registered KASs to policy attribute objects are returned. - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - + optional_uuid_format // Optional field must be a valid UUID kasUri: type: string title: kas_uri - description: |+ + description: | Optional Filter LIST by URI of a registered Key Access Server. If none is provided, grants from all registered KASs to policy attribute objects are returned. - Optional URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - size(this) == 0 || this.isUri() - ``` - + optional_uri_format // Optional URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. kasName: type: string title: kas_name maxLength: 253 - description: |+ + description: | Optional Filter LIST by name of a registered Key Access Server. If none are provided, grants from all registered KASs to policy attribute objects are returned. - Registered KAS name must be an alphanumeric string, allowing hyphens, and underscores but not as the first or last character. The stored KAS name will be normalized to lower case.: - ``` - size(this) == 0 || this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + kas_name_format // Registered KAS name must be an alphanumeric string, allowing hyphens, and underscores but not as the first or last character. The stored KAS name will be normalized to lower case. 
pagination: title: pagination description: Optional @@ -1651,28 +1660,31 @@ components: additionalProperties: false policy.kasregistry.ListKeyMappingsRequest: type: object - oneOf: + allOf: - properties: - id: - type: string + pagination: + title: pagination + description: Pagination request for the list of keys + $ref: '#/components/schemas/policy.PageRequest' + - oneOf: + - type: object + properties: + id: + type: string + title: id + format: uuid + description: The unique identifier of the key to retrieve title: id - format: uuid - description: The unique identifier of the key to retrieve - title: id - required: - - id - - properties: - key: + required: + - id + - type: object + properties: + key: + title: key + $ref: '#/components/schemas/policy.kasregistry.KasKeyIdentifier' title: key - $ref: '#/components/schemas/policy.kasregistry.KasKeyIdentifier' - title: key - required: - - key - properties: - pagination: - title: pagination - description: Pagination request for the list of keys - $ref: '#/components/schemas/policy.PageRequest' + required: + - key title: ListKeyMappingsRequest additionalProperties: false policy.kasregistry.ListKeyMappingsResponse: 
@@ -1692,67 +1704,68 @@ components: additionalProperties: false policy.kasregistry.ListKeysRequest: type: object - oneOf: + allOf: - properties: - kasId: - type: string + keyAlgorithm: + title: key_algorithm + description: | + Filter keys by algorithm + key_algorithm_defined // The key_algorithm must be one of the defined values. + $ref: '#/components/schemas/policy.Algorithm' + legacy: + type: + - boolean + - "null" + title: legacy + description: Optional Filter for legacy keys + pagination: + title: pagination + description: Optional Pagination request for the list of keys + $ref: '#/components/schemas/policy.PageRequest' + sort: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.KasKeysSort' + title: sort + maxItems: 1 + description: |- + Optional - CONSTRAINT: max 1 item + Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC + - oneOf: + - type: object + properties: + kasId: + type: string + title: kas_id + format: uuid + description: Filter keys by the KAS ID title: kas_id - format: uuid - description: Filter keys by the KAS ID - title: kas_id - required: - - kasId - - properties: - kasName: - type: string + required: + - kasId + - type: object + properties: + kasName: + type: string + title: kas_name + minLength: 1 + description: Filter keys by the KAS name title: kas_name - minLength: 1 - description: Filter keys by the KAS name - title: kas_name - required: - - kasName - - properties: - kasUri: - type: string + required: + - kasName + - type: object + properties: + kasUri: + type: string + title: kas_uri + minLength: 1 + format: uri + description: Filter keys by the KAS URI title: kas_uri - minLength: 1 - format: uri - description: Filter keys by the KAS URI - title: kas_uri - required: - - kasUri - properties: - keyAlgorithm: - title: key_algorithm - description: |+ - 
Filter keys by algorithm - The key_algorithm must be one of the defined values.: - ``` - this in [0, 1, 2, 3, 4, 5, 6, 7, 8] - ``` - - $ref: '#/components/schemas/policy.Algorithm' - legacy: - type: boolean - title: legacy - description: Optional Filter for legacy keys - nullable: true - pagination: - title: pagination - description: Optional Pagination request for the list of keys - $ref: '#/components/schemas/policy.PageRequest' - sort: - type: array - items: - $ref: '#/components/schemas/policy.kasregistry.KasKeysSort' - title: sort - maxItems: 1 - description: |- - Optional - CONSTRAINT: max 1 item - Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC + required: + - kasUri title: ListKeysRequest additionalProperties: false description: List all asymmetric keys managed by a specific Key Access Server or with a given algorithm 
@@ -1774,45 +1787,49 @@ components: description: Response to a ListKeysRequest, containing the list of asymmetric keys and pagination information policy.kasregistry.ListPublicKeyMappingRequest: type: object - oneOf: + allOf: - properties: - kasId: + publicKeyId: type: string - title: kas_id + title: public_key_id format: uuid + description: Optional Public Key ID + pagination: + title: pagination description: Optional - title: kas_id - required: - - kasId - - properties: - kasName: - type: string + $ref: '#/components/schemas/policy.PageRequest' + - oneOf: + - type: object + properties: + kasId: + type: string + title: kas_id + format: uuid + description: Optional + title: kas_id + required: + - kasId + - type: object + properties: + kasName: + type: string + title: kas_name + minLength: 1 + description: Optional title: kas_name - minLength: 1 - description: Optional - title: kas_name - required: - - kasName - - properties: - kasUri: - type: string + required: + - kasName + - type: object + properties: + kasUri: + type: string + title: kas_uri + minLength: 1 + format: uri + description: Optional title: kas_uri - minLength: 1 - format: uri - description: Optional - title: kas_uri - required: - - kasUri - properties: - publicKeyId: - type: string - title: public_key_id - format: uuid - description: Optional Public Key ID - pagination: - title: pagination - description: Optional - $ref: '#/components/schemas/policy.PageRequest' + required: + - kasUri title: ListPublicKeyMappingRequest additionalProperties: false policy.kasregistry.ListPublicKeyMappingResponse: 
@@ -1883,40 +1900,44 @@ components: additionalProperties: false policy.kasregistry.ListPublicKeysRequest: type: object - oneOf: + allOf: - properties: - kasId: - type: string - title: kas_id - format: uuid + pagination: + title: pagination description: Optional - title: kas_id - required: - - kasId - - properties: - kasName: - type: string + $ref: '#/components/schemas/policy.PageRequest' + - oneOf: + - type: object + properties: + kasId: + type: string + title: kas_id + format: uuid + description: Optional + title: kas_id + required: + - kasId + - type: object + properties: + kasName: + type: string + title: kas_name + minLength: 1 + description: Optional title: kas_name - minLength: 1 - description: Optional - title: kas_name - required: - - kasName - - properties: - kasUri: - type: string + required: + - kasName + - type: object + properties: + kasUri: + type: string + title: kas_uri + minLength: 1 + format: uri + description: Optional title: kas_uri - minLength: 1 - format: uri - description: Optional - title: kas_uri - required: - - kasUri - properties: - pagination: - title: pagination - description: Optional - $ref: '#/components/schemas/policy.PageRequest' + required: + - kasUri title: ListPublicKeysRequest additionalProperties: false policy.kasregistry.ListPublicKeysResponse: 
@@ -1947,47 +1968,38 @@ components: additionalProperties: false policy.kasregistry.RotateKeyRequest: type: object - oneOf: + allOf: - properties: - id: - type: string + newKey: + title: new_key + description: Information about the new key to be rotated in + $ref: '#/components/schemas/policy.kasregistry.RotateKeyRequest.NewKey' + - oneOf: + - type: object + properties: + id: + type: string + title: id + format: uuid + description: Current Active Key UUID title: id - format: uuid - description: Current Active Key UUID - title: id - required: - - id - - properties: - key: + required: + - id + - type: object + properties: + key: + title: key + description: Alternative way to specify the active key using KAS ID and Key ID + $ref: '#/components/schemas/policy.kasregistry.KasKeyIdentifier' title: key - description: Alternative way to specify the active key using KAS ID and Key ID - $ref: '#/components/schemas/policy.kasregistry.KasKeyIdentifier' - title: key - required: - - key - properties: - newKey: - title: new_key - description: Information about the new key to be rotated in - $ref: '#/components/schemas/policy.kasregistry.RotateKeyRequest.NewKey' + required: + - key title: RotateKeyRequest additionalProperties: false - description: |+ - For the new key, the wrapped_key is required if key_mode is KEY_MODE_CONFIG_ROOT_KEY or KEY_MODE_PROVIDER_ROOT_KEY. The wrapped_key must be empty if key_mode is KEY_MODE_REMOTE or KEY_MODE_PUBLIC_KEY_ONLY.: - ``` - ((this.new_key.key_mode == 1 || this.new_key.key_mode == 2) && this.new_key.private_key_ctx.wrapped_key != '') || ((this.new_key.key_mode == 3 || this.new_key.key_mode == 4) && this.new_key.private_key_ctx.wrapped_key == '') - ``` - - For the new key, provider config id is required if key_mode is KEY_MODE_PROVIDER_ROOT_KEY or KEY_MODE_REMOTE. 
It must be empty for KEY_MODE_CONFIG_ROOT_KEY and KEY_MODE_PUBLIC_KEY_ONLY.: - ``` - ((this.new_key.key_mode == 1 || this.new_key.key_mode == 4) && this.new_key.provider_config_id == '') || ((this.new_key.key_mode == 2 || this.new_key.key_mode == 3) && this.new_key.provider_config_id != '') - ``` - - private_key_ctx must not be set if key_mode is KEY_MODE_PUBLIC_KEY_ONLY.: - ``` - !(this.new_key.key_mode == 4 && has(this.new_key.private_key_ctx)) - ``` - + description: | + private_key_ctx_for_public_key_only // private_key_ctx must not be set if key_mode is KEY_MODE_PUBLIC_KEY_ONLY. + private_key_ctx_optionally_required // For the new key, the wrapped_key is required if key_mode is KEY_MODE_CONFIG_ROOT_KEY or KEY_MODE_PROVIDER_ROOT_KEY. The wrapped_key must be empty if key_mode is KEY_MODE_REMOTE or KEY_MODE_PUBLIC_KEY_ONLY. + provider_config_id_optionally_required // For the new key, provider config id is required if key_mode is KEY_MODE_PROVIDER_ROOT_KEY or KEY_MODE_REMOTE. It must be empty for KEY_MODE_CONFIG_ROOT_KEY and KEY_MODE_PUBLIC_KEY_ONLY. policy.kasregistry.RotateKeyRequest.NewKey: type: object properties: @@ -1998,23 +2010,15 @@ components: description: Required algorithm: title: algorithm - description: |+ + description: | Required - The key_algorithm must be one of the defined values.: - ``` - this in [1, 2, 3, 4, 5, 6, 7, 8] - ``` - + key_algorithm_defined // The key_algorithm must be one of the defined values. $ref: '#/components/schemas/policy.Algorithm' keyMode: title: key_mode - description: |+ + description: | Required - The new key_mode must be one of the defined values (1-4).: - ``` - this in [1, 2, 3, 4] - ``` - + new_key_mode_defined // The new key_mode must be one of the defined values (1-4). $ref: '#/components/schemas/policy.KeyMode' publicKeyCtx: title: public_key_ctx @@ -2079,7 +2083,8 @@ components: policy.kasregistry.SetBaseKeyRequest: type: object oneOf: - - properties: + - type: object + properties: id: type: string title: id 
@@ -2088,7 +2093,8 @@ components: title: id required: - id - - properties: + - type: object + properties: key: title: key description: Alternative way to specify the key using KAS ID and Key ID @@ -2114,6 +2120,23 @@ components: $ref: '#/components/schemas/policy.SimpleKasKey' title: SetBaseKeyResponse additionalProperties: false + policy.kasregistry.SortKasKeysType: + type: string + title: SortKasKeysType + enum: + - SORT_KAS_KEYS_TYPE_UNSPECIFIED + - SORT_KAS_KEYS_TYPE_KEY_ID + - SORT_KAS_KEYS_TYPE_CREATED_AT + - SORT_KAS_KEYS_TYPE_UPDATED_AT + policy.kasregistry.SortKeyAccessServersType: + type: string + title: SortKeyAccessServersType + enum: + - SORT_KEY_ACCESS_SERVERS_TYPE_UNSPECIFIED + - SORT_KEY_ACCESS_SERVERS_TYPE_NAME + - SORT_KEY_ACCESS_SERVERS_TYPE_URI + - SORT_KEY_ACCESS_SERVERS_TYPE_CREATED_AT + - SORT_KEY_ACCESS_SERVERS_TYPE_UPDATED_AT policy.kasregistry.UpdateKeyAccessServerRequest: type: object properties: @@ -2125,13 +2148,9 @@ components: uri: type: string title: uri - description: |+ + description: | Optional - Optional URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - size(this) == 0 || this.isUri() - ``` - + optional_uri_format // Optional URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. publicKey: title: public_key description: |- 
@@ -2151,13 +2170,9 @@ components: type: string title: name maxLength: 253 - description: |+ + description: | Optional - Registered KAS name must be an alphanumeric string, allowing hyphens, and underscores but not as the first or last character. The stored KAS name will be normalized to lower case.: - ``` - size(this) == 0 || this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + kas_name_format // Registered KAS name must be an alphanumeric string, allowing hyphens, and underscores but not as the first or last character. The stored KAS name will be normalized to lower case. metadata: title: metadata description: |- @@ -2197,13 +2212,9 @@ components: $ref: '#/components/schemas/common.MetadataUpdateEnum' title: UpdateKeyRequest additionalProperties: false - description: |+ + description: | Update an existing asymmetric key in the Key Management System - Metadata update behavior must be either APPEND or REPLACE, when updating metadata.: - ``` - ((!has(this.metadata)) || (has(this.metadata) && this.metadata_update_behavior != 0)) - ``` - + metadata_update_behavior // Metadata update behavior must be either APPEND or REPLACE, when updating metadata. policy.kasregistry.UpdateKeyResponse: type: object properties: 
@@ -2241,63 +2252,6 @@ components: $ref: '#/components/schemas/policy.Key' title: UpdatePublicKeyResponse additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - google.protobuf.Any: - type: object - properties: - type: - type: string - value: - type: string - format: binary - debug: - type: object - additionalProperties: true - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.kasregistry.KeyAccessServerRegistryService diff --git a/docs/openapi/policy/keymanagement/key_management.openapi.yaml b/docs/openapi/policy/keymanagement/key_management.openapi.yaml index 61a3e433ba..94f70d9b92 100644 
--- a/docs/openapi/policy/keymanagement/key_management.openapi.yaml +++ b/docs/openapi/policy/keymanagement/key_management.openapi.yaml @@ -40,12 +40,12 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.keymanagement.CreateProviderConfigResponse' - /policy.keymanagement.KeyManagementService/GetProviderConfig: + /policy.keymanagement.KeyManagementService/DeleteProviderConfig: post: tags: - policy.keymanagement.KeyManagementService - summary: GetProviderConfig - operationId: policy.keymanagement.KeyManagementService.GetProviderConfig + summary: DeleteProviderConfig + operationId: policy.keymanagement.KeyManagementService.DeleteProviderConfig parameters: - name: Connect-Protocol-Version in: header @@ -60,7 +60,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.GetProviderConfigRequest' + $ref: '#/components/schemas/policy.keymanagement.DeleteProviderConfigRequest' required: true responses: default: @@ -74,13 +74,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.GetProviderConfigResponse' - /policy.keymanagement.KeyManagementService/ListProviderConfigs: + $ref: '#/components/schemas/policy.keymanagement.DeleteProviderConfigResponse' + /policy.keymanagement.KeyManagementService/GetProviderConfig: post: tags: - policy.keymanagement.KeyManagementService - summary: ListProviderConfigs - operationId: policy.keymanagement.KeyManagementService.ListProviderConfigs + summary: GetProviderConfig + operationId: policy.keymanagement.KeyManagementService.GetProviderConfig parameters: - name: Connect-Protocol-Version in: header @@ -95,7 +95,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.ListProviderConfigsRequest' + $ref: '#/components/schemas/policy.keymanagement.GetProviderConfigRequest' required: true responses: default: 
@@ -109,13 +109,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.ListProviderConfigsResponse' - /policy.keymanagement.KeyManagementService/UpdateProviderConfig: + $ref: '#/components/schemas/policy.keymanagement.GetProviderConfigResponse' + /policy.keymanagement.KeyManagementService/ListProviderConfigs: post: tags: - policy.keymanagement.KeyManagementService - summary: UpdateProviderConfig - operationId: policy.keymanagement.KeyManagementService.UpdateProviderConfig + summary: ListProviderConfigs + operationId: policy.keymanagement.KeyManagementService.ListProviderConfigs parameters: - name: Connect-Protocol-Version in: header @@ -130,7 +130,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.UpdateProviderConfigRequest' + $ref: '#/components/schemas/policy.keymanagement.ListProviderConfigsRequest' required: true responses: default: @@ -144,13 +144,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.UpdateProviderConfigResponse' - /policy.keymanagement.KeyManagementService/DeleteProviderConfig: + $ref: '#/components/schemas/policy.keymanagement.ListProviderConfigsResponse' + /policy.keymanagement.KeyManagementService/UpdateProviderConfig: post: tags: - policy.keymanagement.KeyManagementService - summary: DeleteProviderConfig - operationId: policy.keymanagement.KeyManagementService.DeleteProviderConfig + summary: UpdateProviderConfig + operationId: policy.keymanagement.KeyManagementService.UpdateProviderConfig parameters: - name: Connect-Protocol-Version in: header @@ -165,7 +165,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.DeleteProviderConfigRequest' + $ref: '#/components/schemas/policy.keymanagement.UpdateProviderConfigRequest' required: true responses: default: 
@@ -179,16 +179,9 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.keymanagement.DeleteProviderConfigResponse' + $ref: '#/components/schemas/policy.keymanagement.UpdateProviderConfigResponse' components: schemas: - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE common.Metadata: type: object properties: 
@@ -244,11 +237,87 @@ components: title: value title: LabelsEntry additionalProperties: false + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.Timestamp: type: string examples: - - 1s - - 1.000340012s + - "2023-01-15T01:30:15.01Z" + - "2024-12-25T12:00:00Z" format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local @@ -466,28 +535,31 @@ components: additionalProperties: false policy.keymanagement.GetProviderConfigRequest: type: object - oneOf: + allOf: - properties: - id: + manager: type: string + title: manager + description: Optional - filter by manager type when searching by name + - oneOf: + - type: object + properties: + id: + type: string + title: id + format: uuid title: id - format: uuid - title: id - required: - - id - - properties: - name: - type: string + required: + - id + - type: object + properties: + name: + type: string + title: name + minLength: 1 title: name - minLength: 1 - title: name - required: - - name - properties: - manager: - type: string - title: manager - description: Optional - filter by manager type when searching by name + required: + - name title: GetProviderConfigRequest additionalProperties: false policy.keymanagement.GetProviderConfigResponse: 
@@ -560,63 +632,6 @@ components: $ref: '#/components/schemas/policy.KeyProviderConfig' title: UpdateProviderConfigResponse additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - google.protobuf.Any: - type: object - properties: - type: - type: string - value: - type: string - format: binary - debug: - type: object - additionalProperties: true - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.keymanagement.KeyManagementService diff --git a/docs/openapi/policy/namespaces/namespaces.openapi.yaml b/docs/openapi/policy/namespaces/namespaces.openapi.yaml index 191af3eaf6..506217b193 100644 --- a/docs/openapi/policy/namespaces/namespaces.openapi.yaml 
+++ b/docs/openapi/policy/namespaces/namespaces.openapi.yaml @@ -2,12 +2,13 @@ openapi: 3.1.0 info: title: policy.namespaces paths: - /policy.namespaces.NamespaceService/GetNamespace: + /policy.namespaces.NamespaceService/AssignKeyAccessServerToNamespace: post: tags: - policy.namespaces.NamespaceService - summary: GetNamespace - operationId: policy.namespaces.NamespaceService.GetNamespace + summary: AssignKeyAccessServerToNamespace + description: 'Deprecated: utilize AssignPublicKeyToNamespace' + operationId: policy.namespaces.NamespaceService.AssignKeyAccessServerToNamespace parameters: - name: Connect-Protocol-Version in: header @@ -22,7 +23,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.GetNamespaceRequest' + $ref: '#/components/schemas/policy.namespaces.AssignKeyAccessServerToNamespaceRequest' required: true responses: default: @@ -36,13 +37,18 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.GetNamespaceResponse' - /policy.namespaces.NamespaceService/ListNamespaces: + $ref: '#/components/schemas/policy.namespaces.AssignKeyAccessServerToNamespaceResponse' + deprecated: true + /policy.namespaces.NamespaceService/AssignPublicKeyToNamespace: post: tags: - policy.namespaces.NamespaceService - summary: ListNamespaces - operationId: policy.namespaces.NamespaceService.ListNamespaces + summary: AssignPublicKeyToNamespace + description: |- + --------------------------------------* + Namespace <> Key RPCs + --------------------------------------- + operationId: policy.namespaces.NamespaceService.AssignPublicKeyToNamespace parameters: - name: Connect-Protocol-Version in: header @@ -57,7 +63,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.ListNamespacesRequest' + $ref: '#/components/schemas/policy.namespaces.AssignPublicKeyToNamespaceRequest' required: true responses: default: 
@@ -71,7 +77,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.ListNamespacesResponse' + $ref: '#/components/schemas/policy.namespaces.AssignPublicKeyToNamespaceResponse' /policy.namespaces.NamespaceService/CreateNamespace: post: tags: @@ -107,12 +113,12 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.namespaces.CreateNamespaceResponse' - /policy.namespaces.NamespaceService/UpdateNamespace: + /policy.namespaces.NamespaceService/DeactivateNamespace: post: tags: - policy.namespaces.NamespaceService - summary: UpdateNamespace - operationId: policy.namespaces.NamespaceService.UpdateNamespace + summary: DeactivateNamespace + operationId: policy.namespaces.NamespaceService.DeactivateNamespace parameters: - name: Connect-Protocol-Version in: header @@ -127,7 +133,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.UpdateNamespaceRequest' + $ref: '#/components/schemas/policy.namespaces.DeactivateNamespaceRequest' required: true responses: default: @@ -141,13 +147,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.UpdateNamespaceResponse' - /policy.namespaces.NamespaceService/DeactivateNamespace: + $ref: '#/components/schemas/policy.namespaces.DeactivateNamespaceResponse' + /policy.namespaces.NamespaceService/GetNamespace: post: tags: - policy.namespaces.NamespaceService - summary: DeactivateNamespace - operationId: policy.namespaces.NamespaceService.DeactivateNamespace + summary: GetNamespace + operationId: policy.namespaces.NamespaceService.GetNamespace parameters: - name: Connect-Protocol-Version in: header @@ -162,7 +168,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.DeactivateNamespaceRequest' + $ref: '#/components/schemas/policy.namespaces.GetNamespaceRequest' required: true responses: default: 
@@ -176,14 +182,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.DeactivateNamespaceResponse' - /policy.namespaces.NamespaceService/AssignKeyAccessServerToNamespace: + $ref: '#/components/schemas/policy.namespaces.GetNamespaceResponse' + /policy.namespaces.NamespaceService/ListNamespaces: post: tags: - policy.namespaces.NamespaceService - summary: AssignKeyAccessServerToNamespace - description: 'Deprecated: utilize AssignPublicKeyToNamespace' - operationId: policy.namespaces.NamespaceService.AssignKeyAccessServerToNamespace + summary: ListNamespaces + operationId: policy.namespaces.NamespaceService.ListNamespaces parameters: - name: Connect-Protocol-Version in: header @@ -198,7 +203,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.AssignKeyAccessServerToNamespaceRequest' + $ref: '#/components/schemas/policy.namespaces.ListNamespacesRequest' required: true responses: default: @@ -212,8 +217,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.AssignKeyAccessServerToNamespaceResponse' - deprecated: true + $ref: '#/components/schemas/policy.namespaces.ListNamespacesResponse' /policy.namespaces.NamespaceService/RemoveKeyAccessServerFromNamespace: post: tags: 
@@ -251,16 +255,12 @@ paths: schema: $ref: '#/components/schemas/policy.namespaces.RemoveKeyAccessServerFromNamespaceResponse' deprecated: true - /policy.namespaces.NamespaceService/AssignPublicKeyToNamespace: + /policy.namespaces.NamespaceService/RemovePublicKeyFromNamespace: post: tags: - policy.namespaces.NamespaceService - summary: AssignPublicKeyToNamespace - description: |- - --------------------------------------* - Namespace <> Key RPCs - --------------------------------------- - operationId: policy.namespaces.NamespaceService.AssignPublicKeyToNamespace + summary: RemovePublicKeyFromNamespace + operationId: policy.namespaces.NamespaceService.RemovePublicKeyFromNamespace parameters: - name: Connect-Protocol-Version in: header @@ -275,7 +275,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.AssignPublicKeyToNamespaceRequest' + $ref: '#/components/schemas/policy.namespaces.RemovePublicKeyFromNamespaceRequest' required: true responses: default: @@ -289,13 +289,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.AssignPublicKeyToNamespaceResponse' - /policy.namespaces.NamespaceService/RemovePublicKeyFromNamespace: + $ref: '#/components/schemas/policy.namespaces.RemovePublicKeyFromNamespaceResponse' + /policy.namespaces.NamespaceService/UpdateNamespace: post: tags: - policy.namespaces.NamespaceService - summary: RemovePublicKeyFromNamespace - operationId: policy.namespaces.NamespaceService.RemovePublicKeyFromNamespace + summary: UpdateNamespace + operationId: policy.namespaces.NamespaceService.UpdateNamespace parameters: - name: Connect-Protocol-Version in: header @@ -310,7 +310,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.RemovePublicKeyFromNamespaceRequest' + $ref: '#/components/schemas/policy.namespaces.UpdateNamespaceRequest' required: true responses: default: 
@@ -324,7 +324,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.namespaces.RemovePublicKeyFromNamespaceResponse' + $ref: '#/components/schemas/policy.namespaces.UpdateNamespaceResponse' components: schemas: common.ActiveStateEnum: 
@@ -336,72 +336,6 @@ components: - ACTIVE_STATE_ENUM_INACTIVE - ACTIVE_STATE_ENUM_ANY description: 'buflint ENUM_VALUE_PREFIX: to make sure that C++ scoping rules aren''t violated when users add new enum values to an enum in a given package' - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 - policy.SortDirection: - type: string - title: SortDirection - enum: - - SORT_DIRECTION_UNSPECIFIED - - SORT_DIRECTION_ASC - - SORT_DIRECTION_DESC - description: |- - Sorting direction shared across list APIs. - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. 
These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. - policy.namespaces.SortNamespacesType: - type: string - title: SortNamespacesType - enum: - - SORT_NAMESPACES_TYPE_UNSPECIFIED - - SORT_NAMESPACES_TYPE_NAME - - SORT_NAMESPACES_TYPE_FQN - - SORT_NAMESPACES_TYPE_CREATED_AT - - SORT_NAMESPACES_TYPE_UPDATED_AT common.Metadata: type: object properties: 
@@ -457,6 +391,82 @@ components: title: value title: LabelsEntry additionalProperties: false + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -469,8 +479,8 @@ components: google.protobuf.Timestamp: type: string examples: - - 1s - - 1.000340012s + - "2023-01-15T01:30:15.01Z" + - "2024-12-25T12:00:00Z" format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local @@ -562,6 +572,20 @@ components: the Joda Time's [`ISODateTimeFormat.dateTime()`]( http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() ) to obtain a formatter capable of generating timestamps in this format. + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. policy.KasPublicKey: type: object properties: 
@@ -580,7 +604,7 @@ components: alg: not: enum: - - 0 + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -592,6 +616,19 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: @@ -614,13 +651,9 @@ components: uri: type: string title: uri - description: |+ + description: | Address of a KAS instance - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -730,7 +763,8 @@ components: policy.PublicKey: type: object oneOf: - - properties: + - type: object + properties: cached: title: cached description: public key with additional information. Current preferred version 
@@ -738,17 +772,14 @@ components: title: cached required: - cached - - properties: + - type: object + properties: remote: type: string title: remote - description: |+ + description: | kas public key url - optional since can also be retrieved via public key - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. title: remote required: - remote @@ -786,6 +817,29 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - SORT_DIRECTION_ASC + - SORT_DIRECTION_DESC + description: |- + Sorting direction shared across list APIs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. policy.namespaces.AssignKeyAccessServerToNamespaceRequest: type: object properties: 
@@ -829,13 +883,9 @@ components: type: string title: name maxLength: 253 - description: |+ + description: | Required - Namespace must be a valid hostname. It should include at least one dot, with each segment (label) starting and ending with an alphanumeric character. Each label must be 1 to 63 characters long, allowing hyphens but not as the first or last character. The top-level domain (the last segment after the final dot) must consist of at least two alphabetic characters. The stored namespace will be normalized to lower case.: - ``` - this.matches('^([a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?\\.)+[a-zA-Z]{2,}$') - ``` - + namespace_format // Namespace must be a valid hostname. It should include at least one dot, with each segment (label) starting and ending with an alphanumeric character. Each label must be 1 to 63 characters long, allowing hyphens but not as the first or last character. The top-level domain (the last segment after the final dot) must consist of at least two alphabetic characters. The stored namespace will be normalized to lower case. metadata: title: metadata description: Optional 
@@ -868,45 +918,40 @@ components: additionalProperties: false policy.namespaces.GetNamespaceRequest: type: object - oneOf: + allOf: - properties: - fqn: + id: type: string + title: id + format: uuid + description: Deprecated + deprecated: true + - oneOf: + - type: object + properties: + fqn: + type: string + title: fqn + minLength: 1 + format: uri title: fqn - minLength: 1 - format: uri - title: fqn - required: - - fqn - - properties: - namespaceId: - type: string + required: + - fqn + - type: object + properties: + namespaceId: + type: string + title: namespace_id + format: uuid + description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' title: namespace_id - format: uuid - description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' - title: namespace_id - required: - - namespaceId - properties: - id: - type: string - title: id - format: uuid - description: Deprecated - deprecated: true + required: + - namespaceId title: GetNamespaceRequest additionalProperties: false - description: |+ - Either use deprecated 'id' field or one of 'namespace_id' or 'fqn', but not both: - ``` - !(has(this.id) && (has(this.namespace_id) || has(this.fqn))) - ``` - - Either id or one of namespace_id or fqn must be set: - ``` - has(this.id) || has(this.namespace_id) || has(this.fqn) - ``` - + description: | + exclusive_fields // Either use deprecated 'id' field or one of 'namespace_id' or 'fqn', but not both + required_fields // Either id or one of namespace_id or fqn must be set policy.namespaces.GetNamespaceResponse: type: object properties: 
@@ -1035,6 +1080,15 @@ components: $ref: '#/components/schemas/policy.namespaces.NamespaceKey' title: RemovePublicKeyFromNamespaceResponse additionalProperties: false + policy.namespaces.SortNamespacesType: + type: string + title: SortNamespacesType + enum: + - SORT_NAMESPACES_TYPE_UNSPECIFIED + - SORT_NAMESPACES_TYPE_NAME + - SORT_NAMESPACES_TYPE_FQN + - SORT_NAMESPACES_TYPE_CREATED_AT + - SORT_NAMESPACES_TYPE_UPDATED_AT policy.namespaces.UpdateNamespaceRequest: type: object properties: 
@@ -1060,63 +1114,6 @@ components: $ref: '#/components/schemas/policy.Namespace' title: UpdateNamespaceResponse additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - google.protobuf.Any: - type: object - properties: - type: - type: string - value: - type: string - format: binary - debug: - type: object - additionalProperties: true - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.namespaces.NamespaceService diff --git a/docs/openapi/policy/objects.openapi.yaml b/docs/openapi/policy/objects.openapi.yaml index a1debb1154..6b1ee8b279 100644 --- a/docs/openapi/policy/objects.openapi.yaml +++ b/docs/openapi/policy/objects.openapi.yaml 
@@ -4,105 +4,6 @@ info: paths: {} components: schemas: - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR - policy.DynamicValueOperatorEnum: - type: string - title: DynamicValueOperatorEnum - enum: - - DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED - - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN - - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS - description: |- - Operators for dynamic, definition-level value entitlement. Unlike - SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into - policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's - attribute value segment, supplied at decision time. Each value is the inversion of its - static SubjectMappingOperatorEnum counterpart. 
- policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 - policy.KeyMode: - type: string - title: KeyMode - enum: - - KEY_MODE_UNSPECIFIED - - KEY_MODE_CONFIG_ROOT_KEY - - KEY_MODE_PROVIDER_ROOT_KEY - - KEY_MODE_REMOTE - - KEY_MODE_PUBLIC_KEY_ONLY - description: Describes the management and operational mode of a cryptographic key. - policy.KeyStatus: - type: string - title: KeyStatus - enum: - - KEY_STATUS_UNSPECIFIED - - KEY_STATUS_ACTIVE - - KEY_STATUS_ROTATED - description: The status of the key - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS common.Metadata: type: object properties: @@ -147,8 +48,8 @@ components: google.protobuf.Timestamp: type: string examples: - - 1s - - 1.000340012s + - "2023-01-15T01:30:15.01Z" + - "2024-12-25T12:00:00Z" format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -242,41 +143,65 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - oneOf: + allOf: - properties: - custom: + id: + type: string + title: id + description: Generated uuid in database + name: type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + - oneOf: + - type: object + properties: + custom: + type: string + title: custom + description: Deprecated title: custom - description: Deprecated - title: custom - required: - - custom - - properties: - standard: + required: + - custom + - type: object + properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' - title: standard - required: - - standard - properties: - id: - type: string - title: id - description: Generated uuid in database - name: - type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' + required: + - standard title: Action additionalProperties: false description: An action an entity can take + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. 
policy.AsymmetricKey: type: object properties: @@ -378,6 +303,14 @@ components: required: - rule additionalProperties: false + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -395,7 +328,6 @@ components: type: array items: type: string - minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -411,6 +343,13 @@ components: * A Condition defines a rule of + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: @@ -493,6 +432,19 @@ components: Definition Value Resolver: the dynamic half of a DefinitionValueEntitlementMapping. It resolves a selector against the entity representation and compares the result to the requested resource value segment using a DynamicValueOperatorEnum. + policy.DynamicValueOperatorEnum: + type: string + title: DynamicValueOperatorEnum + enum: + - DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED + - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN + - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS + description: |- + Operators for dynamic, definition-level value entitlement. Unlike + SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into + policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's + attribute value segment, supplied at decision time. Each value is the inversion of its + static SubjectMappingOperatorEnum counterpart. policy.KasKey: type: object properties: @@ -525,7 +477,7 @@ components: alg: not: enum: - - 0 + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED title: alg description: |- A known algorithm type with any additional parameters encoded. 
@@ -537,6 +489,19 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: @@ -584,13 +549,9 @@ components: uri: type: string title: uri - description: |+ + description: | Address of a KAS instance - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -618,6 +579,16 @@ components: title: KeyAccessServer additionalProperties: false description: Key Access Server Registry + policy.KeyMode: + type: string + title: KeyMode + enum: + - KEY_MODE_UNSPECIFIED + - KEY_MODE_CONFIG_ROOT_KEY + - KEY_MODE_PROVIDER_ROOT_KEY + - KEY_MODE_REMOTE + - KEY_MODE_PUBLIC_KEY_ONLY + description: Describes the management and operational mode of a cryptographic key. policy.KeyProviderConfig: type: object properties: 
@@ -640,6 +611,14 @@ components: $ref: '#/components/schemas/common.Metadata' title: KeyProviderConfig additionalProperties: false + policy.KeyStatus: + type: string + title: KeyStatus + enum: + - KEY_STATUS_UNSPECIFIED + - KEY_STATUS_ACTIVE + - KEY_STATUS_ROTATED + description: The status of the key policy.Namespace: type: object properties: @@ -782,7 +761,8 @@ components: policy.PublicKey: type: object oneOf: - - properties: + - type: object + properties: cached: title: cached description: public key with additional information. Current preferred version @@ -790,17 +770,14 @@ components: title: cached required: - cached - - properties: + - type: object + properties: remote: type: string title: remote - description: |+ + description: | kas public key url - optional since can also be retrieved via public key - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. title: remote required: - remote @@ -985,6 +962,17 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: 
@@ -1050,6 +1038,14 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectProperty: type: object properties: diff --git a/docs/openapi/policy/obligations/obligations.openapi.yaml b/docs/openapi/policy/obligations/obligations.openapi.yaml index 154701d935..946d6ce813 100644 --- a/docs/openapi/policy/obligations/obligations.openapi.yaml +++ b/docs/openapi/policy/obligations/obligations.openapi.yaml @@ -2,12 +2,12 @@ openapi: 3.1.0 info: title: policy.obligations paths: - /policy.obligations.Service/ListObligations: + /policy.obligations.Service/AddObligationTrigger: post: tags: - policy.obligations.Service - summary: ListObligations - operationId: policy.obligations.Service.ListObligations + summary: AddObligationTrigger + operationId: policy.obligations.Service.AddObligationTrigger parameters: - name: Connect-Protocol-Version in: header @@ -22,7 +22,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.ListObligationsRequest' + $ref: '#/components/schemas/policy.obligations.AddObligationTriggerRequest' required: true responses: default: 
@@ -36,13 +36,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.ListObligationsResponse' - /policy.obligations.Service/GetObligation: + $ref: '#/components/schemas/policy.obligations.AddObligationTriggerResponse' + /policy.obligations.Service/CreateObligation: post: tags: - policy.obligations.Service - summary: GetObligation - operationId: policy.obligations.Service.GetObligation + summary: CreateObligation + operationId: policy.obligations.Service.CreateObligation parameters: - name: Connect-Protocol-Version in: header @@ -57,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationRequest' + $ref: '#/components/schemas/policy.obligations.CreateObligationRequest' required: true responses: default: @@ -71,13 +71,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationResponse' - /policy.obligations.Service/GetObligationsByFQNs: + $ref: '#/components/schemas/policy.obligations.CreateObligationResponse' + /policy.obligations.Service/CreateObligationValue: post: tags: - policy.obligations.Service - summary: GetObligationsByFQNs - operationId: policy.obligations.Service.GetObligationsByFQNs + summary: CreateObligationValue + operationId: policy.obligations.Service.CreateObligationValue parameters: - name: Connect-Protocol-Version in: header @@ -92,7 +92,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationsByFQNsRequest' + $ref: '#/components/schemas/policy.obligations.CreateObligationValueRequest' required: true responses: default: 
@@ -106,13 +106,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationsByFQNsResponse' - /policy.obligations.Service/CreateObligation: + $ref: '#/components/schemas/policy.obligations.CreateObligationValueResponse' + /policy.obligations.Service/DeleteObligation: post: tags: - policy.obligations.Service - summary: CreateObligation - operationId: policy.obligations.Service.CreateObligation + summary: DeleteObligation + operationId: policy.obligations.Service.DeleteObligation parameters: - name: Connect-Protocol-Version in: header @@ -127,7 +127,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.CreateObligationRequest' + $ref: '#/components/schemas/policy.obligations.DeleteObligationRequest' required: true responses: default: @@ -141,13 +141,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.CreateObligationResponse' - /policy.obligations.Service/UpdateObligation: + $ref: '#/components/schemas/policy.obligations.DeleteObligationResponse' + /policy.obligations.Service/DeleteObligationValue: post: tags: - policy.obligations.Service - summary: UpdateObligation - operationId: policy.obligations.Service.UpdateObligation + summary: DeleteObligationValue + operationId: policy.obligations.Service.DeleteObligationValue parameters: - name: Connect-Protocol-Version in: header @@ -162,7 +162,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.UpdateObligationRequest' + $ref: '#/components/schemas/policy.obligations.DeleteObligationValueRequest' required: true responses: default: 
@@ -176,13 +176,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.UpdateObligationResponse' - /policy.obligations.Service/DeleteObligation: + $ref: '#/components/schemas/policy.obligations.DeleteObligationValueResponse' + /policy.obligations.Service/GetObligation: post: tags: - policy.obligations.Service - summary: DeleteObligation - operationId: policy.obligations.Service.DeleteObligation + summary: GetObligation + operationId: policy.obligations.Service.GetObligation parameters: - name: Connect-Protocol-Version in: header @@ -197,7 +197,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.DeleteObligationRequest' + $ref: '#/components/schemas/policy.obligations.GetObligationRequest' required: true responses: default: @@ -211,13 +211,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.DeleteObligationResponse' - /policy.obligations.Service/GetObligationValue: + $ref: '#/components/schemas/policy.obligations.GetObligationResponse' + /policy.obligations.Service/GetObligationTrigger: post: tags: - policy.obligations.Service - summary: GetObligationValue - operationId: policy.obligations.Service.GetObligationValue + summary: GetObligationTrigger + operationId: policy.obligations.Service.GetObligationTrigger parameters: - name: Connect-Protocol-Version in: header @@ -232,7 +232,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationValueRequest' + $ref: '#/components/schemas/policy.obligations.GetObligationTriggerRequest' required: true responses: default: 
@@ -246,13 +246,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationValueResponse' - /policy.obligations.Service/GetObligationValuesByFQNs: + $ref: '#/components/schemas/policy.obligations.GetObligationTriggerResponse' + /policy.obligations.Service/GetObligationValue: post: tags: - policy.obligations.Service - summary: GetObligationValuesByFQNs - operationId: policy.obligations.Service.GetObligationValuesByFQNs + summary: GetObligationValue + operationId: policy.obligations.Service.GetObligationValue parameters: - name: Connect-Protocol-Version in: header @@ -267,7 +267,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationValuesByFQNsRequest' + $ref: '#/components/schemas/policy.obligations.GetObligationValueRequest' required: true responses: default: @@ -281,13 +281,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationValuesByFQNsResponse' - /policy.obligations.Service/CreateObligationValue: + $ref: '#/components/schemas/policy.obligations.GetObligationValueResponse' + /policy.obligations.Service/GetObligationValuesByFQNs: post: tags: - policy.obligations.Service - summary: CreateObligationValue - operationId: policy.obligations.Service.CreateObligationValue + summary: GetObligationValuesByFQNs + operationId: policy.obligations.Service.GetObligationValuesByFQNs parameters: - name: Connect-Protocol-Version in: header @@ -302,7 +302,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.CreateObligationValueRequest' + $ref: '#/components/schemas/policy.obligations.GetObligationValuesByFQNsRequest' required: true responses: default: 
@@ -316,13 +316,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.CreateObligationValueResponse' - /policy.obligations.Service/UpdateObligationValue: + $ref: '#/components/schemas/policy.obligations.GetObligationValuesByFQNsResponse' + /policy.obligations.Service/GetObligationsByFQNs: post: tags: - policy.obligations.Service - summary: UpdateObligationValue - operationId: policy.obligations.Service.UpdateObligationValue + summary: GetObligationsByFQNs + operationId: policy.obligations.Service.GetObligationsByFQNs parameters: - name: Connect-Protocol-Version in: header @@ -337,7 +337,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.UpdateObligationValueRequest' + $ref: '#/components/schemas/policy.obligations.GetObligationsByFQNsRequest' required: true responses: default: @@ -351,13 +351,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.UpdateObligationValueResponse' - /policy.obligations.Service/DeleteObligationValue: + $ref: '#/components/schemas/policy.obligations.GetObligationsByFQNsResponse' + /policy.obligations.Service/ListObligationTriggers: post: tags: - policy.obligations.Service - summary: DeleteObligationValue - operationId: policy.obligations.Service.DeleteObligationValue + summary: ListObligationTriggers + operationId: policy.obligations.Service.ListObligationTriggers parameters: - name: Connect-Protocol-Version in: header @@ -372,7 +372,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.DeleteObligationValueRequest' + $ref: '#/components/schemas/policy.obligations.ListObligationTriggersRequest' required: true responses: default: 
@@ -386,13 +386,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.DeleteObligationValueResponse' - /policy.obligations.Service/GetObligationTrigger: + $ref: '#/components/schemas/policy.obligations.ListObligationTriggersResponse' + /policy.obligations.Service/ListObligations: post: tags: - policy.obligations.Service - summary: GetObligationTrigger - operationId: policy.obligations.Service.GetObligationTrigger + summary: ListObligations + operationId: policy.obligations.Service.ListObligations parameters: - name: Connect-Protocol-Version in: header @@ -407,7 +407,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationTriggerRequest' + $ref: '#/components/schemas/policy.obligations.ListObligationsRequest' required: true responses: default: @@ -421,13 +421,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.GetObligationTriggerResponse' - /policy.obligations.Service/AddObligationTrigger: + $ref: '#/components/schemas/policy.obligations.ListObligationsResponse' + /policy.obligations.Service/RemoveObligationTrigger: post: tags: - policy.obligations.Service - summary: AddObligationTrigger - operationId: policy.obligations.Service.AddObligationTrigger + summary: RemoveObligationTrigger + operationId: policy.obligations.Service.RemoveObligationTrigger parameters: - name: Connect-Protocol-Version in: header @@ -442,7 +442,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.AddObligationTriggerRequest' + $ref: '#/components/schemas/policy.obligations.RemoveObligationTriggerRequest' required: true responses: default: 
@@ -456,13 +456,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.AddObligationTriggerResponse' - /policy.obligations.Service/RemoveObligationTrigger: + $ref: '#/components/schemas/policy.obligations.RemoveObligationTriggerResponse' + /policy.obligations.Service/UpdateObligation: post: tags: - policy.obligations.Service - summary: RemoveObligationTrigger - operationId: policy.obligations.Service.RemoveObligationTrigger + summary: UpdateObligation + operationId: policy.obligations.Service.UpdateObligation parameters: - name: Connect-Protocol-Version in: header @@ -477,7 +477,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.RemoveObligationTriggerRequest' + $ref: '#/components/schemas/policy.obligations.UpdateObligationRequest' required: true responses: default: @@ -491,13 +491,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.RemoveObligationTriggerResponse' - /policy.obligations.Service/ListObligationTriggers: + $ref: '#/components/schemas/policy.obligations.UpdateObligationResponse' + /policy.obligations.Service/UpdateObligationValue: post: tags: - policy.obligations.Service - summary: ListObligationTriggers - operationId: policy.obligations.Service.ListObligationTriggers + summary: UpdateObligationValue + operationId: policy.obligations.Service.UpdateObligationValue parameters: - name: Connect-Protocol-Version in: header @@ -512,7 +512,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.ListObligationTriggersRequest' + $ref: '#/components/schemas/policy.obligations.UpdateObligationValueRequest' required: true responses: default: 
@@ -526,107 +526,17 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.obligations.ListObligationTriggersResponse' + $ref: '#/components/schemas/policy.obligations.UpdateObligationValueResponse' components: schemas: - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 - policy.SortDirection: - type: string - title: SortDirection - enum: - - SORT_DIRECTION_UNSPECIFIED - - SORT_DIRECTION_ASC - - SORT_DIRECTION_DESC - 
description: |- - Sorting direction shared across list APIs. - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS - policy.obligations.SortObligationsType: - type: string - title: SortObligationsType - enum: - - SORT_OBLIGATIONS_TYPE_UNSPECIFIED - - SORT_OBLIGATIONS_TYPE_NAME - - SORT_OBLIGATIONS_TYPE_FQN - - SORT_OBLIGATIONS_TYPE_CREATED_AT - - SORT_OBLIGATIONS_TYPE_UPDATED_AT common.IdFqnIdentifier: type: object + allOf: + - oneOf: + - required: + - id + - required: + - fqn properties: id: type: string @@ -641,6 +551,12 @@ components: additionalProperties: false common.IdNameIdentifier: type: object + allOf: + - oneOf: + - required: + - id + - required: + - name properties: id: type: string 
@@ -651,12 +567,8 @@ components: title: name maxLength: 253 minLength: 1 - description: |+ - Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: - ``` - this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + description: | + name_format // Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. title: IdNameIdentifier additionalProperties: false common.Metadata: 
@@ -714,6 +626,82 @@ components: title: value title: LabelsEntry additionalProperties: false + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -726,8 +714,8 @@ components: google.protobuf.Timestamp: type: string examples: - - 1s - - 1.000340012s + - "2023-01-15T01:30:15.01Z" + - "2024-12-25T12:00:00Z" format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -821,41 +809,65 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - oneOf: + allOf: - properties: - custom: + id: + type: string + title: id + description: Generated uuid in database + name: type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + - oneOf: + - type: object + properties: + custom: + type: string + title: custom + description: Deprecated title: custom - description: Deprecated - title: custom - required: - - custom - - properties: - standard: + required: + - custom + - type: object + properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' - title: standard - required: - - standard - properties: - id: - type: string - title: id - description: Generated uuid in database - name: - type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' + required: + - standard title: Action additionalProperties: false description: An action an entity can take + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. 
policy.Attribute: type: object properties: @@ -912,6 +924,14 @@ components: required: - rule additionalProperties: false + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -929,7 +949,6 @@ components: type: array items: type: string - minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -945,6 +964,13 @@ components: * A Condition defines a rule of + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: @@ -981,7 +1007,7 @@ components: alg: not: enum: - - 0 + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -993,6 +1019,19 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: 
@@ -1015,13 +1054,9 @@ components: uri: type: string title: uri - description: |+ + description: | Address of a KAS instance - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -1219,7 +1254,8 @@ components: policy.PublicKey: type: object oneOf: - - properties: + - type: object + properties: cached: title: cached description: public key with additional information. Current preferred version @@ -1227,17 +1263,14 @@ components: title: cached required: - cached - - properties: + - type: object + properties: remote: type: string title: remote - description: |+ + description: | kas public key url - optional since can also be retrieved via public key - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. title: remote required: - remote 
@@ -1345,6 +1378,29 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - SORT_DIRECTION_ASC + - SORT_DIRECTION_DESC + description: |- + Sorting direction shared across list APIs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: @@ -1410,6 +1466,14 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectSet: type: object properties: @@ -1523,6 +1587,12 @@ components: additionalProperties: false policy.obligations.CreateObligationRequest: type: object + allOf: + - oneOf: + - required: + - namespaceId + - required: + - namespaceFqn properties: namespaceId: type: string 
@@ -1537,19 +1607,14 @@ components: type: string title: name maxLength: 253 - description: |+ - Obligation name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: - ``` - this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + description: | + obligation_name_format // Obligation name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. values: type: array items: type: string maxLength: 253 pattern: ^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$ - uniqueItems: true title: values uniqueItems: true description: Optional @@ -1573,6 +1638,12 @@ components: additionalProperties: false policy.obligations.CreateObligationValueRequest: type: object + allOf: + - oneOf: + - required: + - obligationId + - required: + - obligationFqn properties: obligationId: type: string @@ -1587,12 +1658,8 @@ components: type: string title: value maxLength: 253 - description: |+ - Obligation value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case.: - ``` - this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + description: | + obligation_value_format // Obligation value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case. triggers: type: array items: @@ -1621,6 +1688,12 @@ components: additionalProperties: false policy.obligations.DeleteObligationRequest: type: object + allOf: + - oneOf: + - required: + - id + - required: + - fqn properties: id: type: string 
@@ -1643,6 +1716,12 @@ components: additionalProperties: false policy.obligations.DeleteObligationValueRequest: type: object + allOf: + - oneOf: + - required: + - id + - required: + - fqn properties: id: type: string @@ -1665,6 +1744,12 @@ components: additionalProperties: false policy.obligations.GetObligationRequest: type: object + allOf: + - oneOf: + - required: + - id + - required: + - fqn properties: id: type: string @@ -1706,6 +1791,12 @@ components: additionalProperties: false policy.obligations.GetObligationValueRequest: type: object + allOf: + - oneOf: + - required: + - id + - required: + - fqn properties: id: type: string @@ -1736,9 +1827,6 @@ components: type: string minLength: 1 format: uri - maxItems: 250 - minItems: 1 - uniqueItems: true title: fqns maxItems: 250 minItems: 1 @@ -1776,9 +1864,6 @@ components: type: string minLength: 1 format: uri - maxItems: 250 - minItems: 1 - uniqueItems: true title: fqns maxItems: 250 minItems: 1 @@ -1910,6 +1995,15 @@ components: $ref: '#/components/schemas/policy.ObligationTrigger' title: RemoveObligationTriggerResponse additionalProperties: false + policy.obligations.SortObligationsType: + type: string + title: SortObligationsType + enum: + - SORT_OBLIGATIONS_TYPE_UNSPECIFIED + - SORT_OBLIGATIONS_TYPE_NAME + - SORT_OBLIGATIONS_TYPE_FQN + - SORT_OBLIGATIONS_TYPE_CREATED_AT + - SORT_OBLIGATIONS_TYPE_UPDATED_AT policy.obligations.UpdateObligationRequest: type: object properties: 
@@ -1922,13 +2016,9 @@ components: type: string title: name maxLength: 253 - description: |+ + description: | Optional - Obligation name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: - ``` - size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true - ``` - + obligation_name_format // Obligation name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. metadata: title: metadata $ref: '#/components/schemas/common.MetadataMutable' @@ -1957,13 +2047,9 @@ components: type: string title: value maxLength: 253 - description: |+ + description: | Optional - Obligation value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case.: - ``` - size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true - ``` - + obligation_value_format // Obligation value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case. triggers: type: array items: 
@@ -2011,63 +2097,6 @@ components: - action - attributeValue additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - google.protobuf.Any: - type: object - properties: - type: - type: string - value: - type: string - format: binary - debug: - type: object - additionalProperties: true - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.obligations.Service diff --git a/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml b/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml index 9c761fa78d..c22280f626 100644 --- a/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml 
+++ b/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml @@ -37,12 +37,12 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.registeredresources.CreateRegisteredResourceResponse' - /policy.registeredresources.RegisteredResourcesService/GetRegisteredResource: + /policy.registeredresources.RegisteredResourcesService/CreateRegisteredResourceValue: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: GetRegisteredResource - operationId: policy.registeredresources.RegisteredResourcesService.GetRegisteredResource + summary: CreateRegisteredResourceValue + operationId: policy.registeredresources.RegisteredResourcesService.CreateRegisteredResourceValue parameters: - name: Connect-Protocol-Version in: header @@ -57,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceRequest' + $ref: '#/components/schemas/policy.registeredresources.CreateRegisteredResourceValueRequest' required: true responses: default: @@ -71,13 +71,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceResponse' - /policy.registeredresources.RegisteredResourcesService/ListRegisteredResources: + $ref: '#/components/schemas/policy.registeredresources.CreateRegisteredResourceValueResponse' + /policy.registeredresources.RegisteredResourcesService/DeleteRegisteredResource: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: ListRegisteredResources - operationId: policy.registeredresources.RegisteredResourcesService.ListRegisteredResources + summary: DeleteRegisteredResource + operationId: policy.registeredresources.RegisteredResourcesService.DeleteRegisteredResource parameters: - name: Connect-Protocol-Version in: header 
@@ -92,7 +92,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourcesRequest' + $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceRequest' required: true responses: default: @@ -106,13 +106,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourcesResponse' - /policy.registeredresources.RegisteredResourcesService/UpdateRegisteredResource: + $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceResponse' + /policy.registeredresources.RegisteredResourcesService/DeleteRegisteredResourceValue: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: UpdateRegisteredResource - operationId: policy.registeredresources.RegisteredResourcesService.UpdateRegisteredResource + summary: DeleteRegisteredResourceValue + operationId: policy.registeredresources.RegisteredResourcesService.DeleteRegisteredResourceValue parameters: - name: Connect-Protocol-Version in: header @@ -127,7 +127,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceRequest' + $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceValueRequest' required: true responses: default: 
@@ -141,13 +141,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceResponse' - /policy.registeredresources.RegisteredResourcesService/DeleteRegisteredResource: + $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceValueResponse' + /policy.registeredresources.RegisteredResourcesService/GetRegisteredResource: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: DeleteRegisteredResource - operationId: policy.registeredresources.RegisteredResourcesService.DeleteRegisteredResource + summary: GetRegisteredResource + operationId: policy.registeredresources.RegisteredResourcesService.GetRegisteredResource parameters: - name: Connect-Protocol-Version in: header @@ -162,7 +162,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceRequest' + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceRequest' required: true responses: default: @@ -176,13 +176,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceResponse' - /policy.registeredresources.RegisteredResourcesService/CreateRegisteredResourceValue: + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceResponse' + /policy.registeredresources.RegisteredResourcesService/GetRegisteredResourceValue: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: CreateRegisteredResourceValue - operationId: policy.registeredresources.RegisteredResourcesService.CreateRegisteredResourceValue + summary: GetRegisteredResourceValue + operationId: policy.registeredresources.RegisteredResourcesService.GetRegisteredResourceValue parameters: - name: Connect-Protocol-Version in: header 
@@ -197,7 +197,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.CreateRegisteredResourceValueRequest' + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValueRequest' required: true responses: default: @@ -211,13 +211,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.CreateRegisteredResourceValueResponse' - /policy.registeredresources.RegisteredResourcesService/GetRegisteredResourceValue: + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValueResponse' + /policy.registeredresources.RegisteredResourcesService/GetRegisteredResourceValuesByFQNs: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: GetRegisteredResourceValue - operationId: policy.registeredresources.RegisteredResourcesService.GetRegisteredResourceValue + summary: GetRegisteredResourceValuesByFQNs + operationId: policy.registeredresources.RegisteredResourcesService.GetRegisteredResourceValuesByFQNs parameters: - name: Connect-Protocol-Version in: header @@ -232,7 +232,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValueRequest' + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValuesByFQNsRequest' required: true responses: default: 
@@ -246,13 +246,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValueResponse' - /policy.registeredresources.RegisteredResourcesService/GetRegisteredResourceValuesByFQNs: + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValuesByFQNsResponse' + /policy.registeredresources.RegisteredResourcesService/ListRegisteredResourceValues: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: GetRegisteredResourceValuesByFQNs - operationId: policy.registeredresources.RegisteredResourcesService.GetRegisteredResourceValuesByFQNs + summary: ListRegisteredResourceValues + operationId: policy.registeredresources.RegisteredResourcesService.ListRegisteredResourceValues parameters: - name: Connect-Protocol-Version in: header @@ -267,7 +267,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValuesByFQNsRequest' + $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourceValuesRequest' required: true responses: default: @@ -281,13 +281,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValuesByFQNsResponse' - /policy.registeredresources.RegisteredResourcesService/ListRegisteredResourceValues: + $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourceValuesResponse' + /policy.registeredresources.RegisteredResourcesService/ListRegisteredResources: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: ListRegisteredResourceValues - operationId: policy.registeredresources.RegisteredResourcesService.ListRegisteredResourceValues + summary: ListRegisteredResources + operationId: policy.registeredresources.RegisteredResourcesService.ListRegisteredResources parameters: - name: Connect-Protocol-Version in: header 
@@ -302,7 +302,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourceValuesRequest' + $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourcesRequest' required: true responses: default: @@ -316,13 +316,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourceValuesResponse' - /policy.registeredresources.RegisteredResourcesService/UpdateRegisteredResourceValue: + $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourcesResponse' + /policy.registeredresources.RegisteredResourcesService/UpdateRegisteredResource: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: UpdateRegisteredResourceValue - operationId: policy.registeredresources.RegisteredResourcesService.UpdateRegisteredResourceValue + summary: UpdateRegisteredResource + operationId: policy.registeredresources.RegisteredResourcesService.UpdateRegisteredResource parameters: - name: Connect-Protocol-Version in: header @@ -337,7 +337,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceValueRequest' + $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceRequest' required: true responses: default: 
@@ -351,13 +351,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceValueResponse' - /policy.registeredresources.RegisteredResourcesService/DeleteRegisteredResourceValue: + $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceResponse' + /policy.registeredresources.RegisteredResourcesService/UpdateRegisteredResourceValue: post: tags: - policy.registeredresources.RegisteredResourcesService - summary: DeleteRegisteredResourceValue - operationId: policy.registeredresources.RegisteredResourcesService.DeleteRegisteredResourceValue + summary: UpdateRegisteredResourceValue + operationId: policy.registeredresources.RegisteredResourcesService.UpdateRegisteredResourceValue parameters: - name: Connect-Protocol-Version in: header @@ -372,7 +372,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceValueRequest' + $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceValueRequest' required: true responses: default: 
@@ -386,104 +386,9 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceValueResponse' + $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceValueResponse' components: schemas: - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 - policy.SortDirection: - type: string - title: SortDirection - enum: - - SORT_DIRECTION_UNSPECIFIED - - 
SORT_DIRECTION_ASC - - SORT_DIRECTION_DESC - description: |- - Sorting direction shared across list APIs. - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS - policy.registeredresources.SortRegisteredResourcesType: - type: string - title: SortRegisteredResourcesType - enum: - - SORT_REGISTERED_RESOURCES_TYPE_UNSPECIFIED - - SORT_REGISTERED_RESOURCES_TYPE_NAME - - SORT_REGISTERED_RESOURCES_TYPE_CREATED_AT - - SORT_REGISTERED_RESOURCES_TYPE_UPDATED_AT common.Metadata: type: object properties: 
@@ -539,6 +444,82 @@ components: title: value title: LabelsEntry additionalProperties: false + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -551,8 +532,8 @@ components: google.protobuf.Timestamp: type: string examples: - - 1s - - 1.000340012s + - "2023-01-15T01:30:15.01Z" + - "2024-12-25T12:00:00Z" format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -646,41 +627,65 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - oneOf: + allOf: - properties: - custom: + id: + type: string + title: id + description: Generated uuid in database + name: type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + - oneOf: + - type: object + properties: + custom: + type: string + title: custom + description: Deprecated title: custom - description: Deprecated - title: custom - required: - - custom - - properties: - standard: + required: + - custom + - type: object + properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' - title: standard - required: - - standard - properties: - id: - type: string - title: id - description: Generated uuid in database - name: - type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' + required: + - standard title: Action additionalProperties: false description: An action an entity can take + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. 
policy.Attribute: type: object properties: @@ -737,6 +742,14 @@ components: required: - rule additionalProperties: false + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -754,7 +767,6 @@ components: type: array items: type: string - minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -770,6 +782,13 @@ components: * A Condition defines a rule of + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: @@ -806,7 +825,7 @@ components: alg: not: enum: - - 0 + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -818,6 +837,19 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: 
@@ -840,13 +872,9 @@ components: uri: type: string title: uri - description: |+ + description: | Address of a KAS instance - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -1044,7 +1072,8 @@ components: policy.PublicKey: type: object oneOf: - - properties: + - type: object + properties: cached: title: cached description: public key with additional information. Current preferred version @@ -1052,17 +1081,14 @@ components: title: cached required: - cached - - properties: + - type: object + properties: remote: type: string title: remote - description: |+ + description: | kas public key url - optional since can also be retrieved via public key - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. title: remote required: - remote 
@@ -1237,6 +1263,29 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - SORT_DIRECTION_ASC + - SORT_DIRECTION_DESC + description: |- + Sorting direction shared across list APIs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: @@ -1302,6 +1351,14 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectSet: type: object properties: @@ -1372,7 +1429,8 @@ components: type: object allOf: - oneOf: - - properties: + - type: object + properties: actionId: type: string title: action_id 
@@ -1380,22 +1438,20 @@ components: title: action_id required: - actionId - - properties: + - type: object + properties: actionName: type: string title: action_name maxLength: 253 - description: |+ - Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case.: - ``` - this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + description: | + action_name_format // Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case. title: action_name required: - actionName - oneOf: - - properties: + - type: object + properties: attributeValueFqn: type: string title: attribute_value_fqn @@ -1404,7 +1460,8 @@ components: title: attribute_value_fqn required: - attributeValueFqn - - properties: + - type: object + properties: attributeValueId: type: string title: attribute_value_id @@ -1421,20 +1478,15 @@ components: type: string title: name maxLength: 253 - description: |+ + description: | Required - Registered Resource Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: - ``` - this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + rr_name_format // Registered Resource Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. values: type: array items: type: string maxLength: 253 pattern: ^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$ - uniqueItems: true title: values uniqueItems: true description: |- 
@@ -1480,13 +1532,9 @@ components: type: string title: value maxLength: 253 - description: |+ + description: | Required - Registered Resource Value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case.: - ``` - this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + rr_value_format // Registered Resource Value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case. actionAttributeValues: type: array items: 
@@ -1552,39 +1600,38 @@ components: additionalProperties: false policy.registeredresources.GetRegisteredResourceRequest: type: object - oneOf: + allOf: - properties: - id: + namespaceFqn: type: string - title: id - format: uuid - title: id - required: - - id - - properties: - name: + title: namespace_fqn + minLength: 1 + format: uri + namespaceId: type: string + title: namespace_id + format: uuid + - oneOf: + - type: object + properties: + id: + type: string + title: id + format: uuid + title: id + required: + - id + - type: object + properties: + name: + type: string + title: name + maxLength: 253 + description: | + rr_name_format // Registered Resource Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. title: name - maxLength: 253 - description: |+ - Registered Resource Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: - ``` - size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true - ``` - - title: name - required: - - name - properties: - namespaceFqn: - type: string - title: namespace_fqn - minLength: 1 - format: uri - namespaceId: - type: string - title: namespace_id - format: uuid + required: + - name title: GetRegisteredResourceRequest additionalProperties: false policy.registeredresources.GetRegisteredResourceResponse: @@ -1598,7 +1645,8 @@ components: policy.registeredresources.GetRegisteredResourceValueRequest: type: object oneOf: - - properties: + - type: object + properties: fqn: type: string title: fqn @@ -1607,7 +1655,8 @@ components: title: fqn required: - fqn - - properties: + - type: object + properties: id: type: string title: id @@ -1634,8 +1683,6 @@ components: type: string minLength: 1 format: uri - minItems: 1 - uniqueItems: true title: fqns minItems: 1 uniqueItems: true 
@@ -1670,13 +1717,9 @@ components: resourceId: type: string title: resource_id - description: |+ + description: | Optional - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - + optional_uuid_format // Optional field must be a valid UUID pagination: title: pagination description: Optional @@ -1750,6 +1793,14 @@ components: $ref: '#/components/schemas/policy.SortDirection' title: RegisteredResourcesSort additionalProperties: false + policy.registeredresources.SortRegisteredResourcesType: + type: string + title: SortRegisteredResourcesType + enum: + - SORT_REGISTERED_RESOURCES_TYPE_UNSPECIFIED + - SORT_REGISTERED_RESOURCES_TYPE_NAME + - SORT_REGISTERED_RESOURCES_TYPE_CREATED_AT + - SORT_REGISTERED_RESOURCES_TYPE_UPDATED_AT policy.registeredresources.UpdateRegisteredResourceRequest: type: object properties: @@ -1762,13 +1813,9 @@ components: type: string title: name maxLength: 253 - description: |+ + description: | Optional - Registered Resource Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: - ``` - size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true - ``` - + rr_name_format // Registered Resource Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case. metadata: title: metadata description: |- 
@@ -1800,13 +1847,9 @@ components: type: string title: value maxLength: 253 - description: |+ + description: | Optional - Registered Resource Value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case.: - ``` - size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true - ``` - + rr_value_format // Registered Resource Value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case. actionAttributeValues: type: array items: 
@@ -1834,63 +1877,6 @@ components: $ref: '#/components/schemas/policy.RegisteredResourceValue' title: UpdateRegisteredResourceValueResponse additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - google.protobuf.Any: - type: object - properties: - type: - type: string - value: - type: string - format: binary - debug: - type: object - additionalProperties: true - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.registeredresources.RegisteredResourcesService diff --git a/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml b/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml index c49765740a..7928a38a98 100644 
--- a/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml +++ b/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml @@ -2,12 +2,12 @@ openapi: 3.1.0 info: title: policy.resourcemapping paths: - /policy.resourcemapping.ResourceMappingService/ListResourceMappingGroups: + /policy.resourcemapping.ResourceMappingService/CreateResourceMapping: post: tags: - policy.resourcemapping.ResourceMappingService - summary: ListResourceMappingGroups - operationId: policy.resourcemapping.ResourceMappingService.ListResourceMappingGroups + summary: CreateResourceMapping + operationId: policy.resourcemapping.ResourceMappingService.CreateResourceMapping parameters: - name: Connect-Protocol-Version in: header @@ -22,7 +22,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingGroupsRequest' + $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingRequest' required: true responses: default: @@ -36,13 +36,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingGroupsResponse' - /policy.resourcemapping.ResourceMappingService/GetResourceMappingGroup: + $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingResponse' + /policy.resourcemapping.ResourceMappingService/CreateResourceMappingGroup: post: tags: - policy.resourcemapping.ResourceMappingService - summary: GetResourceMappingGroup - operationId: policy.resourcemapping.ResourceMappingService.GetResourceMappingGroup + summary: CreateResourceMappingGroup + operationId: policy.resourcemapping.ResourceMappingService.CreateResourceMappingGroup parameters: - name: Connect-Protocol-Version in: header 
@@ -57,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingGroupRequest' + $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingGroupRequest' required: true responses: default: @@ -71,13 +71,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingGroupResponse' - /policy.resourcemapping.ResourceMappingService/CreateResourceMappingGroup: + $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingGroupResponse' + /policy.resourcemapping.ResourceMappingService/DeleteResourceMapping: post: tags: - policy.resourcemapping.ResourceMappingService - summary: CreateResourceMappingGroup - operationId: policy.resourcemapping.ResourceMappingService.CreateResourceMappingGroup + summary: DeleteResourceMapping + operationId: policy.resourcemapping.ResourceMappingService.DeleteResourceMapping parameters: - name: Connect-Protocol-Version in: header @@ -92,7 +92,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingGroupRequest' + $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingRequest' required: true responses: default: 
@@ -106,13 +106,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingGroupResponse' - /policy.resourcemapping.ResourceMappingService/UpdateResourceMappingGroup: + $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingResponse' + /policy.resourcemapping.ResourceMappingService/DeleteResourceMappingGroup: post: tags: - policy.resourcemapping.ResourceMappingService - summary: UpdateResourceMappingGroup - operationId: policy.resourcemapping.ResourceMappingService.UpdateResourceMappingGroup + summary: DeleteResourceMappingGroup + operationId: policy.resourcemapping.ResourceMappingService.DeleteResourceMappingGroup parameters: - name: Connect-Protocol-Version in: header @@ -127,7 +127,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.UpdateResourceMappingGroupRequest' + $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingGroupRequest' required: true responses: default: @@ -141,13 +141,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.UpdateResourceMappingGroupResponse' - /policy.resourcemapping.ResourceMappingService/DeleteResourceMappingGroup: + $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingGroupResponse' + /policy.resourcemapping.ResourceMappingService/GetResourceMapping: post: tags: - policy.resourcemapping.ResourceMappingService - summary: DeleteResourceMappingGroup - operationId: policy.resourcemapping.ResourceMappingService.DeleteResourceMappingGroup + summary: GetResourceMapping + operationId: policy.resourcemapping.ResourceMappingService.GetResourceMapping parameters: - name: Connect-Protocol-Version in: header 
@@ -162,7 +162,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingGroupRequest' + $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingRequest' required: true responses: default: @@ -176,13 +176,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingGroupResponse' - /policy.resourcemapping.ResourceMappingService/ListResourceMappings: + $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingResponse' + /policy.resourcemapping.ResourceMappingService/GetResourceMappingGroup: post: tags: - policy.resourcemapping.ResourceMappingService - summary: ListResourceMappings - operationId: policy.resourcemapping.ResourceMappingService.ListResourceMappings + summary: GetResourceMappingGroup + operationId: policy.resourcemapping.ResourceMappingService.GetResourceMappingGroup parameters: - name: Connect-Protocol-Version in: header @@ -197,7 +197,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsRequest' + $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingGroupRequest' required: true responses: default: 
@@ -211,13 +211,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsResponse' - /policy.resourcemapping.ResourceMappingService/ListResourceMappingsByGroupFqns: + $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingGroupResponse' + /policy.resourcemapping.ResourceMappingService/ListResourceMappingGroups: post: tags: - policy.resourcemapping.ResourceMappingService - summary: ListResourceMappingsByGroupFqns - operationId: policy.resourcemapping.ResourceMappingService.ListResourceMappingsByGroupFqns + summary: ListResourceMappingGroups + operationId: policy.resourcemapping.ResourceMappingService.ListResourceMappingGroups parameters: - name: Connect-Protocol-Version in: header @@ -232,7 +232,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsByGroupFqnsRequest' + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingGroupsRequest' required: true responses: default: @@ -246,13 +246,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsByGroupFqnsResponse' - /policy.resourcemapping.ResourceMappingService/GetResourceMapping: + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingGroupsResponse' + /policy.resourcemapping.ResourceMappingService/ListResourceMappings: post: tags: - policy.resourcemapping.ResourceMappingService - summary: GetResourceMapping - operationId: policy.resourcemapping.ResourceMappingService.GetResourceMapping + summary: ListResourceMappings + operationId: policy.resourcemapping.ResourceMappingService.ListResourceMappings parameters: - name: Connect-Protocol-Version in: header 
@@ -267,7 +267,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingRequest' + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsRequest' required: true responses: default: @@ -281,13 +281,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingResponse' - /policy.resourcemapping.ResourceMappingService/CreateResourceMapping: + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsResponse' + /policy.resourcemapping.ResourceMappingService/ListResourceMappingsByGroupFqns: post: tags: - policy.resourcemapping.ResourceMappingService - summary: CreateResourceMapping - operationId: policy.resourcemapping.ResourceMappingService.CreateResourceMapping + summary: ListResourceMappingsByGroupFqns + operationId: policy.resourcemapping.ResourceMappingService.ListResourceMappingsByGroupFqns parameters: - name: Connect-Protocol-Version in: header @@ -302,7 +302,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingRequest' + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsByGroupFqnsRequest' required: true responses: default: @@ -316,7 +316,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingResponse' + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsByGroupFqnsResponse' /policy.resourcemapping.ResourceMappingService/UpdateResourceMapping: post: tags: 
@@ -352,12 +352,12 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.resourcemapping.UpdateResourceMappingResponse' - /policy.resourcemapping.ResourceMappingService/DeleteResourceMapping: + /policy.resourcemapping.ResourceMappingService/UpdateResourceMappingGroup: post: tags: - policy.resourcemapping.ResourceMappingService - summary: DeleteResourceMapping - operationId: policy.resourcemapping.ResourceMappingService.DeleteResourceMapping + summary: UpdateResourceMappingGroup + operationId: policy.resourcemapping.ResourceMappingService.UpdateResourceMappingGroup parameters: - name: Connect-Protocol-Version in: header @@ -372,7 +372,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingRequest' + $ref: '#/components/schemas/policy.resourcemapping.UpdateResourceMappingGroupRequest' required: true responses: default: 
@@ -386,84 +386,9 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingResponse' + $ref: '#/components/schemas/policy.resourcemapping.UpdateResourceMappingGroupResponse' components: schemas: - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL 
- description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS common.Metadata: type: object properties: 
@@ -519,6 +444,82 @@ components: title: value title: LabelsEntry additionalProperties: false + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -531,8 +532,8 @@ components: google.protobuf.Timestamp: type: string examples: - - 1s - - 1.000340012s + - "2023-01-15T01:30:15.01Z" + - "2024-12-25T12:00:00Z" format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -626,41 +627,65 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - oneOf: + allOf: - properties: - custom: + id: + type: string + title: id + description: Generated uuid in database + name: type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + - oneOf: + - type: object + properties: + custom: + type: string + title: custom + description: Deprecated title: custom - description: Deprecated - title: custom - required: - - custom - - properties: - standard: + required: + - custom + - type: object + properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' - title: standard - required: - - standard - properties: - id: - type: string - title: id - description: Generated uuid in database - name: - type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' + required: + - standard title: Action additionalProperties: false description: An action an entity can take + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. 
policy.Attribute: type: object properties: @@ -717,6 +742,14 @@ components: required: - rule additionalProperties: false + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -734,7 +767,6 @@ components: type: array items: type: string - minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -750,6 +782,13 @@ components: * A Condition defines a rule of + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: @@ -786,7 +825,7 @@ components: alg: not: enum: - - 0 + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -798,6 +837,19 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: 
@@ -820,13 +872,9 @@ components: uri: type: string title: uri - description: |+ + description: | Address of a KAS instance - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -1024,7 +1072,8 @@ components: policy.PublicKey: type: object oneOf: - - properties: + - type: object + properties: cached: title: cached description: public key with additional information. Current preferred version @@ -1032,17 +1081,14 @@ components: title: cached required: - cached - - properties: + - type: object + properties: remote: type: string title: remote - description: |+ + description: | kas public key url - optional since can also be retrieved via public key - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. title: remote required: - remote 
@@ -1150,6 +1196,17 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: @@ -1215,6 +1272,14 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectSet: type: object properties: @@ -1321,8 +1386,6 @@ components: type: array items: type: string - maxItems: 1000 - minItems: 1 title: terms maxItems: 1000 minItems: 1 @@ -1330,13 +1393,9 @@ components: groupId: type: string title: group_id - description: |+ + description: | Optional - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - + optional_uuid_format // Optional field must be a valid UUID metadata: title: metadata description: Optional @@ -1429,13 +1488,9 @@ components: namespaceId: type: string title: namespace_id - description: |+ + description: | Optional - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - + optional_uuid_format // Optional field must be a valid UUID pagination: title: pagination description: Optional 
@@ -1462,7 +1517,6 @@ components: type: array items: type: string - minItems: 1 title: fqns minItems: 1 description: |- @@ -1498,13 +1552,9 @@ components: groupId: type: string title: group_id - description: |+ + description: | Optional - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - + optional_uuid_format // Optional field must be a valid UUID pagination: title: pagination description: Optional @@ -1548,24 +1598,16 @@ components: namespaceId: type: string title: namespace_id - description: |+ + description: | Optional - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - + optional_uuid_format // Optional field must be a valid UUID name: type: string title: name maxLength: 253 - description: |+ + description: | Optional - Optional field must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored group name will be normalized to lower case.: - ``` - size(this) == 0 || this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + optional_name_format // Optional field must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored group name will be normalized to lower case. metadata: title: metadata description: Common metadata 
@@ -1594,31 +1636,22 @@ components: attributeValueId: type: string title: attribute_value_id - description: |+ + description: | Optional - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - + optional_uuid_format // Optional field must be a valid UUID terms: type: array items: type: string - maxItems: 1000 title: terms maxItems: 1000 description: Optional groupId: type: string title: group_id - description: |+ + description: | Optional - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - + optional_uuid_format // Optional field must be a valid UUID metadata: title: metadata description: |- 
@@ -1638,63 +1671,6 @@ components: $ref: '#/components/schemas/policy.ResourceMapping' title: UpdateResourceMappingResponse additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - google.protobuf.Any: - type: object - properties: - type: - type: string - value: - type: string - format: binary - debug: - type: object - additionalProperties: true - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.resourcemapping.ResourceMappingService diff --git a/docs/openapi/policy/selectors.openapi.yaml b/docs/openapi/policy/selectors.openapi.yaml index 8b885a5a41..65cc330d4a 100644 --- a/docs/openapi/policy/selectors.openapi.yaml 
+++ b/docs/openapi/policy/selectors.openapi.yaml @@ -4,18 +4,6 @@ info: paths: {} components: schemas: - policy.SortDirection: - type: string - title: SortDirection - enum: - - SORT_DIRECTION_UNSPECIFIED - - SORT_DIRECTION_ASC - - SORT_DIRECTION_DESC - description: |- - Sorting direction shared across list APIs. - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. policy.AttributeDefinitionSelector: type: object properties: @@ -164,4 +152,16 @@ components: description: Total count of entire list title: PageResponse additionalProperties: false + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - SORT_DIRECTION_ASC + - SORT_DIRECTION_DESC + description: |- + Sorting direction shared across list APIs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. security: [] diff --git a/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml b/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml index 1608ae7962..e1caccb81e 100644 --- a/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml +++ b/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml 
@@ -2,13 +2,12 @@ openapi: 3.1.0 info: title: policy.subjectmapping paths: - /policy.subjectmapping.SubjectMappingService/MatchSubjectMappings: + /policy.subjectmapping.SubjectMappingService/CreateDefinitionValueEntitlementMapping: post: tags: - policy.subjectmapping.SubjectMappingService - summary: MatchSubjectMappings - description: Find matching Subject Mappings for a given Subject - operationId: policy.subjectmapping.SubjectMappingService.MatchSubjectMappings + summary: CreateDefinitionValueEntitlementMapping + operationId: policy.subjectmapping.SubjectMappingService.CreateDefinitionValueEntitlementMapping parameters: - name: Connect-Protocol-Version in: header @@ -23,7 +22,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.MatchSubjectMappingsRequest' + $ref: '#/components/schemas/policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest' required: true responses: default: @@ -37,13 +36,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.MatchSubjectMappingsResponse' - /policy.subjectmapping.SubjectMappingService/ListSubjectMappings: + $ref: '#/components/schemas/policy.subjectmapping.CreateDefinitionValueEntitlementMappingResponse' + /policy.subjectmapping.SubjectMappingService/CreateSubjectConditionSet: post: tags: - policy.subjectmapping.SubjectMappingService - summary: ListSubjectMappings - operationId: policy.subjectmapping.SubjectMappingService.ListSubjectMappings + summary: CreateSubjectConditionSet + operationId: policy.subjectmapping.SubjectMappingService.CreateSubjectConditionSet parameters: - name: Connect-Protocol-Version in: header @@ -58,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.ListSubjectMappingsRequest' + $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectConditionSetRequest' required: true responses: default: 
@@ -72,13 +71,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.ListSubjectMappingsResponse' - /policy.subjectmapping.SubjectMappingService/GetSubjectMapping: + $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectConditionSetResponse' + /policy.subjectmapping.SubjectMappingService/CreateSubjectMapping: post: tags: - policy.subjectmapping.SubjectMappingService - summary: GetSubjectMapping - operationId: policy.subjectmapping.SubjectMappingService.GetSubjectMapping + summary: CreateSubjectMapping + operationId: policy.subjectmapping.SubjectMappingService.CreateSubjectMapping parameters: - name: Connect-Protocol-Version in: header @@ -93,7 +92,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.GetSubjectMappingRequest' + $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectMappingRequest' required: true responses: default: @@ -107,13 +106,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.GetSubjectMappingResponse' - /policy.subjectmapping.SubjectMappingService/CreateSubjectMapping: + $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectMappingResponse' + /policy.subjectmapping.SubjectMappingService/DeleteAllUnmappedSubjectConditionSets: post: tags: - policy.subjectmapping.SubjectMappingService - summary: CreateSubjectMapping - operationId: policy.subjectmapping.SubjectMappingService.CreateSubjectMapping + summary: DeleteAllUnmappedSubjectConditionSets + operationId: policy.subjectmapping.SubjectMappingService.DeleteAllUnmappedSubjectConditionSets parameters: - name: Connect-Protocol-Version in: header @@ -128,7 +127,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectMappingRequest' + $ref: '#/components/schemas/policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest' required: true responses: default: 
@@ -142,13 +141,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectMappingResponse' - /policy.subjectmapping.SubjectMappingService/UpdateSubjectMapping: + $ref: '#/components/schemas/policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse' + /policy.subjectmapping.SubjectMappingService/DeleteDefinitionValueEntitlementMapping: post: tags: - policy.subjectmapping.SubjectMappingService - summary: UpdateSubjectMapping - operationId: policy.subjectmapping.SubjectMappingService.UpdateSubjectMapping + summary: DeleteDefinitionValueEntitlementMapping + operationId: policy.subjectmapping.SubjectMappingService.DeleteDefinitionValueEntitlementMapping parameters: - name: Connect-Protocol-Version in: header @@ -163,7 +162,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectMappingRequest' + $ref: '#/components/schemas/policy.subjectmapping.DeleteDefinitionValueEntitlementMappingRequest' required: true responses: default: 
@@ -177,7 +176,42 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectMappingResponse' + $ref: '#/components/schemas/policy.subjectmapping.DeleteDefinitionValueEntitlementMappingResponse' + /policy.subjectmapping.SubjectMappingService/DeleteSubjectConditionSet: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: DeleteSubjectConditionSet + operationId: policy.subjectmapping.SubjectMappingService.DeleteSubjectConditionSet + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectConditionSetRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectConditionSetResponse' /policy.subjectmapping.SubjectMappingService/DeleteSubjectMapping: post: tags: @@ -213,12 +247,12 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectMappingResponse' - /policy.subjectmapping.SubjectMappingService/ListSubjectConditionSets: + /policy.subjectmapping.SubjectMappingService/GetDefinitionValueEntitlementMapping: post: tags: - policy.subjectmapping.SubjectMappingService - summary: ListSubjectConditionSets - operationId: policy.subjectmapping.SubjectMappingService.ListSubjectConditionSets + summary: GetDefinitionValueEntitlementMapping + operationId: policy.subjectmapping.SubjectMappingService.GetDefinitionValueEntitlementMapping parameters: - name: Connect-Protocol-Version in: header 
@@ -233,7 +267,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.ListSubjectConditionSetsRequest' + $ref: '#/components/schemas/policy.subjectmapping.GetDefinitionValueEntitlementMappingRequest' required: true responses: default: @@ -247,7 +281,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.ListSubjectConditionSetsResponse' + $ref: '#/components/schemas/policy.subjectmapping.GetDefinitionValueEntitlementMappingResponse' /policy.subjectmapping.SubjectMappingService/GetSubjectConditionSet: post: tags: @@ -283,12 +317,12 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.subjectmapping.GetSubjectConditionSetResponse' - /policy.subjectmapping.SubjectMappingService/CreateSubjectConditionSet: + /policy.subjectmapping.SubjectMappingService/GetSubjectMapping: post: tags: - policy.subjectmapping.SubjectMappingService - summary: CreateSubjectConditionSet - operationId: policy.subjectmapping.SubjectMappingService.CreateSubjectConditionSet + summary: GetSubjectMapping + operationId: policy.subjectmapping.SubjectMappingService.GetSubjectMapping parameters: - name: Connect-Protocol-Version in: header @@ -303,7 +337,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectConditionSetRequest' + $ref: '#/components/schemas/policy.subjectmapping.GetSubjectMappingRequest' required: true responses: default: 
@@ -317,13 +351,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectConditionSetResponse' - /policy.subjectmapping.SubjectMappingService/UpdateSubjectConditionSet: + $ref: '#/components/schemas/policy.subjectmapping.GetSubjectMappingResponse' + /policy.subjectmapping.SubjectMappingService/ListDefinitionValueEntitlementMappings: post: tags: - policy.subjectmapping.SubjectMappingService - summary: UpdateSubjectConditionSet - operationId: policy.subjectmapping.SubjectMappingService.UpdateSubjectConditionSet + summary: ListDefinitionValueEntitlementMappings + operationId: policy.subjectmapping.SubjectMappingService.ListDefinitionValueEntitlementMappings parameters: - name: Connect-Protocol-Version in: header @@ -338,7 +372,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectConditionSetRequest' + $ref: '#/components/schemas/policy.subjectmapping.ListDefinitionValueEntitlementMappingsRequest' required: true responses: default: @@ -352,13 +386,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectConditionSetResponse' - /policy.subjectmapping.SubjectMappingService/DeleteSubjectConditionSet: + $ref: '#/components/schemas/policy.subjectmapping.ListDefinitionValueEntitlementMappingsResponse' + /policy.subjectmapping.SubjectMappingService/ListSubjectConditionSets: post: tags: - policy.subjectmapping.SubjectMappingService - summary: DeleteSubjectConditionSet - operationId: policy.subjectmapping.SubjectMappingService.DeleteSubjectConditionSet + summary: ListSubjectConditionSets + operationId: policy.subjectmapping.SubjectMappingService.ListSubjectConditionSets parameters: - name: Connect-Protocol-Version in: header 
@@ -373,7 +407,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectConditionSetRequest' + $ref: '#/components/schemas/policy.subjectmapping.ListSubjectConditionSetsRequest' required: true responses: default: @@ -387,13 +421,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectConditionSetResponse' - /policy.subjectmapping.SubjectMappingService/DeleteAllUnmappedSubjectConditionSets: + $ref: '#/components/schemas/policy.subjectmapping.ListSubjectConditionSetsResponse' + /policy.subjectmapping.SubjectMappingService/ListSubjectMappings: post: tags: - policy.subjectmapping.SubjectMappingService - summary: DeleteAllUnmappedSubjectConditionSets - operationId: policy.subjectmapping.SubjectMappingService.DeleteAllUnmappedSubjectConditionSets + summary: ListSubjectMappings + operationId: policy.subjectmapping.SubjectMappingService.ListSubjectMappings parameters: - name: Connect-Protocol-Version in: header @@ -408,7 +442,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest' + $ref: '#/components/schemas/policy.subjectmapping.ListSubjectMappingsRequest' required: true responses: default: 
@@ -422,110 +456,150 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse' + $ref: '#/components/schemas/policy.subjectmapping.ListSubjectMappingsResponse' + /policy.subjectmapping.SubjectMappingService/MatchSubjectMappings: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: MatchSubjectMappings + description: Find matching Subject Mappings for a given Subject + operationId: policy.subjectmapping.SubjectMappingService.MatchSubjectMappings + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.MatchSubjectMappingsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.MatchSubjectMappingsResponse' + /policy.subjectmapping.SubjectMappingService/UpdateDefinitionValueEntitlementMapping: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: UpdateDefinitionValueEntitlementMapping + operationId: policy.subjectmapping.SubjectMappingService.UpdateDefinitionValueEntitlementMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest' + required: true + responses: + default: + 
description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.UpdateDefinitionValueEntitlementMappingResponse' + /policy.subjectmapping.SubjectMappingService/UpdateSubjectConditionSet: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: UpdateSubjectConditionSet + operationId: policy.subjectmapping.SubjectMappingService.UpdateSubjectConditionSet + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectConditionSetRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectConditionSetResponse' + /policy.subjectmapping.SubjectMappingService/UpdateSubjectMapping: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: UpdateSubjectMapping + operationId: policy.subjectmapping.SubjectMappingService.UpdateSubjectMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: 
'#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectMappingResponse' components: schemas: - common.MetadataUpdateEnum: - type: string - title: MetadataUpdateEnum - enum: - - METADATA_UPDATE_ENUM_UNSPECIFIED - - METADATA_UPDATE_ENUM_EXTEND - - METADATA_UPDATE_ENUM_REPLACE - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 - policy.SortDirection: - type: string - title: SortDirection - enum: - - SORT_DIRECTION_UNSPECIFIED - - SORT_DIRECTION_ASC - - SORT_DIRECTION_DESC - description: |- - Sorting direction 
shared across list APIs. - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS - policy.subjectmapping.SortSubjectConditionSetsType: - type: string - title: SortSubjectConditionSetsType - enum: - - SORT_SUBJECT_CONDITION_SETS_TYPE_UNSPECIFIED - - SORT_SUBJECT_CONDITION_SETS_TYPE_CREATED_AT - - SORT_SUBJECT_CONDITION_SETS_TYPE_UPDATED_AT - policy.subjectmapping.SortSubjectMappingsType: - type: string - title: SortSubjectMappingsType - enum: - - SORT_SUBJECT_MAPPINGS_TYPE_UNSPECIFIED - - SORT_SUBJECT_MAPPINGS_TYPE_CREATED_AT - - SORT_SUBJECT_MAPPINGS_TYPE_UPDATED_AT common.Metadata: type: object properties: 
@@ -581,6 +655,82 @@ components: title: value title: LabelsEntry additionalProperties: false + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. 
This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -593,8 +743,8 @@ components: google.protobuf.Timestamp: type: string examples: - - 1s - - 1.000340012s + - "2023-01-15T01:30:15.01Z" + - "2024-12-25T12:00:00Z" format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -688,41 +838,65 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - oneOf: + allOf: - properties: - custom: + id: type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + - oneOf: + - type: object + properties: + custom: + type: string + title: custom + description: Deprecated title: custom - description: Deprecated - title: custom - required: - - custom - - properties: - standard: + required: + - custom + - type: object + properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' - title: standard - required: - - standard - properties: - id: - type: string - title: id - description: Generated uuid in database - name: - type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' + required: + - standard title: Action additionalProperties: false description: An action an entity can take + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. 
policy.Attribute: type: object properties: @@ -779,6 +953,14 @@ components: required: - rule additionalProperties: false + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -796,7 +978,6 @@ components: type: array items: type: string - minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -812,6 +993,13 @@ components: * A Condition defines a rule of + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: 
@@ -827,9 +1015,86 @@ components: $ref: '#/components/schemas/policy.ConditionBooleanTypeEnum' title: ConditionGroup required: - - booleanOperator + - booleanOperator + additionalProperties: false + description: A collection of Conditions evaluated by the boolean_operator provided + policy.DefinitionValueEntitlementMapping: + type: object + properties: + id: + type: string + title: id + attributeDefinition: + title: attribute_definition + description: the Attribute Definition whose values are entitled dynamically + $ref: '#/components/schemas/policy.Attribute' + valueResolver: + title: value_resolver + description: the dynamic resolver matched against the requested resource value segment + $ref: '#/components/schemas/policy.DefinitionValueResolver' + subjectConditionSet: + title: subject_condition_set + description: |- + optional static pre-gate on the entity, evaluated with normal SubjectConditionSet + semantics (no dynamic overload). When present, both the gate and the resolver must + pass for entitlement. + $ref: '#/components/schemas/policy.SubjectConditionSet' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: the actions permitted by subjects in this mapping + namespace: + title: namespace + description: the namespace containing this mapping + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: DefinitionValueEntitlementMapping + additionalProperties: false + description: |- + Definition Value Entitlement Mapping: a Policy assigning permitted action(s) to + dynamically-requested values under an Attribute Definition. It raises entitlement + authority from a concrete Attribute Value to the Attribute Definition: at decision time + the value_resolver compares the requested resource value segment against the entity + representation, avoiding pre-provisioning a value + subject mapping per discrete value. 
+ policy.DefinitionValueResolver: + type: object + properties: + subjectExternalSelectorValue: + type: string + title: subject_external_selector_value + description: |- + a selector for a field value on a flattened Entity Representation (such as from + idP/LDAP), e.g. ".patientAssignments[]" + operator: + title: operator + description: the dynamic operator comparing the selector result to the resource value segment + $ref: '#/components/schemas/policy.DynamicValueOperatorEnum' + title: DefinitionValueResolver + required: + - subjectExternalSelectorValue + - operator additionalProperties: false - description: A collection of Conditions evaluated by the boolean_operator provided + description: |- + Definition Value Resolver: the dynamic half of a DefinitionValueEntitlementMapping. It + resolves a selector against the entity representation and compares the result to the + requested resource value segment using a DynamicValueOperatorEnum. + policy.DynamicValueOperatorEnum: + type: string + title: DynamicValueOperatorEnum + enum: + - DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED + - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN + - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS + description: |- + Operators for dynamic, definition-level value entitlement. Unlike + SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into + policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's + attribute value segment, supplied at decision time. Each value is the inversion of its + static SubjectMappingOperatorEnum counterpart. policy.KasPublicKey: type: object properties: @@ -848,7 +1113,7 @@ components: alg: not: enum: - - 0 + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED title: alg description: |- A known algorithm type with any additional parameters encoded. 
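Review bot: In `policy.DefinitionValueResolver`, `operator` and `subjectExternalSelectorValue` are listed under `required`, but nothing visible excludes `DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED` or an empty selector, whereas `policy.KasPublicKey.alg` in this same file carries `not: enum: [KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED]`. Since this resolver decides entitlement for every value under a definition, I would reject both at validation time (the equivalent of `not: enum: [DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED]` on `operator` and `minLength: 1` on the selector) and have evaluation deny on an unspecified operator. The `policy.DynamicValueOperatorEnum` description should also state, for `RESOURCE_VALUE_IN_CONTAINS`, which operand is searched inside which and whether the match is case-sensitive, because the right-hand operand is the requested resource's value segment supplied at decision time. If this spec is generated, the change belongs in the source definitions and the file should be regenerated.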
@@ -860,6 +1125,19 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: @@ -882,13 +1160,9 @@ components: uri: type: string title: uri - description: |+ + description: | Address of a KAS instance - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -1086,7 +1360,8 @@ components: policy.PublicKey: type: object oneOf: - - properties: + - type: object + properties: cached: title: cached description: public key with additional information. Current preferred version 
@@ -1094,17 +1369,14 @@ components: title: cached required: - cached - - properties: + - type: object + properties: remote: type: string title: remote - description: |+ + description: | kas public key url - optional since can also be retrieved via public key - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. title: remote required: - remote @@ -1212,6 +1484,29 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - SORT_DIRECTION_ASC + - SORT_DIRECTION_DESC + description: |- + Sorting direction shared across list APIs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: 
@@ -1277,6 +1572,14 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectProperty: type: object properties: 
@@ -1368,6 +1671,73 @@ components: $ref: '#/components/schemas/common.Metadata' title: Value additionalProperties: false + policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest: + type: object + allOf: + - oneOf: + - required: + - attributeDefinitionId + - required: + - attributeDefinitionFqn + properties: + attributeDefinitionId: + type: string + title: attribute_definition_id + description: | + optional_uuid_format // Optional field must be a valid UUID + attributeDefinitionFqn: + type: string + title: attribute_definition_fqn + format: uri + valueResolver: + title: value_resolver + description: 'Required: the dynamic resolver comparing entity selector result to the resource value segment' + $ref: '#/components/schemas/policy.DefinitionValueResolver' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + minItems: 1 + description: | + Required: actions permitted on a matched value + action_name_or_id_not_empty // Action name or ID must not be empty if provided + existingSubjectConditionSetId: + type: string + title: existing_subject_condition_set_id + description: | + Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ... + optional_uuid_format // Optional field must be a valid UUID + newSubjectConditionSet: + title: new_subject_condition_set + description: '... 
or create a new one (ignored if existing_subject_condition_set_id is provided)' + $ref: '#/components/schemas/policy.subjectmapping.SubjectConditionSetCreate' + namespaceId: + type: string + title: namespace_id + description: | + Optional: namespace ID or FQN for the mapping + optional_uuid_format // Optional field must be a valid UUID + namespaceFqn: + type: string + title: namespace_fqn + format: uri + metadata: + title: metadata + description: Optional + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateDefinitionValueEntitlementMappingRequest + required: + - valueResolver + additionalProperties: false + policy.subjectmapping.CreateDefinitionValueEntitlementMappingResponse: + type: object + properties: + definitionValueEntitlementMapping: + title: definition_value_entitlement_mapping + $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' + title: CreateDefinitionValueEntitlementMappingResponse + additionalProperties: false policy.subjectmapping.CreateSubjectConditionSetRequest: type: object properties: 
@@ -1411,25 +1781,17 @@ components: $ref: '#/components/schemas/policy.Action' title: actions minItems: 1 - description: |+ + description: | Required The actions permitted by subjects in this mapping - Action name or ID must not be empty if provided: - ``` - this.all(item, item.name != '' || item.id != '') - ``` - + action_name_or_id_not_empty // Action name or ID must not be empty if provided existingSubjectConditionSetId: type: string title: existing_subject_condition_set_id - description: |+ + description: | Either of the following: Reuse existing SubjectConditionSet (NOTE: prioritized over new_subject_condition_set) - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - + optional_uuid_format // Optional field must be a valid UUID newSubjectConditionSet: title: new_subject_condition_set description: 'Create new SubjectConditionSet (NOTE: ignored if existing_subject_condition_set_id is provided)' @@ -1460,6 +1822,17 @@ components: $ref: '#/components/schemas/policy.SubjectMapping' title: CreateSubjectMappingResponse additionalProperties: false + policy.subjectmapping.DefinitionValueEntitlementMappingsSort: + type: object + properties: + field: + title: field + $ref: '#/components/schemas/policy.subjectmapping.SortDefinitionValueEntitlementMappingsType' + direction: + title: direction + $ref: '#/components/schemas/policy.SortDirection' + title: DefinitionValueEntitlementMappingsSort + additionalProperties: false policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest: type: object title: DeleteAllUnmappedSubjectConditionSetsRequest 
@@ -1476,6 +1849,25 @@ components: description: Only IDs of any deleted Subject Condition Set provided title: DeleteAllUnmappedSubjectConditionSetsResponse additionalProperties: false + policy.subjectmapping.DeleteDefinitionValueEntitlementMappingRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: DeleteDefinitionValueEntitlementMappingRequest + additionalProperties: false + policy.subjectmapping.DeleteDefinitionValueEntitlementMappingResponse: + type: object + properties: + definitionValueEntitlementMapping: + title: definition_value_entitlement_mapping + description: Only ID of the deleted mapping provided + $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' + title: DeleteDefinitionValueEntitlementMappingResponse + additionalProperties: false policy.subjectmapping.DeleteSubjectConditionSetRequest: type: object properties: @@ -1514,6 +1906,24 @@ components: $ref: '#/components/schemas/policy.SubjectMapping' title: DeleteSubjectMappingResponse additionalProperties: false + policy.subjectmapping.GetDefinitionValueEntitlementMappingRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: GetDefinitionValueEntitlementMappingRequest + additionalProperties: false + policy.subjectmapping.GetDefinitionValueEntitlementMappingResponse: + type: object + properties: + definitionValueEntitlementMapping: + title: definition_value_entitlement_mapping + $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' + title: GetDefinitionValueEntitlementMappingResponse + additionalProperties: false policy.subjectmapping.GetSubjectConditionSetRequest: type: object properties: 
@@ -1556,6 +1966,47 @@ components: $ref: '#/components/schemas/policy.SubjectMapping' title: GetSubjectMappingResponse additionalProperties: false + policy.subjectmapping.ListDefinitionValueEntitlementMappingsRequest: + type: object + properties: + namespaceId: + type: string + title: namespace_id + description: | + Optional + Namespace ID, or Attribute Definition ID to filter by + optional_uuid_format // Optional field must be a valid UUID + attributeDefinitionId: + type: string + title: attribute_definition_id + description: | + optional_uuid_format // Optional field must be a valid UUID + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + sort: + type: array + items: + $ref: '#/components/schemas/policy.subjectmapping.DefinitionValueEntitlementMappingsSort' + title: sort + maxItems: 1 + description: 'Optional - CONSTRAINT: max 1 item' + title: ListDefinitionValueEntitlementMappingsRequest + additionalProperties: false + policy.subjectmapping.ListDefinitionValueEntitlementMappingsResponse: + type: object + properties: + definitionValueEntitlementMappings: + type: array + items: + $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' + title: definition_value_entitlement_mappings + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListDefinitionValueEntitlementMappingsResponse + additionalProperties: false policy.subjectmapping.ListSubjectConditionSetsRequest: type: object properties: 
@@ -1666,6 +2117,27 @@ components: title: subject_mappings title: MatchSubjectMappingsResponse additionalProperties: false + policy.subjectmapping.SortDefinitionValueEntitlementMappingsType: + type: string + title: SortDefinitionValueEntitlementMappingsType + enum: + - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED + - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT + - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT + policy.subjectmapping.SortSubjectConditionSetsType: + type: string + title: SortSubjectConditionSetsType + enum: + - SORT_SUBJECT_CONDITION_SETS_TYPE_UNSPECIFIED + - SORT_SUBJECT_CONDITION_SETS_TYPE_CREATED_AT + - SORT_SUBJECT_CONDITION_SETS_TYPE_UPDATED_AT + policy.subjectmapping.SortSubjectMappingsType: + type: string + title: SortSubjectMappingsType + enum: + - SORT_SUBJECT_MAPPINGS_TYPE_UNSPECIFIED + - SORT_SUBJECT_MAPPINGS_TYPE_CREATED_AT + - SORT_SUBJECT_MAPPINGS_TYPE_UPDATED_AT policy.subjectmapping.SubjectConditionSetCreate: type: object properties: 
@@ -1706,6 +2178,49 @@ components: $ref: '#/components/schemas/policy.SortDirection' title: SubjectMappingsSort additionalProperties: false + policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + valueResolver: + title: value_resolver + description: 'Optional: replace the dynamic resolver' + $ref: '#/components/schemas/policy.DefinitionValueResolver' + subjectConditionSetId: + type: string + title: subject_condition_set_id + description: | + Optional: replace the static pre-gate SubjectConditionSet by id + optional_uuid_format // Optional field must be a valid UUID + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: | + Optional: replace the entire list of actions + action_name_or_id_not_empty // Action name or ID must not be empty if provided + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateDefinitionValueEntitlementMappingRequest + additionalProperties: false + policy.subjectmapping.UpdateDefinitionValueEntitlementMappingResponse: + type: object + properties: + definitionValueEntitlementMapping: + title: definition_value_entitlement_mapping + $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' + title: UpdateDefinitionValueEntitlementMappingResponse + additionalProperties: false policy.subjectmapping.UpdateSubjectConditionSetRequest: type: object properties: 
@@ -1751,27 +2266,19 @@ components: subjectConditionSetId: type: string title: subject_condition_set_id - description: |+ + description: | Optional Replaces the existing SubjectConditionSet id with a new one - Optional field must be a valid UUID: - ``` - size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') - ``` - + optional_uuid_format // Optional field must be a valid UUID actions: type: array items: $ref: '#/components/schemas/policy.Action' title: actions - description: |+ + description: | Optional Replaces entire list of actions permitted by subjects - Action name or ID must not be empty if provided: - ``` - this.size() == 0 || this.all(item, item.name != '' || item.id != '') - ``` - + action_name_or_id_not_empty // Action name or ID must not be empty if provided metadata: title: metadata description: Common metadata 
@@ -1790,63 +2297,6 @@ components: $ref: '#/components/schemas/policy.SubjectMapping' title: UpdateSubjectMappingResponse additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - google.protobuf.Any: - type: object - properties: - type: - type: string - value: - type: string - format: binary - debug: - type: object - additionalProperties: true - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.subjectmapping.SubjectMappingService diff --git a/docs/openapi/policy/unsafe/unsafe.openapi.yaml b/docs/openapi/policy/unsafe/unsafe.openapi.yaml index 279b0154a6..168c60f735 100644 --- a/docs/openapi/policy/unsafe/unsafe.openapi.yaml 
+++ b/docs/openapi/policy/unsafe/unsafe.openapi.yaml @@ -2,16 +2,12 @@ openapi: 3.1.0 info: title: policy.unsafe paths: - /policy.unsafe.UnsafeService/UnsafeUpdateNamespace: + /policy.unsafe.UnsafeService/UnsafeDeleteAttribute: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeUpdateNamespace - description: |- - --------------------------------------* - Namespace RPCs - --------------------------------------- - operationId: policy.unsafe.UnsafeService.UnsafeUpdateNamespace + summary: UnsafeDeleteAttribute + operationId: policy.unsafe.UnsafeService.UnsafeDeleteAttribute parameters: - name: Connect-Protocol-Version in: header @@ -26,7 +22,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateNamespaceRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeRequest' required: true responses: default: @@ -40,13 +36,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateNamespaceResponse' - /policy.unsafe.UnsafeService/UnsafeReactivateNamespace: + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeResponse' + /policy.unsafe.UnsafeService/UnsafeDeleteAttributeValue: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeReactivateNamespace - operationId: policy.unsafe.UnsafeService.UnsafeReactivateNamespace + summary: UnsafeDeleteAttributeValue + operationId: policy.unsafe.UnsafeService.UnsafeDeleteAttributeValue parameters: - name: Connect-Protocol-Version in: header @@ -61,7 +57,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateNamespaceRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeValueRequest' required: true responses: default: 
@@ -75,13 +71,17 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateNamespaceResponse' - /policy.unsafe.UnsafeService/UnsafeDeleteNamespace: + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeValueResponse' + /policy.unsafe.UnsafeService/UnsafeDeleteKasKey: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeDeleteNamespace - operationId: policy.unsafe.UnsafeService.UnsafeDeleteNamespace + summary: UnsafeDeleteKasKey + description: |- + --------------------------------------* + Kas Key RPCs + --------------------------------------- + operationId: policy.unsafe.UnsafeService.UnsafeDeleteKasKey parameters: - name: Connect-Protocol-Version in: header @@ -96,7 +96,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteNamespaceRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteKasKeyRequest' required: true responses: default: @@ -110,17 +110,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteNamespaceResponse' - /policy.unsafe.UnsafeService/UnsafeUpdateAttribute: + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteKasKeyResponse' + /policy.unsafe.UnsafeService/UnsafeDeleteNamespace: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeUpdateAttribute - description: |- - --------------------------------------* - Attribute RPCs - --------------------------------------- - operationId: policy.unsafe.UnsafeService.UnsafeUpdateAttribute + summary: UnsafeDeleteNamespace + operationId: policy.unsafe.UnsafeService.UnsafeDeleteNamespace parameters: - name: Connect-Protocol-Version in: header @@ -135,7 +131,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteNamespaceRequest' required: true responses: default: 
@@ -149,7 +145,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeResponse' + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteNamespaceResponse' /policy.unsafe.UnsafeService/UnsafeReactivateAttribute: post: tags: @@ -185,12 +181,12 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateAttributeResponse' - /policy.unsafe.UnsafeService/UnsafeDeleteAttribute: + /policy.unsafe.UnsafeService/UnsafeReactivateAttributeValue: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeDeleteAttribute - operationId: policy.unsafe.UnsafeService.UnsafeDeleteAttribute + summary: UnsafeReactivateAttributeValue + operationId: policy.unsafe.UnsafeService.UnsafeReactivateAttributeValue parameters: - name: Connect-Protocol-Version in: header @@ -205,7 +201,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateAttributeValueRequest' required: true responses: default: @@ -219,17 +215,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeResponse' - /policy.unsafe.UnsafeService/UnsafeUpdateAttributeValue: + $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateAttributeValueResponse' + /policy.unsafe.UnsafeService/UnsafeReactivateNamespace: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeUpdateAttributeValue - description: |- - --------------------------------------* - Value RPCs - --------------------------------------- - operationId: policy.unsafe.UnsafeService.UnsafeUpdateAttributeValue + summary: UnsafeReactivateNamespace + operationId: policy.unsafe.UnsafeService.UnsafeReactivateNamespace parameters: - name: Connect-Protocol-Version in: header 
@@ -244,7 +236,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeValueRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateNamespaceRequest' required: true responses: default: @@ -258,13 +250,17 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeValueResponse' - /policy.unsafe.UnsafeService/UnsafeReactivateAttributeValue: + $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateNamespaceResponse' + /policy.unsafe.UnsafeService/UnsafeUpdateAttribute: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeReactivateAttributeValue - operationId: policy.unsafe.UnsafeService.UnsafeReactivateAttributeValue + summary: UnsafeUpdateAttribute + description: |- + --------------------------------------* + Attribute RPCs + --------------------------------------- + operationId: policy.unsafe.UnsafeService.UnsafeUpdateAttribute parameters: - name: Connect-Protocol-Version in: header @@ -279,7 +275,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateAttributeValueRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeRequest' required: true responses: default: 
@@ -293,13 +289,17 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateAttributeValueResponse' - /policy.unsafe.UnsafeService/UnsafeDeleteAttributeValue: + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeResponse' + /policy.unsafe.UnsafeService/UnsafeUpdateAttributeValue: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeDeleteAttributeValue - operationId: policy.unsafe.UnsafeService.UnsafeDeleteAttributeValue + summary: UnsafeUpdateAttributeValue + description: |- + --------------------------------------* + Value RPCs + --------------------------------------- + operationId: policy.unsafe.UnsafeService.UnsafeUpdateAttributeValue parameters: - name: Connect-Protocol-Version in: header @@ -314,7 +314,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeValueRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeValueRequest' required: true responses: default: @@ -328,17 +328,17 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeValueResponse' - /policy.unsafe.UnsafeService/UnsafeDeleteKasKey: + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeValueResponse' + /policy.unsafe.UnsafeService/UnsafeUpdateNamespace: post: tags: - policy.unsafe.UnsafeService - summary: UnsafeDeleteKasKey + summary: UnsafeUpdateNamespace description: |- --------------------------------------* - Kas Key RPCs + Namespace RPCs --------------------------------------- - operationId: policy.unsafe.UnsafeService.UnsafeDeleteKasKey + operationId: policy.unsafe.UnsafeService.UnsafeUpdateNamespace parameters: - name: Connect-Protocol-Version in: header 
@@ -353,7 +353,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteKasKeyRequest' + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateNamespaceRequest' required: true responses: default: 
@@ -367,95 +367,9 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteKasKeyResponse' + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateNamespaceResponse' components: schemas: - policy.Action.StandardAction: - type: string - title: StandardAction - enum: - - STANDARD_ACTION_UNSPECIFIED - - STANDARD_ACTION_DECRYPT - - STANDARD_ACTION_TRANSMIT - policy.Algorithm: - type: string - title: Algorithm - enum: - - ALGORITHM_UNSPECIFIED - - ALGORITHM_RSA_2048 - - ALGORITHM_RSA_4096 - - ALGORITHM_EC_P256 - - ALGORITHM_EC_P384 - - ALGORITHM_EC_P521 - - ALGORITHM_HPQT_XWING - - ALGORITHM_HPQT_SECP256R1_MLKEM768 - - ALGORITHM_HPQT_SECP384R1_MLKEM1024 - description: Supported key algorithms. - policy.AttributeRuleTypeEnum: - type: string - title: AttributeRuleTypeEnum - enum: - - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED - - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF - - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF - - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY - policy.ConditionBooleanTypeEnum: - type: string - title: ConditionBooleanTypeEnum - enum: - - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - - CONDITION_BOOLEAN_TYPE_ENUM_AND - - CONDITION_BOOLEAN_TYPE_ENUM_OR - policy.KasPublicKeyAlgEnum: - type: string - title: KasPublicKeyAlgEnum - enum: - - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 - - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 - policy.KeyMode: - type: string - title: KeyMode - enum: - - KEY_MODE_UNSPECIFIED - - KEY_MODE_CONFIG_ROOT_KEY - - KEY_MODE_PROVIDER_ROOT_KEY - - KEY_MODE_REMOTE - - KEY_MODE_PUBLIC_KEY_ONLY - description: Describes the management and operational mode of a cryptographic key. 
- policy.KeyStatus: - type: string - title: KeyStatus - enum: - - KEY_STATUS_UNSPECIFIED - - KEY_STATUS_ACTIVE - - KEY_STATUS_ROTATED - description: The status of the key - policy.SourceType: - type: string - title: SourceType - enum: - - SOURCE_TYPE_UNSPECIFIED - - SOURCE_TYPE_INTERNAL - - SOURCE_TYPE_EXTERNAL - description: |- - Describes whether this kas is managed by the organization or if they imported - the kas information from an external party. These two modes are necessary in order - to encrypt a tdf dek with an external parties kas public key. - policy.SubjectMappingOperatorEnum: - type: string - title: SubjectMappingOperatorEnum - enum: - - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED - - SUBJECT_MAPPING_OPERATOR_ENUM_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN - - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS common.Metadata: type: object properties: 
@@ -488,6 +402,75 @@ components: title: value title: LabelsEntry additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. 
The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.BoolValue: type: boolean description: |- @@ -500,8 +483,8 @@ components: google.protobuf.Timestamp: type: string examples: - - 1s - - 1.000340012s + - "2023-01-15T01:30:15.01Z" + - "2024-12-25T12:00:00Z" format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -595,41 +578,65 @@ components: ) to obtain a formatter capable of generating timestamps in this format. policy.Action: type: object - oneOf: + allOf: - properties: - custom: + id: type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + - oneOf: + - type: object + properties: + custom: + type: string + title: custom + description: Deprecated title: custom - description: Deprecated - title: custom - required: - - custom - - properties: - standard: + required: + - custom + - type: object + properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' title: standard - description: Deprecated - $ref: '#/components/schemas/policy.Action.StandardAction' - title: standard - required: - - standard - properties: - id: - type: string - title: id - description: Generated uuid in database - name: - type: string - title: name - namespace: - title: namespace - description: Namespace context for this action - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' + required: + - standard title: Action additionalProperties: false description: An action an entity can take + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. 
policy.AsymmetricKey: type: object properties: @@ -731,6 +738,14 @@ components: required: - rule additionalProperties: false + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY policy.Condition: type: object properties: @@ -748,7 +763,6 @@ components: type: array items: type: string - minItems: 1 title: subject_external_values minItems: 1 description: |- @@ -764,6 +778,13 @@ components: * A Condition defines a rule of + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR policy.ConditionGroup: type: object properties: @@ -814,7 +835,7 @@ components: alg: not: enum: - - 0 + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED title: alg description: |- A known algorithm type with any additional parameters encoded. @@ -826,6 +847,19 @@ components: description: |- Deprecated A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 policy.KasPublicKeySet: type: object properties: 
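Review bot: The rewritten `policy.Action` schema (hunk at -595) keeps `additionalProperties: false` at the top level while every property (`id`, `name`, `namespace`, `metadata`, `custom`, `standard`) now sits inside `allOf` branches. In JSON Schema, `additionalProperties` only takes account of `properties` declared in the same schema object, so a strict validator or a gateway enforcing this spec would reject any populated Action. The nested `oneOf` still lists `custom` and `standard` under `required`, so exactly one of two fields described as "Deprecated" must be present. If the file is generator output, the fix belongs in the generator configuration. Otherwise drop the top-level `additionalProperties: false`, or replace it with `unevaluatedProperties: false` if the spec targets OpenAPI 3.1.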
@@ -848,13 +882,9 @@ components: uri: type: string title: uri - description: |+ + description: | Address of a KAS instance - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. publicKey: title: public_key description: 'Deprecated: KAS can have multiple key pairs' @@ -882,6 +912,16 @@ components: title: KeyAccessServer additionalProperties: false description: Key Access Server Registry + policy.KeyMode: + type: string + title: KeyMode + enum: + - KEY_MODE_UNSPECIFIED + - KEY_MODE_CONFIG_ROOT_KEY + - KEY_MODE_PROVIDER_ROOT_KEY + - KEY_MODE_REMOTE + - KEY_MODE_PUBLIC_KEY_ONLY + description: Describes the management and operational mode of a cryptographic key. policy.KeyProviderConfig: type: object properties: @@ -904,6 +944,14 @@ components: $ref: '#/components/schemas/common.Metadata' title: KeyProviderConfig additionalProperties: false + policy.KeyStatus: + type: string + title: KeyStatus + enum: + - KEY_STATUS_UNSPECIFIED + - KEY_STATUS_ACTIVE + - KEY_STATUS_ROTATED + description: The status of the key policy.Namespace: type: object properties: @@ -1046,7 +1094,8 @@ components: policy.PublicKey: type: object oneOf: - - properties: + - type: object + properties: cached: title: cached description: public key with additional information. Current preferred version 
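Review bot: The new `uri` description (hunk at -848) replaces the validation expression with the text `uri_format // URI must be a valid URL ...`, so the spec now shows a rule identifier instead of the constraint itself. The removed lines documented that `uri` accepts `http` or `https` while `remote` (hunk at -1054) is `https` only, and API consumers can no longer see that difference. The same change recurs for `name`, `value` and the namespace `name` in the hunks at -1525, -1586 and -1618. Consider carrying each expression as a `pattern:` keyword on the field, or at least dropping the rule-id prefix from the description. If this file is generated, that is a generator or proto-annotation change rather than an edit here.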
@@ -1054,17 +1103,14 @@ components: title: cached required: - cached - - properties: + - type: object + properties: remote: type: string title: remote - description: |+ + description: | kas public key url - optional since can also be retrieved via public key - URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: - ``` - this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') - ``` - + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. title: remote required: - remote @@ -1182,6 +1228,17 @@ components: title: pem title: SimpleKasPublicKey additionalProperties: false + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. policy.SubjectConditionSet: type: object properties: @@ -1247,6 +1304,14 @@ components: description: |- Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute value + action(s) combination + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS policy.SubjectSet: type: object properties: 
@@ -1525,15 +1590,11 @@ components: type: string title: name maxLength: 253 - description: |+ + description: | Optional WARNING!! Updating the name of an Attribute will retroactively alter access to existing TDFs of the old and new Attribute name. - Attribute name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute name will be normalized to lower case.: - ``` - size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true - ``` - + attribute_name_format // Attribute name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute name will be normalized to lower case. rule: title: rule description: |- @@ -1586,13 +1647,9 @@ components: type: string title: value maxLength: 253 - description: |+ + description: | Required - Attribute Value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute value will be normalized to lower case.: - ``` - this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') - ``` - + value_format // Attribute Value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute value will be normalized to lower case. title: UnsafeUpdateAttributeValueRequest additionalProperties: false description: |- 
@@ -1618,13 +1675,9 @@ components: type: string title: name maxLength: 253 - description: |+ + description: | Required - Namespace must be a valid hostname. It should include at least one dot, with each segment (label) starting and ending with an alphanumeric character. Each label must be 1 to 63 characters long, allowing hyphens but not as the first or last character. The top-level domain (the last segment after the final dot) must consist of at least two alphabetic characters. The stored namespace will be normalized to lower case.: - ``` - this.matches('^([a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?\\.)+[a-zA-Z]{2,}$') - ``` - + namespace_name_format // Namespace must be a valid hostname. It should include at least one dot, with each segment (label) starting and ending with an alphanumeric character. Each label must be 1 to 63 characters long, allowing hyphens but not as the first or last character. The top-level domain (the last segment after the final dot) must consist of at least two alphabetic characters. The stored namespace will be normalized to lower case. title: UnsafeUpdateNamespaceRequest additionalProperties: false description: |- 
@@ -1639,63 +1692,6 @@ components: $ref: '#/components/schemas/policy.Namespace' title: UnsafeUpdateNamespaceResponse additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - google.protobuf.Any: - type: object - properties: - type: - type: string - value: - type: string - format: binary - debug: - type: object - additionalProperties: true - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: policy.unsafe.UnsafeService diff --git a/docs/openapi/wellknownconfiguration/wellknown_configuration.openapi.yaml b/docs/openapi/wellknownconfiguration/wellknown_configuration.openapi.yaml index ad18ddfa64..203cf0b27e 100644 
--- a/docs/openapi/wellknownconfiguration/wellknown_configuration.openapi.yaml
+++ b/docs/openapi/wellknownconfiguration/wellknown_configuration.openapi.yaml
@@ -39,16 +39,75 @@ paths: $ref: '#/components/schemas/wellknownconfiguration.GetWellKnownConfigurationResponse' components: schemas: - google.protobuf.NullValue: - type: string - title: NullValue + connect-protocol-version: + type: number + title: Connect-Protocol-Version enum: - - NULL_VALUE - description: |- - `NullValue` is a singleton enumeration to represent the null value for the - `Value` type union. - - The JSON representation for `NullValue` is JSON `null`. + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. 
For example: `type.googleapis.com/google.rpc.ErrorInfo`. This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. google.protobuf.ListValue: type: object properties: @@ -64,6 +123,16 @@ components: `ListValue` is a wrapper around a repeated field of values. The JSON representation for `ListValue` is JSON array. + google.protobuf.NullValue: + type: string + title: NullValue + enum: + - NULL_VALUE + description: |- + `NullValue` is a singleton enumeration to represent the null value for the + `Value` type union. + + The JSON representation for `NullValue` is JSON `null`. google.protobuf.Struct: type: object additionalProperties: 
@@ -138,63 +207,6 @@ components: $ref: '#/components/schemas/google.protobuf.Struct' title: ConfigurationEntry additionalProperties: false - connect-protocol-version: - type: number - title: Connect-Protocol-Version - enum: - - 1 - description: Define the version of the Connect protocol - const: 1 - connect-timeout-header: - type: number - title: Connect-Timeout-Ms - description: Define the timeout, in ms - connect.error: - type: object - properties: - code: - type: string - examples: - - not_found - enum: - - canceled - - unknown - - invalid_argument - - deadline_exceeded - - not_found - - already_exists - - permission_denied - - resource_exhausted - - failed_precondition - - aborted - - out_of_range - - unimplemented - - internal - - unavailable - - data_loss - - unauthenticated - description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. - message: - type: string - description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. - detail: - $ref: '#/components/schemas/google.protobuf.Any' - title: Connect Error - additionalProperties: true - description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' - google.protobuf.Any: - type: object - properties: - type: - type: string - value: - type: string - format: binary - debug: - type: object - additionalProperties: true - additionalProperties: true - description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. security: [] tags: - name: wellknownconfiguration.WellKnownService diff --git a/protocol/go/policy/definitionvalueentitlement/definition_value_entitlement.pb.go b/protocol/go/policy/definitionvalueentitlement/definition_value_entitlement.pb.go deleted file mode 100644 index c3df1f758f..0000000000 
--- a/protocol/go/policy/definitionvalueentitlement/definition_value_entitlement.pb.go
+++ /dev/null
@@ -1,1365 +0,0 @@ -// Code generated by protoc-gen-go. DO NOT EDIT. -// versions: -// protoc-gen-go v1.33.0 -// protoc (unknown) -// source: policy/definitionvalueentitlement/definition_value_entitlement.proto - -package definitionvalueentitlement - -import ( - _ "buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go/buf/validate" - common "github.com/opentdf/platform/protocol/go/common" - policy "github.com/opentdf/platform/protocol/go/policy" - subjectmapping "github.com/opentdf/platform/protocol/go/policy/subjectmapping" - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - reflect "reflect" - sync "sync" -) - -const ( - // Verify that this generated code is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) - // Verify that runtime/protoimpl is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) -) - -type SortDefinitionValueEntitlementMappingsType int32 - -const ( - SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED SortDefinitionValueEntitlementMappingsType = 0 - SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT SortDefinitionValueEntitlementMappingsType = 1 - SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT SortDefinitionValueEntitlementMappingsType = 2 -) - -// Enum value maps for SortDefinitionValueEntitlementMappingsType. 
-var ( - SortDefinitionValueEntitlementMappingsType_name = map[int32]string{ - 0: "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED", - 1: "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT", - 2: "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT", - } - SortDefinitionValueEntitlementMappingsType_value = map[string]int32{ - "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED": 0, - "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT": 1, - "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT": 2, - } -) - -func (x SortDefinitionValueEntitlementMappingsType) Enum() *SortDefinitionValueEntitlementMappingsType { - p := new(SortDefinitionValueEntitlementMappingsType) - *p = x - return p -} - -func (x SortDefinitionValueEntitlementMappingsType) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (SortDefinitionValueEntitlementMappingsType) Descriptor() protoreflect.EnumDescriptor { - return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_enumTypes[0].Descriptor() -} - -func (SortDefinitionValueEntitlementMappingsType) Type() protoreflect.EnumType { - return &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_enumTypes[0] -} - -func (x SortDefinitionValueEntitlementMappingsType) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use SortDefinitionValueEntitlementMappingsType.Descriptor instead. 
-func (SortDefinitionValueEntitlementMappingsType) EnumDescriptor() ([]byte, []int) { - return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{0} -} - -type GetDefinitionValueEntitlementMappingRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Required - Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` -} - -func (x *GetDefinitionValueEntitlementMappingRequest) Reset() { - *x = GetDefinitionValueEntitlementMappingRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *GetDefinitionValueEntitlementMappingRequest) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*GetDefinitionValueEntitlementMappingRequest) ProtoMessage() {} - -func (x *GetDefinitionValueEntitlementMappingRequest) ProtoReflect() protoreflect.Message { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use GetDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. 
-func (*GetDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { - return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{0} -} - -func (x *GetDefinitionValueEntitlementMappingRequest) GetId() string { - if x != nil { - return x.Id - } - return "" -} - -type GetDefinitionValueEntitlementMappingResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` -} - -func (x *GetDefinitionValueEntitlementMappingResponse) Reset() { - *x = GetDefinitionValueEntitlementMappingResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *GetDefinitionValueEntitlementMappingResponse) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*GetDefinitionValueEntitlementMappingResponse) ProtoMessage() {} - -func (x *GetDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[1] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use GetDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
-func (*GetDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { - return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{1} -} - -func (x *GetDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { - if x != nil { - return x.DefinitionValueEntitlementMapping - } - return nil -} - -type DefinitionValueEntitlementMappingsSort struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Field SortDefinitionValueEntitlementMappingsType `protobuf:"varint,1,opt,name=field,proto3,enum=policy.definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType" json:"field,omitempty"` - Direction policy.SortDirection `protobuf:"varint,2,opt,name=direction,proto3,enum=policy.SortDirection" json:"direction,omitempty"` -} - -func (x *DefinitionValueEntitlementMappingsSort) Reset() { - *x = DefinitionValueEntitlementMappingsSort{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[2] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *DefinitionValueEntitlementMappingsSort) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*DefinitionValueEntitlementMappingsSort) ProtoMessage() {} - -func (x *DefinitionValueEntitlementMappingsSort) ProtoReflect() protoreflect.Message { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[2] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use DefinitionValueEntitlementMappingsSort.ProtoReflect.Descriptor instead. 
-func (*DefinitionValueEntitlementMappingsSort) Descriptor() ([]byte, []int) { - return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{2} -} - -func (x *DefinitionValueEntitlementMappingsSort) GetField() SortDefinitionValueEntitlementMappingsType { - if x != nil { - return x.Field - } - return SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED -} - -func (x *DefinitionValueEntitlementMappingsSort) GetDirection() policy.SortDirection { - if x != nil { - return x.Direction - } - return policy.SortDirection(0) -} - -type ListDefinitionValueEntitlementMappingsRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Optional - // Namespace ID or FQN, or Attribute Definition ID or FQN to filter by - NamespaceId string `protobuf:"bytes,1,opt,name=namespace_id,json=namespaceId,proto3" json:"namespace_id,omitempty"` - AttributeDefinitionId string `protobuf:"bytes,2,opt,name=attribute_definition_id,json=attributeDefinitionId,proto3" json:"attribute_definition_id,omitempty"` - // Optional - Pagination *policy.PageRequest `protobuf:"bytes,10,opt,name=pagination,proto3" json:"pagination,omitempty"` - // Optional - CONSTRAINT: max 1 item - Sort []*DefinitionValueEntitlementMappingsSort `protobuf:"bytes,11,rep,name=sort,proto3" json:"sort,omitempty"` -} - -func (x *ListDefinitionValueEntitlementMappingsRequest) Reset() { - *x = ListDefinitionValueEntitlementMappingsRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[3] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ListDefinitionValueEntitlementMappingsRequest) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ListDefinitionValueEntitlementMappingsRequest) ProtoMessage() {} - -func (x 
*ListDefinitionValueEntitlementMappingsRequest) ProtoReflect() protoreflect.Message { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[3] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ListDefinitionValueEntitlementMappingsRequest.ProtoReflect.Descriptor instead. -func (*ListDefinitionValueEntitlementMappingsRequest) Descriptor() ([]byte, []int) { - return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{3} -} - -func (x *ListDefinitionValueEntitlementMappingsRequest) GetNamespaceId() string { - if x != nil { - return x.NamespaceId - } - return "" -} - -func (x *ListDefinitionValueEntitlementMappingsRequest) GetAttributeDefinitionId() string { - if x != nil { - return x.AttributeDefinitionId - } - return "" -} - -func (x *ListDefinitionValueEntitlementMappingsRequest) GetPagination() *policy.PageRequest { - if x != nil { - return x.Pagination - } - return nil -} - -func (x *ListDefinitionValueEntitlementMappingsRequest) GetSort() []*DefinitionValueEntitlementMappingsSort { - if x != nil { - return x.Sort - } - return nil -} - -type ListDefinitionValueEntitlementMappingsResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - DefinitionValueEntitlementMappings []*policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,rep,name=definition_value_entitlement_mappings,json=definitionValueEntitlementMappings,proto3" json:"definition_value_entitlement_mappings,omitempty"` - Pagination *policy.PageResponse `protobuf:"bytes,10,opt,name=pagination,proto3" json:"pagination,omitempty"` -} - -func (x *ListDefinitionValueEntitlementMappingsResponse) Reset() { - *x = ListDefinitionValueEntitlementMappingsResponse{} - if 
protoimpl.UnsafeEnabled { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[4] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ListDefinitionValueEntitlementMappingsResponse) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ListDefinitionValueEntitlementMappingsResponse) ProtoMessage() {} - -func (x *ListDefinitionValueEntitlementMappingsResponse) ProtoReflect() protoreflect.Message { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[4] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ListDefinitionValueEntitlementMappingsResponse.ProtoReflect.Descriptor instead. -func (*ListDefinitionValueEntitlementMappingsResponse) Descriptor() ([]byte, []int) { - return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{4} -} - -func (x *ListDefinitionValueEntitlementMappingsResponse) GetDefinitionValueEntitlementMappings() []*policy.DefinitionValueEntitlementMapping { - if x != nil { - return x.DefinitionValueEntitlementMappings - } - return nil -} - -func (x *ListDefinitionValueEntitlementMappingsResponse) GetPagination() *policy.PageResponse { - if x != nil { - return x.Pagination - } - return nil -} - -type CreateDefinitionValueEntitlementMappingRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - AttributeDefinitionId string `protobuf:"bytes,1,opt,name=attribute_definition_id,json=attributeDefinitionId,proto3" json:"attribute_definition_id,omitempty"` - AttributeDefinitionFqn string `protobuf:"bytes,2,opt,name=attribute_definition_fqn,json=attributeDefinitionFqn,proto3" json:"attribute_definition_fqn,omitempty"` - // 
Required: the dynamic resolver comparing entity selector result to the resource value segment - ValueResolver *policy.DefinitionValueResolver `protobuf:"bytes,3,opt,name=value_resolver,json=valueResolver,proto3" json:"value_resolver,omitempty"` - // Required: actions permitted on a matched value - Actions []*policy.Action `protobuf:"bytes,4,rep,name=actions,proto3" json:"actions,omitempty"` - // Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ... - ExistingSubjectConditionSetId string `protobuf:"bytes,5,opt,name=existing_subject_condition_set_id,json=existingSubjectConditionSetId,proto3" json:"existing_subject_condition_set_id,omitempty"` - // ... or create a new one (ignored if existing_subject_condition_set_id is provided) - NewSubjectConditionSet *subjectmapping.SubjectConditionSetCreate `protobuf:"bytes,6,opt,name=new_subject_condition_set,json=newSubjectConditionSet,proto3" json:"new_subject_condition_set,omitempty"` - // Optional: namespace ID or FQN for the mapping - NamespaceId string `protobuf:"bytes,7,opt,name=namespace_id,json=namespaceId,proto3" json:"namespace_id,omitempty"` - NamespaceFqn string `protobuf:"bytes,8,opt,name=namespace_fqn,json=namespaceFqn,proto3" json:"namespace_fqn,omitempty"` - // Optional - Metadata *common.MetadataMutable `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"` -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) Reset() { - *x = CreateDefinitionValueEntitlementMappingRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[5] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*CreateDefinitionValueEntitlementMappingRequest) ProtoMessage() {} - -func (x *CreateDefinitionValueEntitlementMappingRequest) ProtoReflect() 
protoreflect.Message { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[5] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use CreateDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. -func (*CreateDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { - return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{5} -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetAttributeDefinitionId() string { - if x != nil { - return x.AttributeDefinitionId - } - return "" -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetAttributeDefinitionFqn() string { - if x != nil { - return x.AttributeDefinitionFqn - } - return "" -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetValueResolver() *policy.DefinitionValueResolver { - if x != nil { - return x.ValueResolver - } - return nil -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetActions() []*policy.Action { - if x != nil { - return x.Actions - } - return nil -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetExistingSubjectConditionSetId() string { - if x != nil { - return x.ExistingSubjectConditionSetId - } - return "" -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetNewSubjectConditionSet() *subjectmapping.SubjectConditionSetCreate { - if x != nil { - return x.NewSubjectConditionSet - } - return nil -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetNamespaceId() string { - if x != nil { - return x.NamespaceId - } - return "" -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetNamespaceFqn() string { - if x != nil { - return x.NamespaceFqn - } - return "" -} - -func (x 
*CreateDefinitionValueEntitlementMappingRequest) GetMetadata() *common.MetadataMutable { - if x != nil { - return x.Metadata - } - return nil -} - -type CreateDefinitionValueEntitlementMappingResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` -} - -func (x *CreateDefinitionValueEntitlementMappingResponse) Reset() { - *x = CreateDefinitionValueEntitlementMappingResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[6] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *CreateDefinitionValueEntitlementMappingResponse) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*CreateDefinitionValueEntitlementMappingResponse) ProtoMessage() {} - -func (x *CreateDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[6] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use CreateDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
-func (*CreateDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { - return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{6} -} - -func (x *CreateDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { - if x != nil { - return x.DefinitionValueEntitlementMapping - } - return nil -} - -type UpdateDefinitionValueEntitlementMappingRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Required - Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` - // Optional: replace the dynamic resolver - ValueResolver *policy.DefinitionValueResolver `protobuf:"bytes,2,opt,name=value_resolver,json=valueResolver,proto3" json:"value_resolver,omitempty"` - // Optional: replace the static pre-gate SubjectConditionSet by id - SubjectConditionSetId string `protobuf:"bytes,3,opt,name=subject_condition_set_id,json=subjectConditionSetId,proto3" json:"subject_condition_set_id,omitempty"` - // Optional: replace the entire list of actions - Actions []*policy.Action `protobuf:"bytes,4,rep,name=actions,proto3" json:"actions,omitempty"` - // Common metadata - Metadata *common.MetadataMutable `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"` - MetadataUpdateBehavior common.MetadataUpdateEnum `protobuf:"varint,101,opt,name=metadata_update_behavior,json=metadataUpdateBehavior,proto3,enum=common.MetadataUpdateEnum" json:"metadata_update_behavior,omitempty"` -} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) Reset() { - *x = UpdateDefinitionValueEntitlementMappingRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[7] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x 
*UpdateDefinitionValueEntitlementMappingRequest) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*UpdateDefinitionValueEntitlementMappingRequest) ProtoMessage() {} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) ProtoReflect() protoreflect.Message { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[7] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use UpdateDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. -func (*UpdateDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { - return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{7} -} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) GetId() string { - if x != nil { - return x.Id - } - return "" -} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) GetValueResolver() *policy.DefinitionValueResolver { - if x != nil { - return x.ValueResolver - } - return nil -} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) GetSubjectConditionSetId() string { - if x != nil { - return x.SubjectConditionSetId - } - return "" -} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) GetActions() []*policy.Action { - if x != nil { - return x.Actions - } - return nil -} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) GetMetadata() *common.MetadataMutable { - if x != nil { - return x.Metadata - } - return nil -} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) GetMetadataUpdateBehavior() common.MetadataUpdateEnum { - if x != nil { - return x.MetadataUpdateBehavior - } - return common.MetadataUpdateEnum(0) -} - -type UpdateDefinitionValueEntitlementMappingResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - 
unknownFields protoimpl.UnknownFields - - DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` -} - -func (x *UpdateDefinitionValueEntitlementMappingResponse) Reset() { - *x = UpdateDefinitionValueEntitlementMappingResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[8] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *UpdateDefinitionValueEntitlementMappingResponse) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*UpdateDefinitionValueEntitlementMappingResponse) ProtoMessage() {} - -func (x *UpdateDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[8] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use UpdateDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
-func (*UpdateDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { - return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{8} -} - -func (x *UpdateDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { - if x != nil { - return x.DefinitionValueEntitlementMapping - } - return nil -} - -type DeleteDefinitionValueEntitlementMappingRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Required - Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` -} - -func (x *DeleteDefinitionValueEntitlementMappingRequest) Reset() { - *x = DeleteDefinitionValueEntitlementMappingRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[9] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *DeleteDefinitionValueEntitlementMappingRequest) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*DeleteDefinitionValueEntitlementMappingRequest) ProtoMessage() {} - -func (x *DeleteDefinitionValueEntitlementMappingRequest) ProtoReflect() protoreflect.Message { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[9] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use DeleteDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. 
-func (*DeleteDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { - return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{9} -} - -func (x *DeleteDefinitionValueEntitlementMappingRequest) GetId() string { - if x != nil { - return x.Id - } - return "" -} - -type DeleteDefinitionValueEntitlementMappingResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Only ID of the deleted mapping provided - DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` -} - -func (x *DeleteDefinitionValueEntitlementMappingResponse) Reset() { - *x = DeleteDefinitionValueEntitlementMappingResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[10] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *DeleteDefinitionValueEntitlementMappingResponse) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*DeleteDefinitionValueEntitlementMappingResponse) ProtoMessage() {} - -func (x *DeleteDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { - mi := &file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[10] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use DeleteDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
-func (*DeleteDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { - return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP(), []int{10} -} - -func (x *DeleteDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { - if x != nil { - return x.DefinitionValueEntitlementMapping - } - return nil -} - -var File_policy_definitionvalueentitlement_definition_value_entitlement_proto protoreflect.FileDescriptor - -var file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDesc = []byte{ - 0x0a, 0x44, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, - 0x65, 0x6e, 0x74, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x21, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, - 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, - 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x1a, 0x1b, 0x62, 0x75, 0x66, 0x2f, 0x76, - 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x13, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x63, - 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x14, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x1a, 0x16, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, - 0x6f, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2b, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 
0x67, - 0x2f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x47, 0x0a, 0x2b, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, - 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x22, - 0xaa, 0x01, 0x0a, 0x2c, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, - 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x12, 0x7a, 0x0a, 0x24, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, - 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, - 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x21, 0x64, 0x65, 0x66, 0x69, 0x6e, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, - 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0xd6, 0x01, 0x0a, - 0x26, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x12, 0x6d, 0x0a, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, - 0x18, 0x01, 0x20, 0x01, 0x28, 
0x0e, 0x32, 0x4d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, - 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x6f, 0x72, 0x74, 0x44, - 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, - 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x73, 0x54, 0x79, 0x70, 0x65, 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, - 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x12, 0x3d, 0x0a, 0x09, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, - 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, - 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x09, 0x64, 0x69, 0x72, 0x65, - 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x96, 0x05, 0x0a, 0x2d, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, - 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, - 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0xd7, 0x01, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, - 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, - 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, - 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, - 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, - 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, - 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, - 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 
0x69, 0x73, 0x2e, 0x6d, 0x61, - 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, - 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, - 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, - 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, - 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, - 0x32, 0x7d, 0x27, 0x29, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, - 0x64, 0x12, 0xec, 0x01, 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, - 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, - 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, - 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, - 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, - 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, - 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, - 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, - 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, - 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, - 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, - 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, - 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x61, 0x74, 0x74, 0x72, 0x69, - 0x62, 
0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, - 0x12, 0x33, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0a, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x61, - 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x67, 0x0a, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x18, 0x0b, 0x20, - 0x03, 0x28, 0x0b, 0x32, 0x49, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, - 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, - 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x42, 0x08, - 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x10, 0x01, 0x52, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x22, 0xe4, - 0x01, 0x0a, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, - 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, - 0x65, 0x12, 0x7c, 0x0a, 0x25, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, - 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x29, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, - 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, - 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x22, 0x64, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 
0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, - 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, - 0x34, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0a, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x61, 0x67, - 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x52, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xda, 0x0a, 0x0a, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, - 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, - 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0xec, 0x01, 0x0a, 0x17, 0x61, 0x74, 0x74, - 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, - 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, - 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, - 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, - 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, - 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, - 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, - 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, - 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, - 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, - 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 
0x7d, 0x2d, 0x5b, - 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, - 0x52, 0x15, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x44, 0x0a, 0x18, 0x61, 0x74, 0x74, 0x72, 0x69, - 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, - 0x66, 0x71, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, - 0x10, 0x00, 0x88, 0x01, 0x01, 0x52, 0x16, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, - 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x71, 0x6e, 0x12, 0x4e, 0x0a, - 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, - 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, - 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0d, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, 0xb8, 0x01, - 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, - 0x8d, 0x01, 0xba, 0x48, 0x89, 0x01, 0xba, 0x01, 0x80, 0x01, 0x0a, 0x1b, 0x61, 0x63, 0x74, 0x69, - 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x6f, 0x72, 0x5f, 0x69, 0x64, 0x5f, 0x6e, 0x6f, - 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x2f, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, - 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, 0x20, 0x49, 0x44, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, - 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x20, 0x69, 0x66, 0x20, - 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x64, 0x1a, 0x30, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, - 0x6c, 0x6c, 0x28, 
0x69, 0x74, 0x65, 0x6d, 0x2c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, - 0x6d, 0x65, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x20, 0x7c, 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, - 0x2e, 0x69, 0x64, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x29, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, - 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0xfe, 0x01, 0x0a, 0x21, 0x65, 0x78, 0x69, - 0x73, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, - 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x05, - 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, - 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, - 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, - 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, - 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, - 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, - 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, - 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, - 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, - 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, - 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, - 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x1d, 0x65, 0x78, 0x69, 0x73, - 0x74, 0x69, 0x6e, 0x67, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, - 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x49, 0x64, 0x12, 0x6b, 0x0a, 0x19, 0x6e, 0x65, 0x77, - 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 
0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x52, 0x16, - 0x6e, 0x65, 0x77, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0xd7, 0x01, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, - 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, - 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, - 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, - 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, - 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, - 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, - 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, - 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, - 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, - 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, - 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, - 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, - 0x7d, 0x27, 0x29, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, - 0x12, 0x2f, 0x0a, 0x0d, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x66, 
0x71, - 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x00, - 0x88, 0x01, 0x01, 0x52, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x46, 0x71, - 0x6e, 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, - 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x3a, 0x3a, 0xba, 0x48, 0x37, 0x22, 0x35, 0x0a, 0x17, 0x61, - 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x0a, 0x18, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, - 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x66, 0x71, 0x6e, - 0x10, 0x01, 0x22, 0xad, 0x01, 0x0a, 0x2f, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, - 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x7a, 0x0a, 0x24, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, - 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, - 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, - 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, - 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, - 0x21, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x22, 0xd7, 0x05, 
0x0a, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, - 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x12, - 0x46, 0x0a, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, - 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, - 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, 0xed, 0x01, 0x0a, 0x18, 0x73, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, - 0x74, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, - 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, - 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, - 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, - 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, - 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, - 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, - 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, - 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, - 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 
0x5d, 0x7b, 0x34, 0x7d, 0x2d, - 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, - 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, - 0x52, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x49, 0x64, 0x12, 0xc7, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, - 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x9c, 0x01, 0xba, 0x48, 0x98, 0x01, - 0xba, 0x01, 0x94, 0x01, 0x0a, 0x1b, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, - 0x65, 0x5f, 0x6f, 0x72, 0x5f, 0x69, 0x64, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, - 0x79, 0x12, 0x2f, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, - 0x72, 0x20, 0x49, 0x44, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, - 0x20, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x20, 0x69, 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, - 0x65, 0x64, 0x1a, 0x44, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x29, 0x20, - 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, 0x6c, 0x6c, - 0x28, 0x69, 0x74, 0x65, 0x6d, 0x2c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, 0x6d, 0x65, - 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x20, 0x7c, 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x69, - 0x64, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x29, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, - 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x54, 0x0a, 0x18, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 
0x61, 0x5f, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, - 0x6f, 0x72, 0x18, 0x65, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1a, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, - 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, - 0x45, 0x6e, 0x75, 0x6d, 0x52, 0x16, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, - 0x64, 0x61, 0x74, 0x65, 0x42, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x22, 0xad, 0x01, 0x0a, - 0x2f, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, - 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x12, 0x7a, 0x0a, 0x24, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, - 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, - 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x21, 0x64, 0x65, 0x66, 0x69, 0x6e, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, - 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0x4a, 0x0a, 0x2e, - 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, - 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, - 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, - 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 
0x64, 0x22, 0xad, 0x01, 0x0a, 0x2f, 0x44, 0x65, 0x6c, - 0x65, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, - 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x7a, 0x0a, 0x24, - 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x6d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, - 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x21, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, - 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2a, 0xed, 0x01, 0x0a, 0x2a, 0x53, 0x6f, 0x72, - 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x3f, 0x0a, 0x3b, 0x53, 0x4f, 0x52, 0x54, 0x5f, - 0x44, 0x45, 0x46, 0x49, 0x4e, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, - 0x5f, 0x45, 0x4e, 0x54, 0x49, 0x54, 0x4c, 0x45, 0x4d, 0x45, 0x4e, 0x54, 0x5f, 0x4d, 0x41, 0x50, - 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, - 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x3e, 0x0a, 0x3a, 0x53, 0x4f, 0x52, 0x54, - 0x5f, 0x44, 0x45, 0x46, 0x49, 0x4e, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x56, 0x41, 0x4c, 0x55, - 0x45, 0x5f, 0x45, 0x4e, 0x54, 0x49, 0x54, 0x4c, 0x45, 0x4d, 0x45, 0x4e, 0x54, 
0x5f, 0x4d, 0x41, - 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, - 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x01, 0x12, 0x3e, 0x0a, 0x3a, 0x53, 0x4f, 0x52, 0x54, - 0x5f, 0x44, 0x45, 0x46, 0x49, 0x4e, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x56, 0x41, 0x4c, 0x55, - 0x45, 0x5f, 0x45, 0x4e, 0x54, 0x49, 0x54, 0x4c, 0x45, 0x4d, 0x45, 0x4e, 0x54, 0x5f, 0x4d, 0x41, - 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x50, 0x44, 0x41, - 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x02, 0x32, 0xcd, 0x08, 0x0a, 0x28, 0x44, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, - 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x53, 0x65, - 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0xd2, 0x01, 0x0a, 0x26, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, - 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, - 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, - 0x12, 0x50, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, - 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, - 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, - 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x51, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, - 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, - 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, - 0x65, 0x6d, 0x65, 
0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0xcc, 0x01, 0x0a, 0x24, 0x47, - 0x65, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, - 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x12, 0x4e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, - 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, - 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x1a, 0x4f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, - 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, - 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, - 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0xd2, 0x01, 0x0a, 0x27, 0x43, 0x72, - 0x65, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, - 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x51, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, - 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, - 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, - 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 
0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, - 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x52, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, - 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x43, 0x72, 0x65, - 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, - 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0xd2, - 0x01, 0x0a, 0x27, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, - 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x51, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x55, - 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x52, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, - 0x74, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, - 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 
0x73, - 0x65, 0x22, 0x00, 0x12, 0xd2, 0x01, 0x0a, 0x27, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, - 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, - 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, - 0x51, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, - 0x65, 0x6e, 0x74, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, - 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, - 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x52, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, - 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, - 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, - 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0xb8, 0x02, 0x0a, 0x25, 0x63, 0x6f, 0x6d, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, - 0x6e, 0x74, 0x42, 0x1f, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x50, 0x72, - 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x49, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, - 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, - 0x72, 0x6d, 0x2f, 0x70, 0x72, 
0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, - 0xa2, 0x02, 0x03, 0x50, 0x44, 0x58, 0xaa, 0x02, 0x21, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, - 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0xca, 0x02, 0x21, 0x50, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x5c, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0xe2, 0x02, - 0x2d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, - 0x6e, 0x74, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, - 0x22, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, - 0x65, 0x6e, 0x74, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} - -var ( - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescOnce sync.Once - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescData = file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDesc -) - -func file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescGZIP() []byte { - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescOnce.Do(func() { - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescData = 
protoimpl.X.CompressGZIP(file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescData) - }) - return file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDescData -} - -var file_policy_definitionvalueentitlement_definition_value_entitlement_proto_enumTypes = make([]protoimpl.EnumInfo, 1) -var file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes = make([]protoimpl.MessageInfo, 11) -var file_policy_definitionvalueentitlement_definition_value_entitlement_proto_goTypes = []interface{}{ - (SortDefinitionValueEntitlementMappingsType)(0), // 0: policy.definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType - (*GetDefinitionValueEntitlementMappingRequest)(nil), // 1: policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest - (*GetDefinitionValueEntitlementMappingResponse)(nil), // 2: policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse - (*DefinitionValueEntitlementMappingsSort)(nil), // 3: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingsSort - (*ListDefinitionValueEntitlementMappingsRequest)(nil), // 4: policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest - (*ListDefinitionValueEntitlementMappingsResponse)(nil), // 5: policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse - (*CreateDefinitionValueEntitlementMappingRequest)(nil), // 6: policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest - (*CreateDefinitionValueEntitlementMappingResponse)(nil), // 7: policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse - (*UpdateDefinitionValueEntitlementMappingRequest)(nil), // 8: policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest - (*UpdateDefinitionValueEntitlementMappingResponse)(nil), // 9: policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse - 
(*DeleteDefinitionValueEntitlementMappingRequest)(nil), // 10: policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest - (*DeleteDefinitionValueEntitlementMappingResponse)(nil), // 11: policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse - (*policy.DefinitionValueEntitlementMapping)(nil), // 12: policy.DefinitionValueEntitlementMapping - (policy.SortDirection)(0), // 13: policy.SortDirection - (*policy.PageRequest)(nil), // 14: policy.PageRequest - (*policy.PageResponse)(nil), // 15: policy.PageResponse - (*policy.DefinitionValueResolver)(nil), // 16: policy.DefinitionValueResolver - (*policy.Action)(nil), // 17: policy.Action - (*subjectmapping.SubjectConditionSetCreate)(nil), // 18: policy.subjectmapping.SubjectConditionSetCreate - (*common.MetadataMutable)(nil), // 19: common.MetadataMutable - (common.MetadataUpdateEnum)(0), // 20: common.MetadataUpdateEnum -} -var file_policy_definitionvalueentitlement_definition_value_entitlement_proto_depIdxs = []int32{ - 12, // 0: policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> policy.DefinitionValueEntitlementMapping - 0, // 1: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingsSort.field:type_name -> policy.definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType - 13, // 2: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingsSort.direction:type_name -> policy.SortDirection - 14, // 3: policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest.pagination:type_name -> policy.PageRequest - 3, // 4: policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest.sort:type_name -> policy.definitionvalueentitlement.DefinitionValueEntitlementMappingsSort - 12, // 5: policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse.definition_value_entitlement_mappings:type_name -> 
policy.DefinitionValueEntitlementMapping - 15, // 6: policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse.pagination:type_name -> policy.PageResponse - 16, // 7: policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest.value_resolver:type_name -> policy.DefinitionValueResolver - 17, // 8: policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest.actions:type_name -> policy.Action - 18, // 9: policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest.new_subject_condition_set:type_name -> policy.subjectmapping.SubjectConditionSetCreate - 19, // 10: policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest.metadata:type_name -> common.MetadataMutable - 12, // 11: policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> policy.DefinitionValueEntitlementMapping - 16, // 12: policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest.value_resolver:type_name -> policy.DefinitionValueResolver - 17, // 13: policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest.actions:type_name -> policy.Action - 19, // 14: policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest.metadata:type_name -> common.MetadataMutable - 20, // 15: policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 12, // 16: policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> policy.DefinitionValueEntitlementMapping - 12, // 17: policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> policy.DefinitionValueEntitlementMapping - 4, // 18: 
policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.ListDefinitionValueEntitlementMappings:input_type -> policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest - 1, // 19: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.GetDefinitionValueEntitlementMapping:input_type -> policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest - 6, // 20: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.CreateDefinitionValueEntitlementMapping:input_type -> policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest - 8, // 21: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.UpdateDefinitionValueEntitlementMapping:input_type -> policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest - 10, // 22: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.DeleteDefinitionValueEntitlementMapping:input_type -> policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest - 5, // 23: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.ListDefinitionValueEntitlementMappings:output_type -> policy.definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse - 2, // 24: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.GetDefinitionValueEntitlementMapping:output_type -> policy.definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse - 7, // 25: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.CreateDefinitionValueEntitlementMapping:output_type -> policy.definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse - 9, // 26: policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.UpdateDefinitionValueEntitlementMapping:output_type -> policy.definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse - 11, // 27: 
policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.DeleteDefinitionValueEntitlementMapping:output_type -> policy.definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse - 23, // [23:28] is the sub-list for method output_type - 18, // [18:23] is the sub-list for method input_type - 18, // [18:18] is the sub-list for extension type_name - 18, // [18:18] is the sub-list for extension extendee - 0, // [0:18] is the sub-list for field type_name -} - -func init() { file_policy_definitionvalueentitlement_definition_value_entitlement_proto_init() } -func file_policy_definitionvalueentitlement_definition_value_entitlement_proto_init() { - if File_policy_definitionvalueentitlement_definition_value_entitlement_proto != nil { - return - } - if !protoimpl.UnsafeEnabled { - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*GetDefinitionValueEntitlementMappingRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*GetDefinitionValueEntitlementMappingResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*DefinitionValueEntitlementMappingsSort); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { - switch v := 
v.(*ListDefinitionValueEntitlementMappingsRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ListDefinitionValueEntitlementMappingsResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*CreateDefinitionValueEntitlementMappingRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*CreateDefinitionValueEntitlementMappingResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*UpdateDefinitionValueEntitlementMappingRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*UpdateDefinitionValueEntitlementMappingResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[9].Exporter = func(v interface{}, 
i int) interface{} { - switch v := v.(*DeleteDefinitionValueEntitlementMappingRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*DeleteDefinitionValueEntitlementMappingResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - } - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDesc, - NumEnums: 1, - NumMessages: 11, - NumExtensions: 0, - NumServices: 1, - }, - GoTypes: file_policy_definitionvalueentitlement_definition_value_entitlement_proto_goTypes, - DependencyIndexes: file_policy_definitionvalueentitlement_definition_value_entitlement_proto_depIdxs, - EnumInfos: file_policy_definitionvalueentitlement_definition_value_entitlement_proto_enumTypes, - MessageInfos: file_policy_definitionvalueentitlement_definition_value_entitlement_proto_msgTypes, - }.Build() - File_policy_definitionvalueentitlement_definition_value_entitlement_proto = out.File - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_rawDesc = nil - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_goTypes = nil - file_policy_definitionvalueentitlement_definition_value_entitlement_proto_depIdxs = nil -} diff --git a/protocol/go/policy/definitionvalueentitlement/definition_value_entitlement_grpc.pb.go b/protocol/go/policy/definitionvalueentitlement/definition_value_entitlement_grpc.pb.go deleted file mode 100644 index 7aff532c33..0000000000 --- a/protocol/go/policy/definitionvalueentitlement/definition_value_entitlement_grpc.pb.go +++ /dev/null 
@@ -1,258 +0,0 @@ -// Code generated by protoc-gen-go-grpc. DO NOT EDIT. -// versions: -// - protoc-gen-go-grpc v1.3.0 -// - protoc (unknown) -// source: policy/definitionvalueentitlement/definition_value_entitlement.proto - -package definitionvalueentitlement - -import ( - context "context" - grpc "google.golang.org/grpc" - codes "google.golang.org/grpc/codes" - status "google.golang.org/grpc/status" -) - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the grpc package it is being compiled against. -// Requires gRPC-Go v1.32.0 or later. -const _ = grpc.SupportPackageIsVersion7 - -const ( - DefinitionValueEntitlementMappingService_ListDefinitionValueEntitlementMappings_FullMethodName = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/ListDefinitionValueEntitlementMappings" - DefinitionValueEntitlementMappingService_GetDefinitionValueEntitlementMapping_FullMethodName = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/GetDefinitionValueEntitlementMapping" - DefinitionValueEntitlementMappingService_CreateDefinitionValueEntitlementMapping_FullMethodName = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/CreateDefinitionValueEntitlementMapping" - DefinitionValueEntitlementMappingService_UpdateDefinitionValueEntitlementMapping_FullMethodName = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/UpdateDefinitionValueEntitlementMapping" - DefinitionValueEntitlementMappingService_DeleteDefinitionValueEntitlementMapping_FullMethodName = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/DeleteDefinitionValueEntitlementMapping" -) - -// DefinitionValueEntitlementMappingServiceClient is the client API for DefinitionValueEntitlementMappingService service. 
-// -// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. -type DefinitionValueEntitlementMappingServiceClient interface { - ListDefinitionValueEntitlementMappings(ctx context.Context, in *ListDefinitionValueEntitlementMappingsRequest, opts ...grpc.CallOption) (*ListDefinitionValueEntitlementMappingsResponse, error) - GetDefinitionValueEntitlementMapping(ctx context.Context, in *GetDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*GetDefinitionValueEntitlementMappingResponse, error) - CreateDefinitionValueEntitlementMapping(ctx context.Context, in *CreateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*CreateDefinitionValueEntitlementMappingResponse, error) - UpdateDefinitionValueEntitlementMapping(ctx context.Context, in *UpdateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*UpdateDefinitionValueEntitlementMappingResponse, error) - DeleteDefinitionValueEntitlementMapping(ctx context.Context, in *DeleteDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*DeleteDefinitionValueEntitlementMappingResponse, error) -} - -type definitionValueEntitlementMappingServiceClient struct { - cc grpc.ClientConnInterface -} - -func NewDefinitionValueEntitlementMappingServiceClient(cc grpc.ClientConnInterface) DefinitionValueEntitlementMappingServiceClient { - return &definitionValueEntitlementMappingServiceClient{cc} -} - -func (c *definitionValueEntitlementMappingServiceClient) ListDefinitionValueEntitlementMappings(ctx context.Context, in *ListDefinitionValueEntitlementMappingsRequest, opts ...grpc.CallOption) (*ListDefinitionValueEntitlementMappingsResponse, error) { - out := new(ListDefinitionValueEntitlementMappingsResponse) - err := c.cc.Invoke(ctx, DefinitionValueEntitlementMappingService_ListDefinitionValueEntitlementMappings_FullMethodName, in, out, opts...) 
- if err != nil { - return nil, err - } - return out, nil -} - -func (c *definitionValueEntitlementMappingServiceClient) GetDefinitionValueEntitlementMapping(ctx context.Context, in *GetDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*GetDefinitionValueEntitlementMappingResponse, error) { - out := new(GetDefinitionValueEntitlementMappingResponse) - err := c.cc.Invoke(ctx, DefinitionValueEntitlementMappingService_GetDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - -func (c *definitionValueEntitlementMappingServiceClient) CreateDefinitionValueEntitlementMapping(ctx context.Context, in *CreateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*CreateDefinitionValueEntitlementMappingResponse, error) { - out := new(CreateDefinitionValueEntitlementMappingResponse) - err := c.cc.Invoke(ctx, DefinitionValueEntitlementMappingService_CreateDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - -func (c *definitionValueEntitlementMappingServiceClient) UpdateDefinitionValueEntitlementMapping(ctx context.Context, in *UpdateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*UpdateDefinitionValueEntitlementMappingResponse, error) { - out := new(UpdateDefinitionValueEntitlementMappingResponse) - err := c.cc.Invoke(ctx, DefinitionValueEntitlementMappingService_UpdateDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) 
- if err != nil { - return nil, err - } - return out, nil -} - -func (c *definitionValueEntitlementMappingServiceClient) DeleteDefinitionValueEntitlementMapping(ctx context.Context, in *DeleteDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*DeleteDefinitionValueEntitlementMappingResponse, error) { - out := new(DeleteDefinitionValueEntitlementMappingResponse) - err := c.cc.Invoke(ctx, DefinitionValueEntitlementMappingService_DeleteDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - -// DefinitionValueEntitlementMappingServiceServer is the server API for DefinitionValueEntitlementMappingService service. -// All implementations must embed UnimplementedDefinitionValueEntitlementMappingServiceServer -// for forward compatibility -type DefinitionValueEntitlementMappingServiceServer interface { - ListDefinitionValueEntitlementMappings(context.Context, *ListDefinitionValueEntitlementMappingsRequest) (*ListDefinitionValueEntitlementMappingsResponse, error) - GetDefinitionValueEntitlementMapping(context.Context, *GetDefinitionValueEntitlementMappingRequest) (*GetDefinitionValueEntitlementMappingResponse, error) - CreateDefinitionValueEntitlementMapping(context.Context, *CreateDefinitionValueEntitlementMappingRequest) (*CreateDefinitionValueEntitlementMappingResponse, error) - UpdateDefinitionValueEntitlementMapping(context.Context, *UpdateDefinitionValueEntitlementMappingRequest) (*UpdateDefinitionValueEntitlementMappingResponse, error) - DeleteDefinitionValueEntitlementMapping(context.Context, *DeleteDefinitionValueEntitlementMappingRequest) (*DeleteDefinitionValueEntitlementMappingResponse, error) - mustEmbedUnimplementedDefinitionValueEntitlementMappingServiceServer() -} - -// UnimplementedDefinitionValueEntitlementMappingServiceServer must be embedded to have forward compatible implementations. 
-type UnimplementedDefinitionValueEntitlementMappingServiceServer struct { -} - -func (UnimplementedDefinitionValueEntitlementMappingServiceServer) ListDefinitionValueEntitlementMappings(context.Context, *ListDefinitionValueEntitlementMappingsRequest) (*ListDefinitionValueEntitlementMappingsResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method ListDefinitionValueEntitlementMappings not implemented") -} -func (UnimplementedDefinitionValueEntitlementMappingServiceServer) GetDefinitionValueEntitlementMapping(context.Context, *GetDefinitionValueEntitlementMappingRequest) (*GetDefinitionValueEntitlementMappingResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method GetDefinitionValueEntitlementMapping not implemented") -} -func (UnimplementedDefinitionValueEntitlementMappingServiceServer) CreateDefinitionValueEntitlementMapping(context.Context, *CreateDefinitionValueEntitlementMappingRequest) (*CreateDefinitionValueEntitlementMappingResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method CreateDefinitionValueEntitlementMapping not implemented") -} -func (UnimplementedDefinitionValueEntitlementMappingServiceServer) UpdateDefinitionValueEntitlementMapping(context.Context, *UpdateDefinitionValueEntitlementMappingRequest) (*UpdateDefinitionValueEntitlementMappingResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method UpdateDefinitionValueEntitlementMapping not implemented") -} -func (UnimplementedDefinitionValueEntitlementMappingServiceServer) DeleteDefinitionValueEntitlementMapping(context.Context, *DeleteDefinitionValueEntitlementMappingRequest) (*DeleteDefinitionValueEntitlementMappingResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method DeleteDefinitionValueEntitlementMapping not implemented") -} -func (UnimplementedDefinitionValueEntitlementMappingServiceServer) mustEmbedUnimplementedDefinitionValueEntitlementMappingServiceServer() { -} - -// 
UnsafeDefinitionValueEntitlementMappingServiceServer may be embedded to opt out of forward compatibility for this service. -// Use of this interface is not recommended, as added methods to DefinitionValueEntitlementMappingServiceServer will -// result in compilation errors. -type UnsafeDefinitionValueEntitlementMappingServiceServer interface { - mustEmbedUnimplementedDefinitionValueEntitlementMappingServiceServer() -} - -func RegisterDefinitionValueEntitlementMappingServiceServer(s grpc.ServiceRegistrar, srv DefinitionValueEntitlementMappingServiceServer) { - s.RegisterService(&DefinitionValueEntitlementMappingService_ServiceDesc, srv) -} - -func _DefinitionValueEntitlementMappingService_ListDefinitionValueEntitlementMappings_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(ListDefinitionValueEntitlementMappingsRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(DefinitionValueEntitlementMappingServiceServer).ListDefinitionValueEntitlementMappings(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: DefinitionValueEntitlementMappingService_ListDefinitionValueEntitlementMappings_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(DefinitionValueEntitlementMappingServiceServer).ListDefinitionValueEntitlementMappings(ctx, req.(*ListDefinitionValueEntitlementMappingsRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _DefinitionValueEntitlementMappingService_GetDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(GetDefinitionValueEntitlementMappingRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return 
srv.(DefinitionValueEntitlementMappingServiceServer).GetDefinitionValueEntitlementMapping(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: DefinitionValueEntitlementMappingService_GetDefinitionValueEntitlementMapping_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(DefinitionValueEntitlementMappingServiceServer).GetDefinitionValueEntitlementMapping(ctx, req.(*GetDefinitionValueEntitlementMappingRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _DefinitionValueEntitlementMappingService_CreateDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(CreateDefinitionValueEntitlementMappingRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(DefinitionValueEntitlementMappingServiceServer).CreateDefinitionValueEntitlementMapping(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: DefinitionValueEntitlementMappingService_CreateDefinitionValueEntitlementMapping_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(DefinitionValueEntitlementMappingServiceServer).CreateDefinitionValueEntitlementMapping(ctx, req.(*CreateDefinitionValueEntitlementMappingRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _DefinitionValueEntitlementMappingService_UpdateDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(UpdateDefinitionValueEntitlementMappingRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(DefinitionValueEntitlementMappingServiceServer).UpdateDefinitionValueEntitlementMapping(ctx, in) - } - info := 
&grpc.UnaryServerInfo{ - Server: srv, - FullMethod: DefinitionValueEntitlementMappingService_UpdateDefinitionValueEntitlementMapping_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(DefinitionValueEntitlementMappingServiceServer).UpdateDefinitionValueEntitlementMapping(ctx, req.(*UpdateDefinitionValueEntitlementMappingRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _DefinitionValueEntitlementMappingService_DeleteDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(DeleteDefinitionValueEntitlementMappingRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(DefinitionValueEntitlementMappingServiceServer).DeleteDefinitionValueEntitlementMapping(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: DefinitionValueEntitlementMappingService_DeleteDefinitionValueEntitlementMapping_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(DefinitionValueEntitlementMappingServiceServer).DeleteDefinitionValueEntitlementMapping(ctx, req.(*DeleteDefinitionValueEntitlementMappingRequest)) - } - return interceptor(ctx, in, info, handler) -} - -// DefinitionValueEntitlementMappingService_ServiceDesc is the grpc.ServiceDesc for DefinitionValueEntitlementMappingService service. 
-// It's only intended for direct use with grpc.RegisterService, -// and not to be introspected or modified (even as a copy) -var DefinitionValueEntitlementMappingService_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService", - HandlerType: (*DefinitionValueEntitlementMappingServiceServer)(nil), - Methods: []grpc.MethodDesc{ - { - MethodName: "ListDefinitionValueEntitlementMappings", - Handler: _DefinitionValueEntitlementMappingService_ListDefinitionValueEntitlementMappings_Handler, - }, - { - MethodName: "GetDefinitionValueEntitlementMapping", - Handler: _DefinitionValueEntitlementMappingService_GetDefinitionValueEntitlementMapping_Handler, - }, - { - MethodName: "CreateDefinitionValueEntitlementMapping", - Handler: _DefinitionValueEntitlementMappingService_CreateDefinitionValueEntitlementMapping_Handler, - }, - { - MethodName: "UpdateDefinitionValueEntitlementMapping", - Handler: _DefinitionValueEntitlementMappingService_UpdateDefinitionValueEntitlementMapping_Handler, - }, - { - MethodName: "DeleteDefinitionValueEntitlementMapping", - Handler: _DefinitionValueEntitlementMappingService_DeleteDefinitionValueEntitlementMapping_Handler, - }, - }, - Streams: []grpc.StreamDesc{}, - Metadata: "policy/definitionvalueentitlement/definition_value_entitlement.proto", -} diff --git a/protocol/go/policy/definitionvalueentitlement/definitionvalueentitlementconnect/definition_value_entitlement.connect.go b/protocol/go/policy/definitionvalueentitlement/definitionvalueentitlementconnect/definition_value_entitlement.connect.go deleted file mode 100644 index 0e12ffe6a9..0000000000 --- a/protocol/go/policy/definitionvalueentitlement/definitionvalueentitlementconnect/definition_value_entitlement.connect.go +++ /dev/null 
@@ -1,245 +0,0 @@ -// Code generated by protoc-gen-connect-go. DO NOT EDIT. -// -// Source: policy/definitionvalueentitlement/definition_value_entitlement.proto - -package definitionvalueentitlementconnect - -import ( - connect "connectrpc.com/connect" - context "context" - errors "errors" - definitionvalueentitlement "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement" - http "net/http" - strings "strings" -) - -// This is a compile-time assertion to ensure that this generated file and the connect package are -// compatible. If you get a compiler error that this constant is not defined, this code was -// generated with a version of connect newer than the one compiled into your binary. You can fix the -// problem by either regenerating this code with an older version of connect or updating the connect -// version compiled into your binary. -const _ = connect.IsAtLeastVersion1_13_0 - -const ( - // DefinitionValueEntitlementMappingServiceName is the fully-qualified name of the - // DefinitionValueEntitlementMappingService service. - DefinitionValueEntitlementMappingServiceName = "policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService" -) - -// These constants are the fully-qualified names of the RPCs defined in this package. They're -// exposed at runtime as Spec.Procedure and as the final two segments of the HTTP route. -// -// Note that these are different from the fully-qualified method names used by -// google.golang.org/protobuf/reflect/protoreflect. To convert from these constants to -// reflection-formatted method names, remove the leading slash and convert the remaining slash to a -// period. -const ( - // DefinitionValueEntitlementMappingServiceListDefinitionValueEntitlementMappingsProcedure is the - // fully-qualified name of the DefinitionValueEntitlementMappingService's - // ListDefinitionValueEntitlementMappings RPC. 
- DefinitionValueEntitlementMappingServiceListDefinitionValueEntitlementMappingsProcedure = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/ListDefinitionValueEntitlementMappings" - // DefinitionValueEntitlementMappingServiceGetDefinitionValueEntitlementMappingProcedure is the - // fully-qualified name of the DefinitionValueEntitlementMappingService's - // GetDefinitionValueEntitlementMapping RPC. - DefinitionValueEntitlementMappingServiceGetDefinitionValueEntitlementMappingProcedure = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/GetDefinitionValueEntitlementMapping" - // DefinitionValueEntitlementMappingServiceCreateDefinitionValueEntitlementMappingProcedure is the - // fully-qualified name of the DefinitionValueEntitlementMappingService's - // CreateDefinitionValueEntitlementMapping RPC. - DefinitionValueEntitlementMappingServiceCreateDefinitionValueEntitlementMappingProcedure = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/CreateDefinitionValueEntitlementMapping" - // DefinitionValueEntitlementMappingServiceUpdateDefinitionValueEntitlementMappingProcedure is the - // fully-qualified name of the DefinitionValueEntitlementMappingService's - // UpdateDefinitionValueEntitlementMapping RPC. - DefinitionValueEntitlementMappingServiceUpdateDefinitionValueEntitlementMappingProcedure = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/UpdateDefinitionValueEntitlementMapping" - // DefinitionValueEntitlementMappingServiceDeleteDefinitionValueEntitlementMappingProcedure is the - // fully-qualified name of the DefinitionValueEntitlementMappingService's - // DeleteDefinitionValueEntitlementMapping RPC. 
- DefinitionValueEntitlementMappingServiceDeleteDefinitionValueEntitlementMappingProcedure = "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/DeleteDefinitionValueEntitlementMapping" -) - -// DefinitionValueEntitlementMappingServiceClient is a client for the -// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService service. -type DefinitionValueEntitlementMappingServiceClient interface { - ListDefinitionValueEntitlementMappings(context.Context, *connect.Request[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse], error) - GetDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse], error) - CreateDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse], error) - UpdateDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse], error) - DeleteDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse], error) -} - -// NewDefinitionValueEntitlementMappingServiceClient constructs a client for the -// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService service. 
By default, -// it uses the Connect protocol with the binary Protobuf Codec, asks for gzipped responses, and -// sends uncompressed requests. To use the gRPC or gRPC-Web protocols, supply the connect.WithGRPC() -// or connect.WithGRPCWeb() options. -// -// The URL supplied here should be the base URL for the Connect or gRPC server (for example, -// http://api.acme.com or https://acme.com/grpc). -func NewDefinitionValueEntitlementMappingServiceClient(httpClient connect.HTTPClient, baseURL string, opts ...connect.ClientOption) DefinitionValueEntitlementMappingServiceClient { - baseURL = strings.TrimRight(baseURL, "/") - definitionValueEntitlementMappingServiceMethods := definitionvalueentitlement.File_policy_definitionvalueentitlement_definition_value_entitlement_proto.Services().ByName("DefinitionValueEntitlementMappingService").Methods() - return &definitionValueEntitlementMappingServiceClient{ - listDefinitionValueEntitlementMappings: connect.NewClient[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest, definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse]( - httpClient, - baseURL+DefinitionValueEntitlementMappingServiceListDefinitionValueEntitlementMappingsProcedure, - connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("ListDefinitionValueEntitlementMappings")), - connect.WithIdempotency(connect.IdempotencyNoSideEffects), - connect.WithClientOptions(opts...), - ), - getDefinitionValueEntitlementMapping: connect.NewClient[definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse]( - httpClient, - baseURL+DefinitionValueEntitlementMappingServiceGetDefinitionValueEntitlementMappingProcedure, - connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("GetDefinitionValueEntitlementMapping")), - connect.WithIdempotency(connect.IdempotencyNoSideEffects), - connect.WithClientOptions(opts...), - ), - 
createDefinitionValueEntitlementMapping: connect.NewClient[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse]( - httpClient, - baseURL+DefinitionValueEntitlementMappingServiceCreateDefinitionValueEntitlementMappingProcedure, - connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("CreateDefinitionValueEntitlementMapping")), - connect.WithClientOptions(opts...), - ), - updateDefinitionValueEntitlementMapping: connect.NewClient[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse]( - httpClient, - baseURL+DefinitionValueEntitlementMappingServiceUpdateDefinitionValueEntitlementMappingProcedure, - connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("UpdateDefinitionValueEntitlementMapping")), - connect.WithClientOptions(opts...), - ), - deleteDefinitionValueEntitlementMapping: connect.NewClient[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse]( - httpClient, - baseURL+DefinitionValueEntitlementMappingServiceDeleteDefinitionValueEntitlementMappingProcedure, - connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("DeleteDefinitionValueEntitlementMapping")), - connect.WithClientOptions(opts...), - ), - } -} - -// definitionValueEntitlementMappingServiceClient implements -// DefinitionValueEntitlementMappingServiceClient. 
-type definitionValueEntitlementMappingServiceClient struct { - listDefinitionValueEntitlementMappings *connect.Client[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest, definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse] - getDefinitionValueEntitlementMapping *connect.Client[definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse] - createDefinitionValueEntitlementMapping *connect.Client[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse] - updateDefinitionValueEntitlementMapping *connect.Client[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse] - deleteDefinitionValueEntitlementMapping *connect.Client[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest, definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse] -} - -// ListDefinitionValueEntitlementMappings calls -// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.ListDefinitionValueEntitlementMappings. -func (c *definitionValueEntitlementMappingServiceClient) ListDefinitionValueEntitlementMappings(ctx context.Context, req *connect.Request[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse], error) { - return c.listDefinitionValueEntitlementMappings.CallUnary(ctx, req) -} - -// GetDefinitionValueEntitlementMapping calls -// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.GetDefinitionValueEntitlementMapping. 
-func (c *definitionValueEntitlementMappingServiceClient) GetDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse], error) { - return c.getDefinitionValueEntitlementMapping.CallUnary(ctx, req) -} - -// CreateDefinitionValueEntitlementMapping calls -// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.CreateDefinitionValueEntitlementMapping. -func (c *definitionValueEntitlementMappingServiceClient) CreateDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse], error) { - return c.createDefinitionValueEntitlementMapping.CallUnary(ctx, req) -} - -// UpdateDefinitionValueEntitlementMapping calls -// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.UpdateDefinitionValueEntitlementMapping. -func (c *definitionValueEntitlementMappingServiceClient) UpdateDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse], error) { - return c.updateDefinitionValueEntitlementMapping.CallUnary(ctx, req) -} - -// DeleteDefinitionValueEntitlementMapping calls -// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.DeleteDefinitionValueEntitlementMapping. 
-func (c *definitionValueEntitlementMappingServiceClient) DeleteDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse], error) { - return c.deleteDefinitionValueEntitlementMapping.CallUnary(ctx, req) -} - -// DefinitionValueEntitlementMappingServiceHandler is an implementation of the -// policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService service. -type DefinitionValueEntitlementMappingServiceHandler interface { - ListDefinitionValueEntitlementMappings(context.Context, *connect.Request[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse], error) - GetDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse], error) - CreateDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse], error) - UpdateDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse], error) - DeleteDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse], error) -} - -// NewDefinitionValueEntitlementMappingServiceHandler builds an HTTP handler from the service -// 
implementation. It returns the path on which to mount the handler and the handler itself. -// -// By default, handlers support the Connect, gRPC, and gRPC-Web protocols with the binary Protobuf -// and JSON codecs. They also support gzip compression. -func NewDefinitionValueEntitlementMappingServiceHandler(svc DefinitionValueEntitlementMappingServiceHandler, opts ...connect.HandlerOption) (string, http.Handler) { - definitionValueEntitlementMappingServiceMethods := definitionvalueentitlement.File_policy_definitionvalueentitlement_definition_value_entitlement_proto.Services().ByName("DefinitionValueEntitlementMappingService").Methods() - definitionValueEntitlementMappingServiceListDefinitionValueEntitlementMappingsHandler := connect.NewUnaryHandler( - DefinitionValueEntitlementMappingServiceListDefinitionValueEntitlementMappingsProcedure, - svc.ListDefinitionValueEntitlementMappings, - connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("ListDefinitionValueEntitlementMappings")), - connect.WithIdempotency(connect.IdempotencyNoSideEffects), - connect.WithHandlerOptions(opts...), - ) - definitionValueEntitlementMappingServiceGetDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( - DefinitionValueEntitlementMappingServiceGetDefinitionValueEntitlementMappingProcedure, - svc.GetDefinitionValueEntitlementMapping, - connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("GetDefinitionValueEntitlementMapping")), - connect.WithIdempotency(connect.IdempotencyNoSideEffects), - connect.WithHandlerOptions(opts...), - ) - definitionValueEntitlementMappingServiceCreateDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( - DefinitionValueEntitlementMappingServiceCreateDefinitionValueEntitlementMappingProcedure, - svc.CreateDefinitionValueEntitlementMapping, - connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("CreateDefinitionValueEntitlementMapping")), - 
connect.WithHandlerOptions(opts...), - ) - definitionValueEntitlementMappingServiceUpdateDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( - DefinitionValueEntitlementMappingServiceUpdateDefinitionValueEntitlementMappingProcedure, - svc.UpdateDefinitionValueEntitlementMapping, - connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("UpdateDefinitionValueEntitlementMapping")), - connect.WithHandlerOptions(opts...), - ) - definitionValueEntitlementMappingServiceDeleteDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( - DefinitionValueEntitlementMappingServiceDeleteDefinitionValueEntitlementMappingProcedure, - svc.DeleteDefinitionValueEntitlementMapping, - connect.WithSchema(definitionValueEntitlementMappingServiceMethods.ByName("DeleteDefinitionValueEntitlementMapping")), - connect.WithHandlerOptions(opts...), - ) - return "/policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - switch r.URL.Path { - case DefinitionValueEntitlementMappingServiceListDefinitionValueEntitlementMappingsProcedure: - definitionValueEntitlementMappingServiceListDefinitionValueEntitlementMappingsHandler.ServeHTTP(w, r) - case DefinitionValueEntitlementMappingServiceGetDefinitionValueEntitlementMappingProcedure: - definitionValueEntitlementMappingServiceGetDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) - case DefinitionValueEntitlementMappingServiceCreateDefinitionValueEntitlementMappingProcedure: - definitionValueEntitlementMappingServiceCreateDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) - case DefinitionValueEntitlementMappingServiceUpdateDefinitionValueEntitlementMappingProcedure: - definitionValueEntitlementMappingServiceUpdateDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) - case DefinitionValueEntitlementMappingServiceDeleteDefinitionValueEntitlementMappingProcedure: - 
definitionValueEntitlementMappingServiceDeleteDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) - default: - http.NotFound(w, r) - } - }) -} - -// UnimplementedDefinitionValueEntitlementMappingServiceHandler returns CodeUnimplemented from all -// methods. -type UnimplementedDefinitionValueEntitlementMappingServiceHandler struct{} - -func (UnimplementedDefinitionValueEntitlementMappingServiceHandler) ListDefinitionValueEntitlementMappings(context.Context, *connect.Request[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse], error) { - return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.ListDefinitionValueEntitlementMappings is not implemented")) -} - -func (UnimplementedDefinitionValueEntitlementMappingServiceHandler) GetDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse], error) { - return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.GetDefinitionValueEntitlementMapping is not implemented")) -} - -func (UnimplementedDefinitionValueEntitlementMappingServiceHandler) CreateDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse], error) { - return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.CreateDefinitionValueEntitlementMapping is not implemented")) -} - -func 
(UnimplementedDefinitionValueEntitlementMappingServiceHandler) UpdateDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse], error) { - return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.UpdateDefinitionValueEntitlementMapping is not implemented")) -} - -func (UnimplementedDefinitionValueEntitlementMappingServiceHandler) DeleteDefinitionValueEntitlementMapping(context.Context, *connect.Request[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse], error) { - return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.definitionvalueentitlement.DefinitionValueEntitlementMappingService.DeleteDefinitionValueEntitlementMapping is not implemented")) -} diff --git a/protocol/go/policy/subjectmapping/subject_mapping.pb.go b/protocol/go/policy/subjectmapping/subject_mapping.pb.go index 3c1bf6c2f1..3d8cbeb57a 100644 --- a/protocol/go/policy/subjectmapping/subject_mapping.pb.go +++ b/protocol/go/policy/subjectmapping/subject_mapping.pb.go 
@@ -121,6 +121,55 @@ func (SortSubjectConditionSetsType) EnumDescriptor() ([]byte, []int) { return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{1} } +type SortDefinitionValueEntitlementMappingsType int32 + +const ( + SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED SortDefinitionValueEntitlementMappingsType = 0 + SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT SortDefinitionValueEntitlementMappingsType = 1 + SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT SortDefinitionValueEntitlementMappingsType = 2 +) + +// Enum value maps for SortDefinitionValueEntitlementMappingsType. +var ( + SortDefinitionValueEntitlementMappingsType_name = map[int32]string{ + 0: "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED", + 1: "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT", + 2: "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT", + } + SortDefinitionValueEntitlementMappingsType_value = map[string]int32{ + "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED": 0, + "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT": 1, + "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT": 2, + } +) + +func (x SortDefinitionValueEntitlementMappingsType) Enum() *SortDefinitionValueEntitlementMappingsType { + p := new(SortDefinitionValueEntitlementMappingsType) + *p = x + return p +} + +func (x SortDefinitionValueEntitlementMappingsType) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (SortDefinitionValueEntitlementMappingsType) Descriptor() protoreflect.EnumDescriptor { + return file_policy_subjectmapping_subject_mapping_proto_enumTypes[2].Descriptor() +} + +func (SortDefinitionValueEntitlementMappingsType) Type() protoreflect.EnumType { + return 
&file_policy_subjectmapping_subject_mapping_proto_enumTypes[2] +} + +func (x SortDefinitionValueEntitlementMappingsType) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use SortDefinitionValueEntitlementMappingsType.Descriptor instead. +func (SortDefinitionValueEntitlementMappingsType) EnumDescriptor() ([]byte, []int) { + return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{2} +} + // MatchSubjectMappingsRequest liberally returns a list of SubjectMappings based on the provided SubjectProperties. // The SubjectMappings are returned if an external selector field matches. type MatchSubjectMappingsRequest struct { 
@@ -1645,234 +1694,913 @@ func (x *DeleteAllUnmappedSubjectConditionSetsResponse) GetSubjectConditionSets( return nil } -var File_policy_subjectmapping_subject_mapping_proto protoreflect.FileDescriptor +type GetDefinitionValueEntitlementMappingRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields -var file_policy_subjectmapping_subject_mapping_proto_rawDesc = []byte{ - 0x0a, 0x2b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, - 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x1a, 0x1b, 0x62, 0x75, 0x66, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, - 0x74, 0x65, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x1a, 0x13, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x14, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x6f, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x16, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x6f, 0x0a, 0x1b, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x12, 0x50, 0x0a, 0x12, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x70, - 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x50, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x79, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 
0x02, - 0x08, 0x01, 0x52, 0x11, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x50, 0x72, 0x6f, 0x70, 0x65, - 0x72, 0x74, 0x69, 0x65, 0x73, 0x22, 0x61, 0x0a, 0x1c, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x41, 0x0a, 0x10, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x22, 0x34, 0x0a, 0x18, 0x47, 0x65, 0x74, 0x53, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x22, 0x5c, - 0x0a, 0x19, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3f, 0x0a, 0x0f, 0x73, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0e, 0x73, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0xa4, 0x01, 0x0a, - 0x13, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, - 0x53, 0x6f, 0x72, 0x74, 0x12, 0x4e, 0x0a, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x0e, 0x32, 0x2e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x6d, 
0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x6f, 0x72, 0x74, - 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x54, - 0x79, 0x70, 0x65, 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x05, 0x66, - 0x69, 0x65, 0x6c, 0x64, 0x12, 0x3d, 0x0a, 0x09, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x08, - 0xba, 0x48, 0x05, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x09, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, - 0x69, 0x6f, 0x6e, 0x22, 0x9f, 0x02, 0x0a, 0x1a, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x12, 0x2b, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, - 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, - 0x01, 0x01, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, - 0x2f, 0x0a, 0x0d, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x66, 0x71, 0x6e, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x01, 0x88, - 0x01, 0x01, 0x52, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x46, 0x71, 0x6e, - 0x12, 0x33, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0a, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x61, - 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x48, 0x0a, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x18, 0x0b, 0x20, - 0x03, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 
0x2e, 0x53, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x42, - 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x10, 0x01, 0x52, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x3a, - 0x24, 0xba, 0x48, 0x21, 0x22, 0x1f, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, - 0x65, 0x5f, 0x69, 0x64, 0x0a, 0x0d, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, - 0x66, 0x71, 0x6e, 0x10, 0x00, 0x22, 0x96, 0x01, 0x0a, 0x1b, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x41, 0x0a, 0x10, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x34, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, - 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x52, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xb7, - 0x06, 0x0a, 0x1b, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x36, - 0x0a, 0x12, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, - 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, - 0x03, 0xb0, 0x01, 0x01, 0x52, 0x10, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x49, 0x64, 0x12, 0xb8, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 
0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x8d, 0x01, 0xba, 0x48, 0x89, 0x01, 0xba, - 0x01, 0x80, 0x01, 0x0a, 0x1b, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, - 0x5f, 0x6f, 0x72, 0x5f, 0x69, 0x64, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, - 0x12, 0x2f, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, - 0x20, 0x49, 0x44, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, - 0x65, 0x6d, 0x70, 0x74, 0x79, 0x20, 0x69, 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, - 0x64, 0x1a, 0x30, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, 0x6c, 0x6c, 0x28, 0x69, 0x74, 0x65, 0x6d, - 0x2c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x21, 0x3d, 0x20, 0x27, - 0x27, 0x20, 0x7c, 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x69, 0x64, 0x20, 0x21, 0x3d, 0x20, - 0x27, 0x27, 0x29, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x12, 0xfe, 0x01, 0x0a, 0x21, 0x65, 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x73, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, - 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, - 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, - 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, - 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, - 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, - 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, - 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, - 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 
0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, - 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, - 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, - 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, - 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, - 0x7d, 0x27, 0x29, 0x52, 0x1d, 0x65, 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x53, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, - 0x49, 0x64, 0x12, 0x6b, 0x0a, 0x19, 0x6e, 0x65, 0x77, 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, - 0x74, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x52, 0x16, 0x6e, 0x65, 0x77, 0x53, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, - 0x2b, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, - 0x05, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, - 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, 0x2f, 0x0a, 0x0d, - 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x06, 0x20, - 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x01, 0x88, 0x01, 0x01, 0x52, - 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x46, 0x71, 0x6e, 0x12, 0x33, 0x0a, - 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 
0x28, 0x0b, 0x32, - 0x17, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x4d, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x3a, 0x24, 0xba, 0x48, 0x21, 0x22, 0x1f, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, - 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x0a, 0x0d, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, - 0x63, 0x65, 0x5f, 0x66, 0x71, 0x6e, 0x10, 0x00, 0x22, 0x5f, 0x0a, 0x1c, 0x43, 0x72, 0x65, 0x61, - 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3f, 0x0a, 0x0f, 0x73, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0e, 0x73, 0x75, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0xfc, 0x04, 0x0a, 0x1b, 0x55, 0x70, - 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, - 0x02, 0x69, 0x64, 0x12, 0xed, 0x01, 0x0a, 0x18, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, - 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, 0x64, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, - 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, - 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, - 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, - 0x61, 0x20, 0x76, 
0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, - 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, - 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, - 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, - 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, - 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, - 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, - 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x73, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, - 0x74, 0x49, 0x64, 0x12, 0xc7, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, - 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, - 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x9c, 0x01, 0xba, 0x48, 0x98, 0x01, 0xba, 0x01, 0x94, 0x01, - 0x0a, 0x1b, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x6f, 0x72, - 0x5f, 0x69, 0x64, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x2f, 0x41, - 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, 0x20, 0x49, 0x44, - 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x65, 0x6d, 0x70, - 0x74, 0x79, 0x20, 0x69, 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x64, 0x1a, 0x44, - 0x74, 0x68, 0x69, 0x73, 0x2e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, - 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, 0x6c, 0x6c, 0x28, 0x69, 0x74, 0x65, - 0x6d, 0x2c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x21, 0x3d, 0x20, - 0x27, 0x27, 0x20, 0x7c, 0x7c, 0x20, 0x69, 0x74, 0x65, 
0x6d, 0x2e, 0x69, 0x64, 0x20, 0x21, 0x3d, - 0x20, 0x27, 0x27, 0x29, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x33, 0x0a, - 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x17, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x4d, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x12, 0x54, 0x0a, 0x18, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x75, - 0x70, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x18, 0x65, - 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1a, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, - 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x75, 0x6d, - 0x52, 0x16, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, - 0x42, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x22, 0x5f, 0x0a, 0x1c, 0x55, 0x70, 0x64, 0x61, - 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3f, 0x0a, 0x0f, 0x73, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0e, 0x73, 0x75, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0x37, 0x0a, 0x1b, 0x44, 0x65, 0x6c, - 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, - 0x69, 0x64, 0x22, 0x5f, 0x0a, 0x1c, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 
0x6a, - 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x12, 0x3f, 0x0a, 0x0f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, - 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x52, 0x0e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x22, 0x39, 0x0a, 0x1d, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x22, 0xc9, - 0x01, 0x0a, 0x1e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, - 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, - 0x65, 0x12, 0x4f, 0x0a, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, - 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x13, 0x73, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, - 0x65, 0x74, 0x12, 0x56, 0x0a, 0x1b, 0x61, 0x73, 0x73, 0x6f, 0x63, 0x69, 0x61, 0x74, 0x65, 0x64, - 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, - 0x19, 0x61, 0x73, 0x73, 0x6f, 
0x63, 0x69, 0x61, 0x74, 0x65, 0x64, 0x53, 0x75, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x22, 0xae, 0x01, 0x0a, 0x18, 0x53, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, - 0x65, 0x74, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x12, 0x53, 0x0a, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x33, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, - 0x6f, 0x72, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x42, 0x08, 0xba, 0x48, 0x05, - 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x12, 0x3d, 0x0a, 0x09, - 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, - 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x69, 0x72, - 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, 0x02, 0x10, 0x01, - 0x52, 0x09, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xa9, 0x02, 0x0a, 0x1f, - 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, - 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, - 0x2b, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, - 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, 0x2f, 0x0a, 0x0d, - 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x01, 0x88, 0x01, 0x01, 0x52, - 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x46, 
0x71, 0x6e, 0x12, 0x33, 0x0a, - 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0a, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x13, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x61, 0x67, 0x65, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x12, 0x4d, 0x0a, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x2f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, + // Required + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` +} + +func (x *GetDefinitionValueEntitlementMappingRequest) Reset() { + *x = GetDefinitionValueEntitlementMappingRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[27] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetDefinitionValueEntitlementMappingRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetDefinitionValueEntitlementMappingRequest) ProtoMessage() {} + +func (x *GetDefinitionValueEntitlementMappingRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[27] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. 
+func (*GetDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { + return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{27} +} + +func (x *GetDefinitionValueEntitlementMappingRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +type GetDefinitionValueEntitlementMappingResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` +} + +func (x *GetDefinitionValueEntitlementMappingResponse) Reset() { + *x = GetDefinitionValueEntitlementMappingResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[28] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetDefinitionValueEntitlementMappingResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetDefinitionValueEntitlementMappingResponse) ProtoMessage() {} + +func (x *GetDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[28] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
+func (*GetDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { + return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{28} +} + +func (x *GetDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { + if x != nil { + return x.DefinitionValueEntitlementMapping + } + return nil +} + +type DefinitionValueEntitlementMappingsSort struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Field SortDefinitionValueEntitlementMappingsType `protobuf:"varint,1,opt,name=field,proto3,enum=policy.subjectmapping.SortDefinitionValueEntitlementMappingsType" json:"field,omitempty"` + Direction policy.SortDirection `protobuf:"varint,2,opt,name=direction,proto3,enum=policy.SortDirection" json:"direction,omitempty"` +} + +func (x *DefinitionValueEntitlementMappingsSort) Reset() { + *x = DefinitionValueEntitlementMappingsSort{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[29] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *DefinitionValueEntitlementMappingsSort) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DefinitionValueEntitlementMappingsSort) ProtoMessage() {} + +func (x *DefinitionValueEntitlementMappingsSort) ProtoReflect() protoreflect.Message { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[29] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DefinitionValueEntitlementMappingsSort.ProtoReflect.Descriptor instead. 
+func (*DefinitionValueEntitlementMappingsSort) Descriptor() ([]byte, []int) { + return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{29} +} + +func (x *DefinitionValueEntitlementMappingsSort) GetField() SortDefinitionValueEntitlementMappingsType { + if x != nil { + return x.Field + } + return SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED +} + +func (x *DefinitionValueEntitlementMappingsSort) GetDirection() policy.SortDirection { + if x != nil { + return x.Direction + } + return policy.SortDirection(0) +} + +type ListDefinitionValueEntitlementMappingsRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Optional + // Namespace ID, or Attribute Definition ID to filter by + NamespaceId string `protobuf:"bytes,1,opt,name=namespace_id,json=namespaceId,proto3" json:"namespace_id,omitempty"` + AttributeDefinitionId string `protobuf:"bytes,2,opt,name=attribute_definition_id,json=attributeDefinitionId,proto3" json:"attribute_definition_id,omitempty"` + // Optional + Pagination *policy.PageRequest `protobuf:"bytes,10,opt,name=pagination,proto3" json:"pagination,omitempty"` + // Optional - CONSTRAINT: max 1 item + Sort []*DefinitionValueEntitlementMappingsSort `protobuf:"bytes,11,rep,name=sort,proto3" json:"sort,omitempty"` +} + +func (x *ListDefinitionValueEntitlementMappingsRequest) Reset() { + *x = ListDefinitionValueEntitlementMappingsRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[30] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ListDefinitionValueEntitlementMappingsRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListDefinitionValueEntitlementMappingsRequest) ProtoMessage() {} + +func (x *ListDefinitionValueEntitlementMappingsRequest) ProtoReflect() protoreflect.Message { 
+ mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[30] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListDefinitionValueEntitlementMappingsRequest.ProtoReflect.Descriptor instead. +func (*ListDefinitionValueEntitlementMappingsRequest) Descriptor() ([]byte, []int) { + return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{30} +} + +func (x *ListDefinitionValueEntitlementMappingsRequest) GetNamespaceId() string { + if x != nil { + return x.NamespaceId + } + return "" +} + +func (x *ListDefinitionValueEntitlementMappingsRequest) GetAttributeDefinitionId() string { + if x != nil { + return x.AttributeDefinitionId + } + return "" +} + +func (x *ListDefinitionValueEntitlementMappingsRequest) GetPagination() *policy.PageRequest { + if x != nil { + return x.Pagination + } + return nil +} + +func (x *ListDefinitionValueEntitlementMappingsRequest) GetSort() []*DefinitionValueEntitlementMappingsSort { + if x != nil { + return x.Sort + } + return nil +} + +type ListDefinitionValueEntitlementMappingsResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DefinitionValueEntitlementMappings []*policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,rep,name=definition_value_entitlement_mappings,json=definitionValueEntitlementMappings,proto3" json:"definition_value_entitlement_mappings,omitempty"` + Pagination *policy.PageResponse `protobuf:"bytes,10,opt,name=pagination,proto3" json:"pagination,omitempty"` +} + +func (x *ListDefinitionValueEntitlementMappingsResponse) Reset() { + *x = ListDefinitionValueEntitlementMappingsResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[31] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + 
ms.StoreMessageInfo(mi) + } +} + +func (x *ListDefinitionValueEntitlementMappingsResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListDefinitionValueEntitlementMappingsResponse) ProtoMessage() {} + +func (x *ListDefinitionValueEntitlementMappingsResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[31] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListDefinitionValueEntitlementMappingsResponse.ProtoReflect.Descriptor instead. +func (*ListDefinitionValueEntitlementMappingsResponse) Descriptor() ([]byte, []int) { + return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{31} +} + +func (x *ListDefinitionValueEntitlementMappingsResponse) GetDefinitionValueEntitlementMappings() []*policy.DefinitionValueEntitlementMapping { + if x != nil { + return x.DefinitionValueEntitlementMappings + } + return nil +} + +func (x *ListDefinitionValueEntitlementMappingsResponse) GetPagination() *policy.PageResponse { + if x != nil { + return x.Pagination + } + return nil +} + +type CreateDefinitionValueEntitlementMappingRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + AttributeDefinitionId string `protobuf:"bytes,1,opt,name=attribute_definition_id,json=attributeDefinitionId,proto3" json:"attribute_definition_id,omitempty"` + AttributeDefinitionFqn string `protobuf:"bytes,2,opt,name=attribute_definition_fqn,json=attributeDefinitionFqn,proto3" json:"attribute_definition_fqn,omitempty"` + // Required: the dynamic resolver comparing entity selector result to the resource value segment + ValueResolver *policy.DefinitionValueResolver `protobuf:"bytes,3,opt,name=value_resolver,json=valueResolver,proto3" 
json:"value_resolver,omitempty"` + // Required: actions permitted on a matched value + Actions []*policy.Action `protobuf:"bytes,4,rep,name=actions,proto3" json:"actions,omitempty"` + // Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ... + ExistingSubjectConditionSetId string `protobuf:"bytes,5,opt,name=existing_subject_condition_set_id,json=existingSubjectConditionSetId,proto3" json:"existing_subject_condition_set_id,omitempty"` + // ... or create a new one (ignored if existing_subject_condition_set_id is provided) + NewSubjectConditionSet *SubjectConditionSetCreate `protobuf:"bytes,6,opt,name=new_subject_condition_set,json=newSubjectConditionSet,proto3" json:"new_subject_condition_set,omitempty"` + // Optional: namespace ID or FQN for the mapping + NamespaceId string `protobuf:"bytes,7,opt,name=namespace_id,json=namespaceId,proto3" json:"namespace_id,omitempty"` + NamespaceFqn string `protobuf:"bytes,8,opt,name=namespace_fqn,json=namespaceFqn,proto3" json:"namespace_fqn,omitempty"` + // Optional + Metadata *common.MetadataMutable `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"` +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) Reset() { + *x = CreateDefinitionValueEntitlementMappingRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[32] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CreateDefinitionValueEntitlementMappingRequest) ProtoMessage() {} + +func (x *CreateDefinitionValueEntitlementMappingRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[32] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + 
ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CreateDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. +func (*CreateDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { + return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{32} +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetAttributeDefinitionId() string { + if x != nil { + return x.AttributeDefinitionId + } + return "" +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetAttributeDefinitionFqn() string { + if x != nil { + return x.AttributeDefinitionFqn + } + return "" +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetValueResolver() *policy.DefinitionValueResolver { + if x != nil { + return x.ValueResolver + } + return nil +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetActions() []*policy.Action { + if x != nil { + return x.Actions + } + return nil +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetExistingSubjectConditionSetId() string { + if x != nil { + return x.ExistingSubjectConditionSetId + } + return "" +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetNewSubjectConditionSet() *SubjectConditionSetCreate { + if x != nil { + return x.NewSubjectConditionSet + } + return nil +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetNamespaceId() string { + if x != nil { + return x.NamespaceId + } + return "" +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetNamespaceFqn() string { + if x != nil { + return x.NamespaceFqn + } + return "" +} + +func (x *CreateDefinitionValueEntitlementMappingRequest) GetMetadata() *common.MetadataMutable { + if x != nil { + return x.Metadata + } + return nil +} + +type CreateDefinitionValueEntitlementMappingResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + 
DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` +} + +func (x *CreateDefinitionValueEntitlementMappingResponse) Reset() { + *x = CreateDefinitionValueEntitlementMappingResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[33] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *CreateDefinitionValueEntitlementMappingResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CreateDefinitionValueEntitlementMappingResponse) ProtoMessage() {} + +func (x *CreateDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[33] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CreateDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
+func (*CreateDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { + return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{33} +} + +func (x *CreateDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { + if x != nil { + return x.DefinitionValueEntitlementMapping + } + return nil +} + +type UpdateDefinitionValueEntitlementMappingRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Required + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` + // Optional: replace the dynamic resolver + ValueResolver *policy.DefinitionValueResolver `protobuf:"bytes,2,opt,name=value_resolver,json=valueResolver,proto3" json:"value_resolver,omitempty"` + // Optional: replace the static pre-gate SubjectConditionSet by id + SubjectConditionSetId string `protobuf:"bytes,3,opt,name=subject_condition_set_id,json=subjectConditionSetId,proto3" json:"subject_condition_set_id,omitempty"` + // Optional: replace the entire list of actions + Actions []*policy.Action `protobuf:"bytes,4,rep,name=actions,proto3" json:"actions,omitempty"` + // Common metadata + Metadata *common.MetadataMutable `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"` + MetadataUpdateBehavior common.MetadataUpdateEnum `protobuf:"varint,101,opt,name=metadata_update_behavior,json=metadataUpdateBehavior,proto3,enum=common.MetadataUpdateEnum" json:"metadata_update_behavior,omitempty"` +} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) Reset() { + *x = UpdateDefinitionValueEntitlementMappingRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[34] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) String() string { + return 
protoimpl.X.MessageStringOf(x) +} + +func (*UpdateDefinitionValueEntitlementMappingRequest) ProtoMessage() {} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[34] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use UpdateDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. +func (*UpdateDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { + return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{34} +} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) GetValueResolver() *policy.DefinitionValueResolver { + if x != nil { + return x.ValueResolver + } + return nil +} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) GetSubjectConditionSetId() string { + if x != nil { + return x.SubjectConditionSetId + } + return "" +} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) GetActions() []*policy.Action { + if x != nil { + return x.Actions + } + return nil +} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) GetMetadata() *common.MetadataMutable { + if x != nil { + return x.Metadata + } + return nil +} + +func (x *UpdateDefinitionValueEntitlementMappingRequest) GetMetadataUpdateBehavior() common.MetadataUpdateEnum { + if x != nil { + return x.MetadataUpdateBehavior + } + return common.MetadataUpdateEnum(0) +} + +type UpdateDefinitionValueEntitlementMappingResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping 
`protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` +} + +func (x *UpdateDefinitionValueEntitlementMappingResponse) Reset() { + *x = UpdateDefinitionValueEntitlementMappingResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[35] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *UpdateDefinitionValueEntitlementMappingResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*UpdateDefinitionValueEntitlementMappingResponse) ProtoMessage() {} + +func (x *UpdateDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[35] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use UpdateDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
+func (*UpdateDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { + return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{35} +} + +func (x *UpdateDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { + if x != nil { + return x.DefinitionValueEntitlementMapping + } + return nil +} + +type DeleteDefinitionValueEntitlementMappingRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Required + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` +} + +func (x *DeleteDefinitionValueEntitlementMappingRequest) Reset() { + *x = DeleteDefinitionValueEntitlementMappingRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[36] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *DeleteDefinitionValueEntitlementMappingRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DeleteDefinitionValueEntitlementMappingRequest) ProtoMessage() {} + +func (x *DeleteDefinitionValueEntitlementMappingRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[36] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DeleteDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. 
+func (*DeleteDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { + return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{36} +} + +func (x *DeleteDefinitionValueEntitlementMappingRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +type DeleteDefinitionValueEntitlementMappingResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Only ID of the deleted mapping provided + DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` +} + +func (x *DeleteDefinitionValueEntitlementMappingResponse) Reset() { + *x = DeleteDefinitionValueEntitlementMappingResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[37] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *DeleteDefinitionValueEntitlementMappingResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DeleteDefinitionValueEntitlementMappingResponse) ProtoMessage() {} + +func (x *DeleteDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[37] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DeleteDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
+func (*DeleteDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { + return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{37} +} + +func (x *DeleteDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { + if x != nil { + return x.DefinitionValueEntitlementMapping + } + return nil +} + +var File_policy_subjectmapping_subject_mapping_proto protoreflect.FileDescriptor + +var file_policy_subjectmapping_subject_mapping_proto_rawDesc = []byte{ + 0x0a, 0x2b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, + 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x1a, 0x1b, 0x62, 0x75, 0x66, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, + 0x74, 0x65, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x1a, 0x13, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x14, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x6f, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x16, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x6f, 0x0a, 0x1b, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x12, 0x50, 0x0a, 0x12, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x70, + 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 
0x62, 0x6a, 0x65, 0x63, 0x74, + 0x50, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x79, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, + 0x08, 0x01, 0x52, 0x11, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x50, 0x72, 0x6f, 0x70, 0x65, + 0x72, 0x74, 0x69, 0x65, 0x73, 0x22, 0x61, 0x0a, 0x1c, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x41, 0x0a, 0x10, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x22, 0x34, 0x0a, 0x18, 0x47, 0x65, 0x74, 0x53, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x22, 0x5c, + 0x0a, 0x19, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3f, 0x0a, 0x0f, 0x73, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0e, 0x73, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0xa4, 0x01, 0x0a, + 0x13, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, + 0x53, 0x6f, 0x72, 0x74, 0x12, 0x4e, 0x0a, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x18, 0x01, 0x20, + 0x01, 
0x28, 0x0e, 0x32, 0x2e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x6f, 0x72, 0x74, + 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x54, + 0x79, 0x70, 0x65, 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x05, 0x66, + 0x69, 0x65, 0x6c, 0x64, 0x12, 0x3d, 0x0a, 0x09, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x08, + 0xba, 0x48, 0x05, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x09, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x22, 0x9f, 0x02, 0x0a, 0x1a, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x12, 0x2b, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, + 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, + 0x01, 0x01, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, + 0x2f, 0x0a, 0x0d, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x66, 0x71, 0x6e, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x01, 0x88, + 0x01, 0x01, 0x52, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x46, 0x71, 0x6e, + 0x12, 0x33, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0a, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x61, + 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x48, 0x0a, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x18, 0x0b, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x70, 
0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x42, + 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x10, 0x01, 0x52, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x3a, + 0x24, 0xba, 0x48, 0x21, 0x22, 0x1f, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, + 0x65, 0x5f, 0x69, 0x64, 0x0a, 0x0d, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, + 0x66, 0x71, 0x6e, 0x10, 0x00, 0x22, 0x96, 0x01, 0x0a, 0x1b, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x41, 0x0a, 0x10, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x34, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, + 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x52, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xb7, + 0x06, 0x0a, 0x1b, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x36, + 0x0a, 0x12, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, + 0x03, 0xb0, 0x01, 0x01, 0x52, 0x10, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 
0x74, 0x65, 0x56, + 0x61, 0x6c, 0x75, 0x65, 0x49, 0x64, 0x12, 0xb8, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x8d, 0x01, 0xba, 0x48, 0x89, 0x01, 0xba, + 0x01, 0x80, 0x01, 0x0a, 0x1b, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, + 0x5f, 0x6f, 0x72, 0x5f, 0x69, 0x64, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, + 0x12, 0x2f, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, + 0x20, 0x49, 0x44, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, + 0x65, 0x6d, 0x70, 0x74, 0x79, 0x20, 0x69, 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, + 0x64, 0x1a, 0x30, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, 0x6c, 0x6c, 0x28, 0x69, 0x74, 0x65, 0x6d, + 0x2c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x21, 0x3d, 0x20, 0x27, + 0x27, 0x20, 0x7c, 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x69, 0x64, 0x20, 0x21, 0x3d, 0x20, + 0x27, 0x27, 0x29, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x73, 0x12, 0xfe, 0x01, 0x0a, 0x21, 0x65, 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x73, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, + 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, + 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, + 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, + 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, + 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, + 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, + 0x3d, 0x3d, 0x20, 
0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, + 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, + 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, + 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, + 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, + 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, + 0x7d, 0x27, 0x29, 0x52, 0x1d, 0x65, 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x53, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, + 0x49, 0x64, 0x12, 0x6b, 0x0a, 0x19, 0x6e, 0x65, 0x77, 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, + 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, + 0x74, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x52, 0x16, 0x6e, 0x65, 0x77, 0x53, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, + 0x2b, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, + 0x05, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, + 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, 0x2f, 0x0a, 0x0d, + 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x06, 0x20, + 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x01, 0x88, 0x01, 0x01, 0x52, + 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 
0x65, 0x46, 0x71, 0x6e, 0x12, 0x33, 0x0a, + 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x17, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, + 0x61, 0x4d, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0x3a, 0x24, 0xba, 0x48, 0x21, 0x22, 0x1f, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, + 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x0a, 0x0d, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, + 0x63, 0x65, 0x5f, 0x66, 0x71, 0x6e, 0x10, 0x00, 0x22, 0x5f, 0x0a, 0x1c, 0x43, 0x72, 0x65, 0x61, + 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3f, 0x0a, 0x0f, 0x73, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0e, 0x73, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0xfc, 0x04, 0x0a, 0x1b, 0x55, 0x70, + 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, + 0x02, 0x69, 0x64, 0x12, 0xed, 0x01, 0x0a, 0x18, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, + 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, 0x64, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, + 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, + 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 
0x61, + 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, + 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, + 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, + 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, + 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, + 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, + 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, + 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, + 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x73, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, + 0x74, 0x49, 0x64, 0x12, 0xc7, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, + 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, + 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x9c, 0x01, 0xba, 0x48, 0x98, 0x01, 0xba, 0x01, 0x94, 0x01, + 0x0a, 0x1b, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x6f, 0x72, + 0x5f, 0x69, 0x64, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x2f, 0x41, + 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, 0x20, 0x49, 0x44, + 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x65, 0x6d, 0x70, + 0x74, 0x79, 0x20, 0x69, 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x64, 0x1a, 0x44, + 0x74, 0x68, 0x69, 0x73, 0x2e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, + 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, 0x6c, 0x6c, 0x28, 0x69, 0x74, 0x65, + 0x6d, 0x2c, 0x20, 0x69, 0x74, 
0x65, 0x6d, 0x2e, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x21, 0x3d, 0x20, + 0x27, 0x27, 0x20, 0x7c, 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x69, 0x64, 0x20, 0x21, 0x3d, + 0x20, 0x27, 0x27, 0x29, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x33, 0x0a, + 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x17, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, + 0x61, 0x4d, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0x12, 0x54, 0x0a, 0x18, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x75, + 0x70, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x18, 0x65, + 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1a, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x75, 0x6d, + 0x52, 0x16, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, + 0x42, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x22, 0x5f, 0x0a, 0x1c, 0x55, 0x70, 0x64, 0x61, + 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3f, 0x0a, 0x0f, 0x73, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0e, 0x73, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0x37, 0x0a, 0x1b, 0x44, 0x65, 0x6c, + 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 
0xb0, 0x01, 0x01, 0x52, 0x02, + 0x69, 0x64, 0x22, 0x5f, 0x0a, 0x1c, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x3f, 0x0a, 0x0f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x52, 0x0e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x22, 0x39, 0x0a, 0x1d, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x22, 0xc9, + 0x01, 0x0a, 0x1e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, + 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x12, 0x4f, 0x0a, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, + 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x13, 0x73, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, + 0x65, 0x74, 0x12, 0x56, 0x0a, 0x1b, 0x61, 0x73, 0x73, 0x6f, 0x63, 0x69, 0x61, 0x74, 0x65, 0x64, + 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 
0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, + 0x19, 0x61, 0x73, 0x73, 0x6f, 0x63, 0x69, 0x61, 0x74, 0x65, 0x64, 0x53, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x22, 0xae, 0x01, 0x0a, 0x18, 0x53, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, + 0x65, 0x74, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x12, 0x53, 0x0a, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x33, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, + 0x6f, 0x72, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x42, 0x08, 0xba, 0x48, 0x05, + 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x12, 0x3d, 0x0a, 0x09, + 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, + 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x69, 0x72, + 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, 0x02, 0x10, 0x01, + 0x52, 0x09, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xa9, 0x02, 0x0a, 0x1f, + 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, + 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, + 0x2b, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, + 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, 0x2f, 0x0a, 0x0d, + 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 
0x07, 0x72, 0x05, 0x10, 0x01, 0x88, 0x01, 0x01, 0x52, + 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x46, 0x71, 0x6e, 0x12, 0x33, 0x0a, + 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0a, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x13, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x61, 0x67, 0x65, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x12, 0x4d, 0x0a, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x2f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x10, 0x01, 0x52, 0x04, 0x73, 0x6f, 0x72, 
@@ -1969,151 +2697,477 @@ var file_policy_subjectmapping_subject_mapping_proto_rawDesc = []byte{ 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x14, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x2a, 0x9b, 0x01, 0x0a, 0x17, 0x53, 0x6f, 0x72, 0x74, 0x53, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x54, 0x79, - 0x70, 0x65, 0x12, 0x2a, 0x0a, 0x26, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, - 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, - 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x29, - 0x0a, 0x25, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, - 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, - 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x01, 0x12, 0x29, 0x0a, 0x25, 0x53, 0x4f, 0x52, - 0x54, 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, - 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x44, 0x5f, - 0x41, 0x54, 0x10, 0x02, 0x2a, 0xb2, 0x01, 0x0a, 0x1c, 0x53, 0x6f, 0x72, 0x74, 0x53, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, - 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x30, 0x0a, 0x2c, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x53, 0x55, - 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, - 0x53, 0x45, 0x54, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, - 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52, 0x54, 0x5f, - 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 
0x5f, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, - 0x4e, 0x5f, 0x53, 0x45, 0x54, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, - 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x01, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52, 0x54, - 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, - 0x4f, 0x4e, 0x5f, 0x53, 0x45, 0x54, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x50, 0x44, - 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x02, 0x32, 0xb8, 0x0d, 0x0a, 0x15, 0x53, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x53, 0x65, 0x72, 0x76, - 0x69, 0x63, 0x65, 0x12, 0x81, 0x01, 0x0a, 0x14, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x32, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x1a, 0x33, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x81, 0x01, 0x0a, 0x13, 0x4c, 0x69, 0x73, 0x74, - 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, - 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x32, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 
0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x7b, 0x0a, 0x11, 0x47, - 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x12, 0x2f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x1a, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x81, 0x01, 0x0a, 0x14, 0x43, 0x72, 0x65, - 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x12, 0x32, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, - 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x33, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, - 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x81, 0x01, 0x0a, - 0x14, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, - 0x70, 0x70, 0x69, 
0x6e, 0x67, 0x12, 0x32, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, - 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x33, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, - 0x12, 0x81, 0x01, 0x0a, 0x14, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x32, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x33, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, - 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x22, 0x00, 0x12, 0x90, 0x01, 0x0a, 0x18, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, + 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x22, 0x47, 0x0a, 0x2b, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, + 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 
0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x22, + 0xaa, 0x01, 0x0a, 0x2c, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x12, 0x7a, 0x0a, 0x24, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, + 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, + 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, + 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x21, 0x64, 0x65, 0x66, 0x69, 0x6e, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, + 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0xca, 0x01, 0x0a, + 0x26, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x12, 0x61, 0x0a, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x41, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, + 0x6f, 0x72, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, + 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x73, 0x54, 0x79, 0x70, 0x65, 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, + 0x02, 0x10, 0x01, 0x52, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x12, 0x3d, 0x0a, 0x09, 0x64, 
0x69, + 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x69, 0x72, 0x65, 0x63, + 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x09, + 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x8a, 0x05, 0x0a, 0x2d, 0x4c, 0x69, + 0x73, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, + 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0xd7, 0x01, 0x0a, 0x0c, + 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, + 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, + 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, + 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, + 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, + 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, + 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, + 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, + 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, + 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, + 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, + 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, + 0x61, 0x63, 0x65, 0x49, 0x64, 
0x12, 0xec, 0x01, 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, + 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, + 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, + 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, + 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, + 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, + 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, + 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, + 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, + 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, + 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, + 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, + 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, + 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x61, + 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x33, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x50, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x0a, 0x70, + 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x5b, 0x0a, 0x04, 0x73, 0x6f, 0x72, + 0x74, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 
0x70, 0x69, 0x6e, 0x67, 0x2e, + 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, + 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x10, 0x01, + 0x52, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x22, 0xe4, 0x01, 0x0a, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, + 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, + 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x7c, 0x0a, 0x25, 0x64, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, + 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, + 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x52, 0x22, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, + 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x34, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x52, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xda, 0x0a, + 0x0a, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, + 0x6e, 
0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x12, 0xec, 0x01, 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, + 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, + 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, + 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, + 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, + 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, + 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, + 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, + 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, + 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, + 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, + 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, + 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, + 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, + 0x44, 0x0a, 0x18, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x00, 0x88, 0x01, 0x01, 0x52, 0x16, 0x61, + 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x46, 0x71, 0x6e, 0x12, 0x4e, 
0x0a, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x72, + 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x42, 0x06, + 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, + 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, 0xb8, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x8d, 0x01, 0xba, 0x48, 0x89, 0x01, 0xba, 0x01, + 0x80, 0x01, 0x0a, 0x1b, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x5f, + 0x6f, 0x72, 0x5f, 0x69, 0x64, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x12, + 0x2f, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, 0x20, + 0x49, 0x44, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x65, + 0x6d, 0x70, 0x74, 0x79, 0x20, 0x69, 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x64, + 0x1a, 0x30, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, 0x6c, 0x6c, 0x28, 0x69, 0x74, 0x65, 0x6d, 0x2c, + 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, + 0x20, 0x7c, 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x69, 0x64, 0x20, 0x21, 0x3d, 0x20, 0x27, + 0x27, 0x29, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, + 0x12, 0xfe, 0x01, 0x0a, 0x21, 0x65, 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x73, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, + 0x73, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, + 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 
0x6f, 0x6e, 0x61, + 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, + 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, + 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, + 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, + 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, + 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, + 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, + 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, + 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, + 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, + 0x27, 0x29, 0x52, 0x1d, 0x65, 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x53, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x49, + 0x64, 0x12, 0x6b, 0x0a, 0x19, 0x6e, 0x65, 0x77, 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x06, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, - 0x73, 0x12, 0x36, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, - 0x74, 0x73, 0x52, 
0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x37, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x52, 0x16, 0x6e, 0x65, 0x77, 0x53, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0xd7, + 0x01, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, + 0x07, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, + 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, + 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, + 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, + 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, + 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, + 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, + 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, + 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, + 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, + 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, + 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x0b, 0x6e, 0x61, 0x6d, + 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, 0x2f, 0x0a, 0x0d, 0x6e, 0x61, 0x6d, 0x65, + 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x42, + 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x00, 0x88, 0x01, 0x01, 0x52, 0x0c, 0x6e, 0x61, 0x6d, + 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x46, 0x71, 0x6e, 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 
0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63, 0x6f, + 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75, 0x74, + 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x3a, 0x3a, + 0xba, 0x48, 0x37, 0x22, 0x35, 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, + 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x0a, 0x18, + 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, + 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x66, 0x71, 0x6e, 0x10, 0x01, 0x22, 0xad, 0x01, 0x0a, 0x2f, 0x43, + 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, + 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x7a, + 0x0a, 0x24, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x6d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, + 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x21, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, + 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0xd7, 0x05, 0x0a, 0x2e, 0x55, + 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, + 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 
0x0a, + 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, + 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x12, 0x46, 0x0a, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x1f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, + 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, + 0xed, 0x01, 0x0a, 0x18, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, + 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, + 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, + 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, + 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, + 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, + 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, + 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, + 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, + 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, + 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, + 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x43, 0x6f, 0x6e, 0x64, 
0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x49, 0x64, 0x12, + 0xc7, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, + 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x42, 0x9c, 0x01, 0xba, 0x48, 0x98, 0x01, 0xba, 0x01, 0x94, 0x01, 0x0a, 0x1b, 0x61, 0x63, + 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x6f, 0x72, 0x5f, 0x69, 0x64, 0x5f, + 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x2f, 0x41, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, 0x20, 0x49, 0x44, 0x20, 0x6d, 0x75, 0x73, + 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x20, 0x69, + 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x64, 0x1a, 0x44, 0x74, 0x68, 0x69, 0x73, + 0x2e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, + 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, 0x6c, 0x6c, 0x28, 0x69, 0x74, 0x65, 0x6d, 0x2c, 0x20, 0x69, + 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x20, 0x7c, + 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x69, 0x64, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x29, + 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63, 0x6f, + 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75, 0x74, + 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x54, + 0x0a, 0x18, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x75, 0x70, 0x64, 0x61, 0x74, + 0x65, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x18, 0x65, 0x20, 0x01, 0x28, 0x0e, + 0x32, 0x1a, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x75, 
0x6d, 0x52, 0x16, 0x6d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x42, 0x65, 0x68, 0x61, + 0x76, 0x69, 0x6f, 0x72, 0x22, 0xad, 0x01, 0x0a, 0x2f, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, + 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, + 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x7a, 0x0a, 0x24, 0x64, 0x65, 0x66, 0x69, + 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, + 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x52, 0x21, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, + 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x22, 0x4a, 0x0a, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, + 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, + 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, + 0x22, 0xad, 0x01, 0x0a, 0x2f, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, + 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, + 0x6f, 
0x6e, 0x73, 0x65, 0x12, 0x7a, 0x0a, 0x24, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, + 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, + 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, + 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x21, 0x64, + 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, + 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x2a, 0x9b, 0x01, 0x0a, 0x17, 0x53, 0x6f, 0x72, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x2a, 0x0a, 0x26, + 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, + 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, + 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x29, 0x0a, 0x25, 0x53, 0x4f, 0x52, 0x54, + 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, + 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, + 0x54, 0x10, 0x01, 0x12, 0x29, 0x0a, 0x25, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x53, 0x55, 0x42, 0x4a, + 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, + 0x45, 0x5f, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x02, 0x2a, 0xb2, + 0x01, 0x0a, 0x1c, 0x53, 0x6f, 0x72, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, + 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, + 0x30, 0x0a, 0x2c, 0x53, 0x4f, 0x52, 0x54, 
0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, + 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x45, 0x54, 0x53, 0x5f, 0x54, + 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, + 0x00, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, + 0x54, 0x5f, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x45, 0x54, 0x53, + 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, + 0x10, 0x01, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, + 0x43, 0x54, 0x5f, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x45, 0x54, + 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, + 0x54, 0x10, 0x02, 0x2a, 0xed, 0x01, 0x0a, 0x2a, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x65, 0x66, 0x69, + 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, + 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x54, 0x79, + 0x70, 0x65, 0x12, 0x3f, 0x0a, 0x3b, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x44, 0x45, 0x46, 0x49, 0x4e, + 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x45, 0x4e, 0x54, 0x49, + 0x54, 0x4c, 0x45, 0x4d, 0x45, 0x4e, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, + 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, + 0x44, 0x10, 0x00, 0x12, 0x3e, 0x0a, 0x3a, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x44, 0x45, 0x46, 0x49, + 0x4e, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x45, 0x4e, 0x54, + 0x49, 0x54, 0x4c, 0x45, 0x4d, 0x45, 0x4e, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, + 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, + 0x54, 0x10, 0x01, 0x12, 0x3e, 0x0a, 0x3a, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x44, 
0x45, 0x46, 0x49, + 0x4e, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x45, 0x4e, 0x54, + 0x49, 0x54, 0x4c, 0x45, 0x4d, 0x45, 0x4e, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, + 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, + 0x54, 0x10, 0x02, 0x32, 0xe3, 0x14, 0x0a, 0x15, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x81, 0x01, + 0x0a, 0x14, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x32, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4d, + 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x33, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x2e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, + 0x00, 0x12, 0x81, 0x01, 0x0a, 0x13, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, - 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x8a, 0x01, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x53, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, - 0x65, 0x74, 0x12, 
0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, + 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x32, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x7b, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x2f, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, + 0x02, 0x01, 0x12, 0x81, 0x01, 0x0a, 0x14, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x32, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x33, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 
0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x81, 0x01, 0x0a, 0x14, 0x55, 0x70, 0x64, 0x61, 0x74, + 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, + 0x32, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x33, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, + 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x81, 0x01, 0x0a, 0x14, 0x44, + 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x12, 0x32, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, + 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x33, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, + 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x90, + 0x01, 0x0a, 0x18, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, + 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x12, 0x36, 0x2e, 0x70, 
0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, + 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x37, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, + 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, + 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, + 0x01, 0x12, 0x8a, 0x01, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x34, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, + 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, - 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, + 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x90, + 0x01, 0x0a, 0x19, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 
0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x37, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x38, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, + 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, - 0x03, 0x90, 0x02, 0x01, 0x12, 0x90, 0x01, 0x0a, 0x19, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, + 0x00, 0x12, 0x90, 0x01, 0x0a, 0x19, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, + 0x37, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, + 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x38, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, + 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x22, 0x00, 0x12, 0x90, 0x01, 0x0a, 0x19, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x37, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 
0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, + 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x38, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x90, 0x01, 0x0a, 0x19, 0x55, 0x70, 0x64, 0x61, - 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x37, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, - 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, - 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x38, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0xb4, 0x01, 0x0a, 0x25, 0x44, 0x65, 0x6c, 0x65, + 0x74, 0x65, 0x41, 0x6c, 0x6c, 0x55, 0x6e, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, - 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x90, 0x01, 0x0a, 0x19, 0x44, - 0x65, 0x6c, 0x65, 0x74, 0x65, 
0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x37, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, - 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x1a, 0x38, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, + 0x73, 0x12, 0x43, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, + 0x41, 0x6c, 0x6c, 0x55, 0x6e, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x53, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x44, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, + 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x6c, 0x6c, 0x55, 0x6e, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, - 0x53, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0xb4, 0x01, - 0x0a, 0x25, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x6c, 0x6c, 0x55, 0x6e, 0x6d, 0x61, 0x70, - 0x70, 0x65, 0x64, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x12, 0x43, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, - 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x6c, 0x6c, 0x55, 0x6e, 0x6d, 0x61, 0x70, 0x70, 0x65, - 0x64, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 
0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x44, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x6c, 0x6c, 0x55, 0x6e, - 0x6d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, - 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x22, 0x00, 0x42, 0xe4, 0x01, 0x0a, 0x19, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x42, 0x13, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3d, 0x67, 0x69, 0x74, 0x68, 0x75, - 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, - 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, - 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xa2, 0x02, 0x03, 0x50, 0x53, 0x58, 0xaa, 0x02, - 0x15, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xca, 0x02, 0x15, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, - 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xe2, 0x02, - 0x21, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0xea, 0x02, 0x16, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x53, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x62, 0x06, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 
0x33, + 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0xba, + 0x01, 0x0a, 0x26, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x44, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, + 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x45, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, 0x66, 0x69, + 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, + 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0xb4, 0x01, 0x0a, 0x24, + 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, + 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x12, 0x42, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, + 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, + 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x43, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x73, 0x75, 0x62, 
0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x2e, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, + 0x02, 0x01, 0x12, 0xba, 0x01, 0x0a, 0x27, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, + 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x45, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, + 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x46, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, + 0x65, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, + 0xba, 0x01, 0x0a, 0x27, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, + 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, + 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x45, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 
0x65, 0x66, 0x69, 0x6e, 0x69, + 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, + 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x46, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, + 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0xba, 0x01, 0x0a, + 0x27, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x45, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x46, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, + 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, + 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0xe4, 0x01, 0x0a, 0x19, 0x63, 0x6f, + 0x6d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x6d, 
0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x42, 0x13, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3d, + 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, + 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xa2, 0x02, 0x03, + 0x50, 0x53, 0x58, 0xaa, 0x02, 0x15, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xca, 0x02, 0x15, 0x50, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0xe2, 0x02, 0x21, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x53, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5c, 0x47, 0x50, 0x42, 0x4d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x16, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x3a, 0x3a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -2128,115 +3182,157 @@ func file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP() []byte { return file_policy_subjectmapping_subject_mapping_proto_rawDescData } -var file_policy_subjectmapping_subject_mapping_proto_enumTypes = make([]protoimpl.EnumInfo, 2) -var file_policy_subjectmapping_subject_mapping_proto_msgTypes = make([]protoimpl.MessageInfo, 27) +var file_policy_subjectmapping_subject_mapping_proto_enumTypes = make([]protoimpl.EnumInfo, 3) +var file_policy_subjectmapping_subject_mapping_proto_msgTypes = make([]protoimpl.MessageInfo, 38) var file_policy_subjectmapping_subject_mapping_proto_goTypes = []interface{}{ - (SortSubjectMappingsType)(0), // 0: policy.subjectmapping.SortSubjectMappingsType - (SortSubjectConditionSetsType)(0), // 1: policy.subjectmapping.SortSubjectConditionSetsType - (*MatchSubjectMappingsRequest)(nil), // 2: policy.subjectmapping.MatchSubjectMappingsRequest - (*MatchSubjectMappingsResponse)(nil), // 3: policy.subjectmapping.MatchSubjectMappingsResponse - (*GetSubjectMappingRequest)(nil), // 4: policy.subjectmapping.GetSubjectMappingRequest - (*GetSubjectMappingResponse)(nil), // 5: policy.subjectmapping.GetSubjectMappingResponse - (*SubjectMappingsSort)(nil), // 6: policy.subjectmapping.SubjectMappingsSort - (*ListSubjectMappingsRequest)(nil), // 7: policy.subjectmapping.ListSubjectMappingsRequest - (*ListSubjectMappingsResponse)(nil), // 8: policy.subjectmapping.ListSubjectMappingsResponse - (*CreateSubjectMappingRequest)(nil), // 9: policy.subjectmapping.CreateSubjectMappingRequest - (*CreateSubjectMappingResponse)(nil), // 10: policy.subjectmapping.CreateSubjectMappingResponse - (*UpdateSubjectMappingRequest)(nil), // 11: policy.subjectmapping.UpdateSubjectMappingRequest - (*UpdateSubjectMappingResponse)(nil), // 12: policy.subjectmapping.UpdateSubjectMappingResponse - (*DeleteSubjectMappingRequest)(nil), // 13: policy.subjectmapping.DeleteSubjectMappingRequest - (*DeleteSubjectMappingResponse)(nil), // 14: 
policy.subjectmapping.DeleteSubjectMappingResponse - (*GetSubjectConditionSetRequest)(nil), // 15: policy.subjectmapping.GetSubjectConditionSetRequest - (*GetSubjectConditionSetResponse)(nil), // 16: policy.subjectmapping.GetSubjectConditionSetResponse - (*SubjectConditionSetsSort)(nil), // 17: policy.subjectmapping.SubjectConditionSetsSort - (*ListSubjectConditionSetsRequest)(nil), // 18: policy.subjectmapping.ListSubjectConditionSetsRequest - (*ListSubjectConditionSetsResponse)(nil), // 19: policy.subjectmapping.ListSubjectConditionSetsResponse - (*SubjectConditionSetCreate)(nil), // 20: policy.subjectmapping.SubjectConditionSetCreate - (*CreateSubjectConditionSetRequest)(nil), // 21: policy.subjectmapping.CreateSubjectConditionSetRequest - (*CreateSubjectConditionSetResponse)(nil), // 22: policy.subjectmapping.CreateSubjectConditionSetResponse - (*UpdateSubjectConditionSetRequest)(nil), // 23: policy.subjectmapping.UpdateSubjectConditionSetRequest - (*UpdateSubjectConditionSetResponse)(nil), // 24: policy.subjectmapping.UpdateSubjectConditionSetResponse - (*DeleteSubjectConditionSetRequest)(nil), // 25: policy.subjectmapping.DeleteSubjectConditionSetRequest - (*DeleteSubjectConditionSetResponse)(nil), // 26: policy.subjectmapping.DeleteSubjectConditionSetResponse - (*DeleteAllUnmappedSubjectConditionSetsRequest)(nil), // 27: policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest - (*DeleteAllUnmappedSubjectConditionSetsResponse)(nil), // 28: policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse - (*policy.SubjectProperty)(nil), // 29: policy.SubjectProperty - (*policy.SubjectMapping)(nil), // 30: policy.SubjectMapping - (policy.SortDirection)(0), // 31: policy.SortDirection - (*policy.PageRequest)(nil), // 32: policy.PageRequest - (*policy.PageResponse)(nil), // 33: policy.PageResponse - (*policy.Action)(nil), // 34: policy.Action - (*common.MetadataMutable)(nil), // 35: common.MetadataMutable - (common.MetadataUpdateEnum)(0), // 36: 
common.MetadataUpdateEnum - (*policy.SubjectConditionSet)(nil), // 37: policy.SubjectConditionSet - (*policy.SubjectSet)(nil), // 38: policy.SubjectSet + (SortSubjectMappingsType)(0), // 0: policy.subjectmapping.SortSubjectMappingsType + (SortSubjectConditionSetsType)(0), // 1: policy.subjectmapping.SortSubjectConditionSetsType + (SortDefinitionValueEntitlementMappingsType)(0), // 2: policy.subjectmapping.SortDefinitionValueEntitlementMappingsType + (*MatchSubjectMappingsRequest)(nil), // 3: policy.subjectmapping.MatchSubjectMappingsRequest + (*MatchSubjectMappingsResponse)(nil), // 4: policy.subjectmapping.MatchSubjectMappingsResponse + (*GetSubjectMappingRequest)(nil), // 5: policy.subjectmapping.GetSubjectMappingRequest + (*GetSubjectMappingResponse)(nil), // 6: policy.subjectmapping.GetSubjectMappingResponse + (*SubjectMappingsSort)(nil), // 7: policy.subjectmapping.SubjectMappingsSort + (*ListSubjectMappingsRequest)(nil), // 8: policy.subjectmapping.ListSubjectMappingsRequest + (*ListSubjectMappingsResponse)(nil), // 9: policy.subjectmapping.ListSubjectMappingsResponse + (*CreateSubjectMappingRequest)(nil), // 10: policy.subjectmapping.CreateSubjectMappingRequest + (*CreateSubjectMappingResponse)(nil), // 11: policy.subjectmapping.CreateSubjectMappingResponse + (*UpdateSubjectMappingRequest)(nil), // 12: policy.subjectmapping.UpdateSubjectMappingRequest + (*UpdateSubjectMappingResponse)(nil), // 13: policy.subjectmapping.UpdateSubjectMappingResponse + (*DeleteSubjectMappingRequest)(nil), // 14: policy.subjectmapping.DeleteSubjectMappingRequest + (*DeleteSubjectMappingResponse)(nil), // 15: policy.subjectmapping.DeleteSubjectMappingResponse + (*GetSubjectConditionSetRequest)(nil), // 16: policy.subjectmapping.GetSubjectConditionSetRequest + (*GetSubjectConditionSetResponse)(nil), // 17: policy.subjectmapping.GetSubjectConditionSetResponse + (*SubjectConditionSetsSort)(nil), // 18: policy.subjectmapping.SubjectConditionSetsSort + 
(*ListSubjectConditionSetsRequest)(nil), // 19: policy.subjectmapping.ListSubjectConditionSetsRequest + (*ListSubjectConditionSetsResponse)(nil), // 20: policy.subjectmapping.ListSubjectConditionSetsResponse + (*SubjectConditionSetCreate)(nil), // 21: policy.subjectmapping.SubjectConditionSetCreate + (*CreateSubjectConditionSetRequest)(nil), // 22: policy.subjectmapping.CreateSubjectConditionSetRequest + (*CreateSubjectConditionSetResponse)(nil), // 23: policy.subjectmapping.CreateSubjectConditionSetResponse + (*UpdateSubjectConditionSetRequest)(nil), // 24: policy.subjectmapping.UpdateSubjectConditionSetRequest + (*UpdateSubjectConditionSetResponse)(nil), // 25: policy.subjectmapping.UpdateSubjectConditionSetResponse + (*DeleteSubjectConditionSetRequest)(nil), // 26: policy.subjectmapping.DeleteSubjectConditionSetRequest + (*DeleteSubjectConditionSetResponse)(nil), // 27: policy.subjectmapping.DeleteSubjectConditionSetResponse + (*DeleteAllUnmappedSubjectConditionSetsRequest)(nil), // 28: policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest + (*DeleteAllUnmappedSubjectConditionSetsResponse)(nil), // 29: policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse + (*GetDefinitionValueEntitlementMappingRequest)(nil), // 30: policy.subjectmapping.GetDefinitionValueEntitlementMappingRequest + (*GetDefinitionValueEntitlementMappingResponse)(nil), // 31: policy.subjectmapping.GetDefinitionValueEntitlementMappingResponse + (*DefinitionValueEntitlementMappingsSort)(nil), // 32: policy.subjectmapping.DefinitionValueEntitlementMappingsSort + (*ListDefinitionValueEntitlementMappingsRequest)(nil), // 33: policy.subjectmapping.ListDefinitionValueEntitlementMappingsRequest + (*ListDefinitionValueEntitlementMappingsResponse)(nil), // 34: policy.subjectmapping.ListDefinitionValueEntitlementMappingsResponse + (*CreateDefinitionValueEntitlementMappingRequest)(nil), // 35: policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest + 
(*CreateDefinitionValueEntitlementMappingResponse)(nil), // 36: policy.subjectmapping.CreateDefinitionValueEntitlementMappingResponse + (*UpdateDefinitionValueEntitlementMappingRequest)(nil), // 37: policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest + (*UpdateDefinitionValueEntitlementMappingResponse)(nil), // 38: policy.subjectmapping.UpdateDefinitionValueEntitlementMappingResponse + (*DeleteDefinitionValueEntitlementMappingRequest)(nil), // 39: policy.subjectmapping.DeleteDefinitionValueEntitlementMappingRequest + (*DeleteDefinitionValueEntitlementMappingResponse)(nil), // 40: policy.subjectmapping.DeleteDefinitionValueEntitlementMappingResponse + (*policy.SubjectProperty)(nil), // 41: policy.SubjectProperty + (*policy.SubjectMapping)(nil), // 42: policy.SubjectMapping + (policy.SortDirection)(0), // 43: policy.SortDirection + (*policy.PageRequest)(nil), // 44: policy.PageRequest + (*policy.PageResponse)(nil), // 45: policy.PageResponse + (*policy.Action)(nil), // 46: policy.Action + (*common.MetadataMutable)(nil), // 47: common.MetadataMutable + (common.MetadataUpdateEnum)(0), // 48: common.MetadataUpdateEnum + (*policy.SubjectConditionSet)(nil), // 49: policy.SubjectConditionSet + (*policy.SubjectSet)(nil), // 50: policy.SubjectSet + (*policy.DefinitionValueEntitlementMapping)(nil), // 51: policy.DefinitionValueEntitlementMapping + (*policy.DefinitionValueResolver)(nil), // 52: policy.DefinitionValueResolver } var file_policy_subjectmapping_subject_mapping_proto_depIdxs = []int32{ - 29, // 0: policy.subjectmapping.MatchSubjectMappingsRequest.subject_properties:type_name -> policy.SubjectProperty - 30, // 1: policy.subjectmapping.MatchSubjectMappingsResponse.subject_mappings:type_name -> policy.SubjectMapping - 30, // 2: policy.subjectmapping.GetSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping + 41, // 0: policy.subjectmapping.MatchSubjectMappingsRequest.subject_properties:type_name -> policy.SubjectProperty + 42, // 1: 
policy.subjectmapping.MatchSubjectMappingsResponse.subject_mappings:type_name -> policy.SubjectMapping + 42, // 2: policy.subjectmapping.GetSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping 0, // 3: policy.subjectmapping.SubjectMappingsSort.field:type_name -> policy.subjectmapping.SortSubjectMappingsType - 31, // 4: policy.subjectmapping.SubjectMappingsSort.direction:type_name -> policy.SortDirection - 32, // 5: policy.subjectmapping.ListSubjectMappingsRequest.pagination:type_name -> policy.PageRequest - 6, // 6: policy.subjectmapping.ListSubjectMappingsRequest.sort:type_name -> policy.subjectmapping.SubjectMappingsSort - 30, // 7: policy.subjectmapping.ListSubjectMappingsResponse.subject_mappings:type_name -> policy.SubjectMapping - 33, // 8: policy.subjectmapping.ListSubjectMappingsResponse.pagination:type_name -> policy.PageResponse - 34, // 9: policy.subjectmapping.CreateSubjectMappingRequest.actions:type_name -> policy.Action - 20, // 10: policy.subjectmapping.CreateSubjectMappingRequest.new_subject_condition_set:type_name -> policy.subjectmapping.SubjectConditionSetCreate - 35, // 11: policy.subjectmapping.CreateSubjectMappingRequest.metadata:type_name -> common.MetadataMutable - 30, // 12: policy.subjectmapping.CreateSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping - 34, // 13: policy.subjectmapping.UpdateSubjectMappingRequest.actions:type_name -> policy.Action - 35, // 14: policy.subjectmapping.UpdateSubjectMappingRequest.metadata:type_name -> common.MetadataMutable - 36, // 15: policy.subjectmapping.UpdateSubjectMappingRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 30, // 16: policy.subjectmapping.UpdateSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping - 30, // 17: policy.subjectmapping.DeleteSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping - 37, // 18: 
policy.subjectmapping.GetSubjectConditionSetResponse.subject_condition_set:type_name -> policy.SubjectConditionSet - 30, // 19: policy.subjectmapping.GetSubjectConditionSetResponse.associated_subject_mappings:type_name -> policy.SubjectMapping + 43, // 4: policy.subjectmapping.SubjectMappingsSort.direction:type_name -> policy.SortDirection + 44, // 5: policy.subjectmapping.ListSubjectMappingsRequest.pagination:type_name -> policy.PageRequest + 7, // 6: policy.subjectmapping.ListSubjectMappingsRequest.sort:type_name -> policy.subjectmapping.SubjectMappingsSort + 42, // 7: policy.subjectmapping.ListSubjectMappingsResponse.subject_mappings:type_name -> policy.SubjectMapping + 45, // 8: policy.subjectmapping.ListSubjectMappingsResponse.pagination:type_name -> policy.PageResponse + 46, // 9: policy.subjectmapping.CreateSubjectMappingRequest.actions:type_name -> policy.Action + 21, // 10: policy.subjectmapping.CreateSubjectMappingRequest.new_subject_condition_set:type_name -> policy.subjectmapping.SubjectConditionSetCreate + 47, // 11: policy.subjectmapping.CreateSubjectMappingRequest.metadata:type_name -> common.MetadataMutable + 42, // 12: policy.subjectmapping.CreateSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping + 46, // 13: policy.subjectmapping.UpdateSubjectMappingRequest.actions:type_name -> policy.Action + 47, // 14: policy.subjectmapping.UpdateSubjectMappingRequest.metadata:type_name -> common.MetadataMutable + 48, // 15: policy.subjectmapping.UpdateSubjectMappingRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 42, // 16: policy.subjectmapping.UpdateSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping + 42, // 17: policy.subjectmapping.DeleteSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping + 49, // 18: policy.subjectmapping.GetSubjectConditionSetResponse.subject_condition_set:type_name -> policy.SubjectConditionSet + 42, // 19: 
policy.subjectmapping.GetSubjectConditionSetResponse.associated_subject_mappings:type_name -> policy.SubjectMapping 1, // 20: policy.subjectmapping.SubjectConditionSetsSort.field:type_name -> policy.subjectmapping.SortSubjectConditionSetsType - 31, // 21: policy.subjectmapping.SubjectConditionSetsSort.direction:type_name -> policy.SortDirection - 32, // 22: policy.subjectmapping.ListSubjectConditionSetsRequest.pagination:type_name -> policy.PageRequest - 17, // 23: policy.subjectmapping.ListSubjectConditionSetsRequest.sort:type_name -> policy.subjectmapping.SubjectConditionSetsSort - 37, // 24: policy.subjectmapping.ListSubjectConditionSetsResponse.subject_condition_sets:type_name -> policy.SubjectConditionSet - 33, // 25: policy.subjectmapping.ListSubjectConditionSetsResponse.pagination:type_name -> policy.PageResponse - 38, // 26: policy.subjectmapping.SubjectConditionSetCreate.subject_sets:type_name -> policy.SubjectSet - 35, // 27: policy.subjectmapping.SubjectConditionSetCreate.metadata:type_name -> common.MetadataMutable - 20, // 28: policy.subjectmapping.CreateSubjectConditionSetRequest.subject_condition_set:type_name -> policy.subjectmapping.SubjectConditionSetCreate - 37, // 29: policy.subjectmapping.CreateSubjectConditionSetResponse.subject_condition_set:type_name -> policy.SubjectConditionSet - 38, // 30: policy.subjectmapping.UpdateSubjectConditionSetRequest.subject_sets:type_name -> policy.SubjectSet - 35, // 31: policy.subjectmapping.UpdateSubjectConditionSetRequest.metadata:type_name -> common.MetadataMutable - 36, // 32: policy.subjectmapping.UpdateSubjectConditionSetRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 37, // 33: policy.subjectmapping.UpdateSubjectConditionSetResponse.subject_condition_set:type_name -> policy.SubjectConditionSet - 37, // 34: policy.subjectmapping.DeleteSubjectConditionSetResponse.subject_condition_set:type_name -> policy.SubjectConditionSet - 37, // 35: 
policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse.subject_condition_sets:type_name -> policy.SubjectConditionSet - 2, // 36: policy.subjectmapping.SubjectMappingService.MatchSubjectMappings:input_type -> policy.subjectmapping.MatchSubjectMappingsRequest - 7, // 37: policy.subjectmapping.SubjectMappingService.ListSubjectMappings:input_type -> policy.subjectmapping.ListSubjectMappingsRequest - 4, // 38: policy.subjectmapping.SubjectMappingService.GetSubjectMapping:input_type -> policy.subjectmapping.GetSubjectMappingRequest - 9, // 39: policy.subjectmapping.SubjectMappingService.CreateSubjectMapping:input_type -> policy.subjectmapping.CreateSubjectMappingRequest - 11, // 40: policy.subjectmapping.SubjectMappingService.UpdateSubjectMapping:input_type -> policy.subjectmapping.UpdateSubjectMappingRequest - 13, // 41: policy.subjectmapping.SubjectMappingService.DeleteSubjectMapping:input_type -> policy.subjectmapping.DeleteSubjectMappingRequest - 18, // 42: policy.subjectmapping.SubjectMappingService.ListSubjectConditionSets:input_type -> policy.subjectmapping.ListSubjectConditionSetsRequest - 15, // 43: policy.subjectmapping.SubjectMappingService.GetSubjectConditionSet:input_type -> policy.subjectmapping.GetSubjectConditionSetRequest - 21, // 44: policy.subjectmapping.SubjectMappingService.CreateSubjectConditionSet:input_type -> policy.subjectmapping.CreateSubjectConditionSetRequest - 23, // 45: policy.subjectmapping.SubjectMappingService.UpdateSubjectConditionSet:input_type -> policy.subjectmapping.UpdateSubjectConditionSetRequest - 25, // 46: policy.subjectmapping.SubjectMappingService.DeleteSubjectConditionSet:input_type -> policy.subjectmapping.DeleteSubjectConditionSetRequest - 27, // 47: policy.subjectmapping.SubjectMappingService.DeleteAllUnmappedSubjectConditionSets:input_type -> policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest - 3, // 48: policy.subjectmapping.SubjectMappingService.MatchSubjectMappings:output_type -> 
policy.subjectmapping.MatchSubjectMappingsResponse - 8, // 49: policy.subjectmapping.SubjectMappingService.ListSubjectMappings:output_type -> policy.subjectmapping.ListSubjectMappingsResponse - 5, // 50: policy.subjectmapping.SubjectMappingService.GetSubjectMapping:output_type -> policy.subjectmapping.GetSubjectMappingResponse - 10, // 51: policy.subjectmapping.SubjectMappingService.CreateSubjectMapping:output_type -> policy.subjectmapping.CreateSubjectMappingResponse - 12, // 52: policy.subjectmapping.SubjectMappingService.UpdateSubjectMapping:output_type -> policy.subjectmapping.UpdateSubjectMappingResponse - 14, // 53: policy.subjectmapping.SubjectMappingService.DeleteSubjectMapping:output_type -> policy.subjectmapping.DeleteSubjectMappingResponse - 19, // 54: policy.subjectmapping.SubjectMappingService.ListSubjectConditionSets:output_type -> policy.subjectmapping.ListSubjectConditionSetsResponse - 16, // 55: policy.subjectmapping.SubjectMappingService.GetSubjectConditionSet:output_type -> policy.subjectmapping.GetSubjectConditionSetResponse - 22, // 56: policy.subjectmapping.SubjectMappingService.CreateSubjectConditionSet:output_type -> policy.subjectmapping.CreateSubjectConditionSetResponse - 24, // 57: policy.subjectmapping.SubjectMappingService.UpdateSubjectConditionSet:output_type -> policy.subjectmapping.UpdateSubjectConditionSetResponse - 26, // 58: policy.subjectmapping.SubjectMappingService.DeleteSubjectConditionSet:output_type -> policy.subjectmapping.DeleteSubjectConditionSetResponse - 28, // 59: policy.subjectmapping.SubjectMappingService.DeleteAllUnmappedSubjectConditionSets:output_type -> policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse - 48, // [48:60] is the sub-list for method output_type - 36, // [36:48] is the sub-list for method input_type - 36, // [36:36] is the sub-list for extension type_name - 36, // [36:36] is the sub-list for extension extendee - 0, // [0:36] is the sub-list for field type_name + 43, // 21: 
policy.subjectmapping.SubjectConditionSetsSort.direction:type_name -> policy.SortDirection + 44, // 22: policy.subjectmapping.ListSubjectConditionSetsRequest.pagination:type_name -> policy.PageRequest + 18, // 23: policy.subjectmapping.ListSubjectConditionSetsRequest.sort:type_name -> policy.subjectmapping.SubjectConditionSetsSort + 49, // 24: policy.subjectmapping.ListSubjectConditionSetsResponse.subject_condition_sets:type_name -> policy.SubjectConditionSet + 45, // 25: policy.subjectmapping.ListSubjectConditionSetsResponse.pagination:type_name -> policy.PageResponse + 50, // 26: policy.subjectmapping.SubjectConditionSetCreate.subject_sets:type_name -> policy.SubjectSet + 47, // 27: policy.subjectmapping.SubjectConditionSetCreate.metadata:type_name -> common.MetadataMutable + 21, // 28: policy.subjectmapping.CreateSubjectConditionSetRequest.subject_condition_set:type_name -> policy.subjectmapping.SubjectConditionSetCreate + 49, // 29: policy.subjectmapping.CreateSubjectConditionSetResponse.subject_condition_set:type_name -> policy.SubjectConditionSet + 50, // 30: policy.subjectmapping.UpdateSubjectConditionSetRequest.subject_sets:type_name -> policy.SubjectSet + 47, // 31: policy.subjectmapping.UpdateSubjectConditionSetRequest.metadata:type_name -> common.MetadataMutable + 48, // 32: policy.subjectmapping.UpdateSubjectConditionSetRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 49, // 33: policy.subjectmapping.UpdateSubjectConditionSetResponse.subject_condition_set:type_name -> policy.SubjectConditionSet + 49, // 34: policy.subjectmapping.DeleteSubjectConditionSetResponse.subject_condition_set:type_name -> policy.SubjectConditionSet + 49, // 35: policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse.subject_condition_sets:type_name -> policy.SubjectConditionSet + 51, // 36: policy.subjectmapping.GetDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> 
policy.DefinitionValueEntitlementMapping + 2, // 37: policy.subjectmapping.DefinitionValueEntitlementMappingsSort.field:type_name -> policy.subjectmapping.SortDefinitionValueEntitlementMappingsType + 43, // 38: policy.subjectmapping.DefinitionValueEntitlementMappingsSort.direction:type_name -> policy.SortDirection + 44, // 39: policy.subjectmapping.ListDefinitionValueEntitlementMappingsRequest.pagination:type_name -> policy.PageRequest + 32, // 40: policy.subjectmapping.ListDefinitionValueEntitlementMappingsRequest.sort:type_name -> policy.subjectmapping.DefinitionValueEntitlementMappingsSort + 51, // 41: policy.subjectmapping.ListDefinitionValueEntitlementMappingsResponse.definition_value_entitlement_mappings:type_name -> policy.DefinitionValueEntitlementMapping + 45, // 42: policy.subjectmapping.ListDefinitionValueEntitlementMappingsResponse.pagination:type_name -> policy.PageResponse + 52, // 43: policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest.value_resolver:type_name -> policy.DefinitionValueResolver + 46, // 44: policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest.actions:type_name -> policy.Action + 21, // 45: policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest.new_subject_condition_set:type_name -> policy.subjectmapping.SubjectConditionSetCreate + 47, // 46: policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest.metadata:type_name -> common.MetadataMutable + 51, // 47: policy.subjectmapping.CreateDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> policy.DefinitionValueEntitlementMapping + 52, // 48: policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest.value_resolver:type_name -> policy.DefinitionValueResolver + 46, // 49: policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest.actions:type_name -> policy.Action + 47, // 50: policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest.metadata:type_name -> 
common.MetadataMutable + 48, // 51: policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 51, // 52: policy.subjectmapping.UpdateDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> policy.DefinitionValueEntitlementMapping + 51, // 53: policy.subjectmapping.DeleteDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> policy.DefinitionValueEntitlementMapping + 3, // 54: policy.subjectmapping.SubjectMappingService.MatchSubjectMappings:input_type -> policy.subjectmapping.MatchSubjectMappingsRequest + 8, // 55: policy.subjectmapping.SubjectMappingService.ListSubjectMappings:input_type -> policy.subjectmapping.ListSubjectMappingsRequest + 5, // 56: policy.subjectmapping.SubjectMappingService.GetSubjectMapping:input_type -> policy.subjectmapping.GetSubjectMappingRequest + 10, // 57: policy.subjectmapping.SubjectMappingService.CreateSubjectMapping:input_type -> policy.subjectmapping.CreateSubjectMappingRequest + 12, // 58: policy.subjectmapping.SubjectMappingService.UpdateSubjectMapping:input_type -> policy.subjectmapping.UpdateSubjectMappingRequest + 14, // 59: policy.subjectmapping.SubjectMappingService.DeleteSubjectMapping:input_type -> policy.subjectmapping.DeleteSubjectMappingRequest + 19, // 60: policy.subjectmapping.SubjectMappingService.ListSubjectConditionSets:input_type -> policy.subjectmapping.ListSubjectConditionSetsRequest + 16, // 61: policy.subjectmapping.SubjectMappingService.GetSubjectConditionSet:input_type -> policy.subjectmapping.GetSubjectConditionSetRequest + 22, // 62: policy.subjectmapping.SubjectMappingService.CreateSubjectConditionSet:input_type -> policy.subjectmapping.CreateSubjectConditionSetRequest + 24, // 63: policy.subjectmapping.SubjectMappingService.UpdateSubjectConditionSet:input_type -> policy.subjectmapping.UpdateSubjectConditionSetRequest + 26, // 64: 
policy.subjectmapping.SubjectMappingService.DeleteSubjectConditionSet:input_type -> policy.subjectmapping.DeleteSubjectConditionSetRequest + 28, // 65: policy.subjectmapping.SubjectMappingService.DeleteAllUnmappedSubjectConditionSets:input_type -> policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest + 33, // 66: policy.subjectmapping.SubjectMappingService.ListDefinitionValueEntitlementMappings:input_type -> policy.subjectmapping.ListDefinitionValueEntitlementMappingsRequest + 30, // 67: policy.subjectmapping.SubjectMappingService.GetDefinitionValueEntitlementMapping:input_type -> policy.subjectmapping.GetDefinitionValueEntitlementMappingRequest + 35, // 68: policy.subjectmapping.SubjectMappingService.CreateDefinitionValueEntitlementMapping:input_type -> policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest + 37, // 69: policy.subjectmapping.SubjectMappingService.UpdateDefinitionValueEntitlementMapping:input_type -> policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest + 39, // 70: policy.subjectmapping.SubjectMappingService.DeleteDefinitionValueEntitlementMapping:input_type -> policy.subjectmapping.DeleteDefinitionValueEntitlementMappingRequest + 4, // 71: policy.subjectmapping.SubjectMappingService.MatchSubjectMappings:output_type -> policy.subjectmapping.MatchSubjectMappingsResponse + 9, // 72: policy.subjectmapping.SubjectMappingService.ListSubjectMappings:output_type -> policy.subjectmapping.ListSubjectMappingsResponse + 6, // 73: policy.subjectmapping.SubjectMappingService.GetSubjectMapping:output_type -> policy.subjectmapping.GetSubjectMappingResponse + 11, // 74: policy.subjectmapping.SubjectMappingService.CreateSubjectMapping:output_type -> policy.subjectmapping.CreateSubjectMappingResponse + 13, // 75: policy.subjectmapping.SubjectMappingService.UpdateSubjectMapping:output_type -> policy.subjectmapping.UpdateSubjectMappingResponse + 15, // 76: 
policy.subjectmapping.SubjectMappingService.DeleteSubjectMapping:output_type -> policy.subjectmapping.DeleteSubjectMappingResponse + 20, // 77: policy.subjectmapping.SubjectMappingService.ListSubjectConditionSets:output_type -> policy.subjectmapping.ListSubjectConditionSetsResponse + 17, // 78: policy.subjectmapping.SubjectMappingService.GetSubjectConditionSet:output_type -> policy.subjectmapping.GetSubjectConditionSetResponse + 23, // 79: policy.subjectmapping.SubjectMappingService.CreateSubjectConditionSet:output_type -> policy.subjectmapping.CreateSubjectConditionSetResponse + 25, // 80: policy.subjectmapping.SubjectMappingService.UpdateSubjectConditionSet:output_type -> policy.subjectmapping.UpdateSubjectConditionSetResponse + 27, // 81: policy.subjectmapping.SubjectMappingService.DeleteSubjectConditionSet:output_type -> policy.subjectmapping.DeleteSubjectConditionSetResponse + 29, // 82: policy.subjectmapping.SubjectMappingService.DeleteAllUnmappedSubjectConditionSets:output_type -> policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse + 34, // 83: policy.subjectmapping.SubjectMappingService.ListDefinitionValueEntitlementMappings:output_type -> policy.subjectmapping.ListDefinitionValueEntitlementMappingsResponse + 31, // 84: policy.subjectmapping.SubjectMappingService.GetDefinitionValueEntitlementMapping:output_type -> policy.subjectmapping.GetDefinitionValueEntitlementMappingResponse + 36, // 85: policy.subjectmapping.SubjectMappingService.CreateDefinitionValueEntitlementMapping:output_type -> policy.subjectmapping.CreateDefinitionValueEntitlementMappingResponse + 38, // 86: policy.subjectmapping.SubjectMappingService.UpdateDefinitionValueEntitlementMapping:output_type -> policy.subjectmapping.UpdateDefinitionValueEntitlementMappingResponse + 40, // 87: policy.subjectmapping.SubjectMappingService.DeleteDefinitionValueEntitlementMapping:output_type -> policy.subjectmapping.DeleteDefinitionValueEntitlementMappingResponse + 71, // [71:88] is the 
sub-list for method output_type + 54, // [54:71] is the sub-list for method input_type + 54, // [54:54] is the sub-list for extension type_name + 54, // [54:54] is the sub-list for extension extendee + 0, // [0:54] is the sub-list for field type_name } func init() { file_policy_subjectmapping_subject_mapping_proto_init() } 
@@ -2569,14 +3665,146 @@ func file_policy_subjectmapping_subject_mapping_proto_init() { return nil } } + file_policy_subjectmapping_subject_mapping_proto_msgTypes[27].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetDefinitionValueEntitlementMappingRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_subjectmapping_subject_mapping_proto_msgTypes[28].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetDefinitionValueEntitlementMappingResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_subjectmapping_subject_mapping_proto_msgTypes[29].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*DefinitionValueEntitlementMappingsSort); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_subjectmapping_subject_mapping_proto_msgTypes[30].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ListDefinitionValueEntitlementMappingsRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_subjectmapping_subject_mapping_proto_msgTypes[31].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ListDefinitionValueEntitlementMappingsResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_subjectmapping_subject_mapping_proto_msgTypes[32].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*CreateDefinitionValueEntitlementMappingRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + 
file_policy_subjectmapping_subject_mapping_proto_msgTypes[33].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*CreateDefinitionValueEntitlementMappingResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_subjectmapping_subject_mapping_proto_msgTypes[34].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*UpdateDefinitionValueEntitlementMappingRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_subjectmapping_subject_mapping_proto_msgTypes[35].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*UpdateDefinitionValueEntitlementMappingResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_subjectmapping_subject_mapping_proto_msgTypes[36].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*DeleteDefinitionValueEntitlementMappingRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_subjectmapping_subject_mapping_proto_msgTypes[37].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*DeleteDefinitionValueEntitlementMappingResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } } type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_policy_subjectmapping_subject_mapping_proto_rawDesc, - NumEnums: 2, - NumMessages: 27, + NumEnums: 3, + NumMessages: 38, NumExtensions: 0, NumServices: 1, }, 
diff --git a/protocol/go/policy/subjectmapping/subject_mapping_grpc.pb.go b/protocol/go/policy/subjectmapping/subject_mapping_grpc.pb.go index 71a4f6e635..2086851938 100644 --- a/protocol/go/policy/subjectmapping/subject_mapping_grpc.pb.go +++ b/protocol/go/policy/subjectmapping/subject_mapping_grpc.pb.go 
@@ -19,18 +19,23 @@ import ( const _ = grpc.SupportPackageIsVersion7 const ( - SubjectMappingService_MatchSubjectMappings_FullMethodName = "/policy.subjectmapping.SubjectMappingService/MatchSubjectMappings" - SubjectMappingService_ListSubjectMappings_FullMethodName = "/policy.subjectmapping.SubjectMappingService/ListSubjectMappings" - SubjectMappingService_GetSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/GetSubjectMapping" - SubjectMappingService_CreateSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/CreateSubjectMapping" - SubjectMappingService_UpdateSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/UpdateSubjectMapping" - SubjectMappingService_DeleteSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/DeleteSubjectMapping" - SubjectMappingService_ListSubjectConditionSets_FullMethodName = "/policy.subjectmapping.SubjectMappingService/ListSubjectConditionSets" - SubjectMappingService_GetSubjectConditionSet_FullMethodName = "/policy.subjectmapping.SubjectMappingService/GetSubjectConditionSet" - SubjectMappingService_CreateSubjectConditionSet_FullMethodName = "/policy.subjectmapping.SubjectMappingService/CreateSubjectConditionSet" - SubjectMappingService_UpdateSubjectConditionSet_FullMethodName = "/policy.subjectmapping.SubjectMappingService/UpdateSubjectConditionSet" - SubjectMappingService_DeleteSubjectConditionSet_FullMethodName = "/policy.subjectmapping.SubjectMappingService/DeleteSubjectConditionSet" - SubjectMappingService_DeleteAllUnmappedSubjectConditionSets_FullMethodName = "/policy.subjectmapping.SubjectMappingService/DeleteAllUnmappedSubjectConditionSets" + SubjectMappingService_MatchSubjectMappings_FullMethodName = "/policy.subjectmapping.SubjectMappingService/MatchSubjectMappings" + SubjectMappingService_ListSubjectMappings_FullMethodName = "/policy.subjectmapping.SubjectMappingService/ListSubjectMappings" + 
SubjectMappingService_GetSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/GetSubjectMapping" + SubjectMappingService_CreateSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/CreateSubjectMapping" + SubjectMappingService_UpdateSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/UpdateSubjectMapping" + SubjectMappingService_DeleteSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/DeleteSubjectMapping" + SubjectMappingService_ListSubjectConditionSets_FullMethodName = "/policy.subjectmapping.SubjectMappingService/ListSubjectConditionSets" + SubjectMappingService_GetSubjectConditionSet_FullMethodName = "/policy.subjectmapping.SubjectMappingService/GetSubjectConditionSet" + SubjectMappingService_CreateSubjectConditionSet_FullMethodName = "/policy.subjectmapping.SubjectMappingService/CreateSubjectConditionSet" + SubjectMappingService_UpdateSubjectConditionSet_FullMethodName = "/policy.subjectmapping.SubjectMappingService/UpdateSubjectConditionSet" + SubjectMappingService_DeleteSubjectConditionSet_FullMethodName = "/policy.subjectmapping.SubjectMappingService/DeleteSubjectConditionSet" + SubjectMappingService_DeleteAllUnmappedSubjectConditionSets_FullMethodName = "/policy.subjectmapping.SubjectMappingService/DeleteAllUnmappedSubjectConditionSets" + SubjectMappingService_ListDefinitionValueEntitlementMappings_FullMethodName = "/policy.subjectmapping.SubjectMappingService/ListDefinitionValueEntitlementMappings" + SubjectMappingService_GetDefinitionValueEntitlementMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/GetDefinitionValueEntitlementMapping" + SubjectMappingService_CreateDefinitionValueEntitlementMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/CreateDefinitionValueEntitlementMapping" + SubjectMappingService_UpdateDefinitionValueEntitlementMapping_FullMethodName = 
"/policy.subjectmapping.SubjectMappingService/UpdateDefinitionValueEntitlementMapping" + SubjectMappingService_DeleteDefinitionValueEntitlementMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/DeleteDefinitionValueEntitlementMapping" ) // SubjectMappingServiceClient is the client API for SubjectMappingService service. @@ -50,6 +55,11 @@ type SubjectMappingServiceClient interface { UpdateSubjectConditionSet(ctx context.Context, in *UpdateSubjectConditionSetRequest, opts ...grpc.CallOption) (*UpdateSubjectConditionSetResponse, error) DeleteSubjectConditionSet(ctx context.Context, in *DeleteSubjectConditionSetRequest, opts ...grpc.CallOption) (*DeleteSubjectConditionSetResponse, error) DeleteAllUnmappedSubjectConditionSets(ctx context.Context, in *DeleteAllUnmappedSubjectConditionSetsRequest, opts ...grpc.CallOption) (*DeleteAllUnmappedSubjectConditionSetsResponse, error) + ListDefinitionValueEntitlementMappings(ctx context.Context, in *ListDefinitionValueEntitlementMappingsRequest, opts ...grpc.CallOption) (*ListDefinitionValueEntitlementMappingsResponse, error) + GetDefinitionValueEntitlementMapping(ctx context.Context, in *GetDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*GetDefinitionValueEntitlementMappingResponse, error) + CreateDefinitionValueEntitlementMapping(ctx context.Context, in *CreateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*CreateDefinitionValueEntitlementMappingResponse, error) + UpdateDefinitionValueEntitlementMapping(ctx context.Context, in *UpdateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*UpdateDefinitionValueEntitlementMappingResponse, error) + DeleteDefinitionValueEntitlementMapping(ctx context.Context, in *DeleteDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*DeleteDefinitionValueEntitlementMappingResponse, error) } type subjectMappingServiceClient struct { 
@@ -168,6 +178,51 @@ func (c *subjectMappingServiceClient) DeleteAllUnmappedSubjectConditionSets(ctx return out, nil } +func (c *subjectMappingServiceClient) ListDefinitionValueEntitlementMappings(ctx context.Context, in *ListDefinitionValueEntitlementMappingsRequest, opts ...grpc.CallOption) (*ListDefinitionValueEntitlementMappingsResponse, error) { + out := new(ListDefinitionValueEntitlementMappingsResponse) + err := c.cc.Invoke(ctx, SubjectMappingService_ListDefinitionValueEntitlementMappings_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *subjectMappingServiceClient) GetDefinitionValueEntitlementMapping(ctx context.Context, in *GetDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*GetDefinitionValueEntitlementMappingResponse, error) { + out := new(GetDefinitionValueEntitlementMappingResponse) + err := c.cc.Invoke(ctx, SubjectMappingService_GetDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *subjectMappingServiceClient) CreateDefinitionValueEntitlementMapping(ctx context.Context, in *CreateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*CreateDefinitionValueEntitlementMappingResponse, error) { + out := new(CreateDefinitionValueEntitlementMappingResponse) + err := c.cc.Invoke(ctx, SubjectMappingService_CreateDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *subjectMappingServiceClient) UpdateDefinitionValueEntitlementMapping(ctx context.Context, in *UpdateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*UpdateDefinitionValueEntitlementMappingResponse, error) { + out := new(UpdateDefinitionValueEntitlementMappingResponse) + err := c.cc.Invoke(ctx, SubjectMappingService_UpdateDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) 
+ if err != nil { + return nil, err + } + return out, nil +} + +func (c *subjectMappingServiceClient) DeleteDefinitionValueEntitlementMapping(ctx context.Context, in *DeleteDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*DeleteDefinitionValueEntitlementMappingResponse, error) { + out := new(DeleteDefinitionValueEntitlementMappingResponse) + err := c.cc.Invoke(ctx, SubjectMappingService_DeleteDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + // SubjectMappingServiceServer is the server API for SubjectMappingService service. // All implementations must embed UnimplementedSubjectMappingServiceServer // for forward compatibility 
@@ -185,6 +240,11 @@ type SubjectMappingServiceServer interface { UpdateSubjectConditionSet(context.Context, *UpdateSubjectConditionSetRequest) (*UpdateSubjectConditionSetResponse, error) DeleteSubjectConditionSet(context.Context, *DeleteSubjectConditionSetRequest) (*DeleteSubjectConditionSetResponse, error) DeleteAllUnmappedSubjectConditionSets(context.Context, *DeleteAllUnmappedSubjectConditionSetsRequest) (*DeleteAllUnmappedSubjectConditionSetsResponse, error) + ListDefinitionValueEntitlementMappings(context.Context, *ListDefinitionValueEntitlementMappingsRequest) (*ListDefinitionValueEntitlementMappingsResponse, error) + GetDefinitionValueEntitlementMapping(context.Context, *GetDefinitionValueEntitlementMappingRequest) (*GetDefinitionValueEntitlementMappingResponse, error) + CreateDefinitionValueEntitlementMapping(context.Context, *CreateDefinitionValueEntitlementMappingRequest) (*CreateDefinitionValueEntitlementMappingResponse, error) + UpdateDefinitionValueEntitlementMapping(context.Context, *UpdateDefinitionValueEntitlementMappingRequest) (*UpdateDefinitionValueEntitlementMappingResponse, error) + DeleteDefinitionValueEntitlementMapping(context.Context, *DeleteDefinitionValueEntitlementMappingRequest) (*DeleteDefinitionValueEntitlementMappingResponse, error) mustEmbedUnimplementedSubjectMappingServiceServer() } 
@@ -228,6 +288,21 @@ func (UnimplementedSubjectMappingServiceServer) DeleteSubjectConditionSet(contex func (UnimplementedSubjectMappingServiceServer) DeleteAllUnmappedSubjectConditionSets(context.Context, *DeleteAllUnmappedSubjectConditionSetsRequest) (*DeleteAllUnmappedSubjectConditionSetsResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method DeleteAllUnmappedSubjectConditionSets not implemented") } +func (UnimplementedSubjectMappingServiceServer) ListDefinitionValueEntitlementMappings(context.Context, *ListDefinitionValueEntitlementMappingsRequest) (*ListDefinitionValueEntitlementMappingsResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method ListDefinitionValueEntitlementMappings not implemented") +} +func (UnimplementedSubjectMappingServiceServer) GetDefinitionValueEntitlementMapping(context.Context, *GetDefinitionValueEntitlementMappingRequest) (*GetDefinitionValueEntitlementMappingResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method GetDefinitionValueEntitlementMapping not implemented") +} +func (UnimplementedSubjectMappingServiceServer) CreateDefinitionValueEntitlementMapping(context.Context, *CreateDefinitionValueEntitlementMappingRequest) (*CreateDefinitionValueEntitlementMappingResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method CreateDefinitionValueEntitlementMapping not implemented") +} +func (UnimplementedSubjectMappingServiceServer) UpdateDefinitionValueEntitlementMapping(context.Context, *UpdateDefinitionValueEntitlementMappingRequest) (*UpdateDefinitionValueEntitlementMappingResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method UpdateDefinitionValueEntitlementMapping not implemented") +} +func (UnimplementedSubjectMappingServiceServer) DeleteDefinitionValueEntitlementMapping(context.Context, *DeleteDefinitionValueEntitlementMappingRequest) (*DeleteDefinitionValueEntitlementMappingResponse, error) { + return nil, 
status.Errorf(codes.Unimplemented, "method DeleteDefinitionValueEntitlementMapping not implemented") +} func (UnimplementedSubjectMappingServiceServer) mustEmbedUnimplementedSubjectMappingServiceServer() {} // UnsafeSubjectMappingServiceServer may be embedded to opt out of forward compatibility for this service. 
@@ -457,6 +532,96 @@ func _SubjectMappingService_DeleteAllUnmappedSubjectConditionSets_Handler(srv in return interceptor(ctx, in, info, handler) } +func _SubjectMappingService_ListDefinitionValueEntitlementMappings_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(ListDefinitionValueEntitlementMappingsRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(SubjectMappingServiceServer).ListDefinitionValueEntitlementMappings(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: SubjectMappingService_ListDefinitionValueEntitlementMappings_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SubjectMappingServiceServer).ListDefinitionValueEntitlementMappings(ctx, req.(*ListDefinitionValueEntitlementMappingsRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _SubjectMappingService_GetDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(GetDefinitionValueEntitlementMappingRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(SubjectMappingServiceServer).GetDefinitionValueEntitlementMapping(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: SubjectMappingService_GetDefinitionValueEntitlementMapping_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SubjectMappingServiceServer).GetDefinitionValueEntitlementMapping(ctx, req.(*GetDefinitionValueEntitlementMappingRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _SubjectMappingService_CreateDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, 
interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(CreateDefinitionValueEntitlementMappingRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(SubjectMappingServiceServer).CreateDefinitionValueEntitlementMapping(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: SubjectMappingService_CreateDefinitionValueEntitlementMapping_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SubjectMappingServiceServer).CreateDefinitionValueEntitlementMapping(ctx, req.(*CreateDefinitionValueEntitlementMappingRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _SubjectMappingService_UpdateDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(UpdateDefinitionValueEntitlementMappingRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(SubjectMappingServiceServer).UpdateDefinitionValueEntitlementMapping(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: SubjectMappingService_UpdateDefinitionValueEntitlementMapping_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SubjectMappingServiceServer).UpdateDefinitionValueEntitlementMapping(ctx, req.(*UpdateDefinitionValueEntitlementMappingRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _SubjectMappingService_DeleteDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(DeleteDefinitionValueEntitlementMappingRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return 
srv.(SubjectMappingServiceServer).DeleteDefinitionValueEntitlementMapping(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: SubjectMappingService_DeleteDefinitionValueEntitlementMapping_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SubjectMappingServiceServer).DeleteDefinitionValueEntitlementMapping(ctx, req.(*DeleteDefinitionValueEntitlementMappingRequest)) + } + return interceptor(ctx, in, info, handler) +} + // SubjectMappingService_ServiceDesc is the grpc.ServiceDesc for SubjectMappingService service. // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) @@ -512,6 +677,26 @@ var SubjectMappingService_ServiceDesc = grpc.ServiceDesc{ MethodName: "DeleteAllUnmappedSubjectConditionSets", Handler: _SubjectMappingService_DeleteAllUnmappedSubjectConditionSets_Handler, }, + { + MethodName: "ListDefinitionValueEntitlementMappings", + Handler: _SubjectMappingService_ListDefinitionValueEntitlementMappings_Handler, + }, + { + MethodName: "GetDefinitionValueEntitlementMapping", + Handler: _SubjectMappingService_GetDefinitionValueEntitlementMapping_Handler, + }, + { + MethodName: "CreateDefinitionValueEntitlementMapping", + Handler: _SubjectMappingService_CreateDefinitionValueEntitlementMapping_Handler, + }, + { + MethodName: "UpdateDefinitionValueEntitlementMapping", + Handler: _SubjectMappingService_UpdateDefinitionValueEntitlementMapping_Handler, + }, + { + MethodName: "DeleteDefinitionValueEntitlementMapping", + Handler: _SubjectMappingService_DeleteDefinitionValueEntitlementMapping_Handler, + }, }, Streams: []grpc.StreamDesc{}, Metadata: "policy/subjectmapping/subject_mapping.proto", diff --git a/protocol/go/policy/subjectmapping/subjectmappingconnect/subject_mapping.connect.go b/protocol/go/policy/subjectmapping/subjectmappingconnect/subject_mapping.connect.go index 0838829b23..11bd2abc9f 100644 
--- a/protocol/go/policy/subjectmapping/subjectmappingconnect/subject_mapping.connect.go +++ b/protocol/go/policy/subjectmapping/subjectmappingconnect/subject_mapping.connect.go 
@@ -69,6 +69,21 @@ const ( // SubjectMappingServiceDeleteAllUnmappedSubjectConditionSetsProcedure is the fully-qualified name // of the SubjectMappingService's DeleteAllUnmappedSubjectConditionSets RPC. SubjectMappingServiceDeleteAllUnmappedSubjectConditionSetsProcedure = "/policy.subjectmapping.SubjectMappingService/DeleteAllUnmappedSubjectConditionSets" + // SubjectMappingServiceListDefinitionValueEntitlementMappingsProcedure is the fully-qualified name + // of the SubjectMappingService's ListDefinitionValueEntitlementMappings RPC. + SubjectMappingServiceListDefinitionValueEntitlementMappingsProcedure = "/policy.subjectmapping.SubjectMappingService/ListDefinitionValueEntitlementMappings" + // SubjectMappingServiceGetDefinitionValueEntitlementMappingProcedure is the fully-qualified name of + // the SubjectMappingService's GetDefinitionValueEntitlementMapping RPC. + SubjectMappingServiceGetDefinitionValueEntitlementMappingProcedure = "/policy.subjectmapping.SubjectMappingService/GetDefinitionValueEntitlementMapping" + // SubjectMappingServiceCreateDefinitionValueEntitlementMappingProcedure is the fully-qualified name + // of the SubjectMappingService's CreateDefinitionValueEntitlementMapping RPC. + SubjectMappingServiceCreateDefinitionValueEntitlementMappingProcedure = "/policy.subjectmapping.SubjectMappingService/CreateDefinitionValueEntitlementMapping" + // SubjectMappingServiceUpdateDefinitionValueEntitlementMappingProcedure is the fully-qualified name + // of the SubjectMappingService's UpdateDefinitionValueEntitlementMapping RPC. + SubjectMappingServiceUpdateDefinitionValueEntitlementMappingProcedure = "/policy.subjectmapping.SubjectMappingService/UpdateDefinitionValueEntitlementMapping" + // SubjectMappingServiceDeleteDefinitionValueEntitlementMappingProcedure is the fully-qualified name + // of the SubjectMappingService's DeleteDefinitionValueEntitlementMapping RPC. 
+ SubjectMappingServiceDeleteDefinitionValueEntitlementMappingProcedure = "/policy.subjectmapping.SubjectMappingService/DeleteDefinitionValueEntitlementMapping" ) // SubjectMappingServiceClient is a client for the policy.subjectmapping.SubjectMappingService 
@@ -87,6 +102,11 @@ type SubjectMappingServiceClient interface { UpdateSubjectConditionSet(context.Context, *connect.Request[subjectmapping.UpdateSubjectConditionSetRequest]) (*connect.Response[subjectmapping.UpdateSubjectConditionSetResponse], error) DeleteSubjectConditionSet(context.Context, *connect.Request[subjectmapping.DeleteSubjectConditionSetRequest]) (*connect.Response[subjectmapping.DeleteSubjectConditionSetResponse], error) DeleteAllUnmappedSubjectConditionSets(context.Context, *connect.Request[subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest]) (*connect.Response[subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse], error) + ListDefinitionValueEntitlementMappings(context.Context, *connect.Request[subjectmapping.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[subjectmapping.ListDefinitionValueEntitlementMappingsResponse], error) + GetDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.GetDefinitionValueEntitlementMappingResponse], error) + CreateDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.CreateDefinitionValueEntitlementMappingResponse], error) + UpdateDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.UpdateDefinitionValueEntitlementMappingResponse], error) + DeleteDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.DeleteDefinitionValueEntitlementMappingResponse], error) } // NewSubjectMappingServiceClient constructs a client for the 
@@ -177,23 +197,60 @@ func NewSubjectMappingServiceClient(httpClient connect.HTTPClient, baseURL strin connect.WithSchema(subjectMappingServiceMethods.ByName("DeleteAllUnmappedSubjectConditionSets")), connect.WithClientOptions(opts...), ), + listDefinitionValueEntitlementMappings: connect.NewClient[subjectmapping.ListDefinitionValueEntitlementMappingsRequest, subjectmapping.ListDefinitionValueEntitlementMappingsResponse]( + httpClient, + baseURL+SubjectMappingServiceListDefinitionValueEntitlementMappingsProcedure, + connect.WithSchema(subjectMappingServiceMethods.ByName("ListDefinitionValueEntitlementMappings")), + connect.WithIdempotency(connect.IdempotencyNoSideEffects), + connect.WithClientOptions(opts...), + ), + getDefinitionValueEntitlementMapping: connect.NewClient[subjectmapping.GetDefinitionValueEntitlementMappingRequest, subjectmapping.GetDefinitionValueEntitlementMappingResponse]( + httpClient, + baseURL+SubjectMappingServiceGetDefinitionValueEntitlementMappingProcedure, + connect.WithSchema(subjectMappingServiceMethods.ByName("GetDefinitionValueEntitlementMapping")), + connect.WithIdempotency(connect.IdempotencyNoSideEffects), + connect.WithClientOptions(opts...), + ), + createDefinitionValueEntitlementMapping: connect.NewClient[subjectmapping.CreateDefinitionValueEntitlementMappingRequest, subjectmapping.CreateDefinitionValueEntitlementMappingResponse]( + httpClient, + baseURL+SubjectMappingServiceCreateDefinitionValueEntitlementMappingProcedure, + connect.WithSchema(subjectMappingServiceMethods.ByName("CreateDefinitionValueEntitlementMapping")), + connect.WithClientOptions(opts...), + ), + updateDefinitionValueEntitlementMapping: connect.NewClient[subjectmapping.UpdateDefinitionValueEntitlementMappingRequest, subjectmapping.UpdateDefinitionValueEntitlementMappingResponse]( + httpClient, + baseURL+SubjectMappingServiceUpdateDefinitionValueEntitlementMappingProcedure, + 
connect.WithSchema(subjectMappingServiceMethods.ByName("UpdateDefinitionValueEntitlementMapping")), + connect.WithClientOptions(opts...), + ), + deleteDefinitionValueEntitlementMapping: connect.NewClient[subjectmapping.DeleteDefinitionValueEntitlementMappingRequest, subjectmapping.DeleteDefinitionValueEntitlementMappingResponse]( + httpClient, + baseURL+SubjectMappingServiceDeleteDefinitionValueEntitlementMappingProcedure, + connect.WithSchema(subjectMappingServiceMethods.ByName("DeleteDefinitionValueEntitlementMapping")), + connect.WithClientOptions(opts...), + ), } } // subjectMappingServiceClient implements SubjectMappingServiceClient. type subjectMappingServiceClient struct { - matchSubjectMappings *connect.Client[subjectmapping.MatchSubjectMappingsRequest, subjectmapping.MatchSubjectMappingsResponse] - listSubjectMappings *connect.Client[subjectmapping.ListSubjectMappingsRequest, subjectmapping.ListSubjectMappingsResponse] - getSubjectMapping *connect.Client[subjectmapping.GetSubjectMappingRequest, subjectmapping.GetSubjectMappingResponse] - createSubjectMapping *connect.Client[subjectmapping.CreateSubjectMappingRequest, subjectmapping.CreateSubjectMappingResponse] - updateSubjectMapping *connect.Client[subjectmapping.UpdateSubjectMappingRequest, subjectmapping.UpdateSubjectMappingResponse] - deleteSubjectMapping *connect.Client[subjectmapping.DeleteSubjectMappingRequest, subjectmapping.DeleteSubjectMappingResponse] - listSubjectConditionSets *connect.Client[subjectmapping.ListSubjectConditionSetsRequest, subjectmapping.ListSubjectConditionSetsResponse] - getSubjectConditionSet *connect.Client[subjectmapping.GetSubjectConditionSetRequest, subjectmapping.GetSubjectConditionSetResponse] - createSubjectConditionSet *connect.Client[subjectmapping.CreateSubjectConditionSetRequest, subjectmapping.CreateSubjectConditionSetResponse] - updateSubjectConditionSet *connect.Client[subjectmapping.UpdateSubjectConditionSetRequest, 
subjectmapping.UpdateSubjectConditionSetResponse] - deleteSubjectConditionSet *connect.Client[subjectmapping.DeleteSubjectConditionSetRequest, subjectmapping.DeleteSubjectConditionSetResponse] - deleteAllUnmappedSubjectConditionSets *connect.Client[subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest, subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse] + matchSubjectMappings *connect.Client[subjectmapping.MatchSubjectMappingsRequest, subjectmapping.MatchSubjectMappingsResponse] + listSubjectMappings *connect.Client[subjectmapping.ListSubjectMappingsRequest, subjectmapping.ListSubjectMappingsResponse] + getSubjectMapping *connect.Client[subjectmapping.GetSubjectMappingRequest, subjectmapping.GetSubjectMappingResponse] + createSubjectMapping *connect.Client[subjectmapping.CreateSubjectMappingRequest, subjectmapping.CreateSubjectMappingResponse] + updateSubjectMapping *connect.Client[subjectmapping.UpdateSubjectMappingRequest, subjectmapping.UpdateSubjectMappingResponse] + deleteSubjectMapping *connect.Client[subjectmapping.DeleteSubjectMappingRequest, subjectmapping.DeleteSubjectMappingResponse] + listSubjectConditionSets *connect.Client[subjectmapping.ListSubjectConditionSetsRequest, subjectmapping.ListSubjectConditionSetsResponse] + getSubjectConditionSet *connect.Client[subjectmapping.GetSubjectConditionSetRequest, subjectmapping.GetSubjectConditionSetResponse] + createSubjectConditionSet *connect.Client[subjectmapping.CreateSubjectConditionSetRequest, subjectmapping.CreateSubjectConditionSetResponse] + updateSubjectConditionSet *connect.Client[subjectmapping.UpdateSubjectConditionSetRequest, subjectmapping.UpdateSubjectConditionSetResponse] + deleteSubjectConditionSet *connect.Client[subjectmapping.DeleteSubjectConditionSetRequest, subjectmapping.DeleteSubjectConditionSetResponse] + deleteAllUnmappedSubjectConditionSets *connect.Client[subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest, 
subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse] + listDefinitionValueEntitlementMappings *connect.Client[subjectmapping.ListDefinitionValueEntitlementMappingsRequest, subjectmapping.ListDefinitionValueEntitlementMappingsResponse] + getDefinitionValueEntitlementMapping *connect.Client[subjectmapping.GetDefinitionValueEntitlementMappingRequest, subjectmapping.GetDefinitionValueEntitlementMappingResponse] + createDefinitionValueEntitlementMapping *connect.Client[subjectmapping.CreateDefinitionValueEntitlementMappingRequest, subjectmapping.CreateDefinitionValueEntitlementMappingResponse] + updateDefinitionValueEntitlementMapping *connect.Client[subjectmapping.UpdateDefinitionValueEntitlementMappingRequest, subjectmapping.UpdateDefinitionValueEntitlementMappingResponse] + deleteDefinitionValueEntitlementMapping *connect.Client[subjectmapping.DeleteDefinitionValueEntitlementMappingRequest, subjectmapping.DeleteDefinitionValueEntitlementMappingResponse] } // MatchSubjectMappings calls policy.subjectmapping.SubjectMappingService.MatchSubjectMappings. 
@@ -261,6 +318,36 @@ func (c *subjectMappingServiceClient) DeleteAllUnmappedSubjectConditionSets(ctx return c.deleteAllUnmappedSubjectConditionSets.CallUnary(ctx, req) } +// ListDefinitionValueEntitlementMappings calls +// policy.subjectmapping.SubjectMappingService.ListDefinitionValueEntitlementMappings. +func (c *subjectMappingServiceClient) ListDefinitionValueEntitlementMappings(ctx context.Context, req *connect.Request[subjectmapping.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[subjectmapping.ListDefinitionValueEntitlementMappingsResponse], error) { + return c.listDefinitionValueEntitlementMappings.CallUnary(ctx, req) +} + +// GetDefinitionValueEntitlementMapping calls +// policy.subjectmapping.SubjectMappingService.GetDefinitionValueEntitlementMapping. +func (c *subjectMappingServiceClient) GetDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[subjectmapping.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.GetDefinitionValueEntitlementMappingResponse], error) { + return c.getDefinitionValueEntitlementMapping.CallUnary(ctx, req) +} + +// CreateDefinitionValueEntitlementMapping calls +// policy.subjectmapping.SubjectMappingService.CreateDefinitionValueEntitlementMapping. +func (c *subjectMappingServiceClient) CreateDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[subjectmapping.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.CreateDefinitionValueEntitlementMappingResponse], error) { + return c.createDefinitionValueEntitlementMapping.CallUnary(ctx, req) +} + +// UpdateDefinitionValueEntitlementMapping calls +// policy.subjectmapping.SubjectMappingService.UpdateDefinitionValueEntitlementMapping. 
+func (c *subjectMappingServiceClient) UpdateDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[subjectmapping.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.UpdateDefinitionValueEntitlementMappingResponse], error) { + return c.updateDefinitionValueEntitlementMapping.CallUnary(ctx, req) +} + +// DeleteDefinitionValueEntitlementMapping calls +// policy.subjectmapping.SubjectMappingService.DeleteDefinitionValueEntitlementMapping. +func (c *subjectMappingServiceClient) DeleteDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[subjectmapping.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.DeleteDefinitionValueEntitlementMappingResponse], error) { + return c.deleteDefinitionValueEntitlementMapping.CallUnary(ctx, req) +} + // SubjectMappingServiceHandler is an implementation of the // policy.subjectmapping.SubjectMappingService service. type SubjectMappingServiceHandler interface { 
@@ -277,6 +364,11 @@ type SubjectMappingServiceHandler interface { UpdateSubjectConditionSet(context.Context, *connect.Request[subjectmapping.UpdateSubjectConditionSetRequest]) (*connect.Response[subjectmapping.UpdateSubjectConditionSetResponse], error) DeleteSubjectConditionSet(context.Context, *connect.Request[subjectmapping.DeleteSubjectConditionSetRequest]) (*connect.Response[subjectmapping.DeleteSubjectConditionSetResponse], error) DeleteAllUnmappedSubjectConditionSets(context.Context, *connect.Request[subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest]) (*connect.Response[subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse], error) + ListDefinitionValueEntitlementMappings(context.Context, *connect.Request[subjectmapping.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[subjectmapping.ListDefinitionValueEntitlementMappingsResponse], error) + GetDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.GetDefinitionValueEntitlementMappingResponse], error) + CreateDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.CreateDefinitionValueEntitlementMappingResponse], error) + UpdateDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.UpdateDefinitionValueEntitlementMappingResponse], error) + DeleteDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.DeleteDefinitionValueEntitlementMappingResponse], error) } // NewSubjectMappingServiceHandler builds an HTTP handler from the service implementation. It 
@@ -362,6 +454,38 @@ func NewSubjectMappingServiceHandler(svc SubjectMappingServiceHandler, opts ...c connect.WithSchema(subjectMappingServiceMethods.ByName("DeleteAllUnmappedSubjectConditionSets")), connect.WithHandlerOptions(opts...), ) + subjectMappingServiceListDefinitionValueEntitlementMappingsHandler := connect.NewUnaryHandler( + SubjectMappingServiceListDefinitionValueEntitlementMappingsProcedure, + svc.ListDefinitionValueEntitlementMappings, + connect.WithSchema(subjectMappingServiceMethods.ByName("ListDefinitionValueEntitlementMappings")), + connect.WithIdempotency(connect.IdempotencyNoSideEffects), + connect.WithHandlerOptions(opts...), + ) + subjectMappingServiceGetDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( + SubjectMappingServiceGetDefinitionValueEntitlementMappingProcedure, + svc.GetDefinitionValueEntitlementMapping, + connect.WithSchema(subjectMappingServiceMethods.ByName("GetDefinitionValueEntitlementMapping")), + connect.WithIdempotency(connect.IdempotencyNoSideEffects), + connect.WithHandlerOptions(opts...), + ) + subjectMappingServiceCreateDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( + SubjectMappingServiceCreateDefinitionValueEntitlementMappingProcedure, + svc.CreateDefinitionValueEntitlementMapping, + connect.WithSchema(subjectMappingServiceMethods.ByName("CreateDefinitionValueEntitlementMapping")), + connect.WithHandlerOptions(opts...), + ) + subjectMappingServiceUpdateDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( + SubjectMappingServiceUpdateDefinitionValueEntitlementMappingProcedure, + svc.UpdateDefinitionValueEntitlementMapping, + connect.WithSchema(subjectMappingServiceMethods.ByName("UpdateDefinitionValueEntitlementMapping")), + connect.WithHandlerOptions(opts...), + ) + subjectMappingServiceDeleteDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( + SubjectMappingServiceDeleteDefinitionValueEntitlementMappingProcedure, + 
svc.DeleteDefinitionValueEntitlementMapping, + connect.WithSchema(subjectMappingServiceMethods.ByName("DeleteDefinitionValueEntitlementMapping")), + connect.WithHandlerOptions(opts...), + ) return "/policy.subjectmapping.SubjectMappingService/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { switch r.URL.Path { case SubjectMappingServiceMatchSubjectMappingsProcedure: @@ -388,6 +512,16 @@ func NewSubjectMappingServiceHandler(svc SubjectMappingServiceHandler, opts ...c subjectMappingServiceDeleteSubjectConditionSetHandler.ServeHTTP(w, r) case SubjectMappingServiceDeleteAllUnmappedSubjectConditionSetsProcedure: subjectMappingServiceDeleteAllUnmappedSubjectConditionSetsHandler.ServeHTTP(w, r) + case SubjectMappingServiceListDefinitionValueEntitlementMappingsProcedure: + subjectMappingServiceListDefinitionValueEntitlementMappingsHandler.ServeHTTP(w, r) + case SubjectMappingServiceGetDefinitionValueEntitlementMappingProcedure: + subjectMappingServiceGetDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) + case SubjectMappingServiceCreateDefinitionValueEntitlementMappingProcedure: + subjectMappingServiceCreateDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) + case SubjectMappingServiceUpdateDefinitionValueEntitlementMappingProcedure: + subjectMappingServiceUpdateDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) + case SubjectMappingServiceDeleteDefinitionValueEntitlementMappingProcedure: + subjectMappingServiceDeleteDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) default: http.NotFound(w, r) } 
@@ -444,3 +578,23 @@ func (UnimplementedSubjectMappingServiceHandler) DeleteSubjectConditionSet(conte func (UnimplementedSubjectMappingServiceHandler) DeleteAllUnmappedSubjectConditionSets(context.Context, *connect.Request[subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest]) (*connect.Response[subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse], error) { return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.subjectmapping.SubjectMappingService.DeleteAllUnmappedSubjectConditionSets is not implemented")) } + +func (UnimplementedSubjectMappingServiceHandler) ListDefinitionValueEntitlementMappings(context.Context, *connect.Request[subjectmapping.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[subjectmapping.ListDefinitionValueEntitlementMappingsResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.subjectmapping.SubjectMappingService.ListDefinitionValueEntitlementMappings is not implemented")) +} + +func (UnimplementedSubjectMappingServiceHandler) GetDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.GetDefinitionValueEntitlementMappingResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.subjectmapping.SubjectMappingService.GetDefinitionValueEntitlementMapping is not implemented")) +} + +func (UnimplementedSubjectMappingServiceHandler) CreateDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.CreateDefinitionValueEntitlementMappingResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.subjectmapping.SubjectMappingService.CreateDefinitionValueEntitlementMapping is not implemented")) +} + +func (UnimplementedSubjectMappingServiceHandler) 
UpdateDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.UpdateDefinitionValueEntitlementMappingResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.subjectmapping.SubjectMappingService.UpdateDefinitionValueEntitlementMapping is not implemented")) +} + +func (UnimplementedSubjectMappingServiceHandler) DeleteDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.DeleteDefinitionValueEntitlementMappingResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.subjectmapping.SubjectMappingService.DeleteDefinitionValueEntitlementMapping is not implemented")) +} diff --git a/sdk/codegen/main.go b/sdk/codegen/main.go index 457c791c7e..f917a9e5fc 100644 --- a/sdk/codegen/main.go +++ b/sdk/codegen/main.go @@ -66,10 +66,6 @@ var clientsToGenerateList = []runner.ClientsToGenerate{ GrpcClientInterface: "SubjectMappingServiceClient", GrpcPackagePath: "github.com/opentdf/platform/protocol/go/policy/subjectmapping", }, - { - GrpcClientInterface: "DefinitionValueEntitlementMappingServiceClient", - GrpcPackagePath: "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement", - }, { GrpcClientInterface: "UnsafeServiceClient", GrpcPackagePath: "github.com/opentdf/platform/protocol/go/policy/unsafe", diff --git a/sdk/sdk.go b/sdk/sdk.go index c31f643e1a..2b9bbca965 100644 --- a/sdk/sdk.go +++ b/sdk/sdk.go 
@@ -96,7 +96,6 @@ type SDK struct { RegisteredResources sdkconnect.RegisteredResourcesServiceClient ResourceMapping sdkconnect.ResourceMappingServiceClient SubjectMapping sdkconnect.SubjectMappingServiceClient - DefinitionValueEntitlementMapping sdkconnect.DefinitionValueEntitlementMappingServiceClient Unsafe sdkconnect.UnsafeServiceClient KeyManagement sdkconnect.KeyManagementServiceClient wellknownConfiguration sdkconnect.WellKnownServiceClient @@ -230,7 +229,6 @@ func New(platformEndpoint string, opts ...Option) (*SDK, error) { RegisteredResources: sdkconnect.NewRegisteredResourcesServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), ResourceMapping: sdkconnect.NewResourceMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), SubjectMapping: sdkconnect.NewSubjectMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - DefinitionValueEntitlementMapping: sdkconnect.NewDefinitionValueEntitlementMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), Unsafe: sdkconnect.NewUnsafeServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), KeyAccessServerRegistry: sdkconnect.NewKeyAccessServerRegistryServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), Authorization: sdkconnect.NewAuthorizationServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), diff --git a/sdk/sdkconnect/definitionvalueentitlement.go b/sdk/sdkconnect/definitionvalueentitlement.go deleted file mode 100644 index f52ed58f03..0000000000 --- a/sdk/sdkconnect/definitionvalueentitlement.go +++ /dev/null 
@@ -1,70 +0,0 @@ -// Wrapper for DefinitionValueEntitlementMappingServiceClient (generated code) DO NOT EDIT -package sdkconnect - -import ( - "connectrpc.com/connect" - "context" - "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement" - "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement/definitionvalueentitlementconnect" -) - -type DefinitionValueEntitlementMappingServiceClientConnectWrapper struct { - definitionvalueentitlementconnect.DefinitionValueEntitlementMappingServiceClient -} - -func NewDefinitionValueEntitlementMappingServiceClientConnectWrapper(httpClient connect.HTTPClient, baseURL string, opts ...connect.ClientOption) *DefinitionValueEntitlementMappingServiceClientConnectWrapper { - return &DefinitionValueEntitlementMappingServiceClientConnectWrapper{DefinitionValueEntitlementMappingServiceClient: definitionvalueentitlementconnect.NewDefinitionValueEntitlementMappingServiceClient(httpClient, baseURL, opts...)} -} - -type DefinitionValueEntitlementMappingServiceClient interface { - ListDefinitionValueEntitlementMappings(ctx context.Context, req *definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest) (*definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse, error) - GetDefinitionValueEntitlementMapping(ctx context.Context, req *definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest) (*definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse, error) - CreateDefinitionValueEntitlementMapping(ctx context.Context, req *definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest) (*definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse, error) - UpdateDefinitionValueEntitlementMapping(ctx context.Context, req *definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest) (*definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse, error) - DeleteDefinitionValueEntitlementMapping(ctx 
context.Context, req *definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest) (*definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse, error) -} - -func (w *DefinitionValueEntitlementMappingServiceClientConnectWrapper) ListDefinitionValueEntitlementMappings(ctx context.Context, req *definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest) (*definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse, error) { - // Wrap Connect RPC client request - res, err := w.DefinitionValueEntitlementMappingServiceClient.ListDefinitionValueEntitlementMappings(ctx, connect.NewRequest(req)) - if res == nil { - return nil, err - } - return res.Msg, err -} - -func (w *DefinitionValueEntitlementMappingServiceClientConnectWrapper) GetDefinitionValueEntitlementMapping(ctx context.Context, req *definitionvalueentitlement.GetDefinitionValueEntitlementMappingRequest) (*definitionvalueentitlement.GetDefinitionValueEntitlementMappingResponse, error) { - // Wrap Connect RPC client request - res, err := w.DefinitionValueEntitlementMappingServiceClient.GetDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) - if res == nil { - return nil, err - } - return res.Msg, err -} - -func (w *DefinitionValueEntitlementMappingServiceClientConnectWrapper) CreateDefinitionValueEntitlementMapping(ctx context.Context, req *definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest) (*definitionvalueentitlement.CreateDefinitionValueEntitlementMappingResponse, error) { - // Wrap Connect RPC client request - res, err := w.DefinitionValueEntitlementMappingServiceClient.CreateDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) - if res == nil { - return nil, err - } - return res.Msg, err -} - -func (w *DefinitionValueEntitlementMappingServiceClientConnectWrapper) UpdateDefinitionValueEntitlementMapping(ctx context.Context, req *definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest) 
(*definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingResponse, error) { - // Wrap Connect RPC client request - res, err := w.DefinitionValueEntitlementMappingServiceClient.UpdateDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) - if res == nil { - return nil, err - } - return res.Msg, err -} - -func (w *DefinitionValueEntitlementMappingServiceClientConnectWrapper) DeleteDefinitionValueEntitlementMapping(ctx context.Context, req *definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingRequest) (*definitionvalueentitlement.DeleteDefinitionValueEntitlementMappingResponse, error) { - // Wrap Connect RPC client request - res, err := w.DefinitionValueEntitlementMappingServiceClient.DeleteDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) - if res == nil { - return nil, err - } - return res.Msg, err -} diff --git a/sdk/sdkconnect/subjectmapping.go b/sdk/sdkconnect/subjectmapping.go index 90640a1d72..a5b321fb19 100644 --- a/sdk/sdkconnect/subjectmapping.go +++ b/sdk/sdkconnect/subjectmapping.go 
@@ -29,6 +29,11 @@ type SubjectMappingServiceClient interface { UpdateSubjectConditionSet(ctx context.Context, req *subjectmapping.UpdateSubjectConditionSetRequest) (*subjectmapping.UpdateSubjectConditionSetResponse, error) DeleteSubjectConditionSet(ctx context.Context, req *subjectmapping.DeleteSubjectConditionSetRequest) (*subjectmapping.DeleteSubjectConditionSetResponse, error) DeleteAllUnmappedSubjectConditionSets(ctx context.Context, req *subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest) (*subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse, error) + ListDefinitionValueEntitlementMappings(ctx context.Context, req *subjectmapping.ListDefinitionValueEntitlementMappingsRequest) (*subjectmapping.ListDefinitionValueEntitlementMappingsResponse, error) + GetDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.GetDefinitionValueEntitlementMappingRequest) (*subjectmapping.GetDefinitionValueEntitlementMappingResponse, error) + CreateDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.CreateDefinitionValueEntitlementMappingRequest) (*subjectmapping.CreateDefinitionValueEntitlementMappingResponse, error) + UpdateDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.UpdateDefinitionValueEntitlementMappingRequest) (*subjectmapping.UpdateDefinitionValueEntitlementMappingResponse, error) + DeleteDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.DeleteDefinitionValueEntitlementMappingRequest) (*subjectmapping.DeleteDefinitionValueEntitlementMappingResponse, error) } func (w *SubjectMappingServiceClientConnectWrapper) MatchSubjectMappings(ctx context.Context, req *subjectmapping.MatchSubjectMappingsRequest) (*subjectmapping.MatchSubjectMappingsResponse, error) { 
@@ -138,3 +143,48 @@ func (w *SubjectMappingServiceClientConnectWrapper) DeleteAllUnmappedSubjectCond } return res.Msg, err } + +func (w *SubjectMappingServiceClientConnectWrapper) ListDefinitionValueEntitlementMappings(ctx context.Context, req *subjectmapping.ListDefinitionValueEntitlementMappingsRequest) (*subjectmapping.ListDefinitionValueEntitlementMappingsResponse, error) { + // Wrap Connect RPC client request + res, err := w.SubjectMappingServiceClient.ListDefinitionValueEntitlementMappings(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +} + +func (w *SubjectMappingServiceClientConnectWrapper) GetDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.GetDefinitionValueEntitlementMappingRequest) (*subjectmapping.GetDefinitionValueEntitlementMappingResponse, error) { + // Wrap Connect RPC client request + res, err := w.SubjectMappingServiceClient.GetDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +} + +func (w *SubjectMappingServiceClientConnectWrapper) CreateDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.CreateDefinitionValueEntitlementMappingRequest) (*subjectmapping.CreateDefinitionValueEntitlementMappingResponse, error) { + // Wrap Connect RPC client request + res, err := w.SubjectMappingServiceClient.CreateDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +} + +func (w *SubjectMappingServiceClientConnectWrapper) UpdateDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.UpdateDefinitionValueEntitlementMappingRequest) (*subjectmapping.UpdateDefinitionValueEntitlementMappingResponse, error) { + // Wrap Connect RPC client request + res, err := w.SubjectMappingServiceClient.UpdateDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return 
res.Msg, err +} + +func (w *SubjectMappingServiceClientConnectWrapper) DeleteDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.DeleteDefinitionValueEntitlementMappingRequest) (*subjectmapping.DeleteDefinitionValueEntitlementMappingResponse, error) { + // Wrap Connect RPC client request + res, err := w.SubjectMappingServiceClient.DeleteDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +} diff --git a/service/integration/definition_value_entitlement_mappings_test.go b/service/integration/definition_value_entitlement_mappings_test.go index 8e55835537..66c039ceea 100644 --- a/service/integration/definition_value_entitlement_mappings_test.go +++ b/service/integration/definition_value_entitlement_mappings_test.go @@ -7,7 +7,6 @@ import ( "github.com/opentdf/platform/protocol/go/policy" "github.com/opentdf/platform/protocol/go/policy/attributes" - "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement" "github.com/opentdf/platform/protocol/go/policy/subjectmapping" "github.com/opentdf/platform/protocol/go/policy/unsafe" "github.com/opentdf/platform/service/internal/fixtures" @@ -48,7 +47,7 @@ func TestDefinitionValueEntitlementMappingsSuite(t *testing.T) { func (s *DefinitionValueEntitlementMappingsSuite) TestCreateAndGet() { attr := s.createDefinition("dvem_create_ok", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF) - created, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{ + created, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{ AttributeDefinitionId: attr.GetId(), ValueResolver: s.resolver(".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN), Actions: []*policy.Action{s.readAction()}, 
@@ -68,7 +67,7 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestCreateAndGet() {
 func (s *DefinitionValueEntitlementMappingsSuite) TestCreateWithStaticGate() {
 attr := s.createDefinition("dvem_create_gate", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
- created, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{
+ created, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{
 AttributeDefinitionId: attr.GetId(),
 ValueResolver: s.resolver(".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
 Actions: []*policy.Action{s.readAction()},
@@ -85,7 +84,7 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestCreateWithStaticGate() {
 func (s *DefinitionValueEntitlementMappingsSuite) TestRejectsHierarchyDefinition() {
 attr := s.createDefinition("dvem_hierarchy", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY)
- _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{
+ _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{
 AttributeDefinitionId: attr.GetId(),
 ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
 Actions: []*policy.Action{s.readAction()},
@@ -106,7 +105,7 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestNoCoexistence_SubjectMappi s.Require().NoError(err) // definition now has a value-level subject mapping; a dynamic mapping must be rejected - _, err = s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{ + _, err = s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{ AttributeDefinitionId: attr.GetId(), ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN), Actions: []*policy.Action{s.readAction()}, @@ -117,7 +116,7 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestNoCoexistence_SubjectMappi func (s *DefinitionValueEntitlementMappingsSuite) TestNoCoexistence_DynamicThenSubjectMapping() { attr := s.createDefinition("dvem_coexist_rev", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF) - _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{ + _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{ AttributeDefinitionId: attr.GetId(), ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN), Actions: []*policy.Action{s.readAction()}, 
@@ -139,7 +138,7 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestNoCoexistence_DynamicThenS
 func (s *DefinitionValueEntitlementMappingsSuite) TestRejectsRuleChangeToHierarchy() {
 attr := s.createDefinition("dvem_rule_guard", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
- _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{
+ _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{
 AttributeDefinitionId: attr.GetId(),
 ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
 Actions: []*policy.Action{s.readAction()},
@@ -156,14 +155,14 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestRejectsRuleChangeToHierarc
 func (s *DefinitionValueEntitlementMappingsSuite) TestUpdateAndDelete() {
 attr := s.createDefinition("dvem_update_delete", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF)
- created, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{
+ created, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{
 AttributeDefinitionId: attr.GetId(),
 ValueResolver: s.resolver(".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
 Actions: []*policy.Action{s.readAction()},
 })
 s.Require().NoError(err)
- updated, err := s.db.PolicyClient.UpdateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest{
+ updated, err := s.db.PolicyClient.UpdateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.UpdateDefinitionValueEntitlementMappingRequest{
 Id: created.GetId(),
 ValueResolver: s.resolver(".accounts[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS),
 })
@@ -180,14 +179,14 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestUpdateAndDelete() {
 func (s *DefinitionValueEntitlementMappingsSuite) TestListByDefinition() {
 attr := s.createDefinition("dvem_list", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
- _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest{
+ _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{
 AttributeDefinitionId: attr.GetId(),
 ValueResolver: s.resolver(".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
 Actions: []*policy.Action{s.readAction()},
 })
 s.Require().NoError(err)
- resp, err := s.db.PolicyClient.ListDefinitionValueEntitlementMappings(s.ctx, &definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest{
+ resp, err := s.db.PolicyClient.ListDefinitionValueEntitlementMappings(s.ctx, &subjectmapping.ListDefinitionValueEntitlementMappingsRequest{
 AttributeDefinitionId: attr.GetId(),
 })
 s.Require().NoError(err)
diff --git a/service/internal/access/v2/policy_store.go b/service/internal/access/v2/policy_store.go
index 3f9033718b..038ef87460 100644
--- a/service/internal/access/v2/policy_store.go
+++ b/service/internal/access/v2/policy_store.go
@@ -7,7 +7,6 @@ import (
 "github.com/opentdf/platform/protocol/go/common"
 "github.com/opentdf/platform/protocol/go/policy"
 attrs "github.com/opentdf/platform/protocol/go/policy/attributes"
- "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement"
 "github.com/opentdf/platform/protocol/go/policy/obligations"
 "github.com/opentdf/platform/protocol/go/policy/registeredresources"
 "github.com/opentdf/platform/protocol/go/policy/subjectmapping"
@@ -112,7 +111,7 @@ func (p *EntitlementPolicyRetriever) ListAllDefinitionValueEntitlementMappings(c mappingsList := make([]*policy.DefinitionValueEntitlementMapping, 0) for { - listed, err := p.SDK.DefinitionValueEntitlementMapping.ListDefinitionValueEntitlementMappings(ctx, &definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest{ + listed, err := p.SDK.SubjectMapping.ListDefinitionValueEntitlementMappings(ctx, &subjectmapping.ListDefinitionValueEntitlementMappingsRequest{ // defer to service default for limit pagination Pagination: &policy.PageRequest{ Offset: nextOffset, diff --git a/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md b/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md index 09724f3d6e..a545b5e964 100644 --- a/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md +++ b/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md @@ -11,8 +11,8 @@ implementation spike** the question of *how* to model it. This document records The original spike prototyped all three options as a throwaway package to make them comparable on real behavior. The recommendation below (a new primitive carrying a new operator) is now implemented as production code: the `DefinitionValueEntitlementMapping` primitive -([`service/policy/objects.proto`](../objects.proto)), its dedicated service -([`service/policy/definitionvalueentitlement`](../definitionvalueentitlement)), DB layer, and the +([`service/policy/objects.proto`](../objects.proto)), its CRUD RPCs on the existing +[`SubjectMappingService`](../subjectmapping), DB layer, and the decision-time evaluator ([`service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go`](../../internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go)) wired into the PDP. The findings below record why that shape was chosen over the alternatives. 
diff --git a/service/policy/db/definition_value_entitlement_mappings.go b/service/policy/db/definition_value_entitlement_mappings.go
index 737de6b8a9..e535e5753b 100644
--- a/service/policy/db/definition_value_entitlement_mappings.go
+++ b/service/policy/db/definition_value_entitlement_mappings.go
@@ -10,7 +10,7 @@ import (
 "github.com/opentdf/platform/protocol/go/common"
 "github.com/opentdf/platform/protocol/go/policy"
 "github.com/opentdf/platform/protocol/go/policy/attributes"
- "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement"
+ "github.com/opentdf/platform/protocol/go/policy/subjectmapping"
 "github.com/opentdf/platform/service/pkg/db"
 )
@@ -25,7 +25,7 @@ type definitionValueEntitlementMappingRow struct {
 namespace interface{}
 }
-func (c PolicyDBClient) CreateDefinitionValueEntitlementMapping(ctx context.Context, r *definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest) (*policy.DefinitionValueEntitlementMapping, error) {
+func (c PolicyDBClient) CreateDefinitionValueEntitlementMapping(ctx context.Context, r *subjectmapping.CreateDefinitionValueEntitlementMappingRequest) (*policy.DefinitionValueEntitlementMapping, error) {
 resolver := r.GetValueResolver()
 if resolver.GetOperator() == policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED {
 return nil, errors.Join(db.ErrEnumValueInvalid, errors.New("value_resolver.operator must be specified"))
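Review bot: The exported `CreateDefinitionValueEntitlementMapping` in the second hunk has no doc comment; the context lines directly above its signature are the end of the row struct. It is the write path for policy that grants entitlements, so the validation it performs should be stated where callers will read it. I would add `// CreateDefinitionValueEntitlementMapping persists a dynamic entitlement mapping for an attribute definition; a resolver whose operator is unspecified is rejected with db.ErrEnumValueInvalid.` above the signature. Any further preconditions enforced later in the body belong in the same comment; the function continues outside the hunk.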
@@ -107,7 +107,7 @@ func (c PolicyDBClient) GetDefinitionValueEntitlementMapping(ctx context.Context
 })
 }
-func (c PolicyDBClient) ListDefinitionValueEntitlementMappings(ctx context.Context, r *definitionvalueentitlement.ListDefinitionValueEntitlementMappingsRequest) (*definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse, error) {
+func (c PolicyDBClient) ListDefinitionValueEntitlementMappings(ctx context.Context, r *subjectmapping.ListDefinitionValueEntitlementMappingsRequest) (*subjectmapping.ListDefinitionValueEntitlementMappingsResponse, error) {
 limit, offset := c.getRequestedLimitOffset(r.GetPagination())
 maxLimit := c.listCfg.limitMax
@@ -156,7 +156,7 @@ func (c PolicyDBClient) ListDefinitionValueEntitlementMappings(ctx context.Conte
 nextOffset = getNextOffset(offset, limit, total)
 }
- return &definitionvalueentitlement.ListDefinitionValueEntitlementMappingsResponse{
+ return &subjectmapping.ListDefinitionValueEntitlementMappingsResponse{
 DefinitionValueEntitlementMappings: mappings,
 Pagination: &policy.PageResponse{
 CurrentOffset: offset,
@@ -166,7 +166,7 @@ func (c PolicyDBClient) ListDefinitionValueEntitlementMappings(ctx context.Conte
 }, nil
 }
-func (c PolicyDBClient) UpdateDefinitionValueEntitlementMapping(ctx context.Context, r *definitionvalueentitlement.UpdateDefinitionValueEntitlementMappingRequest) (*policy.DefinitionValueEntitlementMapping, error) {
+func (c PolicyDBClient) UpdateDefinitionValueEntitlementMapping(ctx context.Context, r *subjectmapping.UpdateDefinitionValueEntitlementMappingRequest) (*policy.DefinitionValueEntitlementMapping, error) {
 id := r.GetId()
 before, err := c.GetDefinitionValueEntitlementMapping(ctx, id)
 if err != nil {
@@ -340,7 +340,7 @@ func (c PolicyDBClient) ensureNoDefinitionValueEntitlementMappingCoexistence(ctx
 func (c PolicyDBClient) resolveDefinitionValueEntitlementMappingSubjectConditionSet(
 ctx context.Context,
- r *definitionvalueentitlement.CreateDefinitionValueEntitlementMappingRequest,
+ r *subjectmapping.CreateDefinitionValueEntitlementMappingRequest,
 namespaceID string,
 ) (*policy.SubjectConditionSet, error) {
 switch {
diff --git a/service/policy/db/utils.go b/service/policy/db/utils.go
index 27f3f4041f..d4eed94fce 100644
--- a/service/policy/db/utils.go
+++ b/service/policy/db/utils.go
@@ -10,7 +10,6 @@ import (
 "github.com/opentdf/platform/protocol/go/common"
 "github.com/opentdf/platform/protocol/go/policy"
 "github.com/opentdf/platform/protocol/go/policy/attributes"
- "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement"
 "github.com/opentdf/platform/protocol/go/policy/kasregistry"
 "github.com/opentdf/platform/protocol/go/policy/namespaces"
 "github.com/opentdf/platform/protocol/go/policy/obligations"
@@ -405,20 +404,20 @@ func GetSubjectMappingsSortParams(sort []*subjectmapping.SubjectMappingsSort) (s return getSubjectMappingsSortField(sort[0].GetField()), getSortDirection(sort[0].GetDirection()) } -func getDefinitionValueEntitlementMappingsSortField(field definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType) string { +func getDefinitionValueEntitlementMappingsSortField(field subjectmapping.SortDefinitionValueEntitlementMappingsType) string { switch field { - case definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT: + case subjectmapping.SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT: return sortFieldCreatedAt - case definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT: + case subjectmapping.SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT: return sortFieldUpdatedAt - case definitionvalueentitlement.SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED: + case subjectmapping.SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED: fallthrough default: return "" } } -func GetDefinitionValueEntitlementMappingsSortParams(sort []*definitionvalueentitlement.DefinitionValueEntitlementMappingsSort) (string, string) { +func GetDefinitionValueEntitlementMappingsSortParams(sort []*subjectmapping.DefinitionValueEntitlementMappingsSort) (string, string) { if len(sort) == 0 { return "", "" } diff --git a/service/policy/definitionvalueentitlement/definition_value_entitlement.go b/service/policy/definitionvalueentitlement/definition_value_entitlement.go deleted file mode 100644 index b027fecd5d..0000000000 --- a/service/policy/definitionvalueentitlement/definition_value_entitlement.go +++ /dev/null 
@@ -1,189 +0,0 @@ -package definitionvalueentitlement - -import ( - "context" - "errors" - "fmt" - "log/slog" - - "connectrpc.com/connect" - dvem "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement" - "github.com/opentdf/platform/protocol/go/policy/definitionvalueentitlement/definitionvalueentitlementconnect" - "github.com/opentdf/platform/service/logger" - "github.com/opentdf/platform/service/logger/audit" - "github.com/opentdf/platform/service/pkg/config" - "github.com/opentdf/platform/service/pkg/db" - "github.com/opentdf/platform/service/pkg/serviceregistry" - policyconfig "github.com/opentdf/platform/service/policy/config" - policydb "github.com/opentdf/platform/service/policy/db" -) - -type DefinitionValueEntitlementMappingService struct { //nolint:revive // descriptive name mirrors the policy object - dbClient policydb.PolicyDBClient - logger *logger.Logger - config *policyconfig.Config -} - -func OnConfigUpdate(svc *DefinitionValueEntitlementMappingService) serviceregistry.OnConfigUpdateHook { - return func(_ context.Context, cfg config.ServiceConfig) error { - sharedCfg, err := policyconfig.GetSharedPolicyConfig(cfg) - if err != nil { - return fmt.Errorf("failed to get shared policy config: %w", err) - } - svc.config = sharedCfg - svc.dbClient = policydb.NewClient(svc.dbClient.Client, svc.logger, int32(sharedCfg.ListRequestLimitMax), int32(sharedCfg.ListRequestLimitDefault)) - svc.logger.Info("definition value entitlement mapping service config reloaded") - return nil - } -} - -func NewRegistration(ns string, dbRegister serviceregistry.DBRegister) *serviceregistry.Service[definitionvalueentitlementconnect.DefinitionValueEntitlementMappingServiceHandler] { - svc := new(DefinitionValueEntitlementMappingService) - onUpdateConfigHook := OnConfigUpdate(svc) - - return &serviceregistry.Service[definitionvalueentitlementconnect.DefinitionValueEntitlementMappingServiceHandler]{ - Close: svc.Close, - ServiceOptions: 
serviceregistry.ServiceOptions[definitionvalueentitlementconnect.DefinitionValueEntitlementMappingServiceHandler]{ - Namespace: ns, - DB: dbRegister, - ServiceDesc: &dvem.DefinitionValueEntitlementMappingService_ServiceDesc, - ConnectRPCFunc: definitionvalueentitlementconnect.NewDefinitionValueEntitlementMappingServiceHandler, - OnConfigUpdate: onUpdateConfigHook, - RegisterFunc: func(srp serviceregistry.RegistrationParams) (definitionvalueentitlementconnect.DefinitionValueEntitlementMappingServiceHandler, serviceregistry.HandlerServer) { - logger := srp.Logger - cfg, err := policyconfig.GetSharedPolicyConfig(srp.Config) - if err != nil { - logger.Error("error getting definition value entitlement mapping service policy config", slog.String("error", err.Error())) - panic(err) - } - - svc.logger = logger - svc.dbClient = policydb.NewClient(srp.DBClient, logger, int32(cfg.ListRequestLimitMax), int32(cfg.ListRequestLimitDefault)) - svc.config = cfg - return svc, nil - }, - }, - } -} - -// Close gracefully shuts down the service, closing the database client. 
-func (s *DefinitionValueEntitlementMappingService) Close() { - s.logger.Info("gracefully shutting down definition value entitlement mapping service") - s.dbClient.Close() -} - -func (s DefinitionValueEntitlementMappingService) CreateDefinitionValueEntitlementMapping(ctx context.Context, - req *connect.Request[dvem.CreateDefinitionValueEntitlementMappingRequest], -) (*connect.Response[dvem.CreateDefinitionValueEntitlementMappingResponse], error) { - rsp := &dvem.CreateDefinitionValueEntitlementMappingResponse{} - s.logger.DebugContext(ctx, "creating definition value entitlement mapping") - if s.config.NamespacedPolicy && req.Msg.GetNamespaceId() == "" && req.Msg.GetNamespaceFqn() == "" { - return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("either namespace_id or namespace_fqn must be provided")) - } - - auditParams := audit.PolicyEventParams{ - ActionType: audit.ActionTypeCreate, - ObjectType: audit.ObjectTypeDefinitionValueEntitlementMapping, - } - - // Creation may involve action or SubjectConditionSet creation, so use a transaction. 
- err := s.dbClient.RunInTx(ctx, func(txClient *policydb.PolicyDBClient) error { - mapping, err := txClient.CreateDefinitionValueEntitlementMapping(ctx, req.Msg) - if err != nil { - s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) - return err - } - - auditParams.ObjectID = mapping.GetId() - auditParams.Original = mapping - s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams) - - rsp.DefinitionValueEntitlementMapping = mapping - return nil - }) - if err != nil { - return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextCreationFailed, slog.String("definitionValueEntitlementMapping", req.Msg.String())) - } - return connect.NewResponse(rsp), nil -} - -func (s DefinitionValueEntitlementMappingService) ListDefinitionValueEntitlementMappings(ctx context.Context, - req *connect.Request[dvem.ListDefinitionValueEntitlementMappingsRequest], -) (*connect.Response[dvem.ListDefinitionValueEntitlementMappingsResponse], error) { - s.logger.DebugContext(ctx, "listing definition value entitlement mappings") - - rsp, err := s.dbClient.ListDefinitionValueEntitlementMappings(ctx, req.Msg) - if err != nil { - return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextListRetrievalFailed) - } - return connect.NewResponse(rsp), nil -} - -func (s DefinitionValueEntitlementMappingService) GetDefinitionValueEntitlementMapping(ctx context.Context, - req *connect.Request[dvem.GetDefinitionValueEntitlementMappingRequest], -) (*connect.Response[dvem.GetDefinitionValueEntitlementMappingResponse], error) { - s.logger.DebugContext(ctx, "getting definition value entitlement mapping", slog.String("id", req.Msg.GetId())) - - mapping, err := s.dbClient.GetDefinitionValueEntitlementMapping(ctx, req.Msg.GetId()) - if err != nil { - return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextGetRetrievalFailed, slog.String("id", req.Msg.GetId())) - } - return connect.NewResponse(&dvem.GetDefinitionValueEntitlementMappingResponse{DefinitionValueEntitlementMapping: mapping}), nil -} - -func (s 
DefinitionValueEntitlementMappingService) UpdateDefinitionValueEntitlementMapping(ctx context.Context, - req *connect.Request[dvem.UpdateDefinitionValueEntitlementMappingRequest], -) (*connect.Response[dvem.UpdateDefinitionValueEntitlementMappingResponse], error) { - rsp := &dvem.UpdateDefinitionValueEntitlementMappingResponse{} - id := req.Msg.GetId() - s.logger.DebugContext(ctx, "updating definition value entitlement mapping", slog.String("id", id)) - - auditParams := audit.PolicyEventParams{ - ActionType: audit.ActionTypeUpdate, - ObjectType: audit.ObjectTypeDefinitionValueEntitlementMapping, - ObjectID: id, - } - - original, err := s.dbClient.GetDefinitionValueEntitlementMapping(ctx, id) - if err != nil { - s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) - return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextGetRetrievalFailed, slog.String("id", id)) - } - - updated, err := s.dbClient.UpdateDefinitionValueEntitlementMapping(ctx, req.Msg) - if err != nil { - s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) - return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextUpdateFailed, slog.String("id", id), slog.String("definitionValueEntitlementMapping", req.Msg.String())) - } - - auditParams.Original = original - auditParams.Updated = updated - s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams) - - rsp.DefinitionValueEntitlementMapping = updated - return connect.NewResponse(rsp), nil -} - -func (s DefinitionValueEntitlementMappingService) DeleteDefinitionValueEntitlementMapping(ctx context.Context, - req *connect.Request[dvem.DeleteDefinitionValueEntitlementMappingRequest], -) (*connect.Response[dvem.DeleteDefinitionValueEntitlementMappingResponse], error) { - rsp := &dvem.DeleteDefinitionValueEntitlementMappingResponse{} - id := req.Msg.GetId() - s.logger.DebugContext(ctx, "deleting definition value entitlement mapping", slog.String("id", id)) - - auditParams := audit.PolicyEventParams{ - ActionType: audit.ActionTypeDelete, - ObjectType: 
audit.ObjectTypeDefinitionValueEntitlementMapping, - ObjectID: id, - } - - deleted, err := s.dbClient.DeleteDefinitionValueEntitlementMapping(ctx, id) - if err != nil { - s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) - return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextDeletionFailed, slog.String("id", id)) - } - - s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams) - rsp.DefinitionValueEntitlementMapping = deleted - return connect.NewResponse(rsp), nil -} diff --git a/service/policy/definitionvalueentitlement/definition_value_entitlement.proto b/service/policy/definitionvalueentitlement/definition_value_entitlement.proto deleted file mode 100644 index c03d0f581b..0000000000 --- a/service/policy/definitionvalueentitlement/definition_value_entitlement.proto +++ /dev/null 
@@ -1,168 +0,0 @@ -syntax = "proto3"; - -package policy.definitionvalueentitlement; - -import "buf/validate/validate.proto"; -import "common/common.proto"; -import "policy/objects.proto"; -import "policy/selectors.proto"; -import "policy/subjectmapping/subject_mapping.proto"; - -/* - Definition Value Entitlement Mapping CRUD operations -*/ - -message GetDefinitionValueEntitlementMappingRequest { - // Required - string id = 1 [(buf.validate.field).string.uuid = true]; -} -message GetDefinitionValueEntitlementMappingResponse { - policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1; -} - -enum SortDefinitionValueEntitlementMappingsType { - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED = 0; - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT = 1; - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT = 2; -} - -message DefinitionValueEntitlementMappingsSort { - SortDefinitionValueEntitlementMappingsType field = 1 [(buf.validate.field).enum.defined_only = true]; - policy.SortDirection direction = 2 [(buf.validate.field).enum.defined_only = true]; -} - -message ListDefinitionValueEntitlementMappingsRequest { - // Optional - // Namespace ID or FQN, or Attribute Definition ID or FQN to filter by - string namespace_id = 1 [(buf.validate.field).cel = { - id: "optional_uuid_format" - message: "Optional field must be a valid UUID" - expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" - }]; - string attribute_definition_id = 2 [(buf.validate.field).cel = { - id: "optional_uuid_format" - message: "Optional field must be a valid UUID" - expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" - }]; - - // Optional - policy.PageRequest pagination = 10; - - // Optional - CONSTRAINT: max 1 item - repeated DefinitionValueEntitlementMappingsSort sort = 11 
[(buf.validate.field).repeated.max_items = 1]; -} -message ListDefinitionValueEntitlementMappingsResponse { - repeated policy.DefinitionValueEntitlementMapping definition_value_entitlement_mappings = 1; - - policy.PageResponse pagination = 10; -} - -message CreateDefinitionValueEntitlementMappingRequest { - // Required: Attribute Definition ID or FQN to scope the mapping to - option (buf.validate.message).oneof = { - fields: ["attribute_definition_id", "attribute_definition_fqn"] - required: true - }; - string attribute_definition_id = 1 [(buf.validate.field).cel = { - id: "optional_uuid_format" - message: "Optional field must be a valid UUID" - expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" - }]; - string attribute_definition_fqn = 2 [ - (buf.validate.field).string = { - min_len: 0 - uri: true - } - ]; - - // Required: the dynamic resolver comparing entity selector result to the resource value segment - policy.DefinitionValueResolver value_resolver = 3 [(buf.validate.field).required = true]; - - // Required: actions permitted on a matched value - repeated policy.Action actions = 4 [ - (buf.validate.field).repeated.min_items = 1, - (buf.validate.field).cel = { - id: "action_name_or_id_not_empty" - message: "Action name or ID must not be empty if provided" - expression: "this.all(item, item.name != '' || item.id != '')" - } - ]; - - // Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ... - string existing_subject_condition_set_id = 5 [(buf.validate.field).cel = { - id: "optional_uuid_format" - message: "Optional field must be a valid UUID" - expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" - }]; - // ... 
or create a new one (ignored if existing_subject_condition_set_id is provided) - policy.subjectmapping.SubjectConditionSetCreate new_subject_condition_set = 6; - - // Optional: namespace ID or FQN for the mapping - string namespace_id = 7 [(buf.validate.field).cel = { - id: "optional_uuid_format" - message: "Optional field must be a valid UUID" - expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" - }]; - string namespace_fqn = 8 [ - (buf.validate.field).string = { - min_len: 0 - uri: true - } - ]; - - // Optional - common.MetadataMutable metadata = 100; -} -message CreateDefinitionValueEntitlementMappingResponse { - policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1; -} - -message UpdateDefinitionValueEntitlementMappingRequest { - // Required - string id = 1 [(buf.validate.field).string.uuid = true]; - - // Optional: replace the dynamic resolver - policy.DefinitionValueResolver value_resolver = 2; - - // Optional: replace the static pre-gate SubjectConditionSet by id - string subject_condition_set_id = 3 [(buf.validate.field).cel = { - id: "optional_uuid_format" - message: "Optional field must be a valid UUID" - expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" - }]; - - // Optional: replace the entire list of actions - repeated policy.Action actions = 4 [(buf.validate.field).cel = { - id: "action_name_or_id_not_empty" - message: "Action name or ID must not be empty if provided" - expression: "this.size() == 0 || this.all(item, item.name != '' || item.id != '')" - }]; - - // Common metadata - common.MetadataMutable metadata = 100; - common.MetadataUpdateEnum metadata_update_behavior = 101; -} -message UpdateDefinitionValueEntitlementMappingResponse { - policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1; -} - -message 
DeleteDefinitionValueEntitlementMappingRequest { - // Required - string id = 1 [(buf.validate.field).string.uuid = true]; -} -message DeleteDefinitionValueEntitlementMappingResponse { - // Only ID of the deleted mapping provided - policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1; -} - -service DefinitionValueEntitlementMappingService { - rpc ListDefinitionValueEntitlementMappings(ListDefinitionValueEntitlementMappingsRequest) returns (ListDefinitionValueEntitlementMappingsResponse) { - option idempotency_level = NO_SIDE_EFFECTS; - } - rpc GetDefinitionValueEntitlementMapping(GetDefinitionValueEntitlementMappingRequest) returns (GetDefinitionValueEntitlementMappingResponse) { - option idempotency_level = NO_SIDE_EFFECTS; - } - rpc CreateDefinitionValueEntitlementMapping(CreateDefinitionValueEntitlementMappingRequest) returns (CreateDefinitionValueEntitlementMappingResponse) {} - rpc UpdateDefinitionValueEntitlementMapping(UpdateDefinitionValueEntitlementMappingRequest) returns (UpdateDefinitionValueEntitlementMappingResponse) {} - rpc DeleteDefinitionValueEntitlementMapping(DeleteDefinitionValueEntitlementMappingRequest) returns (DeleteDefinitionValueEntitlementMappingResponse) {} -} diff --git a/service/policy/policy.go b/service/policy/policy.go index fa2b1386f4..4e1f479454 100644 --- a/service/policy/policy.go +++ b/service/policy/policy.go @@ -7,7 +7,6 @@ import ( "github.com/opentdf/platform/service/policy/actions" "github.com/opentdf/platform/service/policy/attributes" "github.com/opentdf/platform/service/policy/db/migrations" - "github.com/opentdf/platform/service/policy/definitionvalueentitlement" "github.com/opentdf/platform/service/policy/kasregistry" "github.com/opentdf/platform/service/policy/keymanagement" "github.com/opentdf/platform/service/policy/namespaces" 
@@ -37,7 +36,6 @@ func NewRegistrations() []serviceregistry.IService { namespaces.NewRegistration(namespace, dbRegister), resourcemapping.NewRegistration(namespace, dbRegister), subjectmapping.NewRegistration(namespace, dbRegister), - definitionvalueentitlement.NewRegistration(namespace, dbRegister), kasregistry.NewRegistration(namespace, dbRegister), unsafe.NewRegistration(namespace, dbRegister), actions.NewRegistration(namespace, dbRegister), diff --git a/service/policy/subjectmapping/subject_mapping.go b/service/policy/subjectmapping/subject_mapping.go index 554a3c3ab3..2577b53149 100644 --- a/service/policy/subjectmapping/subject_mapping.go +++ b/service/policy/subjectmapping/subject_mapping.go 
@@ -397,3 +397,123 @@ func (s SubjectMappingService) DeleteAllUnmappedSubjectConditionSets(ctx context rsp.SubjectConditionSets = deleted return connect.NewResponse(rsp), nil } + +/* ----------------------------------------------------------------- + * --------- Definition Value Entitlement Mappings (DSPX-2754) ------ + * ----------------------------------------------------------------*/ + +func (s SubjectMappingService) CreateDefinitionValueEntitlementMapping(ctx context.Context, + req *connect.Request[sm.CreateDefinitionValueEntitlementMappingRequest], +) (*connect.Response[sm.CreateDefinitionValueEntitlementMappingResponse], error) { + rsp := &sm.CreateDefinitionValueEntitlementMappingResponse{} + s.logger.DebugContext(ctx, "creating definition value entitlement mapping") + if s.config.NamespacedPolicy && req.Msg.GetNamespaceId() == "" && req.Msg.GetNamespaceFqn() == "" { + return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("either namespace_id or namespace_fqn must be provided")) + } + + auditParams := audit.PolicyEventParams{ + ActionType: audit.ActionTypeCreate, + ObjectType: audit.ObjectTypeDefinitionValueEntitlementMapping, + } + + // Creation may involve action or SubjectConditionSet creation, so use a transaction. 
+ err := s.dbClient.RunInTx(ctx, func(txClient *policydb.PolicyDBClient) error { + mapping, err := txClient.CreateDefinitionValueEntitlementMapping(ctx, req.Msg) + if err != nil { + s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) + return err + } + + auditParams.ObjectID = mapping.GetId() + auditParams.Original = mapping + s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams) + + rsp.DefinitionValueEntitlementMapping = mapping + return nil + }) + if err != nil { + return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextCreationFailed, slog.String("definitionValueEntitlementMapping", req.Msg.String())) + } + return connect.NewResponse(rsp), nil +} + +func (s SubjectMappingService) ListDefinitionValueEntitlementMappings(ctx context.Context, + req *connect.Request[sm.ListDefinitionValueEntitlementMappingsRequest], +) (*connect.Response[sm.ListDefinitionValueEntitlementMappingsResponse], error) { + s.logger.DebugContext(ctx, "listing definition value entitlement mappings") + + rsp, err := s.dbClient.ListDefinitionValueEntitlementMappings(ctx, req.Msg) + if err != nil { + return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextListRetrievalFailed) + } + return connect.NewResponse(rsp), nil +} + +func (s SubjectMappingService) GetDefinitionValueEntitlementMapping(ctx context.Context, + req *connect.Request[sm.GetDefinitionValueEntitlementMappingRequest], +) (*connect.Response[sm.GetDefinitionValueEntitlementMappingResponse], error) { + s.logger.DebugContext(ctx, "getting definition value entitlement mapping", slog.String("id", req.Msg.GetId())) + + mapping, err := s.dbClient.GetDefinitionValueEntitlementMapping(ctx, req.Msg.GetId()) + if err != nil { + return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextGetRetrievalFailed, slog.String("id", req.Msg.GetId())) + } + return connect.NewResponse(&sm.GetDefinitionValueEntitlementMappingResponse{DefinitionValueEntitlementMapping: mapping}), nil +} + +func (s SubjectMappingService) 
UpdateDefinitionValueEntitlementMapping(ctx context.Context, + req *connect.Request[sm.UpdateDefinitionValueEntitlementMappingRequest], +) (*connect.Response[sm.UpdateDefinitionValueEntitlementMappingResponse], error) { + rsp := &sm.UpdateDefinitionValueEntitlementMappingResponse{} + id := req.Msg.GetId() + s.logger.DebugContext(ctx, "updating definition value entitlement mapping", slog.String("id", id)) + + auditParams := audit.PolicyEventParams{ + ActionType: audit.ActionTypeUpdate, + ObjectType: audit.ObjectTypeDefinitionValueEntitlementMapping, + ObjectID: id, + } + + original, err := s.dbClient.GetDefinitionValueEntitlementMapping(ctx, id) + if err != nil { + s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) + return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextGetRetrievalFailed, slog.String("id", id)) + } + + updated, err := s.dbClient.UpdateDefinitionValueEntitlementMapping(ctx, req.Msg) + if err != nil { + s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) + return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextUpdateFailed, slog.String("id", id), slog.String("definitionValueEntitlementMapping", req.Msg.String())) + } + + auditParams.Original = original + auditParams.Updated = updated + s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams) + + rsp.DefinitionValueEntitlementMapping = updated + return connect.NewResponse(rsp), nil +} + +func (s SubjectMappingService) DeleteDefinitionValueEntitlementMapping(ctx context.Context, + req *connect.Request[sm.DeleteDefinitionValueEntitlementMappingRequest], +) (*connect.Response[sm.DeleteDefinitionValueEntitlementMappingResponse], error) { + rsp := &sm.DeleteDefinitionValueEntitlementMappingResponse{} + id := req.Msg.GetId() + s.logger.DebugContext(ctx, "deleting definition value entitlement mapping", slog.String("id", id)) + + auditParams := audit.PolicyEventParams{ + ActionType: audit.ActionTypeDelete, + ObjectType: audit.ObjectTypeDefinitionValueEntitlementMapping, + ObjectID: id, + } + + deleted, 
err := s.dbClient.DeleteDefinitionValueEntitlementMapping(ctx, id) + if err != nil { + s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) + return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextDeletionFailed, slog.String("id", id)) + } + + s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams) + rsp.DefinitionValueEntitlementMapping = deleted + return connect.NewResponse(rsp), nil +} diff --git a/service/policy/subjectmapping/subject_mapping.proto b/service/policy/subjectmapping/subject_mapping.proto index af6da858ba..b33f40ff5d 100644 --- a/service/policy/subjectmapping/subject_mapping.proto +++ b/service/policy/subjectmapping/subject_mapping.proto 
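Review bot: In CreateDefinitionValueEntitlementMapping the audit success event is emitted inside the RunInTx closure, before the transaction outcome is known. RunInTx is not visible in this diff, but if it commits after the closure returns, a commit failure would leave a "created" audit record for an entitlement mapping that was never persisted, with no failure event. Because this object grants entitlements at the definition level, the audit trail should follow the committed state: keep only the `auditParams` and `rsp` assignments in the closure, call `s.logger.Audit.PolicyCRUDFailure(ctx, auditParams)` in the `if err != nil` branch after RunInTx, and call `s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams)` just before the final return. UpdateDefinitionValueEntitlementMapping has a related gap: `original` is read outside any transaction before the update call, so under concurrent updates `auditParams.Original` may not be the state that was actually replaced.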
@@ -260,6 +260,158 @@ message DeleteAllUnmappedSubjectConditionSetsResponse { repeated policy.SubjectConditionSet subject_condition_sets = 1; } +/* + Definition Value Entitlement Mapping CRUD operations + + A DefinitionValueEntitlementMapping raises entitlement authority from a concrete + AttributeValue to the AttributeDefinition: at decision time the value_resolver compares + the requested resource value segment against the entity representation. These RPCs live on + the SubjectMappingService as they are entitlement-adjacent and share the SubjectConditionSet. +*/ + +message GetDefinitionValueEntitlementMappingRequest { + // Required + string id = 1 [(buf.validate.field).string.uuid = true]; +} +message GetDefinitionValueEntitlementMappingResponse { + policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1; +} + +enum SortDefinitionValueEntitlementMappingsType { + SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED = 0; + SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT = 1; + SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT = 2; +} + +message DefinitionValueEntitlementMappingsSort { + SortDefinitionValueEntitlementMappingsType field = 1 [(buf.validate.field).enum.defined_only = true]; + policy.SortDirection direction = 2 [(buf.validate.field).enum.defined_only = true]; +} + +message ListDefinitionValueEntitlementMappingsRequest { + // Optional + // Namespace ID, or Attribute Definition ID to filter by + string namespace_id = 1 [(buf.validate.field).cel = { + id: "optional_uuid_format" + message: "Optional field must be a valid UUID" + expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" + }]; + string attribute_definition_id = 2 [(buf.validate.field).cel = { + id: "optional_uuid_format" + message: "Optional field must be a valid UUID" + expression: "size(this) == 0 || 
this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" + }]; + + // Optional + policy.PageRequest pagination = 10; + + // Optional - CONSTRAINT: max 1 item + repeated DefinitionValueEntitlementMappingsSort sort = 11 [(buf.validate.field).repeated.max_items = 1]; +} +message ListDefinitionValueEntitlementMappingsResponse { + repeated policy.DefinitionValueEntitlementMapping definition_value_entitlement_mappings = 1; + + policy.PageResponse pagination = 10; +} + +message CreateDefinitionValueEntitlementMappingRequest { + // Required: Attribute Definition ID or FQN to scope the mapping to + option (buf.validate.message).oneof = { + fields: ["attribute_definition_id", "attribute_definition_fqn"] + required: true + }; + string attribute_definition_id = 1 [(buf.validate.field).cel = { + id: "optional_uuid_format" + message: "Optional field must be a valid UUID" + expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" + }]; + string attribute_definition_fqn = 2 [ + (buf.validate.field).string = { + min_len: 0 + uri: true + } + ]; + + // Required: the dynamic resolver comparing entity selector result to the resource value segment + policy.DefinitionValueResolver value_resolver = 3 [(buf.validate.field).required = true]; + + // Required: actions permitted on a matched value + repeated policy.Action actions = 4 [ + (buf.validate.field).repeated.min_items = 1, + (buf.validate.field).cel = { + id: "action_name_or_id_not_empty" + message: "Action name or ID must not be empty if provided" + expression: "this.all(item, item.name != '' || item.id != '')" + } + ]; + + // Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ... 
+ string existing_subject_condition_set_id = 5 [(buf.validate.field).cel = { + id: "optional_uuid_format" + message: "Optional field must be a valid UUID" + expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" + }]; + // ... or create a new one (ignored if existing_subject_condition_set_id is provided) + SubjectConditionSetCreate new_subject_condition_set = 6; + + // Optional: namespace ID or FQN for the mapping + string namespace_id = 7 [(buf.validate.field).cel = { + id: "optional_uuid_format" + message: "Optional field must be a valid UUID" + expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" + }]; + string namespace_fqn = 8 [ + (buf.validate.field).string = { + min_len: 0 + uri: true + } + ]; + + // Optional + common.MetadataMutable metadata = 100; +} +message CreateDefinitionValueEntitlementMappingResponse { + policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1; +} + +message UpdateDefinitionValueEntitlementMappingRequest { + // Required + string id = 1 [(buf.validate.field).string.uuid = true]; + + // Optional: replace the dynamic resolver + policy.DefinitionValueResolver value_resolver = 2; + + // Optional: replace the static pre-gate SubjectConditionSet by id + string subject_condition_set_id = 3 [(buf.validate.field).cel = { + id: "optional_uuid_format" + message: "Optional field must be a valid UUID" + expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" + }]; + + // Optional: replace the entire list of actions + repeated policy.Action actions = 4 [(buf.validate.field).cel = { + id: "action_name_or_id_not_empty" + message: "Action name or ID must not be empty if provided" + expression: "this.size() == 0 || this.all(item, item.name != '' || item.id != '')" + }]; + + // Common metadata + common.MetadataMutable 
metadata = 100; + common.MetadataUpdateEnum metadata_update_behavior = 101; +} +message UpdateDefinitionValueEntitlementMappingResponse { + policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1; +} + +message DeleteDefinitionValueEntitlementMappingRequest { + // Required + string id = 1 [(buf.validate.field).string.uuid = true]; +} +message DeleteDefinitionValueEntitlementMappingResponse { + // Only ID of the deleted mapping provided + policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1; +} + service SubjectMappingService { // Find matching Subject Mappings for a given Subject rpc MatchSubjectMappings(MatchSubjectMappingsRequest) returns (MatchSubjectMappingsResponse) {} @@ -292,4 +444,14 @@ service SubjectMappingService { rpc DeleteSubjectConditionSet(DeleteSubjectConditionSetRequest) returns (DeleteSubjectConditionSetResponse) {} rpc DeleteAllUnmappedSubjectConditionSets(DeleteAllUnmappedSubjectConditionSetsRequest) returns (DeleteAllUnmappedSubjectConditionSetsResponse) {} + + rpc ListDefinitionValueEntitlementMappings(ListDefinitionValueEntitlementMappingsRequest) returns (ListDefinitionValueEntitlementMappingsResponse) { + option idempotency_level = NO_SIDE_EFFECTS; + } + rpc GetDefinitionValueEntitlementMapping(GetDefinitionValueEntitlementMappingRequest) returns (GetDefinitionValueEntitlementMappingResponse) { + option idempotency_level = NO_SIDE_EFFECTS; + } + rpc CreateDefinitionValueEntitlementMapping(CreateDefinitionValueEntitlementMappingRequest) returns (CreateDefinitionValueEntitlementMappingResponse) {} + rpc UpdateDefinitionValueEntitlementMapping(UpdateDefinitionValueEntitlementMappingRequest) returns (UpdateDefinitionValueEntitlementMappingResponse) {} + rpc DeleteDefinitionValueEntitlementMapping(DeleteDefinitionValueEntitlementMappingRequest) returns (DeleteDefinitionValueEntitlementMappingResponse) {} } From 0c32b890f929cddf80b6fda0bb2b63aa4c8c3c58 Mon Sep 17 00:00:00 2001 
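Review bot: The `optional_uuid_format` CEL rule added on `namespace_id`, `attribute_definition_id`, `existing_subject_condition_set_id` and `subject_condition_set_id` calls `this.matches('[0-9a-fA-F]{8}-…')` with no anchors, and CEL's `matches` is a search rather than a full-string match, so any value that merely contains a UUID passes validation. The `id` fields in the same hunk use `(buf.validate.field).string.uuid = true`, which checks the whole value, so the two kinds of identifier are validated to different strengths. Since these ids select the attribute definition and the SubjectConditionSet an entitlement mapping is bound to, I would anchor the pattern: `this.matches('^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$')`. The same expression is repeated in the List, Create and Update request messages of this hunk, so the change applies to each occurrence.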
From: Krish Suchak Date: Fri, 5 Jun 2026 17:21:04 -0400 Subject: [PATCH 7/8] refactor(policy): rename to DynamicValueMapping; dedicated service Rename the primitive from DefinitionValueEntitlementMapping to DynamicValueMapping (shorter, drops redundant 'Entitlement' per SubjectMapping/ResourceMapping convention, avoids overloading the authz 'entitlement' term). The upstream ADR #266 noted names are subject to change during implementation. Restore the dedicated service: DynamicValueMappingService in its own policy.dynamicvaluemapping package (un-folded from SubjectMappingService), with its own SDK client. DynamicValueResolver + DynamicValueOperatorEnum round out the type family. DB tables/queries/files renamed to dynamic_value_mapping(s). ADR 0005 updated with the rename note. NOTE: this adds a new protocol/go package, so per-module 'go mod tidy' will fail until protocol/go is released with it (intended; see the protocol-first split). Refs: DSPX-3498, DSPX-2754 
Signed-off-by: Krish Suchak --- docs/grpc/index.html | 6959 +++++++++-------- .../dynamic_value_mapping.openapi.yaml | 1454 ++++ docs/openapi/policy/objects.openapi.yaml | 40 +- .../subject_mapping.openapi.yaml | 458 -- .../dynamic_value_mapping.pb.go | 1312 ++++ .../dynamic_value_mapping_grpc.pb.go | 258 + .../dynamic_value_mapping.connect.go | 238 + protocol/go/policy/objects.pb.go | 1042 ++- .../subjectmapping/subject_mapping.pb.go | 1704 +--- .../subjectmapping/subject_mapping_grpc.pb.go | 209 +- .../subject_mapping.connect.go | 178 +- sdk/codegen/main.go | 4 + sdk/sdk.go | 74 +- sdk/sdkconnect/dynamicvaluemapping.go | 70 + sdk/sdkconnect/subjectmapping.go | 50 - service/authorization/v2/cache.go | 36 +- ...test.go => dynamic_value_mappings_test.go} | 77 +- service/internal/access/v2/helpers.go | 12 +- .../internal/access/v2/just_in_time_pdp.go | 6 +- service/internal/access/v2/pdp.go | 36 +- .../internal/access/v2/pdp_dynamic_test.go | 12 +- service/internal/access/v2/policy_store.go | 23 +- service/internal/access/v2/validators.go | 16 +- ...in.go => dynamic_value_mapping_builtin.go} | 20 +- ... 
=> dynamic_value_mapping_builtin_test.go} | 50 +- service/logger/audit/constants.go | 4 +- ...amic-attribute-value-entitlements-spike.md | 18 +- service/policy/db/attributes.go | 4 +- ..._mappings.go => dynamic_value_mappings.go} | 92 +- ...s.sql.go => dynamic_value_mappings.sql.go} | 158 +- ..._definition_value_entitlement_mappings.sql | 61 - ...60604000000_add_dynamic_value_mappings.sql | 61 + service/policy/db/models.go | 8 +- ...appings.sql => dynamic_value_mappings.sql} | 60 +- service/policy/db/subject_mappings.go | 2 +- service/policy/db/utils.go | 13 +- .../dynamic_value_mapping.go | 189 + .../dynamic_value_mapping.proto | 173 + service/policy/objects.proto | 10 +- service/policy/policy.go | 2 + .../policy/subjectmapping/subject_mapping.go | 120 - .../subjectmapping/subject_mapping.proto | 162 - 42 files changed, 8442 insertions(+), 7033 deletions(-) create mode 100644 docs/openapi/policy/dynamicvaluemapping/dynamic_value_mapping.openapi.yaml create mode 100644 protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping.pb.go create mode 100644 protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping_grpc.pb.go create mode 100644 protocol/go/policy/dynamicvaluemapping/dynamicvaluemappingconnect/dynamic_value_mapping.connect.go create mode 100644 sdk/sdkconnect/dynamicvaluemapping.go rename service/integration/{definition_value_entitlement_mappings_test.go => dynamic_value_mappings_test.go} (67%) rename service/internal/subjectmappingbuiltin/{definition_value_entitlement_builtin.go => dynamic_value_mapping_builtin.go} (85%) rename service/internal/subjectmappingbuiltin/{definition_value_entitlement_builtin_test.go => dynamic_value_mapping_builtin_test.go} (68%) rename service/policy/db/{definition_value_entitlement_mappings.go => dynamic_value_mappings.go} (67%) rename service/policy/db/{definition_value_entitlement_mappings.sql.go => dynamic_value_mappings.sql.go} (75%) delete mode 100644 
service/policy/db/migrations/20260604000000_add_definition_value_entitlement_mappings.sql create mode 100644 service/policy/db/migrations/20260604000000_add_dynamic_value_mappings.sql rename service/policy/db/queries/{definition_value_entitlement_mappings.sql => dynamic_value_mappings.sql} (79%) create mode 100644 service/policy/dynamicvaluemapping/dynamic_value_mapping.go create mode 100644 service/policy/dynamicvaluemapping/dynamic_value_mapping.proto diff --git a/docs/grpc/index.html b/docs/grpc/index.html index 69b44f5f3f..0dfdd58073 100644 --- a/docs/grpc/index.html +++ b/docs/grpc/index.html @@ -242,11 +242,11 @@

        Table of Contents

      • - MDefinitionValueEntitlementMapping + MDynamicValueMapping
      • - MDefinitionValueResolver + MDynamicValueResolver
      • @@ -1079,6 +1079,200 @@

        Table of Contents

      • +
      • + policy/subjectmapping/subject_mapping.proto + +
      • + + +
      • + policy/dynamicvaluemapping/dynamic_value_mapping.proto + +
      • + +
      • policy/kasregistry/key_access_server_registry.proto
      • Method NameRequest TypeResponse TypeDescription
        ListResourceMappingGroupsListResourceMappingGroupsRequestListResourceMappingGroupsResponseMatchSubjectMappingsMatchSubjectMappingsRequestMatchSubjectMappingsResponse

        Find matching Subject Mappings for a given Subject

        ListSubjectMappingsListSubjectMappingsRequestListSubjectMappingsResponse

        GetResourceMappingGroupGetResourceMappingGroupRequestGetResourceMappingGroupResponseGetSubjectMappingGetSubjectMappingRequestGetSubjectMappingResponse

        CreateResourceMappingGroupCreateResourceMappingGroupRequestCreateResourceMappingGroupResponseCreateSubjectMappingCreateSubjectMappingRequestCreateSubjectMappingResponse

        UpdateResourceMappingGroupUpdateResourceMappingGroupRequestUpdateResourceMappingGroupResponseUpdateSubjectMappingUpdateSubjectMappingRequestUpdateSubjectMappingResponse

        DeleteResourceMappingGroupDeleteResourceMappingGroupRequestDeleteResourceMappingGroupResponseDeleteSubjectMappingDeleteSubjectMappingRequestDeleteSubjectMappingResponse

        ListResourceMappingsListResourceMappingsRequestListResourceMappingsResponseListSubjectConditionSetsListSubjectConditionSetsRequestListSubjectConditionSetsResponse

        ListResourceMappingsByGroupFqnsListResourceMappingsByGroupFqnsRequestListResourceMappingsByGroupFqnsResponseGetSubjectConditionSetGetSubjectConditionSetRequestGetSubjectConditionSetResponse

        GetResourceMappingGetResourceMappingRequestGetResourceMappingResponseCreateSubjectConditionSetCreateSubjectConditionSetRequestCreateSubjectConditionSetResponse

        CreateResourceMappingCreateResourceMappingRequestCreateResourceMappingResponseUpdateSubjectConditionSetUpdateSubjectConditionSetRequestUpdateSubjectConditionSetResponse

        UpdateResourceMappingUpdateResourceMappingRequestUpdateResourceMappingResponseDeleteSubjectConditionSetDeleteSubjectConditionSetRequestDeleteSubjectConditionSetResponse

        DeleteResourceMappingDeleteResourceMappingRequestDeleteResourceMappingResponseDeleteAllUnmappedSubjectConditionSetsDeleteAllUnmappedSubjectConditionSetsRequestDeleteAllUnmappedSubjectConditionSetsResponse

        ListDefinitionValueEntitlementMappingsListDefinitionValueEntitlementMappingsRequestListDefinitionValueEntitlementMappingsResponse

        GetDefinitionValueEntitlementMappingGetDefinitionValueEntitlementMappingRequestGetDefinitionValueEntitlementMappingResponse

        CreateDefinitionValueEntitlementMappingCreateDefinitionValueEntitlementMappingRequestCreateDefinitionValueEntitlementMappingResponse

        UpdateDefinitionValueEntitlementMappingUpdateDefinitionValueEntitlementMappingRequestUpdateDefinitionValueEntitlementMappingResponse

        DeleteDefinitionValueEntitlementMappingDeleteDefinitionValueEntitlementMappingRequestDeleteDefinitionValueEntitlementMappingResponse

        ListResourceMappingGroupsListSubjectMappings

        NO_SIDE_EFFECTS

        GetResourceMappingGroupGetSubjectMapping

        NO_SIDE_EFFECTS

        ListResourceMappingsListSubjectConditionSets

        NO_SIDE_EFFECTS

        ListResourceMappingsByGroupFqnsGetSubjectConditionSet

        NO_SIDE_EFFECTS

        GetResourceMappingListDefinitionValueEntitlementMappings

        NO_SIDE_EFFECTS

        GetDefinitionValueEntitlementMapping

        NO_SIDE_EFFECTS

        @@ -2794,7 +2809,7 @@

        DefinitionValueEntitlementMapp

        - + @@ -2836,8 +2851,8 @@

        DefinitionValueEntitlementMapp -

        DefinitionValueResolver

        -

        Definition Value Resolver: the dynamic half of a DefinitionValueEntitlementMapping. It

        resolves a selector against the entity representation and compares the result to the

        requested resource value segment using a DynamicValueOperatorEnum.

        +

        DynamicValueResolver

        +

        Definition Value Resolver: the dynamic half of a DynamicValueMapping. It

        resolves a selector against the entity representation and compares the result to the

        requested resource value segment using a DynamicValueOperatorEnum.

        value_resolverDefinitionValueResolverDynamicValueResolver

        the dynamic resolver matched against the requested resource value segment

        @@ -9736,12 +9751,12 @@

        Methods with idempotency_level option

        -

        policy/kasregistry/key_access_server_registry.proto

        Top +

        policy/subjectmapping/subject_mapping.proto

        Top

        -

        ActivatePublicKeyRequest

        +

        CreateSubjectConditionSetRequest

        @@ -9752,7 +9767,21 @@

        ActivatePublicKeyRequest

        - + + + + + + + + + + + + + + + @@ -9765,7 +9794,7 @@

        ActivatePublicKeyRequestActivatePublicKeyResponse

        +

        CreateSubjectConditionSetResponse

        @@ -9776,8 +9805,8 @@

        ActivatePublicKeyResponse<

        - - + + @@ -9789,8 +9818,8 @@

        ActivatePublicKeyResponse< -

        ChangeMappings

        -

        Simplified information about the resources that were rotated as part of the key rotation process.

        +

        CreateSubjectMappingRequest

        +

        idsubject_condition_setSubjectConditionSetCreate

        namespace_idstring

        namespace_fqn string

        keypolicy.Keysubject_condition_setpolicy.SubjectConditionSet

        @@ -9800,69 +9829,56 @@

        ChangeMappings

        - + - + - - - - + + + + - -
        idattribute_value_id string

        Required +Attribute Value to be mapped to

        fqnstring

        actionspolicy.Actionrepeated

        Required +The actions permitted by subjects in this mapping

        - - - - - -

        CreateKeyAccessServerRequest

        -

        - - - - - - - - - + - + - - + + - + - - + + - + - + - + - + @@ -9872,7 +9888,7 @@

        CreateKeyAccessServerRe -

        CreateKeyAccessServerResponse

        +

        CreateSubjectMappingResponse

        @@ -9883,8 +9899,8 @@

        CreateKeyAccessServerR

        - - + + @@ -9896,106 +9912,15 @@

        CreateKeyAccessServerR -

        CreateKeyRequest

        -

        Create a new asymmetric key for the specified Key Access Server (KAS)

        +

        DeleteAllUnmappedSubjectConditionSetsRequest

        +

        Prune any Subject Condition Sets not utilized within a Subject Mapping

        -
        FieldTypeLabelDescription
        uriexisting_subject_condition_set_id string

        Required

        Either of the following: +Reuse existing SubjectConditionSet (NOTE: prioritized over new_subject_condition_set)

        public_keypolicy.PublicKeynew_subject_condition_setSubjectConditionSetCreate

        Deprecated

        Create new SubjectConditionSet (NOTE: ignored if existing_subject_condition_set_id is provided)

        source_typepolicy.SourceTypenamespace_idstring

        Optional

        Optional +Namespace ID or FQN for the subject mapping

        namenamespace_fqn string

        Optional

        metadata common.MetadataMutable

        Common metadata

        Optional

        key_access_serverpolicy.KeyAccessServersubject_mappingpolicy.SubjectMapping

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        kas_idstring

        Required - -The unique identifier of the Key Access Server

        key_idstring

        Required - -A user-defined identifier for the key

        key_algorithmpolicy.Algorithm

        Required - -The algorithm to be used for the key

        key_modepolicy.KeyMode

        Required - -The mode of the key (e.g., local or external)

        public_key_ctxpolicy.PublicKeyCtx

        Required - -Context or additional data specific to the public key, based on the key provider implementation

        private_key_ctxpolicy.PrivateKeyCtx

        Conditionally Required - -Context or additional data specific to the private key, based on the key provider implementation

        provider_config_idstring

        Optional - -Configuration ID for the key provider, if applicable

        legacybool

        Optional - -Whether the key is a legacy key

        metadatacommon.MetadataMutable

        Common metadata - -Mutable metadata for the key

        - - -

        CreateKeyResponse

        -

        Response to a CreateKeyRequest, containing the created asymmetric key

        +

        DeleteAllUnmappedSubjectConditionSetsResponse

        +

        @@ -10005,10 +9930,10 @@

        CreateKeyResponse

        - - - - + + + + @@ -10018,7 +9943,7 @@

        CreateKeyResponse

        -

        CreatePublicKeyRequest

        +

        DeleteSubjectConditionSetRequest

        @@ -10029,26 +9954,12 @@

        CreatePublicKeyRequest

        - + - - - - - - - - - - - - - -
        kas_keypolicy.KasKey

        The created asymmetric key for a KAS.

        subject_condition_setspolicy.SubjectConditionSetrepeated

        Only IDs of any deleted Subject Condition Set provided

        kas_idid string

        Required

        keypolicy.KasPublicKey

        Required

        metadatacommon.MetadataMutable

        Common metadata

        @@ -10056,7 +9967,7 @@

        CreatePublicKeyRequest

        -

        CreatePublicKeyResponse

        +

        DeleteSubjectConditionSetResponse

        @@ -10067,10 +9978,10 @@

        CreatePublicKeyResponse

        - key - policy.Key + subject_condition_set + policy.SubjectConditionSet -

        +

        Only ID of deleted Subject Condition Set provided

        @@ -10080,7 +9991,7 @@

        CreatePublicKeyResponse

        -

        DeactivatePublicKeyRequest

        +

        DeleteSubjectMappingRequest

        @@ -10094,7 +10005,7 @@

        DeactivatePublicKeyReques id string -

        +

        Required

        @@ -10104,7 +10015,7 @@

        DeactivatePublicKeyReques -

        DeactivatePublicKeyResponse

        +

        DeleteSubjectMappingResponse

        @@ -10115,10 +10026,10 @@

        DeactivatePublicKeyRespo - key - policy.Key + subject_mapping + policy.SubjectMapping -

        +

        Only ID of the updated Subject Mapping provided

        @@ -10128,7 +10039,7 @@

        DeactivatePublicKeyRespo -

        DeleteKeyAccessServerRequest

        +

        GetSubjectConditionSetRequest

        @@ -10152,7 +10063,7 @@

        DeleteKeyAccessServerRe -

        DeleteKeyAccessServerResponse

        +

        GetSubjectConditionSetResponse

        @@ -10163,12 +10074,19 @@

        DeleteKeyAccessServerR - key_access_server - policy.KeyAccessServer + subject_condition_set + policy.SubjectConditionSet

        + + associated_subject_mappings + policy.SubjectMapping + repeated +

        contextualized Subject Mappings associated with this SubjectConditionSet

        + + @@ -10176,14 +10094,31 @@

        DeleteKeyAccessServerR -

        GetBaseKeyRequest

        +

        GetSubjectMappingRequest

        + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        idstring

        Required

        + + -

        GetBaseKeyResponse

        +

        GetSubjectMappingResponse

        @@ -10194,10 +10129,10 @@

        GetBaseKeyResponse

        - base_key - policy.SimpleKasKey + subject_mapping + policy.SubjectMapping -

        The current base key

        +

        @@ -10207,7 +10142,7 @@

        GetBaseKeyResponse

        -

        GetKeyAccessServerRequest

        +

        ListSubjectConditionSetsRequest

        @@ -10218,62 +10153,45 @@

        GetKeyAccessServerRequest< - id + namespace_id string -

        Deprecated. Deprecated

        +

        - kas_id + namespace_fqn string -

        option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field

        +

        - name - string + pagination + policy.PageRequest -

        +

        Optional

        - uri - string - -

        + sort + SubjectConditionSetsSort + repeated +

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        - - -

        Fields with deprecated option

        - - - - - - - - - - - - - - - -
        NameOption
        id

        true

        - - -

        GetKeyAccessServerResponse

        +

        ListSubjectConditionSetsResponse

        @@ -10284,8 +10202,15 @@

        GetKeyAccessServerRespons - key_access_server - policy.KeyAccessServer + subject_condition_sets + policy.SubjectConditionSet + repeated +

        + + + + pagination + policy.PageResponse

        @@ -10297,8 +10222,8 @@

        GetKeyAccessServerRespons -

        GetKeyRequest

        -

        Retrieve an existing asymmetric key from the Key Management System

        +

        ListSubjectMappingsRequest

        +

        @@ -10308,28 +10233,46 @@

        GetKeyRequest

        - + - + - - + + - + + + + + + + + + + + + + + +
        idnamespace_id string

        The unique identifier of the key to retrieve

        keyKasKeyIdentifiernamespace_fqnstring

        paginationpolicy.PageRequest

        Optional

        sortSubjectMappingsSortrepeated

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        -

        GetKeyResponse

        -

        Response to a GetKeyRequest, containing the requested asymmetric key

        +

        ListSubjectMappingsResponse

        +

        @@ -10339,10 +10282,17 @@

        GetKeyResponse

        - - + + + + + + + + + - + @@ -10352,8 +10302,8 @@

        GetKeyResponse

        -

        GetPublicKeyRequest

        -

        +

        MatchSubjectMappingsRequest

        +

        MatchSubjectMappingsRequest liberally returns a list of SubjectMappings based on the provided SubjectProperties.

        The SubjectMappings are returned if an external selector field matches.

        kas_keypolicy.KasKeysubject_mappingspolicy.SubjectMappingrepeated

        paginationpolicy.PageResponse

        The requested asymmetric key for a KAS.

        @@ -10363,9 +10313,9 @@

        GetPublicKeyRequest

        - - - + + + @@ -10376,7 +10326,7 @@

        GetPublicKeyRequest

        -

        GetPublicKeyResponse

        +

        MatchSubjectMappingsResponse

        @@ -10387,9 +10337,9 @@

        GetPublicKeyResponse

        - - - + + + @@ -10400,8 +10350,8 @@

        GetPublicKeyResponse

        -

        GrantedPolicyObject

        -

        Can be namespace, attribute definition, or value

        +

        SubjectConditionSetCreate

        +

        idstringsubject_propertiespolicy.SubjectPropertyrepeated

        keypolicy.Keysubject_mappingspolicy.SubjectMappingrepeated

        @@ -10411,17 +10361,18 @@

        GrantedPolicyObject

        - - - - + + + + - - + + - + @@ -10431,8 +10382,8 @@

        GrantedPolicyObject

        -

        KasKeyIdentifier

        -

        Nested message for specifying the active key using KAS ID and Key ID

        +

        SubjectConditionSetsSort

        +

        idstring

        subject_setspolicy.SubjectSetrepeated

        Required

        fqnstringmetadatacommon.MetadataMutable

        Optional +Common metadata

        @@ -10442,33 +10393,19 @@

        KasKeyIdentifier

        - - - - - - - - - + + - - + + - - - - - - -
        kas_idstring

        namestringfieldSortSubjectConditionSetsType

        uristringdirectionpolicy.SortDirection

        kidstring

        Required Key ID of the key in question

        @@ -10476,7 +10413,7 @@

        KasKeyIdentifier

        -

        KasKeysSort

        +

        SubjectMappingsSort

        @@ -10488,7 +10425,7 @@

        KasKeysSort

        field - SortKasKeysType + SortSubjectMappingsType

        @@ -10507,8 +10444,8 @@

        KasKeysSort

        -

        KeyAccessServerGrants

        -

        Deprecated

        +

        UpdateSubjectConditionSetRequest

        +

        @@ -10518,30 +10455,31 @@

        KeyAccessServerGrants

        - - + + - + - - + + - + - - - - + + + + - - - + + + @@ -10552,7 +10490,7 @@

        KeyAccessServerGrants

        -

        KeyAccessServersSort

        +

        UpdateSubjectConditionSetResponse

        @@ -10563,17 +10501,10 @@

        KeyAccessServersSort

        - - - - - - - - - + + - + @@ -10583,7 +10514,7 @@

        KeyAccessServersSort

        -

        KeyMapping

        +

        UpdateSubjectMappingRequest

        @@ -10594,38 +10525,40 @@

        KeyMapping

        - + - + - + - + - - + + - + - - - - + + + + - - - - + + + + @@ -10635,8 +10568,8 @@

        KeyMapping

        -

        ListKeyAccessServerGrantsRequest

        -

        LIST of KAS Grants returns flat response of grants to all policy objects. It

        does not employ selectors for grants to specific policy objects or build the

        attribute tree relation. If grants to a known namespace, attribute, or value

        are needed, use the respective GET request to the specific policy object.

        +

        UpdateSubjectMappingResponse

        +

        key_access_serverpolicy.KeyAccessServeridstring

        Required

        namespace_grantsGrantedPolicyObjectsubject_setspolicy.SubjectSet repeated

        Optional +If provided, replaces entire existing structure of Subject Sets, Condition Groups, & Conditions

        attribute_grantsGrantedPolicyObjectrepeated

        metadatacommon.MetadataMutable

        Common metadata

        value_grantsGrantedPolicyObjectrepeatedmetadata_update_behaviorcommon.MetadataUpdateEnum

        fieldSortKeyAccessServersType

        directionpolicy.SortDirectionsubject_condition_setpolicy.SubjectConditionSet

        Only ID of updated Subject Condition Set provided

        kidid string

        Required

        kas_urisubject_condition_set_id string

        Optional +Replaces the existing SubjectConditionSet id with a new one

        namespace_mappingsMappedPolicyObjectactionspolicy.Action repeated

        List of namespaces mapped to the key

        Optional +Replaces entire list of actions permitted by subjects

        attribute_mappingsMappedPolicyObjectrepeated

        List of attribute definitions mapped to the key

        metadatacommon.MetadataMutable

        Common metadata

        value_mappingsMappedPolicyObjectrepeated

        List of attribute values mapped to the key

        metadata_update_behaviorcommon.MetadataUpdateEnum

        @@ -10646,40 +10579,10 @@

        ListKeyAccessServer

        - - - - - - - - - - - - - - - - - - - - - - - + + - + @@ -10689,59 +10592,394 @@

        ListKeyAccessServer -

        ListKeyAccessServerGrantsResponse

        -

        Deprecated

        - - -
        kas_idstring

        Optional -Filter LIST by ID of a registered Key Access Server. -If neither is provided, grants from all registered KASs to policy attribute -objects are returned.

        kas_uristring

        Optional -Filter LIST by URI of a registered Key Access Server. -If none is provided, grants from all registered KASs to policy attribute -objects are returned.

        kas_namestring

        Optional -Filter LIST by name of a registered Key Access Server. -If none are provided, grants from all registered KASs to policy attribute -objects are returned.

        paginationpolicy.PageRequestsubject_mappingpolicy.SubjectMapping

        Optional

        Only ID of the updated Subject Mapping provided

        - - - - - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        grantsKeyAccessServerGrantsrepeated

        Deprecated.

        paginationpolicy.PageResponse

        - - - -

        Fields with deprecated option

        - - - - - + +

        SortSubjectConditionSetsType

        +

        +
        NameOption
        + + + + + + + + + + + + + + + + + + + + + + + + +
        NameNumberDescription
        SORT_SUBJECT_CONDITION_SETS_TYPE_UNSPECIFIED0

        SORT_SUBJECT_CONDITION_SETS_TYPE_CREATED_AT1

        SORT_SUBJECT_CONDITION_SETS_TYPE_UPDATED_AT2

        + +

        SortSubjectMappingsType

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + +
        NameNumberDescription
        SORT_SUBJECT_MAPPINGS_TYPE_UNSPECIFIED0

        SORT_SUBJECT_MAPPINGS_TYPE_CREATED_AT1

        SORT_SUBJECT_MAPPINGS_TYPE_UPDATED_AT2

        + + + + + +

        SubjectMappingService

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameRequest TypeResponse TypeDescription
        MatchSubjectMappingsMatchSubjectMappingsRequestMatchSubjectMappingsResponse

        Find matching Subject Mappings for a given Subject

        ListSubjectMappingsListSubjectMappingsRequestListSubjectMappingsResponse

        GetSubjectMappingGetSubjectMappingRequestGetSubjectMappingResponse

        CreateSubjectMappingCreateSubjectMappingRequestCreateSubjectMappingResponse

        UpdateSubjectMappingUpdateSubjectMappingRequestUpdateSubjectMappingResponse

        DeleteSubjectMappingDeleteSubjectMappingRequestDeleteSubjectMappingResponse

        ListSubjectConditionSetsListSubjectConditionSetsRequestListSubjectConditionSetsResponse

        GetSubjectConditionSetGetSubjectConditionSetRequestGetSubjectConditionSetResponse

        CreateSubjectConditionSetCreateSubjectConditionSetRequestCreateSubjectConditionSetResponse

        UpdateSubjectConditionSetUpdateSubjectConditionSetRequestUpdateSubjectConditionSetResponse

        DeleteSubjectConditionSetDeleteSubjectConditionSetRequestDeleteSubjectConditionSetResponse

        DeleteAllUnmappedSubjectConditionSetsDeleteAllUnmappedSubjectConditionSetsRequestDeleteAllUnmappedSubjectConditionSetsResponse

        + + + + +

        Methods with idempotency_level option

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameOption
        ListSubjectMappings

        NO_SIDE_EFFECTS

        GetSubjectMapping

        NO_SIDE_EFFECTS

        ListSubjectConditionSets

        NO_SIDE_EFFECTS

        GetSubjectConditionSet

        NO_SIDE_EFFECTS

        + + + + +
        +

        policy/dynamicvaluemapping/dynamic_value_mapping.proto

        Top +
        +

        + + +

        CreateDynamicValueMappingRequest

        +

        + + + + + + + + + + + + + - - - - + + + + - -
        FieldTypeLabelDescription
        attribute_definition_idstring

        grants

        true

        attribute_definition_fqnstring

        - + + value_resolver + policy.DynamicValueResolver + +

        Required: the dynamic resolver comparing entity selector result to the resource value segment

        + + + + actions + policy.Action + repeated +

        Required: actions permitted on a matched value

        + + + + existing_subject_condition_set_id + string + +

        Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ...

        + + + + new_subject_condition_set + policy.subjectmapping.SubjectConditionSetCreate + +

        ... or create a new one (ignored if existing_subject_condition_set_id is provided)

        + + + + namespace_id + string + +

        Optional: namespace ID or FQN for the mapping

        + + + + namespace_fqn + string + +

        + + + + metadata + common.MetadataMutable + +

        Optional

        + + + + + -

        ListKeyAccessServersRequest

        +

        CreateDynamicValueMappingResponse

        +

        + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        dynamic_value_mappingpolicy.DynamicValueMapping

        + + + + + +

        DeleteDynamicValueMappingRequest

        +

        + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        idstring

        Required

        + + + + + +

        DeleteDynamicValueMappingResponse

        +

        + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        dynamic_value_mappingpolicy.DynamicValueMapping

        Only ID of the deleted mapping provided

        + + + + + +

        DynamicValueMappingsSort

        +

        + + + + + + + + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        fieldSortDynamicValueMappingsType

        directionpolicy.SortDirection

        + + + + + +

        GetDynamicValueMappingRequest

        @@ -10751,6 +10989,69 @@

        ListKeyAccessServersRequ + + id + string + +

        Required

        + + + + + + + + + +

        GetDynamicValueMappingResponse

        +

        + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        dynamic_value_mappingpolicy.DynamicValueMapping

        + + + + + +

        ListDynamicValueMappingsRequest

        +

        + + + + + + + + + + + + + + + + + + + + + + @@ -10760,13 +11061,9 @@

        ListKeyAccessServersRequ

        - + - + @@ -10776,7 +11073,7 @@

        ListKeyAccessServersRequ -

        ListKeyAccessServersResponse

        +

        ListDynamicValueMappingsResponse

        @@ -10787,8 +11084,8 @@

        ListKeyAccessServersRes

        - - + + @@ -10807,7 +11104,7 @@

        ListKeyAccessServersRes -

        ListKeyMappingsRequest

        +

        UpdateDynamicValueMappingRequest

        @@ -10821,21 +11118,42 @@

        ListKeyMappingsRequest

        - + - - + + - + - - + + - + + + + + + + + + + + + + + + + + + + + + + @@ -10845,7 +11163,7 @@

        ListKeyMappingsRequest

        -

        ListKeyMappingsResponse

        +

        UpdateDynamicValueMappingResponse

        @@ -10856,17 +11174,150 @@

        ListKeyMappingsResponse

        - - - - + + + + + +
        FieldTypeLabelDescription
        namespace_idstring

        Optional +Namespace ID, or Attribute Definition ID to filter by

        attribute_definition_idstring

        pagination policy.PageRequest
        sortKeyAccessServersSortDynamicValueMappingsSort repeated

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        Optional - CONSTRAINT: max 1 item

        key_access_serverspolicy.KeyAccessServerdynamic_value_mappingspolicy.DynamicValueMapping repeated

        id string

        The unique identifier of the key to retrieve

        Required

        keyKasKeyIdentifiervalue_resolverpolicy.DynamicValueResolver

        Optional: replace the dynamic resolver

        paginationpolicy.PageRequestsubject_condition_set_idstring

        Pagination request for the list of keys

        Optional: replace the static pre-gate SubjectConditionSet by id

        actionspolicy.Actionrepeated

        Optional: replace the entire list of actions

        metadatacommon.MetadataMutable

        Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnum

        key_mappingsKeyMappingrepeated

        The list of key mappings

        dynamic_value_mappingpolicy.DynamicValueMapping

        + + + + + + + +

        SortDynamicValueMappingsType

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + +
        NameNumberDescription
        SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UNSPECIFIED0

        SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_CREATED_AT1

        SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UPDATED_AT2

        + + + + + +

        DynamicValueMappingService

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameRequest TypeResponse TypeDescription
        ListDynamicValueMappingsListDynamicValueMappingsRequestListDynamicValueMappingsResponse

        GetDynamicValueMappingGetDynamicValueMappingRequestGetDynamicValueMappingResponse

        CreateDynamicValueMappingCreateDynamicValueMappingRequestCreateDynamicValueMappingResponse

        UpdateDynamicValueMappingUpdateDynamicValueMappingRequestUpdateDynamicValueMappingResponse

        DeleteDynamicValueMappingDeleteDynamicValueMappingRequestDeleteDynamicValueMappingResponse

        + + + + +

        Methods with idempotency_level option

        + + + + + + + + + + + + + + + + + + + + +
        Method NameOption
        ListDynamicValueMappings

        NO_SIDE_EFFECTS

        GetDynamicValueMapping

        NO_SIDE_EFFECTS

        + + + + +
        +

        policy/kasregistry/key_access_server_registry.proto

        Top +
        +

        + + +

        ActivatePublicKeyRequest

        +

        + + + + + + + + - - + + - + @@ -10876,8 +11327,8 @@

        ListKeyMappingsResponse

        -

        ListKeysRequest

        -

        List all asymmetric keys managed by a specific Key Access Server or with a given algorithm

        +

        ActivatePublicKeyResponse

        +

        FieldTypeLabelDescription
        paginationpolicy.PageResponseidstring

        Pagination response for the list of keys

        @@ -10887,60 +11338,93 @@

        ListKeysRequest

        - - + + - + + +
        key_algorithmpolicy.Algorithmkeypolicy.Key

        Filter keys by algorithm

        + + + + + +

        ChangeMappings

        +

        Simplified information about the resources that were rotated as part of the key rotation process.

        + + + + + + + + - + - + - + - + + +
        FieldTypeLabelDescription
        kas_idid string

        Filter keys by the KAS ID

        kas_namefqn string

        Filter keys by the KAS name

        + + + + + +

        CreateKeyAccessServerRequest

        +

        + + + + + + + + - + - + - - - - + + + + - - + + - + + + + + + + + - - - - + + + + @@ -10950,8 +11434,8 @@

        ListKeysRequest

        -

        ListKeysResponse

        -

        Response to a ListKeysRequest, containing the list of asymmetric keys and pagination information

        +

        CreateKeyAccessServerResponse

        +

        FieldTypeLabelDescription
        kas_uriuri string

        Filter keys by the KAS URI

        Required

        legacybooloptional

        Optional - -Filter for legacy keys

        public_keypolicy.PublicKey

        Deprecated

        paginationpolicy.PageRequestsource_typepolicy.SourceType

        Optional - -Pagination request for the list of keys

        Optional

        namestring

        Optional

        sortKasKeysSortrepeated

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        metadatacommon.MetadataMutable

        Common metadata

        @@ -10961,17 +11445,10 @@

        ListKeysResponse

        - - - - - - - - - + + - + @@ -10981,8 +11458,8 @@

        ListKeysResponse

        -

        ListPublicKeyMappingRequest

        -

        +

        CreateKeyRequest

        +

        Create a new asymmetric key for the specified Key Access Server (KAS)

        kas_keyspolicy.KasKeyrepeated

        The list of kas keys

        paginationpolicy.PageResponsekey_access_serverpolicy.KeyAccessServer

        Pagination response for the list of keys

        @@ -10995,35 +11472,81 @@

        ListPublicKeyMappingRequ

        - + - + - + - - + + - + - + + + + + + + + + + + + + + + + + + + + + + - + - - + + - + + + + + + + + @@ -11033,8 +11556,8 @@

        ListPublicKeyMappingRequ -

        ListPublicKeyMappingResponse

        -

        +

        CreateKeyResponse

        +

        Response to a CreateKeyRequest, containing the created asymmetric key

        kas_id string

        Optional

        Required + +The unique identifier of the Key Access Server

        kas_namekey_id string

        Optional

        Required + +A user-defined identifier for the key

        kas_uristringkey_algorithmpolicy.Algorithm

        Optional

        Required + +The algorithm to be used for the key

        public_key_idkey_modepolicy.KeyMode

        Required + +The mode of the key (e.g., local or external)

        public_key_ctxpolicy.PublicKeyCtx

        Required + +Context or additional data specific to the public key, based on the key provider implementation

        private_key_ctxpolicy.PrivateKeyCtx

        Conditionally Required + +Context or additional data specific to the private key, based on the key provider implementation

        provider_config_id string

        Optional Public Key ID

        Optional + +Configuration ID for the key provider, if applicable

        paginationpolicy.PageRequestlegacybool

        Optional

        Optional + +Whether the key is a legacy key

        metadatacommon.MetadataMutable

        Common metadata + +Mutable metadata for the key

        @@ -11044,17 +11567,10 @@

        ListPublicKeyMappingRes

        - - - - - - - - - + + - + @@ -11064,7 +11580,7 @@

        ListPublicKeyMappingRes -

        ListPublicKeyMappingResponse.Association

        +

        CreatePublicKeyRequest

        @@ -11075,17 +11591,24 @@

        ListPublicK

        - + - + - - + + - + + + + + + + + @@ -11095,7 +11618,7 @@

        ListPublicK -

        ListPublicKeyMappingResponse.PublicKey

        +

        CreatePublicKeyResponse

        @@ -11112,27 +11635,6 @@

        ListPublicKey

        - - - - - - - - - - - - - - - - - - - - -
        public_key_mappingsListPublicKeyMappingResponse.PublicKeyMappingrepeated

        paginationpolicy.PageResponsekas_keypolicy.KasKey

        The created asymmetric key for a KAS.

        idkas_id string

        Required

        fqnstringkeypolicy.KasPublicKey

        Required

        metadatacommon.MetadataMutable

        Common metadata

        valuesListPublicKeyMappingResponse.Associationrepeated

        definitionsListPublicKeyMappingResponse.Associationrepeated

        namespacesListPublicKeyMappingResponse.Associationrepeated

        @@ -11140,7 +11642,7 @@

        ListPublicKey -

        ListPublicKeyMappingResponse.PublicKeyMapping

        +

        DeactivatePublicKeyRequest

        @@ -11151,33 +11653,12 @@

        ListPu - kas_id - string - -

        - - - - kas_name - string - -

        - - - - kas_uri + id string

        - - public_keys - ListPublicKeyMappingResponse.PublicKey - repeated -

        - - @@ -11185,7 +11666,7 @@

        ListPu -

        ListPublicKeysRequest

        +

        DeactivatePublicKeyResponse

        @@ -11196,31 +11677,10 @@

        ListPublicKeysRequest

        - kas_id - string - -

        Optional

        - - - - kas_name - string - -

        Optional

        - - - - kas_uri - string - -

        Optional

        - - - - pagination - policy.PageRequest + key + policy.Key -

        Optional

        +

        @@ -11230,7 +11690,7 @@

        ListPublicKeysRequest

        -

        ListPublicKeysResponse

        +

        DeleteKeyAccessServerRequest

        @@ -11241,17 +11701,10 @@

        ListPublicKeysResponse

        - keys - policy.Key - repeated -

        - - - - pagination - policy.PageResponse + id + string -

        +

        Required

        @@ -11261,7 +11714,7 @@

        ListPublicKeysResponse

        -

        MappedPolicyObject

        +

        DeleteKeyAccessServerResponse

        @@ -11272,17 +11725,10 @@

        MappedPolicyObject

        - id - string - -

        The unique identifier of the policy object

        - - - - fqn - string + key_access_server + policy.KeyAccessServer -

        The fully qualified name of the policy object

        +

        @@ -11292,7 +11738,14 @@

        MappedPolicyObject

        -

        RotateKeyRequest

        +

        GetBaseKeyRequest

        +

        + + + + + +

        GetBaseKeyResponse

        @@ -11303,24 +11756,10 @@

        RotateKeyRequest

        - id - string - -

        Current Active Key UUID

        - - - - key - KasKeyIdentifier - -

        Alternative way to specify the active key using KAS ID and Key ID

        - - - - new_key - RotateKeyRequest.NewKey + base_key + policy.SimpleKasKey -

        Information about the new key to be rotated in

        +

        The current base key

        @@ -11330,8 +11769,8 @@

        RotateKeyRequest

        -

        RotateKeyRequest.NewKey

        -

        Nested message for specifying the new key details

        +

        GetKeyAccessServerRequest

        +

        @@ -11341,96 +11780,63 @@

        RotateKeyRequest.NewKey

        - + - - - - - - - - - - - - - - - - - - - - - - + - - + + - + - + - + - - + + - +
        key_idid string

        Required

        algorithmpolicy.Algorithm

        Required

        key_modepolicy.KeyMode

        Required

        public_key_ctxpolicy.PublicKeyCtx

        Required

        Deprecated. Deprecated

        private_key_ctxpolicy.PrivateKeyCtxkas_idstring

        Required

        option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field

        provider_config_idname string

        Conditionally Required. - -Validation handled by message-level CEL

        metadatacommon.MetadataMutableuristring

        Common metadata fields

        - - - -

        RotateKeyResponse

        -

        Response message for the RotateKey request

        - - - - - - - - + + +

        Fields with deprecated option

        +
        FieldTypeLabelDescription
        + - - - - + + + + - - - - + + - -
        kas_keypolicy.KasKey

        The newly rotated Kas Key

        NameOption
        rotated_resourcesRotatedResources

        All resources that were rotated as part of the key rotation process

        id

        true

        - + + + -

        RotatedResources

        -

        All resources that were rotated as part of the key rotation process

        +

        GetKeyAccessServerResponse

        +

        @@ -11440,30 +11846,9 @@

        RotatedResources

        - - + + - - - - - - - - - - - - - - - - - - - - - @@ -11474,8 +11859,8 @@

        RotatedResources

        -

        SetBaseKeyRequest

        -

        Sets the specified key as the base key for the Key Access Server

        Note: The key must be active.

        +

        GetKeyRequest

        +

        Retrieve an existing asymmetric key from the Key Management System

        rotated_out_keypolicy.KasKeykey_access_serverpolicy.KeyAccessServer

        The old key that was rotated out

        attribute_definition_mappingsChangeMappingsrepeated

        attribute_value_mappingsChangeMappingsrepeated

        namespace_mappingsChangeMappingsrepeated

        @@ -11488,14 +11873,14 @@

        SetBaseKeyRequest

        - + - + @@ -11505,8 +11890,8 @@

        SetBaseKeyRequest

        -

        SetBaseKeyResponse

        -

        +

        GetKeyResponse

        +

        Response to a GetKeyRequest, containing the requested asymmetric key

        id string

        Current Key UUID tp be set as default

        The unique identifier of the key to retrieve

        key KasKeyIdentifier

        Alternative way to specify the key using KAS ID and Key ID

        @@ -11516,17 +11901,10 @@

        SetBaseKeyResponse

        - - - - - - - - - + + - + @@ -11536,7 +11914,7 @@

        SetBaseKeyResponse

        -

        UpdateKeyAccessServerRequest

        +

        GetPublicKeyRequest

        @@ -11550,54 +11928,6 @@

        UpdateKeyAccessServerRe

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -11608,7 +11938,7 @@

        UpdateKeyAccessServerRe -

        UpdateKeyAccessServerResponse

        +

        GetPublicKeyResponse

        @@ -11619,8 +11949,8 @@

        UpdateKeyAccessServerR

        - - + + @@ -11632,8 +11962,8 @@

        UpdateKeyAccessServerR -

        UpdateKeyRequest

        -

        Update an existing asymmetric key in the Key Management System

        +

        GrantedPolicyObject

        +

        Can be namespace, attribute definition, or value

        new_base_keypolicy.SimpleKasKey

        The key that was set as base

        previous_base_keypolicy.SimpleKasKeykas_keypolicy.KasKey

        The previous base key, if any

        The requested asymmetric key for a KAS.

        id string

        Required

        uristring

        Optional

        public_keypolicy.PublicKey

        Deprecated -Optional

        source_typepolicy.SourceType

        Optional -Using UNSPECIFIED will result in a successful update, -but will not actually update the underlying source. -You should not update KAS's from INTERNAL/EXTERNAL -to unspecified.

        namestring

        Optional

        metadatacommon.MetadataMutable

        Optional -Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnum

        key_access_serverpolicy.KeyAccessServerkeypolicy.Key

        @@ -11646,26 +11976,14 @@

        UpdateKeyRequest

        - - - - - - - - + - - + + - + @@ -11675,8 +11993,8 @@

        UpdateKeyRequest

        -

        UpdateKeyResponse

        -

        Response to an UpdateKeyRequest, containing the updated asymmetric key

        +

        KasKeyIdentifier

        +

        Nested message for specifying the active key using KAS ID and Key ID

        id string

        Required - -The unique identifier of the key to update

        metadatacommon.MetadataMutable

        Optional -Common metadata - -Mutable metadata for the key

        metadata_update_behaviorcommon.MetadataUpdateEnumfqnstring

        The behavior for updating the metadata

        @@ -11686,10 +12004,31 @@

        UpdateKeyResponse

        - - + + + + + + + + + + + + + + + + - + + + + + + + + @@ -11699,7 +12038,7 @@

        UpdateKeyResponse

        -

        UpdatePublicKeyRequest

        +

        KasKeysSort

        @@ -11710,23 +12049,15 @@

        UpdatePublicKeyRequest

        - - - - - - - - - + + - + - - + + @@ -11738,8 +12069,8 @@

        UpdatePublicKeyRequest

        -

        UpdatePublicKeyResponse

        -

        +

        KeyAccessServerGrants

        +

        Deprecated

        kas_keypolicy.KasKeykas_idstring

        namestring

        uristring

        The updated kas key

        kidstring

        Required Key ID of the key in question

        idstring

        Required

        metadatacommon.MetadataMutablefieldSortKasKeysType

        Optional -Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnumdirectionpolicy.SortDirection

        @@ -11749,274 +12080,125 @@

        UpdatePublicKeyResponse

        - - + + - -
        keypolicy.Keykey_access_serverpolicy.KeyAccessServer

        - - - - - - - -

        SortKasKeysType

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_KAS_KEYS_TYPE_UNSPECIFIED0

        SORT_KAS_KEYS_TYPE_KEY_ID1

        SORT_KAS_KEYS_TYPE_CREATED_AT2

        SORT_KAS_KEYS_TYPE_UPDATED_AT3

        - -

        SortKeyAccessServersType

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_KEY_ACCESS_SERVERS_TYPE_UNSPECIFIED0

        SORT_KEY_ACCESS_SERVERS_TYPE_NAME1

        SORT_KEY_ACCESS_SERVERS_TYPE_URI2

        SORT_KEY_ACCESS_SERVERS_TYPE_CREATED_AT3

        SORT_KEY_ACCESS_SERVERS_TYPE_UPDATED_AT4

        - - - - - -

        KeyAccessServerRegistryService

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Method NameRequest TypeResponse TypeDescription
        ListKeyAccessServersListKeyAccessServersRequestListKeyAccessServersResponse

        GetKeyAccessServerGetKeyAccessServerRequestGetKeyAccessServerResponse

        CreateKeyAccessServerCreateKeyAccessServerRequestCreateKeyAccessServerResponse

        UpdateKeyAccessServerUpdateKeyAccessServerRequestUpdateKeyAccessServerResponse

        DeleteKeyAccessServerDeleteKeyAccessServerRequestDeleteKeyAccessServerResponse

        ListKeyAccessServerGrantsListKeyAccessServerGrantsRequestListKeyAccessServerGrantsResponse

        Deprecated

        CreateKeyCreateKeyRequestCreateKeyResponse

        KAS Key Management -Request to create a new key in the Key Access Service.

        GetKeyGetKeyRequestGetKeyResponse

        Request to retrieve a key from the Key Access Service.

        ListKeysListKeysRequestListKeysResponse

        Request to list keys in the Key Access Service.

        UpdateKeyUpdateKeyRequestUpdateKeyResponse

        Request to update a key in the Key Access Service.

        RotateKeyRotateKeyRequestRotateKeyResponse

        Request to rotate a key in the Key Access Service.

        SetBaseKeySetBaseKeyRequestSetBaseKeyResponse

        Request to set the default a default kas key.

        GetBaseKeyGetBaseKeyRequestGetBaseKeyResponse

        Get Default kas keys

        ListKeyMappingsListKeyMappingsRequestListKeyMappingsResponse

        Request to list key mappings in the Key Access Service.

        + + namespace_grants + GrantedPolicyObject + repeated +

        + + + + attribute_grants + GrantedPolicyObject + repeated +

        + + + + value_grants + GrantedPolicyObject + repeated +

        + + + + - - -

        Methods with deprecated option

        - + + + +

        KeyAccessServersSort

        +

        + + +
        - - - - + - - - - - - + + + + + + + + + + + + + + +
        Method NameOption
        FieldTypeLabelDescription
        ListKeyAccessServerGrants

        true

        fieldSortKeyAccessServersType

        directionpolicy.SortDirection

        + + - - -

        Methods with idempotency_level option

        - + +

        KeyMapping

        +

        + + +
        - - - - + - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameOption
        FieldTypeLabelDescription
        ListKeyAccessServers

        NO_SIDE_EFFECTS

        GetKeyAccessServer

        NO_SIDE_EFFECTS

        ListKeyAccessServerGrants

        NO_SIDE_EFFECTS

        kidstring

        kas_uristring

        namespace_mappingsMappedPolicyObjectrepeated

        List of namespaces mapped to the key

        attribute_mappingsMappedPolicyObjectrepeated

        List of attribute definitions mapped to the key

        value_mappingsMappedPolicyObjectrepeated

        List of attribute values mapped to the key

        + - - - -
        -

        policy/keymanagement/key_management.proto

        Top -
        -

        + -

        CreateProviderConfigRequest

        -

        Provider Configuration Requests and Response Messages

        +

        ListKeyAccessServerGrantsRequest

        +

        LIST of KAS Grants returns flat response of grants to all policy objects. It

        does not employ selectors for grants to specific policy objects or build the

        attribute tree relation. If grants to a known namespace, attribute, or value

        are needed, use the respective GET request to the specific policy object.

        @@ -12026,34 +12208,40 @@

        CreateProviderConfigRe

        - + - + - - + + - + - + - + - - + + - + @@ -12063,8 +12251,8 @@

        CreateProviderConfigRe -

        CreateProviderConfigResponse

        -

        +

        ListKeyAccessServerGrantsResponse

        +

        Deprecated

        namekas_id string

        Required -The name of the key provider. (e.g. "AWS KMS Instance 1", "Google Cloud KMS Instance 2")

        Optional +Filter LIST by ID of a registered Key Access Server. +If neither is provided, grants from all registered KASs to policy attribute +objects are returned.

        config_jsonbyteskas_uristring

        Required -JSON configuration for the key provider. This is unique to individual key providers.

        Optional +Filter LIST by URI of a registered Key Access Server. +If none is provided, grants from all registered KASs to policy attribute +objects are returned.

        managerkas_name string

        Required -The type of key manager (e.g. "aws", "gcp", "azure", "opentdf.io/basic")

        Optional +Filter LIST by name of a registered Key Access Server. +If none are provided, grants from all registered KASs to policy attribute +objects are returned.

        metadatacommon.MetadataMutablepaginationpolicy.PageRequest

        Common metadata

        Optional

        @@ -12074,8 +12262,15 @@

        CreateProviderConfigR

        - - + + + + + + + + + @@ -12084,11 +12279,32 @@

        CreateProviderConfigR

        provider_configpolicy.KeyProviderConfiggrantsKeyAccessServerGrantsrepeated

        Deprecated.

        paginationpolicy.PageResponse

        + + +

        Fields with deprecated option

        + + + + + + + + + + + + + + + +
        NameOption
        grants

        true

        + + -

        DeleteProviderConfigRequest

        -

        In order to delete a provider configuration you must first delete all keys associated with the provider.

        +

        ListKeyAccessServersRequest

        +

        @@ -12098,10 +12314,21 @@

        DeleteProviderConfigRe

        - - + + - + + + + + + + + @@ -12111,7 +12338,7 @@

        DeleteProviderConfigRe -

        DeleteProviderConfigResponse

        +

        ListKeyAccessServersResponse

        @@ -12122,8 +12349,15 @@

        DeleteProviderConfigR

        - - + + + + + + + + + @@ -12135,7 +12369,7 @@

        DeleteProviderConfigR -

        GetProviderConfigRequest

        +

        ListKeyMappingsRequest

        @@ -12149,21 +12383,21 @@

        GetProviderConfigRequest<

        - + - - + + - - + + - + @@ -12173,7 +12407,7 @@

        GetProviderConfigRequest< -

        GetProviderConfigResponse

        +

        ListKeyMappingsResponse

        @@ -12184,10 +12418,17 @@

        GetProviderConfigRespons

        - - + + + + + + + + + - + @@ -12197,8 +12438,8 @@

        GetProviderConfigRespons -

        ListProviderConfigsRequest

        -

        +

        ListKeysRequest

        +

        List all asymmetric keys managed by a specific Key Access Server or with a given algorithm

        idstringpaginationpolicy.PageRequest

        Required

        Optional

        sortKeyAccessServersSortrepeated

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        provider_configpolicy.KeyProviderConfigkey_access_serverspolicy.KeyAccessServerrepeated

        paginationpolicy.PageResponse

        id string

        The unique identifier of the key to retrieve

        namestringkeyKasKeyIdentifier

        managerstringpaginationpolicy.PageRequest

        Optional - filter by manager type when searching by name

        Pagination request for the list of keys

        provider_configpolicy.KeyProviderConfigkey_mappingsKeyMappingrepeated

        The list of key mappings

        paginationpolicy.PageResponse

        Pagination response for the list of keys

        @@ -12207,11 +12448,61 @@

        ListProviderConfigsRequ

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + @@ -12221,8 +12512,8 @@

        ListProviderConfigsRequ -

        ListProviderConfigsResponse

        -

        +

        ListKeysResponse

        +

        Response to a ListKeysRequest, containing the list of asymmetric keys and pagination information

        key_algorithmpolicy.Algorithm

        Filter keys by algorithm

        kas_idstring

        Filter keys by the KAS ID

        kas_namestring

        Filter keys by the KAS name

        kas_uristring

        Filter keys by the KAS URI

        legacybooloptional

        Optional + +Filter for legacy keys

        pagination policy.PageRequest

        Optional

        Optional + +Pagination request for the list of keys

        sortKasKeysSortrepeated

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        @@ -12232,17 +12523,17 @@

        ListProviderConfigsRes

        - - + + - + - + @@ -12252,7 +12543,7 @@

        ListProviderConfigsRes -

        UpdateProviderConfigRequest

        +

        ListPublicKeyMappingRequest

        @@ -12263,46 +12554,38 @@

        UpdateProviderConfigRe

        - - - - - - - - + - - + + - + - - + + - + - - + + - + @@ -12312,7 +12595,7 @@

        UpdateProviderConfigRe -

        UpdateProviderConfigResponse

        +

        ListPublicKeyMappingResponse

        @@ -12323,8 +12606,15 @@

        UpdateProviderConfigR

        - - + + + + + + + + + @@ -12336,70 +12626,8 @@

        UpdateProviderConfigR - - - - - - -

        KeyManagementService

        +

        ListPublicKeyMappingResponse.Association

        -
        provider_configspolicy.KeyProviderConfigkas_keyspolicy.KasKey repeated

        The list of kas keys

        pagination policy.PageResponse

        Pagination response for the list of keys

        idstring

        Required

        namekas_id string

        Optional

        config_jsonbyteskas_namestring

        Optional

        managerkas_uri string

        Optional

        metadatacommon.MetadataMutablepublic_key_idstring

        Optional -Common metadata

        Optional Public Key ID

        metadata_update_behaviorcommon.MetadataUpdateEnumpaginationpolicy.PageRequest

        Optional

        provider_configpolicy.KeyProviderConfigpublic_key_mappingsListPublicKeyMappingResponse.PublicKeyMappingrepeated

        paginationpolicy.PageResponse

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Method NameRequest TypeResponse TypeDescription
        CreateProviderConfigCreateProviderConfigRequestCreateProviderConfigResponse

        Key Management -Provider Management

        GetProviderConfigGetProviderConfigRequestGetProviderConfigResponse

        ListProviderConfigsListProviderConfigsRequestListProviderConfigsResponse

        UpdateProviderConfigUpdateProviderConfigRequestUpdateProviderConfigResponse

        DeleteProviderConfigDeleteProviderConfigRequestDeleteProviderConfigResponse

        - - - - -
        -

        policy/namespaces/namespaces.proto

        Top -
        -

        - - -

        AssignKeyAccessServerToNamespaceRequest

        -

        Deprecated: utilize AssignPublicKeyToNamespaceRequest

        @@ -12409,8 +12637,15 @@

        AssignKeyAcce

        - - + + + + + + + + + @@ -12422,7 +12657,7 @@

        AssignKeyAcce -

        AssignKeyAccessServerToNamespaceResponse

        +

        ListPublicKeyMappingResponse.PublicKey

        @@ -12433,33 +12668,30 @@

        AssignKeyAcc

        - - + + - -
        namespace_key_access_serverNamespaceKeyAccessServeridstring

        fqnstring

        namespace_key_access_serverNamespaceKeyAccessServerkeypolicy.Key

        - - - - - -

        AssignPublicKeyToNamespaceRequest

        -

        Assign Key to Namespace

        - - - - - - - + + + + + + - - - + + + + + + + + + + @@ -12470,7 +12702,7 @@

        AssignPublicKeyToNa -

        AssignPublicKeyToNamespaceResponse

        +

        ListPublicKeyMappingResponse.PublicKeyMapping

        @@ -12481,12 +12713,33 @@

        AssignPublicKeyToN

        - - + + + + + + + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        valuesListPublicKeyMappingResponse.Associationrepeated

        namespace_keyNamespaceKeydefinitionsListPublicKeyMappingResponse.Associationrepeated

        namespacesListPublicKeyMappingResponse.Associationrepeated

        namespace_keyNamespaceKeykas_idstring

        kas_namestring

        kas_uristring

        public_keysListPublicKeyMappingResponse.PublicKeyrepeated

        @@ -12494,7 +12747,7 @@

        AssignPublicKeyToN -

        CreateNamespaceRequest

        +

        ListPublicKeysRequest

        @@ -12505,15 +12758,29 @@

        CreateNamespaceRequest

        - name + kas_id string -

        Required

        +

        Optional

        - metadata - common.MetadataMutable + kas_name + string + +

        Optional

        + + + + kas_uri + string + +

        Optional

        + + + + pagination + policy.PageRequest

        Optional

        @@ -12525,7 +12792,7 @@

        CreateNamespaceRequest

        -

        CreateNamespaceResponse

        +

        ListPublicKeysResponse

        @@ -12536,8 +12803,15 @@

        CreateNamespaceResponse

        - namespace - policy.Namespace + keys + policy.Key + repeated +

        + + + + pagination + policy.PageResponse

        @@ -12549,7 +12823,7 @@

        CreateNamespaceResponse

        -

        DeactivateNamespaceRequest

        +

        MappedPolicyObject

        @@ -12563,7 +12837,14 @@

        DeactivateNamespaceRequest id string -

        Required

        +

        The unique identifier of the policy object

        + + + + fqn + string + +

        The fully qualified name of the policy object

        @@ -12573,14 +12854,7 @@

        DeactivateNamespaceRequest -

        DeactivateNamespaceResponse

        -

        - - - - - -

        GetNamespaceRequest

        +

        RotateKeyRequest

        @@ -12594,53 +12868,100 @@

        GetNamespaceRequest

        id string -

        Deprecated. Deprecated

        +

        Current Active Key UUID

        - namespace_id - string + key + KasKeyIdentifier -

        option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field

        +

        Alternative way to specify the active key using KAS ID and Key ID

        - fqn - string + new_key + RotateKeyRequest.NewKey -

        +

        Information about the new key to be rotated in

        - - -

        Fields with deprecated option

        - - + + + +

        RotateKeyRequest.NewKey

        +

        Nested message for specifying the new key details

        + + +
        + + + + + - - + + + + - - - - + + + + - -
        FieldTypeLabelDescription
        NameOptionkey_idstring

        Required

        id

        true

        algorithmpolicy.Algorithm

        Required

        - + + key_mode + policy.KeyMode + +

        Required

        + + + + public_key_ctx + policy.PublicKeyCtx + +

        Required

        + + + + private_key_ctx + policy.PrivateKeyCtx + +

        Required

        + + + + provider_config_id + string + +

        Conditionally Required. + +Validation handled by message-level CEL

        + + + + metadata + common.MetadataMutable + +

        Common metadata fields

        + + + + + -

        GetNamespaceResponse

        -

        +

        RotateKeyResponse

        +

        Response message for the RotateKey request

        @@ -12650,10 +12971,17 @@

        GetNamespaceResponse

        - - + + - + + + + + + + + @@ -12663,8 +12991,8 @@

        GetNamespaceResponse

        -

        ListNamespacesRequest

        -

        +

        RotatedResources

        +

        All resources that were rotated as part of the key rotation process

        namespacepolicy.Namespacekas_keypolicy.KasKey

        The newly rotated Kas Key

        rotated_resourcesRotatedResources

        All resources that were rotated as part of the key rotation process

        @@ -12674,29 +13002,31 @@

        ListNamespacesRequest

        - - + + - + - - - - + + + + - - + + - + + + + + + + + @@ -12706,8 +13036,8 @@

        ListNamespacesRequest

        -

        ListNamespacesResponse

        -

        +

        SetBaseKeyRequest

        +

        Sets the specified key as the base key for the Key Access Server

        Note: The key must be active.

        statecommon.ActiveStateEnumrotated_out_keypolicy.KasKey

        Optional -ACTIVE by default when not specified

        The old key that was rotated out

        paginationpolicy.PageRequest

        Optional

        attribute_definition_mappingsChangeMappingsrepeated

        sortNamespacesSortattribute_value_mappingsChangeMappings repeated

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        namespace_mappingsChangeMappingsrepeated

        @@ -12717,17 +13047,17 @@

        ListNamespacesResponse

        - - - - + + + + - - + + - + @@ -12737,7 +13067,7 @@

        ListNamespacesResponse

        -

        NamespaceKey

        +

        SetBaseKeyResponse

        @@ -12748,17 +13078,17 @@

        NamespaceKey

        - - + + - + - - + + - + @@ -12768,8 +13098,8 @@

        NamespaceKey

        -

        NamespaceKeyAccessServer

        -

        Deprecated

        +

        UpdateKeyAccessServerRequest

        +

        namespacespolicy.Namespacerepeated

        idstring

        Current Key UUID tp be set as default

        paginationpolicy.PageResponsekeyKasKeyIdentifier

        Alternative way to specify the key using KAS ID and Key ID

        namespace_idstringnew_base_keypolicy.SimpleKasKey

        Required

        The key that was set as base

        key_idstringprevious_base_keypolicy.SimpleKasKey

        Required (The id from the Asymmetric Key object)

        The previous base key, if any

        @@ -12779,46 +13109,56 @@

        NamespaceKeyAccessServer

        - + + + + + + + + - + + + + + + + + + + + + + + + - + - + - -
        namespace_ididstring

        Required

        uri string

        Required

        Optional

        public_keypolicy.PublicKey

        Deprecated +Optional

        source_typepolicy.SourceType

        Optional +Using UNSPECIFIED will result in a successful update, +but will not actually update the underlying source. +You should not update KAS's from INTERNAL/EXTERNAL +to unspecified.

        key_access_server_idname string

        Required

        Optional

        - - - - - -

        NamespacesSort

        -

        - - - - - - - - - - + + - + - - + + @@ -12830,8 +13170,8 @@

        NamespacesSort

        -

        RemoveKeyAccessServerFromNamespaceRequest

        -

        Deprecated: utilize RemovePublicKeyFromNamespaceRequest

        +

        UpdateKeyAccessServerResponse

        +

        FieldTypeLabelDescription
        fieldSortNamespacesTypemetadatacommon.MetadataMutable

        Optional +Common metadata

        directionpolicy.SortDirectionmetadata_update_behaviorcommon.MetadataUpdateEnum

        @@ -12841,8 +13181,8 @@

        RemoveKeyAc

        - - + + @@ -12854,8 +13194,8 @@

        RemoveKeyAc -

        RemoveKeyAccessServerFromNamespaceResponse

        -

        +

        UpdateKeyRequest

        +

        Update an existing asymmetric key in the Key Management System

        namespace_key_access_serverNamespaceKeyAccessServerkey_access_serverpolicy.KeyAccessServer

        @@ -12865,34 +13205,29 @@

        RemoveKeyA

        - - + + - + - -
        namespace_key_access_serverNamespaceKeyAccessServeridstring

        Required + +The unique identifier of the key to update

        - - - - - -

        RemovePublicKeyFromNamespaceRequest

        -

        + + metadata + common.MetadataMutable + +

        Optional +Common metadata - - - - - - +Mutable metadata for the key

        + - - + + - + @@ -12902,8 +13237,8 @@

        RemovePublicKeyFr -

        RemovePublicKeyFromNamespaceResponse

        -

        +

        UpdateKeyResponse

        +

        Response to an UpdateKeyRequest, containing the updated asymmetric key

        FieldTypeLabelDescription
        namespace_keyNamespaceKeymetadata_update_behaviorcommon.MetadataUpdateEnum

        The behavior for updating the metadata

        @@ -12913,10 +13248,10 @@

        RemovePublicKeyF

        - - + + - + @@ -12926,7 +13261,7 @@

        RemovePublicKeyF -

        UpdateNamespaceRequest

        +

        UpdatePublicKeyRequest

        @@ -12947,7 +13282,8 @@

        UpdateNamespaceRequest

        - + @@ -12964,7 +13300,7 @@

        UpdateNamespaceRequest

        -

        UpdateNamespaceResponse

        +

        UpdatePublicKeyResponse

        @@ -12975,8 +13311,8 @@

        UpdateNamespaceResponse

        - - + + @@ -12990,7 +13326,7 @@

        UpdateNamespaceResponse

        -

        SortNamespacesType

        +

        SortKasKeysType

        namespace_keyNamespaceKeykas_keypolicy.KasKey

        The updated kas key

        metadata common.MetadataMutable

        Optional

        Optional +Common metadata

        namespacepolicy.Namespacekeypolicy.Key

        @@ -12999,31 +13335,66 @@

        SortNamespacesType

        - + - + - + - + + + + + + +
        SORT_NAMESPACES_TYPE_UNSPECIFIEDSORT_KAS_KEYS_TYPE_UNSPECIFIED 0

        SORT_NAMESPACES_TYPE_NAMESORT_KAS_KEYS_TYPE_KEY_ID 1

        SORT_NAMESPACES_TYPE_FQNSORT_KAS_KEYS_TYPE_CREATED_AT 2

        SORT_NAMESPACES_TYPE_CREATED_ATSORT_KAS_KEYS_TYPE_UPDATED_AT3

        + +

        SortKeyAccessServersType

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + + - + @@ -13035,7 +13406,7 @@

        SortNamespacesType

        -

        NamespaceService

        +

        KeyAccessServerRegistryService

        NameNumberDescription
        SORT_KEY_ACCESS_SERVERS_TYPE_UNSPECIFIED0

        SORT_KEY_ACCESS_SERVERS_TYPE_NAME1

        SORT_KEY_ACCESS_SERVERS_TYPE_URI2

        SORT_KEY_ACCESS_SERVERS_TYPE_CREATED_AT 3

        SORT_NAMESPACES_TYPE_UPDATED_ATSORT_KEY_ACCESS_SERVERS_TYPE_UPDATED_AT 4

        @@ -13044,68 +13415,102 @@

        NamespaceService

        - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -13125,12 +13530,7 @@

        Methods with deprecated option

        - - - - - - + @@ -13151,12 +13551,17 @@

        Methods with idempotency_level option

        - + - + + + + + + @@ -13167,91 +13572,13 @@

        Methods with idempotency_level option

        -

        policy/obligations/obligations.proto

        Top +

        policy/keymanagement/key_management.proto

        Top

        -

        AddObligationTriggerRequest

        -

        Obligation Triggers are owned by the namespace that owns the action and attribute value, which must

        be the same. In this way, a trigger can intentionally cross namespace boundaries: associating

        obligation values of a different namespace than the one that owns the action being taken or the attribute value.

        - - -
        GetNamespaceGetNamespaceRequestGetNamespaceResponseListKeyAccessServersListKeyAccessServersRequestListKeyAccessServersResponse

        ListNamespacesListNamespacesRequestListNamespacesResponseGetKeyAccessServerGetKeyAccessServerRequestGetKeyAccessServerResponse

        CreateNamespaceCreateNamespaceRequestCreateNamespaceResponseCreateKeyAccessServerCreateKeyAccessServerRequestCreateKeyAccessServerResponse

        UpdateNamespaceUpdateNamespaceRequestUpdateNamespaceResponseUpdateKeyAccessServerUpdateKeyAccessServerRequestUpdateKeyAccessServerResponse

        DeactivateNamespaceDeactivateNamespaceRequestDeactivateNamespaceResponseDeleteKeyAccessServerDeleteKeyAccessServerRequestDeleteKeyAccessServerResponse

        AssignKeyAccessServerToNamespaceAssignKeyAccessServerToNamespaceRequestAssignKeyAccessServerToNamespaceResponse

        Deprecated: utilize AssignPublicKeyToNamespace

        ListKeyAccessServerGrantsListKeyAccessServerGrantsRequestListKeyAccessServerGrantsResponse

        Deprecated

        RemoveKeyAccessServerFromNamespaceRemoveKeyAccessServerFromNamespaceRequestRemoveKeyAccessServerFromNamespaceResponse

        Deprecated: utilize RemovePublicKeyFromNamespace

        CreateKeyCreateKeyRequestCreateKeyResponse

        KAS Key Management +Request to create a new key in the Key Access Service.

        AssignPublicKeyToNamespaceAssignPublicKeyToNamespaceRequestAssignPublicKeyToNamespaceResponse

        --------------------------------------* -Namespace <> Key RPCs ----------------------------------------

        GetKeyGetKeyRequestGetKeyResponse

        Request to retrieve a key from the Key Access Service.

        RemovePublicKeyFromNamespaceRemovePublicKeyFromNamespaceRequestRemovePublicKeyFromNamespaceResponse

        ListKeysListKeysRequestListKeysResponse

        Request to list keys in the Key Access Service.

        UpdateKeyUpdateKeyRequestUpdateKeyResponse

        Request to update a key in the Key Access Service.

        RotateKeyRotateKeyRequestRotateKeyResponse

        Request to rotate a key in the Key Access Service.

        SetBaseKeySetBaseKeyRequestSetBaseKeyResponse

        Request to set the default a default kas key.

        GetBaseKeyGetBaseKeyRequestGetBaseKeyResponse

        Get Default kas keys

        ListKeyMappingsListKeyMappingsRequestListKeyMappingsResponse

        Request to list key mappings in the Key Access Service.

        AssignKeyAccessServerToNamespace

        true

        RemoveKeyAccessServerFromNamespaceListKeyAccessServerGrants

        true

        GetNamespaceListKeyAccessServers

        NO_SIDE_EFFECTS

        ListNamespacesGetKeyAccessServer

        NO_SIDE_EFFECTS

        ListKeyAccessServerGrants

        NO_SIDE_EFFECTS

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        obligation_valuecommon.IdFqnIdentifier

        Required

        actioncommon.IdNameIdentifier

        Required

        attribute_valuecommon.IdFqnIdentifier

        Required

        contextpolicy.RequestContext

        Optional -The request context for this obligation value policy decisioning.

        metadatacommon.MetadataMutable

        Optional -Common metadata

        - - - - - -

        AddObligationTriggerResponse

        -

        - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        triggerpolicy.ObligationTrigger

        - - - - - -

        CreateObligationRequest

        -

        +

        CreateProviderConfigRequest

        +

        Provider Configuration Requests and Response Messages

        @@ -13261,39 +13588,34 @@

        CreateObligationRequest

        - + - + - - + + - + - + - - - - - - - - + - + @@ -13303,7 +13625,7 @@

        CreateObligationRequest

        -

        CreateObligationResponse

        +

        CreateProviderConfigResponse

        @@ -13314,8 +13636,8 @@

        CreateObligationResponse

        - - + + @@ -13327,8 +13649,8 @@

        CreateObligationResponseCreateObligationValueRequest

        -

        +

        DeleteProviderConfigRequest

        +

        In order to delete a provider configuration you must first delete all keys associated with the provider.

        namespace_idname string

        Required +The name of the key provider. (e.g. "AWS KMS Instance 1", "Google Cloud KMS Instance 2")

        namespace_fqnstringconfig_jsonbytes

        Required +JSON configuration for the key provider. This is unique to individual key providers.

        namemanager string

        valuesstringrepeated

        Optional

        Required +The type of key manager (e.g. "aws", "gcp", "azure", "opentdf.io/basic")

        metadata common.MetadataMutable

        Optional -Common metadata

        Common metadata

        obligationpolicy.Obligationprovider_configpolicy.KeyProviderConfig

        @@ -13338,40 +13660,10 @@

        CreateObligationValueRe

        - - - - - - - - - - - - - - - + - - - - - - - - - - - - - - - + @@ -13381,7 +13673,7 @@

        CreateObligationValueRe -

        CreateObligationValueResponse

        +

        DeleteProviderConfigResponse

        @@ -13392,8 +13684,8 @@

        CreateObligationValueR

        - - + + @@ -13405,7 +13697,7 @@

        CreateObligationValueR -

        DeleteObligationRequest

        +

        GetProviderConfigRequest

        @@ -13423,65 +13715,17 @@

        DeleteObligationRequest

        - - - - - - - -
        obligation_idstring

        obligation_fqnstring

        valueid string

        triggersValueTriggerRequestrepeated

        Optional -Combination of action and attribute_value that will trigger this obligation value policy decisioning.

        metadatacommon.MetadataMutable

        Optional -Common metadata

        Required

        valuepolicy.ObligationValueprovider_configpolicy.KeyProviderConfig

        fqnstring

        - - - - - -

        DeleteObligationResponse

        -

        - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        obligationpolicy.Obligation

        - - - - - -

        DeleteObligationValueRequest

        -

        - - - - - - - - - - + - + - + @@ -13491,7 +13735,7 @@

        DeleteObligationValueRe -

        DeleteObligationValueResponse

        +

        GetProviderConfigResponse

        @@ -13502,8 +13746,8 @@

        DeleteObligationValueR

        - - + + @@ -13515,7 +13759,7 @@

        DeleteObligationValueR -

        GetObligationRequest

        +

        ListProviderConfigsRequest

        @@ -13526,17 +13770,10 @@

        GetObligationRequest

        - - - - - - - - - + + - + @@ -13546,7 +13783,7 @@

        GetObligationRequest

        -

        GetObligationResponse

        +

        ListProviderConfigsResponse

        @@ -13557,8 +13794,15 @@

        GetObligationResponse

        - - + + + + + + + + + @@ -13570,8 +13814,8 @@

        GetObligationResponse

        -

        GetObligationTriggerRequest

        -

        Triggers

        +

        UpdateProviderConfigRequest

        +

        FieldTypeLabelDescription
        idname string

        fqnmanager string

        Optional - filter by manager type when searching by name

        valuepolicy.ObligationValueprovider_configpolicy.KeyProviderConfig

        idstring

        fqnstringpaginationpolicy.PageRequest

        Optional

        obligationpolicy.Obligationprovider_configspolicy.KeyProviderConfigrepeated

        paginationpolicy.PageResponse

        @@ -13587,6 +13831,42 @@

        GetObligationTriggerRequ

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

        Required

        namestring

        Optional

        config_jsonbytes

        Optional

        managerstring

        Optional

        metadatacommon.MetadataMutable

        Optional +Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnum

        @@ -13594,7 +13874,7 @@

        GetObligationTriggerRequ -

        GetObligationTriggerResponse

        +

        UpdateProviderConfigResponse

        @@ -13605,8 +13885,8 @@

        GetObligationTriggerRes - trigger - policy.ObligationTrigger + provider_config + policy.KeyProviderConfig

        @@ -13618,8 +13898,70 @@

        GetObligationTriggerRes -

        GetObligationValueRequest

        -

        Values

        + + + + + + +

        KeyManagementService

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameRequest TypeResponse TypeDescription
        CreateProviderConfigCreateProviderConfigRequestCreateProviderConfigResponse

        Key Management +Provider Management

        GetProviderConfigGetProviderConfigRequestGetProviderConfigResponse

        ListProviderConfigsListProviderConfigsRequestListProviderConfigsResponse

        UpdateProviderConfigUpdateProviderConfigRequestUpdateProviderConfigResponse

        DeleteProviderConfigDeleteProviderConfigRequestDeleteProviderConfigResponse

        + + + + +
        +

        policy/namespaces/namespaces.proto

        Top +
        +

        + + +

        AssignKeyAccessServerToNamespaceRequest

        +

        Deprecated: utilize AssignPublicKeyToNamespaceRequest

        @@ -13629,15 +13971,8 @@

        GetObligationValueRequest<

        - - - - - - - - - + + @@ -13649,7 +13984,7 @@

        GetObligationValueRequest< -

        GetObligationValueResponse

        +

        AssignKeyAccessServerToNamespaceResponse

        @@ -13660,8 +13995,8 @@

        GetObligationValueRespons

        - - + + @@ -13673,8 +14008,8 @@

        GetObligationValueRespons -

        GetObligationValuesByFQNsRequest

        -

        +

        AssignPublicKeyToNamespaceRequest

        +

        Assign Key to Namespace

        idstring

        fqnstringnamespace_key_access_serverNamespaceKeyAccessServer

        valuepolicy.ObligationValuenamespace_key_access_serverNamespaceKeyAccessServer

        @@ -13684,9 +14019,9 @@

        GetObligationValues

        - - - + + + @@ -13697,7 +14032,7 @@

        GetObligationValues -

        GetObligationValuesByFQNsResponse

        +

        AssignPublicKeyToNamespaceResponse

        @@ -13708,9 +14043,9 @@

        GetObligationValue

        - - - + + + @@ -13721,7 +14056,7 @@

        GetObligationValue -

        GetObligationValuesByFQNsResponse.FqnValueMapEntry

        +

        CreateNamespaceRequest

        @@ -13732,17 +14067,17 @@

        G

        - + - + - - + + - + @@ -13752,7 +14087,7 @@

        G -

        GetObligationsByFQNsRequest

        +

        CreateNamespaceResponse

        @@ -13763,9 +14098,9 @@

        GetObligationsByFQNsRequ

        - - - + + + @@ -13776,7 +14111,7 @@

        GetObligationsByFQNsRequ -

        GetObligationsByFQNsResponse

        +

        DeactivateNamespaceRequest

        @@ -13787,10 +14122,10 @@

        GetObligationsByFQNsRes

        - - - - + + + + @@ -13800,7 +14135,14 @@

        GetObligationsByFQNsRes -

        GetObligationsByFQNsResponse.FqnObligationMapEntry

        +

        DeactivateNamespaceResponse

        +

        + + + + + +

        GetNamespaceRequest

        @@ -13811,15 +14153,22 @@

        G

        - + - + - - + + + + + + + + + @@ -13828,10 +14177,31 @@

        G

        fqnsstringrepeatednamespace_keyNamespaceKey

        fqn_value_mapGetObligationValuesByFQNsResponse.FqnValueMapEntryrepeatednamespace_keyNamespaceKey

        keyname string

        Required

        valuepolicy.ObligationValuemetadatacommon.MetadataMutable

        Optional

        fqnsstringrepeatednamespacepolicy.Namespace

        fqn_obligation_mapGetObligationsByFQNsResponse.FqnObligationMapEntryrepeated

        idstring

        Required

        keyid string

        Deprecated. Deprecated

        valuepolicy.Obligationnamespace_idstring

        option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field

        fqnstring

        + + +

        Fields with deprecated option

        + + + + + + + + + + + + + + + +
        NameOption
        id

        true

        + + -

        ListObligationTriggersRequest

        +

        GetNamespaceResponse

        @@ -13842,17 +14212,35 @@

        ListObligationTriggers - namespace_id - string + namespace + policy.Namespace

        + + + + + + + +

        ListNamespacesRequest

        +

        + + + + + + + + - - + + - + @@ -13862,6 +14250,17 @@

        ListObligationTriggers

        + + + + + + +
        FieldTypeLabelDescription
        namespace_fqnstringstatecommon.ActiveStateEnum

        Optional +ACTIVE by default when not specified

        Optional

        sortNamespacesSortrepeated

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        @@ -13869,7 +14268,7 @@

        ListObligationTriggers -

        ListObligationTriggersResponse

        +

        ListNamespacesResponse

        @@ -13880,8 +14279,8 @@

        ListObligationTrigger - triggers - policy.ObligationTrigger + namespaces + policy.Namespace repeated

        @@ -13900,7 +14299,7 @@

        ListObligationTrigger -

        ListObligationsRequest

        +

        NamespaceKey

        @@ -13914,32 +14313,14 @@

        ListObligationsRequest

        namespace_id string -

        +

        Required

        - namespace_fqn + key_id string -

        - - - - pagination - policy.PageRequest - -

        Optional

        - - - - sort - ObligationsSort - repeated -

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        +

        Required (The id from the Asymmetric Key object)

        @@ -13949,8 +14330,8 @@

        ListObligationsRequest

        -

        ListObligationsResponse

        -

        +

        NamespaceKeyAccessServer

        +

        Deprecated

        @@ -13960,17 +14341,17 @@

        ListObligationsResponse

        - - - - + + + + - - + + - + @@ -13980,7 +14361,7 @@

        ListObligationsResponse

        -

        ObligationsSort

        +

        NamespacesSort

        @@ -13992,7 +14373,7 @@

        ObligationsSort

        - + @@ -14011,8 +14392,8 @@

        ObligationsSort

        -

        RemoveObligationTriggerRequest

        -

        +

        RemoveKeyAccessServerFromNamespaceRequest

        +

        Deprecated: utilize RemovePublicKeyFromNamespaceRequest

        obligationspolicy.Obligationrepeated

        namespace_idstring

        Required

        paginationpolicy.PageResponsekey_access_server_idstring

        Required

        fieldSortObligationsTypeSortNamespacesType

        @@ -14022,10 +14403,10 @@

        RemoveObligationTrigg

        - - + + - + @@ -14035,7 +14416,7 @@

        RemoveObligationTrigg -

        RemoveObligationTriggerResponse

        +

        RemoveKeyAccessServerFromNamespaceResponse

        @@ -14046,8 +14427,8 @@

        RemoveObligationTrig

        - - + + @@ -14059,7 +14440,7 @@

        RemoveObligationTrig -

        UpdateObligationRequest

        +

        RemovePublicKeyFromNamespaceRequest

        @@ -14070,29 +14451,8 @@

        UpdateObligationRequest

        - - - - - - - - - - - - - - - - - - - - - - - + + @@ -14104,7 +14464,7 @@

        UpdateObligationRequest

        -

        UpdateObligationResponse

        +

        RemovePublicKeyFromNamespaceResponse

        @@ -14115,8 +14475,8 @@

        UpdateObligationResponse

        - - + + @@ -14128,7 +14488,7 @@

        UpdateObligationResponseUpdateObligationValueRequest

        +

        UpdateNamespaceRequest

        @@ -14145,27 +14505,11 @@

        UpdateObligationValueRe

        - - - - - - - - - - - - - - - + @@ -14182,7 +14526,7 @@

        UpdateObligationValueRe -

        UpdateObligationValueResponse

        +

        UpdateNamespaceResponse

        @@ -14193,8 +14537,8 @@

        UpdateObligationValueR

        - - + + @@ -14206,47 +14550,9 @@

        UpdateObligationValueR -

        ValueTriggerRequest

        -

        - - -
        idstringnamespace_key_access_serverNamespaceKeyAccessServer

        Required

        triggerpolicy.ObligationTriggernamespace_key_access_serverNamespaceKeyAccessServer

        idstring

        Required

        namestring

        Optional

        metadatacommon.MetadataMutable

        metadata_update_behaviorcommon.MetadataUpdateEnumnamespace_keyNamespaceKey

        obligationpolicy.Obligationnamespace_keyNamespaceKey

        Required

        valuestring

        Optional

        triggersValueTriggerRequestrepeated

        Optional -Obligation Triggers provided here will replace all existing records in the database.

        metadata common.MetadataMutable

        Optional -Common metadata

        Optional

        valuepolicy.ObligationValuenamespacepolicy.Namespace

        - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        actioncommon.IdNameIdentifier

        Required. The ID of the action that will trigger this obligation value policy decisioning.

        attribute_valuecommon.IdFqnIdentifier

        Required. The attribute value ID that will trigger this obligation value policy decisioning.

        contextpolicy.RequestContext

        Optional. The request context for this obligation value policy decisioning.

        - - - - - -

        SortObligationsType

        +

        SortNamespacesType

        @@ -14255,152 +14561,112 @@

        SortObligationsType

        - + - + - + - - - - - - - - - - - - -
        SORT_OBLIGATIONS_TYPE_UNSPECIFIEDSORT_NAMESPACES_TYPE_UNSPECIFIED 0

        SORT_OBLIGATIONS_TYPE_NAMESORT_NAMESPACES_TYPE_NAME 1

        SORT_OBLIGATIONS_TYPE_FQNSORT_NAMESPACES_TYPE_FQN 2

        SORT_OBLIGATIONS_TYPE_CREATED_AT3

        SORT_OBLIGATIONS_TYPE_UPDATED_AT4

        - - - - - -

        Service

        -

        Obligation Service

        /

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - + + + +
        Method NameRequest TypeResponse TypeDescription
        ListObligationsListObligationsRequestListObligationsResponse

        GetObligationGetObligationRequestGetObligationResponse

        GetObligationsByFQNsGetObligationsByFQNsRequestGetObligationsByFQNsResponse

        CreateObligationCreateObligationRequestCreateObligationResponse

        UpdateObligationUpdateObligationRequestUpdateObligationResponseSORT_NAMESPACES_TYPE_CREATED_AT3

        DeleteObligationDeleteObligationRequestDeleteObligationResponseSORT_NAMESPACES_TYPE_UPDATED_AT4

        + + + + + +

        NamespaceService

        +

        + + + + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - + + + @@ -14410,7 +14676,7 @@

        Service

        -

        Methods with idempotency_level option

        +

        Methods with deprecated option

        Method NameRequest TypeResponse TypeDescription
        GetObligationValueGetObligationValueRequestGetObligationValueResponseGetNamespaceGetNamespaceRequestGetNamespaceResponse

        GetObligationValuesByFQNsGetObligationValuesByFQNsRequestGetObligationValuesByFQNsResponseListNamespacesListNamespacesRequestListNamespacesResponse

        CreateObligationValueCreateObligationValueRequestCreateObligationValueResponseCreateNamespaceCreateNamespaceRequestCreateNamespaceResponse

        UpdateObligationValueUpdateObligationValueRequestUpdateObligationValueResponseUpdateNamespaceUpdateNamespaceRequestUpdateNamespaceResponse

        DeleteObligationValueDeleteObligationValueRequestDeleteObligationValueResponseDeactivateNamespaceDeactivateNamespaceRequestDeactivateNamespaceResponse

        GetObligationTriggerGetObligationTriggerRequestGetObligationTriggerResponse

        AssignKeyAccessServerToNamespaceAssignKeyAccessServerToNamespaceRequestAssignKeyAccessServerToNamespaceResponse

        Deprecated: utilize AssignPublicKeyToNamespace

        AddObligationTriggerAddObligationTriggerRequestAddObligationTriggerResponse

        RemoveKeyAccessServerFromNamespaceRemoveKeyAccessServerFromNamespaceRequestRemoveKeyAccessServerFromNamespaceResponse

        Deprecated: utilize RemovePublicKeyFromNamespace

        RemoveObligationTriggerRemoveObligationTriggerRequestRemoveObligationTriggerResponse

        AssignPublicKeyToNamespaceAssignPublicKeyToNamespaceRequestAssignPublicKeyToNamespaceResponse

        --------------------------------------* +Namespace <> Key RPCs +---------------------------------------

        ListObligationTriggersListObligationTriggersRequestListObligationTriggersResponseRemovePublicKeyFromNamespaceRemovePublicKeyFromNamespaceRequestRemovePublicKeyFromNamespaceResponse

        @@ -14421,37 +14687,38 @@

        Methods with idempotency_level option

        - - - - - - - - - - - - + + - - + + + +
        ListObligations

        NO_SIDE_EFFECTS

        GetObligation

        NO_SIDE_EFFECTS

        GetObligationsByFQNs

        NO_SIDE_EFFECTS

        AssignKeyAccessServerToNamespace

        true

        GetObligationValue

        NO_SIDE_EFFECTS

        RemoveKeyAccessServerFromNamespace

        true

        + + + + +

        Methods with idempotency_level option

        + + - - + + + + - + - + @@ -14462,13 +14729,13 @@

        Methods with idempotency_level option

        -

        policy/registeredresources/registered_resources.proto

        Top +

        policy/obligations/obligations.proto

        Top

        -

        ActionAttributeValue

        -

        +

        AddObligationTriggerRequest

        +

        Obligation Triggers are owned by the namespace that owns the action and attribute value, which must

        be the same. In this way, a trigger can intentionally cross namespace boundaries: associating

        obligation values of a different namespace than the one that owns the action being taken or the attribute value.

        GetObligationValuesByFQNs

        NO_SIDE_EFFECTS

        Method NameOption
        GetObligationTriggerGetNamespace

        NO_SIDE_EFFECTS

        ListObligationTriggersListNamespaces

        NO_SIDE_EFFECTS

        @@ -14478,31 +14745,40 @@

        ActionAttributeValue

        - - + + - + - - + + - + - - + + - + - - + + - + + + + + + + + @@ -14512,7 +14788,7 @@

        ActionAttributeValueCreateRegisteredResourceRequest

        +

        AddObligationTriggerResponse

        @@ -14523,35 +14799,57 @@

        CreateRegist

        - - + + - + + +
        action_idstringobligation_valuecommon.IdFqnIdentifier

        Required

        action_namestringactioncommon.IdNameIdentifier

        Required

        attribute_value_idstringattribute_valuecommon.IdFqnIdentifier

        Required

        attribute_value_fqnstringcontextpolicy.RequestContext

        Optional +The request context for this obligation value policy decisioning.

        metadatacommon.MetadataMutable

        Optional +Common metadata

        namestringtriggerpolicy.ObligationTrigger

        Required

        + + + + + +

        CreateObligationRequest

        +

        + + + + + + + + - + - - + + - + - + + + + + + + + @@ -14567,7 +14865,7 @@

        CreateRegist -

        CreateRegisteredResourceResponse

        +

        CreateObligationResponse

        @@ -14578,8 +14876,8 @@

        CreateRegis

        - - + + @@ -14591,7 +14889,7 @@

        CreateRegis -

        CreateRegisteredResourceValueRequest

        +

        CreateObligationValueRequest

        @@ -14602,82 +14900,40 @@

        CreateR

        - + - + - + - - - - - - - - - - - - - - - + - -
        FieldTypeLabelDescription
        valuesnamespace_id stringrepeated

        Optional -Registered Resource Values (when provided) must be alphanumeric strings, allowing hyphens and underscores but not as the first or last character. -The stored value will be normalized to lower case.

        namespace_idnamespace_fqn string

        namespace_fqnname string

        valuesstringrepeated

        Optional

        metadata common.MetadataMutable
        resourcepolicy.RegisteredResourceobligationpolicy.Obligation

        resource_idobligation_id string

        Required

        valueobligation_fqn string

        Required

        action_attribute_valuesActionAttributeValuerepeated

        Optional -The associated Action <> AttributeValue combinations to be utilized in authorization/entitlement decisioning -(i.e. action read -> attribute value https://example.com/attr/department/value/marketing)

        metadatacommon.MetadataMutable

        Optional -Common metadata

        - - - - - -

        CreateRegisteredResourceValueResponse

        -

        - - - - - - - - - + - -
        FieldTypeLabelDescription
        valuepolicy.RegisteredResourceValuestring

        - - - - - -

        DeleteRegisteredResourceRequest

        -

        - - - - - - - + + + + + + - - + + - + @@ -14687,7 +14943,7 @@

        DeleteRegist -

        DeleteRegisteredResourceResponse

        +

        CreateObligationValueResponse

        @@ -14698,8 +14954,8 @@

        DeleteRegis

        - - + + @@ -14711,7 +14967,7 @@

        DeleteRegis -

        DeleteRegisteredResourceValueRequest

        +

        DeleteObligationRequest

        @@ -14725,7 +14981,14 @@

        DeleteR

        - + + + + + + + + @@ -14735,7 +14998,7 @@

        DeleteR -

        DeleteRegisteredResourceValueResponse

        +

        DeleteObligationResponse

        @@ -14746,8 +15009,8 @@

        Delete

        - - + + @@ -14759,7 +15022,7 @@

        Delete -

        GetRegisteredResourceRequest

        +

        DeleteObligationValueRequest

        @@ -14777,21 +15040,7 @@

        GetRegisteredRe

        - - - - - - - - - - - - - - - + @@ -14804,7 +15053,7 @@

        GetRegisteredRe -

        GetRegisteredResourceResponse

        +

        DeleteObligationValueResponse

        @@ -14815,8 +15064,8 @@

        GetRegisteredR

        - - + + @@ -14828,7 +15077,7 @@

        GetRegisteredR -

        GetRegisteredResourceValueRequest

        +

        GetObligationRequest

        @@ -14859,7 +15108,7 @@

        GetRegiste -

        GetRegisteredResourceValueResponse

        +

        GetObligationResponse

        @@ -14870,8 +15119,8 @@

        GetRegist

        - - + + @@ -14883,8 +15132,8 @@

        GetRegist -

        GetRegisteredResourceValuesByFQNsRequest

        -

        +

        GetObligationTriggerRequest

        +

        Triggers

        FieldTypeLabelDescription
        triggersValueTriggerRequestrepeated

        Optional +Combination of action and attribute_value that will trigger this obligation value policy decisioning.

        idstringmetadatacommon.MetadataMutable

        Required

        Optional +Common metadata

        resourcepolicy.RegisteredResourcevaluepolicy.ObligationValue

        id string

        Required

        fqnstring

        valuepolicy.RegisteredResourceValueobligationpolicy.Obligation

        namestring

        namespace_fqnstring

        namespace_idfqn string

        resourcepolicy.RegisteredResourcevaluepolicy.ObligationValue

        valuepolicy.RegisteredResourceValueobligationpolicy.Obligation

        @@ -14894,9 +15143,9 @@

        Get

        - + - + @@ -14907,7 +15156,7 @@

        Get -

        GetRegisteredResourceValuesByFQNsResponse

        +

        GetObligationTriggerResponse

        @@ -14918,9 +15167,9 @@

        Ge

        - - - + + + @@ -14931,8 +15180,8 @@

        Ge -

        GetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntry

        -

        +

        GetObligationValueRequest

        +

        Values

        fqnsid stringrepeated

        Required

        fqn_value_mapGetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntryrepeatedtriggerpolicy.ObligationTrigger

        @@ -14942,15 +15191,15 @@

        string

        - - + + @@ -14962,7 +15211,7 @@

        ListRegisteredResourceValuesRequest

        +

        GetObligationValueResponse

        @@ -14973,17 +15222,10 @@

        ListRegi

        - - - - - - - - - + + - + @@ -14993,7 +15235,7 @@

        ListRegi -

        ListRegisteredResourceValuesResponse

        +

        GetObligationValuesByFQNsRequest

        @@ -15004,19 +15246,12 @@

        ListReg

        - - + + - - - - - - -

        valuepolicy.RegisteredResourceValuefqnstring

        resource_idstring

        Optional

        paginationpolicy.PageRequestvaluepolicy.ObligationValue

        Optional

        valuespolicy.RegisteredResourceValuefqnsstring repeated

        paginationpolicy.PageResponse

        @@ -15024,7 +15259,7 @@

        ListReg -

        ListRegisteredResourcesRequest

        +

        GetObligationValuesByFQNsResponse

        @@ -15035,35 +15270,10 @@

        ListRegistere - namespace_id - string - -

        - - - - namespace_fqn - string - -

        - - - - pagination - policy.PageRequest - -

        Optional

        - - - - sort - RegisteredResourcesSort + fqn_value_map + GetObligationValuesByFQNsResponse.FqnValueMapEntry repeated -

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        +

        @@ -15073,7 +15283,7 @@

        ListRegistere -

        ListRegisteredResourcesResponse

        +

        GetObligationValuesByFQNsResponse.FqnValueMapEntry

        @@ -15084,15 +15294,15 @@

        ListRegister - resources - policy.RegisteredResource - repeated + key + string +

        - pagination - policy.PageResponse + value + policy.ObligationValue

        @@ -15104,7 +15314,7 @@

        ListRegister -

        RegisteredResourcesSort

        +

        GetObligationsByFQNsRequest

        @@ -15115,16 +15325,9 @@

        RegisteredResourcesS - field - SortRegisteredResourcesType - -

        - - - - direction - policy.SortDirection - + fqns + string + repeated

        @@ -15135,7 +15338,7 @@

        RegisteredResourcesS -

        UpdateRegisteredResourceRequest

        +

        GetObligationsByFQNsResponse

        @@ -15146,31 +15349,9 @@

        UpdateRegist - id - string - -

        Required

        - - - - name - string - -

        Optional

        - - - - metadata - common.MetadataMutable - -

        Optional -Common metadata

        - - - - metadata_update_behavior - common.MetadataUpdateEnum - + fqn_obligation_map + GetObligationsByFQNsResponse.FqnObligationMapEntry + repeated

        @@ -15181,7 +15362,7 @@

        UpdateRegist -

        UpdateRegisteredResourceResponse

        +

        GetObligationsByFQNsResponse.FqnObligationMapEntry

        @@ -15192,8 +15373,15 @@

        UpdateRegis - resource - policy.RegisteredResource + key + string + +

        + + + + value + policy.Obligation

        @@ -15205,51 +15393,35 @@

        UpdateRegis -

        UpdateRegisteredResourceValueRequest

        +

        ListObligationTriggersRequest

        - - - - - - - - - - - + + + + - + - - - - - - - - + - - + + - + - - + + - + @@ -15259,7 +15431,7 @@

        UpdateR -

        UpdateRegisteredResourceValueResponse

        +

        ListObligationTriggersResponse

        @@ -15270,8 +15442,15 @@

        Update

        - - + + + + + + + + + @@ -15283,145 +15462,7 @@

        Update - - -

        SortRegisteredResourcesType

        -

        -
        FieldTypeLabelDescription
        idstring

        Required

        FieldTypeLabelDescription
        valuenamespace_id string

        Optional

        action_attribute_valuesActionAttributeValuerepeated

        Optional -Action Attribute Values provided here will replace all existing records in the database. To delete all action attribute values, set this field to an empty list.

        metadatacommon.MetadataMutablenamespace_fqnstring

        Optional -Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnumpaginationpolicy.PageRequest

        Optional

        valuepolicy.RegisteredResourceValuetriggerspolicy.ObligationTriggerrepeated

        paginationpolicy.PageResponse

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_REGISTERED_RESOURCES_TYPE_UNSPECIFIED0

        SORT_REGISTERED_RESOURCES_TYPE_NAME1

        SORT_REGISTERED_RESOURCES_TYPE_CREATED_AT2

        SORT_REGISTERED_RESOURCES_TYPE_UPDATED_AT3

        - - - - - -

        RegisteredResourcesService

        -

        Registered Resources

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Method NameRequest TypeResponse TypeDescription
        CreateRegisteredResourceCreateRegisteredResourceRequestCreateRegisteredResourceResponse

        GetRegisteredResourceGetRegisteredResourceRequestGetRegisteredResourceResponse

        ListRegisteredResourcesListRegisteredResourcesRequestListRegisteredResourcesResponse

        UpdateRegisteredResourceUpdateRegisteredResourceRequestUpdateRegisteredResourceResponse

        DeleteRegisteredResourceDeleteRegisteredResourceRequestDeleteRegisteredResourceResponse

        CreateRegisteredResourceValueCreateRegisteredResourceValueRequestCreateRegisteredResourceValueResponse

        GetRegisteredResourceValueGetRegisteredResourceValueRequestGetRegisteredResourceValueResponse

        GetRegisteredResourceValuesByFQNsGetRegisteredResourceValuesByFQNsRequestGetRegisteredResourceValuesByFQNsResponse

        ListRegisteredResourceValuesListRegisteredResourceValuesRequestListRegisteredResourceValuesResponse

        UpdateRegisteredResourceValueUpdateRegisteredResourceValueRequestUpdateRegisteredResourceValueResponse

        DeleteRegisteredResourceValueDeleteRegisteredResourceValueRequestDeleteRegisteredResourceValueResponse

        - - - - -
        -

        policy/resourcemapping/resource_mapping.proto

        Top -
        -

        - - -

        CreateResourceMappingGroupRequest

        +

        ListObligationsRequest

        @@ -15435,21 +15476,32 @@

        CreateResource namespace_id string -

        Required

        +

        - name + namespace_fqn string -

        Required

        +

        - metadata - common.MetadataMutable + pagination + policy.PageRequest -

        Common metadata

        +

        Optional

        + + + + sort + ObligationsSort + repeated +

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        @@ -15459,7 +15511,7 @@

        CreateResource -

        CreateResourceMappingGroupResponse

        +

        ListObligationsResponse

        @@ -15470,8 +15522,15 @@

        CreateResourc - resource_mapping_group - policy.ResourceMappingGroup + obligations + policy.Obligation + repeated +

        + + + + pagination + policy.PageResponse

        @@ -15483,7 +15542,7 @@

        CreateResourc -

        CreateResourceMappingRequest

        +

        ObligationsSort

        @@ -15494,31 +15553,41 @@

        CreateResourceMappi - attribute_value_id - string + field + SortObligationsType -

        Required

        - - - - terms - string - repeated -

        Required

        +

        - group_id - string + direction + policy.SortDirection -

        Optional

        +

        + + + + + + + +

        RemoveObligationTriggerRequest

        +

        + + + + + + + + - - + + - + @@ -15528,7 +15597,7 @@

        CreateResourceMappi -

        CreateResourceMappingResponse

        +

        RemoveObligationTriggerResponse

        @@ -15539,8 +15608,8 @@

        CreateResourceMapp

        - - + + @@ -15552,7 +15621,7 @@

        CreateResourceMapp -

        DeleteResourceMappingGroupRequest

        +

        UpdateObligationRequest

        @@ -15569,6 +15638,27 @@

        DeleteResource

        + + + + + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        metadatacommon.MetadataMutableidstring

        Optional

        Required

        resource_mappingpolicy.ResourceMappingtriggerpolicy.ObligationTrigger

        Required

        namestring

        Optional

        metadatacommon.MetadataMutable

        metadata_update_behaviorcommon.MetadataUpdateEnum

        @@ -15576,7 +15666,7 @@

        DeleteResource -

        DeleteResourceMappingGroupResponse

        +

        UpdateObligationResponse

        @@ -15587,8 +15677,8 @@

        DeleteResourc - resource_mapping_group - policy.ResourceMappingGroup + obligation + policy.Obligation

        @@ -15600,7 +15690,7 @@

        DeleteResourc -

        DeleteResourceMappingRequest

        +

        UpdateObligationValueRequest

        @@ -15617,6 +15707,36 @@

        DeleteResourceMappi

        Required

        + + value + string + +

        Optional

        + + + + triggers + ValueTriggerRequest + repeated +

        Optional +Obligation Triggers provided here will replace all existing records in the database.

        + + + + metadata + common.MetadataMutable + +

        Optional +Common metadata

        + + + + metadata_update_behavior + common.MetadataUpdateEnum + +

        + + @@ -15624,7 +15744,7 @@

        DeleteResourceMappi -

        DeleteResourceMappingResponse

        +

        UpdateObligationValueResponse

        @@ -15635,8 +15755,8 @@

        DeleteResourceMapp - resource_mapping - policy.ResourceMapping + value + policy.ObligationValue

        @@ -15648,7 +15768,7 @@

        DeleteResourceMapp -

        GetResourceMappingGroupRequest

        +

        ValueTriggerRequest

        @@ -15659,10 +15779,24 @@

        GetResourceMappin - id - string + action + common.IdNameIdentifier -

        Required

        +

        Required. The ID of the action that will trigger this obligation value policy decisioning.

        + + + + attribute_value + common.IdFqnIdentifier + +

        Required. The attribute value ID that will trigger this obligation value policy decisioning.

        + + + + context + policy.RequestContext + +

        Optional. The request context for this obligation value policy decisioning.

        @@ -15672,110 +15806,230 @@

        GetResourceMappin -

        GetResourceMappingGroupResponse

        + + +

        SortObligationsType

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        NameNumberDescription
        SORT_OBLIGATIONS_TYPE_UNSPECIFIED0

        SORT_OBLIGATIONS_TYPE_NAME1

        SORT_OBLIGATIONS_TYPE_FQN2

        SORT_OBLIGATIONS_TYPE_CREATED_AT3

        SORT_OBLIGATIONS_TYPE_UPDATED_AT4

        + + + + + +

        Service

        +

        Obligation Service

        /

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameRequest TypeResponse TypeDescription
        ListObligationsListObligationsRequestListObligationsResponse

        GetObligationGetObligationRequestGetObligationResponse

        GetObligationsByFQNsGetObligationsByFQNsRequestGetObligationsByFQNsResponse

        CreateObligationCreateObligationRequestCreateObligationResponse

        UpdateObligationUpdateObligationRequestUpdateObligationResponse

        DeleteObligationDeleteObligationRequestDeleteObligationResponse

        GetObligationValueGetObligationValueRequestGetObligationValueResponse

        GetObligationValuesByFQNsGetObligationValuesByFQNsRequestGetObligationValuesByFQNsResponse

        CreateObligationValueCreateObligationValueRequestCreateObligationValueResponse

        UpdateObligationValueUpdateObligationValueRequestUpdateObligationValueResponse

        DeleteObligationValueDeleteObligationValueRequestDeleteObligationValueResponse

        GetObligationTriggerGetObligationTriggerRequestGetObligationTriggerResponse

        AddObligationTriggerAddObligationTriggerRequestAddObligationTriggerResponse

        RemoveObligationTriggerRemoveObligationTriggerRequestRemoveObligationTriggerResponse

        ListObligationTriggersListObligationTriggersRequestListObligationTriggersResponse

        - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        resource_mapping_grouppolicy.ResourceMappingGroup

        - - - - -

        GetResourceMappingRequest

        -

        - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        idstring

        Required

        - - - - -

        GetResourceMappingResponse

        -

        - - - +

        Methods with idempotency_level option

        +
        - + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        Method NameOption
        resource_mappingpolicy.ResourceMapping

        ListObligations

        NO_SIDE_EFFECTS

        GetObligation

        NO_SIDE_EFFECTS

        GetObligationsByFQNs

        NO_SIDE_EFFECTS

        GetObligationValue

        NO_SIDE_EFFECTS

        GetObligationValuesByFQNs

        NO_SIDE_EFFECTS

        GetObligationTrigger

        NO_SIDE_EFFECTS

        ListObligationTriggers

        NO_SIDE_EFFECTS

        - - + -

        ListResourceMappingGroupsRequest

        -

        - - - - - - - - - - - - - - - - - - - - - - - -
        FieldTypeLabelDescription
        namespace_idstring

        Optional

        paginationpolicy.PageRequest

        Optional

        - - +
        +

        policy/registeredresources/registered_resources.proto

        Top +
        +

        - -

        ListResourceMappingGroupsResponse

        +

        ActionAttributeValue

        @@ -15786,95 +16040,29 @@

        ListResourceMa - resource_mapping_groups - policy.ResourceMappingGroup - repeated -

        - - - - pagination - policy.PageResponse + action_id + string

        - - - - - - - -

        ListResourceMappingsByGroupFqnsRequest

        -

        - - - - - - - - - + - - - - - -
        FieldTypeLabelDescription
        fqnsaction_name stringrepeated

        Required -Structure of the RM Group FQN is 'https://<namespace>/resm/<group name>'

        - - - - - -

        ListResourceMappingsByGroupFqnsResponse

        -

        - - - - - - - - - - - - + - -
        FieldTypeLabelDescription
        fqn_resource_mapping_groupsListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntryrepeated

        - - - - - -

        ListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntry

        -

        - - - - - - - - - + - - + + @@ -15886,7 +16074,7 @@

        ListResourceMappingsRequest

        +

        CreateRegisteredResourceRequest

        @@ -15897,50 +16085,43 @@

        ListResourceMappings

        - + - + - - - - - - - -
        FieldTypeLabelDescription
        keyattribute_value_id string

        valueResourceMappingsByGroupattribute_value_fqnstring

        group_idname string

        Optional

        Required

        paginationpolicy.PageRequest

        Optional

        - - - - - -

        ListResourceMappingsResponse

        -

        - - - - - - - + + + + + - - - + + + - - + + + + + + + + +
        FieldTypeLabelDescription
        valuesstringrepeated

        Optional +Registered Resource Values (when provided) must be alphanumeric strings, allowing hyphens and underscores but not as the first or last character. +The stored value will be normalized to lower case.

        resource_mappingspolicy.ResourceMappingrepeatednamespace_idstring

        paginationpolicy.PageResponsenamespace_fqnstring

        metadatacommon.MetadataMutable

        Optional +Common metadata

        @@ -15948,7 +16129,7 @@

        ListResourceMapping -

        ResourceMappingsByGroup

        +

        CreateRegisteredResourceResponse

        @@ -15959,19 +16140,12 @@

        ResourceMappingsByGroup< - group - policy.ResourceMappingGroup + resource + policy.RegisteredResource

        - - mappings - policy.ResourceMapping - repeated -

        - - @@ -15979,7 +16153,7 @@

        ResourceMappingsByGroup< -

        UpdateResourceMappingGroupRequest

        +

        CreateRegisteredResourceValueRequest

        @@ -15990,38 +16164,34 @@

        UpdateResource - id + resource_id string

        Required

        - namespace_id + value string -

        Optional

        +

        Required

        - name - string - -

        Optional

        + action_attribute_values + ActionAttributeValue + repeated +

        Optional +The associated Action <> AttributeValue combinations to be utilized in authorization/entitlement decisioning +(i.e. action read -> attribute value https://example.com/attr/department/value/marketing)

        metadata common.MetadataMutable -

        Common metadata

        - - - - metadata_update_behavior - common.MetadataUpdateEnum - -

        +

        Optional +Common metadata

        @@ -16031,7 +16201,7 @@

        UpdateResource -

        UpdateResourceMappingGroupResponse

        +

        CreateRegisteredResourceValueResponse

        @@ -16042,8 +16212,8 @@

        UpdateResourc - resource_mapping_group - policy.ResourceMappingGroup + value + policy.RegisteredResourceValue

        @@ -16055,7 +16225,7 @@

        UpdateResourc -

        UpdateResourceMappingRequest

        +

        DeleteRegisteredResourceRequest

        @@ -16072,38 +16242,26 @@

        UpdateResourceMappi

        Required

        - - attribute_value_id - string - -

        Optional

        - - - - terms - string - repeated -

        Optional

        - - - - group_id - string - -

        Optional

        - - - - metadata - common.MetadataMutable - -

        Optional -Common Metadata

        - + + + + + + + +

        DeleteRegisteredResourceResponse

        +

        + + + + + + + - - + + @@ -16115,7 +16273,7 @@

        UpdateResourceMappi -

        UpdateResourceMappingResponse

        +

        DeleteRegisteredResourceValueRequest

        @@ -16126,10 +16284,10 @@

        UpdateResourceMapp

        - - + + - + @@ -16139,151 +16297,31 @@

        UpdateResourceMapp - - - - - - -

        ResourceMappingService

        -

        Resource Mapping Groups

        -
        FieldTypeLabelDescription
        metadata_update_behaviorcommon.MetadataUpdateEnumresourcepolicy.RegisteredResource

        resource_mappingpolicy.ResourceMappingidstring

        Required

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Method NameRequest TypeResponse TypeDescription
        ListResourceMappingGroupsListResourceMappingGroupsRequestListResourceMappingGroupsResponse

        GetResourceMappingGroupGetResourceMappingGroupRequestGetResourceMappingGroupResponse

        CreateResourceMappingGroupCreateResourceMappingGroupRequestCreateResourceMappingGroupResponse

        UpdateResourceMappingGroupUpdateResourceMappingGroupRequestUpdateResourceMappingGroupResponse

        DeleteResourceMappingGroupDeleteResourceMappingGroupRequestDeleteResourceMappingGroupResponse

        ListResourceMappingsListResourceMappingsRequestListResourceMappingsResponse

        ListResourceMappingsByGroupFqnsListResourceMappingsByGroupFqnsRequestListResourceMappingsByGroupFqnsResponse

        GetResourceMappingGetResourceMappingRequestGetResourceMappingResponse

        CreateResourceMappingCreateResourceMappingRequestCreateResourceMappingResponse

        UpdateResourceMappingUpdateResourceMappingRequestUpdateResourceMappingResponse

        DeleteResourceMappingDeleteResourceMappingRequestDeleteResourceMappingResponse

        +

        DeleteRegisteredResourceValueResponse

        +

        - - -

        Methods with idempotency_level option

        - +
        - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + +
        Method NameOption
        FieldTypeLabelDescription
        ListResourceMappingGroups

        NO_SIDE_EFFECTS

        GetResourceMappingGroup

        NO_SIDE_EFFECTS

        ListResourceMappings

        NO_SIDE_EFFECTS

        ListResourceMappingsByGroupFqns

        NO_SIDE_EFFECTS

        GetResourceMapping

        NO_SIDE_EFFECTS

        valuepolicy.RegisteredResourceValue

        + - - - -
        -

        policy/subjectmapping/subject_mapping.proto

        Top -
        -

        + -

        CreateDefinitionValueEntitlementMappingRequest

        +

        GetRegisteredResourceRequest

        @@ -16294,68 +16332,33 @@

        Cr - attribute_definition_id + id string

        - attribute_definition_fqn + name string

        - value_resolver - policy.DefinitionValueResolver - -

        Required: the dynamic resolver comparing entity selector result to the resource value segment

        - - - - actions - policy.Action - repeated -

        Required: actions permitted on a matched value

        - - - - existing_subject_condition_set_id + namespace_fqn string -

        Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ...

        - - - - new_subject_condition_set - SubjectConditionSetCreate - -

        ... or create a new one (ignored if existing_subject_condition_set_id is provided)

        +

        namespace_id string -

        Optional: namespace ID or FQN for the mapping

        - - - - namespace_fqn - string -

        - - metadata - common.MetadataMutable - -

        Optional

        - - @@ -16363,7 +16366,7 @@

        Cr -

        CreateDefinitionValueEntitlementMappingResponse

        +

        GetRegisteredResourceResponse

        @@ -16374,8 +16377,8 @@

        C - definition_value_entitlement_mapping - policy.DefinitionValueEntitlementMapping + resource + policy.RegisteredResource

        @@ -16387,7 +16390,7 @@

        C -

        CreateSubjectConditionSetRequest

        +

        GetRegisteredResourceValueRequest

        @@ -16398,21 +16401,14 @@

        CreateSubjectCon - subject_condition_set - SubjectConditionSetCreate - -

        - - - - namespace_id + id string

        - namespace_fqn + fqn string

        @@ -16425,7 +16421,7 @@

        CreateSubjectCon -

        CreateSubjectConditionSetResponse

        +

        GetRegisteredResourceValueResponse

        @@ -16436,8 +16432,8 @@

        CreateSubjectCo - subject_condition_set - policy.SubjectConditionSet + value + policy.RegisteredResourceValue

        @@ -16449,7 +16445,7 @@

        CreateSubjectCo -

        CreateSubjectMappingRequest

        +

        GetRegisteredResourceValuesByFQNsRequest

        @@ -16460,54 +16456,94 @@

        CreateSubjectMappingR - attribute_value_id + fqns string - -

        Required -Attribute Value to be mapped to

        + repeated +

        Required

        + + + + + + + +

        GetRegisteredResourceValuesByFQNsResponse

        +

        + + + + + + + + - - + + - + + +
        FieldTypeLabelDescription
        actionspolicy.Actionfqn_value_mapGetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntry repeated

        Required -The actions permitted by subjects in this mapping

        + + + + + +

        GetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntry

        +

        + + + + + + + + - + - + - - + + - + - - - - - - + +
        FieldTypeLabelDescription
        existing_subject_condition_set_idkey string

        Either of the following: -Reuse existing SubjectConditionSet (NOTE: prioritized over new_subject_condition_set)

        new_subject_condition_setSubjectConditionSetCreatevaluepolicy.RegisteredResourceValue

        Create new SubjectConditionSet (NOTE: ignored if existing_subject_condition_set_id is provided)

        namespace_idstring

        Optional -Namespace ID or FQN for the subject mapping

        + + + + + +

        ListRegisteredResourceValuesRequest

        +

        + + + + + + + - + - + - - + + @@ -16519,7 +16555,7 @@

        CreateSubjectMappingR -

        CreateSubjectMappingResponse

        +

        ListRegisteredResourceValuesResponse

        @@ -16530,8 +16566,15 @@

        CreateSubjectMapping

        - - + + + + + + + + + @@ -16543,7 +16586,7 @@

        CreateSubjectMapping -

        DefinitionValueEntitlementMappingsSort

        +

        ListRegisteredResourcesRequest

        @@ -16554,19 +16597,37 @@

        Definition

        - - + + - - + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        namespace_fqnresource_id string

        Optional

        metadatacommon.MetadataMutablepaginationpolicy.PageRequest

        Optional

        subject_mappingpolicy.SubjectMappingvaluespolicy.RegisteredResourceValuerepeated

        paginationpolicy.PageResponse

        fieldSortDefinitionValueEntitlementMappingsTypenamespace_idstring

        directionpolicy.SortDirectionnamespace_fqnstring

        paginationpolicy.PageRequest

        Optional

        sortRegisteredResourcesSortrepeated

        Optional - CONSTRAINT: max 1 item +Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC

        @@ -16574,14 +16635,38 @@

        Definition -

        DeleteAllUnmappedSubjectConditionSetsRequest

        -

        Prune any Subject Condition Sets not utilized within a Subject Mapping

        +

        ListRegisteredResourcesResponse

        +

        + + + + + + + + + + + + + + + + + + + + + +
        FieldTypeLabelDescription
        resourcespolicy.RegisteredResourcerepeated

        paginationpolicy.PageResponse

        + + -

        DeleteAllUnmappedSubjectConditionSetsResponse

        +

        RegisteredResourcesSort

        @@ -16592,10 +16677,17 @@

        Del - subject_condition_sets - policy.SubjectConditionSet - repeated -

        Only IDs of any deleted Subject Condition Set provided

        + field + SortRegisteredResourcesType + +

        + + + + direction + policy.SortDirection + +

        @@ -16605,7 +16697,7 @@

        Del -

        DeleteDefinitionValueEntitlementMappingRequest

        +

        UpdateRegisteredResourceRequest

        @@ -16622,6 +16714,28 @@

        De

        Required

        + + name + string + +

        Optional

        + + + + metadata + common.MetadataMutable + +

        Optional +Common metadata

        + + + + metadata_update_behavior + common.MetadataUpdateEnum + +

        + + @@ -16629,7 +16743,7 @@

        De -

        DeleteDefinitionValueEntitlementMappingResponse

        +

        UpdateRegisteredResourceResponse

        @@ -16640,10 +16754,10 @@

        D - definition_value_entitlement_mapping - policy.DefinitionValueEntitlementMapping + resource + policy.RegisteredResource -

        Only ID of the deleted mapping provided

        +

        @@ -16653,7 +16767,7 @@

        D -

        DeleteSubjectConditionSetRequest

        +

        UpdateRegisteredResourceValueRequest

        @@ -16670,6 +16784,36 @@

        DeleteSubjectCon

        Required

        + + value + string + +

        Optional

        + + + + action_attribute_values + ActionAttributeValue + repeated +

        Optional +Action Attribute Values provided here will replace all existing records in the database. To delete all action attribute values, set this field to an empty list.

        + + + + metadata + common.MetadataMutable + +

        Optional +Common metadata

        + + + + metadata_update_behavior + common.MetadataUpdateEnum + +

        + + @@ -16677,7 +16821,7 @@

        DeleteSubjectCon -

        DeleteSubjectConditionSetResponse

        +

        UpdateRegisteredResourceValueResponse

        @@ -16688,10 +16832,10 @@

        DeleteSubjectCo - subject_condition_set - policy.SubjectConditionSet + value + policy.RegisteredResourceValue -

        Only ID of deleted Subject Condition Set provided

        +

        @@ -16701,7 +16845,145 @@

        DeleteSubjectCo -

        DeleteSubjectMappingRequest

        + + +

        SortRegisteredResourcesType

        +

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        NameNumberDescription
        SORT_REGISTERED_RESOURCES_TYPE_UNSPECIFIED0

        SORT_REGISTERED_RESOURCES_TYPE_NAME1

        SORT_REGISTERED_RESOURCES_TYPE_CREATED_AT2

        SORT_REGISTERED_RESOURCES_TYPE_UPDATED_AT3

        + + + + + +

        RegisteredResourcesService

        +

        Registered Resources

        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Method NameRequest TypeResponse TypeDescription
        CreateRegisteredResourceCreateRegisteredResourceRequestCreateRegisteredResourceResponse

        GetRegisteredResourceGetRegisteredResourceRequestGetRegisteredResourceResponse

        ListRegisteredResourcesListRegisteredResourcesRequestListRegisteredResourcesResponse

        UpdateRegisteredResourceUpdateRegisteredResourceRequestUpdateRegisteredResourceResponse

        DeleteRegisteredResourceDeleteRegisteredResourceRequestDeleteRegisteredResourceResponse

        CreateRegisteredResourceValueCreateRegisteredResourceValueRequestCreateRegisteredResourceValueResponse

        GetRegisteredResourceValueGetRegisteredResourceValueRequestGetRegisteredResourceValueResponse

        GetRegisteredResourceValuesByFQNsGetRegisteredResourceValuesByFQNsRequestGetRegisteredResourceValuesByFQNsResponse

        ListRegisteredResourceValuesListRegisteredResourceValuesRequestListRegisteredResourceValuesResponse

        UpdateRegisteredResourceValueUpdateRegisteredResourceValueRequestUpdateRegisteredResourceValueResponse

        DeleteRegisteredResourceValueDeleteRegisteredResourceValueRequestDeleteRegisteredResourceValueResponse

        + + + + +
        +

        policy/resourcemapping/resource_mapping.proto

        Top +
        +

        + + +

        CreateResourceMappingGroupRequest

        @@ -16712,12 +16994,26 @@

        DeleteSubjectMappingR - id + namespace_id + string + +

        Required

        + + + + name string

        Required

        + + metadata + common.MetadataMutable + +

        Common metadata

        + + @@ -16725,7 +17021,7 @@

        DeleteSubjectMappingR -

        DeleteSubjectMappingResponse

        +

        CreateResourceMappingGroupResponse

        @@ -16736,10 +17032,10 @@

        DeleteSubjectMapping - subject_mapping - policy.SubjectMapping + resource_mapping_group + policy.ResourceMappingGroup -

        Only ID of the updated Subject Mapping provided

        +

        @@ -16749,7 +17045,7 @@

        DeleteSubjectMapping -

        GetDefinitionValueEntitlementMappingRequest

        +

        CreateResourceMappingRequest

        @@ -16760,10 +17056,31 @@

        GetDe - id - string + attribute_value_id + string + +

        Required

        + + + + terms + string + repeated +

        Required

        + + + + group_id + string + +

        Optional

        + + + + metadata + common.MetadataMutable -

        Required

        +

        Optional

        @@ -16773,7 +17090,7 @@

        GetDe -

        GetDefinitionValueEntitlementMappingResponse

        +

        CreateResourceMappingResponse

        @@ -16784,8 +17101,8 @@

        GetD - definition_value_entitlement_mapping - policy.DefinitionValueEntitlementMapping + resource_mapping + policy.ResourceMapping

        @@ -16797,7 +17114,7 @@

        GetD -

        GetSubjectConditionSetRequest

        +

        DeleteResourceMappingGroupRequest

        @@ -16821,7 +17138,7 @@

        GetSubjectCondition -

        GetSubjectConditionSetResponse

        +

        DeleteResourceMappingGroupResponse

        @@ -16832,19 +17149,12 @@

        GetSubjectConditio - subject_condition_set - policy.SubjectConditionSet + resource_mapping_group + policy.ResourceMappingGroup

        - - associated_subject_mappings - policy.SubjectMapping - repeated -

        contextualized Subject Mappings associated with this SubjectConditionSet

        - - @@ -16852,7 +17162,7 @@

        GetSubjectConditio -

        GetSubjectMappingRequest

        +

        DeleteResourceMappingRequest

        @@ -16876,7 +17186,7 @@

        GetSubjectMappingRequest -

        GetSubjectMappingResponse

        +

        DeleteResourceMappingResponse

        @@ -16887,8 +17197,8 @@

        GetSubjectMappingRespon - subject_mapping - policy.SubjectMapping + resource_mapping + policy.ResourceMapping

        @@ -16900,7 +17210,7 @@

        GetSubjectMappingRespon -

        ListDefinitionValueEntitlementMappingsRequest

        +

        GetResourceMappingGroupRequest

        @@ -16911,32 +17221,10 @@

        Lis - namespace_id - string - -

        Optional -Namespace ID, or Attribute Definition ID to filter by

        - - - - attribute_definition_id + id string -

        - - - - pagination - policy.PageRequest - -

        Optional

        - - - - sort - DefinitionValueEntitlementMappingsSort - repeated -

        Optional - CONSTRAINT: max 1 item

        +

        Required

        @@ -16946,7 +17234,7 @@

        Lis -

        ListDefinitionValueEntitlementMappingsResponse

        +

        GetResourceMappingGroupResponse

        @@ -16957,15 +17245,8 @@

        Li - definition_value_entitlement_mappings - policy.DefinitionValueEntitlementMapping - repeated -

        - - - - pagination - policy.PageResponse + resource_mapping_group + policy.ResourceMappingGroup

        @@ -16977,7 +17258,7 @@

        Li -

        ListSubjectConditionSetsRequest

        +

        GetResourceMappingRequest

        @@ -16988,35 +17269,10 @@

        ListSubjectCondit - namespace_id - string - -

        - - - - namespace_fqn + id string -

        - - - - pagination - policy.PageRequest - -

        Optional

        - - - - sort - SubjectConditionSetsSort - repeated -

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        +

        Required

        @@ -17026,7 +17282,7 @@

        ListSubjectCondit -

        ListSubjectConditionSetsResponse

        +

        GetResourceMappingResponse

        @@ -17037,15 +17293,8 @@

        ListSubjectCondi - subject_condition_sets - policy.SubjectConditionSet - repeated -

        - - - - pagination - policy.PageResponse + resource_mapping + policy.ResourceMapping

        @@ -17057,7 +17306,7 @@

        ListSubjectCondi -

        ListSubjectMappingsRequest

        +

        ListResourceMappingGroupsRequest

        @@ -17071,14 +17320,7 @@

        ListSubjectMappingsReq namespace_id string -

        - - - - namespace_fqn - string - -

        +

        Optional

        @@ -17088,17 +17330,6 @@

        ListSubjectMappingsReq

        Optional

        - - sort - SubjectMappingsSort - repeated -

        Optional - CONSTRAINT: max 1 item -Sort defaults: - - direction UNSPECIFIED defaults to DESC for the specified field - - field UNSPECIFIED defaults to created_at with the specified direction - - both UNSPECIFIED or sort omitted defaults to created_at DESC

        - - @@ -17106,7 +17337,7 @@

        ListSubjectMappingsReq -

        ListSubjectMappingsResponse

        +

        ListResourceMappingGroupsResponse

        @@ -17117,8 +17348,8 @@

        ListSubjectMappingsRe - subject_mappings - policy.SubjectMapping + resource_mapping_groups + policy.ResourceMappingGroup repeated

        @@ -17137,8 +17368,8 @@

        ListSubjectMappingsRe -

        MatchSubjectMappingsRequest

        -

        MatchSubjectMappingsRequest liberally returns a list of SubjectMappings based on the provided SubjectProperties.

        The SubjectMappings are returned if an external selector field matches.

        +

        ListResourceMappingsByGroupFqnsRequest

        +

        @@ -17148,10 +17379,11 @@

        MatchSubjectMappingsR

        - - + + - + @@ -17161,7 +17393,7 @@

        MatchSubjectMappingsR -

        MatchSubjectMappingsResponse

        +

        ListResourceMappingsByGroupFqnsResponse

        @@ -17172,8 +17404,8 @@

        MatchSubjectMappings

        - - + + @@ -17185,7 +17417,7 @@

        MatchSubjectMappings -

        SubjectConditionSetCreate

        +

        ListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntry

        @@ -17196,18 +17428,17 @@

        SubjectConditionSetCrea

        - - - - + + + + - - + + - + @@ -17217,7 +17448,7 @@

        SubjectConditionSetCrea -

        SubjectConditionSetsSort

        +

        ListResourceMappingsRequest

        @@ -17228,17 +17459,17 @@

        SubjectConditionSetsSort

        - - + + - + - - + + - + @@ -17248,7 +17479,7 @@

        SubjectConditionSetsSort -

        SubjectMappingsSort

        +

        ListResourceMappingsResponse

        @@ -17259,15 +17490,15 @@

        SubjectMappingsSort

        - - - + + + - - + + @@ -17279,7 +17510,7 @@

        SubjectMappingsSort

        -

        UpdateDefinitionValueEntitlementMappingRequest

        +

        ResourceMappingsByGroup

        @@ -17290,68 +17521,16 @@

        Up

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - -
        subject_propertiespolicy.SubjectPropertyfqnsstring repeated

        Required +Structure of the RM Group FQN is 'https://<namespace>/resm/<group name>'

        subject_mappingspolicy.SubjectMappingfqn_resource_mapping_groupsListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntry repeated

        subject_setspolicy.SubjectSetrepeated

        Required

        keystring

        metadatacommon.MetadataMutablevalueResourceMappingsByGroup

        Optional -Common metadata

        fieldSortSubjectConditionSetsTypegroup_idstring

        Optional

        directionpolicy.SortDirectionpaginationpolicy.PageRequest

        Optional

        fieldSortSubjectMappingsTyperesource_mappingspolicy.ResourceMappingrepeated

        directionpolicy.SortDirectionpaginationpolicy.PageResponse

        idstring

        Required

        value_resolverpolicy.DefinitionValueResolver

        Optional: replace the dynamic resolver

        subject_condition_set_idstring

        Optional: replace the static pre-gate SubjectConditionSet by id

        actionspolicy.Actionrepeated

        Optional: replace the entire list of actions

        metadatacommon.MetadataMutable

        Common metadata

        metadata_update_behaviorcommon.MetadataUpdateEnumgrouppolicy.ResourceMappingGroup

        - - - - - -

        UpdateDefinitionValueEntitlementMappingResponse

        -

        - - - - - - - + - - - + + + @@ -17362,7 +17541,7 @@

        U -

        UpdateSubjectConditionSetRequest

        +

        UpdateResourceMappingGroupRequest

        @@ -17380,11 +17559,17 @@

        UpdateSubjectCon

        - - - - + + + + + + + + + + + @@ -17408,7 +17593,7 @@

        UpdateSubjectCon -

        UpdateSubjectConditionSetResponse

        +

        UpdateResourceMappingGroupResponse

        @@ -17419,10 +17604,10 @@

        UpdateSubjectCo

        - - + + - + @@ -17432,7 +17617,7 @@

        UpdateSubjectCo -

        UpdateSubjectMappingRequest

        +

        UpdateResourceMappingRequest

        @@ -17450,26 +17635,32 @@

        UpdateSubjectMappingR

        - + - + - - + + - + + + + + + + + - + @@ -17486,7 +17677,7 @@

        UpdateSubjectMappingR -

        UpdateSubjectMappingResponse

        +

        UpdateResourceMappingResponse

        @@ -17497,10 +17688,10 @@

        UpdateSubjectMapping

        - - + + - + @@ -17512,99 +17703,12 @@

        UpdateSubjectMapping -

        SortDefinitionValueEntitlementMappingsType

        -

        -
        FieldTypeLabelDescription
        definition_value_entitlement_mappingpolicy.DefinitionValueEntitlementMappingmappingspolicy.ResourceMappingrepeated

        subject_setspolicy.SubjectSetrepeated

        Optional -If provided, replaces entire existing structure of Subject Sets, Condition Groups, & Conditions

        namespace_idstring

        Optional

        namestring

        Optional

        subject_condition_setpolicy.SubjectConditionSetresource_mapping_grouppolicy.ResourceMappingGroup

        Only ID of updated Subject Condition Set provided

        subject_condition_set_idattribute_value_id string

        Optional -Replaces the existing SubjectConditionSet id with a new one

        Optional

        actionspolicy.Actiontermsstring repeated

        Optional -Replaces entire list of actions permitted by subjects

        Optional

        group_idstring

        Optional

        metadata common.MetadataMutable

        Common metadata

        Optional +Common Metadata

        subject_mappingpolicy.SubjectMappingresource_mappingpolicy.ResourceMapping

        Only ID of the updated Subject Mapping provided

        - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED0

        SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT1

        SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT2

        - -

        SortSubjectConditionSetsType

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_SUBJECT_CONDITION_SETS_TYPE_UNSPECIFIED0

        SORT_SUBJECT_CONDITION_SETS_TYPE_CREATED_AT1

        SORT_SUBJECT_CONDITION_SETS_TYPE_UPDATED_AT2

        - -

        SortSubjectMappingsType

        -

        - - - - - - - - - - - - - - - - - - - - - - - - - -
        NameNumberDescription
        SORT_SUBJECT_MAPPINGS_TYPE_UNSPECIFIED0

        SORT_SUBJECT_MAPPINGS_TYPE_CREATED_AT1

        SORT_SUBJECT_MAPPINGS_TYPE_UPDATED_AT2

        - -

        SubjectMappingService

        -

        +

        ResourceMappingService

        +

        Resource Mapping Groups

        @@ -17612,121 +17716,79 @@

        SubjectMappingService

        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + @@ -17747,32 +17809,27 @@

        Methods with idempotency_level option

        - - - - - - + - + - + - + - + diff --git a/docs/openapi/policy/dynamicvaluemapping/dynamic_value_mapping.openapi.yaml b/docs/openapi/policy/dynamicvaluemapping/dynamic_value_mapping.openapi.yaml new file mode 100644 index 0000000000..fd0fb63dc6 --- /dev/null +++ b/docs/openapi/policy/dynamicvaluemapping/dynamic_value_mapping.openapi.yaml 
@@ -0,0 +1,1454 @@ +openapi: 3.1.0 +info: + title: policy.dynamicvaluemapping +paths: + /policy.dynamicvaluemapping.DynamicValueMappingService/CreateDynamicValueMapping: + post: + tags: + - policy.dynamicvaluemapping.DynamicValueMappingService + summary: CreateDynamicValueMapping + operationId: policy.dynamicvaluemapping.DynamicValueMappingService.CreateDynamicValueMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.dynamicvaluemapping.CreateDynamicValueMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.dynamicvaluemapping.CreateDynamicValueMappingResponse' + /policy.dynamicvaluemapping.DynamicValueMappingService/DeleteDynamicValueMapping: + post: + tags: + - policy.dynamicvaluemapping.DynamicValueMappingService + summary: DeleteDynamicValueMapping + operationId: policy.dynamicvaluemapping.DynamicValueMappingService.DeleteDynamicValueMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.dynamicvaluemapping.DeleteDynamicValueMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + 
$ref: '#/components/schemas/policy.dynamicvaluemapping.DeleteDynamicValueMappingResponse' + /policy.dynamicvaluemapping.DynamicValueMappingService/GetDynamicValueMapping: + post: + tags: + - policy.dynamicvaluemapping.DynamicValueMappingService + summary: GetDynamicValueMapping + operationId: policy.dynamicvaluemapping.DynamicValueMappingService.GetDynamicValueMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.dynamicvaluemapping.GetDynamicValueMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.dynamicvaluemapping.GetDynamicValueMappingResponse' + /policy.dynamicvaluemapping.DynamicValueMappingService/ListDynamicValueMappings: + post: + tags: + - policy.dynamicvaluemapping.DynamicValueMappingService + summary: ListDynamicValueMappings + operationId: policy.dynamicvaluemapping.DynamicValueMappingService.ListDynamicValueMappings + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.dynamicvaluemapping.ListDynamicValueMappingsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/policy.dynamicvaluemapping.ListDynamicValueMappingsResponse' + /policy.dynamicvaluemapping.DynamicValueMappingService/UpdateDynamicValueMapping: + post: + tags: + - policy.dynamicvaluemapping.DynamicValueMappingService + summary: UpdateDynamicValueMapping + operationId: policy.dynamicvaluemapping.DynamicValueMappingService.UpdateDynamicValueMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.dynamicvaluemapping.UpdateDynamicValueMappingResponse' +components: + schemas: + common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + 
common.MetadataMutable: + type: object + properties: + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional labels + title: MetadataMutable + additionalProperties: false + common.MetadataMutable.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + details: + type: array + items: + $ref: '#/components/schemas/connect.error_details.Any' + description: A list of messages that carry the error details. There is no limit on the number of messages. 
+ title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + connect.error_details.Any: + type: object + properties: + type: + type: string + description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.' + value: + type: string + format: binary + description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field. + debug: + oneOf: + - type: object + title: Any + additionalProperties: true + description: Detailed error information. + discriminator: + propertyName: type + title: Debug + description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic. + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details. + google.protobuf.BoolValue: + type: boolean + description: |- + Wrapper message for `bool`. + + The JSON representation for `BoolValue` is JSON `true` and `false`. + + Not recommended for use in new APIs, but still useful for legacy APIs and + has no plan to be removed. + google.protobuf.Timestamp: + type: string + examples: + - "2023-01-15T01:30:15.01Z" + - "2024-12-25T12:00:00Z" + format: date-time + description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. 
The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). + + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. + + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. + Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. + + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. + + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. 
+ + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). + + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. 
+ policy.Action: + type: object + allOf: + - properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + namespace: + title: namespace + description: Namespace context for this action + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + - oneOf: + - type: object + properties: + custom: + type: string + title: custom + description: Deprecated + title: custom + required: + - custom + - type: object + properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + title: Action + additionalProperties: false + description: An action an entity can take + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + - ALGORITHM_HPQT_XWING + - ALGORITHM_HPQT_SECP256R1_MLKEM768 + - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + description: Supported key algorithms. + policy.Attribute: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + description: namespace of the attribute + $ref: '#/components/schemas/policy.Namespace' + name: + type: string + title: name + description: attribute name + rule: + title: rule + description: attribute rule enum + $ref: '#/components/schemas/policy.AttributeRuleTypeEnum' + values: + type: array + items: + $ref: '#/components/schemas/policy.Value' + title: values + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: Deprecated KAS grants for the attribute. Use kas_keys instead. 
+ fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys associated with the attribute + allowTraversal: + title: allow_traversal + description: |- + Whether or not we will use the attribute definition during encryption + if the attribute value is missing. + $ref: '#/components/schemas/google.protobuf.BoolValue' + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Attribute + required: + - rule + additionalProperties: false + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.Condition: + type: object + properties: + subjectExternalSelectorValue: + type: string + title: subject_external_selector_value + description: |- + a selector for a field value on a flattened Entity Representation (such as + from idP/LDAP) + operator: + title: operator + description: the evaluation operator of relation + $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum' + subjectExternalValues: + type: array + items: + type: string + title: subject_external_values + minItems: 1 + description: |- + list of comparison values for the result of applying the + subject_external_selector_value on a flattened Entity Representation + (Subject), evaluated by the operator + title: Condition + required: + - subjectExternalSelectorValue + - operator + additionalProperties: false + description: |- + * + A Condition defines a rule of + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - 
CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.ConditionGroup: + type: object + properties: + conditions: + type: array + items: + $ref: '#/components/schemas/policy.Condition' + title: conditions + minItems: 1 + booleanOperator: + title: boolean_operator + description: the boolean evaluation type across the conditions + $ref: '#/components/schemas/policy.ConditionBooleanTypeEnum' + title: ConditionGroup + required: + - booleanOperator + additionalProperties: false + description: A collection of Conditions evaluated by the boolean_operator provided + policy.DynamicValueMapping: + type: object + properties: + id: + type: string + title: id + attributeDefinition: + title: attribute_definition + description: the Attribute Definition whose values are entitled dynamically + $ref: '#/components/schemas/policy.Attribute' + valueResolver: + title: value_resolver + description: the dynamic resolver matched against the requested resource value segment + $ref: '#/components/schemas/policy.DynamicValueResolver' + subjectConditionSet: + title: subject_condition_set + description: |- + optional static pre-gate on the entity, evaluated with normal SubjectConditionSet + semantics (no dynamic overload). When present, both the gate and the resolver must + pass for entitlement. + $ref: '#/components/schemas/policy.SubjectConditionSet' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: the actions permitted by subjects in this mapping + namespace: + title: namespace + description: the namespace containing this mapping + $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: DynamicValueMapping + additionalProperties: false + description: |- + Dynamic Value Mapping: a Policy assigning permitted action(s) to + dynamically-requested values under an Attribute Definition. 
It raises entitlement + authority from a concrete Attribute Value to the Attribute Definition: at decision time + the value_resolver compares the requested resource value segment against the entity + representation, avoiding pre-provisioning a value + subject mapping per discrete value. + policy.DynamicValueOperatorEnum: + type: string + title: DynamicValueOperatorEnum + enum: + - DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED + - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN + - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS + description: |- + Operators for dynamic, definition-level value entitlement. Unlike + SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into + policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's + attribute value segment, supplied at decision time. Each value is the inversion of its + static SubjectMappingOperatorEnum counterpart. + policy.DynamicValueResolver: + type: object + properties: + subjectExternalSelectorValue: + type: string + title: subject_external_selector_value + description: |- + a selector for a field value on a flattened Entity Representation (such as from + idP/LDAP), e.g. ".patientAssignments[]" + operator: + title: operator + description: the dynamic operator comparing the selector result to the resource value segment + $ref: '#/components/schemas/policy.DynamicValueOperatorEnum' + title: DynamicValueResolver + required: + - subjectExternalSelectorValue + - operator + additionalProperties: false + description: |- + Definition Value Resolver: the dynamic half of a DynamicValueMapping. It + resolves a selector against the entity representation and compares the result to the + requested resource value segment using a DynamicValueOperatorEnum. 
+ policy.KasPublicKey: + type: object + properties: + pem: + type: string + title: pem + maxLength: 8192 + minLength: 1 + description: x509 ASN.1 content in PEM envelope, usually + kid: + type: string + title: kid + maxLength: 32 + minLength: 1 + description: A unique string identifier for this key + alg: + not: + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + title: alg + description: |- + A known algorithm type with any additional parameters encoded. + To start, these may be `rsa:2048` for RSA-based wrapping and + `ec:secp256r1` for EC-based wrapping, but more formats may be added as needed. + $ref: '#/components/schemas/policy.KasPublicKeyAlgEnum' + title: KasPublicKey + additionalProperties: false + description: |- + Deprecated + A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 + - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + policy.KasPublicKeySet: + type: object + properties: + keys: + type: array + items: + $ref: '#/components/schemas/policy.KasPublicKey' + title: keys + title: KasPublicKeySet + additionalProperties: false + description: |- + Deprecated + A list of known KAS public keys + policy.KeyAccessServer: + type: object + properties: + id: + type: string + title: id + uri: + type: string + title: uri + description: | + Address of a KAS instance + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. 
+ publicKey: + title: public_key + description: 'Deprecated: KAS can have multiple key pairs' + $ref: '#/components/schemas/policy.PublicKey' + sourceType: + title: source_type + description: 'The source of the KAS: (INTERNAL, EXTERNAL)' + $ref: '#/components/schemas/policy.SourceType' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Kas keys associated with this KAS + name: + type: string + title: name + description: |- + Optional + Unique name of the KAS instance + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyAccessServer + additionalProperties: false + description: Key Access Server Registry + policy.Namespace: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + name: + type: string + title: name + description: |- + used to partition Attribute Definitions, support by namespace AuthN and + enable federation + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: Deprecated KAS grants for the namespace. Use kas_keys instead. 
+ kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys for the namespace + title: Namespace + additionalProperties: false + policy.Obligation: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + $ref: '#/components/schemas/policy.Namespace' + name: + type: string + title: name + values: + type: array + items: + $ref: '#/components/schemas/policy.ObligationValue' + title: values + fqn: + type: string + title: fqn + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: Obligation + additionalProperties: false + policy.ObligationTrigger: + type: object + properties: + id: + type: string + title: id + obligationValue: + title: obligation_value + $ref: '#/components/schemas/policy.ObligationValue' + action: + title: action + $ref: '#/components/schemas/policy.Action' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + context: + type: array + items: + $ref: '#/components/schemas/policy.RequestContext' + title: context + namespace: + title: namespace + description: The source namespace for this trigger, derived from the attribute value and action. 
+ $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: ObligationTrigger + additionalProperties: false + policy.ObligationValue: + type: object + properties: + id: + type: string + title: id + obligation: + title: obligation + $ref: '#/components/schemas/policy.Obligation' + value: + type: string + title: value + triggers: + type: array + items: + $ref: '#/components/schemas/policy.ObligationTrigger' + title: triggers + fqn: + type: string + title: fqn + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: ObligationValue + additionalProperties: false + policy.PageRequest: + type: object + properties: + limit: + type: integer + title: limit + format: int32 + description: |- + Optional + Set to configured default limit if not provided + Maximum limit set in platform config and enforced by services + offset: + type: integer + title: offset + format: int32 + description: |- + Optional + Defaulted if not provided + title: PageRequest + additionalProperties: false + policy.PageResponse: + type: object + properties: + currentOffset: + type: integer + title: current_offset + format: int32 + description: Requested pagination offset + nextOffset: + type: integer + title: next_offset + format: int32 + description: |- + Calculated with request limit + offset or defaults + Empty when none remain after current page + total: + type: integer + title: total + format: int32 + description: Total count of entire list + title: PageResponse + additionalProperties: false + policy.PolicyEnforcementPoint: + type: object + properties: + clientId: + type: string + title: client_id + minLength: 1 + title: PolicyEnforcementPoint + additionalProperties: false + policy.PublicKey: + type: object + oneOf: + - type: object + properties: + cached: + title: cached + description: public key with additional information. 
Current preferred version + $ref: '#/components/schemas/policy.KasPublicKeySet' + title: cached + required: + - cached + - type: object + properties: + remote: + type: string + title: remote + description: | + kas public key url - optional since can also be retrieved via public key + uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes. + title: remote + required: + - remote + title: PublicKey + additionalProperties: false + description: Deprecated + policy.RequestContext: + type: object + properties: + pep: + title: pep + $ref: '#/components/schemas/policy.PolicyEnforcementPoint' + title: RequestContext + required: + - pep + additionalProperties: false + description: Holds the context needed for obligation fulfillment + policy.ResourceMapping: + type: object + properties: + id: + type: string + title: id + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + terms: + type: array + items: + type: string + title: terms + group: + title: group + $ref: '#/components/schemas/policy.ResourceMappingGroup' + title: ResourceMapping + required: + - attributeValue + additionalProperties: false + description: |- + Resource Mappings (aka Access Control Resource Encodings aka ACRE) are + structures supporting the mapping of Resources and Attribute Values + policy.ResourceMappingGroup: + type: object + properties: + id: + type: string + title: id + namespaceId: + type: string + title: namespace_id + description: the namespace containing the group of resource mappings + name: + type: string + title: name + description: |- + the common name for the group of resource mappings, which must be unique + per namespace + fqn: + type: string + title: fqn + description: the fully qualified name of the resource 
mapping group + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: ResourceMappingGroup + required: + - namespaceId + - name + additionalProperties: false + description: |- + Resource Mapping Groups are namespaced collections of Resource Mappings + associated under a common group name. + policy.SimpleKasKey: + type: object + properties: + kasUri: + type: string + title: kas_uri + description: The URL of the Key Access Server + publicKey: + title: public_key + description: The public key of the Key that belongs to the KAS + $ref: '#/components/schemas/policy.SimpleKasPublicKey' + kasId: + type: string + title: kas_id + description: The ID of the Key Access Server + title: SimpleKasKey + additionalProperties: false + policy.SimpleKasPublicKey: + type: object + properties: + algorithm: + title: algorithm + $ref: '#/components/schemas/policy.Algorithm' + kid: + type: string + title: kid + pem: + type: string + title: pem + title: SimpleKasPublicKey + additionalProperties: false + policy.SortDirection: + type: string + title: SortDirection + enum: + - SORT_DIRECTION_UNSPECIFIED + - SORT_DIRECTION_ASC + - SORT_DIRECTION_DESC + description: |- + Sorting direction shared across list APIs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. 
+ policy.SubjectConditionSet: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + description: |- + the namespace containing this subject condition set + possible this is empty in the case a subject condition set + has not been migrated to a namespace. + $ref: '#/components/schemas/policy.Namespace' + subjectSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectSet' + title: subject_sets + minItems: 1 + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectConditionSet + additionalProperties: false + description: |- + A container for multiple Subject Sets, each containing Condition Groups, each + containing Conditions. Multiple Subject Sets in a SubjectConditionSet are + evaluated with AND logic. As each Subject Mapping has only one Attribute + Value, the SubjectConditionSet is reusable across multiple Subject Mappings / + Attribute Values and is an independent unit. + policy.SubjectMapping: + type: object + properties: + id: + type: string + title: id + attributeValue: + title: attribute_value + description: 'the Attribute Value mapped to; aka: "The Entity Entitlement Attribute"' + $ref: '#/components/schemas/policy.Value' + subjectConditionSet: + title: subject_condition_set + description: the reusable SubjectConditionSet mapped to the given Attribute Value + $ref: '#/components/schemas/policy.SubjectConditionSet' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: The actions permitted by subjects in this mapping + namespace: + title: namespace + description: |- + the namespace containing this subject mapping + possible this is empty. If so that means + the Subject Mapping has not been migrated to a namespace. 
+ $ref: '#/components/schemas/policy.Namespace' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectMapping + additionalProperties: false + description: |- + Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute + value + action(s) combination + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS + policy.SubjectSet: + type: object + properties: + conditionGroups: + type: array + items: + $ref: '#/components/schemas/policy.ConditionGroup' + title: condition_groups + minItems: 1 + description: multiple Condition Groups are evaluated with AND logic + title: SubjectSet + additionalProperties: false + description: A collection of Condition Groups + policy.Value: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + value: + type: string + title: value + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: Deprecated KAS grants for the value. Use kas_keys instead. 
+ fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + subjectMappings: + type: array + items: + $ref: '#/components/schemas/policy.SubjectMapping' + title: subject_mappings + description: subject mapping + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + resourceMappings: + type: array + items: + $ref: '#/components/schemas/policy.ResourceMapping' + title: resource_mappings + obligations: + type: array + items: + $ref: '#/components/schemas/policy.Obligation' + title: obligations + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Value + additionalProperties: false + policy.dynamicvaluemapping.CreateDynamicValueMappingRequest: + type: object + allOf: + - oneOf: + - required: + - attributeDefinitionId + - required: + - attributeDefinitionFqn + properties: + attributeDefinitionId: + type: string + title: attribute_definition_id + description: | + optional_uuid_format // Optional field must be a valid UUID + attributeDefinitionFqn: + type: string + title: attribute_definition_fqn + format: uri + valueResolver: + title: value_resolver + description: 'Required: the dynamic resolver comparing entity selector result to the resource value segment' + $ref: '#/components/schemas/policy.DynamicValueResolver' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + minItems: 1 + description: | + Required: actions permitted on a matched value + action_name_or_id_not_empty // Action name or ID must not be empty if provided + existingSubjectConditionSetId: + type: string + title: existing_subject_condition_set_id + description: | + Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ... 
+ optional_uuid_format // Optional field must be a valid UUID + newSubjectConditionSet: + title: new_subject_condition_set + description: '... or create a new one (ignored if existing_subject_condition_set_id is provided)' + $ref: '#/components/schemas/policy.subjectmapping.SubjectConditionSetCreate' + namespaceId: + type: string + title: namespace_id + description: | + Optional: namespace ID or FQN for the mapping + optional_uuid_format // Optional field must be a valid UUID + namespaceFqn: + type: string + title: namespace_fqn + format: uri + metadata: + title: metadata + description: Optional + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateDynamicValueMappingRequest + required: + - valueResolver + additionalProperties: false + policy.dynamicvaluemapping.CreateDynamicValueMappingResponse: + type: object + properties: + dynamicValueMapping: + title: dynamic_value_mapping + $ref: '#/components/schemas/policy.DynamicValueMapping' + title: CreateDynamicValueMappingResponse + additionalProperties: false + policy.dynamicvaluemapping.DeleteDynamicValueMappingRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: DeleteDynamicValueMappingRequest + additionalProperties: false + policy.dynamicvaluemapping.DeleteDynamicValueMappingResponse: + type: object + properties: + dynamicValueMapping: + title: dynamic_value_mapping + description: Only ID of the deleted mapping provided + $ref: '#/components/schemas/policy.DynamicValueMapping' + title: DeleteDynamicValueMappingResponse + additionalProperties: false + policy.dynamicvaluemapping.DynamicValueMappingsSort: + type: object + properties: + field: + title: field + $ref: '#/components/schemas/policy.dynamicvaluemapping.SortDynamicValueMappingsType' + direction: + title: direction + $ref: '#/components/schemas/policy.SortDirection' + title: DynamicValueMappingsSort + additionalProperties: false + 
policy.dynamicvaluemapping.GetDynamicValueMappingRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: GetDynamicValueMappingRequest + additionalProperties: false + policy.dynamicvaluemapping.GetDynamicValueMappingResponse: + type: object + properties: + dynamicValueMapping: + title: dynamic_value_mapping + $ref: '#/components/schemas/policy.DynamicValueMapping' + title: GetDynamicValueMappingResponse + additionalProperties: false + policy.dynamicvaluemapping.ListDynamicValueMappingsRequest: + type: object + properties: + namespaceId: + type: string + title: namespace_id + description: | + Optional + Namespace ID, or Attribute Definition ID to filter by + optional_uuid_format // Optional field must be a valid UUID + attributeDefinitionId: + type: string + title: attribute_definition_id + description: | + optional_uuid_format // Optional field must be a valid UUID + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + sort: + type: array + items: + $ref: '#/components/schemas/policy.dynamicvaluemapping.DynamicValueMappingsSort' + title: sort + maxItems: 1 + description: 'Optional - CONSTRAINT: max 1 item' + title: ListDynamicValueMappingsRequest + additionalProperties: false + policy.dynamicvaluemapping.ListDynamicValueMappingsResponse: + type: object + properties: + dynamicValueMappings: + type: array + items: + $ref: '#/components/schemas/policy.DynamicValueMapping' + title: dynamic_value_mappings + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListDynamicValueMappingsResponse + additionalProperties: false + policy.dynamicvaluemapping.SortDynamicValueMappingsType: + type: string + title: SortDynamicValueMappingsType + enum: + - SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UNSPECIFIED + - SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_CREATED_AT + - SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UPDATED_AT + 
policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + valueResolver: + title: value_resolver + description: 'Optional: replace the dynamic resolver' + $ref: '#/components/schemas/policy.DynamicValueResolver' + subjectConditionSetId: + type: string + title: subject_condition_set_id + description: | + Optional: replace the static pre-gate SubjectConditionSet by id + optional_uuid_format // Optional field must be a valid UUID + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: | + Optional: replace the entire list of actions + action_name_or_id_not_empty // Action name or ID must not be empty if provided + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateDynamicValueMappingRequest + additionalProperties: false + policy.dynamicvaluemapping.UpdateDynamicValueMappingResponse: + type: object + properties: + dynamicValueMapping: + title: dynamic_value_mapping + $ref: '#/components/schemas/policy.DynamicValueMapping' + title: UpdateDynamicValueMappingResponse + additionalProperties: false + policy.subjectmapping.SubjectConditionSetCreate: + type: object + properties: + subjectSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectSet' + title: subject_sets + minItems: 1 + description: Required + metadata: + title: metadata + description: |- + Optional + Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + title: SubjectConditionSetCreate + additionalProperties: false +security: [] +tags: + - name: policy.dynamicvaluemapping.DynamicValueMappingService 
diff --git a/docs/openapi/policy/objects.openapi.yaml b/docs/openapi/policy/objects.openapi.yaml index 6b1ee8b279..2be6d6e904 100644 --- a/docs/openapi/policy/objects.openapi.yaml +++ b/docs/openapi/policy/objects.openapi.yaml @@ -368,7 +368,7 @@ components: - booleanOperator additionalProperties: false description: A collection of Conditions evaluated by the boolean_operator provided - policy.DefinitionValueEntitlementMapping: + policy.DynamicValueMapping: type: object properties: id: @@ -381,7 +381,7 @@ components: valueResolver: title: value_resolver description: the dynamic resolver matched against the requested resource value segment - $ref: '#/components/schemas/policy.DefinitionValueResolver' + $ref: '#/components/schemas/policy.DynamicValueResolver' subjectConditionSet: title: subject_condition_set description: |- 
@@ -402,15 +402,28 @@ components: metadata: title: metadata $ref: '#/components/schemas/common.Metadata' - title: DefinitionValueEntitlementMapping + title: DynamicValueMapping additionalProperties: false description: |- - Definition Value Entitlement Mapping: a Policy assigning permitted action(s) to + Dynamic Value Mapping: a Policy assigning permitted action(s) to dynamically-requested values under an Attribute Definition. It raises entitlement authority from a concrete Attribute Value to the Attribute Definition: at decision time the value_resolver compares the requested resource value segment against the entity representation, avoiding pre-provisioning a value + subject mapping per discrete value. - policy.DefinitionValueResolver: + policy.DynamicValueOperatorEnum: + type: string + title: DynamicValueOperatorEnum + enum: + - DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED + - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN + - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS + description: |- + Operators for dynamic, definition-level value entitlement. Unlike + SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into + policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's + attribute value segment, supplied at decision time. Each value is the inversion of its + static SubjectMappingOperatorEnum counterpart. + policy.DynamicValueResolver: type: object properties: subjectExternalSelectorValue: 
@@ -423,28 +436,15 @@ components: title: operator description: the dynamic operator comparing the selector result to the resource value segment $ref: '#/components/schemas/policy.DynamicValueOperatorEnum' - title: DefinitionValueResolver + title: DynamicValueResolver required: - subjectExternalSelectorValue - operator additionalProperties: false description: |- - Definition Value Resolver: the dynamic half of a DefinitionValueEntitlementMapping. It + Definition Value Resolver: the dynamic half of a DynamicValueMapping. It resolves a selector against the entity representation and compares the result to the requested resource value segment using a DynamicValueOperatorEnum. - policy.DynamicValueOperatorEnum: - type: string - title: DynamicValueOperatorEnum - enum: - - DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED - - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN - - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS - description: |- - Operators for dynamic, definition-level value entitlement. Unlike - SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into - policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's - attribute value segment, supplied at decision time. Each value is the inversion of its - static SubjectMappingOperatorEnum counterpart. policy.KasKey: type: object properties: diff --git a/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml b/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml index e1caccb81e..a988610cbb 100644 --- a/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml +++ b/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml 
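Review bot: The description of `policy.DynamicValueResolver` in the `@@ -423,28 +436,15 @@` hunk of `objects.openapi.yaml` still opens with "Definition Value Resolver:", although the schema key, its `title` and the mapping it refers to were all renamed in this commit. The new line should read `Dynamic Value Resolver: the dynamic half of a DynamicValueMapping. It`, matching the "Dynamic Value Mapping:" wording used for the sibling schema in the previous hunk. This file looks generated from the proto comments, so the wording presumably has to change in the `.proto` source and be regenerated rather than edited here. The schema block itself begins in the previous hunk. These descriptions are what policy authors read when writing entitlement rules, so a leftover old name makes it harder to tell which object a rule actually binds to.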
@@ -2,41 +2,6 @@ openapi: 3.1.0 info: title: policy.subjectmapping paths: - /policy.subjectmapping.SubjectMappingService/CreateDefinitionValueEntitlementMapping: - post: - tags: - - policy.subjectmapping.SubjectMappingService - summary: CreateDefinitionValueEntitlementMapping - operationId: policy.subjectmapping.SubjectMappingService.CreateDefinitionValueEntitlementMapping - parameters: - - name: Connect-Protocol-Version - in: header - required: true - schema: - $ref: '#/components/schemas/connect-protocol-version' - - name: Connect-Timeout-Ms - in: header - schema: - $ref: '#/components/schemas/connect-timeout-header' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest' - required: true - responses: - default: - description: Error - content: - application/json: - schema: - $ref: '#/components/schemas/connect.error' - "200": - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/policy.subjectmapping.CreateDefinitionValueEntitlementMappingResponse' /policy.subjectmapping.SubjectMappingService/CreateSubjectConditionSet: post: tags: 
@@ -142,41 +107,6 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse' - /policy.subjectmapping.SubjectMappingService/DeleteDefinitionValueEntitlementMapping: - post: - tags: - - policy.subjectmapping.SubjectMappingService - summary: DeleteDefinitionValueEntitlementMapping - operationId: policy.subjectmapping.SubjectMappingService.DeleteDefinitionValueEntitlementMapping - parameters: - - name: Connect-Protocol-Version - in: header - required: true - schema: - $ref: '#/components/schemas/connect-protocol-version' - - name: Connect-Timeout-Ms - in: header - schema: - $ref: '#/components/schemas/connect-timeout-header' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/policy.subjectmapping.DeleteDefinitionValueEntitlementMappingRequest' - required: true - responses: - default: - description: Error - content: - application/json: - schema: - $ref: '#/components/schemas/connect.error' - "200": - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/policy.subjectmapping.DeleteDefinitionValueEntitlementMappingResponse' /policy.subjectmapping.SubjectMappingService/DeleteSubjectConditionSet: post: tags: 
@@ -247,41 +177,6 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectMappingResponse' - /policy.subjectmapping.SubjectMappingService/GetDefinitionValueEntitlementMapping: - post: - tags: - - policy.subjectmapping.SubjectMappingService - summary: GetDefinitionValueEntitlementMapping - operationId: policy.subjectmapping.SubjectMappingService.GetDefinitionValueEntitlementMapping - parameters: - - name: Connect-Protocol-Version - in: header - required: true - schema: - $ref: '#/components/schemas/connect-protocol-version' - - name: Connect-Timeout-Ms - in: header - schema: - $ref: '#/components/schemas/connect-timeout-header' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/policy.subjectmapping.GetDefinitionValueEntitlementMappingRequest' - required: true - responses: - default: - description: Error - content: - application/json: - schema: - $ref: '#/components/schemas/connect.error' - "200": - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/policy.subjectmapping.GetDefinitionValueEntitlementMappingResponse' /policy.subjectmapping.SubjectMappingService/GetSubjectConditionSet: post: tags: 
@@ -352,41 +247,6 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.subjectmapping.GetSubjectMappingResponse' - /policy.subjectmapping.SubjectMappingService/ListDefinitionValueEntitlementMappings: - post: - tags: - - policy.subjectmapping.SubjectMappingService - summary: ListDefinitionValueEntitlementMappings - operationId: policy.subjectmapping.SubjectMappingService.ListDefinitionValueEntitlementMappings - parameters: - - name: Connect-Protocol-Version - in: header - required: true - schema: - $ref: '#/components/schemas/connect-protocol-version' - - name: Connect-Timeout-Ms - in: header - schema: - $ref: '#/components/schemas/connect-timeout-header' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/policy.subjectmapping.ListDefinitionValueEntitlementMappingsRequest' - required: true - responses: - default: - description: Error - content: - application/json: - schema: - $ref: '#/components/schemas/connect.error' - "200": - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/policy.subjectmapping.ListDefinitionValueEntitlementMappingsResponse' /policy.subjectmapping.SubjectMappingService/ListSubjectConditionSets: post: tags: 
@@ -493,41 +353,6 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.subjectmapping.MatchSubjectMappingsResponse' - /policy.subjectmapping.SubjectMappingService/UpdateDefinitionValueEntitlementMapping: - post: - tags: - - policy.subjectmapping.SubjectMappingService - summary: UpdateDefinitionValueEntitlementMapping - operationId: policy.subjectmapping.SubjectMappingService.UpdateDefinitionValueEntitlementMapping - parameters: - - name: Connect-Protocol-Version - in: header - required: true - schema: - $ref: '#/components/schemas/connect-protocol-version' - - name: Connect-Timeout-Ms - in: header - schema: - $ref: '#/components/schemas/connect-timeout-header' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest' - required: true - responses: - default: - description: Error - content: - application/json: - schema: - $ref: '#/components/schemas/connect.error' - "200": - description: Success - content: - application/json: - schema: - $ref: '#/components/schemas/policy.subjectmapping.UpdateDefinitionValueEntitlementMappingResponse' /policy.subjectmapping.SubjectMappingService/UpdateSubjectConditionSet: post: tags: 
@@ -1018,83 +843,6 @@ components: - booleanOperator additionalProperties: false description: A collection of Conditions evaluated by the boolean_operator provided - policy.DefinitionValueEntitlementMapping: - type: object - properties: - id: - type: string - title: id - attributeDefinition: - title: attribute_definition - description: the Attribute Definition whose values are entitled dynamically - $ref: '#/components/schemas/policy.Attribute' - valueResolver: - title: value_resolver - description: the dynamic resolver matched against the requested resource value segment - $ref: '#/components/schemas/policy.DefinitionValueResolver' - subjectConditionSet: - title: subject_condition_set - description: |- - optional static pre-gate on the entity, evaluated with normal SubjectConditionSet - semantics (no dynamic overload). When present, both the gate and the resolver must - pass for entitlement. - $ref: '#/components/schemas/policy.SubjectConditionSet' - actions: - type: array - items: - $ref: '#/components/schemas/policy.Action' - title: actions - description: the actions permitted by subjects in this mapping - namespace: - title: namespace - description: the namespace containing this mapping - $ref: '#/components/schemas/policy.Namespace' - metadata: - title: metadata - $ref: '#/components/schemas/common.Metadata' - title: DefinitionValueEntitlementMapping - additionalProperties: false - description: |- - Definition Value Entitlement Mapping: a Policy assigning permitted action(s) to - dynamically-requested values under an Attribute Definition. It raises entitlement - authority from a concrete Attribute Value to the Attribute Definition: at decision time - the value_resolver compares the requested resource value segment against the entity - representation, avoiding pre-provisioning a value + subject mapping per discrete value. 
- policy.DefinitionValueResolver: - type: object - properties: - subjectExternalSelectorValue: - type: string - title: subject_external_selector_value - description: |- - a selector for a field value on a flattened Entity Representation (such as from - idP/LDAP), e.g. ".patientAssignments[]" - operator: - title: operator - description: the dynamic operator comparing the selector result to the resource value segment - $ref: '#/components/schemas/policy.DynamicValueOperatorEnum' - title: DefinitionValueResolver - required: - - subjectExternalSelectorValue - - operator - additionalProperties: false - description: |- - Definition Value Resolver: the dynamic half of a DefinitionValueEntitlementMapping. It - resolves a selector against the entity representation and compares the result to the - requested resource value segment using a DynamicValueOperatorEnum. - policy.DynamicValueOperatorEnum: - type: string - title: DynamicValueOperatorEnum - enum: - - DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED - - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN - - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS - description: |- - Operators for dynamic, definition-level value entitlement. Unlike - SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into - policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's - attribute value segment, supplied at decision time. Each value is the inversion of its - static SubjectMappingOperatorEnum counterpart. policy.KasPublicKey: type: object properties: 
@@ -1671,73 +1419,6 @@ components: $ref: '#/components/schemas/common.Metadata' title: Value additionalProperties: false - policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest: - type: object - allOf: - - oneOf: - - required: - - attributeDefinitionId - - required: - - attributeDefinitionFqn - properties: - attributeDefinitionId: - type: string - title: attribute_definition_id - description: | - optional_uuid_format // Optional field must be a valid UUID - attributeDefinitionFqn: - type: string - title: attribute_definition_fqn - format: uri - valueResolver: - title: value_resolver - description: 'Required: the dynamic resolver comparing entity selector result to the resource value segment' - $ref: '#/components/schemas/policy.DefinitionValueResolver' - actions: - type: array - items: - $ref: '#/components/schemas/policy.Action' - title: actions - minItems: 1 - description: | - Required: actions permitted on a matched value - action_name_or_id_not_empty // Action name or ID must not be empty if provided - existingSubjectConditionSetId: - type: string - title: existing_subject_condition_set_id - description: | - Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ... - optional_uuid_format // Optional field must be a valid UUID - newSubjectConditionSet: - title: new_subject_condition_set - description: '... 
or create a new one (ignored if existing_subject_condition_set_id is provided)' - $ref: '#/components/schemas/policy.subjectmapping.SubjectConditionSetCreate' - namespaceId: - type: string - title: namespace_id - description: | - Optional: namespace ID or FQN for the mapping - optional_uuid_format // Optional field must be a valid UUID - namespaceFqn: - type: string - title: namespace_fqn - format: uri - metadata: - title: metadata - description: Optional - $ref: '#/components/schemas/common.MetadataMutable' - title: CreateDefinitionValueEntitlementMappingRequest - required: - - valueResolver - additionalProperties: false - policy.subjectmapping.CreateDefinitionValueEntitlementMappingResponse: - type: object - properties: - definitionValueEntitlementMapping: - title: definition_value_entitlement_mapping - $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' - title: CreateDefinitionValueEntitlementMappingResponse - additionalProperties: false policy.subjectmapping.CreateSubjectConditionSetRequest: type: object properties: @@ -1822,17 +1503,6 @@ components: $ref: '#/components/schemas/policy.SubjectMapping' title: CreateSubjectMappingResponse additionalProperties: false - policy.subjectmapping.DefinitionValueEntitlementMappingsSort: - type: object - properties: - field: - title: field - $ref: '#/components/schemas/policy.subjectmapping.SortDefinitionValueEntitlementMappingsType' - direction: - title: direction - $ref: '#/components/schemas/policy.SortDirection' - title: DefinitionValueEntitlementMappingsSort - additionalProperties: false policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest: type: object title: DeleteAllUnmappedSubjectConditionSetsRequest 
@@ -1849,25 +1519,6 @@ components: description: Only IDs of any deleted Subject Condition Set provided title: DeleteAllUnmappedSubjectConditionSetsResponse additionalProperties: false - policy.subjectmapping.DeleteDefinitionValueEntitlementMappingRequest: - type: object - properties: - id: - type: string - title: id - format: uuid - description: Required - title: DeleteDefinitionValueEntitlementMappingRequest - additionalProperties: false - policy.subjectmapping.DeleteDefinitionValueEntitlementMappingResponse: - type: object - properties: - definitionValueEntitlementMapping: - title: definition_value_entitlement_mapping - description: Only ID of the deleted mapping provided - $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' - title: DeleteDefinitionValueEntitlementMappingResponse - additionalProperties: false policy.subjectmapping.DeleteSubjectConditionSetRequest: type: object properties: @@ -1906,24 +1557,6 @@ components: $ref: '#/components/schemas/policy.SubjectMapping' title: DeleteSubjectMappingResponse additionalProperties: false - policy.subjectmapping.GetDefinitionValueEntitlementMappingRequest: - type: object - properties: - id: - type: string - title: id - format: uuid - description: Required - title: GetDefinitionValueEntitlementMappingRequest - additionalProperties: false - policy.subjectmapping.GetDefinitionValueEntitlementMappingResponse: - type: object - properties: - definitionValueEntitlementMapping: - title: definition_value_entitlement_mapping - $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' - title: GetDefinitionValueEntitlementMappingResponse - additionalProperties: false policy.subjectmapping.GetSubjectConditionSetRequest: type: object properties: 
@@ -1966,47 +1599,6 @@ components: $ref: '#/components/schemas/policy.SubjectMapping' title: GetSubjectMappingResponse additionalProperties: false - policy.subjectmapping.ListDefinitionValueEntitlementMappingsRequest: - type: object - properties: - namespaceId: - type: string - title: namespace_id - description: | - Optional - Namespace ID, or Attribute Definition ID to filter by - optional_uuid_format // Optional field must be a valid UUID - attributeDefinitionId: - type: string - title: attribute_definition_id - description: | - optional_uuid_format // Optional field must be a valid UUID - pagination: - title: pagination - description: Optional - $ref: '#/components/schemas/policy.PageRequest' - sort: - type: array - items: - $ref: '#/components/schemas/policy.subjectmapping.DefinitionValueEntitlementMappingsSort' - title: sort - maxItems: 1 - description: 'Optional - CONSTRAINT: max 1 item' - title: ListDefinitionValueEntitlementMappingsRequest - additionalProperties: false - policy.subjectmapping.ListDefinitionValueEntitlementMappingsResponse: - type: object - properties: - definitionValueEntitlementMappings: - type: array - items: - $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' - title: definition_value_entitlement_mappings - pagination: - title: pagination - $ref: '#/components/schemas/policy.PageResponse' - title: ListDefinitionValueEntitlementMappingsResponse - additionalProperties: false policy.subjectmapping.ListSubjectConditionSetsRequest: type: object properties: 
@@ -2117,13 +1709,6 @@ components: title: subject_mappings title: MatchSubjectMappingsResponse additionalProperties: false - policy.subjectmapping.SortDefinitionValueEntitlementMappingsType: - type: string - title: SortDefinitionValueEntitlementMappingsType - enum: - - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED - - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT - - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT policy.subjectmapping.SortSubjectConditionSetsType: type: string title: SortSubjectConditionSetsType 
@@ -2178,49 +1763,6 @@ components: $ref: '#/components/schemas/policy.SortDirection' title: SubjectMappingsSort additionalProperties: false - policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest: - type: object - properties: - id: - type: string - title: id - format: uuid - description: Required - valueResolver: - title: value_resolver - description: 'Optional: replace the dynamic resolver' - $ref: '#/components/schemas/policy.DefinitionValueResolver' - subjectConditionSetId: - type: string - title: subject_condition_set_id - description: | - Optional: replace the static pre-gate SubjectConditionSet by id - optional_uuid_format // Optional field must be a valid UUID - actions: - type: array - items: - $ref: '#/components/schemas/policy.Action' - title: actions - description: | - Optional: replace the entire list of actions - action_name_or_id_not_empty // Action name or ID must not be empty if provided - metadata: - title: metadata - description: Common metadata - $ref: '#/components/schemas/common.MetadataMutable' - metadataUpdateBehavior: - title: metadata_update_behavior - $ref: '#/components/schemas/common.MetadataUpdateEnum' - title: UpdateDefinitionValueEntitlementMappingRequest - additionalProperties: false - policy.subjectmapping.UpdateDefinitionValueEntitlementMappingResponse: - type: object - properties: - definitionValueEntitlementMapping: - title: definition_value_entitlement_mapping - $ref: '#/components/schemas/policy.DefinitionValueEntitlementMapping' - title: UpdateDefinitionValueEntitlementMappingResponse - additionalProperties: false policy.subjectmapping.UpdateSubjectConditionSetRequest: type: object properties: diff --git a/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping.pb.go b/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping.pb.go new file mode 100644 index 0000000000..5df7ef6b45 --- /dev/null +++ b/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping.pb.go 
@@ -0,0 +1,1312 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.33.0 +// protoc (unknown) +// source: policy/dynamicvaluemapping/dynamic_value_mapping.proto + +package dynamicvaluemapping + +import ( + _ "buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go/buf/validate" + common "github.com/opentdf/platform/protocol/go/common" + policy "github.com/opentdf/platform/protocol/go/policy" + subjectmapping "github.com/opentdf/platform/protocol/go/policy/subjectmapping" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type SortDynamicValueMappingsType int32 + +const ( + SortDynamicValueMappingsType_SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UNSPECIFIED SortDynamicValueMappingsType = 0 + SortDynamicValueMappingsType_SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_CREATED_AT SortDynamicValueMappingsType = 1 + SortDynamicValueMappingsType_SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UPDATED_AT SortDynamicValueMappingsType = 2 +) + +// Enum value maps for SortDynamicValueMappingsType. 
+var ( + SortDynamicValueMappingsType_name = map[int32]string{ + 0: "SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UNSPECIFIED", + 1: "SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_CREATED_AT", + 2: "SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UPDATED_AT", + } + SortDynamicValueMappingsType_value = map[string]int32{ + "SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UNSPECIFIED": 0, + "SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_CREATED_AT": 1, + "SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UPDATED_AT": 2, + } +) + +func (x SortDynamicValueMappingsType) Enum() *SortDynamicValueMappingsType { + p := new(SortDynamicValueMappingsType) + *p = x + return p +} + +func (x SortDynamicValueMappingsType) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (SortDynamicValueMappingsType) Descriptor() protoreflect.EnumDescriptor { + return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_enumTypes[0].Descriptor() +} + +func (SortDynamicValueMappingsType) Type() protoreflect.EnumType { + return &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_enumTypes[0] +} + +func (x SortDynamicValueMappingsType) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use SortDynamicValueMappingsType.Descriptor instead. 
+func (SortDynamicValueMappingsType) EnumDescriptor() ([]byte, []int) { + return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{0} +} + +type GetDynamicValueMappingRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Required + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` +} + +func (x *GetDynamicValueMappingRequest) Reset() { + *x = GetDynamicValueMappingRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetDynamicValueMappingRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetDynamicValueMappingRequest) ProtoMessage() {} + +func (x *GetDynamicValueMappingRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetDynamicValueMappingRequest.ProtoReflect.Descriptor instead. 
+func (*GetDynamicValueMappingRequest) Descriptor() ([]byte, []int) { + return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{0} +} + +func (x *GetDynamicValueMappingRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +type GetDynamicValueMappingResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DynamicValueMapping *policy.DynamicValueMapping `protobuf:"bytes,1,opt,name=dynamic_value_mapping,json=dynamicValueMapping,proto3" json:"dynamic_value_mapping,omitempty"` +} + +func (x *GetDynamicValueMappingResponse) Reset() { + *x = GetDynamicValueMappingResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetDynamicValueMappingResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetDynamicValueMappingResponse) ProtoMessage() {} + +func (x *GetDynamicValueMappingResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetDynamicValueMappingResponse.ProtoReflect.Descriptor instead. 
+func (*GetDynamicValueMappingResponse) Descriptor() ([]byte, []int) { + return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{1} +} + +func (x *GetDynamicValueMappingResponse) GetDynamicValueMapping() *policy.DynamicValueMapping { + if x != nil { + return x.DynamicValueMapping + } + return nil +} + +type DynamicValueMappingsSort struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Field SortDynamicValueMappingsType `protobuf:"varint,1,opt,name=field,proto3,enum=policy.dynamicvaluemapping.SortDynamicValueMappingsType" json:"field,omitempty"` + Direction policy.SortDirection `protobuf:"varint,2,opt,name=direction,proto3,enum=policy.SortDirection" json:"direction,omitempty"` +} + +func (x *DynamicValueMappingsSort) Reset() { + *x = DynamicValueMappingsSort{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *DynamicValueMappingsSort) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DynamicValueMappingsSort) ProtoMessage() {} + +func (x *DynamicValueMappingsSort) ProtoReflect() protoreflect.Message { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DynamicValueMappingsSort.ProtoReflect.Descriptor instead. 
+func (*DynamicValueMappingsSort) Descriptor() ([]byte, []int) { + return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{2} +} + +func (x *DynamicValueMappingsSort) GetField() SortDynamicValueMappingsType { + if x != nil { + return x.Field + } + return SortDynamicValueMappingsType_SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UNSPECIFIED +} + +func (x *DynamicValueMappingsSort) GetDirection() policy.SortDirection { + if x != nil { + return x.Direction + } + return policy.SortDirection(0) +} + +type ListDynamicValueMappingsRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Optional + // Namespace ID, or Attribute Definition ID to filter by + NamespaceId string `protobuf:"bytes,1,opt,name=namespace_id,json=namespaceId,proto3" json:"namespace_id,omitempty"` + AttributeDefinitionId string `protobuf:"bytes,2,opt,name=attribute_definition_id,json=attributeDefinitionId,proto3" json:"attribute_definition_id,omitempty"` + // Optional + Pagination *policy.PageRequest `protobuf:"bytes,10,opt,name=pagination,proto3" json:"pagination,omitempty"` + // Optional - CONSTRAINT: max 1 item + Sort []*DynamicValueMappingsSort `protobuf:"bytes,11,rep,name=sort,proto3" json:"sort,omitempty"` +} + +func (x *ListDynamicValueMappingsRequest) Reset() { + *x = ListDynamicValueMappingsRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ListDynamicValueMappingsRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListDynamicValueMappingsRequest) ProtoMessage() {} + +func (x *ListDynamicValueMappingsRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[3] + if protoimpl.UnsafeEnabled && x != nil { + ms := 
protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListDynamicValueMappingsRequest.ProtoReflect.Descriptor instead. +func (*ListDynamicValueMappingsRequest) Descriptor() ([]byte, []int) { + return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{3} +} + +func (x *ListDynamicValueMappingsRequest) GetNamespaceId() string { + if x != nil { + return x.NamespaceId + } + return "" +} + +func (x *ListDynamicValueMappingsRequest) GetAttributeDefinitionId() string { + if x != nil { + return x.AttributeDefinitionId + } + return "" +} + +func (x *ListDynamicValueMappingsRequest) GetPagination() *policy.PageRequest { + if x != nil { + return x.Pagination + } + return nil +} + +func (x *ListDynamicValueMappingsRequest) GetSort() []*DynamicValueMappingsSort { + if x != nil { + return x.Sort + } + return nil +} + +type ListDynamicValueMappingsResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DynamicValueMappings []*policy.DynamicValueMapping `protobuf:"bytes,1,rep,name=dynamic_value_mappings,json=dynamicValueMappings,proto3" json:"dynamic_value_mappings,omitempty"` + Pagination *policy.PageResponse `protobuf:"bytes,10,opt,name=pagination,proto3" json:"pagination,omitempty"` +} + +func (x *ListDynamicValueMappingsResponse) Reset() { + *x = ListDynamicValueMappingsResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ListDynamicValueMappingsResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListDynamicValueMappingsResponse) ProtoMessage() {} + +func (x *ListDynamicValueMappingsResponse) ProtoReflect() protoreflect.Message { + mi := 
&file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[4] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListDynamicValueMappingsResponse.ProtoReflect.Descriptor instead. +func (*ListDynamicValueMappingsResponse) Descriptor() ([]byte, []int) { + return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{4} +} + +func (x *ListDynamicValueMappingsResponse) GetDynamicValueMappings() []*policy.DynamicValueMapping { + if x != nil { + return x.DynamicValueMappings + } + return nil +} + +func (x *ListDynamicValueMappingsResponse) GetPagination() *policy.PageResponse { + if x != nil { + return x.Pagination + } + return nil +} + +type CreateDynamicValueMappingRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + AttributeDefinitionId string `protobuf:"bytes,1,opt,name=attribute_definition_id,json=attributeDefinitionId,proto3" json:"attribute_definition_id,omitempty"` + AttributeDefinitionFqn string `protobuf:"bytes,2,opt,name=attribute_definition_fqn,json=attributeDefinitionFqn,proto3" json:"attribute_definition_fqn,omitempty"` + // Required: the dynamic resolver comparing entity selector result to the resource value segment + ValueResolver *policy.DynamicValueResolver `protobuf:"bytes,3,opt,name=value_resolver,json=valueResolver,proto3" json:"value_resolver,omitempty"` + // Required: actions permitted on a matched value + Actions []*policy.Action `protobuf:"bytes,4,rep,name=actions,proto3" json:"actions,omitempty"` + // Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ... 
+ ExistingSubjectConditionSetId string `protobuf:"bytes,5,opt,name=existing_subject_condition_set_id,json=existingSubjectConditionSetId,proto3" json:"existing_subject_condition_set_id,omitempty"` + // ... or create a new one (ignored if existing_subject_condition_set_id is provided) + NewSubjectConditionSet *subjectmapping.SubjectConditionSetCreate `protobuf:"bytes,6,opt,name=new_subject_condition_set,json=newSubjectConditionSet,proto3" json:"new_subject_condition_set,omitempty"` + // Optional: namespace ID or FQN for the mapping + NamespaceId string `protobuf:"bytes,7,opt,name=namespace_id,json=namespaceId,proto3" json:"namespace_id,omitempty"` + NamespaceFqn string `protobuf:"bytes,8,opt,name=namespace_fqn,json=namespaceFqn,proto3" json:"namespace_fqn,omitempty"` + // Optional + Metadata *common.MetadataMutable `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"` +} + +func (x *CreateDynamicValueMappingRequest) Reset() { + *x = CreateDynamicValueMappingRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *CreateDynamicValueMappingRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CreateDynamicValueMappingRequest) ProtoMessage() {} + +func (x *CreateDynamicValueMappingRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[5] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CreateDynamicValueMappingRequest.ProtoReflect.Descriptor instead. 
+func (*CreateDynamicValueMappingRequest) Descriptor() ([]byte, []int) { + return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{5} +} + +func (x *CreateDynamicValueMappingRequest) GetAttributeDefinitionId() string { + if x != nil { + return x.AttributeDefinitionId + } + return "" +} + +func (x *CreateDynamicValueMappingRequest) GetAttributeDefinitionFqn() string { + if x != nil { + return x.AttributeDefinitionFqn + } + return "" +} + +func (x *CreateDynamicValueMappingRequest) GetValueResolver() *policy.DynamicValueResolver { + if x != nil { + return x.ValueResolver + } + return nil +} + +func (x *CreateDynamicValueMappingRequest) GetActions() []*policy.Action { + if x != nil { + return x.Actions + } + return nil +} + +func (x *CreateDynamicValueMappingRequest) GetExistingSubjectConditionSetId() string { + if x != nil { + return x.ExistingSubjectConditionSetId + } + return "" +} + +func (x *CreateDynamicValueMappingRequest) GetNewSubjectConditionSet() *subjectmapping.SubjectConditionSetCreate { + if x != nil { + return x.NewSubjectConditionSet + } + return nil +} + +func (x *CreateDynamicValueMappingRequest) GetNamespaceId() string { + if x != nil { + return x.NamespaceId + } + return "" +} + +func (x *CreateDynamicValueMappingRequest) GetNamespaceFqn() string { + if x != nil { + return x.NamespaceFqn + } + return "" +} + +func (x *CreateDynamicValueMappingRequest) GetMetadata() *common.MetadataMutable { + if x != nil { + return x.Metadata + } + return nil +} + +type CreateDynamicValueMappingResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DynamicValueMapping *policy.DynamicValueMapping `protobuf:"bytes,1,opt,name=dynamic_value_mapping,json=dynamicValueMapping,proto3" json:"dynamic_value_mapping,omitempty"` +} + +func (x *CreateDynamicValueMappingResponse) Reset() { + *x = CreateDynamicValueMappingResponse{} + if protoimpl.UnsafeEnabled { + mi := 
&file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *CreateDynamicValueMappingResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CreateDynamicValueMappingResponse) ProtoMessage() {} + +func (x *CreateDynamicValueMappingResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[6] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CreateDynamicValueMappingResponse.ProtoReflect.Descriptor instead. +func (*CreateDynamicValueMappingResponse) Descriptor() ([]byte, []int) { + return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{6} +} + +func (x *CreateDynamicValueMappingResponse) GetDynamicValueMapping() *policy.DynamicValueMapping { + if x != nil { + return x.DynamicValueMapping + } + return nil +} + +type UpdateDynamicValueMappingRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Required + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` + // Optional: replace the dynamic resolver + ValueResolver *policy.DynamicValueResolver `protobuf:"bytes,2,opt,name=value_resolver,json=valueResolver,proto3" json:"value_resolver,omitempty"` + // Optional: replace the static pre-gate SubjectConditionSet by id + SubjectConditionSetId string `protobuf:"bytes,3,opt,name=subject_condition_set_id,json=subjectConditionSetId,proto3" json:"subject_condition_set_id,omitempty"` + // Optional: replace the entire list of actions + Actions []*policy.Action `protobuf:"bytes,4,rep,name=actions,proto3" json:"actions,omitempty"` + // Common metadata + Metadata 
*common.MetadataMutable `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"` + MetadataUpdateBehavior common.MetadataUpdateEnum `protobuf:"varint,101,opt,name=metadata_update_behavior,json=metadataUpdateBehavior,proto3,enum=common.MetadataUpdateEnum" json:"metadata_update_behavior,omitempty"` +} + +func (x *UpdateDynamicValueMappingRequest) Reset() { + *x = UpdateDynamicValueMappingRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *UpdateDynamicValueMappingRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*UpdateDynamicValueMappingRequest) ProtoMessage() {} + +func (x *UpdateDynamicValueMappingRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[7] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use UpdateDynamicValueMappingRequest.ProtoReflect.Descriptor instead. 
+func (*UpdateDynamicValueMappingRequest) Descriptor() ([]byte, []int) { + return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{7} +} + +func (x *UpdateDynamicValueMappingRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +func (x *UpdateDynamicValueMappingRequest) GetValueResolver() *policy.DynamicValueResolver { + if x != nil { + return x.ValueResolver + } + return nil +} + +func (x *UpdateDynamicValueMappingRequest) GetSubjectConditionSetId() string { + if x != nil { + return x.SubjectConditionSetId + } + return "" +} + +func (x *UpdateDynamicValueMappingRequest) GetActions() []*policy.Action { + if x != nil { + return x.Actions + } + return nil +} + +func (x *UpdateDynamicValueMappingRequest) GetMetadata() *common.MetadataMutable { + if x != nil { + return x.Metadata + } + return nil +} + +func (x *UpdateDynamicValueMappingRequest) GetMetadataUpdateBehavior() common.MetadataUpdateEnum { + if x != nil { + return x.MetadataUpdateBehavior + } + return common.MetadataUpdateEnum(0) +} + +type UpdateDynamicValueMappingResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DynamicValueMapping *policy.DynamicValueMapping `protobuf:"bytes,1,opt,name=dynamic_value_mapping,json=dynamicValueMapping,proto3" json:"dynamic_value_mapping,omitempty"` +} + +func (x *UpdateDynamicValueMappingResponse) Reset() { + *x = UpdateDynamicValueMappingResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[8] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *UpdateDynamicValueMappingResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*UpdateDynamicValueMappingResponse) ProtoMessage() {} + +func (x *UpdateDynamicValueMappingResponse) ProtoReflect() protoreflect.Message { + mi := 
&file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[8] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use UpdateDynamicValueMappingResponse.ProtoReflect.Descriptor instead. +func (*UpdateDynamicValueMappingResponse) Descriptor() ([]byte, []int) { + return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{8} +} + +func (x *UpdateDynamicValueMappingResponse) GetDynamicValueMapping() *policy.DynamicValueMapping { + if x != nil { + return x.DynamicValueMapping + } + return nil +} + +type DeleteDynamicValueMappingRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Required + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` +} + +func (x *DeleteDynamicValueMappingRequest) Reset() { + *x = DeleteDynamicValueMappingRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *DeleteDynamicValueMappingRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DeleteDynamicValueMappingRequest) ProtoMessage() {} + +func (x *DeleteDynamicValueMappingRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[9] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DeleteDynamicValueMappingRequest.ProtoReflect.Descriptor instead. 
+func (*DeleteDynamicValueMappingRequest) Descriptor() ([]byte, []int) { + return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{9} +} + +func (x *DeleteDynamicValueMappingRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +type DeleteDynamicValueMappingResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Only ID of the deleted mapping provided + DynamicValueMapping *policy.DynamicValueMapping `protobuf:"bytes,1,opt,name=dynamic_value_mapping,json=dynamicValueMapping,proto3" json:"dynamic_value_mapping,omitempty"` +} + +func (x *DeleteDynamicValueMappingResponse) Reset() { + *x = DeleteDynamicValueMappingResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[10] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *DeleteDynamicValueMappingResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DeleteDynamicValueMappingResponse) ProtoMessage() {} + +func (x *DeleteDynamicValueMappingResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[10] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DeleteDynamicValueMappingResponse.ProtoReflect.Descriptor instead. 
+func (*DeleteDynamicValueMappingResponse) Descriptor() ([]byte, []int) { + return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{10} +} + +func (x *DeleteDynamicValueMappingResponse) GetDynamicValueMapping() *policy.DynamicValueMapping { + if x != nil { + return x.DynamicValueMapping + } + return nil +} + +var File_policy_dynamicvaluemapping_dynamic_value_mapping_proto protoreflect.FileDescriptor + +var file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDesc = []byte{ + 0x0a, 0x36, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2f, 0x64, 0x79, 0x6e, + 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x1a, 0x1b, 0x62, 0x75, 0x66, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, + 0x74, 0x65, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x1a, 0x13, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x14, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x6f, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x16, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2f, 0x73, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x22, 0x39, 0x0a, 0x1d, 0x47, 0x65, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, + 0x61, 
0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, + 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x22, 0x71, 0x0a, 0x1e, + 0x47, 0x65, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4f, + 0x0a, 0x15, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, + 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x13, 0x64, 0x79, 0x6e, 0x61, + 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, + 0xb3, 0x01, 0x0a, 0x18, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x12, 0x58, 0x0a, 0x05, + 0x66, 0x69, 0x65, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x79, 0x6e, + 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x73, 0x54, 0x79, 0x70, 0x65, 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, + 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x12, 0x3d, 0x0a, 0x09, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, 
0x02, 0x10, 0x01, 0x52, 0x09, 0x64, 0x69, 0x72, 0x65, + 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xf3, 0x04, 0x0a, 0x1f, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x79, + 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0xd7, 0x01, 0x0a, 0x0c, 0x6e, 0x61, + 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, + 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, + 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, + 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, + 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, + 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, + 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, + 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, + 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, + 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, + 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, + 0x65, 0x49, 0x64, 0x12, 0xec, 0x01, 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, + 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, + 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 
0x69, 0x64, 0x5f, + 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, + 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, + 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, + 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, + 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, + 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, + 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, + 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, + 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, + 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x61, 0x74, 0x74, + 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, + 0x49, 0x64, 0x12, 0x33, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x50, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x0a, 0x70, 0x61, 0x67, + 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x52, 0x0a, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x18, + 0x0b, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, + 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x42, 0x08, 0xba, 0x48, 0x05, + 0x92, 0x01, 0x02, 0x10, 0x01, 0x52, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x22, 0xab, 0x01, 0x0a, 0x20, + 0x4c, 0x69, 0x73, 
0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x12, 0x51, 0x0a, 0x16, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, + 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x14, 0x64, + 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x73, 0x12, 0x34, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x50, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x52, 0x0a, 0x70, + 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xc9, 0x0a, 0x0a, 0x20, 0x43, 0x72, + 0x65, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0xec, + 0x01, 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, + 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, + 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, + 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, + 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 
0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, + 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, + 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, + 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, + 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, + 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, + 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, + 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x44, 0x0a, + 0x18, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, + 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x00, 0x88, 0x01, 0x01, 0x52, 0x16, 0x61, 0x74, 0x74, + 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, + 0x46, 0x71, 0x6e, 0x12, 0x4b, 0x0a, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x72, 0x65, 0x73, + 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, + 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, + 0x01, 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, + 0x12, 0xb8, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, + 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, + 0x6f, 0x6e, 0x42, 0x8d, 0x01, 0xba, 0x48, 0x89, 0x01, 0xba, 0x01, 0x80, 0x01, 0x0a, 0x1b, 0x61, + 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x6f, 0x72, 0x5f, 0x69, 
0x64, + 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x2f, 0x41, 0x63, 0x74, 0x69, + 0x6f, 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, 0x20, 0x49, 0x44, 0x20, 0x6d, 0x75, + 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x20, + 0x69, 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x64, 0x1a, 0x30, 0x74, 0x68, 0x69, + 0x73, 0x2e, 0x61, 0x6c, 0x6c, 0x28, 0x69, 0x74, 0x65, 0x6d, 0x2c, 0x20, 0x69, 0x74, 0x65, 0x6d, + 0x2e, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x20, 0x7c, 0x7c, 0x20, 0x69, + 0x74, 0x65, 0x6d, 0x2e, 0x69, 0x64, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x29, 0x92, 0x01, 0x02, + 0x08, 0x01, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0xfe, 0x01, 0x0a, 0x21, + 0x65, 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, + 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, + 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, + 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, + 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, + 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, + 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, + 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, + 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, + 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, + 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, + 0x39, 0x61, 0x2d, 0x66, 0x41, 
0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, + 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x1d, 0x65, + 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, + 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x49, 0x64, 0x12, 0x6b, 0x0a, 0x19, + 0x6e, 0x65, 0x77, 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, + 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x43, 0x72, 0x65, 0x61, 0x74, + 0x65, 0x52, 0x16, 0x6e, 0x65, 0x77, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, + 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0xd7, 0x01, 0x0a, 0x0c, 0x6e, 0x61, + 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, + 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, + 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, + 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, + 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, + 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, + 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, + 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, + 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 
0x61, 0x2d, 0x66, 0x41, 0x2d, + 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, + 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, + 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, + 0x65, 0x49, 0x64, 0x12, 0x2f, 0x0a, 0x0d, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, + 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, + 0x05, 0x10, 0x00, 0x88, 0x01, 0x01, 0x52, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, + 0x65, 0x46, 0x71, 0x6e, 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, + 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, + 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x3a, 0x3a, 0xba, 0x48, 0x37, 0x22, 0x35, + 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, + 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x0a, 0x18, 0x61, 0x74, 0x74, 0x72, 0x69, + 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, + 0x66, 0x71, 0x6e, 0x10, 0x01, 0x22, 0x74, 0x0a, 0x21, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, + 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4f, 0x0a, 0x15, 0x64, 0x79, + 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x13, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, + 0x61, 
0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0xc6, 0x05, 0x0a, 0x20, + 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, + 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, + 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x12, 0x43, 0x0a, 0x0e, 0x76, 0x61, + 0x6c, 0x75, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, + 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, + 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, + 0xed, 0x01, 0x0a, 0x18, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, + 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, + 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, + 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, + 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, + 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, + 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, + 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, + 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, + 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 
0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, + 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, + 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x49, 0x64, 0x12, + 0xc7, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, + 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x42, 0x9c, 0x01, 0xba, 0x48, 0x98, 0x01, 0xba, 0x01, 0x94, 0x01, 0x0a, 0x1b, 0x61, 0x63, + 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x6f, 0x72, 0x5f, 0x69, 0x64, 0x5f, + 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x2f, 0x41, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, 0x20, 0x49, 0x44, 0x20, 0x6d, 0x75, 0x73, + 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x20, 0x69, + 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x64, 0x1a, 0x44, 0x74, 0x68, 0x69, 0x73, + 0x2e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, + 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, 0x6c, 0x6c, 0x28, 0x69, 0x74, 0x65, 0x6d, 0x2c, 0x20, 0x69, + 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x20, 0x7c, + 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x69, 0x64, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x29, + 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63, 0x6f, + 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75, 0x74, + 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x54, + 0x0a, 0x18, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x75, 0x70, 
0x64, 0x61, 0x74, + 0x65, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x18, 0x65, 0x20, 0x01, 0x28, 0x0e, + 0x32, 0x1a, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x52, 0x16, 0x6d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x42, 0x65, 0x68, 0x61, + 0x76, 0x69, 0x6f, 0x72, 0x22, 0x74, 0x0a, 0x21, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, + 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4f, 0x0a, 0x15, 0x64, 0x79, 0x6e, + 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x13, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0x3c, 0x0a, 0x20, 0x44, 0x65, + 0x6c, 0x65, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, + 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, + 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x22, 0x74, 0x0a, 0x21, 0x44, 0x65, 0x6c, 0x65, + 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4f, 0x0a, + 0x15, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x6d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 
0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, + 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x13, 0x64, 0x79, 0x6e, 0x61, 0x6d, + 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2a, 0xb2, + 0x01, 0x0a, 0x1c, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, + 0x30, 0x0a, 0x2c, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, + 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, + 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, + 0x00, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, + 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, + 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, + 0x10, 0x01, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x44, 0x59, 0x4e, 0x41, 0x4d, + 0x49, 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, + 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, + 0x54, 0x10, 0x02, 0x32, 0xa7, 0x06, 0x0a, 0x1a, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, + 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x53, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x12, 0x9a, 0x01, 0x0a, 0x18, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, + 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, + 0x3b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, + 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 
0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3c, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x79, + 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, + 0x94, 0x01, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x39, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, + 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3a, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, + 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, + 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x9a, 0x01, 0x0a, 0x19, 0x43, 0x72, 0x65, 0x61, 0x74, + 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x12, 0x3c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, + 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, + 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 
0x65, + 0x73, 0x74, 0x1a, 0x3d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, + 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, + 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, + 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x22, 0x00, 0x12, 0x9a, 0x01, 0x0a, 0x19, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, + 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x12, 0x3c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, + 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, + 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, + 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x3d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, + 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, + 0x12, 0x9a, 0x01, 0x0a, 0x19, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, + 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x3c, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, + 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, + 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3d, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 
0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, + 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x87, 0x02, + 0x0a, 0x1e, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, + 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x42, 0x18, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x42, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, + 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, + 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x64, 0x79, 0x6e, + 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0xa2, 0x02, 0x03, 0x50, 0x44, 0x58, 0xaa, 0x02, 0x1a, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0xca, 0x02, 0x1a, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x44, 0x79, 0x6e, + 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0xe2, 0x02, 0x26, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, + 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5c, 0x47, 0x50, + 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x1b, 0x50, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x3a, 0x3a, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x62, 0x06, 0x70, 0x72, 
0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescOnce sync.Once + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescData = file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDesc +) + +func file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP() []byte { + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescOnce.Do(func() { + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescData = protoimpl.X.CompressGZIP(file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescData) + }) + return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescData +} + +var file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes = make([]protoimpl.MessageInfo, 11) +var file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_goTypes = []interface{}{ + (SortDynamicValueMappingsType)(0), // 0: policy.dynamicvaluemapping.SortDynamicValueMappingsType + (*GetDynamicValueMappingRequest)(nil), // 1: policy.dynamicvaluemapping.GetDynamicValueMappingRequest + (*GetDynamicValueMappingResponse)(nil), // 2: policy.dynamicvaluemapping.GetDynamicValueMappingResponse + (*DynamicValueMappingsSort)(nil), // 3: policy.dynamicvaluemapping.DynamicValueMappingsSort + (*ListDynamicValueMappingsRequest)(nil), // 4: policy.dynamicvaluemapping.ListDynamicValueMappingsRequest + (*ListDynamicValueMappingsResponse)(nil), // 5: policy.dynamicvaluemapping.ListDynamicValueMappingsResponse + (*CreateDynamicValueMappingRequest)(nil), // 6: policy.dynamicvaluemapping.CreateDynamicValueMappingRequest + (*CreateDynamicValueMappingResponse)(nil), // 7: policy.dynamicvaluemapping.CreateDynamicValueMappingResponse + (*UpdateDynamicValueMappingRequest)(nil), // 8: policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest + 
(*UpdateDynamicValueMappingResponse)(nil), // 9: policy.dynamicvaluemapping.UpdateDynamicValueMappingResponse + (*DeleteDynamicValueMappingRequest)(nil), // 10: policy.dynamicvaluemapping.DeleteDynamicValueMappingRequest + (*DeleteDynamicValueMappingResponse)(nil), // 11: policy.dynamicvaluemapping.DeleteDynamicValueMappingResponse + (*policy.DynamicValueMapping)(nil), // 12: policy.DynamicValueMapping + (policy.SortDirection)(0), // 13: policy.SortDirection + (*policy.PageRequest)(nil), // 14: policy.PageRequest + (*policy.PageResponse)(nil), // 15: policy.PageResponse + (*policy.DynamicValueResolver)(nil), // 16: policy.DynamicValueResolver + (*policy.Action)(nil), // 17: policy.Action + (*subjectmapping.SubjectConditionSetCreate)(nil), // 18: policy.subjectmapping.SubjectConditionSetCreate + (*common.MetadataMutable)(nil), // 19: common.MetadataMutable + (common.MetadataUpdateEnum)(0), // 20: common.MetadataUpdateEnum +} +var file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_depIdxs = []int32{ + 12, // 0: policy.dynamicvaluemapping.GetDynamicValueMappingResponse.dynamic_value_mapping:type_name -> policy.DynamicValueMapping + 0, // 1: policy.dynamicvaluemapping.DynamicValueMappingsSort.field:type_name -> policy.dynamicvaluemapping.SortDynamicValueMappingsType + 13, // 2: policy.dynamicvaluemapping.DynamicValueMappingsSort.direction:type_name -> policy.SortDirection + 14, // 3: policy.dynamicvaluemapping.ListDynamicValueMappingsRequest.pagination:type_name -> policy.PageRequest + 3, // 4: policy.dynamicvaluemapping.ListDynamicValueMappingsRequest.sort:type_name -> policy.dynamicvaluemapping.DynamicValueMappingsSort + 12, // 5: policy.dynamicvaluemapping.ListDynamicValueMappingsResponse.dynamic_value_mappings:type_name -> policy.DynamicValueMapping + 15, // 6: policy.dynamicvaluemapping.ListDynamicValueMappingsResponse.pagination:type_name -> policy.PageResponse + 16, // 7: 
policy.dynamicvaluemapping.CreateDynamicValueMappingRequest.value_resolver:type_name -> policy.DynamicValueResolver + 17, // 8: policy.dynamicvaluemapping.CreateDynamicValueMappingRequest.actions:type_name -> policy.Action + 18, // 9: policy.dynamicvaluemapping.CreateDynamicValueMappingRequest.new_subject_condition_set:type_name -> policy.subjectmapping.SubjectConditionSetCreate + 19, // 10: policy.dynamicvaluemapping.CreateDynamicValueMappingRequest.metadata:type_name -> common.MetadataMutable + 12, // 11: policy.dynamicvaluemapping.CreateDynamicValueMappingResponse.dynamic_value_mapping:type_name -> policy.DynamicValueMapping + 16, // 12: policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest.value_resolver:type_name -> policy.DynamicValueResolver + 17, // 13: policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest.actions:type_name -> policy.Action + 19, // 14: policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest.metadata:type_name -> common.MetadataMutable + 20, // 15: policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 12, // 16: policy.dynamicvaluemapping.UpdateDynamicValueMappingResponse.dynamic_value_mapping:type_name -> policy.DynamicValueMapping + 12, // 17: policy.dynamicvaluemapping.DeleteDynamicValueMappingResponse.dynamic_value_mapping:type_name -> policy.DynamicValueMapping + 4, // 18: policy.dynamicvaluemapping.DynamicValueMappingService.ListDynamicValueMappings:input_type -> policy.dynamicvaluemapping.ListDynamicValueMappingsRequest + 1, // 19: policy.dynamicvaluemapping.DynamicValueMappingService.GetDynamicValueMapping:input_type -> policy.dynamicvaluemapping.GetDynamicValueMappingRequest + 6, // 20: policy.dynamicvaluemapping.DynamicValueMappingService.CreateDynamicValueMapping:input_type -> policy.dynamicvaluemapping.CreateDynamicValueMappingRequest + 8, // 21: policy.dynamicvaluemapping.DynamicValueMappingService.UpdateDynamicValueMapping:input_type -> 
policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest + 10, // 22: policy.dynamicvaluemapping.DynamicValueMappingService.DeleteDynamicValueMapping:input_type -> policy.dynamicvaluemapping.DeleteDynamicValueMappingRequest + 5, // 23: policy.dynamicvaluemapping.DynamicValueMappingService.ListDynamicValueMappings:output_type -> policy.dynamicvaluemapping.ListDynamicValueMappingsResponse + 2, // 24: policy.dynamicvaluemapping.DynamicValueMappingService.GetDynamicValueMapping:output_type -> policy.dynamicvaluemapping.GetDynamicValueMappingResponse + 7, // 25: policy.dynamicvaluemapping.DynamicValueMappingService.CreateDynamicValueMapping:output_type -> policy.dynamicvaluemapping.CreateDynamicValueMappingResponse + 9, // 26: policy.dynamicvaluemapping.DynamicValueMappingService.UpdateDynamicValueMapping:output_type -> policy.dynamicvaluemapping.UpdateDynamicValueMappingResponse + 11, // 27: policy.dynamicvaluemapping.DynamicValueMappingService.DeleteDynamicValueMapping:output_type -> policy.dynamicvaluemapping.DeleteDynamicValueMappingResponse + 23, // [23:28] is the sub-list for method output_type + 18, // [18:23] is the sub-list for method input_type + 18, // [18:18] is the sub-list for extension type_name + 18, // [18:18] is the sub-list for extension extendee + 0, // [0:18] is the sub-list for field type_name +} + +func init() { file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_init() } +func file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_init() { + if File_policy_dynamicvaluemapping_dynamic_value_mapping_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetDynamicValueMappingRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + 
file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetDynamicValueMappingResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*DynamicValueMappingsSort); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ListDynamicValueMappingsRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ListDynamicValueMappingsResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*CreateDynamicValueMappingRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*CreateDynamicValueMappingResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { + switch v := 
v.(*UpdateDynamicValueMappingRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*UpdateDynamicValueMappingResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*DeleteDynamicValueMappingRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*DeleteDynamicValueMappingResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDesc, + NumEnums: 1, + NumMessages: 11, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_goTypes, + DependencyIndexes: file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_depIdxs, + EnumInfos: file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_enumTypes, + MessageInfos: file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes, + }.Build() + File_policy_dynamicvaluemapping_dynamic_value_mapping_proto = out.File + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDesc = nil + file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_goTypes = nil + 
file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_depIdxs = nil +} diff --git a/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping_grpc.pb.go b/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping_grpc.pb.go new file mode 100644 index 0000000000..513595f0ef --- /dev/null +++ b/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping_grpc.pb.go 
@@ -0,0 +1,258 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.3.0 +// - protoc (unknown) +// source: policy/dynamicvaluemapping/dynamic_value_mapping.proto + +package dynamicvaluemapping + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.32.0 or later. +const _ = grpc.SupportPackageIsVersion7 + +const ( + DynamicValueMappingService_ListDynamicValueMappings_FullMethodName = "/policy.dynamicvaluemapping.DynamicValueMappingService/ListDynamicValueMappings" + DynamicValueMappingService_GetDynamicValueMapping_FullMethodName = "/policy.dynamicvaluemapping.DynamicValueMappingService/GetDynamicValueMapping" + DynamicValueMappingService_CreateDynamicValueMapping_FullMethodName = "/policy.dynamicvaluemapping.DynamicValueMappingService/CreateDynamicValueMapping" + DynamicValueMappingService_UpdateDynamicValueMapping_FullMethodName = "/policy.dynamicvaluemapping.DynamicValueMappingService/UpdateDynamicValueMapping" + DynamicValueMappingService_DeleteDynamicValueMapping_FullMethodName = "/policy.dynamicvaluemapping.DynamicValueMappingService/DeleteDynamicValueMapping" +) + +// DynamicValueMappingServiceClient is the client API for DynamicValueMappingService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. 
+type DynamicValueMappingServiceClient interface { + ListDynamicValueMappings(ctx context.Context, in *ListDynamicValueMappingsRequest, opts ...grpc.CallOption) (*ListDynamicValueMappingsResponse, error) + GetDynamicValueMapping(ctx context.Context, in *GetDynamicValueMappingRequest, opts ...grpc.CallOption) (*GetDynamicValueMappingResponse, error) + CreateDynamicValueMapping(ctx context.Context, in *CreateDynamicValueMappingRequest, opts ...grpc.CallOption) (*CreateDynamicValueMappingResponse, error) + UpdateDynamicValueMapping(ctx context.Context, in *UpdateDynamicValueMappingRequest, opts ...grpc.CallOption) (*UpdateDynamicValueMappingResponse, error) + DeleteDynamicValueMapping(ctx context.Context, in *DeleteDynamicValueMappingRequest, opts ...grpc.CallOption) (*DeleteDynamicValueMappingResponse, error) +} + +type dynamicValueMappingServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewDynamicValueMappingServiceClient(cc grpc.ClientConnInterface) DynamicValueMappingServiceClient { + return &dynamicValueMappingServiceClient{cc} +} + +func (c *dynamicValueMappingServiceClient) ListDynamicValueMappings(ctx context.Context, in *ListDynamicValueMappingsRequest, opts ...grpc.CallOption) (*ListDynamicValueMappingsResponse, error) { + out := new(ListDynamicValueMappingsResponse) + err := c.cc.Invoke(ctx, DynamicValueMappingService_ListDynamicValueMappings_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *dynamicValueMappingServiceClient) GetDynamicValueMapping(ctx context.Context, in *GetDynamicValueMappingRequest, opts ...grpc.CallOption) (*GetDynamicValueMappingResponse, error) { + out := new(GetDynamicValueMappingResponse) + err := c.cc.Invoke(ctx, DynamicValueMappingService_GetDynamicValueMapping_FullMethodName, in, out, opts...) 
+ if err != nil { + return nil, err + } + return out, nil +} + +func (c *dynamicValueMappingServiceClient) CreateDynamicValueMapping(ctx context.Context, in *CreateDynamicValueMappingRequest, opts ...grpc.CallOption) (*CreateDynamicValueMappingResponse, error) { + out := new(CreateDynamicValueMappingResponse) + err := c.cc.Invoke(ctx, DynamicValueMappingService_CreateDynamicValueMapping_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *dynamicValueMappingServiceClient) UpdateDynamicValueMapping(ctx context.Context, in *UpdateDynamicValueMappingRequest, opts ...grpc.CallOption) (*UpdateDynamicValueMappingResponse, error) { + out := new(UpdateDynamicValueMappingResponse) + err := c.cc.Invoke(ctx, DynamicValueMappingService_UpdateDynamicValueMapping_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *dynamicValueMappingServiceClient) DeleteDynamicValueMapping(ctx context.Context, in *DeleteDynamicValueMappingRequest, opts ...grpc.CallOption) (*DeleteDynamicValueMappingResponse, error) { + out := new(DeleteDynamicValueMappingResponse) + err := c.cc.Invoke(ctx, DynamicValueMappingService_DeleteDynamicValueMapping_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +// DynamicValueMappingServiceServer is the server API for DynamicValueMappingService service. 
+// All implementations must embed UnimplementedDynamicValueMappingServiceServer +// for forward compatibility +type DynamicValueMappingServiceServer interface { + ListDynamicValueMappings(context.Context, *ListDynamicValueMappingsRequest) (*ListDynamicValueMappingsResponse, error) + GetDynamicValueMapping(context.Context, *GetDynamicValueMappingRequest) (*GetDynamicValueMappingResponse, error) + CreateDynamicValueMapping(context.Context, *CreateDynamicValueMappingRequest) (*CreateDynamicValueMappingResponse, error) + UpdateDynamicValueMapping(context.Context, *UpdateDynamicValueMappingRequest) (*UpdateDynamicValueMappingResponse, error) + DeleteDynamicValueMapping(context.Context, *DeleteDynamicValueMappingRequest) (*DeleteDynamicValueMappingResponse, error) + mustEmbedUnimplementedDynamicValueMappingServiceServer() +} + +// UnimplementedDynamicValueMappingServiceServer must be embedded to have forward compatible implementations. +type UnimplementedDynamicValueMappingServiceServer struct { +} + +func (UnimplementedDynamicValueMappingServiceServer) ListDynamicValueMappings(context.Context, *ListDynamicValueMappingsRequest) (*ListDynamicValueMappingsResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method ListDynamicValueMappings not implemented") +} +func (UnimplementedDynamicValueMappingServiceServer) GetDynamicValueMapping(context.Context, *GetDynamicValueMappingRequest) (*GetDynamicValueMappingResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method GetDynamicValueMapping not implemented") +} +func (UnimplementedDynamicValueMappingServiceServer) CreateDynamicValueMapping(context.Context, *CreateDynamicValueMappingRequest) (*CreateDynamicValueMappingResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method CreateDynamicValueMapping not implemented") +} +func (UnimplementedDynamicValueMappingServiceServer) UpdateDynamicValueMapping(context.Context, *UpdateDynamicValueMappingRequest) 
(*UpdateDynamicValueMappingResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method UpdateDynamicValueMapping not implemented") +} +func (UnimplementedDynamicValueMappingServiceServer) DeleteDynamicValueMapping(context.Context, *DeleteDynamicValueMappingRequest) (*DeleteDynamicValueMappingResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method DeleteDynamicValueMapping not implemented") +} +func (UnimplementedDynamicValueMappingServiceServer) mustEmbedUnimplementedDynamicValueMappingServiceServer() { +} + +// UnsafeDynamicValueMappingServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to DynamicValueMappingServiceServer will +// result in compilation errors. +type UnsafeDynamicValueMappingServiceServer interface { + mustEmbedUnimplementedDynamicValueMappingServiceServer() +} + +func RegisterDynamicValueMappingServiceServer(s grpc.ServiceRegistrar, srv DynamicValueMappingServiceServer) { + s.RegisterService(&DynamicValueMappingService_ServiceDesc, srv) +} + +func _DynamicValueMappingService_ListDynamicValueMappings_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(ListDynamicValueMappingsRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(DynamicValueMappingServiceServer).ListDynamicValueMappings(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: DynamicValueMappingService_ListDynamicValueMappings_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DynamicValueMappingServiceServer).ListDynamicValueMappings(ctx, req.(*ListDynamicValueMappingsRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _DynamicValueMappingService_GetDynamicValueMapping_Handler(srv interface{}, ctx 
context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(GetDynamicValueMappingRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(DynamicValueMappingServiceServer).GetDynamicValueMapping(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: DynamicValueMappingService_GetDynamicValueMapping_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DynamicValueMappingServiceServer).GetDynamicValueMapping(ctx, req.(*GetDynamicValueMappingRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _DynamicValueMappingService_CreateDynamicValueMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(CreateDynamicValueMappingRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(DynamicValueMappingServiceServer).CreateDynamicValueMapping(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: DynamicValueMappingService_CreateDynamicValueMapping_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DynamicValueMappingServiceServer).CreateDynamicValueMapping(ctx, req.(*CreateDynamicValueMappingRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _DynamicValueMappingService_UpdateDynamicValueMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(UpdateDynamicValueMappingRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(DynamicValueMappingServiceServer).UpdateDynamicValueMapping(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: 
DynamicValueMappingService_UpdateDynamicValueMapping_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DynamicValueMappingServiceServer).UpdateDynamicValueMapping(ctx, req.(*UpdateDynamicValueMappingRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _DynamicValueMappingService_DeleteDynamicValueMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(DeleteDynamicValueMappingRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(DynamicValueMappingServiceServer).DeleteDynamicValueMapping(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: DynamicValueMappingService_DeleteDynamicValueMapping_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DynamicValueMappingServiceServer).DeleteDynamicValueMapping(ctx, req.(*DeleteDynamicValueMappingRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// DynamicValueMappingService_ServiceDesc is the grpc.ServiceDesc for DynamicValueMappingService service. 
+// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var DynamicValueMappingService_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "policy.dynamicvaluemapping.DynamicValueMappingService", + HandlerType: (*DynamicValueMappingServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "ListDynamicValueMappings", + Handler: _DynamicValueMappingService_ListDynamicValueMappings_Handler, + }, + { + MethodName: "GetDynamicValueMapping", + Handler: _DynamicValueMappingService_GetDynamicValueMapping_Handler, + }, + { + MethodName: "CreateDynamicValueMapping", + Handler: _DynamicValueMappingService_CreateDynamicValueMapping_Handler, + }, + { + MethodName: "UpdateDynamicValueMapping", + Handler: _DynamicValueMappingService_UpdateDynamicValueMapping_Handler, + }, + { + MethodName: "DeleteDynamicValueMapping", + Handler: _DynamicValueMappingService_DeleteDynamicValueMapping_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "policy/dynamicvaluemapping/dynamic_value_mapping.proto", +} diff --git a/protocol/go/policy/dynamicvaluemapping/dynamicvaluemappingconnect/dynamic_value_mapping.connect.go b/protocol/go/policy/dynamicvaluemapping/dynamicvaluemappingconnect/dynamic_value_mapping.connect.go new file mode 100644 index 0000000000..dfe90334f5 --- /dev/null +++ b/protocol/go/policy/dynamicvaluemapping/dynamicvaluemappingconnect/dynamic_value_mapping.connect.go 
@@ -0,0 +1,238 @@ +// Code generated by protoc-gen-connect-go. DO NOT EDIT. +// +// Source: policy/dynamicvaluemapping/dynamic_value_mapping.proto + +package dynamicvaluemappingconnect + +import ( + connect "connectrpc.com/connect" + context "context" + errors "errors" + dynamicvaluemapping "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping" + http "net/http" + strings "strings" +) + +// This is a compile-time assertion to ensure that this generated file and the connect package are +// compatible. If you get a compiler error that this constant is not defined, this code was +// generated with a version of connect newer than the one compiled into your binary. You can fix the +// problem by either regenerating this code with an older version of connect or updating the connect +// version compiled into your binary. +const _ = connect.IsAtLeastVersion1_13_0 + +const ( + // DynamicValueMappingServiceName is the fully-qualified name of the DynamicValueMappingService + // service. + DynamicValueMappingServiceName = "policy.dynamicvaluemapping.DynamicValueMappingService" +) + +// These constants are the fully-qualified names of the RPCs defined in this package. They're +// exposed at runtime as Spec.Procedure and as the final two segments of the HTTP route. +// +// Note that these are different from the fully-qualified method names used by +// google.golang.org/protobuf/reflect/protoreflect. To convert from these constants to +// reflection-formatted method names, remove the leading slash and convert the remaining slash to a +// period. +const ( + // DynamicValueMappingServiceListDynamicValueMappingsProcedure is the fully-qualified name of the + // DynamicValueMappingService's ListDynamicValueMappings RPC. 
+ DynamicValueMappingServiceListDynamicValueMappingsProcedure = "/policy.dynamicvaluemapping.DynamicValueMappingService/ListDynamicValueMappings" + // DynamicValueMappingServiceGetDynamicValueMappingProcedure is the fully-qualified name of the + // DynamicValueMappingService's GetDynamicValueMapping RPC. + DynamicValueMappingServiceGetDynamicValueMappingProcedure = "/policy.dynamicvaluemapping.DynamicValueMappingService/GetDynamicValueMapping" + // DynamicValueMappingServiceCreateDynamicValueMappingProcedure is the fully-qualified name of the + // DynamicValueMappingService's CreateDynamicValueMapping RPC. + DynamicValueMappingServiceCreateDynamicValueMappingProcedure = "/policy.dynamicvaluemapping.DynamicValueMappingService/CreateDynamicValueMapping" + // DynamicValueMappingServiceUpdateDynamicValueMappingProcedure is the fully-qualified name of the + // DynamicValueMappingService's UpdateDynamicValueMapping RPC. + DynamicValueMappingServiceUpdateDynamicValueMappingProcedure = "/policy.dynamicvaluemapping.DynamicValueMappingService/UpdateDynamicValueMapping" + // DynamicValueMappingServiceDeleteDynamicValueMappingProcedure is the fully-qualified name of the + // DynamicValueMappingService's DeleteDynamicValueMapping RPC. + DynamicValueMappingServiceDeleteDynamicValueMappingProcedure = "/policy.dynamicvaluemapping.DynamicValueMappingService/DeleteDynamicValueMapping" +) + +// DynamicValueMappingServiceClient is a client for the +// policy.dynamicvaluemapping.DynamicValueMappingService service. 
+type DynamicValueMappingServiceClient interface { + ListDynamicValueMappings(context.Context, *connect.Request[dynamicvaluemapping.ListDynamicValueMappingsRequest]) (*connect.Response[dynamicvaluemapping.ListDynamicValueMappingsResponse], error) + GetDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.GetDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.GetDynamicValueMappingResponse], error) + CreateDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.CreateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.CreateDynamicValueMappingResponse], error) + UpdateDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.UpdateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.UpdateDynamicValueMappingResponse], error) + DeleteDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.DeleteDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.DeleteDynamicValueMappingResponse], error) +} + +// NewDynamicValueMappingServiceClient constructs a client for the +// policy.dynamicvaluemapping.DynamicValueMappingService service. By default, it uses the Connect +// protocol with the binary Protobuf Codec, asks for gzipped responses, and sends uncompressed +// requests. To use the gRPC or gRPC-Web protocols, supply the connect.WithGRPC() or +// connect.WithGRPCWeb() options. +// +// The URL supplied here should be the base URL for the Connect or gRPC server (for example, +// http://api.acme.com or https://acme.com/grpc). 
+func NewDynamicValueMappingServiceClient(httpClient connect.HTTPClient, baseURL string, opts ...connect.ClientOption) DynamicValueMappingServiceClient { + baseURL = strings.TrimRight(baseURL, "/") + dynamicValueMappingServiceMethods := dynamicvaluemapping.File_policy_dynamicvaluemapping_dynamic_value_mapping_proto.Services().ByName("DynamicValueMappingService").Methods() + return &dynamicValueMappingServiceClient{ + listDynamicValueMappings: connect.NewClient[dynamicvaluemapping.ListDynamicValueMappingsRequest, dynamicvaluemapping.ListDynamicValueMappingsResponse]( + httpClient, + baseURL+DynamicValueMappingServiceListDynamicValueMappingsProcedure, + connect.WithSchema(dynamicValueMappingServiceMethods.ByName("ListDynamicValueMappings")), + connect.WithIdempotency(connect.IdempotencyNoSideEffects), + connect.WithClientOptions(opts...), + ), + getDynamicValueMapping: connect.NewClient[dynamicvaluemapping.GetDynamicValueMappingRequest, dynamicvaluemapping.GetDynamicValueMappingResponse]( + httpClient, + baseURL+DynamicValueMappingServiceGetDynamicValueMappingProcedure, + connect.WithSchema(dynamicValueMappingServiceMethods.ByName("GetDynamicValueMapping")), + connect.WithIdempotency(connect.IdempotencyNoSideEffects), + connect.WithClientOptions(opts...), + ), + createDynamicValueMapping: connect.NewClient[dynamicvaluemapping.CreateDynamicValueMappingRequest, dynamicvaluemapping.CreateDynamicValueMappingResponse]( + httpClient, + baseURL+DynamicValueMappingServiceCreateDynamicValueMappingProcedure, + connect.WithSchema(dynamicValueMappingServiceMethods.ByName("CreateDynamicValueMapping")), + connect.WithClientOptions(opts...), + ), + updateDynamicValueMapping: connect.NewClient[dynamicvaluemapping.UpdateDynamicValueMappingRequest, dynamicvaluemapping.UpdateDynamicValueMappingResponse]( + httpClient, + baseURL+DynamicValueMappingServiceUpdateDynamicValueMappingProcedure, + connect.WithSchema(dynamicValueMappingServiceMethods.ByName("UpdateDynamicValueMapping")), + 
connect.WithClientOptions(opts...), + ), + deleteDynamicValueMapping: connect.NewClient[dynamicvaluemapping.DeleteDynamicValueMappingRequest, dynamicvaluemapping.DeleteDynamicValueMappingResponse]( + httpClient, + baseURL+DynamicValueMappingServiceDeleteDynamicValueMappingProcedure, + connect.WithSchema(dynamicValueMappingServiceMethods.ByName("DeleteDynamicValueMapping")), + connect.WithClientOptions(opts...), + ), + } +} + +// dynamicValueMappingServiceClient implements DynamicValueMappingServiceClient. +type dynamicValueMappingServiceClient struct { + listDynamicValueMappings *connect.Client[dynamicvaluemapping.ListDynamicValueMappingsRequest, dynamicvaluemapping.ListDynamicValueMappingsResponse] + getDynamicValueMapping *connect.Client[dynamicvaluemapping.GetDynamicValueMappingRequest, dynamicvaluemapping.GetDynamicValueMappingResponse] + createDynamicValueMapping *connect.Client[dynamicvaluemapping.CreateDynamicValueMappingRequest, dynamicvaluemapping.CreateDynamicValueMappingResponse] + updateDynamicValueMapping *connect.Client[dynamicvaluemapping.UpdateDynamicValueMappingRequest, dynamicvaluemapping.UpdateDynamicValueMappingResponse] + deleteDynamicValueMapping *connect.Client[dynamicvaluemapping.DeleteDynamicValueMappingRequest, dynamicvaluemapping.DeleteDynamicValueMappingResponse] +} + +// ListDynamicValueMappings calls +// policy.dynamicvaluemapping.DynamicValueMappingService.ListDynamicValueMappings. +func (c *dynamicValueMappingServiceClient) ListDynamicValueMappings(ctx context.Context, req *connect.Request[dynamicvaluemapping.ListDynamicValueMappingsRequest]) (*connect.Response[dynamicvaluemapping.ListDynamicValueMappingsResponse], error) { + return c.listDynamicValueMappings.CallUnary(ctx, req) +} + +// GetDynamicValueMapping calls +// policy.dynamicvaluemapping.DynamicValueMappingService.GetDynamicValueMapping. 
+func (c *dynamicValueMappingServiceClient) GetDynamicValueMapping(ctx context.Context, req *connect.Request[dynamicvaluemapping.GetDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.GetDynamicValueMappingResponse], error) { + return c.getDynamicValueMapping.CallUnary(ctx, req) +} + +// CreateDynamicValueMapping calls +// policy.dynamicvaluemapping.DynamicValueMappingService.CreateDynamicValueMapping. +func (c *dynamicValueMappingServiceClient) CreateDynamicValueMapping(ctx context.Context, req *connect.Request[dynamicvaluemapping.CreateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.CreateDynamicValueMappingResponse], error) { + return c.createDynamicValueMapping.CallUnary(ctx, req) +} + +// UpdateDynamicValueMapping calls +// policy.dynamicvaluemapping.DynamicValueMappingService.UpdateDynamicValueMapping. +func (c *dynamicValueMappingServiceClient) UpdateDynamicValueMapping(ctx context.Context, req *connect.Request[dynamicvaluemapping.UpdateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.UpdateDynamicValueMappingResponse], error) { + return c.updateDynamicValueMapping.CallUnary(ctx, req) +} + +// DeleteDynamicValueMapping calls +// policy.dynamicvaluemapping.DynamicValueMappingService.DeleteDynamicValueMapping. +func (c *dynamicValueMappingServiceClient) DeleteDynamicValueMapping(ctx context.Context, req *connect.Request[dynamicvaluemapping.DeleteDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.DeleteDynamicValueMappingResponse], error) { + return c.deleteDynamicValueMapping.CallUnary(ctx, req) +} + +// DynamicValueMappingServiceHandler is an implementation of the +// policy.dynamicvaluemapping.DynamicValueMappingService service. 
+type DynamicValueMappingServiceHandler interface { + ListDynamicValueMappings(context.Context, *connect.Request[dynamicvaluemapping.ListDynamicValueMappingsRequest]) (*connect.Response[dynamicvaluemapping.ListDynamicValueMappingsResponse], error) + GetDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.GetDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.GetDynamicValueMappingResponse], error) + CreateDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.CreateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.CreateDynamicValueMappingResponse], error) + UpdateDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.UpdateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.UpdateDynamicValueMappingResponse], error) + DeleteDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.DeleteDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.DeleteDynamicValueMappingResponse], error) +} + +// NewDynamicValueMappingServiceHandler builds an HTTP handler from the service implementation. It +// returns the path on which to mount the handler and the handler itself. +// +// By default, handlers support the Connect, gRPC, and gRPC-Web protocols with the binary Protobuf +// and JSON codecs. They also support gzip compression. 
+func NewDynamicValueMappingServiceHandler(svc DynamicValueMappingServiceHandler, opts ...connect.HandlerOption) (string, http.Handler) { + dynamicValueMappingServiceMethods := dynamicvaluemapping.File_policy_dynamicvaluemapping_dynamic_value_mapping_proto.Services().ByName("DynamicValueMappingService").Methods() + dynamicValueMappingServiceListDynamicValueMappingsHandler := connect.NewUnaryHandler( + DynamicValueMappingServiceListDynamicValueMappingsProcedure, + svc.ListDynamicValueMappings, + connect.WithSchema(dynamicValueMappingServiceMethods.ByName("ListDynamicValueMappings")), + connect.WithIdempotency(connect.IdempotencyNoSideEffects), + connect.WithHandlerOptions(opts...), + ) + dynamicValueMappingServiceGetDynamicValueMappingHandler := connect.NewUnaryHandler( + DynamicValueMappingServiceGetDynamicValueMappingProcedure, + svc.GetDynamicValueMapping, + connect.WithSchema(dynamicValueMappingServiceMethods.ByName("GetDynamicValueMapping")), + connect.WithIdempotency(connect.IdempotencyNoSideEffects), + connect.WithHandlerOptions(opts...), + ) + dynamicValueMappingServiceCreateDynamicValueMappingHandler := connect.NewUnaryHandler( + DynamicValueMappingServiceCreateDynamicValueMappingProcedure, + svc.CreateDynamicValueMapping, + connect.WithSchema(dynamicValueMappingServiceMethods.ByName("CreateDynamicValueMapping")), + connect.WithHandlerOptions(opts...), + ) + dynamicValueMappingServiceUpdateDynamicValueMappingHandler := connect.NewUnaryHandler( + DynamicValueMappingServiceUpdateDynamicValueMappingProcedure, + svc.UpdateDynamicValueMapping, + connect.WithSchema(dynamicValueMappingServiceMethods.ByName("UpdateDynamicValueMapping")), + connect.WithHandlerOptions(opts...), + ) + dynamicValueMappingServiceDeleteDynamicValueMappingHandler := connect.NewUnaryHandler( + DynamicValueMappingServiceDeleteDynamicValueMappingProcedure, + svc.DeleteDynamicValueMapping, + connect.WithSchema(dynamicValueMappingServiceMethods.ByName("DeleteDynamicValueMapping")), + 
connect.WithHandlerOptions(opts...), + ) + return "/policy.dynamicvaluemapping.DynamicValueMappingService/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + switch r.URL.Path { + case DynamicValueMappingServiceListDynamicValueMappingsProcedure: + dynamicValueMappingServiceListDynamicValueMappingsHandler.ServeHTTP(w, r) + case DynamicValueMappingServiceGetDynamicValueMappingProcedure: + dynamicValueMappingServiceGetDynamicValueMappingHandler.ServeHTTP(w, r) + case DynamicValueMappingServiceCreateDynamicValueMappingProcedure: + dynamicValueMappingServiceCreateDynamicValueMappingHandler.ServeHTTP(w, r) + case DynamicValueMappingServiceUpdateDynamicValueMappingProcedure: + dynamicValueMappingServiceUpdateDynamicValueMappingHandler.ServeHTTP(w, r) + case DynamicValueMappingServiceDeleteDynamicValueMappingProcedure: + dynamicValueMappingServiceDeleteDynamicValueMappingHandler.ServeHTTP(w, r) + default: + http.NotFound(w, r) + } + }) +} + +// UnimplementedDynamicValueMappingServiceHandler returns CodeUnimplemented from all methods. 
+type UnimplementedDynamicValueMappingServiceHandler struct{} + +func (UnimplementedDynamicValueMappingServiceHandler) ListDynamicValueMappings(context.Context, *connect.Request[dynamicvaluemapping.ListDynamicValueMappingsRequest]) (*connect.Response[dynamicvaluemapping.ListDynamicValueMappingsResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.dynamicvaluemapping.DynamicValueMappingService.ListDynamicValueMappings is not implemented")) +} + +func (UnimplementedDynamicValueMappingServiceHandler) GetDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.GetDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.GetDynamicValueMappingResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.dynamicvaluemapping.DynamicValueMappingService.GetDynamicValueMapping is not implemented")) +} + +func (UnimplementedDynamicValueMappingServiceHandler) CreateDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.CreateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.CreateDynamicValueMappingResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.dynamicvaluemapping.DynamicValueMappingService.CreateDynamicValueMapping is not implemented")) +} + +func (UnimplementedDynamicValueMappingServiceHandler) UpdateDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.UpdateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.UpdateDynamicValueMappingResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.dynamicvaluemapping.DynamicValueMappingService.UpdateDynamicValueMapping is not implemented")) +} + +func (UnimplementedDynamicValueMappingServiceHandler) DeleteDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.DeleteDynamicValueMappingRequest]) 
(*connect.Response[dynamicvaluemapping.DeleteDynamicValueMappingResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.dynamicvaluemapping.DynamicValueMappingService.DeleteDynamicValueMapping is not implemented")) +} diff --git a/protocol/go/policy/objects.pb.go b/protocol/go/policy/objects.pb.go index 33dd09b721..4d90965eda 100644 --- a/protocol/go/policy/objects.pb.go +++ b/protocol/go/policy/objects.pb.go @@ -1389,10 +1389,10 @@ func (x *SubjectMapping) GetMetadata() *common.Metadata { return nil } -// Definition Value Resolver: the dynamic half of a DefinitionValueEntitlementMapping. It +// Definition Value Resolver: the dynamic half of a DynamicValueMapping. It // resolves a selector against the entity representation and compares the result to the // requested resource value segment using a DynamicValueOperatorEnum. -type DefinitionValueResolver struct { +type DynamicValueResolver struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields @@ -1404,8 +1404,8 @@ type DefinitionValueResolver struct { Operator DynamicValueOperatorEnum `protobuf:"varint,2,opt,name=operator,proto3,enum=policy.DynamicValueOperatorEnum" json:"operator,omitempty"` } -func (x *DefinitionValueResolver) Reset() { - *x = DefinitionValueResolver{} +func (x *DynamicValueResolver) Reset() { + *x = DynamicValueResolver{} if protoimpl.UnsafeEnabled { mi := &file_policy_objects_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -1413,13 +1413,13 @@ func (x *DefinitionValueResolver) Reset() { } } -func (x *DefinitionValueResolver) String() string { +func (x *DynamicValueResolver) String() string { return protoimpl.X.MessageStringOf(x) } -func (*DefinitionValueResolver) ProtoMessage() {} +func (*DynamicValueResolver) ProtoMessage() {} -func (x *DefinitionValueResolver) ProtoReflect() protoreflect.Message { +func (x *DynamicValueResolver) ProtoReflect() protoreflect.Message { mi := &file_policy_objects_proto_msgTypes[8] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -1431,31 +1431,31 @@ func (x *DefinitionValueResolver) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use DefinitionValueResolver.ProtoReflect.Descriptor instead. -func (*DefinitionValueResolver) Descriptor() ([]byte, []int) { +// Deprecated: Use DynamicValueResolver.ProtoReflect.Descriptor instead. +func (*DynamicValueResolver) Descriptor() ([]byte, []int) { return file_policy_objects_proto_rawDescGZIP(), []int{8} } -func (x *DefinitionValueResolver) GetSubjectExternalSelectorValue() string { +func (x *DynamicValueResolver) GetSubjectExternalSelectorValue() string { if x != nil { return x.SubjectExternalSelectorValue } return "" } -func (x *DefinitionValueResolver) GetOperator() DynamicValueOperatorEnum { +func (x *DynamicValueResolver) GetOperator() DynamicValueOperatorEnum { if x != nil { return x.Operator } return DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED } -// Definition Value Entitlement Mapping: a Policy assigning permitted action(s) to +// Dynamic Value Mapping: a Policy assigning permitted action(s) to // dynamically-requested values under an Attribute Definition. It raises entitlement // authority from a concrete Attribute Value to the Attribute Definition: at decision time // the value_resolver compares the requested resource value segment against the entity // representation, avoiding pre-provisioning a value + subject mapping per discrete value. -type DefinitionValueEntitlementMapping struct { +type DynamicValueMapping struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields 
@@ -1464,7 +1464,7 @@ type DefinitionValueEntitlementMapping struct { // the Attribute Definition whose values are entitled dynamically AttributeDefinition *Attribute `protobuf:"bytes,2,opt,name=attribute_definition,json=attributeDefinition,proto3" json:"attribute_definition,omitempty"` // the dynamic resolver matched against the requested resource value segment - ValueResolver *DefinitionValueResolver `protobuf:"bytes,3,opt,name=value_resolver,json=valueResolver,proto3" json:"value_resolver,omitempty"` + ValueResolver *DynamicValueResolver `protobuf:"bytes,3,opt,name=value_resolver,json=valueResolver,proto3" json:"value_resolver,omitempty"` // optional static pre-gate on the entity, evaluated with normal SubjectConditionSet // semantics (no dynamic overload). When present, both the gate and the resolver must // pass for entitlement. @@ -1476,8 +1476,8 @@ type DefinitionValueEntitlementMapping struct { Metadata *common.Metadata `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"` } -func (x *DefinitionValueEntitlementMapping) Reset() { - *x = DefinitionValueEntitlementMapping{} +func (x *DynamicValueMapping) Reset() { + *x = DynamicValueMapping{} if protoimpl.UnsafeEnabled { mi := &file_policy_objects_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -1485,13 +1485,13 @@ func (x *DefinitionValueEntitlementMapping) Reset() { } } -func (x *DefinitionValueEntitlementMapping) String() string { +func (x *DynamicValueMapping) String() string { return protoimpl.X.MessageStringOf(x) } -func (*DefinitionValueEntitlementMapping) ProtoMessage() {} +func (*DynamicValueMapping) ProtoMessage() {} -func (x *DefinitionValueEntitlementMapping) ProtoReflect() protoreflect.Message { +func (x *DynamicValueMapping) ProtoReflect() protoreflect.Message { mi := &file_policy_objects_proto_msgTypes[9] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -1503,54 +1503,54 @@ func (x *DefinitionValueEntitlementMapping) ProtoReflect() protoreflect.Message return mi.MessageOf(x) } -// Deprecated: Use DefinitionValueEntitlementMapping.ProtoReflect.Descriptor instead. -func (*DefinitionValueEntitlementMapping) Descriptor() ([]byte, []int) { +// Deprecated: Use DynamicValueMapping.ProtoReflect.Descriptor instead. +func (*DynamicValueMapping) Descriptor() ([]byte, []int) { return file_policy_objects_proto_rawDescGZIP(), []int{9} } -func (x *DefinitionValueEntitlementMapping) GetId() string { +func (x *DynamicValueMapping) GetId() string { if x != nil { return x.Id } return "" } -func (x *DefinitionValueEntitlementMapping) GetAttributeDefinition() *Attribute { +func (x *DynamicValueMapping) GetAttributeDefinition() *Attribute { if x != nil { return x.AttributeDefinition } return nil } -func (x *DefinitionValueEntitlementMapping) GetValueResolver() *DefinitionValueResolver { +func (x *DynamicValueMapping) GetValueResolver() *DynamicValueResolver { if x != nil { return x.ValueResolver } return nil } -func (x *DefinitionValueEntitlementMapping) GetSubjectConditionSet() *SubjectConditionSet { +func (x *DynamicValueMapping) GetSubjectConditionSet() *SubjectConditionSet { if x != nil { return x.SubjectConditionSet } return nil } -func (x *DefinitionValueEntitlementMapping) GetActions() []*Action { +func (x *DynamicValueMapping) GetActions() []*Action { if x != nil { return x.Actions } return nil } -func (x *DefinitionValueEntitlementMapping) GetNamespace() *Namespace { +func (x *DynamicValueMapping) GetNamespace() *Namespace { if x != nil { return x.Namespace } return nil } -func (x *DefinitionValueEntitlementMapping) GetMetadata() *common.Metadata { +func (x *DynamicValueMapping) GetMetadata() *common.Metadata { if x != nil { return x.Metadata } 
@@ -3593,501 +3593,499 @@ var file_policy_objects_proto_rawDesc = []byte{ 0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xb3, 0x01, 0x0a, - 0x17, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, 0x4d, 0x0a, 0x1f, 0x73, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x73, 0x65, 0x6c, - 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x1c, 0x73, 0x75, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, - 0x6f, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x49, 0x0a, 0x08, 0x6f, 0x70, 0x65, 0x72, 0x61, - 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4f, - 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0b, 0xba, 0x48, 0x08, - 0xc8, 0x01, 0x01, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x08, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, - 0x6f, 0x72, 0x22, 0x9b, 0x03, 0x0a, 0x21, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, - 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x44, 0x0a, 0x14, 0x61, 0x74, 0x74, 0x72, - 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 
0x69, 0x74, 0x69, 0x6f, 0x6e, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x13, 0x61, 0x74, 0x74, 0x72, 0x69, - 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x46, - 0x0a, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, - 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, - 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, - 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, 0x4f, 0x0a, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, - 0x65, 0x74, 0x52, 0x13, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, - 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x28, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x06, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, - 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, - 0x63, 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, - 0x74, 
0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, - 0x22, 0xe9, 0x01, 0x0a, 0x09, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x4d, - 0x0a, 0x1f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, - 0x61, 0x6c, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, - 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, - 0x1c, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, - 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x4b, 0x0a, - 0x08, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, - 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, - 0x6e, 0x75, 0x6d, 0x42, 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01, 0x82, 0x01, 0x02, 0x10, 0x01, - 0x52, 0x08, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x40, 0x0a, 0x17, 0x73, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, - 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x45, 0x78, - 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x22, 0xa7, 0x01, 0x0a, - 0x0e, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x12, - 0x3b, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, - 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, - 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, - 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x64, 0x69, 
0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x58, 0x0a, 0x10, - 0x62, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, + 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xb0, 0x01, 0x0a, + 0x14, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, + 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, 0x4d, 0x0a, 0x1f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, + 0x6f, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x06, + 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x1c, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x45, + 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x56, + 0x61, 0x6c, 0x75, 0x65, 0x12, 0x49, 0x0a, 0x08, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, - 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01, - 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x0f, 0x62, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x4f, 0x70, - 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x22, 0x59, 0x0a, 0x0a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x53, 0x65, 0x74, 0x12, 0x4b, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, - 0x52, 0x0f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x47, 0x72, 0x6f, 0x75, 0x70, - 0x73, 0x22, 0xc5, 0x01, 0x0a, 0x13, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 
0x6f, 0x6e, - 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, - 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, - 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x3f, 0x0a, 0x0c, 0x73, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x73, 0x65, 0x74, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x12, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x53, 0x65, 0x74, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0b, - 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x53, 0x65, 0x74, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, - 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, - 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, - 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x7c, 0x0a, 0x0f, 0x53, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x50, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x79, 0x12, 0x42, 0x0a, 0x17, - 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, - 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, - 0x48, 0x07, 0xc8, 0x01, 0x01, 0x72, 0x02, 0x10, 0x01, 0x52, 0x15, 0x65, 0x78, 0x74, 0x65, 0x72, - 0x6e, 0x61, 0x6c, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x12, 0x25, 0x0a, 0x0e, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x76, 0x61, 0x6c, - 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, - 0x61, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0xad, 0x01, 0x0a, 0x14, 0x52, 0x65, 0x73, 0x6f, - 0x75, 0x72, 0x63, 0x65, 
0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x47, 0x72, 0x6f, 0x75, 0x70, - 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, - 0x12, 0x29, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0b, - 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x04, 0x6e, - 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, - 0x01, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x04, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, + 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4f, 0x70, 0x65, 0x72, + 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01, + 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x08, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x22, + 0x8a, 0x03, 0x0a, 0x13, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x44, 0x0a, 0x14, 0x61, 0x74, 0x74, 0x72, 0x69, + 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, + 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x13, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, + 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x43, 0x0a, + 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, + 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 
0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, + 0x76, 0x65, 0x72, 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, + 0x65, 0x72, 0x12, 0x4f, 0x0a, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, + 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x13, + 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, + 0x53, 0x65, 0x74, 0x12, 0x28, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x05, + 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, + 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x2f, 0x0a, + 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, + 0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x2c, + 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xe9, 0x01, 0x0a, + 0x09, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x4d, 0x0a, 0x1f, 0x73, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x73, + 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x1c, 0x73, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x53, 0x65, 0x6c, 0x65, + 
0x63, 0x74, 0x6f, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x4b, 0x0a, 0x08, 0x6f, 0x70, 0x65, + 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x42, + 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x08, 0x6f, 0x70, + 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x40, 0x0a, 0x17, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, + 0x01, 0x52, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, + 0x61, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x22, 0xa7, 0x01, 0x0a, 0x0e, 0x43, 0x6f, 0x6e, + 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x12, 0x3b, 0x0a, 0x0a, 0x63, + 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0a, 0x63, 0x6f, + 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x58, 0x0a, 0x10, 0x62, 0x6f, 0x6f, 0x6c, + 0x65, 0x61, 0x6e, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x64, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x54, 0x79, 0x70, 0x65, + 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01, 0x82, 0x01, 0x02, 0x10, + 0x01, 0x52, 0x0f, 0x62, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, + 0x6f, 0x72, 0x22, 0x59, 0x0a, 0x0a, 
0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x53, 0x65, 0x74, + 0x12, 0x4b, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x67, 0x72, + 0x6f, 0x75, 0x70, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x47, 0x72, 0x6f, + 0x75, 0x70, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0f, 0x63, 0x6f, + 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x22, 0xc5, 0x01, + 0x0a, 0x13, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, + 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, + 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x3f, 0x0a, 0x0c, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x5f, 0x73, 0x65, 0x74, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x53, 0x65, 0x74, + 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0b, 0x73, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x53, 0x65, 0x74, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, + 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x7c, 0x0a, 0x0f, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x50, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x79, 0x12, 0x42, 0x0a, 0x17, 0x65, 0x78, 0x74, 0x65, + 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 
0x72, 0x5f, 0x76, 0x61, + 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0xc8, 0x01, + 0x01, 0x72, 0x02, 0x10, 0x01, 0x52, 0x15, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x53, + 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x25, 0x0a, 0x0e, + 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x22, 0xad, 0x01, 0x0a, 0x14, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x12, 0x0e, 0x0a, 0x02, + 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x29, 0x0a, 0x0c, + 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, + 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, + 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, + 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x22, 0xd9, 0x01, 0x0a, 0x0f, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, + 0x6f, 0x6e, 
0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x3e, 0x0a, 0x0f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, + 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x42, 0x06, 0xba, + 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0e, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, + 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x65, 0x72, 0x6d, 0x73, 0x18, 0x04, + 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x74, 0x65, 0x72, 0x6d, 0x73, 0x12, 0x32, 0x0a, 0x05, 0x67, + 0x72, 0x6f, 0x75, 0x70, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x52, 0x05, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x22, + 0x85, 0x05, 0x0a, 0x0f, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, + 0x76, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x02, 0x69, 0x64, 0x12, 0x87, 0x03, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x42, 0xf4, 0x02, 0xba, 0x48, 0xf0, 0x02, 0xba, 0x01, 0xec, 0x02, 0x0a, 0x0a, 0x75, 0x72, + 0x69, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0xcf, 0x01, 0x55, 0x52, 0x49, 0x20, 0x6d, + 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, + 0x52, 0x4c, 0x20, 0x28, 0x65, 0x2e, 0x67, 0x2e, 0x2c, 0x20, 0x27, 0x68, 0x74, 0x74, 0x70, 0x73, + 0x3a, 0x2f, 0x2f, 0x64, 0x65, 0x6d, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x27, 0x29, 0x20, 0x66, + 0x6f, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x61, 0x64, 0x64, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x73, 0x65, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x20, + 0x45, 0x61, 0x63, 0x68, 0x20, 0x73, 0x65, 0x67, 
0x6d, 0x65, 0x6e, 0x74, 0x20, 0x6d, 0x75, 0x73, + 0x74, 0x20, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x65, 0x6e, 0x64, 0x20, + 0x77, 0x69, 0x74, 0x68, 0x20, 0x61, 0x6e, 0x20, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x6e, 0x75, 0x6d, + 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x2c, 0x20, + 0x63, 0x61, 0x6e, 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20, 0x68, 0x79, 0x70, 0x68, + 0x65, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, + 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x73, 0x2c, 0x20, 0x61, 0x6e, + 0x64, 0x20, 0x73, 0x6c, 0x61, 0x73, 0x68, 0x65, 0x73, 0x2e, 0x1a, 0x8b, 0x01, 0x74, 0x68, 0x69, + 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5e, 0x68, 0x74, 0x74, 0x70, + 0x73, 0x3f, 0x3a, 0x2f, 0x2f, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, + 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, + 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, + 0x29, 0x3f, 0x28, 0x5c, 0x5c, 0x2e, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, + 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5c, 0x5c, 0x2d, 0x5d, + 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, + 0x5d, 0x29, 0x3f, 0x29, 0x2a, 0x28, 0x3a, 0x5b, 0x30, 0x2d, 0x39, 0x5d, 0x2b, 0x29, 0x3f, 0x28, + 0x2f, 0x2e, 0x2a, 0x29, 0x3f, 0x24, 0x27, 0x29, 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x30, 0x0a, + 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, + 0x33, 0x0a, 0x0b, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 
0x18, 0x04, + 0x20, 0x01, 0x28, 0x0e, 0x32, 0x12, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x6f, + 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x0a, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x54, 0x79, 0x70, 0x65, 0x12, 0x2f, 0x0a, 0x08, 0x6b, 0x61, 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x73, + 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x07, 0x6b, 0x61, + 0x73, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x14, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, - 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xd9, 0x01, 0x0a, 0x0f, 0x52, 0x65, 0x73, 0x6f, - 0x75, 0x72, 0x63, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x0e, 0x0a, 0x02, 0x69, - 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2c, 0x0a, 0x08, 0x6d, - 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, - 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, - 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x3e, 0x0a, 0x0f, 0x61, 0x74, 0x74, - 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, - 0x65, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0e, 0x61, 0x74, 0x74, 0x72, 0x69, - 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x65, 0x72, - 0x6d, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x74, 0x65, 0x72, 0x6d, 0x73, 0x12, - 0x32, 0x0a, 0x05, 0x67, 0x72, 
0x6f, 0x75, 0x70, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x52, 0x05, 0x67, 0x72, - 0x6f, 0x75, 0x70, 0x22, 0x85, 0x05, 0x0a, 0x0f, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, - 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x87, 0x03, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0xf4, 0x02, 0xba, 0x48, 0xf0, 0x02, 0xba, 0x01, 0xec, 0x02, - 0x0a, 0x0a, 0x75, 0x72, 0x69, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0xcf, 0x01, 0x55, - 0x52, 0x49, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, - 0x69, 0x64, 0x20, 0x55, 0x52, 0x4c, 0x20, 0x28, 0x65, 0x2e, 0x67, 0x2e, 0x2c, 0x20, 0x27, 0x68, - 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x64, 0x65, 0x6d, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, - 0x27, 0x29, 0x20, 0x66, 0x6f, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x61, - 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x73, 0x65, 0x67, 0x6d, 0x65, 0x6e, - 0x74, 0x73, 0x2e, 0x20, 0x45, 0x61, 0x63, 0x68, 0x20, 0x73, 0x65, 0x67, 0x6d, 0x65, 0x6e, 0x74, - 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x61, 0x6e, 0x64, 0x20, - 0x65, 0x6e, 0x64, 0x20, 0x77, 0x69, 0x74, 0x68, 0x20, 0x61, 0x6e, 0x20, 0x61, 0x6c, 0x70, 0x68, - 0x61, 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, - 0x65, 0x72, 0x2c, 0x20, 0x63, 0x61, 0x6e, 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20, - 0x68, 0x79, 0x70, 0x68, 0x65, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x6e, 0x75, - 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x73, - 0x2c, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x73, 0x6c, 0x61, 0x73, 0x68, 
0x65, 0x73, 0x2e, 0x1a, 0x8b, - 0x01, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5e, - 0x68, 0x74, 0x74, 0x70, 0x73, 0x3f, 0x3a, 0x2f, 0x2f, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, - 0x30, 0x2d, 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5c, - 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, - 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x28, 0x5c, 0x5c, 0x2e, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, - 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, - 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, - 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x29, 0x2a, 0x28, 0x3a, 0x5b, 0x30, 0x2d, 0x39, 0x5d, - 0x2b, 0x29, 0x3f, 0x28, 0x2f, 0x2e, 0x2a, 0x29, 0x3f, 0x24, 0x27, 0x29, 0x52, 0x03, 0x75, 0x72, - 0x69, 0x12, 0x30, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, - 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x4b, 0x65, 0x79, 0x12, 0x33, 0x0a, 0x0b, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x74, 0x79, - 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x12, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x0a, 0x73, 0x6f, - 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x2f, 0x0a, 0x08, 0x6b, 0x61, 0x73, 0x5f, - 0x6b, 0x65, 0x79, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, - 0x52, 0x07, 0x6b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, - 0x65, 0x18, 0x14, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2c, 0x0a, + 0x65, 
0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x97, 0x02, 0x0a, 0x03, 0x4b, 0x65, 0x79, 0x12, + 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, + 0x37, 0x0a, 0x09, 0x69, 0x73, 0x5f, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x08, + 0x69, 0x73, 0x41, 0x63, 0x74, 0x69, 0x76, 0x65, 0x12, 0x39, 0x0a, 0x0a, 0x77, 0x61, 0x73, 0x5f, + 0x6d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, + 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, + 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x09, 0x77, 0x61, 0x73, 0x4d, 0x61, 0x70, + 0x70, 0x65, 0x64, 0x12, 0x33, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, + 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, + 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x29, 0x0a, 0x03, 0x6b, 0x61, 0x73, 0x18, + 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, + 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x03, + 0x6b, 0x61, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, + 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, + 0x61, 0x22, 0x84, 0x01, 0x0a, 0x0c, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, + 0x65, 0x79, 0x12, 0x1c, 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, + 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 
0x01, 0x18, 0x80, 0x40, 0x52, 0x03, 0x70, 0x65, 0x6d, + 0x12, 0x1b, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x09, 0xba, + 0x48, 0x06, 0x72, 0x04, 0x10, 0x01, 0x18, 0x20, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x12, 0x39, 0x0a, + 0x03, 0x61, 0x6c, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x82, 0x01, 0x04, 0x10, + 0x01, 0x20, 0x00, 0x52, 0x03, 0x61, 0x6c, 0x67, 0x22, 0x3b, 0x0a, 0x0f, 0x4b, 0x61, 0x73, 0x50, + 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x53, 0x65, 0x74, 0x12, 0x28, 0x0a, 0x04, 0x6b, + 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, + 0x04, 0x6b, 0x65, 0x79, 0x73, 0x22, 0xe0, 0x03, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x4b, 0x65, 0x79, 0x12, 0x84, 0x03, 0x0a, 0x06, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x42, 0xe9, 0x02, 0xba, 0x48, 0xe5, 0x02, 0xba, 0x01, 0xe1, 0x02, 0x0a, + 0x0a, 0x75, 0x72, 0x69, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0xcf, 0x01, 0x55, 0x52, + 0x49, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, + 0x64, 0x20, 0x55, 0x52, 0x4c, 0x20, 0x28, 0x65, 0x2e, 0x67, 0x2e, 0x2c, 0x20, 0x27, 0x68, 0x74, + 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x64, 0x65, 0x6d, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x27, + 0x29, 0x20, 0x66, 0x6f, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x61, 0x64, + 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x73, 0x65, 0x67, 0x6d, 0x65, 0x6e, 0x74, + 0x73, 0x2e, 0x20, 0x45, 0x61, 0x63, 0x68, 0x20, 0x73, 0x65, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x20, + 0x6d, 0x75, 0x73, 0x74, 0x20, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x61, 0x6e, 
0x64, 0x20, 0x65, + 0x6e, 0x64, 0x20, 0x77, 0x69, 0x74, 0x68, 0x20, 0x61, 0x6e, 0x20, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, + 0x72, 0x2c, 0x20, 0x63, 0x61, 0x6e, 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20, 0x68, + 0x79, 0x70, 0x68, 0x65, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x6e, 0x75, 0x6d, + 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x73, 0x2c, + 0x20, 0x61, 0x6e, 0x64, 0x20, 0x73, 0x6c, 0x61, 0x73, 0x68, 0x65, 0x73, 0x2e, 0x1a, 0x80, 0x01, + 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5e, 0x68, + 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, + 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5c, 0x5c, 0x2d, + 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, + 0x39, 0x5d, 0x29, 0x3f, 0x28, 0x5c, 0x5c, 0x2e, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, + 0x2d, 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5c, 0x5c, + 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, + 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x29, 0x2a, 0x28, 0x2f, 0x2e, 0x2a, 0x29, 0x3f, 0x24, 0x27, 0x29, + 0x48, 0x00, 0x52, 0x06, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x12, 0x31, 0x0a, 0x06, 0x63, 0x61, + 0x63, 0x68, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0x53, 0x65, 0x74, 0x48, 0x00, 0x52, 0x06, 0x63, 0x61, 0x63, 0x68, 0x65, 0x64, 0x42, 0x0c, 0x0a, + 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x4a, 0x04, 0x08, 0x02, 0x10, + 0x03, 0x52, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x22, 0xd0, 0x01, 0x0a, 0x12, 0x52, 0x65, 0x67, + 0x69, 0x73, 0x74, 
0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, + 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, + 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x12, 0x37, 0x0a, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x03, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x56, + 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x12, 0x2f, 0x0a, 0x09, + 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, + 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x97, 0x02, 0x0a, 0x03, - 0x4b, 0x65, 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x02, 0x69, 0x64, 0x12, 0x37, 0x0a, 0x09, 0x69, 0x73, 0x5f, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, - 0x75, 0x65, 0x52, 0x08, 0x69, 0x73, 0x41, 0x63, 0x74, 0x69, 0x76, 0x65, 0x12, 0x39, 0x0a, 0x0a, - 0x77, 0x61, 0x73, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, - 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 
0x75, 0x65, 0x52, 0x09, 0x77, 0x61, - 0x73, 0x4d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x12, 0x33, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, - 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, - 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x29, 0x0a, 0x03, - 0x6b, 0x61, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, - 0x65, 0x72, 0x52, 0x03, 0x6b, 0x61, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, - 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, - 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x84, 0x01, 0x0a, 0x0c, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x1c, 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x01, 0x18, 0x80, 0x40, 0x52, - 0x03, 0x70, 0x65, 0x6d, 0x12, 0x1b, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x42, 0x09, 0xba, 0x48, 0x06, 0x72, 0x04, 0x10, 0x01, 0x18, 0x20, 0x52, 0x03, 0x6b, 0x69, - 0x64, 0x12, 0x39, 0x0a, 0x03, 0x61, 0x6c, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1b, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, - 0x63, 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0a, 0xba, 0x48, 0x07, - 0x82, 0x01, 0x04, 0x10, 0x01, 0x20, 0x00, 0x52, 0x03, 0x61, 0x6c, 0x67, 0x22, 0x3b, 0x0a, 0x0f, - 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x53, 0x65, 0x74, 0x12, - 0x28, 0x0a, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, - 
0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x4b, 0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x22, 0xe0, 0x03, 0x0a, 0x09, 0x50, 0x75, - 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x84, 0x03, 0x0a, 0x06, 0x72, 0x65, 0x6d, 0x6f, - 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0xe9, 0x02, 0xba, 0x48, 0xe5, 0x02, 0xba, - 0x01, 0xe1, 0x02, 0x0a, 0x0a, 0x75, 0x72, 0x69, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, - 0xcf, 0x01, 0x55, 0x52, 0x49, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, - 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x52, 0x4c, 0x20, 0x28, 0x65, 0x2e, 0x67, 0x2e, 0x2c, - 0x20, 0x27, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x64, 0x65, 0x6d, 0x6f, 0x2e, 0x63, - 0x6f, 0x6d, 0x2f, 0x27, 0x29, 0x20, 0x66, 0x6f, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x20, 0x62, - 0x79, 0x20, 0x61, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x73, 0x65, 0x67, - 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x20, 0x45, 0x61, 0x63, 0x68, 0x20, 0x73, 0x65, 0x67, 0x6d, - 0x65, 0x6e, 0x74, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x61, - 0x6e, 0x64, 0x20, 0x65, 0x6e, 0x64, 0x20, 0x77, 0x69, 0x74, 0x68, 0x20, 0x61, 0x6e, 0x20, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, - 0x61, 0x63, 0x74, 0x65, 0x72, 0x2c, 0x20, 0x63, 0x61, 0x6e, 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x61, - 0x69, 0x6e, 0x20, 0x68, 0x79, 0x70, 0x68, 0x65, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x6c, 0x70, 0x68, - 0x61, 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, - 0x65, 0x72, 0x73, 0x2c, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x73, 0x6c, 0x61, 0x73, 0x68, 0x65, 0x73, - 0x2e, 0x1a, 0x80, 0x01, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, - 0x28, 0x27, 0x5e, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x5b, 0x61, 0x2d, 0x7a, 0x41, - 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 
0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, - 0x39, 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, - 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x28, 0x5c, 0x5c, 0x2e, 0x5b, 0x61, 0x2d, 0x7a, - 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, - 0x2d, 0x39, 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, - 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x29, 0x2a, 0x28, 0x2f, 0x2e, 0x2a, 0x29, - 0x3f, 0x24, 0x27, 0x29, 0x48, 0x00, 0x52, 0x06, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x12, 0x31, - 0x0a, 0x06, 0x63, 0x61, 0x63, 0x68, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, - 0x63, 0x4b, 0x65, 0x79, 0x53, 0x65, 0x74, 0x48, 0x00, 0x52, 0x06, 0x63, 0x61, 0x63, 0x68, 0x65, - 0x64, 0x42, 0x0c, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x4a, - 0x04, 0x08, 0x02, 0x10, 0x03, 0x52, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x22, 0xd0, 0x01, 0x0a, - 0x12, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, - 0x72, 0x63, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x37, 0x0a, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, - 0x72, 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, - 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x04, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 
0x2e, 0x4e, 0x61, 0x6d, - 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, - 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, + 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xdc, 0x03, 0x0a, 0x17, + 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, + 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x36, 0x0a, + 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x1a, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, + 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x08, 0x72, 0x65, 0x73, + 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x6c, 0x0a, 0x17, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, + 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, + 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, + 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x74, + 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x15, 0x61, 0x63, + 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, + 0x75, 0x65, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, + 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, + 0x2e, 0x4d, 
0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x1a, 0xb4, 0x01, 0x0a, 0x14, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x74, + 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x0e, 0x0a, 0x02, + 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x26, 0x0a, 0x06, + 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x61, 0x63, + 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x36, 0x0a, 0x0f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, + 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0e, 0x61, 0x74, + 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x2c, 0x0a, 0x08, + 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, + 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x3e, 0x0a, 0x16, 0x50, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x45, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x50, + 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x24, 0x0a, 0x09, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x69, + 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xba, 0x48, 0x04, 0x72, 0x02, 0x10, 0x01, + 0x52, 0x08, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x22, 0x4a, 0x0a, 0x0e, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x12, 0x38, 0x0a, 0x03, + 0x70, 0x65, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x45, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, + 0x6d, 0x65, 0x6e, 0x74, 0x50, 0x6f, 0x69, 0x6e, 
0x74, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, + 0x01, 0x52, 0x03, 0x70, 0x65, 0x70, 0x22, 0xd2, 0x01, 0x0a, 0x0a, 0x4f, 0x62, 0x6c, 0x69, 0x67, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, + 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, + 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2f, 0x0a, 0x06, 0x76, 0x61, + 0x6c, 0x75, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x66, + 0x71, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x2c, 0x0a, + 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, + 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xe2, 0x01, 0x0a, 0x0f, + 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, + 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, + 0x32, 0x0a, 0x0a, 0x6f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4f, 0x62, 0x6c, + 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0a, 0x6f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 
0x20, 0x01, + 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x35, 0x0a, 0x08, 0x74, 0x72, 0x69, + 0x67, 0x67, 0x65, 0x72, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, + 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x52, 0x08, 0x74, 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x73, + 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x66, + 0x71, 0x6e, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x22, 0xd8, 0x02, 0x0a, 0x11, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, + 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x42, 0x0a, 0x10, 0x6f, 0x62, 0x6c, 0x69, 0x67, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0f, 0x6f, 0x62, 0x6c, 0x69, 0x67, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x26, 0x0a, 0x06, 0x61, 0x63, + 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, + 0x6f, 0x6e, 0x12, 0x36, 0x0a, 0x0f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0e, 0x61, 0x74, 0x74, 0x72, + 0x69, 0x62, 0x75, 0x74, 
0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x30, 0x0a, 0x07, 0x63, 0x6f, + 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x74, + 0x65, 0x78, 0x74, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x12, 0x2f, 0x0a, 0x09, + 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, + 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x2c, 0x0a, + 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, + 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x61, 0x0a, 0x06, 0x4b, + 0x61, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x61, 0x73, 0x5f, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x61, 0x73, 0x49, 0x64, 0x12, 0x27, 0x0a, 0x03, + 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x41, 0x73, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x61, 0x73, 0x5f, 0x75, 0x72, 0x69, + 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x61, 0x73, 0x55, 0x72, 0x69, 0x22, 0x29, + 0x0a, 0x0c, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x19, + 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xba, 0x48, 0x04, + 0x72, 0x02, 0x10, 0x01, 0x52, 0x03, 0x70, 0x65, 0x6d, 0x22, 0x50, 0x0a, 0x0d, 0x50, 0x72, 0x69, + 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x1e, 0x0a, 0x06, 0x6b, 0x65, + 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 
0x42, 0x07, 0xba, 0x48, 0x04, 0x72, + 0x02, 0x10, 0x01, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x77, 0x72, + 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x0a, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x22, 0xd1, 0x03, 0x0a, 0x0d, + 0x41, 0x73, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x0e, 0x0a, + 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x15, 0x0a, + 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, + 0x65, 0x79, 0x49, 0x64, 0x12, 0x36, 0x0a, 0x0d, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x6c, 0x67, 0x6f, + 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x11, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x52, 0x0c, + 0x6b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x30, 0x0a, 0x0a, + 0x6b, 0x65, 0x79, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, + 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x53, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x52, 0x09, 0x6b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x2a, + 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0e, + 0x32, 0x0f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, + 0x65, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x3a, 0x0a, 0x0e, 0x70, 0x75, + 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, 0x18, 0x06, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x52, 0x0c, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x3d, 0x0a, 0x0f, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, + 
0x65, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, + 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x52, 0x0d, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, + 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x42, 0x0a, 0x0f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, + 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x50, 0x72, 0x6f, 0x76, 0x69, + 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x70, 0x72, 0x6f, 0x76, 0x69, + 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x67, + 0x61, 0x63, 0x79, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x06, 0x6c, 0x65, 0x67, 0x61, 0x63, + 0x79, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, - 0xdc, 0x03, 0x0a, 0x17, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, - 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, - 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, - 0x65, 0x12, 0x36, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x67, - 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, - 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x6c, 0x0a, 0x17, 0x61, 0x63, 0x74, - 0x69, 0x6f, 0x6e, 0x5f, 0x61, 0x74, 0x74, 
0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, - 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x2e, 0x41, 0x63, 0x74, 0x69, - 0x6f, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x52, 0x15, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, - 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x05, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, - 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, - 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x1a, 0xb4, 0x01, 0x0a, 0x14, 0x41, 0x63, 0x74, 0x69, - 0x6f, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x9e, 0x02, 0x0a, 0x0c, 0x53, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, - 0x12, 0x26, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, - 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x36, 0x0a, 0x0f, 0x61, 0x74, 0x74, 0x72, - 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x0d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x52, 0x0e, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 
0x20, 0x01, - 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, - 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x3e, - 0x0a, 0x16, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x45, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x6d, - 0x65, 0x6e, 0x74, 0x50, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x24, 0x0a, 0x09, 0x63, 0x6c, 0x69, 0x65, - 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xba, 0x48, 0x04, - 0x72, 0x02, 0x10, 0x01, 0x52, 0x08, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x22, 0x4a, - 0x0a, 0x0e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, - 0x12, 0x38, 0x0a, 0x03, 0x70, 0x65, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x45, 0x6e, 0x66, - 0x6f, 0x72, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x50, 0x6f, 0x69, 0x6e, 0x74, 0x42, 0x06, 0xba, - 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x03, 0x70, 0x65, 0x70, 0x22, 0xd2, 0x01, 0x0a, 0x0a, 0x4f, - 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, - 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, - 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, - 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2f, - 0x0a, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x12, - 0x10, 0x0a, 0x03, 0x66, 
0x71, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x66, 0x71, - 0x6e, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, - 0xe2, 0x01, 0x0a, 0x0f, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x02, 0x69, 0x64, 0x12, 0x32, 0x0a, 0x0a, 0x6f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0a, 0x6f, 0x62, 0x6c, - 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x35, 0x0a, - 0x08, 0x74, 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x19, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x54, 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x52, 0x08, 0x74, 0x72, 0x69, 0x67, - 0x67, 0x65, 0x72, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, - 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, - 0x64, 0x61, 0x74, 0x61, 0x22, 0xd8, 0x02, 0x0a, 0x11, 0x4f, 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x54, 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 
0x12, 0x42, 0x0a, 0x10, 0x6f, 0x62, - 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4f, 0x62, - 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0f, 0x6f, - 0x62, 0x6c, 0x69, 0x67, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x26, - 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, - 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x36, 0x0a, 0x0f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, - 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x0d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0e, - 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x30, - 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, - 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x0b, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, 0x6d, - 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, - 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, - 0x61, 0x0a, 0x06, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x61, 0x73, - 
0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x61, 0x73, 0x49, 0x64, - 0x12, 0x27, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x73, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, - 0x63, 0x4b, 0x65, 0x79, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x61, 0x73, - 0x5f, 0x75, 0x72, 0x69, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x61, 0x73, 0x55, - 0x72, 0x69, 0x22, 0x29, 0x0a, 0x0c, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, - 0x74, 0x78, 0x12, 0x19, 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, - 0x07, 0xba, 0x48, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x03, 0x70, 0x65, 0x6d, 0x22, 0x50, 0x0a, - 0x0d, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x1e, - 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, - 0xba, 0x48, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x1f, - 0x0a, 0x0b, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0a, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x22, - 0xd1, 0x03, 0x0a, 0x0d, 0x41, 0x73, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x4b, 0x65, - 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, - 0x64, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x36, 0x0a, 0x0d, 0x6b, 0x65, 0x79, 0x5f, - 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, - 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, - 0x68, 0x6d, 0x52, 0x0c, 0x6b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, - 0x12, 0x30, 0x0a, 0x0a, 0x6b, 0x65, 
0x79, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x04, - 0x20, 0x01, 0x28, 0x0e, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, - 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x09, 0x6b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, - 0x75, 0x73, 0x12, 0x2a, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x05, - 0x20, 0x01, 0x28, 0x0e, 0x32, 0x0f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, - 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x3a, - 0x0a, 0x0e, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, - 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x52, 0x0c, 0x70, 0x75, - 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x3d, 0x0a, 0x0f, 0x70, 0x72, - 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, 0x18, 0x07, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, 0x69, - 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x52, 0x0d, 0x70, 0x72, 0x69, 0x76, - 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x42, 0x0a, 0x0f, 0x70, 0x72, 0x6f, - 0x76, 0x69, 0x64, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x08, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x50, - 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x70, - 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x16, 0x0a, - 0x06, 0x6c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x06, 0x6c, - 0x65, 0x67, 0x61, 0x63, 0x79, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 
0x6d, 0x6d, 0x6f, 0x6e, - 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, - 0x61, 0x74, 0x61, 0x22, 0x9e, 0x02, 0x0a, 0x0c, 0x53, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, - 0x63, 0x4b, 0x65, 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x02, 0x69, 0x64, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x30, 0x0a, 0x0a, 0x6b, - 0x65, 0x79, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, - 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, - 0x75, 0x73, 0x52, 0x09, 0x6b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x2a, 0x0a, - 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, - 0x0f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, - 0x52, 0x07, 0x6b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x65, 0x79, - 0x5f, 0x63, 0x74, 0x78, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x6b, 0x65, 0x79, 0x43, - 0x74, 0x78, 0x12, 0x42, 0x0a, 0x0f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x5f, 0x63, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, - 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, - 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, - 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, - 0x64, 0x61, 0x74, 0x61, 0x2a, 0xb3, 0x01, 0x0a, 0x15, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, - 0x74, 0x65, 
0x52, 0x75, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x28, - 0x0a, 0x24, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, - 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, - 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f, 0x41, 0x54, 0x54, 0x52, - 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, - 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4c, 0x4c, 0x5f, 0x4f, 0x46, 0x10, 0x01, 0x12, 0x23, 0x0a, - 0x1f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, - 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4e, 0x59, 0x5f, 0x4f, 0x46, - 0x10, 0x02, 0x12, 0x26, 0x0a, 0x22, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, - 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, - 0x49, 0x45, 0x52, 0x41, 0x52, 0x43, 0x48, 0x59, 0x10, 0x03, 0x2a, 0xca, 0x01, 0x0a, 0x1a, 0x53, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x4f, 0x70, 0x65, - 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, - 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, - 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, - 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x24, 0x0a, 0x20, 0x53, 0x55, 0x42, 0x4a, - 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, - 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x28, - 0x0a, 0x24, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, - 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, - 0x4e, 0x4f, 0x54, 0x5f, 0x49, 0x4e, 0x10, 0x02, 
0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, - 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, - 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x49, 0x4e, 0x5f, 0x43, 0x4f, 0x4e, - 0x54, 0x41, 0x49, 0x4e, 0x53, 0x10, 0x03, 0x2a, 0x90, 0x01, 0x0a, 0x18, 0x43, 0x6f, 0x6e, 0x64, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x54, 0x79, 0x70, 0x65, - 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x2b, 0x0a, 0x27, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, - 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, - 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, - 0x00, 0x12, 0x23, 0x0a, 0x1f, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, - 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, - 0x5f, 0x41, 0x4e, 0x44, 0x10, 0x01, 0x12, 0x22, 0x0a, 0x1e, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, - 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, - 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x4f, 0x52, 0x10, 0x02, 0x2a, 0xb6, 0x01, 0x0a, 0x18, 0x44, - 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4f, 0x70, 0x65, 0x72, 0x61, - 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x2b, 0x0a, 0x27, 0x44, 0x59, 0x4e, 0x41, 0x4d, - 0x49, 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, + 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x30, 0x0a, 0x0a, 0x6b, 0x65, 0x79, 0x5f, 0x73, + 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x11, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x09, + 0x6b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x2a, 0x0a, 0x08, 0x6b, 
0x65, 0x79, + 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x0f, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x07, 0x6b, 0x65, + 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, + 0x18, 0x05, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x6b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x42, + 0x0a, 0x0f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, + 0x67, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x4b, 0x65, 0x79, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, + 0x69, 0x67, 0x52, 0x0e, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, + 0x69, 0x67, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x2a, 0xb3, 0x01, 0x0a, 0x15, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x75, + 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x28, 0x0a, 0x24, 0x41, 0x54, + 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, + 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, + 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, + 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, + 0x5f, 0x41, 0x4c, 0x4c, 0x5f, 0x4f, 0x46, 0x10, 0x01, 0x12, 0x23, 0x0a, 0x1f, 0x41, 0x54, 0x54, + 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, + 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4e, 0x59, 0x5f, 0x4f, 0x46, 0x10, 0x02, 0x12, 0x26, + 0x0a, 0x22, 0x41, 0x54, 
0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, + 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x49, 0x45, 0x52, 0x41, + 0x52, 0x43, 0x48, 0x59, 0x10, 0x03, 0x2a, 0xca, 0x01, 0x0a, 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, + 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, + 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, - 0x45, 0x44, 0x10, 0x00, 0x12, 0x31, 0x0a, 0x2d, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, - 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, - 0x4e, 0x55, 0x4d, 0x5f, 0x52, 0x45, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x56, 0x41, 0x4c, - 0x55, 0x45, 0x5f, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x3a, 0x0a, 0x36, 0x44, 0x59, 0x4e, 0x41, 0x4d, - 0x49, 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, - 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x52, 0x45, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, - 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x49, 0x4e, 0x5f, 0x43, 0x4f, 0x4e, 0x54, 0x41, 0x49, 0x4e, - 0x53, 0x10, 0x02, 0x2a, 0x5d, 0x0a, 0x0a, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, - 0x65, 0x12, 0x1b, 0x0a, 0x17, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, - 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x18, - 0x0a, 0x14, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x4e, - 0x54, 0x45, 0x52, 0x4e, 0x41, 0x4c, 0x10, 0x01, 0x12, 0x18, 0x0a, 0x14, 0x53, 0x4f, 0x55, 0x52, - 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x58, 0x54, 0x45, 0x52, 0x4e, 0x41, 0x4c, - 0x10, 0x02, 0x2a, 0x9b, 0x03, 0x0a, 0x13, 0x4b, 0x61, 0x73, 0x50, 
0x75, 0x62, 0x6c, 0x69, 0x63, - 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x27, 0x0a, 0x23, 0x4b, 0x41, - 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, - 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, - 0x44, 0x10, 0x00, 0x12, 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, - 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x52, - 0x53, 0x41, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x10, 0x01, 0x12, 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, - 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, - 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x10, 0x02, 0x12, + 0x45, 0x44, 0x10, 0x00, 0x12, 0x24, 0x0a, 0x20, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, + 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, + 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x28, 0x0a, 0x24, 0x53, 0x55, + 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, + 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x4e, 0x4f, 0x54, 0x5f, + 0x49, 0x4e, 0x10, 0x02, 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, + 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, + 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x49, 0x4e, 0x5f, 0x43, 0x4f, 0x4e, 0x54, 0x41, 0x49, 0x4e, + 0x53, 0x10, 0x03, 0x2a, 0x90, 0x01, 0x0a, 0x18, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x42, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, + 0x12, 0x2b, 0x0a, 0x27, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, + 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, + 0x55, 
0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, + 0x1f, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, + 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4e, 0x44, + 0x10, 0x01, 0x12, 0x22, 0x0a, 0x1e, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, + 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, + 0x4d, 0x5f, 0x4f, 0x52, 0x10, 0x02, 0x2a, 0xb6, 0x01, 0x0a, 0x18, 0x44, 0x79, 0x6e, 0x61, 0x6d, + 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, + 0x6e, 0x75, 0x6d, 0x12, 0x2b, 0x0a, 0x27, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, 0x56, + 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, + 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, + 0x12, 0x31, 0x0a, 0x2d, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55, + 0x45, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, + 0x52, 0x45, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x49, + 0x4e, 0x10, 0x01, 0x12, 0x3a, 0x0a, 0x36, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, 0x56, + 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, + 0x55, 0x4d, 0x5f, 0x52, 0x45, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x56, 0x41, 0x4c, 0x55, + 0x45, 0x5f, 0x49, 0x4e, 0x5f, 0x43, 0x4f, 0x4e, 0x54, 0x41, 0x49, 0x4e, 0x53, 0x10, 0x02, 0x2a, + 0x5d, 0x0a, 0x0a, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, + 0x17, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, + 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x18, 0x0a, 0x14, 0x53, 0x4f, + 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 
0x50, 0x45, 0x5f, 0x49, 0x4e, 0x54, 0x45, 0x52, 0x4e, + 0x41, 0x4c, 0x10, 0x01, 0x12, 0x18, 0x0a, 0x14, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, + 0x59, 0x50, 0x45, 0x5f, 0x45, 0x58, 0x54, 0x45, 0x52, 0x4e, 0x41, 0x4c, 0x10, 0x02, 0x2a, 0x9b, + 0x03, 0x0a, 0x13, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x41, + 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x27, 0x0a, 0x23, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, + 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, + 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, + 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, + 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x32, + 0x30, 0x34, 0x38, 0x10, 0x01, 0x12, 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, + 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, + 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x10, 0x02, 0x12, 0x28, 0x0a, 0x24, 0x4b, + 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, + 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35, + 0x36, 0x52, 0x31, 0x10, 0x05, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, + 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, + 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, 0x31, 0x10, 0x06, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, - 0x43, 0x50, 0x32, 0x35, 0x36, 0x52, 0x31, 0x10, 0x05, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, + 0x43, 0x50, 0x35, 0x32, 0x31, 0x52, 0x31, 0x10, 0x07, 0x12, 0x26, 0x0a, 0x22, 0x4b, 
0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, - 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, - 0x31, 0x10, 0x06, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, - 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, - 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x35, 0x32, 0x31, 0x52, 0x31, 0x10, 0x07, 0x12, 0x26, 0x0a, - 0x22, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, - 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x58, 0x57, - 0x49, 0x4e, 0x47, 0x10, 0x0a, 0x12, 0x33, 0x0a, 0x2f, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, - 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, - 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35, 0x36, 0x52, 0x31, 0x5f, - 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x37, 0x36, 0x38, 0x10, 0x0b, 0x12, 0x34, 0x0a, 0x30, 0x4b, 0x41, - 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, - 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, - 0x38, 0x34, 0x52, 0x31, 0x5f, 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x31, 0x30, 0x32, 0x34, 0x10, 0x0c, - 0x2a, 0x84, 0x02, 0x0a, 0x09, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x19, - 0x0a, 0x15, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, - 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x41, 0x4c, 0x47, - 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x10, - 0x01, 0x12, 0x16, 0x0a, 0x12, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x52, - 0x53, 0x41, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x10, 0x02, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, - 0x4f, 0x52, 0x49, 0x54, 
0x48, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x32, 0x35, 0x36, 0x10, 0x03, - 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x45, 0x43, - 0x5f, 0x50, 0x33, 0x38, 0x34, 0x10, 0x04, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, 0x4f, 0x52, - 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x35, 0x32, 0x31, 0x10, 0x05, 0x12, 0x18, - 0x0a, 0x14, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, - 0x5f, 0x58, 0x57, 0x49, 0x4e, 0x47, 0x10, 0x06, 0x12, 0x25, 0x0a, 0x21, 0x41, 0x4c, 0x47, 0x4f, - 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, - 0x35, 0x36, 0x52, 0x31, 0x5f, 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x37, 0x36, 0x38, 0x10, 0x07, 0x12, - 0x26, 0x0a, 0x22, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x48, 0x50, 0x51, - 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, 0x31, 0x5f, 0x4d, 0x4c, 0x4b, 0x45, - 0x4d, 0x31, 0x30, 0x32, 0x34, 0x10, 0x08, 0x2a, 0x56, 0x0a, 0x09, 0x4b, 0x65, 0x79, 0x53, 0x74, - 0x61, 0x74, 0x75, 0x73, 0x12, 0x1a, 0x0a, 0x16, 0x4b, 0x45, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, - 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, - 0x12, 0x15, 0x0a, 0x11, 0x4b, 0x45, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x41, - 0x43, 0x54, 0x49, 0x56, 0x45, 0x10, 0x01, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x45, 0x59, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x4f, 0x54, 0x41, 0x54, 0x45, 0x44, 0x10, 0x02, 0x2a, - 0x94, 0x01, 0x0a, 0x07, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x18, 0x0a, 0x14, 0x4b, - 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, - 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, - 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x5f, 0x52, 0x4f, 0x4f, 0x54, 0x5f, 0x4b, 0x45, - 0x59, 0x10, 0x01, 0x12, 0x1e, 0x0a, 0x1a, 0x4b, 0x45, 0x59, 
0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, - 0x50, 0x52, 0x4f, 0x56, 0x49, 0x44, 0x45, 0x52, 0x5f, 0x52, 0x4f, 0x4f, 0x54, 0x5f, 0x4b, 0x45, - 0x59, 0x10, 0x02, 0x12, 0x13, 0x0a, 0x0f, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, - 0x52, 0x45, 0x4d, 0x4f, 0x54, 0x45, 0x10, 0x03, 0x12, 0x1c, 0x0a, 0x18, 0x4b, 0x45, 0x59, 0x5f, - 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, - 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x04, 0x42, 0x82, 0x01, 0x0a, 0x0a, 0x63, 0x6f, 0x6d, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, 0x0c, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x50, 0x72, - 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, - 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, - 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xa2, 0x02, 0x03, 0x50, 0x58, 0x58, 0xaa, 0x02, 0x06, 0x50, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0xca, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xe2, 0x02, 0x12, - 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0xea, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x33, + 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x58, 0x57, 0x49, 0x4e, 0x47, 0x10, + 0x0a, 0x12, 0x33, 0x0a, 0x2f, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, + 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x50, 0x51, + 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35, 0x36, 0x52, 0x31, 0x5f, 0x4d, 0x4c, 0x4b, 0x45, + 0x4d, 0x37, 0x36, 0x38, 0x10, 0x0b, 0x12, 0x34, 0x0a, 0x30, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, + 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, + 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, 0x38, 
0x34, 0x52, 0x31, + 0x5f, 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x31, 0x30, 0x32, 0x34, 0x10, 0x0c, 0x2a, 0x84, 0x02, 0x0a, + 0x09, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x19, 0x0a, 0x15, 0x41, 0x4c, + 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, + 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, + 0x48, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x10, 0x01, 0x12, 0x16, 0x0a, + 0x12, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x34, + 0x30, 0x39, 0x36, 0x10, 0x02, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, + 0x48, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x32, 0x35, 0x36, 0x10, 0x03, 0x12, 0x15, 0x0a, 0x11, + 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x33, 0x38, + 0x34, 0x10, 0x04, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, + 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x35, 0x32, 0x31, 0x10, 0x05, 0x12, 0x18, 0x0a, 0x14, 0x41, 0x4c, + 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x58, 0x57, 0x49, + 0x4e, 0x47, 0x10, 0x06, 0x12, 0x25, 0x0a, 0x21, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, + 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35, 0x36, 0x52, 0x31, + 0x5f, 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x37, 0x36, 0x38, 0x10, 0x07, 0x12, 0x26, 0x0a, 0x22, 0x41, + 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, + 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, 0x31, 0x5f, 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x31, 0x30, 0x32, + 0x34, 0x10, 0x08, 0x2a, 0x56, 0x0a, 0x09, 0x4b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, + 0x12, 0x1a, 0x0a, 0x16, 0x4b, 0x45, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, + 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, + 0x4b, 0x45, 0x59, 
0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x56, + 0x45, 0x10, 0x01, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x45, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, + 0x53, 0x5f, 0x52, 0x4f, 0x54, 0x41, 0x54, 0x45, 0x44, 0x10, 0x02, 0x2a, 0x94, 0x01, 0x0a, 0x07, + 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x18, 0x0a, 0x14, 0x4b, 0x45, 0x59, 0x5f, 0x4d, + 0x4f, 0x44, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, + 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x43, 0x4f, + 0x4e, 0x46, 0x49, 0x47, 0x5f, 0x52, 0x4f, 0x4f, 0x54, 0x5f, 0x4b, 0x45, 0x59, 0x10, 0x01, 0x12, + 0x1e, 0x0a, 0x1a, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x50, 0x52, 0x4f, 0x56, + 0x49, 0x44, 0x45, 0x52, 0x5f, 0x52, 0x4f, 0x4f, 0x54, 0x5f, 0x4b, 0x45, 0x59, 0x10, 0x02, 0x12, + 0x13, 0x0a, 0x0f, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x52, 0x45, 0x4d, 0x4f, + 0x54, 0x45, 0x10, 0x03, 0x12, 0x1c, 0x0a, 0x18, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, + 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x4f, 0x4e, 0x4c, 0x59, + 0x10, 0x04, 0x42, 0x82, 0x01, 0x0a, 0x0a, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x42, 0x0c, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, + 0x01, 0x5a, 0x2e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, + 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0xa2, 0x02, 0x03, 0x50, 0x58, 0x58, 0xaa, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0xca, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xe2, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, + 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x62, 0x06, 
0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -4123,8 +4121,8 @@ var file_policy_objects_proto_goTypes = []interface{}{ (*Value)(nil), // 15: policy.Value (*Action)(nil), // 16: policy.Action (*SubjectMapping)(nil), // 17: policy.SubjectMapping - (*DefinitionValueResolver)(nil), // 18: policy.DefinitionValueResolver - (*DefinitionValueEntitlementMapping)(nil), // 19: policy.DefinitionValueEntitlementMapping + (*DynamicValueResolver)(nil), // 18: policy.DynamicValueResolver + (*DynamicValueMapping)(nil), // 19: policy.DynamicValueMapping (*Condition)(nil), // 20: policy.Condition (*ConditionGroup)(nil), // 21: policy.ConditionGroup (*SubjectSet)(nil), // 22: policy.SubjectSet 
@@ -4185,13 +4183,13 @@ var file_policy_objects_proto_depIdxs = []int32{ 16, // 28: policy.SubjectMapping.actions:type_name -> policy.Action 13, // 29: policy.SubjectMapping.namespace:type_name -> policy.Namespace 45, // 30: policy.SubjectMapping.metadata:type_name -> common.Metadata - 3, // 31: policy.DefinitionValueResolver.operator:type_name -> policy.DynamicValueOperatorEnum - 14, // 32: policy.DefinitionValueEntitlementMapping.attribute_definition:type_name -> policy.Attribute - 18, // 33: policy.DefinitionValueEntitlementMapping.value_resolver:type_name -> policy.DefinitionValueResolver - 23, // 34: policy.DefinitionValueEntitlementMapping.subject_condition_set:type_name -> policy.SubjectConditionSet - 16, // 35: policy.DefinitionValueEntitlementMapping.actions:type_name -> policy.Action - 13, // 36: policy.DefinitionValueEntitlementMapping.namespace:type_name -> policy.Namespace - 45, // 37: policy.DefinitionValueEntitlementMapping.metadata:type_name -> common.Metadata + 3, // 31: policy.DynamicValueResolver.operator:type_name -> policy.DynamicValueOperatorEnum + 14, // 32: policy.DynamicValueMapping.attribute_definition:type_name -> policy.Attribute + 18, // 33: policy.DynamicValueMapping.value_resolver:type_name -> policy.DynamicValueResolver + 23, // 34: policy.DynamicValueMapping.subject_condition_set:type_name -> policy.SubjectConditionSet + 16, // 35: policy.DynamicValueMapping.actions:type_name -> policy.Action + 13, // 36: policy.DynamicValueMapping.namespace:type_name -> policy.Namespace + 45, // 37: policy.DynamicValueMapping.metadata:type_name -> common.Metadata 1, // 38: policy.Condition.operator:type_name -> policy.SubjectMappingOperatorEnum 20, // 39: policy.ConditionGroup.conditions:type_name -> policy.Condition 2, // 40: policy.ConditionGroup.boolean_operator:type_name -> policy.ConditionBooleanTypeEnum 
@@ -4359,7 +4357,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*DefinitionValueResolver); i { + switch v := v.(*DynamicValueResolver); i { case 0: return &v.state case 1: @@ -4371,7 +4369,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*DefinitionValueEntitlementMapping); i { + switch v := v.(*DynamicValueMapping); i { case 0: return &v.state case 1: diff --git a/protocol/go/policy/subjectmapping/subject_mapping.pb.go b/protocol/go/policy/subjectmapping/subject_mapping.pb.go index 3d8cbeb57a..3c1bf6c2f1 100644 --- a/protocol/go/policy/subjectmapping/subject_mapping.pb.go +++ b/protocol/go/policy/subjectmapping/subject_mapping.pb.go 
@@ -121,55 +121,6 @@ func (SortSubjectConditionSetsType) EnumDescriptor() ([]byte, []int) { return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{1} } -type SortDefinitionValueEntitlementMappingsType int32 - -const ( - SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED SortDefinitionValueEntitlementMappingsType = 0 - SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT SortDefinitionValueEntitlementMappingsType = 1 - SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT SortDefinitionValueEntitlementMappingsType = 2 -) - -// Enum value maps for SortDefinitionValueEntitlementMappingsType. -var ( - SortDefinitionValueEntitlementMappingsType_name = map[int32]string{ - 0: "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED", - 1: "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT", - 2: "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT", - } - SortDefinitionValueEntitlementMappingsType_value = map[string]int32{ - "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED": 0, - "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT": 1, - "SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT": 2, - } -) - -func (x SortDefinitionValueEntitlementMappingsType) Enum() *SortDefinitionValueEntitlementMappingsType { - p := new(SortDefinitionValueEntitlementMappingsType) - *p = x - return p -} - -func (x SortDefinitionValueEntitlementMappingsType) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (SortDefinitionValueEntitlementMappingsType) Descriptor() protoreflect.EnumDescriptor { - return file_policy_subjectmapping_subject_mapping_proto_enumTypes[2].Descriptor() -} - -func (SortDefinitionValueEntitlementMappingsType) Type() protoreflect.EnumType { - return 
&file_policy_subjectmapping_subject_mapping_proto_enumTypes[2] -} - -func (x SortDefinitionValueEntitlementMappingsType) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use SortDefinitionValueEntitlementMappingsType.Descriptor instead. -func (SortDefinitionValueEntitlementMappingsType) EnumDescriptor() ([]byte, []int) { - return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{2} -} - // MatchSubjectMappingsRequest liberally returns a list of SubjectMappings based on the provided SubjectProperties. // The SubjectMappings are returned if an external selector field matches. type MatchSubjectMappingsRequest struct { 
@@ -1694,686 +1645,7 @@ func (x *DeleteAllUnmappedSubjectConditionSetsResponse) GetSubjectConditionSets( return nil } -type GetDefinitionValueEntitlementMappingRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Required - Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` -} - -func (x *GetDefinitionValueEntitlementMappingRequest) Reset() { - *x = GetDefinitionValueEntitlementMappingRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[27] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *GetDefinitionValueEntitlementMappingRequest) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*GetDefinitionValueEntitlementMappingRequest) ProtoMessage() {} - -func (x *GetDefinitionValueEntitlementMappingRequest) ProtoReflect() protoreflect.Message { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[27] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use GetDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. 
-func (*GetDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { - return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{27} -} - -func (x *GetDefinitionValueEntitlementMappingRequest) GetId() string { - if x != nil { - return x.Id - } - return "" -} - -type GetDefinitionValueEntitlementMappingResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` -} - -func (x *GetDefinitionValueEntitlementMappingResponse) Reset() { - *x = GetDefinitionValueEntitlementMappingResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[28] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *GetDefinitionValueEntitlementMappingResponse) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*GetDefinitionValueEntitlementMappingResponse) ProtoMessage() {} - -func (x *GetDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[28] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use GetDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
-func (*GetDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { - return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{28} -} - -func (x *GetDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { - if x != nil { - return x.DefinitionValueEntitlementMapping - } - return nil -} - -type DefinitionValueEntitlementMappingsSort struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Field SortDefinitionValueEntitlementMappingsType `protobuf:"varint,1,opt,name=field,proto3,enum=policy.subjectmapping.SortDefinitionValueEntitlementMappingsType" json:"field,omitempty"` - Direction policy.SortDirection `protobuf:"varint,2,opt,name=direction,proto3,enum=policy.SortDirection" json:"direction,omitempty"` -} - -func (x *DefinitionValueEntitlementMappingsSort) Reset() { - *x = DefinitionValueEntitlementMappingsSort{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[29] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *DefinitionValueEntitlementMappingsSort) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*DefinitionValueEntitlementMappingsSort) ProtoMessage() {} - -func (x *DefinitionValueEntitlementMappingsSort) ProtoReflect() protoreflect.Message { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[29] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use DefinitionValueEntitlementMappingsSort.ProtoReflect.Descriptor instead. 
-func (*DefinitionValueEntitlementMappingsSort) Descriptor() ([]byte, []int) { - return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{29} -} - -func (x *DefinitionValueEntitlementMappingsSort) GetField() SortDefinitionValueEntitlementMappingsType { - if x != nil { - return x.Field - } - return SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED -} - -func (x *DefinitionValueEntitlementMappingsSort) GetDirection() policy.SortDirection { - if x != nil { - return x.Direction - } - return policy.SortDirection(0) -} - -type ListDefinitionValueEntitlementMappingsRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Optional - // Namespace ID, or Attribute Definition ID to filter by - NamespaceId string `protobuf:"bytes,1,opt,name=namespace_id,json=namespaceId,proto3" json:"namespace_id,omitempty"` - AttributeDefinitionId string `protobuf:"bytes,2,opt,name=attribute_definition_id,json=attributeDefinitionId,proto3" json:"attribute_definition_id,omitempty"` - // Optional - Pagination *policy.PageRequest `protobuf:"bytes,10,opt,name=pagination,proto3" json:"pagination,omitempty"` - // Optional - CONSTRAINT: max 1 item - Sort []*DefinitionValueEntitlementMappingsSort `protobuf:"bytes,11,rep,name=sort,proto3" json:"sort,omitempty"` -} - -func (x *ListDefinitionValueEntitlementMappingsRequest) Reset() { - *x = ListDefinitionValueEntitlementMappingsRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[30] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ListDefinitionValueEntitlementMappingsRequest) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ListDefinitionValueEntitlementMappingsRequest) ProtoMessage() {} - -func (x *ListDefinitionValueEntitlementMappingsRequest) ProtoReflect() protoreflect.Message { 
- mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[30] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ListDefinitionValueEntitlementMappingsRequest.ProtoReflect.Descriptor instead. -func (*ListDefinitionValueEntitlementMappingsRequest) Descriptor() ([]byte, []int) { - return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{30} -} - -func (x *ListDefinitionValueEntitlementMappingsRequest) GetNamespaceId() string { - if x != nil { - return x.NamespaceId - } - return "" -} - -func (x *ListDefinitionValueEntitlementMappingsRequest) GetAttributeDefinitionId() string { - if x != nil { - return x.AttributeDefinitionId - } - return "" -} - -func (x *ListDefinitionValueEntitlementMappingsRequest) GetPagination() *policy.PageRequest { - if x != nil { - return x.Pagination - } - return nil -} - -func (x *ListDefinitionValueEntitlementMappingsRequest) GetSort() []*DefinitionValueEntitlementMappingsSort { - if x != nil { - return x.Sort - } - return nil -} - -type ListDefinitionValueEntitlementMappingsResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - DefinitionValueEntitlementMappings []*policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,rep,name=definition_value_entitlement_mappings,json=definitionValueEntitlementMappings,proto3" json:"definition_value_entitlement_mappings,omitempty"` - Pagination *policy.PageResponse `protobuf:"bytes,10,opt,name=pagination,proto3" json:"pagination,omitempty"` -} - -func (x *ListDefinitionValueEntitlementMappingsResponse) Reset() { - *x = ListDefinitionValueEntitlementMappingsResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[31] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - 
ms.StoreMessageInfo(mi) - } -} - -func (x *ListDefinitionValueEntitlementMappingsResponse) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ListDefinitionValueEntitlementMappingsResponse) ProtoMessage() {} - -func (x *ListDefinitionValueEntitlementMappingsResponse) ProtoReflect() protoreflect.Message { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[31] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ListDefinitionValueEntitlementMappingsResponse.ProtoReflect.Descriptor instead. -func (*ListDefinitionValueEntitlementMappingsResponse) Descriptor() ([]byte, []int) { - return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{31} -} - -func (x *ListDefinitionValueEntitlementMappingsResponse) GetDefinitionValueEntitlementMappings() []*policy.DefinitionValueEntitlementMapping { - if x != nil { - return x.DefinitionValueEntitlementMappings - } - return nil -} - -func (x *ListDefinitionValueEntitlementMappingsResponse) GetPagination() *policy.PageResponse { - if x != nil { - return x.Pagination - } - return nil -} - -type CreateDefinitionValueEntitlementMappingRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - AttributeDefinitionId string `protobuf:"bytes,1,opt,name=attribute_definition_id,json=attributeDefinitionId,proto3" json:"attribute_definition_id,omitempty"` - AttributeDefinitionFqn string `protobuf:"bytes,2,opt,name=attribute_definition_fqn,json=attributeDefinitionFqn,proto3" json:"attribute_definition_fqn,omitempty"` - // Required: the dynamic resolver comparing entity selector result to the resource value segment - ValueResolver *policy.DefinitionValueResolver `protobuf:"bytes,3,opt,name=value_resolver,json=valueResolver,proto3" 
json:"value_resolver,omitempty"` - // Required: actions permitted on a matched value - Actions []*policy.Action `protobuf:"bytes,4,rep,name=actions,proto3" json:"actions,omitempty"` - // Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ... - ExistingSubjectConditionSetId string `protobuf:"bytes,5,opt,name=existing_subject_condition_set_id,json=existingSubjectConditionSetId,proto3" json:"existing_subject_condition_set_id,omitempty"` - // ... or create a new one (ignored if existing_subject_condition_set_id is provided) - NewSubjectConditionSet *SubjectConditionSetCreate `protobuf:"bytes,6,opt,name=new_subject_condition_set,json=newSubjectConditionSet,proto3" json:"new_subject_condition_set,omitempty"` - // Optional: namespace ID or FQN for the mapping - NamespaceId string `protobuf:"bytes,7,opt,name=namespace_id,json=namespaceId,proto3" json:"namespace_id,omitempty"` - NamespaceFqn string `protobuf:"bytes,8,opt,name=namespace_fqn,json=namespaceFqn,proto3" json:"namespace_fqn,omitempty"` - // Optional - Metadata *common.MetadataMutable `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"` -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) Reset() { - *x = CreateDefinitionValueEntitlementMappingRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[32] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*CreateDefinitionValueEntitlementMappingRequest) ProtoMessage() {} - -func (x *CreateDefinitionValueEntitlementMappingRequest) ProtoReflect() protoreflect.Message { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[32] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - 
ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use CreateDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. -func (*CreateDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { - return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{32} -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetAttributeDefinitionId() string { - if x != nil { - return x.AttributeDefinitionId - } - return "" -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetAttributeDefinitionFqn() string { - if x != nil { - return x.AttributeDefinitionFqn - } - return "" -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetValueResolver() *policy.DefinitionValueResolver { - if x != nil { - return x.ValueResolver - } - return nil -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetActions() []*policy.Action { - if x != nil { - return x.Actions - } - return nil -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetExistingSubjectConditionSetId() string { - if x != nil { - return x.ExistingSubjectConditionSetId - } - return "" -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetNewSubjectConditionSet() *SubjectConditionSetCreate { - if x != nil { - return x.NewSubjectConditionSet - } - return nil -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetNamespaceId() string { - if x != nil { - return x.NamespaceId - } - return "" -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetNamespaceFqn() string { - if x != nil { - return x.NamespaceFqn - } - return "" -} - -func (x *CreateDefinitionValueEntitlementMappingRequest) GetMetadata() *common.MetadataMutable { - if x != nil { - return x.Metadata - } - return nil -} - -type CreateDefinitionValueEntitlementMappingResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - 
DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` -} - -func (x *CreateDefinitionValueEntitlementMappingResponse) Reset() { - *x = CreateDefinitionValueEntitlementMappingResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[33] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *CreateDefinitionValueEntitlementMappingResponse) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*CreateDefinitionValueEntitlementMappingResponse) ProtoMessage() {} - -func (x *CreateDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[33] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use CreateDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
-func (*CreateDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { - return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{33} -} - -func (x *CreateDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { - if x != nil { - return x.DefinitionValueEntitlementMapping - } - return nil -} - -type UpdateDefinitionValueEntitlementMappingRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Required - Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` - // Optional: replace the dynamic resolver - ValueResolver *policy.DefinitionValueResolver `protobuf:"bytes,2,opt,name=value_resolver,json=valueResolver,proto3" json:"value_resolver,omitempty"` - // Optional: replace the static pre-gate SubjectConditionSet by id - SubjectConditionSetId string `protobuf:"bytes,3,opt,name=subject_condition_set_id,json=subjectConditionSetId,proto3" json:"subject_condition_set_id,omitempty"` - // Optional: replace the entire list of actions - Actions []*policy.Action `protobuf:"bytes,4,rep,name=actions,proto3" json:"actions,omitempty"` - // Common metadata - Metadata *common.MetadataMutable `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"` - MetadataUpdateBehavior common.MetadataUpdateEnum `protobuf:"varint,101,opt,name=metadata_update_behavior,json=metadataUpdateBehavior,proto3,enum=common.MetadataUpdateEnum" json:"metadata_update_behavior,omitempty"` -} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) Reset() { - *x = UpdateDefinitionValueEntitlementMappingRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[34] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) String() string { - return 
protoimpl.X.MessageStringOf(x) -} - -func (*UpdateDefinitionValueEntitlementMappingRequest) ProtoMessage() {} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) ProtoReflect() protoreflect.Message { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[34] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use UpdateDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. -func (*UpdateDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { - return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{34} -} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) GetId() string { - if x != nil { - return x.Id - } - return "" -} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) GetValueResolver() *policy.DefinitionValueResolver { - if x != nil { - return x.ValueResolver - } - return nil -} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) GetSubjectConditionSetId() string { - if x != nil { - return x.SubjectConditionSetId - } - return "" -} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) GetActions() []*policy.Action { - if x != nil { - return x.Actions - } - return nil -} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) GetMetadata() *common.MetadataMutable { - if x != nil { - return x.Metadata - } - return nil -} - -func (x *UpdateDefinitionValueEntitlementMappingRequest) GetMetadataUpdateBehavior() common.MetadataUpdateEnum { - if x != nil { - return x.MetadataUpdateBehavior - } - return common.MetadataUpdateEnum(0) -} - -type UpdateDefinitionValueEntitlementMappingResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping 
`protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` -} - -func (x *UpdateDefinitionValueEntitlementMappingResponse) Reset() { - *x = UpdateDefinitionValueEntitlementMappingResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[35] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *UpdateDefinitionValueEntitlementMappingResponse) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*UpdateDefinitionValueEntitlementMappingResponse) ProtoMessage() {} - -func (x *UpdateDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[35] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use UpdateDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
-func (*UpdateDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { - return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{35} -} - -func (x *UpdateDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { - if x != nil { - return x.DefinitionValueEntitlementMapping - } - return nil -} - -type DeleteDefinitionValueEntitlementMappingRequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Required - Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` -} - -func (x *DeleteDefinitionValueEntitlementMappingRequest) Reset() { - *x = DeleteDefinitionValueEntitlementMappingRequest{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[36] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *DeleteDefinitionValueEntitlementMappingRequest) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*DeleteDefinitionValueEntitlementMappingRequest) ProtoMessage() {} - -func (x *DeleteDefinitionValueEntitlementMappingRequest) ProtoReflect() protoreflect.Message { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[36] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use DeleteDefinitionValueEntitlementMappingRequest.ProtoReflect.Descriptor instead. 
-func (*DeleteDefinitionValueEntitlementMappingRequest) Descriptor() ([]byte, []int) { - return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{36} -} - -func (x *DeleteDefinitionValueEntitlementMappingRequest) GetId() string { - if x != nil { - return x.Id - } - return "" -} - -type DeleteDefinitionValueEntitlementMappingResponse struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Only ID of the deleted mapping provided - DefinitionValueEntitlementMapping *policy.DefinitionValueEntitlementMapping `protobuf:"bytes,1,opt,name=definition_value_entitlement_mapping,json=definitionValueEntitlementMapping,proto3" json:"definition_value_entitlement_mapping,omitempty"` -} - -func (x *DeleteDefinitionValueEntitlementMappingResponse) Reset() { - *x = DeleteDefinitionValueEntitlementMappingResponse{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[37] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *DeleteDefinitionValueEntitlementMappingResponse) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*DeleteDefinitionValueEntitlementMappingResponse) ProtoMessage() {} - -func (x *DeleteDefinitionValueEntitlementMappingResponse) ProtoReflect() protoreflect.Message { - mi := &file_policy_subjectmapping_subject_mapping_proto_msgTypes[37] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use DeleteDefinitionValueEntitlementMappingResponse.ProtoReflect.Descriptor instead. 
-func (*DeleteDefinitionValueEntitlementMappingResponse) Descriptor() ([]byte, []int) { - return file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP(), []int{37} -} - -func (x *DeleteDefinitionValueEntitlementMappingResponse) GetDefinitionValueEntitlementMapping() *policy.DefinitionValueEntitlementMapping { - if x != nil { - return x.DefinitionValueEntitlementMapping - } - return nil -} - -var File_policy_subjectmapping_subject_mapping_proto protoreflect.FileDescriptor +var File_policy_subjectmapping_subject_mapping_proto protoreflect.FileDescriptor var file_policy_subjectmapping_subject_mapping_proto_rawDesc = []byte{ 0x0a, 0x2b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 
@@ -2697,477 +1969,151 @@ var file_policy_subjectmapping_subject_mapping_proto_rawDesc = []byte{ 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x14, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x22, 0x47, 0x0a, 0x2b, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, - 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x22, - 0xaa, 0x01, 0x0a, 0x2c, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, - 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x12, 0x7a, 0x0a, 0x24, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, - 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, - 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x21, 0x64, 0x65, 0x66, 0x69, 0x6e, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, - 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0xca, 0x01, 0x0a, - 0x26, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 
0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x12, 0x61, 0x0a, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x41, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, - 0x6f, 0x72, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, - 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x73, 0x54, 0x79, 0x70, 0x65, 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, - 0x02, 0x10, 0x01, 0x52, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x12, 0x3d, 0x0a, 0x09, 0x64, 0x69, - 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x69, 0x72, 0x65, 0x63, - 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x09, - 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x8a, 0x05, 0x0a, 0x2d, 0x4c, 0x69, - 0x73, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, - 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0xd7, 0x01, 0x0a, 0x0c, - 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, - 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, - 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, - 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 
0x20, 0x76, 0x61, - 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, - 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, - 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, - 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, - 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, - 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, - 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, - 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, - 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, 0xec, 0x01, 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, - 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, - 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, - 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, - 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, - 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, - 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, - 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, - 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, - 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, - 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, - 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, - 0x39, 0x61, 0x2d, 
0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, - 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x61, - 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x33, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x50, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x0a, 0x70, - 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x5b, 0x0a, 0x04, 0x73, 0x6f, 0x72, - 0x74, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, - 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, - 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x10, 0x01, - 0x52, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x22, 0xe4, 0x01, 0x0a, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, - 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, - 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x7c, 0x0a, 0x25, 0x64, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, - 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, - 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 
0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x52, 0x22, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x34, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, - 0x65, 0x52, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xda, 0x0a, - 0x0a, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, - 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x12, 0xec, 0x01, 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, - 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, - 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, - 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, - 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, - 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, - 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, - 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, - 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, - 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 
0x66, - 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, - 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, - 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, - 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, - 0x44, 0x0a, 0x18, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x00, 0x88, 0x01, 0x01, 0x52, 0x16, 0x61, - 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x46, 0x71, 0x6e, 0x12, 0x4e, 0x0a, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x72, - 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x42, 0x06, - 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, - 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, 0xb8, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x8d, 0x01, 0xba, 0x48, 0x89, 0x01, 0xba, 0x01, - 0x80, 0x01, 0x0a, 0x1b, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x5f, - 0x6f, 0x72, 0x5f, 0x69, 0x64, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x12, - 0x2f, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, 0x20, - 0x49, 0x44, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x65, - 0x6d, 0x70, 0x74, 0x79, 0x20, 
0x69, 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x64, - 0x1a, 0x30, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, 0x6c, 0x6c, 0x28, 0x69, 0x74, 0x65, 0x6d, 0x2c, - 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, - 0x20, 0x7c, 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x69, 0x64, 0x20, 0x21, 0x3d, 0x20, 0x27, - 0x27, 0x29, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, - 0x12, 0xfe, 0x01, 0x0a, 0x21, 0x65, 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x73, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, - 0x73, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, - 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, - 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, - 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, - 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, - 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, - 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, - 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, - 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, - 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, - 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, - 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, - 0x27, 0x29, 0x52, 0x1d, 0x65, 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x53, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 
0x6e, 0x53, 0x65, 0x74, 0x49, - 0x64, 0x12, 0x6b, 0x0a, 0x19, 0x6e, 0x65, 0x77, 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x06, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x75, 0x62, + 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x2a, 0x9b, 0x01, 0x0a, 0x17, 0x53, 0x6f, 0x72, 0x74, 0x53, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x54, 0x79, + 0x70, 0x65, 0x12, 0x2a, 0x0a, 0x26, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, + 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, + 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x29, + 0x0a, 0x25, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, + 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, + 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x01, 0x12, 0x29, 0x0a, 0x25, 0x53, 0x4f, 0x52, + 0x54, 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, + 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x44, 0x5f, + 0x41, 0x54, 0x10, 0x02, 0x2a, 0xb2, 0x01, 0x0a, 0x1c, 0x53, 0x6f, 0x72, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, - 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x52, 0x16, 0x6e, 0x65, 0x77, 0x53, 0x75, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0xd7, - 0x01, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, - 0x07, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, - 0x0a, 
0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, - 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, - 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, - 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, - 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, - 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, - 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, - 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, - 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, - 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, - 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x0b, 0x6e, 0x61, 0x6d, - 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, 0x2f, 0x0a, 0x0d, 0x6e, 0x61, 0x6d, 0x65, - 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x42, - 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x00, 0x88, 0x01, 0x01, 0x52, 0x0c, 0x6e, 0x61, 0x6d, - 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x46, 0x71, 0x6e, 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63, 0x6f, - 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75, 0x74, - 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x3a, 0x3a, - 0xba, 0x48, 0x37, 0x22, 0x35, 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, - 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x0a, 0x18, - 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 
0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, - 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x66, 0x71, 0x6e, 0x10, 0x01, 0x22, 0xad, 0x01, 0x0a, 0x2f, 0x43, - 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x7a, - 0x0a, 0x24, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, - 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x6d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, - 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x21, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, - 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0xd7, 0x05, 0x0a, 0x2e, 0x55, - 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, - 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, - 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x12, 0x46, 0x0a, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x1f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 
0x76, 0x65, 0x72, - 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, - 0xed, 0x01, 0x0a, 0x18, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, - 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, - 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, - 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, - 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, - 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, - 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, - 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, - 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, - 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, - 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, - 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x49, 0x64, 0x12, - 0xc7, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, - 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 0x42, 0x9c, 0x01, 0xba, 0x48, 0x98, 0x01, 0xba, 0x01, 0x94, 0x01, 0x0a, 0x1b, 0x61, 0x63, - 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x6f, 0x72, 0x5f, 0x69, 0x64, 0x5f, - 0x6e, 0x6f, 0x74, 
0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x2f, 0x41, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, 0x20, 0x49, 0x44, 0x20, 0x6d, 0x75, 0x73, - 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x20, 0x69, - 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x64, 0x1a, 0x44, 0x74, 0x68, 0x69, 0x73, - 0x2e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, - 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, 0x6c, 0x6c, 0x28, 0x69, 0x74, 0x65, 0x6d, 0x2c, 0x20, 0x69, - 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x20, 0x7c, - 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x69, 0x64, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x29, - 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63, 0x6f, - 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75, 0x74, - 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x54, - 0x0a, 0x18, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x75, 0x70, 0x64, 0x61, 0x74, - 0x65, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x18, 0x65, 0x20, 0x01, 0x28, 0x0e, - 0x32, 0x1a, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x52, 0x16, 0x6d, 0x65, - 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x42, 0x65, 0x68, 0x61, - 0x76, 0x69, 0x6f, 0x72, 0x22, 0xad, 0x01, 0x0a, 0x2f, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, - 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, - 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 
0x7a, 0x0a, 0x24, 0x64, 0x65, 0x66, 0x69, - 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, - 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, - 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x52, 0x21, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, - 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x22, 0x4a, 0x0a, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, - 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, - 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, - 0x22, 0xad, 0x01, 0x0a, 0x2f, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, - 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, - 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x7a, 0x0a, 0x24, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, - 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x65, 0x66, 0x69, - 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 
0x74, - 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x21, 0x64, - 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, - 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x2a, 0x9b, 0x01, 0x0a, 0x17, 0x53, 0x6f, 0x72, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x2a, 0x0a, 0x26, - 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, - 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, - 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x29, 0x0a, 0x25, 0x53, 0x4f, 0x52, 0x54, - 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, - 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, - 0x54, 0x10, 0x01, 0x12, 0x29, 0x0a, 0x25, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x53, 0x55, 0x42, 0x4a, - 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, - 0x45, 0x5f, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x02, 0x2a, 0xb2, - 0x01, 0x0a, 0x1c, 0x53, 0x6f, 0x72, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, - 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, - 0x30, 0x0a, 0x2c, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, - 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x45, 0x54, 0x53, 0x5f, 0x54, - 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, - 0x00, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, - 0x54, 0x5f, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x45, 0x54, 0x53, - 0x5f, 0x54, 0x59, 0x50, 0x45, 
0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, - 0x10, 0x01, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, - 0x43, 0x54, 0x5f, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x45, 0x54, - 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, - 0x54, 0x10, 0x02, 0x2a, 0xed, 0x01, 0x0a, 0x2a, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x65, 0x66, 0x69, - 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, - 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x54, 0x79, - 0x70, 0x65, 0x12, 0x3f, 0x0a, 0x3b, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x44, 0x45, 0x46, 0x49, 0x4e, - 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x45, 0x4e, 0x54, 0x49, - 0x54, 0x4c, 0x45, 0x4d, 0x45, 0x4e, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, - 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, - 0x44, 0x10, 0x00, 0x12, 0x3e, 0x0a, 0x3a, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x44, 0x45, 0x46, 0x49, - 0x4e, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x45, 0x4e, 0x54, - 0x49, 0x54, 0x4c, 0x45, 0x4d, 0x45, 0x4e, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, - 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, - 0x54, 0x10, 0x01, 0x12, 0x3e, 0x0a, 0x3a, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x44, 0x45, 0x46, 0x49, - 0x4e, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x45, 0x4e, 0x54, - 0x49, 0x54, 0x4c, 0x45, 0x4d, 0x45, 0x4e, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, - 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, - 0x54, 0x10, 0x02, 0x32, 0xe3, 0x14, 0x0a, 0x15, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x53, 0x65, 0x72, 0x76, 0x69, 
0x63, 0x65, 0x12, 0x81, 0x01, - 0x0a, 0x14, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, - 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x32, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4d, - 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x33, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x2e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, - 0x00, 0x12, 0x81, 0x01, 0x0a, 0x13, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x32, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x7b, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x2f, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, - 0x70, 
0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, - 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, - 0x02, 0x01, 0x12, 0x81, 0x01, 0x0a, 0x14, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x32, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x33, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, - 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x81, 0x01, 0x0a, 0x14, 0x55, 0x70, 0x64, 0x61, 0x74, - 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, - 0x32, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x1a, 0x33, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, - 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 
0x65, 0x22, 0x00, 0x12, 0x81, 0x01, 0x0a, 0x14, 0x44, - 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x12, 0x32, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, - 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x33, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, - 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x90, - 0x01, 0x0a, 0x18, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, - 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x12, 0x36, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, - 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x1a, 0x37, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, - 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, - 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, - 0x01, 0x12, 0x8a, 0x01, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x34, 0x2e, 0x70, + 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x30, 0x0a, 0x2c, 0x53, 0x4f, 0x52, 0x54, 
0x5f, 0x53, 0x55, + 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, + 0x53, 0x45, 0x54, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, + 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52, 0x54, 0x5f, + 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, + 0x4e, 0x5f, 0x53, 0x45, 0x54, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, + 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x01, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52, 0x54, + 0x5f, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, + 0x4f, 0x4e, 0x5f, 0x53, 0x45, 0x54, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x50, 0x44, + 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x02, 0x32, 0xb8, 0x0d, 0x0a, 0x15, 0x53, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x53, 0x65, 0x72, 0x76, + 0x69, 0x63, 0x65, 0x12, 0x81, 0x01, 0x0a, 0x14, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x32, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, - 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, - 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x90, - 0x01, 0x0a, 0x19, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x43, 0x6f, 0x6e, 
0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x37, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x38, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, + 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x1a, 0x33, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x53, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x81, 0x01, 0x0a, 0x13, 0x4c, 0x69, 0x73, 0x74, + 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, + 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x32, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x7b, 0x0a, 0x11, 0x47, + 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x12, 0x2f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 
0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x81, 0x01, 0x0a, 0x14, 0x43, 0x72, 0x65, + 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x12, 0x32, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, + 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x33, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, - 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, - 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, - 0x00, 0x12, 0x90, 0x01, 0x0a, 0x19, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, - 0x37, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, + 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x81, 0x01, 0x0a, 
+ 0x14, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x32, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, + 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x33, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, + 0x12, 0x81, 0x01, 0x0a, 0x14, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x32, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x33, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x22, 0x00, 0x12, 0x90, 0x01, 0x0a, 0x18, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, + 0x73, 0x12, 0x36, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 
0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, - 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x38, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x37, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, + 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x8a, 0x01, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x53, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, + 0x65, 0x74, 0x12, 0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, + 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, - 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x22, 0x00, 0x12, 0x90, 0x01, 0x0a, 0x19, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, + 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, + 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, + 0x03, 0x90, 0x02, 0x01, 0x12, 0x90, 0x01, 0x0a, 0x19, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x37, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 
0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, + 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x38, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0xb4, 0x01, 0x0a, 0x25, 0x44, 0x65, 0x6c, 0x65, - 0x74, 0x65, 0x41, 0x6c, 0x6c, 0x55, 0x6e, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x53, 0x75, 0x62, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x90, 0x01, 0x0a, 0x19, 0x55, 0x70, 0x64, 0x61, + 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x37, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, + 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, + 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x38, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, - 0x73, 0x12, 0x43, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, + 0x52, 0x65, 0x73, 0x70, 0x6f, 
0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x90, 0x01, 0x0a, 0x19, 0x44, + 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x37, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, + 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x38, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, - 0x41, 0x6c, 0x6c, 0x55, 0x6e, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x53, 0x75, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x44, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, - 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x6c, 0x6c, 0x55, 0x6e, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, - 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0xba, - 0x01, 0x0a, 0x26, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, - 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x44, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, - 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 
0x6d, 0x65, 0x6e, 0x74, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x45, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x65, 0x66, 0x69, - 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, - 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0xb4, 0x01, 0x0a, 0x24, - 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, - 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x12, 0x42, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, - 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, - 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x43, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x2e, 0x47, 0x65, 0x74, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, - 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, - 0x02, 0x01, 0x12, 0xba, 0x01, 0x0a, 0x27, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, - 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x45, - 0x2e, 0x70, 
0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, - 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x46, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, - 0x65, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, - 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, - 0xba, 0x01, 0x0a, 0x27, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, - 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, - 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x45, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, - 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, - 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x46, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, - 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 
0x73, 0x65, 0x22, 0x00, 0x12, 0xba, 0x01, 0x0a, - 0x27, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, - 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x45, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, - 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x46, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x65, - 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x6e, 0x74, - 0x69, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, - 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0xe4, 0x01, 0x0a, 0x19, 0x63, 0x6f, - 0x6d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x42, 0x13, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3d, - 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, - 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xa2, 0x02, 0x03, - 0x50, 0x53, 0x58, 0xaa, 0x02, 0x15, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 
0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xca, 0x02, 0x15, 0x50, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0xe2, 0x02, 0x21, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x53, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5c, 0x47, 0x50, 0x42, 0x4d, - 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x16, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x3a, 0x3a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x53, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0xb4, 0x01, + 0x0a, 0x25, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x6c, 0x6c, 0x55, 0x6e, 0x6d, 0x61, 0x70, + 0x70, 0x65, 0x64, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x12, 0x43, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, + 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x6c, 0x6c, 0x55, 0x6e, 0x6d, 0x61, 0x70, 0x70, 0x65, + 0x64, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x44, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x6c, 0x6c, 0x55, 0x6e, + 0x6d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, + 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x22, 0x00, 0x42, 0xe4, 0x01, 0x0a, 0x19, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 
0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x42, 0x13, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3d, 0x67, 0x69, 0x74, 0x68, 0x75, + 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, + 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, + 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xa2, 0x02, 0x03, 0x50, 0x53, 0x58, 0xaa, 0x02, + 0x15, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xca, 0x02, 0x15, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, + 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xe2, 0x02, + 0x21, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x6d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0xea, 0x02, 0x16, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x53, 0x75, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, } var ( 
@@ -3182,157 +2128,115 @@ func file_policy_subjectmapping_subject_mapping_proto_rawDescGZIP() []byte { return file_policy_subjectmapping_subject_mapping_proto_rawDescData } -var file_policy_subjectmapping_subject_mapping_proto_enumTypes = make([]protoimpl.EnumInfo, 3) -var file_policy_subjectmapping_subject_mapping_proto_msgTypes = make([]protoimpl.MessageInfo, 38) +var file_policy_subjectmapping_subject_mapping_proto_enumTypes = make([]protoimpl.EnumInfo, 2) +var file_policy_subjectmapping_subject_mapping_proto_msgTypes = make([]protoimpl.MessageInfo, 27) var file_policy_subjectmapping_subject_mapping_proto_goTypes = []interface{}{ - (SortSubjectMappingsType)(0), // 0: policy.subjectmapping.SortSubjectMappingsType - (SortSubjectConditionSetsType)(0), // 1: policy.subjectmapping.SortSubjectConditionSetsType - (SortDefinitionValueEntitlementMappingsType)(0), // 2: policy.subjectmapping.SortDefinitionValueEntitlementMappingsType - (*MatchSubjectMappingsRequest)(nil), // 3: policy.subjectmapping.MatchSubjectMappingsRequest - (*MatchSubjectMappingsResponse)(nil), // 4: policy.subjectmapping.MatchSubjectMappingsResponse - (*GetSubjectMappingRequest)(nil), // 5: policy.subjectmapping.GetSubjectMappingRequest - (*GetSubjectMappingResponse)(nil), // 6: policy.subjectmapping.GetSubjectMappingResponse - (*SubjectMappingsSort)(nil), // 7: policy.subjectmapping.SubjectMappingsSort - (*ListSubjectMappingsRequest)(nil), // 8: policy.subjectmapping.ListSubjectMappingsRequest - (*ListSubjectMappingsResponse)(nil), // 9: policy.subjectmapping.ListSubjectMappingsResponse - (*CreateSubjectMappingRequest)(nil), // 10: policy.subjectmapping.CreateSubjectMappingRequest - (*CreateSubjectMappingResponse)(nil), // 11: policy.subjectmapping.CreateSubjectMappingResponse - (*UpdateSubjectMappingRequest)(nil), // 12: policy.subjectmapping.UpdateSubjectMappingRequest - (*UpdateSubjectMappingResponse)(nil), // 13: policy.subjectmapping.UpdateSubjectMappingResponse - 
(*DeleteSubjectMappingRequest)(nil), // 14: policy.subjectmapping.DeleteSubjectMappingRequest - (*DeleteSubjectMappingResponse)(nil), // 15: policy.subjectmapping.DeleteSubjectMappingResponse - (*GetSubjectConditionSetRequest)(nil), // 16: policy.subjectmapping.GetSubjectConditionSetRequest - (*GetSubjectConditionSetResponse)(nil), // 17: policy.subjectmapping.GetSubjectConditionSetResponse - (*SubjectConditionSetsSort)(nil), // 18: policy.subjectmapping.SubjectConditionSetsSort - (*ListSubjectConditionSetsRequest)(nil), // 19: policy.subjectmapping.ListSubjectConditionSetsRequest - (*ListSubjectConditionSetsResponse)(nil), // 20: policy.subjectmapping.ListSubjectConditionSetsResponse - (*SubjectConditionSetCreate)(nil), // 21: policy.subjectmapping.SubjectConditionSetCreate - (*CreateSubjectConditionSetRequest)(nil), // 22: policy.subjectmapping.CreateSubjectConditionSetRequest - (*CreateSubjectConditionSetResponse)(nil), // 23: policy.subjectmapping.CreateSubjectConditionSetResponse - (*UpdateSubjectConditionSetRequest)(nil), // 24: policy.subjectmapping.UpdateSubjectConditionSetRequest - (*UpdateSubjectConditionSetResponse)(nil), // 25: policy.subjectmapping.UpdateSubjectConditionSetResponse - (*DeleteSubjectConditionSetRequest)(nil), // 26: policy.subjectmapping.DeleteSubjectConditionSetRequest - (*DeleteSubjectConditionSetResponse)(nil), // 27: policy.subjectmapping.DeleteSubjectConditionSetResponse - (*DeleteAllUnmappedSubjectConditionSetsRequest)(nil), // 28: policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest - (*DeleteAllUnmappedSubjectConditionSetsResponse)(nil), // 29: policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse - (*GetDefinitionValueEntitlementMappingRequest)(nil), // 30: policy.subjectmapping.GetDefinitionValueEntitlementMappingRequest - (*GetDefinitionValueEntitlementMappingResponse)(nil), // 31: policy.subjectmapping.GetDefinitionValueEntitlementMappingResponse - (*DefinitionValueEntitlementMappingsSort)(nil), 
// 32: policy.subjectmapping.DefinitionValueEntitlementMappingsSort - (*ListDefinitionValueEntitlementMappingsRequest)(nil), // 33: policy.subjectmapping.ListDefinitionValueEntitlementMappingsRequest - (*ListDefinitionValueEntitlementMappingsResponse)(nil), // 34: policy.subjectmapping.ListDefinitionValueEntitlementMappingsResponse - (*CreateDefinitionValueEntitlementMappingRequest)(nil), // 35: policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest - (*CreateDefinitionValueEntitlementMappingResponse)(nil), // 36: policy.subjectmapping.CreateDefinitionValueEntitlementMappingResponse - (*UpdateDefinitionValueEntitlementMappingRequest)(nil), // 37: policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest - (*UpdateDefinitionValueEntitlementMappingResponse)(nil), // 38: policy.subjectmapping.UpdateDefinitionValueEntitlementMappingResponse - (*DeleteDefinitionValueEntitlementMappingRequest)(nil), // 39: policy.subjectmapping.DeleteDefinitionValueEntitlementMappingRequest - (*DeleteDefinitionValueEntitlementMappingResponse)(nil), // 40: policy.subjectmapping.DeleteDefinitionValueEntitlementMappingResponse - (*policy.SubjectProperty)(nil), // 41: policy.SubjectProperty - (*policy.SubjectMapping)(nil), // 42: policy.SubjectMapping - (policy.SortDirection)(0), // 43: policy.SortDirection - (*policy.PageRequest)(nil), // 44: policy.PageRequest - (*policy.PageResponse)(nil), // 45: policy.PageResponse - (*policy.Action)(nil), // 46: policy.Action - (*common.MetadataMutable)(nil), // 47: common.MetadataMutable - (common.MetadataUpdateEnum)(0), // 48: common.MetadataUpdateEnum - (*policy.SubjectConditionSet)(nil), // 49: policy.SubjectConditionSet - (*policy.SubjectSet)(nil), // 50: policy.SubjectSet - (*policy.DefinitionValueEntitlementMapping)(nil), // 51: policy.DefinitionValueEntitlementMapping - (*policy.DefinitionValueResolver)(nil), // 52: policy.DefinitionValueResolver + (SortSubjectMappingsType)(0), // 0: 
policy.subjectmapping.SortSubjectMappingsType + (SortSubjectConditionSetsType)(0), // 1: policy.subjectmapping.SortSubjectConditionSetsType + (*MatchSubjectMappingsRequest)(nil), // 2: policy.subjectmapping.MatchSubjectMappingsRequest + (*MatchSubjectMappingsResponse)(nil), // 3: policy.subjectmapping.MatchSubjectMappingsResponse + (*GetSubjectMappingRequest)(nil), // 4: policy.subjectmapping.GetSubjectMappingRequest + (*GetSubjectMappingResponse)(nil), // 5: policy.subjectmapping.GetSubjectMappingResponse + (*SubjectMappingsSort)(nil), // 6: policy.subjectmapping.SubjectMappingsSort + (*ListSubjectMappingsRequest)(nil), // 7: policy.subjectmapping.ListSubjectMappingsRequest + (*ListSubjectMappingsResponse)(nil), // 8: policy.subjectmapping.ListSubjectMappingsResponse + (*CreateSubjectMappingRequest)(nil), // 9: policy.subjectmapping.CreateSubjectMappingRequest + (*CreateSubjectMappingResponse)(nil), // 10: policy.subjectmapping.CreateSubjectMappingResponse + (*UpdateSubjectMappingRequest)(nil), // 11: policy.subjectmapping.UpdateSubjectMappingRequest + (*UpdateSubjectMappingResponse)(nil), // 12: policy.subjectmapping.UpdateSubjectMappingResponse + (*DeleteSubjectMappingRequest)(nil), // 13: policy.subjectmapping.DeleteSubjectMappingRequest + (*DeleteSubjectMappingResponse)(nil), // 14: policy.subjectmapping.DeleteSubjectMappingResponse + (*GetSubjectConditionSetRequest)(nil), // 15: policy.subjectmapping.GetSubjectConditionSetRequest + (*GetSubjectConditionSetResponse)(nil), // 16: policy.subjectmapping.GetSubjectConditionSetResponse + (*SubjectConditionSetsSort)(nil), // 17: policy.subjectmapping.SubjectConditionSetsSort + (*ListSubjectConditionSetsRequest)(nil), // 18: policy.subjectmapping.ListSubjectConditionSetsRequest + (*ListSubjectConditionSetsResponse)(nil), // 19: policy.subjectmapping.ListSubjectConditionSetsResponse + (*SubjectConditionSetCreate)(nil), // 20: policy.subjectmapping.SubjectConditionSetCreate + (*CreateSubjectConditionSetRequest)(nil), 
// 21: policy.subjectmapping.CreateSubjectConditionSetRequest + (*CreateSubjectConditionSetResponse)(nil), // 22: policy.subjectmapping.CreateSubjectConditionSetResponse + (*UpdateSubjectConditionSetRequest)(nil), // 23: policy.subjectmapping.UpdateSubjectConditionSetRequest + (*UpdateSubjectConditionSetResponse)(nil), // 24: policy.subjectmapping.UpdateSubjectConditionSetResponse + (*DeleteSubjectConditionSetRequest)(nil), // 25: policy.subjectmapping.DeleteSubjectConditionSetRequest + (*DeleteSubjectConditionSetResponse)(nil), // 26: policy.subjectmapping.DeleteSubjectConditionSetResponse + (*DeleteAllUnmappedSubjectConditionSetsRequest)(nil), // 27: policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest + (*DeleteAllUnmappedSubjectConditionSetsResponse)(nil), // 28: policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse + (*policy.SubjectProperty)(nil), // 29: policy.SubjectProperty + (*policy.SubjectMapping)(nil), // 30: policy.SubjectMapping + (policy.SortDirection)(0), // 31: policy.SortDirection + (*policy.PageRequest)(nil), // 32: policy.PageRequest + (*policy.PageResponse)(nil), // 33: policy.PageResponse + (*policy.Action)(nil), // 34: policy.Action + (*common.MetadataMutable)(nil), // 35: common.MetadataMutable + (common.MetadataUpdateEnum)(0), // 36: common.MetadataUpdateEnum + (*policy.SubjectConditionSet)(nil), // 37: policy.SubjectConditionSet + (*policy.SubjectSet)(nil), // 38: policy.SubjectSet } var file_policy_subjectmapping_subject_mapping_proto_depIdxs = []int32{ - 41, // 0: policy.subjectmapping.MatchSubjectMappingsRequest.subject_properties:type_name -> policy.SubjectProperty - 42, // 1: policy.subjectmapping.MatchSubjectMappingsResponse.subject_mappings:type_name -> policy.SubjectMapping - 42, // 2: policy.subjectmapping.GetSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping + 29, // 0: policy.subjectmapping.MatchSubjectMappingsRequest.subject_properties:type_name -> policy.SubjectProperty + 30, 
// 1: policy.subjectmapping.MatchSubjectMappingsResponse.subject_mappings:type_name -> policy.SubjectMapping + 30, // 2: policy.subjectmapping.GetSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping 0, // 3: policy.subjectmapping.SubjectMappingsSort.field:type_name -> policy.subjectmapping.SortSubjectMappingsType - 43, // 4: policy.subjectmapping.SubjectMappingsSort.direction:type_name -> policy.SortDirection - 44, // 5: policy.subjectmapping.ListSubjectMappingsRequest.pagination:type_name -> policy.PageRequest - 7, // 6: policy.subjectmapping.ListSubjectMappingsRequest.sort:type_name -> policy.subjectmapping.SubjectMappingsSort - 42, // 7: policy.subjectmapping.ListSubjectMappingsResponse.subject_mappings:type_name -> policy.SubjectMapping - 45, // 8: policy.subjectmapping.ListSubjectMappingsResponse.pagination:type_name -> policy.PageResponse - 46, // 9: policy.subjectmapping.CreateSubjectMappingRequest.actions:type_name -> policy.Action - 21, // 10: policy.subjectmapping.CreateSubjectMappingRequest.new_subject_condition_set:type_name -> policy.subjectmapping.SubjectConditionSetCreate - 47, // 11: policy.subjectmapping.CreateSubjectMappingRequest.metadata:type_name -> common.MetadataMutable - 42, // 12: policy.subjectmapping.CreateSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping - 46, // 13: policy.subjectmapping.UpdateSubjectMappingRequest.actions:type_name -> policy.Action - 47, // 14: policy.subjectmapping.UpdateSubjectMappingRequest.metadata:type_name -> common.MetadataMutable - 48, // 15: policy.subjectmapping.UpdateSubjectMappingRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 42, // 16: policy.subjectmapping.UpdateSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping - 42, // 17: policy.subjectmapping.DeleteSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping - 49, // 18: 
policy.subjectmapping.GetSubjectConditionSetResponse.subject_condition_set:type_name -> policy.SubjectConditionSet - 42, // 19: policy.subjectmapping.GetSubjectConditionSetResponse.associated_subject_mappings:type_name -> policy.SubjectMapping + 31, // 4: policy.subjectmapping.SubjectMappingsSort.direction:type_name -> policy.SortDirection + 32, // 5: policy.subjectmapping.ListSubjectMappingsRequest.pagination:type_name -> policy.PageRequest + 6, // 6: policy.subjectmapping.ListSubjectMappingsRequest.sort:type_name -> policy.subjectmapping.SubjectMappingsSort + 30, // 7: policy.subjectmapping.ListSubjectMappingsResponse.subject_mappings:type_name -> policy.SubjectMapping + 33, // 8: policy.subjectmapping.ListSubjectMappingsResponse.pagination:type_name -> policy.PageResponse + 34, // 9: policy.subjectmapping.CreateSubjectMappingRequest.actions:type_name -> policy.Action + 20, // 10: policy.subjectmapping.CreateSubjectMappingRequest.new_subject_condition_set:type_name -> policy.subjectmapping.SubjectConditionSetCreate + 35, // 11: policy.subjectmapping.CreateSubjectMappingRequest.metadata:type_name -> common.MetadataMutable + 30, // 12: policy.subjectmapping.CreateSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping + 34, // 13: policy.subjectmapping.UpdateSubjectMappingRequest.actions:type_name -> policy.Action + 35, // 14: policy.subjectmapping.UpdateSubjectMappingRequest.metadata:type_name -> common.MetadataMutable + 36, // 15: policy.subjectmapping.UpdateSubjectMappingRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 30, // 16: policy.subjectmapping.UpdateSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping + 30, // 17: policy.subjectmapping.DeleteSubjectMappingResponse.subject_mapping:type_name -> policy.SubjectMapping + 37, // 18: policy.subjectmapping.GetSubjectConditionSetResponse.subject_condition_set:type_name -> policy.SubjectConditionSet + 30, // 19: 
policy.subjectmapping.GetSubjectConditionSetResponse.associated_subject_mappings:type_name -> policy.SubjectMapping 1, // 20: policy.subjectmapping.SubjectConditionSetsSort.field:type_name -> policy.subjectmapping.SortSubjectConditionSetsType - 43, // 21: policy.subjectmapping.SubjectConditionSetsSort.direction:type_name -> policy.SortDirection - 44, // 22: policy.subjectmapping.ListSubjectConditionSetsRequest.pagination:type_name -> policy.PageRequest - 18, // 23: policy.subjectmapping.ListSubjectConditionSetsRequest.sort:type_name -> policy.subjectmapping.SubjectConditionSetsSort - 49, // 24: policy.subjectmapping.ListSubjectConditionSetsResponse.subject_condition_sets:type_name -> policy.SubjectConditionSet - 45, // 25: policy.subjectmapping.ListSubjectConditionSetsResponse.pagination:type_name -> policy.PageResponse - 50, // 26: policy.subjectmapping.SubjectConditionSetCreate.subject_sets:type_name -> policy.SubjectSet - 47, // 27: policy.subjectmapping.SubjectConditionSetCreate.metadata:type_name -> common.MetadataMutable - 21, // 28: policy.subjectmapping.CreateSubjectConditionSetRequest.subject_condition_set:type_name -> policy.subjectmapping.SubjectConditionSetCreate - 49, // 29: policy.subjectmapping.CreateSubjectConditionSetResponse.subject_condition_set:type_name -> policy.SubjectConditionSet - 50, // 30: policy.subjectmapping.UpdateSubjectConditionSetRequest.subject_sets:type_name -> policy.SubjectSet - 47, // 31: policy.subjectmapping.UpdateSubjectConditionSetRequest.metadata:type_name -> common.MetadataMutable - 48, // 32: policy.subjectmapping.UpdateSubjectConditionSetRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 49, // 33: policy.subjectmapping.UpdateSubjectConditionSetResponse.subject_condition_set:type_name -> policy.SubjectConditionSet - 49, // 34: policy.subjectmapping.DeleteSubjectConditionSetResponse.subject_condition_set:type_name -> policy.SubjectConditionSet - 49, // 35: 
policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse.subject_condition_sets:type_name -> policy.SubjectConditionSet - 51, // 36: policy.subjectmapping.GetDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> policy.DefinitionValueEntitlementMapping - 2, // 37: policy.subjectmapping.DefinitionValueEntitlementMappingsSort.field:type_name -> policy.subjectmapping.SortDefinitionValueEntitlementMappingsType - 43, // 38: policy.subjectmapping.DefinitionValueEntitlementMappingsSort.direction:type_name -> policy.SortDirection - 44, // 39: policy.subjectmapping.ListDefinitionValueEntitlementMappingsRequest.pagination:type_name -> policy.PageRequest - 32, // 40: policy.subjectmapping.ListDefinitionValueEntitlementMappingsRequest.sort:type_name -> policy.subjectmapping.DefinitionValueEntitlementMappingsSort - 51, // 41: policy.subjectmapping.ListDefinitionValueEntitlementMappingsResponse.definition_value_entitlement_mappings:type_name -> policy.DefinitionValueEntitlementMapping - 45, // 42: policy.subjectmapping.ListDefinitionValueEntitlementMappingsResponse.pagination:type_name -> policy.PageResponse - 52, // 43: policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest.value_resolver:type_name -> policy.DefinitionValueResolver - 46, // 44: policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest.actions:type_name -> policy.Action - 21, // 45: policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest.new_subject_condition_set:type_name -> policy.subjectmapping.SubjectConditionSetCreate - 47, // 46: policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest.metadata:type_name -> common.MetadataMutable - 51, // 47: policy.subjectmapping.CreateDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> policy.DefinitionValueEntitlementMapping - 52, // 48: policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest.value_resolver:type_name -> 
policy.DefinitionValueResolver - 46, // 49: policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest.actions:type_name -> policy.Action - 47, // 50: policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest.metadata:type_name -> common.MetadataMutable - 48, // 51: policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 51, // 52: policy.subjectmapping.UpdateDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> policy.DefinitionValueEntitlementMapping - 51, // 53: policy.subjectmapping.DeleteDefinitionValueEntitlementMappingResponse.definition_value_entitlement_mapping:type_name -> policy.DefinitionValueEntitlementMapping - 3, // 54: policy.subjectmapping.SubjectMappingService.MatchSubjectMappings:input_type -> policy.subjectmapping.MatchSubjectMappingsRequest - 8, // 55: policy.subjectmapping.SubjectMappingService.ListSubjectMappings:input_type -> policy.subjectmapping.ListSubjectMappingsRequest - 5, // 56: policy.subjectmapping.SubjectMappingService.GetSubjectMapping:input_type -> policy.subjectmapping.GetSubjectMappingRequest - 10, // 57: policy.subjectmapping.SubjectMappingService.CreateSubjectMapping:input_type -> policy.subjectmapping.CreateSubjectMappingRequest - 12, // 58: policy.subjectmapping.SubjectMappingService.UpdateSubjectMapping:input_type -> policy.subjectmapping.UpdateSubjectMappingRequest - 14, // 59: policy.subjectmapping.SubjectMappingService.DeleteSubjectMapping:input_type -> policy.subjectmapping.DeleteSubjectMappingRequest - 19, // 60: policy.subjectmapping.SubjectMappingService.ListSubjectConditionSets:input_type -> policy.subjectmapping.ListSubjectConditionSetsRequest - 16, // 61: policy.subjectmapping.SubjectMappingService.GetSubjectConditionSet:input_type -> policy.subjectmapping.GetSubjectConditionSetRequest - 22, // 62: policy.subjectmapping.SubjectMappingService.CreateSubjectConditionSet:input_type 
-> policy.subjectmapping.CreateSubjectConditionSetRequest - 24, // 63: policy.subjectmapping.SubjectMappingService.UpdateSubjectConditionSet:input_type -> policy.subjectmapping.UpdateSubjectConditionSetRequest - 26, // 64: policy.subjectmapping.SubjectMappingService.DeleteSubjectConditionSet:input_type -> policy.subjectmapping.DeleteSubjectConditionSetRequest - 28, // 65: policy.subjectmapping.SubjectMappingService.DeleteAllUnmappedSubjectConditionSets:input_type -> policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest - 33, // 66: policy.subjectmapping.SubjectMappingService.ListDefinitionValueEntitlementMappings:input_type -> policy.subjectmapping.ListDefinitionValueEntitlementMappingsRequest - 30, // 67: policy.subjectmapping.SubjectMappingService.GetDefinitionValueEntitlementMapping:input_type -> policy.subjectmapping.GetDefinitionValueEntitlementMappingRequest - 35, // 68: policy.subjectmapping.SubjectMappingService.CreateDefinitionValueEntitlementMapping:input_type -> policy.subjectmapping.CreateDefinitionValueEntitlementMappingRequest - 37, // 69: policy.subjectmapping.SubjectMappingService.UpdateDefinitionValueEntitlementMapping:input_type -> policy.subjectmapping.UpdateDefinitionValueEntitlementMappingRequest - 39, // 70: policy.subjectmapping.SubjectMappingService.DeleteDefinitionValueEntitlementMapping:input_type -> policy.subjectmapping.DeleteDefinitionValueEntitlementMappingRequest - 4, // 71: policy.subjectmapping.SubjectMappingService.MatchSubjectMappings:output_type -> policy.subjectmapping.MatchSubjectMappingsResponse - 9, // 72: policy.subjectmapping.SubjectMappingService.ListSubjectMappings:output_type -> policy.subjectmapping.ListSubjectMappingsResponse - 6, // 73: policy.subjectmapping.SubjectMappingService.GetSubjectMapping:output_type -> policy.subjectmapping.GetSubjectMappingResponse - 11, // 74: policy.subjectmapping.SubjectMappingService.CreateSubjectMapping:output_type -> policy.subjectmapping.CreateSubjectMappingResponse - 
13, // 75: policy.subjectmapping.SubjectMappingService.UpdateSubjectMapping:output_type -> policy.subjectmapping.UpdateSubjectMappingResponse - 15, // 76: policy.subjectmapping.SubjectMappingService.DeleteSubjectMapping:output_type -> policy.subjectmapping.DeleteSubjectMappingResponse - 20, // 77: policy.subjectmapping.SubjectMappingService.ListSubjectConditionSets:output_type -> policy.subjectmapping.ListSubjectConditionSetsResponse - 17, // 78: policy.subjectmapping.SubjectMappingService.GetSubjectConditionSet:output_type -> policy.subjectmapping.GetSubjectConditionSetResponse - 23, // 79: policy.subjectmapping.SubjectMappingService.CreateSubjectConditionSet:output_type -> policy.subjectmapping.CreateSubjectConditionSetResponse - 25, // 80: policy.subjectmapping.SubjectMappingService.UpdateSubjectConditionSet:output_type -> policy.subjectmapping.UpdateSubjectConditionSetResponse - 27, // 81: policy.subjectmapping.SubjectMappingService.DeleteSubjectConditionSet:output_type -> policy.subjectmapping.DeleteSubjectConditionSetResponse - 29, // 82: policy.subjectmapping.SubjectMappingService.DeleteAllUnmappedSubjectConditionSets:output_type -> policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse - 34, // 83: policy.subjectmapping.SubjectMappingService.ListDefinitionValueEntitlementMappings:output_type -> policy.subjectmapping.ListDefinitionValueEntitlementMappingsResponse - 31, // 84: policy.subjectmapping.SubjectMappingService.GetDefinitionValueEntitlementMapping:output_type -> policy.subjectmapping.GetDefinitionValueEntitlementMappingResponse - 36, // 85: policy.subjectmapping.SubjectMappingService.CreateDefinitionValueEntitlementMapping:output_type -> policy.subjectmapping.CreateDefinitionValueEntitlementMappingResponse - 38, // 86: policy.subjectmapping.SubjectMappingService.UpdateDefinitionValueEntitlementMapping:output_type -> policy.subjectmapping.UpdateDefinitionValueEntitlementMappingResponse - 40, // 87: 
policy.subjectmapping.SubjectMappingService.DeleteDefinitionValueEntitlementMapping:output_type -> policy.subjectmapping.DeleteDefinitionValueEntitlementMappingResponse - 71, // [71:88] is the sub-list for method output_type - 54, // [54:71] is the sub-list for method input_type - 54, // [54:54] is the sub-list for extension type_name - 54, // [54:54] is the sub-list for extension extendee - 0, // [0:54] is the sub-list for field type_name + 31, // 21: policy.subjectmapping.SubjectConditionSetsSort.direction:type_name -> policy.SortDirection + 32, // 22: policy.subjectmapping.ListSubjectConditionSetsRequest.pagination:type_name -> policy.PageRequest + 17, // 23: policy.subjectmapping.ListSubjectConditionSetsRequest.sort:type_name -> policy.subjectmapping.SubjectConditionSetsSort + 37, // 24: policy.subjectmapping.ListSubjectConditionSetsResponse.subject_condition_sets:type_name -> policy.SubjectConditionSet + 33, // 25: policy.subjectmapping.ListSubjectConditionSetsResponse.pagination:type_name -> policy.PageResponse + 38, // 26: policy.subjectmapping.SubjectConditionSetCreate.subject_sets:type_name -> policy.SubjectSet + 35, // 27: policy.subjectmapping.SubjectConditionSetCreate.metadata:type_name -> common.MetadataMutable + 20, // 28: policy.subjectmapping.CreateSubjectConditionSetRequest.subject_condition_set:type_name -> policy.subjectmapping.SubjectConditionSetCreate + 37, // 29: policy.subjectmapping.CreateSubjectConditionSetResponse.subject_condition_set:type_name -> policy.SubjectConditionSet + 38, // 30: policy.subjectmapping.UpdateSubjectConditionSetRequest.subject_sets:type_name -> policy.SubjectSet + 35, // 31: policy.subjectmapping.UpdateSubjectConditionSetRequest.metadata:type_name -> common.MetadataMutable + 36, // 32: policy.subjectmapping.UpdateSubjectConditionSetRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 37, // 33: policy.subjectmapping.UpdateSubjectConditionSetResponse.subject_condition_set:type_name -> 
policy.SubjectConditionSet + 37, // 34: policy.subjectmapping.DeleteSubjectConditionSetResponse.subject_condition_set:type_name -> policy.SubjectConditionSet + 37, // 35: policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse.subject_condition_sets:type_name -> policy.SubjectConditionSet + 2, // 36: policy.subjectmapping.SubjectMappingService.MatchSubjectMappings:input_type -> policy.subjectmapping.MatchSubjectMappingsRequest + 7, // 37: policy.subjectmapping.SubjectMappingService.ListSubjectMappings:input_type -> policy.subjectmapping.ListSubjectMappingsRequest + 4, // 38: policy.subjectmapping.SubjectMappingService.GetSubjectMapping:input_type -> policy.subjectmapping.GetSubjectMappingRequest + 9, // 39: policy.subjectmapping.SubjectMappingService.CreateSubjectMapping:input_type -> policy.subjectmapping.CreateSubjectMappingRequest + 11, // 40: policy.subjectmapping.SubjectMappingService.UpdateSubjectMapping:input_type -> policy.subjectmapping.UpdateSubjectMappingRequest + 13, // 41: policy.subjectmapping.SubjectMappingService.DeleteSubjectMapping:input_type -> policy.subjectmapping.DeleteSubjectMappingRequest + 18, // 42: policy.subjectmapping.SubjectMappingService.ListSubjectConditionSets:input_type -> policy.subjectmapping.ListSubjectConditionSetsRequest + 15, // 43: policy.subjectmapping.SubjectMappingService.GetSubjectConditionSet:input_type -> policy.subjectmapping.GetSubjectConditionSetRequest + 21, // 44: policy.subjectmapping.SubjectMappingService.CreateSubjectConditionSet:input_type -> policy.subjectmapping.CreateSubjectConditionSetRequest + 23, // 45: policy.subjectmapping.SubjectMappingService.UpdateSubjectConditionSet:input_type -> policy.subjectmapping.UpdateSubjectConditionSetRequest + 25, // 46: policy.subjectmapping.SubjectMappingService.DeleteSubjectConditionSet:input_type -> policy.subjectmapping.DeleteSubjectConditionSetRequest + 27, // 47: policy.subjectmapping.SubjectMappingService.DeleteAllUnmappedSubjectConditionSets:input_type 
-> policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest + 3, // 48: policy.subjectmapping.SubjectMappingService.MatchSubjectMappings:output_type -> policy.subjectmapping.MatchSubjectMappingsResponse + 8, // 49: policy.subjectmapping.SubjectMappingService.ListSubjectMappings:output_type -> policy.subjectmapping.ListSubjectMappingsResponse + 5, // 50: policy.subjectmapping.SubjectMappingService.GetSubjectMapping:output_type -> policy.subjectmapping.GetSubjectMappingResponse + 10, // 51: policy.subjectmapping.SubjectMappingService.CreateSubjectMapping:output_type -> policy.subjectmapping.CreateSubjectMappingResponse + 12, // 52: policy.subjectmapping.SubjectMappingService.UpdateSubjectMapping:output_type -> policy.subjectmapping.UpdateSubjectMappingResponse + 14, // 53: policy.subjectmapping.SubjectMappingService.DeleteSubjectMapping:output_type -> policy.subjectmapping.DeleteSubjectMappingResponse + 19, // 54: policy.subjectmapping.SubjectMappingService.ListSubjectConditionSets:output_type -> policy.subjectmapping.ListSubjectConditionSetsResponse + 16, // 55: policy.subjectmapping.SubjectMappingService.GetSubjectConditionSet:output_type -> policy.subjectmapping.GetSubjectConditionSetResponse + 22, // 56: policy.subjectmapping.SubjectMappingService.CreateSubjectConditionSet:output_type -> policy.subjectmapping.CreateSubjectConditionSetResponse + 24, // 57: policy.subjectmapping.SubjectMappingService.UpdateSubjectConditionSet:output_type -> policy.subjectmapping.UpdateSubjectConditionSetResponse + 26, // 58: policy.subjectmapping.SubjectMappingService.DeleteSubjectConditionSet:output_type -> policy.subjectmapping.DeleteSubjectConditionSetResponse + 28, // 59: policy.subjectmapping.SubjectMappingService.DeleteAllUnmappedSubjectConditionSets:output_type -> policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse + 48, // [48:60] is the sub-list for method output_type + 36, // [36:48] is the sub-list for method input_type + 36, // [36:36] is the 
sub-list for extension type_name + 36, // [36:36] is the sub-list for extension extendee + 0, // [0:36] is the sub-list for field type_name } func init() { file_policy_subjectmapping_subject_mapping_proto_init() } 
@@ -3665,146 +2569,14 @@ func file_policy_subjectmapping_subject_mapping_proto_init() { return nil } } - file_policy_subjectmapping_subject_mapping_proto_msgTypes[27].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*GetDefinitionValueEntitlementMappingRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_subjectmapping_subject_mapping_proto_msgTypes[28].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*GetDefinitionValueEntitlementMappingResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_subjectmapping_subject_mapping_proto_msgTypes[29].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*DefinitionValueEntitlementMappingsSort); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_subjectmapping_subject_mapping_proto_msgTypes[30].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ListDefinitionValueEntitlementMappingsRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_subjectmapping_subject_mapping_proto_msgTypes[31].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ListDefinitionValueEntitlementMappingsResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_subjectmapping_subject_mapping_proto_msgTypes[32].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*CreateDefinitionValueEntitlementMappingRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - 
file_policy_subjectmapping_subject_mapping_proto_msgTypes[33].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*CreateDefinitionValueEntitlementMappingResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_subjectmapping_subject_mapping_proto_msgTypes[34].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*UpdateDefinitionValueEntitlementMappingRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_subjectmapping_subject_mapping_proto_msgTypes[35].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*UpdateDefinitionValueEntitlementMappingResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_subjectmapping_subject_mapping_proto_msgTypes[36].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*DeleteDefinitionValueEntitlementMappingRequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_subjectmapping_subject_mapping_proto_msgTypes[37].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*DeleteDefinitionValueEntitlementMappingResponse); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } } type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_policy_subjectmapping_subject_mapping_proto_rawDesc, - NumEnums: 3, - NumMessages: 38, + NumEnums: 2, + NumMessages: 27, NumExtensions: 0, NumServices: 1, }, 
diff --git a/protocol/go/policy/subjectmapping/subject_mapping_grpc.pb.go b/protocol/go/policy/subjectmapping/subject_mapping_grpc.pb.go index 2086851938..71a4f6e635 100644 --- a/protocol/go/policy/subjectmapping/subject_mapping_grpc.pb.go +++ b/protocol/go/policy/subjectmapping/subject_mapping_grpc.pb.go 
@@ -19,23 +19,18 @@ import ( const _ = grpc.SupportPackageIsVersion7 const ( - SubjectMappingService_MatchSubjectMappings_FullMethodName = "/policy.subjectmapping.SubjectMappingService/MatchSubjectMappings" - SubjectMappingService_ListSubjectMappings_FullMethodName = "/policy.subjectmapping.SubjectMappingService/ListSubjectMappings" - SubjectMappingService_GetSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/GetSubjectMapping" - SubjectMappingService_CreateSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/CreateSubjectMapping" - SubjectMappingService_UpdateSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/UpdateSubjectMapping" - SubjectMappingService_DeleteSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/DeleteSubjectMapping" - SubjectMappingService_ListSubjectConditionSets_FullMethodName = "/policy.subjectmapping.SubjectMappingService/ListSubjectConditionSets" - SubjectMappingService_GetSubjectConditionSet_FullMethodName = "/policy.subjectmapping.SubjectMappingService/GetSubjectConditionSet" - SubjectMappingService_CreateSubjectConditionSet_FullMethodName = "/policy.subjectmapping.SubjectMappingService/CreateSubjectConditionSet" - SubjectMappingService_UpdateSubjectConditionSet_FullMethodName = "/policy.subjectmapping.SubjectMappingService/UpdateSubjectConditionSet" - SubjectMappingService_DeleteSubjectConditionSet_FullMethodName = "/policy.subjectmapping.SubjectMappingService/DeleteSubjectConditionSet" - SubjectMappingService_DeleteAllUnmappedSubjectConditionSets_FullMethodName = "/policy.subjectmapping.SubjectMappingService/DeleteAllUnmappedSubjectConditionSets" - SubjectMappingService_ListDefinitionValueEntitlementMappings_FullMethodName = "/policy.subjectmapping.SubjectMappingService/ListDefinitionValueEntitlementMappings" - SubjectMappingService_GetDefinitionValueEntitlementMapping_FullMethodName = 
"/policy.subjectmapping.SubjectMappingService/GetDefinitionValueEntitlementMapping" - SubjectMappingService_CreateDefinitionValueEntitlementMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/CreateDefinitionValueEntitlementMapping" - SubjectMappingService_UpdateDefinitionValueEntitlementMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/UpdateDefinitionValueEntitlementMapping" - SubjectMappingService_DeleteDefinitionValueEntitlementMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/DeleteDefinitionValueEntitlementMapping" + SubjectMappingService_MatchSubjectMappings_FullMethodName = "/policy.subjectmapping.SubjectMappingService/MatchSubjectMappings" + SubjectMappingService_ListSubjectMappings_FullMethodName = "/policy.subjectmapping.SubjectMappingService/ListSubjectMappings" + SubjectMappingService_GetSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/GetSubjectMapping" + SubjectMappingService_CreateSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/CreateSubjectMapping" + SubjectMappingService_UpdateSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/UpdateSubjectMapping" + SubjectMappingService_DeleteSubjectMapping_FullMethodName = "/policy.subjectmapping.SubjectMappingService/DeleteSubjectMapping" + SubjectMappingService_ListSubjectConditionSets_FullMethodName = "/policy.subjectmapping.SubjectMappingService/ListSubjectConditionSets" + SubjectMappingService_GetSubjectConditionSet_FullMethodName = "/policy.subjectmapping.SubjectMappingService/GetSubjectConditionSet" + SubjectMappingService_CreateSubjectConditionSet_FullMethodName = "/policy.subjectmapping.SubjectMappingService/CreateSubjectConditionSet" + SubjectMappingService_UpdateSubjectConditionSet_FullMethodName = "/policy.subjectmapping.SubjectMappingService/UpdateSubjectConditionSet" + SubjectMappingService_DeleteSubjectConditionSet_FullMethodName = 
"/policy.subjectmapping.SubjectMappingService/DeleteSubjectConditionSet" + SubjectMappingService_DeleteAllUnmappedSubjectConditionSets_FullMethodName = "/policy.subjectmapping.SubjectMappingService/DeleteAllUnmappedSubjectConditionSets" ) // SubjectMappingServiceClient is the client API for SubjectMappingService service. @@ -55,11 +50,6 @@ type SubjectMappingServiceClient interface { UpdateSubjectConditionSet(ctx context.Context, in *UpdateSubjectConditionSetRequest, opts ...grpc.CallOption) (*UpdateSubjectConditionSetResponse, error) DeleteSubjectConditionSet(ctx context.Context, in *DeleteSubjectConditionSetRequest, opts ...grpc.CallOption) (*DeleteSubjectConditionSetResponse, error) DeleteAllUnmappedSubjectConditionSets(ctx context.Context, in *DeleteAllUnmappedSubjectConditionSetsRequest, opts ...grpc.CallOption) (*DeleteAllUnmappedSubjectConditionSetsResponse, error) - ListDefinitionValueEntitlementMappings(ctx context.Context, in *ListDefinitionValueEntitlementMappingsRequest, opts ...grpc.CallOption) (*ListDefinitionValueEntitlementMappingsResponse, error) - GetDefinitionValueEntitlementMapping(ctx context.Context, in *GetDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*GetDefinitionValueEntitlementMappingResponse, error) - CreateDefinitionValueEntitlementMapping(ctx context.Context, in *CreateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*CreateDefinitionValueEntitlementMappingResponse, error) - UpdateDefinitionValueEntitlementMapping(ctx context.Context, in *UpdateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*UpdateDefinitionValueEntitlementMappingResponse, error) - DeleteDefinitionValueEntitlementMapping(ctx context.Context, in *DeleteDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*DeleteDefinitionValueEntitlementMappingResponse, error) } type subjectMappingServiceClient struct { 
@@ -178,51 +168,6 @@ func (c *subjectMappingServiceClient) DeleteAllUnmappedSubjectConditionSets(ctx return out, nil } -func (c *subjectMappingServiceClient) ListDefinitionValueEntitlementMappings(ctx context.Context, in *ListDefinitionValueEntitlementMappingsRequest, opts ...grpc.CallOption) (*ListDefinitionValueEntitlementMappingsResponse, error) { - out := new(ListDefinitionValueEntitlementMappingsResponse) - err := c.cc.Invoke(ctx, SubjectMappingService_ListDefinitionValueEntitlementMappings_FullMethodName, in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - -func (c *subjectMappingServiceClient) GetDefinitionValueEntitlementMapping(ctx context.Context, in *GetDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*GetDefinitionValueEntitlementMappingResponse, error) { - out := new(GetDefinitionValueEntitlementMappingResponse) - err := c.cc.Invoke(ctx, SubjectMappingService_GetDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - -func (c *subjectMappingServiceClient) CreateDefinitionValueEntitlementMapping(ctx context.Context, in *CreateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*CreateDefinitionValueEntitlementMappingResponse, error) { - out := new(CreateDefinitionValueEntitlementMappingResponse) - err := c.cc.Invoke(ctx, SubjectMappingService_CreateDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - -func (c *subjectMappingServiceClient) UpdateDefinitionValueEntitlementMapping(ctx context.Context, in *UpdateDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*UpdateDefinitionValueEntitlementMappingResponse, error) { - out := new(UpdateDefinitionValueEntitlementMappingResponse) - err := c.cc.Invoke(ctx, SubjectMappingService_UpdateDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) 
- if err != nil { - return nil, err - } - return out, nil -} - -func (c *subjectMappingServiceClient) DeleteDefinitionValueEntitlementMapping(ctx context.Context, in *DeleteDefinitionValueEntitlementMappingRequest, opts ...grpc.CallOption) (*DeleteDefinitionValueEntitlementMappingResponse, error) { - out := new(DeleteDefinitionValueEntitlementMappingResponse) - err := c.cc.Invoke(ctx, SubjectMappingService_DeleteDefinitionValueEntitlementMapping_FullMethodName, in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - // SubjectMappingServiceServer is the server API for SubjectMappingService service. // All implementations must embed UnimplementedSubjectMappingServiceServer // for forward compatibility 
@@ -240,11 +185,6 @@ type SubjectMappingServiceServer interface { UpdateSubjectConditionSet(context.Context, *UpdateSubjectConditionSetRequest) (*UpdateSubjectConditionSetResponse, error) DeleteSubjectConditionSet(context.Context, *DeleteSubjectConditionSetRequest) (*DeleteSubjectConditionSetResponse, error) DeleteAllUnmappedSubjectConditionSets(context.Context, *DeleteAllUnmappedSubjectConditionSetsRequest) (*DeleteAllUnmappedSubjectConditionSetsResponse, error) - ListDefinitionValueEntitlementMappings(context.Context, *ListDefinitionValueEntitlementMappingsRequest) (*ListDefinitionValueEntitlementMappingsResponse, error) - GetDefinitionValueEntitlementMapping(context.Context, *GetDefinitionValueEntitlementMappingRequest) (*GetDefinitionValueEntitlementMappingResponse, error) - CreateDefinitionValueEntitlementMapping(context.Context, *CreateDefinitionValueEntitlementMappingRequest) (*CreateDefinitionValueEntitlementMappingResponse, error) - UpdateDefinitionValueEntitlementMapping(context.Context, *UpdateDefinitionValueEntitlementMappingRequest) (*UpdateDefinitionValueEntitlementMappingResponse, error) - DeleteDefinitionValueEntitlementMapping(context.Context, *DeleteDefinitionValueEntitlementMappingRequest) (*DeleteDefinitionValueEntitlementMappingResponse, error) mustEmbedUnimplementedSubjectMappingServiceServer() } 
@@ -288,21 +228,6 @@ func (UnimplementedSubjectMappingServiceServer) DeleteSubjectConditionSet(contex func (UnimplementedSubjectMappingServiceServer) DeleteAllUnmappedSubjectConditionSets(context.Context, *DeleteAllUnmappedSubjectConditionSetsRequest) (*DeleteAllUnmappedSubjectConditionSetsResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method DeleteAllUnmappedSubjectConditionSets not implemented") } -func (UnimplementedSubjectMappingServiceServer) ListDefinitionValueEntitlementMappings(context.Context, *ListDefinitionValueEntitlementMappingsRequest) (*ListDefinitionValueEntitlementMappingsResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method ListDefinitionValueEntitlementMappings not implemented") -} -func (UnimplementedSubjectMappingServiceServer) GetDefinitionValueEntitlementMapping(context.Context, *GetDefinitionValueEntitlementMappingRequest) (*GetDefinitionValueEntitlementMappingResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method GetDefinitionValueEntitlementMapping not implemented") -} -func (UnimplementedSubjectMappingServiceServer) CreateDefinitionValueEntitlementMapping(context.Context, *CreateDefinitionValueEntitlementMappingRequest) (*CreateDefinitionValueEntitlementMappingResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method CreateDefinitionValueEntitlementMapping not implemented") -} -func (UnimplementedSubjectMappingServiceServer) UpdateDefinitionValueEntitlementMapping(context.Context, *UpdateDefinitionValueEntitlementMappingRequest) (*UpdateDefinitionValueEntitlementMappingResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method UpdateDefinitionValueEntitlementMapping not implemented") -} -func (UnimplementedSubjectMappingServiceServer) DeleteDefinitionValueEntitlementMapping(context.Context, *DeleteDefinitionValueEntitlementMappingRequest) (*DeleteDefinitionValueEntitlementMappingResponse, error) { - return nil, 
status.Errorf(codes.Unimplemented, "method DeleteDefinitionValueEntitlementMapping not implemented") -} func (UnimplementedSubjectMappingServiceServer) mustEmbedUnimplementedSubjectMappingServiceServer() {} // UnsafeSubjectMappingServiceServer may be embedded to opt out of forward compatibility for this service. 
@@ -532,96 +457,6 @@ func _SubjectMappingService_DeleteAllUnmappedSubjectConditionSets_Handler(srv in return interceptor(ctx, in, info, handler) } -func _SubjectMappingService_ListDefinitionValueEntitlementMappings_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(ListDefinitionValueEntitlementMappingsRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(SubjectMappingServiceServer).ListDefinitionValueEntitlementMappings(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: SubjectMappingService_ListDefinitionValueEntitlementMappings_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SubjectMappingServiceServer).ListDefinitionValueEntitlementMappings(ctx, req.(*ListDefinitionValueEntitlementMappingsRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _SubjectMappingService_GetDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(GetDefinitionValueEntitlementMappingRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(SubjectMappingServiceServer).GetDefinitionValueEntitlementMapping(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: SubjectMappingService_GetDefinitionValueEntitlementMapping_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SubjectMappingServiceServer).GetDefinitionValueEntitlementMapping(ctx, req.(*GetDefinitionValueEntitlementMappingRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _SubjectMappingService_CreateDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, 
interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(CreateDefinitionValueEntitlementMappingRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(SubjectMappingServiceServer).CreateDefinitionValueEntitlementMapping(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: SubjectMappingService_CreateDefinitionValueEntitlementMapping_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SubjectMappingServiceServer).CreateDefinitionValueEntitlementMapping(ctx, req.(*CreateDefinitionValueEntitlementMappingRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _SubjectMappingService_UpdateDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(UpdateDefinitionValueEntitlementMappingRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(SubjectMappingServiceServer).UpdateDefinitionValueEntitlementMapping(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: SubjectMappingService_UpdateDefinitionValueEntitlementMapping_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SubjectMappingServiceServer).UpdateDefinitionValueEntitlementMapping(ctx, req.(*UpdateDefinitionValueEntitlementMappingRequest)) - } - return interceptor(ctx, in, info, handler) -} - -func _SubjectMappingService_DeleteDefinitionValueEntitlementMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(DeleteDefinitionValueEntitlementMappingRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return 
srv.(SubjectMappingServiceServer).DeleteDefinitionValueEntitlementMapping(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: SubjectMappingService_DeleteDefinitionValueEntitlementMapping_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(SubjectMappingServiceServer).DeleteDefinitionValueEntitlementMapping(ctx, req.(*DeleteDefinitionValueEntitlementMappingRequest)) - } - return interceptor(ctx, in, info, handler) -} - // SubjectMappingService_ServiceDesc is the grpc.ServiceDesc for SubjectMappingService service. // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) @@ -677,26 +512,6 @@ var SubjectMappingService_ServiceDesc = grpc.ServiceDesc{ MethodName: "DeleteAllUnmappedSubjectConditionSets", Handler: _SubjectMappingService_DeleteAllUnmappedSubjectConditionSets_Handler, }, - { - MethodName: "ListDefinitionValueEntitlementMappings", - Handler: _SubjectMappingService_ListDefinitionValueEntitlementMappings_Handler, - }, - { - MethodName: "GetDefinitionValueEntitlementMapping", - Handler: _SubjectMappingService_GetDefinitionValueEntitlementMapping_Handler, - }, - { - MethodName: "CreateDefinitionValueEntitlementMapping", - Handler: _SubjectMappingService_CreateDefinitionValueEntitlementMapping_Handler, - }, - { - MethodName: "UpdateDefinitionValueEntitlementMapping", - Handler: _SubjectMappingService_UpdateDefinitionValueEntitlementMapping_Handler, - }, - { - MethodName: "DeleteDefinitionValueEntitlementMapping", - Handler: _SubjectMappingService_DeleteDefinitionValueEntitlementMapping_Handler, - }, }, Streams: []grpc.StreamDesc{}, Metadata: "policy/subjectmapping/subject_mapping.proto", diff --git a/protocol/go/policy/subjectmapping/subjectmappingconnect/subject_mapping.connect.go b/protocol/go/policy/subjectmapping/subjectmappingconnect/subject_mapping.connect.go index 11bd2abc9f..0838829b23 100644 
--- a/protocol/go/policy/subjectmapping/subjectmappingconnect/subject_mapping.connect.go +++ b/protocol/go/policy/subjectmapping/subjectmappingconnect/subject_mapping.connect.go 
@@ -69,21 +69,6 @@ const ( // SubjectMappingServiceDeleteAllUnmappedSubjectConditionSetsProcedure is the fully-qualified name // of the SubjectMappingService's DeleteAllUnmappedSubjectConditionSets RPC. SubjectMappingServiceDeleteAllUnmappedSubjectConditionSetsProcedure = "/policy.subjectmapping.SubjectMappingService/DeleteAllUnmappedSubjectConditionSets" - // SubjectMappingServiceListDefinitionValueEntitlementMappingsProcedure is the fully-qualified name - // of the SubjectMappingService's ListDefinitionValueEntitlementMappings RPC. - SubjectMappingServiceListDefinitionValueEntitlementMappingsProcedure = "/policy.subjectmapping.SubjectMappingService/ListDefinitionValueEntitlementMappings" - // SubjectMappingServiceGetDefinitionValueEntitlementMappingProcedure is the fully-qualified name of - // the SubjectMappingService's GetDefinitionValueEntitlementMapping RPC. - SubjectMappingServiceGetDefinitionValueEntitlementMappingProcedure = "/policy.subjectmapping.SubjectMappingService/GetDefinitionValueEntitlementMapping" - // SubjectMappingServiceCreateDefinitionValueEntitlementMappingProcedure is the fully-qualified name - // of the SubjectMappingService's CreateDefinitionValueEntitlementMapping RPC. - SubjectMappingServiceCreateDefinitionValueEntitlementMappingProcedure = "/policy.subjectmapping.SubjectMappingService/CreateDefinitionValueEntitlementMapping" - // SubjectMappingServiceUpdateDefinitionValueEntitlementMappingProcedure is the fully-qualified name - // of the SubjectMappingService's UpdateDefinitionValueEntitlementMapping RPC. - SubjectMappingServiceUpdateDefinitionValueEntitlementMappingProcedure = "/policy.subjectmapping.SubjectMappingService/UpdateDefinitionValueEntitlementMapping" - // SubjectMappingServiceDeleteDefinitionValueEntitlementMappingProcedure is the fully-qualified name - // of the SubjectMappingService's DeleteDefinitionValueEntitlementMapping RPC. 
- SubjectMappingServiceDeleteDefinitionValueEntitlementMappingProcedure = "/policy.subjectmapping.SubjectMappingService/DeleteDefinitionValueEntitlementMapping" ) // SubjectMappingServiceClient is a client for the policy.subjectmapping.SubjectMappingService 
@@ -102,11 +87,6 @@ type SubjectMappingServiceClient interface { UpdateSubjectConditionSet(context.Context, *connect.Request[subjectmapping.UpdateSubjectConditionSetRequest]) (*connect.Response[subjectmapping.UpdateSubjectConditionSetResponse], error) DeleteSubjectConditionSet(context.Context, *connect.Request[subjectmapping.DeleteSubjectConditionSetRequest]) (*connect.Response[subjectmapping.DeleteSubjectConditionSetResponse], error) DeleteAllUnmappedSubjectConditionSets(context.Context, *connect.Request[subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest]) (*connect.Response[subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse], error) - ListDefinitionValueEntitlementMappings(context.Context, *connect.Request[subjectmapping.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[subjectmapping.ListDefinitionValueEntitlementMappingsResponse], error) - GetDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.GetDefinitionValueEntitlementMappingResponse], error) - CreateDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.CreateDefinitionValueEntitlementMappingResponse], error) - UpdateDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.UpdateDefinitionValueEntitlementMappingResponse], error) - DeleteDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.DeleteDefinitionValueEntitlementMappingResponse], error) } // NewSubjectMappingServiceClient constructs a client for the 
@@ -197,60 +177,23 @@ func NewSubjectMappingServiceClient(httpClient connect.HTTPClient, baseURL strin connect.WithSchema(subjectMappingServiceMethods.ByName("DeleteAllUnmappedSubjectConditionSets")), connect.WithClientOptions(opts...), ), - listDefinitionValueEntitlementMappings: connect.NewClient[subjectmapping.ListDefinitionValueEntitlementMappingsRequest, subjectmapping.ListDefinitionValueEntitlementMappingsResponse]( - httpClient, - baseURL+SubjectMappingServiceListDefinitionValueEntitlementMappingsProcedure, - connect.WithSchema(subjectMappingServiceMethods.ByName("ListDefinitionValueEntitlementMappings")), - connect.WithIdempotency(connect.IdempotencyNoSideEffects), - connect.WithClientOptions(opts...), - ), - getDefinitionValueEntitlementMapping: connect.NewClient[subjectmapping.GetDefinitionValueEntitlementMappingRequest, subjectmapping.GetDefinitionValueEntitlementMappingResponse]( - httpClient, - baseURL+SubjectMappingServiceGetDefinitionValueEntitlementMappingProcedure, - connect.WithSchema(subjectMappingServiceMethods.ByName("GetDefinitionValueEntitlementMapping")), - connect.WithIdempotency(connect.IdempotencyNoSideEffects), - connect.WithClientOptions(opts...), - ), - createDefinitionValueEntitlementMapping: connect.NewClient[subjectmapping.CreateDefinitionValueEntitlementMappingRequest, subjectmapping.CreateDefinitionValueEntitlementMappingResponse]( - httpClient, - baseURL+SubjectMappingServiceCreateDefinitionValueEntitlementMappingProcedure, - connect.WithSchema(subjectMappingServiceMethods.ByName("CreateDefinitionValueEntitlementMapping")), - connect.WithClientOptions(opts...), - ), - updateDefinitionValueEntitlementMapping: connect.NewClient[subjectmapping.UpdateDefinitionValueEntitlementMappingRequest, subjectmapping.UpdateDefinitionValueEntitlementMappingResponse]( - httpClient, - baseURL+SubjectMappingServiceUpdateDefinitionValueEntitlementMappingProcedure, - 
connect.WithSchema(subjectMappingServiceMethods.ByName("UpdateDefinitionValueEntitlementMapping")), - connect.WithClientOptions(opts...), - ), - deleteDefinitionValueEntitlementMapping: connect.NewClient[subjectmapping.DeleteDefinitionValueEntitlementMappingRequest, subjectmapping.DeleteDefinitionValueEntitlementMappingResponse]( - httpClient, - baseURL+SubjectMappingServiceDeleteDefinitionValueEntitlementMappingProcedure, - connect.WithSchema(subjectMappingServiceMethods.ByName("DeleteDefinitionValueEntitlementMapping")), - connect.WithClientOptions(opts...), - ), } } // subjectMappingServiceClient implements SubjectMappingServiceClient. type subjectMappingServiceClient struct { - matchSubjectMappings *connect.Client[subjectmapping.MatchSubjectMappingsRequest, subjectmapping.MatchSubjectMappingsResponse] - listSubjectMappings *connect.Client[subjectmapping.ListSubjectMappingsRequest, subjectmapping.ListSubjectMappingsResponse] - getSubjectMapping *connect.Client[subjectmapping.GetSubjectMappingRequest, subjectmapping.GetSubjectMappingResponse] - createSubjectMapping *connect.Client[subjectmapping.CreateSubjectMappingRequest, subjectmapping.CreateSubjectMappingResponse] - updateSubjectMapping *connect.Client[subjectmapping.UpdateSubjectMappingRequest, subjectmapping.UpdateSubjectMappingResponse] - deleteSubjectMapping *connect.Client[subjectmapping.DeleteSubjectMappingRequest, subjectmapping.DeleteSubjectMappingResponse] - listSubjectConditionSets *connect.Client[subjectmapping.ListSubjectConditionSetsRequest, subjectmapping.ListSubjectConditionSetsResponse] - getSubjectConditionSet *connect.Client[subjectmapping.GetSubjectConditionSetRequest, subjectmapping.GetSubjectConditionSetResponse] - createSubjectConditionSet *connect.Client[subjectmapping.CreateSubjectConditionSetRequest, subjectmapping.CreateSubjectConditionSetResponse] - updateSubjectConditionSet *connect.Client[subjectmapping.UpdateSubjectConditionSetRequest, 
subjectmapping.UpdateSubjectConditionSetResponse] - deleteSubjectConditionSet *connect.Client[subjectmapping.DeleteSubjectConditionSetRequest, subjectmapping.DeleteSubjectConditionSetResponse] - deleteAllUnmappedSubjectConditionSets *connect.Client[subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest, subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse] - listDefinitionValueEntitlementMappings *connect.Client[subjectmapping.ListDefinitionValueEntitlementMappingsRequest, subjectmapping.ListDefinitionValueEntitlementMappingsResponse] - getDefinitionValueEntitlementMapping *connect.Client[subjectmapping.GetDefinitionValueEntitlementMappingRequest, subjectmapping.GetDefinitionValueEntitlementMappingResponse] - createDefinitionValueEntitlementMapping *connect.Client[subjectmapping.CreateDefinitionValueEntitlementMappingRequest, subjectmapping.CreateDefinitionValueEntitlementMappingResponse] - updateDefinitionValueEntitlementMapping *connect.Client[subjectmapping.UpdateDefinitionValueEntitlementMappingRequest, subjectmapping.UpdateDefinitionValueEntitlementMappingResponse] - deleteDefinitionValueEntitlementMapping *connect.Client[subjectmapping.DeleteDefinitionValueEntitlementMappingRequest, subjectmapping.DeleteDefinitionValueEntitlementMappingResponse] + matchSubjectMappings *connect.Client[subjectmapping.MatchSubjectMappingsRequest, subjectmapping.MatchSubjectMappingsResponse] + listSubjectMappings *connect.Client[subjectmapping.ListSubjectMappingsRequest, subjectmapping.ListSubjectMappingsResponse] + getSubjectMapping *connect.Client[subjectmapping.GetSubjectMappingRequest, subjectmapping.GetSubjectMappingResponse] + createSubjectMapping *connect.Client[subjectmapping.CreateSubjectMappingRequest, subjectmapping.CreateSubjectMappingResponse] + updateSubjectMapping *connect.Client[subjectmapping.UpdateSubjectMappingRequest, subjectmapping.UpdateSubjectMappingResponse] + deleteSubjectMapping *connect.Client[subjectmapping.DeleteSubjectMappingRequest, 
subjectmapping.DeleteSubjectMappingResponse] + listSubjectConditionSets *connect.Client[subjectmapping.ListSubjectConditionSetsRequest, subjectmapping.ListSubjectConditionSetsResponse] + getSubjectConditionSet *connect.Client[subjectmapping.GetSubjectConditionSetRequest, subjectmapping.GetSubjectConditionSetResponse] + createSubjectConditionSet *connect.Client[subjectmapping.CreateSubjectConditionSetRequest, subjectmapping.CreateSubjectConditionSetResponse] + updateSubjectConditionSet *connect.Client[subjectmapping.UpdateSubjectConditionSetRequest, subjectmapping.UpdateSubjectConditionSetResponse] + deleteSubjectConditionSet *connect.Client[subjectmapping.DeleteSubjectConditionSetRequest, subjectmapping.DeleteSubjectConditionSetResponse] + deleteAllUnmappedSubjectConditionSets *connect.Client[subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest, subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse] } // MatchSubjectMappings calls policy.subjectmapping.SubjectMappingService.MatchSubjectMappings. 
@@ -318,36 +261,6 @@ func (c *subjectMappingServiceClient) DeleteAllUnmappedSubjectConditionSets(ctx return c.deleteAllUnmappedSubjectConditionSets.CallUnary(ctx, req) } -// ListDefinitionValueEntitlementMappings calls -// policy.subjectmapping.SubjectMappingService.ListDefinitionValueEntitlementMappings. -func (c *subjectMappingServiceClient) ListDefinitionValueEntitlementMappings(ctx context.Context, req *connect.Request[subjectmapping.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[subjectmapping.ListDefinitionValueEntitlementMappingsResponse], error) { - return c.listDefinitionValueEntitlementMappings.CallUnary(ctx, req) -} - -// GetDefinitionValueEntitlementMapping calls -// policy.subjectmapping.SubjectMappingService.GetDefinitionValueEntitlementMapping. -func (c *subjectMappingServiceClient) GetDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[subjectmapping.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.GetDefinitionValueEntitlementMappingResponse], error) { - return c.getDefinitionValueEntitlementMapping.CallUnary(ctx, req) -} - -// CreateDefinitionValueEntitlementMapping calls -// policy.subjectmapping.SubjectMappingService.CreateDefinitionValueEntitlementMapping. -func (c *subjectMappingServiceClient) CreateDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[subjectmapping.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.CreateDefinitionValueEntitlementMappingResponse], error) { - return c.createDefinitionValueEntitlementMapping.CallUnary(ctx, req) -} - -// UpdateDefinitionValueEntitlementMapping calls -// policy.subjectmapping.SubjectMappingService.UpdateDefinitionValueEntitlementMapping. 
-func (c *subjectMappingServiceClient) UpdateDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[subjectmapping.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.UpdateDefinitionValueEntitlementMappingResponse], error) { - return c.updateDefinitionValueEntitlementMapping.CallUnary(ctx, req) -} - -// DeleteDefinitionValueEntitlementMapping calls -// policy.subjectmapping.SubjectMappingService.DeleteDefinitionValueEntitlementMapping. -func (c *subjectMappingServiceClient) DeleteDefinitionValueEntitlementMapping(ctx context.Context, req *connect.Request[subjectmapping.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.DeleteDefinitionValueEntitlementMappingResponse], error) { - return c.deleteDefinitionValueEntitlementMapping.CallUnary(ctx, req) -} - // SubjectMappingServiceHandler is an implementation of the // policy.subjectmapping.SubjectMappingService service. type SubjectMappingServiceHandler interface { 
@@ -364,11 +277,6 @@ type SubjectMappingServiceHandler interface { UpdateSubjectConditionSet(context.Context, *connect.Request[subjectmapping.UpdateSubjectConditionSetRequest]) (*connect.Response[subjectmapping.UpdateSubjectConditionSetResponse], error) DeleteSubjectConditionSet(context.Context, *connect.Request[subjectmapping.DeleteSubjectConditionSetRequest]) (*connect.Response[subjectmapping.DeleteSubjectConditionSetResponse], error) DeleteAllUnmappedSubjectConditionSets(context.Context, *connect.Request[subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest]) (*connect.Response[subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse], error) - ListDefinitionValueEntitlementMappings(context.Context, *connect.Request[subjectmapping.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[subjectmapping.ListDefinitionValueEntitlementMappingsResponse], error) - GetDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.GetDefinitionValueEntitlementMappingResponse], error) - CreateDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.CreateDefinitionValueEntitlementMappingResponse], error) - UpdateDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.UpdateDefinitionValueEntitlementMappingResponse], error) - DeleteDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.DeleteDefinitionValueEntitlementMappingResponse], error) } // NewSubjectMappingServiceHandler builds an HTTP handler from the service implementation. It 
@@ -454,38 +362,6 @@ func NewSubjectMappingServiceHandler(svc SubjectMappingServiceHandler, opts ...c connect.WithSchema(subjectMappingServiceMethods.ByName("DeleteAllUnmappedSubjectConditionSets")), connect.WithHandlerOptions(opts...), ) - subjectMappingServiceListDefinitionValueEntitlementMappingsHandler := connect.NewUnaryHandler( - SubjectMappingServiceListDefinitionValueEntitlementMappingsProcedure, - svc.ListDefinitionValueEntitlementMappings, - connect.WithSchema(subjectMappingServiceMethods.ByName("ListDefinitionValueEntitlementMappings")), - connect.WithIdempotency(connect.IdempotencyNoSideEffects), - connect.WithHandlerOptions(opts...), - ) - subjectMappingServiceGetDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( - SubjectMappingServiceGetDefinitionValueEntitlementMappingProcedure, - svc.GetDefinitionValueEntitlementMapping, - connect.WithSchema(subjectMappingServiceMethods.ByName("GetDefinitionValueEntitlementMapping")), - connect.WithIdempotency(connect.IdempotencyNoSideEffects), - connect.WithHandlerOptions(opts...), - ) - subjectMappingServiceCreateDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( - SubjectMappingServiceCreateDefinitionValueEntitlementMappingProcedure, - svc.CreateDefinitionValueEntitlementMapping, - connect.WithSchema(subjectMappingServiceMethods.ByName("CreateDefinitionValueEntitlementMapping")), - connect.WithHandlerOptions(opts...), - ) - subjectMappingServiceUpdateDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( - SubjectMappingServiceUpdateDefinitionValueEntitlementMappingProcedure, - svc.UpdateDefinitionValueEntitlementMapping, - connect.WithSchema(subjectMappingServiceMethods.ByName("UpdateDefinitionValueEntitlementMapping")), - connect.WithHandlerOptions(opts...), - ) - subjectMappingServiceDeleteDefinitionValueEntitlementMappingHandler := connect.NewUnaryHandler( - SubjectMappingServiceDeleteDefinitionValueEntitlementMappingProcedure, - 
svc.DeleteDefinitionValueEntitlementMapping, - connect.WithSchema(subjectMappingServiceMethods.ByName("DeleteDefinitionValueEntitlementMapping")), - connect.WithHandlerOptions(opts...), - ) return "/policy.subjectmapping.SubjectMappingService/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { switch r.URL.Path { case SubjectMappingServiceMatchSubjectMappingsProcedure: @@ -512,16 +388,6 @@ func NewSubjectMappingServiceHandler(svc SubjectMappingServiceHandler, opts ...c subjectMappingServiceDeleteSubjectConditionSetHandler.ServeHTTP(w, r) case SubjectMappingServiceDeleteAllUnmappedSubjectConditionSetsProcedure: subjectMappingServiceDeleteAllUnmappedSubjectConditionSetsHandler.ServeHTTP(w, r) - case SubjectMappingServiceListDefinitionValueEntitlementMappingsProcedure: - subjectMappingServiceListDefinitionValueEntitlementMappingsHandler.ServeHTTP(w, r) - case SubjectMappingServiceGetDefinitionValueEntitlementMappingProcedure: - subjectMappingServiceGetDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) - case SubjectMappingServiceCreateDefinitionValueEntitlementMappingProcedure: - subjectMappingServiceCreateDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) - case SubjectMappingServiceUpdateDefinitionValueEntitlementMappingProcedure: - subjectMappingServiceUpdateDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) - case SubjectMappingServiceDeleteDefinitionValueEntitlementMappingProcedure: - subjectMappingServiceDeleteDefinitionValueEntitlementMappingHandler.ServeHTTP(w, r) default: http.NotFound(w, r) } 
@@ -578,23 +444,3 @@ func (UnimplementedSubjectMappingServiceHandler) DeleteSubjectConditionSet(conte func (UnimplementedSubjectMappingServiceHandler) DeleteAllUnmappedSubjectConditionSets(context.Context, *connect.Request[subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest]) (*connect.Response[subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse], error) { return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.subjectmapping.SubjectMappingService.DeleteAllUnmappedSubjectConditionSets is not implemented")) } - -func (UnimplementedSubjectMappingServiceHandler) ListDefinitionValueEntitlementMappings(context.Context, *connect.Request[subjectmapping.ListDefinitionValueEntitlementMappingsRequest]) (*connect.Response[subjectmapping.ListDefinitionValueEntitlementMappingsResponse], error) { - return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.subjectmapping.SubjectMappingService.ListDefinitionValueEntitlementMappings is not implemented")) -} - -func (UnimplementedSubjectMappingServiceHandler) GetDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.GetDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.GetDefinitionValueEntitlementMappingResponse], error) { - return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.subjectmapping.SubjectMappingService.GetDefinitionValueEntitlementMapping is not implemented")) -} - -func (UnimplementedSubjectMappingServiceHandler) CreateDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.CreateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.CreateDefinitionValueEntitlementMappingResponse], error) { - return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.subjectmapping.SubjectMappingService.CreateDefinitionValueEntitlementMapping is not implemented")) -} - -func (UnimplementedSubjectMappingServiceHandler) 
UpdateDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.UpdateDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.UpdateDefinitionValueEntitlementMappingResponse], error) { - return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.subjectmapping.SubjectMappingService.UpdateDefinitionValueEntitlementMapping is not implemented")) -} - -func (UnimplementedSubjectMappingServiceHandler) DeleteDefinitionValueEntitlementMapping(context.Context, *connect.Request[subjectmapping.DeleteDefinitionValueEntitlementMappingRequest]) (*connect.Response[subjectmapping.DeleteDefinitionValueEntitlementMappingResponse], error) { - return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.subjectmapping.SubjectMappingService.DeleteDefinitionValueEntitlementMapping is not implemented")) -} diff --git a/sdk/codegen/main.go b/sdk/codegen/main.go index f917a9e5fc..b9dc704a02 100644 --- a/sdk/codegen/main.go +++ b/sdk/codegen/main.go @@ -66,6 +66,10 @@ var clientsToGenerateList = []runner.ClientsToGenerate{ GrpcClientInterface: "SubjectMappingServiceClient", GrpcPackagePath: "github.com/opentdf/platform/protocol/go/policy/subjectmapping", }, + { + GrpcClientInterface: "DynamicValueMappingServiceClient", + GrpcPackagePath: "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping", + }, { GrpcClientInterface: "UnsafeServiceClient", GrpcPackagePath: "github.com/opentdf/platform/protocol/go/policy/unsafe", diff --git a/sdk/sdk.go b/sdk/sdk.go index 2b9bbca965..01f2ae04d1 100644 --- a/sdk/sdk.go +++ b/sdk/sdk.go 
@@ -82,23 +82,24 @@ func setPackageLogger(logger *slog.Logger) { type SDK struct { config *kasKeyCache - conn *ConnectRPCConnection - tokenSource auth.AccessTokenSource - Actions sdkconnect.ActionServiceClient - Attributes sdkconnect.AttributesServiceClient - Authorization sdkconnect.AuthorizationServiceClient - AuthorizationV2 sdkconnect.AuthorizationServiceClientV2 - EntityResoution sdkconnect.EntityResolutionServiceClient - EntityResolutionV2 sdkconnect.EntityResolutionServiceClientV2 - KeyAccessServerRegistry sdkconnect.KeyAccessServerRegistryServiceClient - Namespaces sdkconnect.NamespaceServiceClient - Obligations sdkconnect.ObligationsServiceClient - RegisteredResources sdkconnect.RegisteredResourcesServiceClient - ResourceMapping sdkconnect.ResourceMappingServiceClient - SubjectMapping sdkconnect.SubjectMappingServiceClient - Unsafe sdkconnect.UnsafeServiceClient - KeyManagement sdkconnect.KeyManagementServiceClient - wellknownConfiguration sdkconnect.WellKnownServiceClient + conn *ConnectRPCConnection + tokenSource auth.AccessTokenSource + Actions sdkconnect.ActionServiceClient + Attributes sdkconnect.AttributesServiceClient + Authorization sdkconnect.AuthorizationServiceClient + AuthorizationV2 sdkconnect.AuthorizationServiceClientV2 + EntityResoution sdkconnect.EntityResolutionServiceClient + EntityResolutionV2 sdkconnect.EntityResolutionServiceClientV2 + KeyAccessServerRegistry sdkconnect.KeyAccessServerRegistryServiceClient + Namespaces sdkconnect.NamespaceServiceClient + Obligations sdkconnect.ObligationsServiceClient + RegisteredResources sdkconnect.RegisteredResourcesServiceClient + ResourceMapping sdkconnect.ResourceMappingServiceClient + SubjectMapping sdkconnect.SubjectMappingServiceClient + DynamicValueMapping sdkconnect.DynamicValueMappingServiceClient + Unsafe sdkconnect.UnsafeServiceClient + KeyManagement sdkconnect.KeyManagementServiceClient + wellknownConfiguration sdkconnect.WellKnownServiceClient } func New(platformEndpoint string, opts 
...Option) (*SDK, error) { 
@@ -218,25 +219,26 @@ func New(platformEndpoint string, opts ...Option) (*SDK, error) { } return &SDK{ - config: *cfg, - kasKeyCache: newKasKeyCache(), - conn: &ConnectRPCConnection{Client: platformConn.Client, Endpoint: platformConn.Endpoint, Options: platformConn.Options}, - tokenSource: accessTokenSource, - Actions: sdkconnect.NewActionServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - Attributes: sdkconnect.NewAttributesServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - Namespaces: sdkconnect.NewNamespaceServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - Obligations: sdkconnect.NewObligationsServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - RegisteredResources: sdkconnect.NewRegisteredResourcesServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - ResourceMapping: sdkconnect.NewResourceMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - SubjectMapping: sdkconnect.NewSubjectMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - Unsafe: sdkconnect.NewUnsafeServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - KeyAccessServerRegistry: sdkconnect.NewKeyAccessServerRegistryServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - Authorization: sdkconnect.NewAuthorizationServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - AuthorizationV2: sdkconnect.NewAuthorizationServiceClientV2ConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - EntityResoution: sdkconnect.NewEntityResolutionServiceClientConnectWrapper(ersConn.Client, ersConn.Endpoint, 
ersConn.Options...), - EntityResolutionV2: sdkconnect.NewEntityResolutionServiceClientV2ConnectWrapper(ersConn.Client, ersConn.Endpoint, ersConn.Options...), - KeyManagement: sdkconnect.NewKeyManagementServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), - wellknownConfiguration: sdkconnect.NewWellKnownServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + config: *cfg, + kasKeyCache: newKasKeyCache(), + conn: &ConnectRPCConnection{Client: platformConn.Client, Endpoint: platformConn.Endpoint, Options: platformConn.Options}, + tokenSource: accessTokenSource, + Actions: sdkconnect.NewActionServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + Attributes: sdkconnect.NewAttributesServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + Namespaces: sdkconnect.NewNamespaceServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + Obligations: sdkconnect.NewObligationsServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + RegisteredResources: sdkconnect.NewRegisteredResourcesServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + ResourceMapping: sdkconnect.NewResourceMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + SubjectMapping: sdkconnect.NewSubjectMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + DynamicValueMapping: sdkconnect.NewDynamicValueMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + Unsafe: sdkconnect.NewUnsafeServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + KeyAccessServerRegistry: 
sdkconnect.NewKeyAccessServerRegistryServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + Authorization: sdkconnect.NewAuthorizationServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + AuthorizationV2: sdkconnect.NewAuthorizationServiceClientV2ConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + EntityResoution: sdkconnect.NewEntityResolutionServiceClientConnectWrapper(ersConn.Client, ersConn.Endpoint, ersConn.Options...), + EntityResolutionV2: sdkconnect.NewEntityResolutionServiceClientV2ConnectWrapper(ersConn.Client, ersConn.Endpoint, ersConn.Options...), + KeyManagement: sdkconnect.NewKeyManagementServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), + wellknownConfiguration: sdkconnect.NewWellKnownServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...), }, nil } diff --git a/sdk/sdkconnect/dynamicvaluemapping.go b/sdk/sdkconnect/dynamicvaluemapping.go new file mode 100644 index 0000000000..7c74300686 --- /dev/null +++ b/sdk/sdkconnect/dynamicvaluemapping.go 
@@ -0,0 +1,70 @@ +// Wrapper for DynamicValueMappingServiceClient (generated code) DO NOT EDIT +package sdkconnect + +import ( + "connectrpc.com/connect" + "context" + "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping" + "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping/dynamicvaluemappingconnect" +) + +type DynamicValueMappingServiceClientConnectWrapper struct { + dynamicvaluemappingconnect.DynamicValueMappingServiceClient +} + +func NewDynamicValueMappingServiceClientConnectWrapper(httpClient connect.HTTPClient, baseURL string, opts ...connect.ClientOption) *DynamicValueMappingServiceClientConnectWrapper { + return &DynamicValueMappingServiceClientConnectWrapper{DynamicValueMappingServiceClient: dynamicvaluemappingconnect.NewDynamicValueMappingServiceClient(httpClient, baseURL, opts...)} +} + +type DynamicValueMappingServiceClient interface { + ListDynamicValueMappings(ctx context.Context, req *dynamicvaluemapping.ListDynamicValueMappingsRequest) (*dynamicvaluemapping.ListDynamicValueMappingsResponse, error) + GetDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.GetDynamicValueMappingRequest) (*dynamicvaluemapping.GetDynamicValueMappingResponse, error) + CreateDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.CreateDynamicValueMappingRequest) (*dynamicvaluemapping.CreateDynamicValueMappingResponse, error) + UpdateDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.UpdateDynamicValueMappingRequest) (*dynamicvaluemapping.UpdateDynamicValueMappingResponse, error) + DeleteDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.DeleteDynamicValueMappingRequest) (*dynamicvaluemapping.DeleteDynamicValueMappingResponse, error) +} + +func (w *DynamicValueMappingServiceClientConnectWrapper) ListDynamicValueMappings(ctx context.Context, req *dynamicvaluemapping.ListDynamicValueMappingsRequest) (*dynamicvaluemapping.ListDynamicValueMappingsResponse, error) { + // Wrap Connect RPC 
client request + res, err := w.DynamicValueMappingServiceClient.ListDynamicValueMappings(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +} + +func (w *DynamicValueMappingServiceClientConnectWrapper) GetDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.GetDynamicValueMappingRequest) (*dynamicvaluemapping.GetDynamicValueMappingResponse, error) { + // Wrap Connect RPC client request + res, err := w.DynamicValueMappingServiceClient.GetDynamicValueMapping(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +} + +func (w *DynamicValueMappingServiceClientConnectWrapper) CreateDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.CreateDynamicValueMappingRequest) (*dynamicvaluemapping.CreateDynamicValueMappingResponse, error) { + // Wrap Connect RPC client request + res, err := w.DynamicValueMappingServiceClient.CreateDynamicValueMapping(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +} + +func (w *DynamicValueMappingServiceClientConnectWrapper) UpdateDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.UpdateDynamicValueMappingRequest) (*dynamicvaluemapping.UpdateDynamicValueMappingResponse, error) { + // Wrap Connect RPC client request + res, err := w.DynamicValueMappingServiceClient.UpdateDynamicValueMapping(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +} + +func (w *DynamicValueMappingServiceClientConnectWrapper) DeleteDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.DeleteDynamicValueMappingRequest) (*dynamicvaluemapping.DeleteDynamicValueMappingResponse, error) { + // Wrap Connect RPC client request + res, err := w.DynamicValueMappingServiceClient.DeleteDynamicValueMapping(ctx, connect.NewRequest(req)) + if res == nil { + return nil, err + } + return res.Msg, err +} 
diff --git a/sdk/sdkconnect/subjectmapping.go b/sdk/sdkconnect/subjectmapping.go index a5b321fb19..90640a1d72 100644 --- a/sdk/sdkconnect/subjectmapping.go +++ b/sdk/sdkconnect/subjectmapping.go @@ -29,11 +29,6 @@ type SubjectMappingServiceClient interface { UpdateSubjectConditionSet(ctx context.Context, req *subjectmapping.UpdateSubjectConditionSetRequest) (*subjectmapping.UpdateSubjectConditionSetResponse, error) DeleteSubjectConditionSet(ctx context.Context, req *subjectmapping.DeleteSubjectConditionSetRequest) (*subjectmapping.DeleteSubjectConditionSetResponse, error) DeleteAllUnmappedSubjectConditionSets(ctx context.Context, req *subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest) (*subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse, error) - ListDefinitionValueEntitlementMappings(ctx context.Context, req *subjectmapping.ListDefinitionValueEntitlementMappingsRequest) (*subjectmapping.ListDefinitionValueEntitlementMappingsResponse, error) - GetDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.GetDefinitionValueEntitlementMappingRequest) (*subjectmapping.GetDefinitionValueEntitlementMappingResponse, error) - CreateDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.CreateDefinitionValueEntitlementMappingRequest) (*subjectmapping.CreateDefinitionValueEntitlementMappingResponse, error) - UpdateDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.UpdateDefinitionValueEntitlementMappingRequest) (*subjectmapping.UpdateDefinitionValueEntitlementMappingResponse, error) - DeleteDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.DeleteDefinitionValueEntitlementMappingRequest) (*subjectmapping.DeleteDefinitionValueEntitlementMappingResponse, error) } func (w *SubjectMappingServiceClientConnectWrapper) MatchSubjectMappings(ctx context.Context, req *subjectmapping.MatchSubjectMappingsRequest) (*subjectmapping.MatchSubjectMappingsResponse, error) { 
@@ -143,48 +138,3 @@ func (w *SubjectMappingServiceClientConnectWrapper) DeleteAllUnmappedSubjectCond } return res.Msg, err } - -func (w *SubjectMappingServiceClientConnectWrapper) ListDefinitionValueEntitlementMappings(ctx context.Context, req *subjectmapping.ListDefinitionValueEntitlementMappingsRequest) (*subjectmapping.ListDefinitionValueEntitlementMappingsResponse, error) { - // Wrap Connect RPC client request - res, err := w.SubjectMappingServiceClient.ListDefinitionValueEntitlementMappings(ctx, connect.NewRequest(req)) - if res == nil { - return nil, err - } - return res.Msg, err -} - -func (w *SubjectMappingServiceClientConnectWrapper) GetDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.GetDefinitionValueEntitlementMappingRequest) (*subjectmapping.GetDefinitionValueEntitlementMappingResponse, error) { - // Wrap Connect RPC client request - res, err := w.SubjectMappingServiceClient.GetDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) - if res == nil { - return nil, err - } - return res.Msg, err -} - -func (w *SubjectMappingServiceClientConnectWrapper) CreateDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.CreateDefinitionValueEntitlementMappingRequest) (*subjectmapping.CreateDefinitionValueEntitlementMappingResponse, error) { - // Wrap Connect RPC client request - res, err := w.SubjectMappingServiceClient.CreateDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) - if res == nil { - return nil, err - } - return res.Msg, err -} - -func (w *SubjectMappingServiceClientConnectWrapper) UpdateDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.UpdateDefinitionValueEntitlementMappingRequest) (*subjectmapping.UpdateDefinitionValueEntitlementMappingResponse, error) { - // Wrap Connect RPC client request - res, err := w.SubjectMappingServiceClient.UpdateDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) - if res == nil { - return nil, err - } - return 
res.Msg, err -} - -func (w *SubjectMappingServiceClientConnectWrapper) DeleteDefinitionValueEntitlementMapping(ctx context.Context, req *subjectmapping.DeleteDefinitionValueEntitlementMappingRequest) (*subjectmapping.DeleteDefinitionValueEntitlementMappingResponse, error) { - // Wrap Connect RPC client request - res, err := w.SubjectMappingServiceClient.DeleteDefinitionValueEntitlementMapping(ctx, connect.NewRequest(req)) - if res == nil { - return nil, err - } - return res.Msg, err -} diff --git a/service/authorization/v2/cache.go b/service/authorization/v2/cache.go index 66701d4a60..1fd9acb767 100644 --- a/service/authorization/v2/cache.go +++ b/service/authorization/v2/cache.go @@ -14,11 +14,11 @@ import ( ) const ( - attributesCacheKey = "attributes_cache_key" - subjectMappingsCacheKey = "subject_mappings_cache_key" - definitionValueEntitlementMappingsCacheKey = "definition_value_entitlement_mappings_cache_key" - registeredResourcesCacheKey = "registered_resources_cache_key" - obligationsCacheKey = "obligations_cache_key" + attributesCacheKey = "attributes_cache_key" + subjectMappingsCacheKey = "subject_mappings_cache_key" + dynamicValueMappingsCacheKey = "dynamic_value_mappings_cache_key" + registeredResourcesCacheKey = "registered_resources_cache_key" + obligationsCacheKey = "obligations_cache_key" ) var ( 
@@ -61,11 +61,11 @@ type EntitlementPolicyCache struct { // The EntitlementPolicy struct holds all the cached entitlement policy, as generics allow one // data type per service cache instance. type EntitlementPolicy struct { - Attributes []*policy.Attribute - SubjectMappings []*policy.SubjectMapping - DefinitionValueEntitlementMappings []*policy.DefinitionValueEntitlementMapping - RegisteredResources []*policy.RegisteredResource - Obligations []*policy.Obligation + Attributes []*policy.Attribute + SubjectMappings []*policy.SubjectMapping + DynamicValueMappings []*policy.DynamicValueMapping + RegisteredResources []*policy.RegisteredResource + Obligations []*policy.Obligation } // NewEntitlementPolicyCache holds a platform-provided cache client and manages a periodic refresh of @@ -180,7 +180,7 @@ func (c *EntitlementPolicyCache) Refresh(ctx context.Context) error { if err != nil { return err } - definitionValueEntitlementMappings, err := c.retriever.ListAllDefinitionValueEntitlementMappings(ctx) + dynamicValueMappings, err := c.retriever.ListAllDynamicValueMappings(ctx) if err != nil { return err } @@ -206,7 +206,7 @@ func (c *EntitlementPolicyCache) Refresh(ctx context.Context) error { return errors.Join(ErrFailedToSet, err) } - err = c.cacheClient.Set(ctx, definitionValueEntitlementMappingsCacheKey, definitionValueEntitlementMappings, authzCacheTags) + err = c.cacheClient.Set(ctx, dynamicValueMappingsCacheKey, dynamicValueMappings, authzCacheTags) if err != nil { c.isCacheFilled = false return errors.Join(ErrFailedToSet, err) 
@@ -282,22 +282,22 @@ func (c *EntitlementPolicyCache) ListAllSubjectMappings(ctx context.Context) ([] return subjectMappings, nil } -// ListAllDefinitionValueEntitlementMappings returns the cached dynamic value entitlement mappings, or none on a cache miss -func (c *EntitlementPolicyCache) ListAllDefinitionValueEntitlementMappings(ctx context.Context) ([]*policy.DefinitionValueEntitlementMapping, error) { +// ListAllDynamicValueMappings returns the cached dynamic value entitlement mappings, or none on a cache miss +func (c *EntitlementPolicyCache) ListAllDynamicValueMappings(ctx context.Context) ([]*policy.DynamicValueMapping, error) { var ( - mappings []*policy.DefinitionValueEntitlementMapping + mappings []*policy.DynamicValueMapping ok bool ) - cached, err := c.cacheClient.Get(ctx, definitionValueEntitlementMappingsCacheKey) + cached, err := c.cacheClient.Get(ctx, dynamicValueMappingsCacheKey) if err != nil { if errors.Is(err, cache.ErrCacheMiss) { return mappings, nil } - return nil, fmt.Errorf("%w, definition value entitlement mappings: %w", ErrFailedToGet, err) + return nil, fmt.Errorf("%w, dynamic value mappings: %w", ErrFailedToGet, err) } - mappings, ok = cached.([]*policy.DefinitionValueEntitlementMapping) + mappings, ok = cached.([]*policy.DynamicValueMapping) if !ok { return nil, fmt.Errorf("%w: %T", ErrCachedTypeNotExpected, cached) } diff --git a/service/integration/definition_value_entitlement_mappings_test.go b/service/integration/dynamic_value_mappings_test.go similarity index 67% rename from service/integration/definition_value_entitlement_mappings_test.go rename to service/integration/dynamic_value_mappings_test.go index 66c039ceea..5527a84d3a 100644 --- a/service/integration/definition_value_entitlement_mappings_test.go +++ b/service/integration/dynamic_value_mappings_test.go 
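Review bot: `ListAllDynamicValueMappings` returns a nil slice with a nil error on `cache.ErrCacheMiss`, so a caller cannot tell "no dynamic mappings are configured" from "the key is not in the cache", and the doc comment does not say how the decision path must treat that. Because these mappings feed entitlement decisions, the contract belongs in the comment, e.g. `// A cache miss yields (nil, nil); callers must treat an empty result as granting no dynamic entitlements.` Logging the miss would also make an absent key visible as something other than unexplained denials. The function continues past the end of the hunk, so its final return is not visible here.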
@@ -7,6 +7,7 @@ import ( "github.com/opentdf/platform/protocol/go/policy" "github.com/opentdf/platform/protocol/go/policy/attributes" + "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping" "github.com/opentdf/platform/protocol/go/policy/subjectmapping" "github.com/opentdf/platform/protocol/go/policy/unsafe" "github.com/opentdf/platform/service/internal/fixtures" @@ -14,7 +15,7 @@ import ( "github.com/stretchr/testify/suite" ) -type DefinitionValueEntitlementMappingsSuite struct { +type DynamicValueMappingsSuite struct { suite.Suite f fixtures.Fixtures db fixtures.DBInterface 
@@ -22,32 +23,32 @@ type DefinitionValueEntitlementMappingsSuite struct { ctx context.Context } -func (s *DefinitionValueEntitlementMappingsSuite) SetupSuite() { - slog.Info("setting up db.DefinitionValueEntitlementMappings test suite") +func (s *DynamicValueMappingsSuite) SetupSuite() { + slog.Info("setting up db.DynamicValueMappings test suite") s.ctx = context.Background() c := *Config - c.DB.Schema = "test_opentdf_def_value_entitlement_mappings" + c.DB.Schema = "test_opentdf_dynamic_value_mappings" s.db = fixtures.NewDBInterface(s.ctx, c) s.f = fixtures.NewFixture(s.db) s.f.Provision(s.ctx) } -func (s *DefinitionValueEntitlementMappingsSuite) TearDownSuite() { - slog.Info("tearing down db.DefinitionValueEntitlementMappings test suite") +func (s *DynamicValueMappingsSuite) TearDownSuite() { + slog.Info("tearing down db.DynamicValueMappings test suite") s.f.TearDown(s.ctx) } -func TestDefinitionValueEntitlementMappingsSuite(t *testing.T) { +func TestDynamicValueMappingsSuite(t *testing.T) { if testing.Short() { - t.Skip("skipping definition_value_entitlement_mappings integration tests") + t.Skip("skipping dynamic_value_mappings integration tests") } - suite.Run(t, new(DefinitionValueEntitlementMappingsSuite)) + suite.Run(t, new(DynamicValueMappingsSuite)) } -func (s *DefinitionValueEntitlementMappingsSuite) TestCreateAndGet() { +func (s *DynamicValueMappingsSuite) TestCreateAndGet() { attr := s.createDefinition("dvem_create_ok", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF) - created, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{ + created, err := s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{ AttributeDefinitionId: attr.GetId(), ValueResolver: s.resolver(".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN), Actions: []*policy.Action{s.readAction()}, 
@@ -55,7 +56,7 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestCreateAndGet() { s.Require().NoError(err) s.Require().NotEmpty(created.GetId()) - got, err := s.db.PolicyClient.GetDefinitionValueEntitlementMapping(s.ctx, created.GetId()) + got, err := s.db.PolicyClient.GetDynamicValueMapping(s.ctx, created.GetId()) s.Require().NoError(err) s.Equal(attr.GetId(), got.GetAttributeDefinition().GetId()) s.Equal(".patientAssignments[]", got.GetValueResolver().GetSubjectExternalSelectorValue()) @@ -64,10 +65,10 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestCreateAndGet() { s.Nil(got.GetSubjectConditionSet(), "optional static pre-gate omitted") } -func (s *DefinitionValueEntitlementMappingsSuite) TestCreateWithStaticGate() { +func (s *DynamicValueMappingsSuite) TestCreateWithStaticGate() { attr := s.createDefinition("dvem_create_gate", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF) - created, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{ + created, err := s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{ AttributeDefinitionId: attr.GetId(), ValueResolver: s.resolver(".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN), Actions: []*policy.Action{s.readAction()}, 
@@ -75,16 +76,16 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestCreateWithStaticGate() { }) s.Require().NoError(err) - got, err := s.db.PolicyClient.GetDefinitionValueEntitlementMapping(s.ctx, created.GetId()) + got, err := s.db.PolicyClient.GetDynamicValueMapping(s.ctx, created.GetId()) s.Require().NoError(err) s.Require().NotNil(got.GetSubjectConditionSet(), "static pre-gate should be hydrated") s.NotEmpty(got.GetSubjectConditionSet().GetSubjectSets()) } -func (s *DefinitionValueEntitlementMappingsSuite) TestRejectsHierarchyDefinition() { +func (s *DynamicValueMappingsSuite) TestRejectsHierarchyDefinition() { attr := s.createDefinition("dvem_hierarchy", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY) - _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{ + _, err := s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{ AttributeDefinitionId: attr.GetId(), ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN), Actions: []*policy.Action{s.readAction()}, @@ -92,7 +93,7 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestRejectsHierarchyDefinition s.Require().Error(err, "HIERARCHY definitions must be rejected") } -func (s *DefinitionValueEntitlementMappingsSuite) TestNoCoexistence_SubjectMappingThenDynamic() { +func (s *DynamicValueMappingsSuite) TestNoCoexistence_SubjectMappingThenDynamic() { attr := s.createDefinition("dvem_coexist_fwd", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF) val, err := s.db.PolicyClient.CreateAttributeValue(s.ctx, attr.GetId(), &attributes.CreateAttributeValueRequest{Value: "v1"}) s.Require().NoError(err) 
@@ -105,7 +106,7 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestNoCoexistence_SubjectMappi s.Require().NoError(err) // definition now has a value-level subject mapping; a dynamic mapping must be rejected - _, err = s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{ + _, err = s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{ AttributeDefinitionId: attr.GetId(), ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN), Actions: []*policy.Action{s.readAction()}, @@ -113,10 +114,10 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestNoCoexistence_SubjectMappi s.Require().Error(err, "dynamic mapping must not coexist with value-level subject mappings") } -func (s *DefinitionValueEntitlementMappingsSuite) TestNoCoexistence_DynamicThenSubjectMapping() { +func (s *DynamicValueMappingsSuite) TestNoCoexistence_DynamicThenSubjectMapping() { attr := s.createDefinition("dvem_coexist_rev", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF) - _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{ + _, err := s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{ AttributeDefinitionId: attr.GetId(), ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN), Actions: []*policy.Action{s.readAction()}, 
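Review bot: The negative tests around the renamed `CreateDynamicValueMapping` call assert only `s.Require().Error(err, ...)`, so any failure satisfies them, including one unrelated to the guard under test (for example, a request that stops validating after the move to the `dynamicvaluemapping` request types). These tests pin authorization invariants: no coexistence with value-level subject mappings here, and HIERARCHY rejection in `TestRejectsHierarchyDefinition` and `TestRejectsRuleChangeToHierarchy`. They should check the specific error, e.g. `s.Require().ErrorIs(err, <expected sentinel error>)`, using whichever sentinel the policy DB layer returns for each guard. The test bodies start and end outside these hunks.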
@@ -135,10 +136,10 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestNoCoexistence_DynamicThenS s.Require().Error(err, "value-level subject mapping must not coexist with a dynamic mapping") } -func (s *DefinitionValueEntitlementMappingsSuite) TestRejectsRuleChangeToHierarchy() { +func (s *DynamicValueMappingsSuite) TestRejectsRuleChangeToHierarchy() { attr := s.createDefinition("dvem_rule_guard", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF) - _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{ + _, err := s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{ AttributeDefinitionId: attr.GetId(), ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN), Actions: []*policy.Action{s.readAction()}, 
@@ -152,17 +153,17 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestRejectsRuleChangeToHierarc s.Require().Error(err, "changing the rule to HIERARCHY must be rejected when a dynamic mapping exists") } -func (s *DefinitionValueEntitlementMappingsSuite) TestUpdateAndDelete() { +func (s *DynamicValueMappingsSuite) TestUpdateAndDelete() { attr := s.createDefinition("dvem_update_delete", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF) - created, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{ + created, err := s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{ AttributeDefinitionId: attr.GetId(), ValueResolver: s.resolver(".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN), Actions: []*policy.Action{s.readAction()}, }) s.Require().NoError(err) - updated, err := s.db.PolicyClient.UpdateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.UpdateDefinitionValueEntitlementMappingRequest{ + updated, err := s.db.PolicyClient.UpdateDynamicValueMapping(s.ctx, &dynamicvaluemapping.UpdateDynamicValueMappingRequest{ Id: created.GetId(), ValueResolver: s.resolver(".accounts[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS), }) 
@@ -170,33 +171,33 @@ func (s *DefinitionValueEntitlementMappingsSuite) TestUpdateAndDelete() { s.Equal(".accounts[]", updated.GetValueResolver().GetSubjectExternalSelectorValue()) s.Equal(policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS, updated.GetValueResolver().GetOperator()) - _, err = s.db.PolicyClient.DeleteDefinitionValueEntitlementMapping(s.ctx, created.GetId()) + _, err = s.db.PolicyClient.DeleteDynamicValueMapping(s.ctx, created.GetId()) s.Require().NoError(err) - _, err = s.db.PolicyClient.GetDefinitionValueEntitlementMapping(s.ctx, created.GetId()) + _, err = s.db.PolicyClient.GetDynamicValueMapping(s.ctx, created.GetId()) s.Require().Error(err, "mapping should be gone after delete") } -func (s *DefinitionValueEntitlementMappingsSuite) TestListByDefinition() { +func (s *DynamicValueMappingsSuite) TestListByDefinition() { attr := s.createDefinition("dvem_list", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF) - _, err := s.db.PolicyClient.CreateDefinitionValueEntitlementMapping(s.ctx, &subjectmapping.CreateDefinitionValueEntitlementMappingRequest{ + _, err := s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{ AttributeDefinitionId: attr.GetId(), ValueResolver: s.resolver(".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN), Actions: []*policy.Action{s.readAction()}, }) s.Require().NoError(err) - resp, err := s.db.PolicyClient.ListDefinitionValueEntitlementMappings(s.ctx, &subjectmapping.ListDefinitionValueEntitlementMappingsRequest{ + resp, err := s.db.PolicyClient.ListDynamicValueMappings(s.ctx, &dynamicvaluemapping.ListDynamicValueMappingsRequest{ AttributeDefinitionId: attr.GetId(), }) s.Require().NoError(err) - s.Require().Len(resp.GetDefinitionValueEntitlementMappings(), 1) - s.Equal(attr.GetId(), resp.GetDefinitionValueEntitlementMappings()[0].GetAttributeDefinition().GetId()) + 
s.Require().Len(resp.GetDynamicValueMappings(), 1) + s.Equal(attr.GetId(), resp.GetDynamicValueMappings()[0].GetAttributeDefinition().GetId()) } // createDefinition makes a fresh attribute under the example.com namespace with no values // or subject mappings, so each test controls its own coexistence state. -func (s *DefinitionValueEntitlementMappingsSuite) createDefinition(name string, rule policy.AttributeRuleTypeEnum) *policy.Attribute { +func (s *DynamicValueMappingsSuite) createDefinition(name string, rule policy.AttributeRuleTypeEnum) *policy.Attribute { nsID := s.f.GetNamespaceKey("example.com").ID attr, err := s.db.PolicyClient.CreateAttribute(s.ctx, &attributes.CreateAttributeRequest{ Name: name, @@ -208,18 +209,18 @@ func (s *DefinitionValueEntitlementMappingsSuite) createDefinition(name string, return attr } -func (s *DefinitionValueEntitlementMappingsSuite) readAction() *policy.Action { +func (s *DynamicValueMappingsSuite) readAction() *policy.Action { return s.f.GetStandardAction(policydb.ActionRead.String()) } -func (s *DefinitionValueEntitlementMappingsSuite) resolver(selector string, op policy.DynamicValueOperatorEnum) *policy.DefinitionValueResolver { - return &policy.DefinitionValueResolver{ +func (s *DynamicValueMappingsSuite) resolver(selector string, op policy.DynamicValueOperatorEnum) *policy.DynamicValueResolver { + return &policy.DynamicValueResolver{ SubjectExternalSelectorValue: selector, Operator: op, } } -func (s *DefinitionValueEntitlementMappingsSuite) sampleSCSCreate() *subjectmapping.SubjectConditionSetCreate { +func (s *DynamicValueMappingsSuite) sampleSCSCreate() *subjectmapping.SubjectConditionSetCreate { return &subjectmapping.SubjectConditionSetCreate{ SubjectSets: []*policy.SubjectSet{{ ConditionGroups: []*policy.ConditionGroup{{ diff --git a/service/internal/access/v2/helpers.go b/service/internal/access/v2/helpers.go index 33ccbe0910..2df99356de 100644 --- a/service/internal/access/v2/helpers.go 
+++ b/service/internal/access/v2/helpers.go @@ -18,11 +18,11 @@ import ( ) var ( - ErrInvalidSubjectMapping = errors.New("access: invalid subject mapping") - ErrInvalidAttributeDefinition = errors.New("access: invalid attribute definition") - ErrInvalidRegisteredResource = errors.New("access: invalid registered resource") - ErrInvalidRegisteredResourceValue = errors.New("access: invalid registered resource value") - ErrInvalidDefinitionValueEntitlementMapping = errors.New("access: invalid definition value entitlement mapping") + ErrInvalidSubjectMapping = errors.New("access: invalid subject mapping") + ErrInvalidAttributeDefinition = errors.New("access: invalid attribute definition") + ErrInvalidRegisteredResource = errors.New("access: invalid registered resource") + ErrInvalidRegisteredResourceValue = errors.New("access: invalid registered resource value") + ErrInvalidDynamicValueMapping = errors.New("access: invalid dynamic value mapping") ) // getDefinition parses the value FQN and uses it to retrieve the definition from the provided definitions map @@ -200,7 +200,7 @@ func getResourceDecisionableAttributes( // this is needed to support direct entitlement ad-hoc attribute values entitleableAttributesByDefinitionFQN map[string]*policy.Attribute, // definitions carrying a dynamic value entitlement mapping also support synthetic values - dynamicMappingsByDefinitionFQN subjectmappingbuiltin.DefinitionValueEntitlementMappingsByDefinitionFQN, + dynamicMappingsByDefinitionFQN subjectmappingbuiltin.DynamicValueMappingsByDefinitionFQN, // action *policy.Action, resources []*authz.Resource, allowDirectEntitlements bool, diff --git a/service/internal/access/v2/just_in_time_pdp.go b/service/internal/access/v2/just_in_time_pdp.go index e24590e8a7..336b5835e3 100644 --- a/service/internal/access/v2/just_in_time_pdp.go +++ b/service/internal/access/v2/just_in_time_pdp.go 
@@ -91,12 +91,12 @@ func NewJustInTimePDP( if err != nil { return nil, fmt.Errorf("failed to fetch all obligations: %w", err) } - allDefinitionValueEntitlementMappings, err := store.ListAllDefinitionValueEntitlementMappings(ctx) + allDynamicValueMappings, err := store.ListAllDynamicValueMappings(ctx) if err != nil { - return nil, fmt.Errorf("failed to fetch all definition value entitlement mappings: %w", err) + return nil, fmt.Errorf("failed to fetch all dynamic value mappings: %w", err) } - pdp, err := NewPolicyDecisionPointWithDefinitionValueEntitlementMappings(ctx, log, allAttributes, allSubjectMappings, allDefinitionValueEntitlementMappings, allRegisteredResources, allowDirectEntitlements, namespacedPolicy) + pdp, err := NewPolicyDecisionPointWithDynamicValueMappings(ctx, log, allAttributes, allSubjectMappings, allDynamicValueMappings, allRegisteredResources, allowDirectEntitlements, namespacedPolicy) if err != nil { return nil, fmt.Errorf("failed to create new policy decision point: %w", err) } diff --git a/service/internal/access/v2/pdp.go b/service/internal/access/v2/pdp.go index 71d2cec80a..cb801bad0b 100644 --- a/service/internal/access/v2/pdp.go +++ b/service/internal/access/v2/pdp.go @@ -61,7 +61,7 @@ type PolicyDecisionPoint struct { allEntitleableAttributesByValueFQN map[string]*attrs.GetAttributeValuesByFqnsResponse_AttributeAndValue allRegisteredResourceValuesByFQN map[string]*policy.RegisteredResourceValue allAttributesByDefinitionFQN map[string]*policy.Attribute - dynamicMappingsByDefinitionFQN subjectmappingbuiltin.DefinitionValueEntitlementMappingsByDefinitionFQN + dynamicMappingsByDefinitionFQN subjectmappingbuiltin.DynamicValueMappingsByDefinitionFQN allowDirectEntitlements bool namespacedPolicy bool } 
@@ -87,7 +87,7 @@ func NewPolicyDecisionPoint( allowDirectEntitlements bool, namespacedPolicy bool, ) (*PolicyDecisionPoint, error) { - return NewPolicyDecisionPointWithDefinitionValueEntitlementMappings( + return NewPolicyDecisionPointWithDynamicValueMappings( ctx, l, allAttributeDefinitions, @@ -99,15 +99,15 @@ func NewPolicyDecisionPoint( ) } -// NewPolicyDecisionPointWithDefinitionValueEntitlementMappings is NewPolicyDecisionPoint +// NewPolicyDecisionPointWithDynamicValueMappings is NewPolicyDecisionPoint // plus the dynamic, definition-level value entitlement mappings (DSPX-2754). The mappings // argument may be nil/empty when the feature is unused. -func NewPolicyDecisionPointWithDefinitionValueEntitlementMappings( +func NewPolicyDecisionPointWithDynamicValueMappings( ctx context.Context, l *logger.Logger, allAttributeDefinitions []*policy.Attribute, allSubjectMappings []*policy.SubjectMapping, - allDefinitionValueEntitlementMappings []*policy.DefinitionValueEntitlementMapping, + allDynamicValueMappings []*policy.DynamicValueMapping, allRegisteredResources []*policy.RegisteredResource, allowDirectEntitlements bool, namespacedPolicy bool, 
@@ -186,12 +186,12 @@ func NewPolicyDecisionPointWithDefinitionValueEntitlementMappings( allEntitleableAttributesByValueFQN[mappedValueFQN] = mapped } - dynamicMappingsByDefinitionFQN := make(subjectmappingbuiltin.DefinitionValueEntitlementMappingsByDefinitionFQN) - for _, mapping := range allDefinitionValueEntitlementMappings { - if err := validateDefinitionValueEntitlementMapping(mapping); err != nil { + dynamicMappingsByDefinitionFQN := make(subjectmappingbuiltin.DynamicValueMappingsByDefinitionFQN) + for _, mapping := range allDynamicValueMappings { + if err := validateDynamicValueMapping(mapping); err != nil { l.WarnContext(ctx, - "invalid definition value entitlement mapping - skipping", - slog.Any("definition_value_entitlement_mapping", mapping), + "invalid dynamic value mapping - skipping", + slog.Any("dynamic_value_mapping", mapping), slog.Any("error", err), ) continue @@ -201,9 +201,9 @@ func NewPolicyDecisionPointWithDefinitionValueEntitlementMappings( ns := mapping.GetNamespace() if ns == nil || (ns.GetId() == "" && ns.GetFqn() == "") { l.TraceContext(ctx, - "unnamespaced definition value entitlement mapping in strict namespaced-policy mode - skipping", - slog.String("reason", "definition_value_entitlement_mapping_namespace_missing"), - slog.String("definition_value_entitlement_mapping_id", mapping.GetId()), + "unnamespaced dynamic value mapping in strict namespaced-policy mode - skipping", + slog.String("reason", "dynamic_value_mapping_namespace_missing"), + slog.String("dynamic_value_mapping_id", mapping.GetId()), slog.String("attribute_definition_fqn", mapping.GetAttributeDefinition().GetFqn()), ) continue 
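Review bot: In pdp.go the strict namespaced-policy skip (the hunk at `@@ -201,9 +201,9 @@`) logs through `l.TraceContext`, while the invalid-mapping and unknown-definition skips in the neighbouring hunks use `l.WarnContext`. A dropped dynamic mapping removes entitlements, so it surfaces only as denied decisions, and those are hard to diagnose when the reason is recorded only at trace level. Unless this deliberately mirrors how unnamespaced subject mappings are handled elsewhere in the constructor (not visible here), consider `l.DebugContext` or `l.WarnContext` for this branch as well. The enclosing loop in `NewPolicyDecisionPointWithDynamicValueMappings` begins and ends outside these hunks.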
@@ -213,8 +213,8 @@ func NewPolicyDecisionPointWithDefinitionValueEntitlementMappings( definitionFQN := mapping.GetAttributeDefinition().GetFqn() if _, ok := allAttributesByDefinitionFQN[definitionFQN]; !ok { l.WarnContext(ctx, - "definition value entitlement mapping references unknown attribute definition - skipping", - slog.String("definition_value_entitlement_mapping_id", mapping.GetId()), + "dynamic value mapping references unknown attribute definition - skipping", + slog.String("dynamic_value_mapping_id", mapping.GetId()), slog.String("attribute_definition_fqn", definitionFQN), ) continue @@ -369,19 +369,19 @@ func (p *PolicyDecisionPoint) GetDecision( // Evaluate dynamic, definition-level value entitlement mappings (DSPX-2754) and merge // their results into the entitled FQNs before rule evaluation. if len(p.dynamicMappingsByDefinitionFQN) > 0 { - dynamicEntitledFQNsToActions, err := subjectmappingbuiltin.EvaluateDefinitionValueEntitlementMappingsWithActions( + dynamicEntitledFQNsToActions, err := subjectmappingbuiltin.EvaluateDynamicValueMappingsWithActions( p.dynamicMappingsByDefinitionFQN, decisionableAttributes, entityRepresentation, l.Logger, ) if err != nil { - return nil, nil, fmt.Errorf("error evaluating definition value entitlement mappings: %w", err) + return nil, nil, fmt.Errorf("error evaluating dynamic value mappings: %w", err) } for fqn, actions := range dynamicEntitledFQNsToActions { entitledFQNsToActions[fqn] = append(entitledFQNsToActions[fqn], actions...) } - l.DebugContext(ctx, "evaluated definition value entitlement mappings", slog.Any("dynamic_entitled_value_fqns_to_actions", dynamicEntitledFQNsToActions)) + l.DebugContext(ctx, "evaluated dynamic value mappings", slog.Any("dynamic_entitled_value_fqns_to_actions", dynamicEntitledFQNsToActions)) } decision := &Decision{ diff --git a/service/internal/access/v2/pdp_dynamic_test.go b/service/internal/access/v2/pdp_dynamic_test.go index 0244c777eb..58e4816324 100644 
--- a/service/internal/access/v2/pdp_dynamic_test.go +++ b/service/internal/access/v2/pdp_dynamic_test.go @@ -5,11 +5,11 @@ import ( "github.com/opentdf/platform/protocol/go/policy" ) -// Test_GetDecision_DefinitionValueEntitlementMapping_MultiValue exercises the full +// Test_GetDecision_DynamicValueMapping_MultiValue exercises the full // GetDecision path for dynamic, definition-level value entitlement (DSPX-2754), focused on // the multi-value rule semantics: a single resource carries two dynamic values under one // definition while the entity is entitled to only one. ANY_OF should permit, ALL_OF deny. -func (s *PDPTestSuite) Test_GetDecision_DefinitionValueEntitlementMapping_MultiValue() { +func (s *PDPTestSuite) Test_GetDecision_DynamicValueMapping_MultiValue() { const ns = "hospital.co" defFQN := createAttrFQN(ns, "mrn") v123 := createAttrValueFQN(ns, "mrn", "mrn-123") @@ -23,21 +23,21 @@ func (s *PDPTestSuite) Test_GetDecision_DefinitionValueEntitlementMapping_MultiV Rule: rule, Namespace: namespace, } - mapping := &policy.DefinitionValueEntitlementMapping{ + mapping := &policy.DynamicValueMapping{ AttributeDefinition: attr, - ValueResolver: &policy.DefinitionValueResolver{ + ValueResolver: &policy.DynamicValueResolver{ SubjectExternalSelectorValue: ".properties.patientAssignments[]", Operator: policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN, }, Actions: []*policy.Action{testActionRead}, Namespace: namespace, } - pdp, err := NewPolicyDecisionPointWithDefinitionValueEntitlementMappings( + pdp, err := NewPolicyDecisionPointWithDynamicValueMappings( s.T().Context(), s.logger, []*policy.Attribute{attr}, []*policy.SubjectMapping{}, - []*policy.DefinitionValueEntitlementMapping{mapping}, + []*policy.DynamicValueMapping{mapping}, nil, false, // allowDirectEntitlements: dynamic mappings synthesize values on their own false, // namespacedPolicy 
diff --git a/service/internal/access/v2/policy_store.go b/service/internal/access/v2/policy_store.go index 038ef87460..8cd71b78ac 100644 --- a/service/internal/access/v2/policy_store.go +++ b/service/internal/access/v2/policy_store.go @@ -7,6 +7,7 @@ import ( "github.com/opentdf/platform/protocol/go/common" "github.com/opentdf/platform/protocol/go/policy" attrs "github.com/opentdf/platform/protocol/go/policy/attributes" + "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping" "github.com/opentdf/platform/protocol/go/policy/obligations" "github.com/opentdf/platform/protocol/go/policy/registeredresources" "github.com/opentdf/platform/protocol/go/policy/subjectmapping" @@ -17,7 +18,7 @@ import ( type EntitlementPolicyStore interface { ListAllAttributes(ctx context.Context) ([]*policy.Attribute, error) ListAllSubjectMappings(ctx context.Context) ([]*policy.SubjectMapping, error) - ListAllDefinitionValueEntitlementMappings(ctx context.Context) ([]*policy.DefinitionValueEntitlementMapping, error) + ListAllDynamicValueMappings(ctx context.Context) ([]*policy.DynamicValueMapping, error) ListAllRegisteredResources(ctx context.Context) ([]*policy.RegisteredResource, error) ListAllObligations(ctx context.Context) ([]*policy.Obligation, error) IsEnabled() bool 
@@ -25,11 +26,11 @@ type EntitlementPolicyStore interface { } var ( - ErrFailedToFetchAttributes = errors.New("failed to fetch attributes from policy service") - ErrFailedToFetchSubjectMappings = errors.New("failed to fetch subject mappings from policy service") - ErrFailedToFetchDefinitionValueEntitlementMappings = errors.New("failed to fetch definition value entitlement mappings from policy service") - ErrFailedToFetchRegisteredResources = errors.New("failed to fetch registered resources from policy service") - ErrFailedToFetchObligations = errors.New("failed to fetch obligations from policy service") + ErrFailedToFetchAttributes = errors.New("failed to fetch attributes from policy service") + ErrFailedToFetchSubjectMappings = errors.New("failed to fetch subject mappings from policy service") + ErrFailedToFetchDynamicValueMappings = errors.New("failed to fetch dynamic value mappings from policy service") + ErrFailedToFetchRegisteredResources = errors.New("failed to fetch registered resources from policy service") + ErrFailedToFetchObligations = errors.New("failed to fetch obligations from policy service") ) // EntitlementPolicyRetriever satisfies the EntitlementPolicyStore interface and fetches fresh 
@@ -105,24 +106,24 @@ func (p *EntitlementPolicyRetriever) ListAllSubjectMappings(ctx context.Context) return smList, nil } -func (p *EntitlementPolicyRetriever) ListAllDefinitionValueEntitlementMappings(ctx context.Context) ([]*policy.DefinitionValueEntitlementMapping, error) { +func (p *EntitlementPolicyRetriever) ListAllDynamicValueMappings(ctx context.Context) ([]*policy.DynamicValueMapping, error) { // If quantity exceeds maximum list pagination, all are needed to determine entitlements var nextOffset int32 - mappingsList := make([]*policy.DefinitionValueEntitlementMapping, 0) + mappingsList := make([]*policy.DynamicValueMapping, 0) for { - listed, err := p.SDK.SubjectMapping.ListDefinitionValueEntitlementMappings(ctx, &subjectmapping.ListDefinitionValueEntitlementMappingsRequest{ + listed, err := p.SDK.DynamicValueMapping.ListDynamicValueMappings(ctx, &dynamicvaluemapping.ListDynamicValueMappingsRequest{ // defer to service default for limit pagination Pagination: &policy.PageRequest{ Offset: nextOffset, }, }) if err != nil { - return nil, errors.Join(ErrFailedToFetchDefinitionValueEntitlementMappings, err) + return nil, errors.Join(ErrFailedToFetchDynamicValueMappings, err) } nextOffset = listed.GetPagination().GetNextOffset() - mappingsList = append(mappingsList, listed.GetDefinitionValueEntitlementMappings()...) + mappingsList = append(mappingsList, listed.GetDynamicValueMappings()...) if nextOffset <= 0 { break diff --git a/service/internal/access/v2/validators.go b/service/internal/access/v2/validators.go index 08f5b68c48..5910a95ace 100644 --- a/service/internal/access/v2/validators.go +++ b/service/internal/access/v2/validators.go @@ -127,7 +127,7 @@ func validateAttribute(attribute *policy.Attribute) error { return nil } -// validateDefinitionValueEntitlementMapping validates a dynamic value entitlement mapping +// validateDynamicValueMapping validates a dynamic value entitlement mapping // is usable for an entitlement decision. // // mapping: 
@@ -137,26 +137,26 @@ func validateAttribute(attribute *policy.Attribute) error { // - the definition must not be HIERARCHY (ordered static values are incompatible) // - must have a value resolver with a selector and a specified operator // - must have at least one action -func validateDefinitionValueEntitlementMapping(mapping *policy.DefinitionValueEntitlementMapping) error { +func validateDynamicValueMapping(mapping *policy.DynamicValueMapping) error { if mapping == nil { - return fmt.Errorf("definition value entitlement mapping is nil: %w", ErrInvalidDefinitionValueEntitlementMapping) + return fmt.Errorf("dynamic value mapping is nil: %w", ErrInvalidDynamicValueMapping) } def := mapping.GetAttributeDefinition() if def == nil || def.GetFqn() == "" { - return fmt.Errorf("mapping's attribute definition is missing: %w", ErrInvalidDefinitionValueEntitlementMapping) + return fmt.Errorf("mapping's attribute definition is missing: %w", ErrInvalidDynamicValueMapping) } if def.GetRule() == policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY { - return fmt.Errorf("HIERARCHY definitions are not supported for dynamic value entitlement: %w", ErrInvalidDefinitionValueEntitlementMapping) + return fmt.Errorf("HIERARCHY definitions are not supported for dynamic value entitlement: %w", ErrInvalidDynamicValueMapping) } resolver := mapping.GetValueResolver() if resolver == nil || resolver.GetSubjectExternalSelectorValue() == "" { - return fmt.Errorf("mapping's value resolver selector is empty: %w", ErrInvalidDefinitionValueEntitlementMapping) + return fmt.Errorf("mapping's value resolver selector is empty: %w", ErrInvalidDynamicValueMapping) } if resolver.GetOperator() == policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED { - return fmt.Errorf("mapping's value resolver operator is unspecified: %w", ErrInvalidDefinitionValueEntitlementMapping) + return fmt.Errorf("mapping's value resolver operator is unspecified: %w", ErrInvalidDynamicValueMapping) } 
if len(mapping.GetActions()) == 0 { - return fmt.Errorf("mapping's actions are empty: %w", ErrInvalidDefinitionValueEntitlementMapping) + return fmt.Errorf("mapping's actions are empty: %w", ErrInvalidDynamicValueMapping) } return nil } diff --git a/service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go b/service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin.go similarity index 85% rename from service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go rename to service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin.go index 210e30818a..8c3b8eccc3 100644 --- a/service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go +++ b/service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin.go @@ -13,11 +13,11 @@ import ( "github.com/opentdf/platform/protocol/go/policy/attributes" ) -// DefinitionValueEntitlementMappingsByDefinitionFQN indexes dynamic mappings by their +// DynamicValueMappingsByDefinitionFQN indexes dynamic mappings by their // parent attribute definition FQN for O(1) lookup during decisioning. -type DefinitionValueEntitlementMappingsByDefinitionFQN map[string][]*policy.DefinitionValueEntitlementMapping +type DynamicValueMappingsByDefinitionFQN map[string][]*policy.DynamicValueMapping -// EvaluateDefinitionValueEntitlementMappingsWithActions resolves the dynamic, definition +// EvaluateDynamicValueMappingsWithActions resolves the dynamic, definition // level entitlement mappings for the resources under evaluation. For each decisionable // attribute value it finds the mappings on the value's parent definition, runs the // optional static SubjectConditionSet gate, then compares the requested resource value 
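Review bot: In `validateDynamicValueMapping` (validators.go) the operator check rejects only `DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED`, so a mapping whose operator number this build does not define still passes validation and is indexed for decisioning. How `evaluateValueResolver` treats such an operator is not visible in this hunk, so the validator is the safer place to fail closed: `if _, ok := policy.DynamicValueOperatorEnum_name[int32(resolver.GetOperator())]; !ok { return fmt.Errorf("mapping's value resolver operator is unknown: %w", ErrInvalidDynamicValueMapping) }`. The `len(mapping.GetActions()) == 0` check likewise accepts a slice holding only nil entries; rejecting nil actions here would keep them out of the entitled-actions merge in `GetDecision`.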
@@ -26,8 +26,8 @@ type DefinitionValueEntitlementMappingsByDefinitionFQN map[string][]*policy.Defi // // The output shape matches EvaluateSubjectMappingsWithActions so the PDP can merge the // two results uniformly before rule evaluation. -func EvaluateDefinitionValueEntitlementMappingsWithActions( - mappingsByDefinitionFQN DefinitionValueEntitlementMappingsByDefinitionFQN, +func EvaluateDynamicValueMappingsWithActions( + mappingsByDefinitionFQN DynamicValueMappingsByDefinitionFQN, decisionableAttributes map[string]*attributes.GetAttributeValuesByFqnsResponse_AttributeAndValue, entityRepresentation *entityresolutionV2.EntityRepresentation, l *slog.Logger, @@ -57,7 +57,7 @@ func EvaluateDefinitionValueEntitlementMappingsWithActions( // mappings on the same definition are OR-ed together for _, mapping := range mappings { - matched, err := evaluateDefinitionValueEntitlementMapping(mapping, flattenedEntity, segment) + matched, err := evaluateDynamicValueMapping(mapping, flattenedEntity, segment) if err != nil { return nil, err } @@ -78,10 +78,10 @@ func EvaluateDefinitionValueEntitlementMappingsWithActions( return entitlementsSet, nil } -// evaluateDefinitionValueEntitlementMapping returns true when the optional static gate +// evaluateDynamicValueMapping returns true when the optional static gate // passes (if present) AND the dynamic resolver matches the resource value segment. -func evaluateDefinitionValueEntitlementMapping( - mapping *policy.DefinitionValueEntitlementMapping, +func evaluateDynamicValueMapping( + mapping *policy.DynamicValueMapping, entity flattening.Flattened, segment string, ) (bool, error) { 
@@ -102,7 +102,7 @@ func evaluateDefinitionValueEntitlementMapping( // evaluateValueResolver compares the resource value segment against the entity values // resolved by the selector, applying the dynamic operator. Both sides are canonicalized // (lowercased + trimmed) so external systems that disagree with policy on case still match. -func evaluateValueResolver(resolver *policy.DefinitionValueResolver, entity flattening.Flattened, segment string) (bool, error) { +func evaluateValueResolver(resolver *policy.DynamicValueResolver, entity flattening.Flattened, segment string) (bool, error) { selector := resolver.GetSubjectExternalSelectorValue() entityValues := flattening.GetFromFlattened(entity, selector) target := canonicalizeValueSegment(segment) diff --git a/service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin_test.go b/service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin_test.go similarity index 68% rename from service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin_test.go rename to service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin_test.go index 2dbe256e85..b178a4f2f3 100644 --- a/service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin_test.go +++ b/service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin_test.go 
@@ -47,10 +47,10 @@ func dvemDecisionable(defFQN, valueFQN, segment string) map[string]*attributes.G } } -func dvemMapping(defFQN, selector string, op policy.DynamicValueOperatorEnum, scs *policy.SubjectConditionSet, actionNames ...string) *policy.DefinitionValueEntitlementMapping { - return &policy.DefinitionValueEntitlementMapping{ +func dvemMapping(defFQN, selector string, op policy.DynamicValueOperatorEnum, scs *policy.SubjectConditionSet, actionNames ...string) *policy.DynamicValueMapping { + return &policy.DynamicValueMapping{ AttributeDefinition: &policy.Attribute{Fqn: defFQN}, - ValueResolver: &policy.DefinitionValueResolver{ + ValueResolver: &policy.DynamicValueResolver{ SubjectExternalSelectorValue: selector, Operator: op, }, @@ -59,9 +59,9 @@ func dvemMapping(defFQN, selector string, op policy.DynamicValueOperatorEnum, sc } } -// TestEvaluateDefinitionValueEntitlementMappings_MRNExample replays the ADR#266 worked +// TestEvaluateDynamicValueMappings_MRNExample replays the ADR#266 worked // example (patient / provider / nurse) against the production evaluator. -func TestEvaluateDefinitionValueEntitlementMappings_MRNExample(t *testing.T) { +func TestEvaluateDynamicValueMappings_MRNExample(t *testing.T) { const def = "https://hospital.co/attr/mrn" const valueFQN = "https://hospital.co/attr/mrn/value/mrn-123" 
@@ -81,9 +81,9 @@ func TestEvaluateDefinitionValueEntitlementMappings_MRNExample(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { mapping := dvemMapping(def, tc.selector, policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN, nil, tc.acts...) - byDef := DefinitionValueEntitlementMappingsByDefinitionFQN{def: {mapping}} + byDef := DynamicValueMappingsByDefinitionFQN{def: {mapping}} - got, err := EvaluateDefinitionValueEntitlementMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, tc.props), slog.Default()) + got, err := EvaluateDynamicValueMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, tc.props), slog.Default()) require.NoError(t, err) if tc.wantMatch { assert.ElementsMatch(t, tc.acts, dvemActionNames(got[valueFQN])) 
@@ -94,34 +94,34 @@ func TestEvaluateDefinitionValueEntitlementMappings_MRNExample(t *testing.T) { } } -// TestEvaluateDefinitionValueEntitlementMappings_Canonicalization covers the external +// TestEvaluateDynamicValueMappings_Canonicalization covers the external // system case-mismatch concern: the IdP reports MRN-123, policy stores mrn-123. -func TestEvaluateDefinitionValueEntitlementMappings_Canonicalization(t *testing.T) { +func TestEvaluateDynamicValueMappings_Canonicalization(t *testing.T) { const def = "https://hospital.co/attr/mrn" const valueFQN = "https://hospital.co/attr/mrn/value/mrn-123" mapping := dvemMapping(def, ".medicalRecordNumber", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN, nil, "read") - byDef := DefinitionValueEntitlementMappingsByDefinitionFQN{def: {mapping}} + byDef := DynamicValueMappingsByDefinitionFQN{def: {mapping}} - got, err := EvaluateDefinitionValueEntitlementMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, map[string]interface{}{"medicalRecordNumber": "MRN-123"}), slog.Default()) + got, err := EvaluateDynamicValueMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, map[string]interface{}{"medicalRecordNumber": "MRN-123"}), slog.Default()) require.NoError(t, err) assert.Equal(t, []string{"read"}, dvemActionNames(got[valueFQN])) } -// TestEvaluateDefinitionValueEntitlementMappings_InContains covers the substring operator. -func TestEvaluateDefinitionValueEntitlementMappings_InContains(t *testing.T) { +// TestEvaluateDynamicValueMappings_InContains covers the substring operator. 
+func TestEvaluateDynamicValueMappings_InContains(t *testing.T) { const def = "https://acme.co/attr/group" const valueFQN = "https://acme.co/attr/group/value/team" mapping := dvemMapping(def, ".groups[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS, nil, "read") - byDef := DefinitionValueEntitlementMappingsByDefinitionFQN{def: {mapping}} + byDef := DynamicValueMappingsByDefinitionFQN{def: {mapping}} - got, err := EvaluateDefinitionValueEntitlementMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "team"), dvemEntityRep(t, map[string]interface{}{"groups": []interface{}{"prefix-team-suffix"}}), slog.Default()) + got, err := EvaluateDynamicValueMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "team"), dvemEntityRep(t, map[string]interface{}{"groups": []interface{}{"prefix-team-suffix"}}), slog.Default()) require.NoError(t, err) assert.Equal(t, []string{"read"}, dvemActionNames(got[valueFQN])) } -// TestEvaluateDefinitionValueEntitlementMappings_StaticGate covers the optional static +// TestEvaluateDynamicValueMappings_StaticGate covers the optional static // SubjectConditionSet pre-gate combined with the dynamic resolver. -func TestEvaluateDefinitionValueEntitlementMappings_StaticGate(t *testing.T) { +func TestEvaluateDynamicValueMappings_StaticGate(t *testing.T) { const def = "https://hospital.co/attr/mrn" const valueFQN = "https://hospital.co/attr/mrn/value/mrn-123" 
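Review bot: `TestEvaluateDynamicValueMappings_InContains` asserts only the positive case, where the resource segment `team` is entitled because an entity group is `prefix-team-suffix`. Because `RESOURCE_VALUE_IN_CONTAINS` grants on a substring match, the test should also pin the deny side so a regression that widens the match is caught. Evaluate the same mapping against an entity whose `groups` hold no value containing `team`, then `assert.Empty(t, got[valueFQN])`. A short comment on the test noting that short value segments match broadly under this operator would help policy authors who read it as an example.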
@@ -138,10 +138,10 @@ func TestEvaluateDefinitionValueEntitlementMappings_StaticGate(t *testing.T) { }}, } mapping := dvemMapping(def, ".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN, scs, "read") - byDef := DefinitionValueEntitlementMappingsByDefinitionFQN{def: {mapping}} + byDef := DynamicValueMappingsByDefinitionFQN{def: {mapping}} // cardiology provider assigned to mrn-123 -> gate + resolver pass - got, err := EvaluateDefinitionValueEntitlementMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, map[string]interface{}{ + got, err := EvaluateDynamicValueMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, map[string]interface{}{ "department": "cardiology", "patientAssignments": []interface{}{"mrn-123"}, }), slog.Default()) @@ -149,7 +149,7 @@ func TestEvaluateDefinitionValueEntitlementMappings_StaticGate(t *testing.T) { assert.Equal(t, []string{"read"}, dvemActionNames(got[valueFQN])) // wrong department -> static gate fails -> no entitlement - got, err = EvaluateDefinitionValueEntitlementMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, map[string]interface{}{ + got, err = EvaluateDynamicValueMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, map[string]interface{}{ "department": "oncology", "patientAssignments": []interface{}{"mrn-123"}, }), slog.Default()) 
@@ -157,23 +157,23 @@ func TestEvaluateDefinitionValueEntitlementMappings_StaticGate(t *testing.T) { assert.Empty(t, got[valueFQN]) } -// TestEvaluateDefinitionValueEntitlementMappings_CrossDefinitionNoLeak verifies a mapping +// TestEvaluateDynamicValueMappings_CrossDefinitionNoLeak verifies a mapping // only applies to its own definition: the same value segment under a different definition // is not entitled. -func TestEvaluateDefinitionValueEntitlementMappings_CrossDefinitionNoLeak(t *testing.T) { +func TestEvaluateDynamicValueMappings_CrossDefinitionNoLeak(t *testing.T) { const defA = "https://a.co/attr/x" const defB = "https://b.co/attr/y" mapping := dvemMapping(defA, ".assignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN, nil, "read") - byDef := DefinitionValueEntitlementMappingsByDefinitionFQN{defA: {mapping}} + byDef := DynamicValueMappingsByDefinitionFQN{defA: {mapping}} entity := dvemEntityRep(t, map[string]interface{}{"assignments": []interface{}{"shared-1"}}) // under definition A -> entitled - gotA, err := EvaluateDefinitionValueEntitlementMappingsWithActions(byDef, dvemDecisionable(defA, defA+"/value/shared-1", "shared-1"), entity, slog.Default()) + gotA, err := EvaluateDynamicValueMappingsWithActions(byDef, dvemDecisionable(defA, defA+"/value/shared-1", "shared-1"), entity, slog.Default()) require.NoError(t, err) assert.Equal(t, []string{"read"}, dvemActionNames(gotA[defA+"/value/shared-1"])) // same segment under definition B -> not entitled - gotB, err := EvaluateDefinitionValueEntitlementMappingsWithActions(byDef, dvemDecisionable(defB, defB+"/value/shared-1", "shared-1"), entity, slog.Default()) + gotB, err := EvaluateDynamicValueMappingsWithActions(byDef, dvemDecisionable(defB, defB+"/value/shared-1", "shared-1"), entity, slog.Default()) require.NoError(t, err) assert.Empty(t, gotB[defB+"/value/shared-1"]) } 
diff --git a/service/logger/audit/constants.go b/service/logger/audit/constants.go index cf3fe5eabe..af6a06f9ba 100644 --- a/service/logger/audit/constants.go +++ b/service/logger/audit/constants.go @@ -32,7 +32,7 @@ const ( ObjectTypeKasAttributeDefinitionKeyAssignment ObjectTypeKasAttributeValueKeyAssignment ObjectTypeKasAttributeNamespaceKeyAssignment - ObjectTypeDefinitionValueEntitlementMapping + ObjectTypeDynamicValueMapping ) func (ot ObjectType) String() string { @@ -62,7 +62,7 @@ func (ot ObjectType) String() string { "kas_attribute_definition_key_assignment", "kas_attribute_value_key_assignment", "kas_attribute_namespace_key_assignment", - "definition_value_entitlement_mapping", + "dynamic_value_mapping", }[ot] } diff --git a/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md b/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md index a545b5e964..eb5fdaece6 100644 --- a/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md +++ b/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md 
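Review bot: The audit string for this object type changes from `definition_value_entitlement_mapping` to `dynamic_value_mapping` in the second constants.go hunk, so any audit consumer that filters on the old value (a saved search, alert rule or retention filter) will stop matching without an error. If events carrying the old value were ever emitted outside development, the rename belongs in the release notes, and consumers should match both values for a transition period. `String()` also indexes a positional slice with `ot`, so the slice must stay in the same order as the const block; a comment above the slice such as `// order must match the ObjectType const block; append only` would make that explicit. Both the const block and `String()` extend beyond the hunks shown.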
@@ -10,20 +10,26 @@ implementation spike** the question of *how* to model it. This document records The original spike prototyped all three options as a throwaway package to make them comparable on real behavior. The recommendation below (a new primitive carrying a new operator) is now implemented as -production code: the `DefinitionValueEntitlementMapping` primitive -([`service/policy/objects.proto`](../objects.proto)), its CRUD RPCs on the existing -[`SubjectMappingService`](../subjectmapping), DB layer, and the -decision-time evaluator -([`service/internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go`](../../internal/subjectmappingbuiltin/definition_value_entitlement_builtin.go)) +production code: the `DynamicValueMapping` primitive +([`service/policy/objects.proto`](../objects.proto)), its dedicated +[`DynamicValueMappingService`](../dynamicvaluemapping), DB layer, and the decision-time evaluator +([`service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin.go`](../../internal/subjectmappingbuiltin/dynamic_value_mapping_builtin.go)) wired into the PDP. The findings below record why that shape was chosen over the alternatives. +> [!NOTE] +> The upstream ADR ([virtru-corp/adr#266](https://github.com/virtru-corp/adr/pull/266)) named this +> primitive `DefinitionValueEntitlementMapping` but explicitly noted that primitive names are subject to +> change during implementation. It is implemented here as `DynamicValueMapping`, which is shorter, omits +> the redundant "Entitlement" (consistent with `SubjectMapping`/`ResourceMapping`), and avoids overloading +> the authorization-runtime term "entitlement". + ## Context How should condition-set authority be moved up from the `AttributeValue` to the `AttributeDefinition`? Four shapes were on the table (from the ADR discussion threads): reuse Subject Mappings, add a new primitive, add a new attribute rule, or add a new operator. 
-## Recommendation: a new primitive (`DefinitionValueEntitlementMapping`) carrying a new operator +## Recommendation: a new primitive (`DynamicValueMapping`) carrying a new operator The spike recommends a **new first-class primitive** scoped to an `AttributeDefinition`, holding a `selector`, a **new dynamic operator**, and `actions`. The four "options" are not mutually exclusive: the diff --git a/service/policy/db/attributes.go b/service/policy/db/attributes.go index 2e5ac88872..acfd648534 100644 --- a/service/policy/db/attributes.go +++ b/service/policy/db/attributes.go @@ -461,11 +461,11 @@ func (c PolicyDBClient) UnsafeUpdateAttribute(ctx context.Context, r *unsafe.Uns } } - // Guard the reverse of validateDefinitionValueEntitlementMappingAttribute: a definition + // Guard the reverse of validateDynamicValueMappingAttribute: a definition // with a dynamic value entitlement mapping cannot be changed to HIERARCHY, which requires // statically ordered values incompatible with pass-through dynamic values (DSPX-2754). if rule == policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY && before.GetRule() != policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY { - dynamicCount, err := c.queries.countDefinitionValueEntitlementMappingsByDefinitionID(ctx, id) + dynamicCount, err := c.queries.countDynamicValueMappingsByDefinitionID(ctx, id) if err != nil { return nil, db.WrapIfKnownInvalidQueryErr(err) } diff --git a/service/policy/db/definition_value_entitlement_mappings.go b/service/policy/db/dynamic_value_mappings.go similarity index 67% rename from service/policy/db/definition_value_entitlement_mappings.go rename to service/policy/db/dynamic_value_mappings.go index e535e5753b..b083b3ac47 100644 --- a/service/policy/db/definition_value_entitlement_mappings.go +++ b/service/policy/db/dynamic_value_mappings.go 
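Review bot: The HIERARCHY guard in UnsafeUpdateAttribute is a count-then-write check, and nothing visible in the hunk stops a concurrent write between the count and the rule update. `countDynamicValueMappingsByDefinitionID` is read on its own, so a mapping created for the same definition in that window could leave a HIERARCHY definition with a dynamic mapping attached. Whether a transaction or row lock covers both steps cannot be seen here, since the function body continues outside the hunk; please confirm, or back the invariant with a database-level constraint. The same pattern appears in `ensureNoValueSubjectMappingCoexistence` and `ensureNoDynamicValueMappingCoexistence` in dynamic_value_mappings.go. The guard's comment also still says "dynamic value entitlement mapping"; after this rename it would read more consistently as `// with a dynamic value mapping cannot be changed to HIERARCHY, which requires`.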
@@ -10,11 +10,11 @@ import ( "github.com/opentdf/platform/protocol/go/common" "github.com/opentdf/platform/protocol/go/policy" "github.com/opentdf/platform/protocol/go/policy/attributes" - "github.com/opentdf/platform/protocol/go/policy/subjectmapping" + "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping" "github.com/opentdf/platform/service/pkg/db" ) -type definitionValueEntitlementMappingRow struct { +type dynamicValueMappingRow struct { id string attributeDefinitionID string subjectExternalSelectorValue string @@ -25,17 +25,17 @@ type definitionValueEntitlementMappingRow struct { namespace interface{} } -func (c PolicyDBClient) CreateDefinitionValueEntitlementMapping(ctx context.Context, r *subjectmapping.CreateDefinitionValueEntitlementMappingRequest) (*policy.DefinitionValueEntitlementMapping, error) { +func (c PolicyDBClient) CreateDynamicValueMapping(ctx context.Context, r *dynamicvaluemapping.CreateDynamicValueMappingRequest) (*policy.DynamicValueMapping, error) { resolver := r.GetValueResolver() if resolver.GetOperator() == policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED { return nil, errors.Join(db.ErrEnumValueInvalid, errors.New("value_resolver.operator must be specified")) } - attr, err := c.resolveDefinitionValueEntitlementMappingAttribute(ctx, r.GetAttributeDefinitionId(), r.GetAttributeDefinitionFqn()) + attr, err := c.resolveDynamicValueMappingAttribute(ctx, r.GetAttributeDefinitionId(), r.GetAttributeDefinitionFqn()) if err != nil { return nil, err } - if err := validateDefinitionValueEntitlementMappingAttribute(attr); err != nil { + if err := validateDynamicValueMappingAttribute(attr); err != nil { return nil, err } 
@@ -56,12 +56,12 @@ func (c PolicyDBClient) CreateDefinitionValueEntitlementMapping(ctx context.Cont return nil, err } - scs, err := c.resolveDefinitionValueEntitlementMappingSubjectConditionSet(ctx, r, resolvedNamespaceID) + scs, err := c.resolveDynamicValueMappingSubjectConditionSet(ctx, r, resolvedNamespaceID) if err != nil { return nil, err } - if err := c.validateDefinitionValueEntitlementMappingNamespaceConsistency(ctx, resolvedNamespaceID, attr, actionIDs, scs); err != nil { + if err := c.validateDynamicValueMappingNamespaceConsistency(ctx, resolvedNamespaceID, attr, actionIDs, scs); err != nil { return nil, err } @@ -70,7 +70,7 @@ func (c PolicyDBClient) CreateDefinitionValueEntitlementMapping(ctx context.Cont return nil, db.WrapIfKnownInvalidQueryErr(err) } - createdID, err := c.queries.createDefinitionValueEntitlementMapping(ctx, createDefinitionValueEntitlementMappingParams{ + createdID, err := c.queries.createDynamicValueMapping(ctx, createDynamicValueMappingParams{ AttributeDefinitionID: attr.GetId(), SubjectExternalSelectorValue: resolver.GetSubjectExternalSelectorValue(), Operator: int16(resolver.GetOperator()), @@ -83,11 +83,11 @@ func (c PolicyDBClient) CreateDefinitionValueEntitlementMapping(ctx context.Cont return nil, db.WrapIfKnownInvalidQueryErr(err) } - return c.GetDefinitionValueEntitlementMapping(ctx, createdID) + return c.GetDynamicValueMapping(ctx, createdID) } -func (c PolicyDBClient) GetDefinitionValueEntitlementMapping(ctx context.Context, id string) (*policy.DefinitionValueEntitlementMapping, error) { - row, err := c.queries.getDefinitionValueEntitlementMapping(ctx, id) +func (c PolicyDBClient) GetDynamicValueMapping(ctx context.Context, id string) (*policy.DynamicValueMapping, error) { + row, err := c.queries.getDynamicValueMapping(ctx, id) if err != nil { return nil, db.WrapIfKnownInvalidQueryErr(err) } 
@@ -95,7 +95,7 @@ func (c PolicyDBClient) GetDefinitionValueEntitlementMapping(ctx context.Context return nil, db.ErrNotFound } - return c.hydrateDefinitionValueEntitlementMapping(ctx, definitionValueEntitlementMappingRow{ + return c.hydrateDynamicValueMapping(ctx, dynamicValueMappingRow{ id: row.ID, attributeDefinitionID: row.AttributeDefinitionID, subjectExternalSelectorValue: row.SubjectExternalSelectorValue, @@ -107,7 +107,7 @@ func (c PolicyDBClient) GetDefinitionValueEntitlementMapping(ctx context.Context }) } -func (c PolicyDBClient) ListDefinitionValueEntitlementMappings(ctx context.Context, r *subjectmapping.ListDefinitionValueEntitlementMappingsRequest) (*subjectmapping.ListDefinitionValueEntitlementMappingsResponse, error) { +func (c PolicyDBClient) ListDynamicValueMappings(ctx context.Context, r *dynamicvaluemapping.ListDynamicValueMappingsRequest) (*dynamicvaluemapping.ListDynamicValueMappingsResponse, error) { limit, offset := c.getRequestedLimitOffset(r.GetPagination()) maxLimit := c.listCfg.limitMax @@ -115,9 +115,9 @@ func (c PolicyDBClient) ListDefinitionValueEntitlementMappings(ctx context.Conte return nil, db.ErrListLimitTooLarge } - sortField, sortDirection := GetDefinitionValueEntitlementMappingsSortParams(r.GetSort()) + sortField, sortDirection := GetDynamicValueMappingsSortParams(r.GetSort()) - rows, err := c.queries.listDefinitionValueEntitlementMappings(ctx, listDefinitionValueEntitlementMappingsParams{ + rows, err := c.queries.listDynamicValueMappings(ctx, listDynamicValueMappingsParams{ NamespaceID: pgtypeUUID(r.GetNamespaceId()), AttributeDefinitionID: pgtypeUUID(r.GetAttributeDefinitionId()), Limit: limit, 
@@ -129,9 +129,9 @@ func (c PolicyDBClient) ListDefinitionValueEntitlementMappings(ctx context.Conte return nil, db.WrapIfKnownInvalidQueryErr(err) } - mappings := make([]*policy.DefinitionValueEntitlementMapping, len(rows)) + mappings := make([]*policy.DynamicValueMapping, len(rows)) for i, row := range rows { - mapping, err := c.hydrateDefinitionValueEntitlementMapping(ctx, definitionValueEntitlementMappingRow{ + mapping, err := c.hydrateDynamicValueMapping(ctx, dynamicValueMappingRow{ id: row.ID, attributeDefinitionID: row.AttributeDefinitionID, subjectExternalSelectorValue: row.SubjectExternalSelectorValue, @@ -156,8 +156,8 @@ func (c PolicyDBClient) ListDefinitionValueEntitlementMappings(ctx context.Conte nextOffset = getNextOffset(offset, limit, total) } - return &subjectmapping.ListDefinitionValueEntitlementMappingsResponse{ - DefinitionValueEntitlementMappings: mappings, + return &dynamicvaluemapping.ListDynamicValueMappingsResponse{ + DynamicValueMappings: mappings, Pagination: &policy.PageResponse{ CurrentOffset: offset, Total: total, @@ -166,9 +166,9 @@ func (c PolicyDBClient) ListDefinitionValueEntitlementMappings(ctx context.Conte }, nil } -func (c PolicyDBClient) UpdateDefinitionValueEntitlementMapping(ctx context.Context, r *subjectmapping.UpdateDefinitionValueEntitlementMappingRequest) (*policy.DefinitionValueEntitlementMapping, error) { +func (c PolicyDBClient) UpdateDynamicValueMapping(ctx context.Context, r *dynamicvaluemapping.UpdateDynamicValueMappingRequest) (*policy.DynamicValueMapping, error) { id := r.GetId() - before, err := c.GetDefinitionValueEntitlementMapping(ctx, id) + before, err := c.GetDynamicValueMapping(ctx, id) if err != nil { return nil, db.WrapIfKnownInvalidQueryErr(err) } 
@@ -180,7 +180,7 @@ func (c PolicyDBClient) UpdateDefinitionValueEntitlementMapping(ctx context.Cont return nil, err } - updateParams := updateDefinitionValueEntitlementMappingParams{ + updateParams := updateDynamicValueMappingParams{ ID: id, Metadata: metadataJSON, SubjectConditionSetID: pgtypeUUID(r.GetSubjectConditionSetId()), @@ -203,7 +203,7 @@ func (c PolicyDBClient) UpdateDefinitionValueEntitlementMapping(ctx context.Cont updateParams.ActionIds = actionIDs } - count, err := c.queries.updateDefinitionValueEntitlementMapping(ctx, updateParams) + count, err := c.queries.updateDynamicValueMapping(ctx, updateParams) if err != nil { return nil, db.WrapIfKnownInvalidQueryErr(err) } @@ -211,11 +211,11 @@ func (c PolicyDBClient) UpdateDefinitionValueEntitlementMapping(ctx context.Cont return nil, db.ErrNotFound } - return c.GetDefinitionValueEntitlementMapping(ctx, id) + return c.GetDynamicValueMapping(ctx, id) } -func (c PolicyDBClient) DeleteDefinitionValueEntitlementMapping(ctx context.Context, id string) (*policy.DefinitionValueEntitlementMapping, error) { - count, err := c.queries.deleteDefinitionValueEntitlementMapping(ctx, id) +func (c PolicyDBClient) DeleteDynamicValueMapping(ctx context.Context, id string) (*policy.DynamicValueMapping, error) { + count, err := c.queries.deleteDynamicValueMapping(ctx, id) if err != nil { return nil, db.WrapIfKnownInvalidQueryErr(err) } 
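Review bot: UpdateDynamicValueMapping writes `SubjectConditionSetID` and `ActionIds` straight from the request, and none of the hunks shown for this function call `validateDynamicValueMappingNamespaceConsistency`, which CreateDynamicValueMapping runs before its insert. The lines between the hunks are not visible, so the check may already be there. If it is not, an update could attach a subject condition set or action from a different namespace than the mapping's, a combination that create rejects with `db.ErrNamespaceMismatch`. I would resolve the requested condition set and call the same validator with the stored mapping's namespace and attribute before `c.queries.updateDynamicValueMapping`. A test that updates a mapping with a cross-namespace condition set and expects the mismatch error would pin this down.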
@@ -223,10 +223,10 @@ func (c PolicyDBClient) DeleteDefinitionValueEntitlementMapping(ctx context.Cont return nil, db.ErrNotFound } - return &policy.DefinitionValueEntitlementMapping{Id: id}, nil + return &policy.DynamicValueMapping{Id: id}, nil } -func (c PolicyDBClient) hydrateDefinitionValueEntitlementMapping(ctx context.Context, row definitionValueEntitlementMappingRow) (*policy.DefinitionValueEntitlementMapping, error) { +func (c PolicyDBClient) hydrateDynamicValueMapping(ctx context.Context, row dynamicValueMappingRow) (*policy.DynamicValueMapping, error) { metadata := &common.Metadata{} if err := unmarshalMetadata(row.metadata, metadata); err != nil { return nil, err @@ -234,7 +234,7 @@ func (c PolicyDBClient) hydrateDefinitionValueEntitlementMapping(ctx context.Con actionsBytes, err := json.Marshal(row.actions) if err != nil { - return nil, fmt.Errorf("failed to marshal definition value entitlement mapping actions from interface{}: %w", err) + return nil, fmt.Errorf("failed to marshal dynamic value mapping actions from interface{}: %w", err) } actions := []*policy.Action{} if err := unmarshalActionsProto(actionsBytes, &actions); err != nil { @@ -251,10 +251,10 @@ func (c PolicyDBClient) hydrateDefinitionValueEntitlementMapping(ctx context.Con return nil, err } - mapping := &policy.DefinitionValueEntitlementMapping{ + mapping := &policy.DynamicValueMapping{ Id: row.id, AttributeDefinition: attr, - ValueResolver: &policy.DefinitionValueResolver{ + ValueResolver: &policy.DynamicValueResolver{ SubjectExternalSelectorValue: row.subjectExternalSelectorValue, Operator: policy.DynamicValueOperatorEnum(row.operator), }, 
@@ -275,7 +275,7 @@ func (c PolicyDBClient) hydrateDefinitionValueEntitlementMapping(ctx context.Con return mapping, nil } -func (c PolicyDBClient) resolveDefinitionValueEntitlementMappingAttribute(ctx context.Context, id, fqn string) (*policy.Attribute, error) { +func (c PolicyDBClient) resolveDynamicValueMappingAttribute(ctx context.Context, id, fqn string) (*policy.Attribute, error) { switch { case id != "": return c.GetAttribute(ctx, id) @@ -288,17 +288,17 @@ func (c PolicyDBClient) resolveDefinitionValueEntitlementMappingAttribute(ctx co } } -func validateDefinitionValueEntitlementMappingAttribute(attr *policy.Attribute) error { +func validateDynamicValueMappingAttribute(attr *policy.Attribute) error { switch attr.GetRule() { case policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF, policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF: return nil case policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY: - return errors.Join(db.ErrEnumValueInvalid, errors.New("definition value entitlement mappings do not support HIERARCHY attributes")) + return errors.Join(db.ErrEnumValueInvalid, errors.New("dynamic value mappings do not support HIERARCHY attributes")) case policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED: fallthrough default: - return errors.Join(db.ErrEnumValueInvalid, errors.New("definition value entitlement mappings require ALL_OF or ANY_OF attributes")) + return errors.Join(db.ErrEnumValueInvalid, errors.New("dynamic value mappings require ALL_OF or ANY_OF attributes")) } } 
@@ -311,15 +311,15 @@ func (c PolicyDBClient) ensureNoValueSubjectMappingCoexistence(ctx context.Conte } if count > 0 { return errors.Join(db.ErrRestrictViolation, - fmt.Errorf("attribute definition [%s] already has value-level subject mappings; it cannot also have a definition value entitlement mapping", definitionID)) + fmt.Errorf("attribute definition [%s] already has value-level subject mappings; it cannot also have a dynamic value mapping", definitionID)) } return nil } -// ensureNoDefinitionValueEntitlementMappingCoexistence rejects creation of a value-level +// ensureNoDynamicValueMappingCoexistence rejects creation of a value-level // subject mapping when the value's parent definition already has a dynamic value // entitlement mapping. -func (c PolicyDBClient) ensureNoDefinitionValueEntitlementMappingCoexistence(ctx context.Context, attributeValueID string) error { +func (c PolicyDBClient) ensureNoDynamicValueMappingCoexistence(ctx context.Context, attributeValueID string) error { if attributeValueID == "" { return nil } 
@@ -327,20 +327,20 @@ func (c PolicyDBClient) ensureNoDefinitionValueEntitlementMappingCoexistence(ctx if err != nil { return db.WrapIfKnownInvalidQueryErr(err) } - count, err := c.queries.countDefinitionValueEntitlementMappingsByDefinitionID(ctx, definitionID) + count, err := c.queries.countDynamicValueMappingsByDefinitionID(ctx, definitionID) if err != nil { return db.WrapIfKnownInvalidQueryErr(err) } if count > 0 { return errors.Join(db.ErrRestrictViolation, - fmt.Errorf("attribute definition [%s] has a definition value entitlement mapping; it cannot also have value-level subject mappings", definitionID)) + fmt.Errorf("attribute definition [%s] has a dynamic value mapping; it cannot also have value-level subject mappings", definitionID)) } return nil } -func (c PolicyDBClient) resolveDefinitionValueEntitlementMappingSubjectConditionSet( +func (c PolicyDBClient) resolveDynamicValueMappingSubjectConditionSet( ctx context.Context, - r *subjectmapping.CreateDefinitionValueEntitlementMappingRequest, + r *dynamicvaluemapping.CreateDynamicValueMappingRequest, namespaceID string, ) (*policy.SubjectConditionSet, error) { switch { @@ -362,7 +362,7 @@ func (c PolicyDBClient) resolveDefinitionValueEntitlementMappingSubjectCondition } } -func (c PolicyDBClient) validateDefinitionValueEntitlementMappingNamespaceConsistency( +func (c PolicyDBClient) validateDynamicValueMappingNamespaceConsistency( ctx context.Context, targetNsID string, attr *policy.Attribute, 
@@ -371,7 +371,7 @@ func (c PolicyDBClient) validateDefinitionValueEntitlementMappingNamespaceConsis ) error { if targetNsID != "" && attr.GetNamespace().GetId() != targetNsID { return errors.Join(db.ErrNamespaceMismatch, - fmt.Errorf("attribute definition namespace [%s] does not match the specified definition value entitlement mapping namespace [%s]", attr.GetNamespace().GetId(), targetNsID)) + fmt.Errorf("attribute definition namespace [%s] does not match the specified dynamic value mapping namespace [%s]", attr.GetNamespace().GetId(), targetNsID)) } if len(actionIDs) > 0 { @@ -383,14 +383,14 @@ func (c PolicyDBClient) validateDefinitionValueEntitlementMappingNamespaceConsis actionNsID := UUIDToString(a.NamespaceID) if actionNsID != targetNsID { return errors.Join(db.ErrNamespaceMismatch, - fmt.Errorf("action [%s] namespace [%s] does not match the specified definition value entitlement mapping namespace [%s]", a.ID, actionNsID, targetNsID)) + fmt.Errorf("action [%s] namespace [%s] does not match the specified dynamic value mapping namespace [%s]", a.ID, actionNsID, targetNsID)) } } } if scs != nil && scs.GetNamespace().GetId() != targetNsID { return errors.Join(db.ErrNamespaceMismatch, - fmt.Errorf("subject condition set [%s] namespace [%s] does not match the specified definition value entitlement mapping namespace [%s]", scs.GetId(), scs.GetNamespace().GetId(), targetNsID)) + fmt.Errorf("subject condition set [%s] namespace [%s] does not match the specified dynamic value mapping namespace [%s]", scs.GetId(), scs.GetNamespace().GetId(), targetNsID)) } return nil diff --git a/service/policy/db/definition_value_entitlement_mappings.sql.go b/service/policy/db/dynamic_value_mappings.sql.go similarity index 75% rename from service/policy/db/definition_value_entitlement_mappings.sql.go rename to service/policy/db/dynamic_value_mappings.sql.go index a43b170abb..f95277e25a 100644 --- a/service/policy/db/definition_value_entitlement_mappings.sql.go 
+++ b/service/policy/db/dynamic_value_mappings.sql.go @@ -1,7 +1,7 @@ // Code generated by sqlc. DO NOT EDIT. // versions: // sqlc v1.30.0 -// source: definition_value_entitlement_mappings.sql +// source: dynamic_value_mappings.sql package db @@ -11,9 +11,9 @@ import ( "github.com/jackc/pgx/v5/pgtype" ) -const countDefinitionValueEntitlementMappingsByDefinitionID = `-- name: countDefinitionValueEntitlementMappingsByDefinitionID :one +const countDynamicValueMappingsByDefinitionID = `-- name: countDynamicValueMappingsByDefinitionID :one SELECT COUNT(id) -FROM definition_value_entitlement_mappings +FROM dynamic_value_mappings WHERE attribute_definition_id = $1 ` @@ -21,10 +21,10 @@ WHERE attribute_definition_id = $1 // no-coexistence from the subject-mapping create path. // // SELECT COUNT(id) -// FROM definition_value_entitlement_mappings +// FROM dynamic_value_mappings // WHERE attribute_definition_id = $1 -func (q *Queries) countDefinitionValueEntitlementMappingsByDefinitionID(ctx context.Context, attributeDefinitionID string) (int64, error) { - row := q.db.QueryRow(ctx, countDefinitionValueEntitlementMappingsByDefinitionID, attributeDefinitionID) +func (q *Queries) countDynamicValueMappingsByDefinitionID(ctx context.Context, attributeDefinitionID string) (int64, error) { + row := q.db.QueryRow(ctx, countDynamicValueMappingsByDefinitionID, attributeDefinitionID) var count int64 err := row.Scan(&count) return count, err @@ -51,9 +51,9 @@ func (q *Queries) countValueSubjectMappingsByDefinitionID(ctx context.Context, a return count, err } -const createDefinitionValueEntitlementMapping = `-- name: createDefinitionValueEntitlementMapping :one +const createDynamicValueMapping = `-- name: createDynamicValueMapping :one WITH inserted_mapping AS ( - INSERT INTO definition_value_entitlement_mappings ( + INSERT INTO dynamic_value_mappings ( attribute_definition_id, subject_external_selector_value, operator, 
@@ -72,7 +72,7 @@ WITH inserted_mapping AS ( RETURNING id ), inserted_actions AS ( - INSERT INTO definition_value_entitlement_mapping_actions (definition_value_entitlement_mapping_id, action_id) + INSERT INTO dynamic_value_mapping_actions (dynamic_value_mapping_id, action_id) SELECT (SELECT id FROM inserted_mapping), unnest($7::uuid[]) @@ -80,7 +80,7 @@ inserted_actions AS ( SELECT id FROM inserted_mapping ` -type createDefinitionValueEntitlementMappingParams struct { +type createDynamicValueMappingParams struct { AttributeDefinitionID string `json:"attribute_definition_id"` SubjectExternalSelectorValue string `json:"subject_external_selector_value"` Operator int16 `json:"operator"` @@ -90,10 +90,10 @@ type createDefinitionValueEntitlementMappingParams struct { ActionIds []string `json:"action_ids"` } -// createDefinitionValueEntitlementMapping +// createDynamicValueMapping // // WITH inserted_mapping AS ( -// INSERT INTO definition_value_entitlement_mappings ( +// INSERT INTO dynamic_value_mappings ( // attribute_definition_id, // subject_external_selector_value, // operator, @@ -112,14 +112,14 @@ type createDefinitionValueEntitlementMappingParams struct { // RETURNING id // ), // inserted_actions AS ( -// INSERT INTO definition_value_entitlement_mapping_actions (definition_value_entitlement_mapping_id, action_id) +// INSERT INTO dynamic_value_mapping_actions (dynamic_value_mapping_id, action_id) // SELECT // (SELECT id FROM inserted_mapping), // unnest($7::uuid[]) // ) // SELECT id FROM inserted_mapping -func (q *Queries) createDefinitionValueEntitlementMapping(ctx context.Context, arg createDefinitionValueEntitlementMappingParams) (string, error) { - row := q.db.QueryRow(ctx, createDefinitionValueEntitlementMapping, +func (q *Queries) createDynamicValueMapping(ctx context.Context, arg createDynamicValueMappingParams) (string, error) { + row := q.db.QueryRow(ctx, createDynamicValueMapping, arg.AttributeDefinitionID, arg.SubjectExternalSelectorValue, arg.Operator, 
@@ -133,15 +133,15 @@ func (q *Queries) createDefinitionValueEntitlementMapping(ctx context.Context, a return id, err } -const deleteDefinitionValueEntitlementMapping = `-- name: deleteDefinitionValueEntitlementMapping :execrows -DELETE FROM definition_value_entitlement_mappings WHERE id = $1 +const deleteDynamicValueMapping = `-- name: deleteDynamicValueMapping :execrows +DELETE FROM dynamic_value_mappings WHERE id = $1 ` -// deleteDefinitionValueEntitlementMapping +// deleteDynamicValueMapping // -// DELETE FROM definition_value_entitlement_mappings WHERE id = $1 -func (q *Queries) deleteDefinitionValueEntitlementMapping(ctx context.Context, id string) (int64, error) { - result, err := q.db.Exec(ctx, deleteDefinitionValueEntitlementMapping, id) +// DELETE FROM dynamic_value_mappings WHERE id = $1 +func (q *Queries) deleteDynamicValueMapping(ctx context.Context, id string) (int64, error) { + result, err := q.db.Exec(ctx, deleteDynamicValueMapping, id) if err != nil { return 0, err } @@ -166,11 +166,11 @@ func (q *Queries) getAttributeDefinitionIDByValueID(ctx context.Context, id stri return attribute_definition_id, err } -const getDefinitionValueEntitlementMapping = `-- name: getDefinitionValueEntitlementMapping :one +const getDynamicValueMapping = `-- name: getDynamicValueMapping :one WITH mapping_actions AS ( SELECT dvm.action_id, - dvm.definition_value_entitlement_mapping_id, + dvm.dynamic_value_mapping_id, JSONB_BUILD_OBJECT( 'id', a.id, 'name', a.name, 
@@ -178,18 +178,18 @@ WITH mapping_actions AS ( ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn) END ) AS action - FROM definition_value_entitlement_mapping_actions dvm + FROM dynamic_value_mapping_actions dvm JOIN actions a ON dvm.action_id = a.id LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL - WHERE dvm.definition_value_entitlement_mapping_id = $1 + WHERE dvm.dynamic_value_mapping_id = $1 ), definition_actions AS ( SELECT - definition_value_entitlement_mapping_id, + dynamic_value_mapping_id, COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions FROM mapping_actions - GROUP BY definition_value_entitlement_mapping_id + GROUP BY dynamic_value_mapping_id ) SELECT dvem.id, @@ -203,14 +203,14 @@ SELECT WHEN dvem.namespace_id IS NULL THEN NULL ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn) END AS namespace -FROM definition_value_entitlement_mappings dvem -LEFT JOIN definition_actions da ON dvem.id = da.definition_value_entitlement_mapping_id +FROM dynamic_value_mappings dvem +LEFT JOIN definition_actions da ON dvem.id = da.dynamic_value_mapping_id LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL WHERE dvem.id = $1 ` -type getDefinitionValueEntitlementMappingRow struct { +type getDynamicValueMappingRow struct { ID string `json:"id"` AttributeDefinitionID string `json:"attribute_definition_id"` SubjectExternalSelectorValue string `json:"subject_external_selector_value"` 
@@ -221,12 +221,12 @@ type getDefinitionValueEntitlementMappingRow struct { Namespace interface{} `json:"namespace"` } -// getDefinitionValueEntitlementMapping +// getDynamicValueMapping // // WITH mapping_actions AS ( // SELECT // dvm.action_id, -// dvm.definition_value_entitlement_mapping_id, +// dvm.dynamic_value_mapping_id, // JSONB_BUILD_OBJECT( // 'id', a.id, // 'name', a.name, @@ -234,18 +234,18 @@ type getDefinitionValueEntitlementMappingRow struct { // ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn) // END // ) AS action -// FROM definition_value_entitlement_mapping_actions dvm +// FROM dynamic_value_mapping_actions dvm // JOIN actions a ON dvm.action_id = a.id // LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id // LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL -// WHERE dvm.definition_value_entitlement_mapping_id = $1 +// WHERE dvm.dynamic_value_mapping_id = $1 // ), // definition_actions AS ( // SELECT -// definition_value_entitlement_mapping_id, +// dynamic_value_mapping_id, // COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions // FROM mapping_actions -// GROUP BY definition_value_entitlement_mapping_id +// GROUP BY dynamic_value_mapping_id // ) // SELECT // dvem.id, 
@@ -259,14 +259,14 @@ type getDefinitionValueEntitlementMappingRow struct { // WHEN dvem.namespace_id IS NULL THEN NULL // ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn) // END AS namespace -// FROM definition_value_entitlement_mappings dvem -// LEFT JOIN definition_actions da ON dvem.id = da.definition_value_entitlement_mapping_id +// FROM dynamic_value_mappings dvem +// LEFT JOIN definition_actions da ON dvem.id = da.dynamic_value_mapping_id // LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id // LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL // WHERE dvem.id = $1 -func (q *Queries) getDefinitionValueEntitlementMapping(ctx context.Context, id string) (getDefinitionValueEntitlementMappingRow, error) { - row := q.db.QueryRow(ctx, getDefinitionValueEntitlementMapping, id) - var i getDefinitionValueEntitlementMappingRow +func (q *Queries) getDynamicValueMapping(ctx context.Context, id string) (getDynamicValueMappingRow, error) { + row := q.db.QueryRow(ctx, getDynamicValueMapping, id) + var i getDynamicValueMappingRow err := row.Scan( &i.ID, &i.AttributeDefinitionID, @@ -280,7 +280,7 @@ func (q *Queries) getDefinitionValueEntitlementMapping(ctx context.Context, id s return i, err } -const listDefinitionValueEntitlementMappings = `-- name: listDefinitionValueEntitlementMappings :many +const listDynamicValueMappings = `-- name: listDynamicValueMappings :many WITH params AS ( SELECT @@ -290,7 +290,7 @@ WITH params AS ( mapping_actions AS ( SELECT dvm.action_id, - dvm.definition_value_entitlement_mapping_id, + dvm.dynamic_value_mapping_id, JSONB_BUILD_OBJECT( 'id', a.id, 'name', a.name, 
@@ -298,21 +298,21 @@ mapping_actions AS ( ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn) END ) AS action - FROM definition_value_entitlement_mapping_actions dvm + FROM dynamic_value_mapping_actions dvm JOIN actions a ON dvm.action_id = a.id LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL ), definition_actions AS ( SELECT - definition_value_entitlement_mapping_id, + dynamic_value_mapping_id, COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions FROM mapping_actions - GROUP BY definition_value_entitlement_mapping_id + GROUP BY dynamic_value_mapping_id ), counted AS ( SELECT COUNT(dvem.id) AS total - FROM definition_value_entitlement_mappings dvem + FROM dynamic_value_mappings dvem LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL WHERE @@ -333,10 +333,10 @@ SELECT ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn) END AS namespace, counted.total -FROM definition_value_entitlement_mappings dvem +FROM dynamic_value_mappings dvem CROSS JOIN counted CROSS JOIN params p -LEFT JOIN definition_actions da ON dvem.id = da.definition_value_entitlement_mapping_id +LEFT JOIN definition_actions da ON dvem.id = da.dynamic_value_mapping_id LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL WHERE 
@@ -360,7 +360,7 @@ LIMIT $5 OFFSET $4 ` -type listDefinitionValueEntitlementMappingsParams struct { +type listDynamicValueMappingsParams struct { NamespaceID pgtype.UUID `json:"namespace_id"` NamespaceFqn pgtype.Text `json:"namespace_fqn"` AttributeDefinitionID pgtype.UUID `json:"attribute_definition_id"` @@ -370,7 +370,7 @@ type listDefinitionValueEntitlementMappingsParams struct { SortDirection string `json:"sort_direction"` } -type listDefinitionValueEntitlementMappingsRow struct { +type listDynamicValueMappingsRow struct { ID string `json:"id"` AttributeDefinitionID string `json:"attribute_definition_id"` SubjectExternalSelectorValue string `json:"subject_external_selector_value"` @@ -394,7 +394,7 @@ type listDefinitionValueEntitlementMappingsRow struct { // mapping_actions AS ( // SELECT // dvm.action_id, -// dvm.definition_value_entitlement_mapping_id, +// dvm.dynamic_value_mapping_id, // JSONB_BUILD_OBJECT( // 'id', a.id, // 'name', a.name, 
@@ -402,21 +402,21 @@ type listDefinitionValueEntitlementMappingsRow struct { // ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn) // END // ) AS action -// FROM definition_value_entitlement_mapping_actions dvm +// FROM dynamic_value_mapping_actions dvm // JOIN actions a ON dvm.action_id = a.id // LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id // LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL // ), // definition_actions AS ( // SELECT -// definition_value_entitlement_mapping_id, +// dynamic_value_mapping_id, // COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions // FROM mapping_actions -// GROUP BY definition_value_entitlement_mapping_id +// GROUP BY dynamic_value_mapping_id // ), // counted AS ( // SELECT COUNT(dvem.id) AS total -// FROM definition_value_entitlement_mappings dvem +// FROM dynamic_value_mappings dvem // LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id // LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL // WHERE @@ -437,10 +437,10 @@ type listDefinitionValueEntitlementMappingsRow struct { // ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn) // END AS namespace, // counted.total -// FROM definition_value_entitlement_mappings dvem +// FROM dynamic_value_mappings dvem // CROSS JOIN counted // CROSS JOIN params p -// LEFT JOIN definition_actions da ON dvem.id = da.definition_value_entitlement_mapping_id +// LEFT JOIN definition_actions da ON dvem.id = da.dynamic_value_mapping_id // LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id // LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL // WHERE 
@@ -462,8 +462,8 @@ type listDefinitionValueEntitlementMappingsRow struct { // dvem.id ASC // LIMIT $5 // OFFSET $4 -func (q *Queries) listDefinitionValueEntitlementMappings(ctx context.Context, arg listDefinitionValueEntitlementMappingsParams) ([]listDefinitionValueEntitlementMappingsRow, error) { - rows, err := q.db.Query(ctx, listDefinitionValueEntitlementMappings, +func (q *Queries) listDynamicValueMappings(ctx context.Context, arg listDynamicValueMappingsParams) ([]listDynamicValueMappingsRow, error) { + rows, err := q.db.Query(ctx, listDynamicValueMappings, arg.NamespaceID, arg.NamespaceFqn, arg.AttributeDefinitionID, @@ -476,9 +476,9 @@ func (q *Queries) listDefinitionValueEntitlementMappings(ctx context.Context, ar return nil, err } defer rows.Close() - var items []listDefinitionValueEntitlementMappingsRow + var items []listDynamicValueMappingsRow for rows.Next() { - var i listDefinitionValueEntitlementMappingsRow + var i listDynamicValueMappingsRow if err := rows.Scan( &i.ID, &i.AttributeDefinitionID, @@ -500,10 +500,10 @@ func (q *Queries) listDefinitionValueEntitlementMappings(ctx context.Context, ar return items, nil } -const updateDefinitionValueEntitlementMapping = `-- name: updateDefinitionValueEntitlementMapping :execrows +const updateDynamicValueMapping = `-- name: updateDynamicValueMapping :execrows WITH mapping_update AS ( - UPDATE definition_value_entitlement_mappings + UPDATE dynamic_value_mappings SET metadata = COALESCE($1::JSONB, metadata), subject_external_selector_value = COALESCE($2::TEXT, subject_external_selector_value), 
@@ -513,14 +513,14 @@ WITH RETURNING id ), action_delete AS ( - DELETE FROM definition_value_entitlement_mapping_actions + DELETE FROM dynamic_value_mapping_actions WHERE - definition_value_entitlement_mapping_id = $5 + dynamic_value_mapping_id = $5 AND $6::UUID[] IS NOT NULL AND action_id NOT IN (SELECT unnest($6::UUID[])) ), action_insert AS ( - INSERT INTO definition_value_entitlement_mapping_actions (definition_value_entitlement_mapping_id, action_id) + INSERT INTO dynamic_value_mapping_actions (dynamic_value_mapping_id, action_id) SELECT $5, a @@ -529,8 +529,8 @@ WITH $6::UUID[] IS NOT NULL AND NOT EXISTS ( SELECT 1 - FROM definition_value_entitlement_mapping_actions - WHERE definition_value_entitlement_mapping_id = $5 AND action_id = a + FROM dynamic_value_mapping_actions + WHERE dynamic_value_mapping_id = $5 AND action_id = a ) ), update_count AS ( @@ -541,7 +541,7 @@ SELECT cnt FROM update_count ` -type updateDefinitionValueEntitlementMappingParams struct { +type updateDynamicValueMappingParams struct { Metadata []byte `json:"metadata"` SubjectExternalSelectorValue pgtype.Text `json:"subject_external_selector_value"` Operator pgtype.Int2 `json:"operator"` @@ -550,11 +550,11 @@ type updateDefinitionValueEntitlementMappingParams struct { ActionIds []string `json:"action_ids"` } -// updateDefinitionValueEntitlementMapping +// updateDynamicValueMapping // // WITH // mapping_update AS ( -// UPDATE definition_value_entitlement_mappings +// UPDATE dynamic_value_mappings // SET // metadata = COALESCE($1::JSONB, metadata), // subject_external_selector_value = COALESCE($2::TEXT, subject_external_selector_value), 
@@ -564,14 +564,14 @@ type updateDefinitionValueEntitlementMappingParams struct { // RETURNING id // ), // action_delete AS ( -// DELETE FROM definition_value_entitlement_mapping_actions +// DELETE FROM dynamic_value_mapping_actions // WHERE -// definition_value_entitlement_mapping_id = $5 +// dynamic_value_mapping_id = $5 // AND $6::UUID[] IS NOT NULL // AND action_id NOT IN (SELECT unnest($6::UUID[])) // ), // action_insert AS ( -// INSERT INTO definition_value_entitlement_mapping_actions (definition_value_entitlement_mapping_id, action_id) +// INSERT INTO dynamic_value_mapping_actions (dynamic_value_mapping_id, action_id) // SELECT // $5, // a @@ -580,8 +580,8 @@ type updateDefinitionValueEntitlementMappingParams struct { // $6::UUID[] IS NOT NULL // AND NOT EXISTS ( // SELECT 1 -// FROM definition_value_entitlement_mapping_actions -// WHERE definition_value_entitlement_mapping_id = $5 AND action_id = a +// FROM dynamic_value_mapping_actions +// WHERE dynamic_value_mapping_id = $5 AND action_id = a // ) // ), // update_count AS ( @@ -590,8 +590,8 @@ type updateDefinitionValueEntitlementMappingParams struct { // ) // SELECT cnt // FROM update_count -func (q *Queries) updateDefinitionValueEntitlementMapping(ctx context.Context, arg updateDefinitionValueEntitlementMappingParams) (int64, error) { - result, err := q.db.Exec(ctx, updateDefinitionValueEntitlementMapping, +func (q *Queries) updateDynamicValueMapping(ctx context.Context, arg updateDynamicValueMappingParams) (int64, error) { + result, err := q.db.Exec(ctx, updateDynamicValueMapping, arg.Metadata, arg.SubjectExternalSelectorValue, arg.Operator, diff --git a/service/policy/db/migrations/20260604000000_add_definition_value_entitlement_mappings.sql b/service/policy/db/migrations/20260604000000_add_definition_value_entitlement_mappings.sql deleted file mode 100644 index 5c0a78f6f3..0000000000 --- a/service/policy/db/migrations/20260604000000_add_definition_value_entitlement_mappings.sql +++ /dev/null 
@@ -1,61 +0,0 @@ --- +goose Up --- +goose StatementBegin - --- Definition Value Entitlement Mappings raise entitlement authority from a concrete --- attribute value to the attribute definition. A single mapping resolves entitlement for --- dynamically-requested values under the definition by comparing the requested resource --- value segment against the entity representation (the value_resolver), optionally gated --- by a static SubjectConditionSet. -CREATE TABLE IF NOT EXISTS definition_value_entitlement_mappings ( - id UUID PRIMARY KEY DEFAULT gen_random_uuid(), - attribute_definition_id UUID NOT NULL REFERENCES attribute_definitions(id) ON DELETE CASCADE, - -- value_resolver: selector against the flattened entity representation + dynamic operator - subject_external_selector_value TEXT NOT NULL, - operator SMALLINT NOT NULL, - -- optional static pre-gate, evaluated with normal SubjectConditionSet semantics - subject_condition_set_id UUID REFERENCES subject_condition_set(id) ON DELETE CASCADE, - namespace_id UUID REFERENCES attribute_namespaces(id) ON DELETE CASCADE, - metadata JSONB, - created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP, - updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP -); - -COMMENT ON TABLE definition_value_entitlement_mappings IS 'Definition-scoped dynamic value entitlement mappings (DSPX-2754)'; -COMMENT ON COLUMN definition_value_entitlement_mappings.subject_external_selector_value IS 'Selector resolved against the entity representation, compared to the requested resource value segment'; -COMMENT ON COLUMN definition_value_entitlement_mappings.operator IS 'policy.DynamicValueOperatorEnum value'; - -CREATE TRIGGER definition_value_entitlement_mappings_updated_at - BEFORE UPDATE ON definition_value_entitlement_mappings - FOR EACH ROW - EXECUTE FUNCTION update_updated_at(); - -CREATE TABLE IF NOT EXISTS definition_value_entitlement_mapping_actions ( - definition_value_entitlement_mapping_id UUID NOT 
NULL REFERENCES definition_value_entitlement_mappings(id) ON DELETE CASCADE, - action_id UUID NOT NULL REFERENCES actions(id) ON DELETE CASCADE, - PRIMARY KEY (definition_value_entitlement_mapping_id, action_id) -); - -CREATE INDEX idx_definition_value_entitlement_mappings_definition_id - ON definition_value_entitlement_mappings(attribute_definition_id); -CREATE INDEX idx_definition_value_entitlement_mappings_scs_id - ON definition_value_entitlement_mappings(subject_condition_set_id); -CREATE INDEX idx_definition_value_entitlement_mappings_namespace_id - ON definition_value_entitlement_mappings(namespace_id); --- No separate index on definition_value_entitlement_mapping_actions: its composite --- PRIMARY KEY (definition_value_entitlement_mapping_id, action_id) already covers lookups. - --- +goose StatementEnd - --- +goose Down --- +goose StatementBegin - -DROP INDEX IF EXISTS idx_definition_value_entitlement_mappings_namespace_id; -DROP INDEX IF EXISTS idx_definition_value_entitlement_mappings_scs_id; -DROP INDEX IF EXISTS idx_definition_value_entitlement_mappings_definition_id; - -DROP TABLE IF EXISTS definition_value_entitlement_mapping_actions; - -DROP TRIGGER IF EXISTS definition_value_entitlement_mappings_updated_at ON definition_value_entitlement_mappings; -DROP TABLE IF EXISTS definition_value_entitlement_mappings; - --- +goose StatementEnd diff --git a/service/policy/db/migrations/20260604000000_add_dynamic_value_mappings.sql b/service/policy/db/migrations/20260604000000_add_dynamic_value_mappings.sql new file mode 100644 index 0000000000..6597231a8b --- /dev/null +++ b/service/policy/db/migrations/20260604000000_add_dynamic_value_mappings.sql 
@@ -0,0 +1,61 @@ +-- +goose Up +-- +goose StatementBegin + +-- Dynamic Value Mappings raise entitlement authority from a concrete +-- attribute value to the attribute definition. A single mapping resolves entitlement for +-- dynamically-requested values under the definition by comparing the requested resource +-- value segment against the entity representation (the value_resolver), optionally gated +-- by a static SubjectConditionSet. +CREATE TABLE IF NOT EXISTS dynamic_value_mappings ( + id UUID PRIMARY KEY DEFAULT gen_random_uuid(), + attribute_definition_id UUID NOT NULL REFERENCES attribute_definitions(id) ON DELETE CASCADE, + -- value_resolver: selector against the flattened entity representation + dynamic operator + subject_external_selector_value TEXT NOT NULL, + operator SMALLINT NOT NULL, + -- optional static pre-gate, evaluated with normal SubjectConditionSet semantics + subject_condition_set_id UUID REFERENCES subject_condition_set(id) ON DELETE CASCADE, + namespace_id UUID REFERENCES attribute_namespaces(id) ON DELETE CASCADE, + metadata JSONB, + created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP, + updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP +); + +COMMENT ON TABLE dynamic_value_mappings IS 'Definition-scoped dynamic value entitlement mappings (DSPX-2754)'; +COMMENT ON COLUMN dynamic_value_mappings.subject_external_selector_value IS 'Selector resolved against the entity representation, compared to the requested resource value segment'; +COMMENT ON COLUMN dynamic_value_mappings.operator IS 'policy.DynamicValueOperatorEnum value'; + +CREATE TRIGGER dynamic_value_mappings_updated_at + BEFORE UPDATE ON dynamic_value_mappings + FOR EACH ROW + EXECUTE FUNCTION update_updated_at(); + +CREATE TABLE IF NOT EXISTS dynamic_value_mapping_actions ( + dynamic_value_mapping_id UUID NOT NULL REFERENCES dynamic_value_mappings(id) ON DELETE CASCADE, + action_id UUID NOT NULL REFERENCES actions(id) ON DELETE CASCADE, + 
PRIMARY KEY (dynamic_value_mapping_id, action_id) +); + +CREATE INDEX idx_dynamic_value_mappings_definition_id + ON dynamic_value_mappings(attribute_definition_id); +CREATE INDEX idx_dynamic_value_mappings_scs_id + ON dynamic_value_mappings(subject_condition_set_id); +CREATE INDEX idx_dynamic_value_mappings_namespace_id + ON dynamic_value_mappings(namespace_id); +-- No separate index on dynamic_value_mapping_actions: its composite +-- PRIMARY KEY (dynamic_value_mapping_id, action_id) already covers lookups. + +-- +goose StatementEnd + +-- +goose Down +-- +goose StatementBegin + +DROP INDEX IF EXISTS idx_dynamic_value_mappings_namespace_id; +DROP INDEX IF EXISTS idx_dynamic_value_mappings_scs_id; +DROP INDEX IF EXISTS idx_dynamic_value_mappings_definition_id; + +DROP TABLE IF EXISTS dynamic_value_mapping_actions; + +DROP TRIGGER IF EXISTS dynamic_value_mappings_updated_at ON dynamic_value_mappings; +DROP TABLE IF EXISTS dynamic_value_mappings; + +-- +goose StatementEnd diff --git a/service/policy/db/models.go b/service/policy/db/models.go index 9b8f16e38f..b61f8ca3c6 100644 --- a/service/policy/db/models.go +++ b/service/policy/db/models.go @@ -235,7 +235,7 @@ type BaseKey struct { } // Definition-scoped dynamic value entitlement mappings (DSPX-2754) -type DefinitionValueEntitlementMapping struct { +type DynamicValueMapping struct { ID string `json:"id"` AttributeDefinitionID string `json:"attribute_definition_id"` // Selector resolved against the entity representation, compared to the requested resource value segment 
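Review bot: The new `dynamic_value_mappings` table accepts any `operator` number and an empty `subject_external_selector_value`, because both columns are constrained only by `NOT NULL`; these rows drive entitlement decisions, so the schema should reject values the evaluator has no defined meaning for. I would write `operator SMALLINT NOT NULL CHECK (operator > 0),` and `subject_external_selector_value TEXT NOT NULL CHECK (subject_external_selector_value <> ''),`, assuming 0 is the UNSPECIFIED member of policy.DynamicValueOperatorEnum as is conventional for protobuf enums. The evaluator is not visible in this hunk, so how it treats such rows today is unknown. Separately, this file keeps the version prefix 20260604000000 of the migration deleted just above, so a database that already applied the old file would likely be treated by goose as up to date and keep the old table names; if any such environment exists, a follow-up rename migration with a new version is safer.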
@@ -249,9 +249,9 @@ type DefinitionValueEntitlementMapping struct { UpdatedAt pgtype.Timestamptz `json:"updated_at"` } -type DefinitionValueEntitlementMappingAction struct { - DefinitionValueEntitlementMappingID string `json:"definition_value_entitlement_mapping_id"` - ActionID string `json:"action_id"` +type DynamicValueMappingAction struct { + DynamicValueMappingID string `json:"dynamic_value_mapping_id"` + ActionID string `json:"action_id"` } // Table to store the known registrations of key access servers (KASs) diff --git a/service/policy/db/queries/definition_value_entitlement_mappings.sql b/service/policy/db/queries/dynamic_value_mappings.sql similarity index 79% rename from service/policy/db/queries/definition_value_entitlement_mappings.sql rename to service/policy/db/queries/dynamic_value_mappings.sql index 6d9c8c6c30..2b9de5074d 100644 --- a/service/policy/db/queries/definition_value_entitlement_mappings.sql +++ b/service/policy/db/queries/dynamic_value_mappings.sql @@ -2,7 +2,7 @@ -- DEFINITION VALUE ENTITLEMENT MAPPINGS ---------------------------------------------------------------- --- name: listDefinitionValueEntitlementMappings :many +-- name: listDynamicValueMappings :many WITH params AS ( SELECT COALESCE(NULLIF(@sort_field::text, ''), 'created_at') AS resolved_field, @@ -11,7 +11,7 @@ WITH params AS ( mapping_actions AS ( SELECT dvm.action_id, - dvm.definition_value_entitlement_mapping_id, + dvm.dynamic_value_mapping_id, JSONB_BUILD_OBJECT( 'id', a.id, 'name', a.name, 
@@ -19,21 +19,21 @@ mapping_actions AS ( ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn) END ) AS action - FROM definition_value_entitlement_mapping_actions dvm + FROM dynamic_value_mapping_actions dvm JOIN actions a ON dvm.action_id = a.id LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL ), definition_actions AS ( SELECT - definition_value_entitlement_mapping_id, + dynamic_value_mapping_id, COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions FROM mapping_actions - GROUP BY definition_value_entitlement_mapping_id + GROUP BY dynamic_value_mapping_id ), counted AS ( SELECT COUNT(dvem.id) AS total - FROM definition_value_entitlement_mappings dvem + FROM dynamic_value_mappings dvem LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL WHERE @@ -54,10 +54,10 @@ SELECT ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn) END AS namespace, counted.total -FROM definition_value_entitlement_mappings dvem +FROM dynamic_value_mappings dvem CROSS JOIN counted CROSS JOIN params p -LEFT JOIN definition_actions da ON dvem.id = da.definition_value_entitlement_mapping_id +LEFT JOIN definition_actions da ON dvem.id = da.dynamic_value_mapping_id LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL WHERE 
@@ -80,11 +80,11 @@ ORDER BY LIMIT @limit_ OFFSET @offset_; --- name: getDefinitionValueEntitlementMapping :one +-- name: getDynamicValueMapping :one WITH mapping_actions AS ( SELECT dvm.action_id, - dvm.definition_value_entitlement_mapping_id, + dvm.dynamic_value_mapping_id, JSONB_BUILD_OBJECT( 'id', a.id, 'name', a.name, @@ -92,18 +92,18 @@ WITH mapping_actions AS ( ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn) END ) AS action - FROM definition_value_entitlement_mapping_actions dvm + FROM dynamic_value_mapping_actions dvm JOIN actions a ON dvm.action_id = a.id LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL - WHERE dvm.definition_value_entitlement_mapping_id = @id + WHERE dvm.dynamic_value_mapping_id = @id ), definition_actions AS ( SELECT - definition_value_entitlement_mapping_id, + dynamic_value_mapping_id, COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions FROM mapping_actions - GROUP BY definition_value_entitlement_mapping_id + GROUP BY dynamic_value_mapping_id ) SELECT dvem.id, 
@@ -117,15 +117,15 @@ SELECT WHEN dvem.namespace_id IS NULL THEN NULL ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn) END AS namespace -FROM definition_value_entitlement_mappings dvem -LEFT JOIN definition_actions da ON dvem.id = da.definition_value_entitlement_mapping_id +FROM dynamic_value_mappings dvem +LEFT JOIN definition_actions da ON dvem.id = da.dynamic_value_mapping_id LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL WHERE dvem.id = @id; --- name: createDefinitionValueEntitlementMapping :one +-- name: createDynamicValueMapping :one WITH inserted_mapping AS ( - INSERT INTO definition_value_entitlement_mappings ( + INSERT INTO dynamic_value_mappings ( attribute_definition_id, subject_external_selector_value, operator, @@ -144,17 +144,17 @@ WITH inserted_mapping AS ( RETURNING id ), inserted_actions AS ( - INSERT INTO definition_value_entitlement_mapping_actions (definition_value_entitlement_mapping_id, action_id) + INSERT INTO dynamic_value_mapping_actions (dynamic_value_mapping_id, action_id) SELECT (SELECT id FROM inserted_mapping), unnest(sqlc.arg('action_ids')::uuid[]) ) SELECT id FROM inserted_mapping; --- name: updateDefinitionValueEntitlementMapping :execrows +-- name: updateDynamicValueMapping :execrows WITH mapping_update AS ( - UPDATE definition_value_entitlement_mappings + UPDATE dynamic_value_mappings SET metadata = COALESCE(sqlc.narg('metadata')::JSONB, metadata), subject_external_selector_value = COALESCE(sqlc.narg('subject_external_selector_value')::TEXT, subject_external_selector_value), 
@@ -164,14 +164,14 @@ WITH RETURNING id ), action_delete AS ( - DELETE FROM definition_value_entitlement_mapping_actions + DELETE FROM dynamic_value_mapping_actions WHERE - definition_value_entitlement_mapping_id = sqlc.arg('id') + dynamic_value_mapping_id = sqlc.arg('id') AND sqlc.narg('action_ids')::UUID[] IS NOT NULL AND action_id NOT IN (SELECT unnest(sqlc.narg('action_ids')::UUID[])) ), action_insert AS ( - INSERT INTO definition_value_entitlement_mapping_actions (definition_value_entitlement_mapping_id, action_id) + INSERT INTO dynamic_value_mapping_actions (dynamic_value_mapping_id, action_id) SELECT sqlc.arg('id'), a @@ -180,8 +180,8 @@ WITH sqlc.narg('action_ids')::UUID[] IS NOT NULL AND NOT EXISTS ( SELECT 1 - FROM definition_value_entitlement_mapping_actions - WHERE definition_value_entitlement_mapping_id = sqlc.arg('id') AND action_id = a + FROM dynamic_value_mapping_actions + WHERE dynamic_value_mapping_id = sqlc.arg('id') AND action_id = a ) ), update_count AS ( @@ -191,8 +191,8 @@ WITH SELECT cnt FROM update_count; --- name: deleteDefinitionValueEntitlementMapping :execrows -DELETE FROM definition_value_entitlement_mappings WHERE id = $1; +-- name: deleteDynamicValueMapping :execrows +DELETE FROM dynamic_value_mappings WHERE id = $1; -- name: countValueSubjectMappingsByDefinitionID :one -- Counts value-level subject mappings whose attribute value belongs to the given @@ -202,11 +202,11 @@ FROM subject_mappings sm JOIN attribute_values av ON sm.attribute_value_id = av.id WHERE av.attribute_definition_id = $1; --- name: countDefinitionValueEntitlementMappingsByDefinitionID :one +-- name: countDynamicValueMappingsByDefinitionID :one -- Counts dynamic value entitlement mappings on the given definition. Used to enforce -- no-coexistence from the subject-mapping create path. SELECT COUNT(id) -FROM definition_value_entitlement_mappings +FROM dynamic_value_mappings WHERE attribute_definition_id = $1; -- name: getAttributeDefinitionIDByValueID :one 
diff --git a/service/policy/db/subject_mappings.go b/service/policy/db/subject_mappings.go index a2c978d91f..13d47416c1 100644 --- a/service/policy/db/subject_mappings.go +++ b/service/policy/db/subject_mappings.go @@ -267,7 +267,7 @@ func (c PolicyDBClient) CreateSubjectMapping(ctx context.Context, s *subjectmapp // Enforce no-coexistence: a value-level subject mapping cannot be created on a // definition that already has a dynamic value entitlement mapping (DSPX-2754 / ADR 0005). - if err := c.ensureNoDefinitionValueEntitlementMappingCoexistence(ctx, attributeValueID); err != nil { + if err := c.ensureNoDynamicValueMappingCoexistence(ctx, attributeValueID); err != nil { return nil, err } diff --git a/service/policy/db/utils.go b/service/policy/db/utils.go index d4eed94fce..7330819eb7 100644 --- a/service/policy/db/utils.go +++ b/service/policy/db/utils.go @@ -10,6 +10,7 @@ import ( "github.com/opentdf/platform/protocol/go/common" "github.com/opentdf/platform/protocol/go/policy" "github.com/opentdf/platform/protocol/go/policy/attributes" + "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping" "github.com/opentdf/platform/protocol/go/policy/kasregistry" "github.com/opentdf/platform/protocol/go/policy/namespaces" "github.com/opentdf/platform/protocol/go/policy/obligations" 
@@ -404,24 +405,24 @@ func GetSubjectMappingsSortParams(sort []*subjectmapping.SubjectMappingsSort) (s return getSubjectMappingsSortField(sort[0].GetField()), getSortDirection(sort[0].GetDirection()) } -func getDefinitionValueEntitlementMappingsSortField(field subjectmapping.SortDefinitionValueEntitlementMappingsType) string { +func getDynamicValueMappingsSortField(field dynamicvaluemapping.SortDynamicValueMappingsType) string { switch field { - case subjectmapping.SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT: + case dynamicvaluemapping.SortDynamicValueMappingsType_SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_CREATED_AT: return sortFieldCreatedAt - case subjectmapping.SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT: + case dynamicvaluemapping.SortDynamicValueMappingsType_SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UPDATED_AT: return sortFieldUpdatedAt - case subjectmapping.SortDefinitionValueEntitlementMappingsType_SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED: + case dynamicvaluemapping.SortDynamicValueMappingsType_SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UNSPECIFIED: fallthrough default: return "" } } -func GetDefinitionValueEntitlementMappingsSortParams(sort []*subjectmapping.DefinitionValueEntitlementMappingsSort) (string, string) { +func GetDynamicValueMappingsSortParams(sort []*dynamicvaluemapping.DynamicValueMappingsSort) (string, string) { if len(sort) == 0 { return "", "" } - return getDefinitionValueEntitlementMappingsSortField(sort[0].GetField()), getSortDirection(sort[0].GetDirection()) + return getDynamicValueMappingsSortField(sort[0].GetField()), getSortDirection(sort[0].GetDirection()) } func UUIDToString(uuid pgtype.UUID) string { diff --git a/service/policy/dynamicvaluemapping/dynamic_value_mapping.go b/service/policy/dynamicvaluemapping/dynamic_value_mapping.go new file mode 100644 index 0000000000..3166f65462 --- /dev/null 
+++ b/service/policy/dynamicvaluemapping/dynamic_value_mapping.go 
@@ -0,0 +1,189 @@
+package dynamicvaluemapping
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "log/slog"
+
+ "connectrpc.com/connect"
+ dvm "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping"
+ "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping/dynamicvaluemappingconnect"
+ "github.com/opentdf/platform/service/logger"
+ "github.com/opentdf/platform/service/logger/audit"
+ "github.com/opentdf/platform/service/pkg/config"
+ "github.com/opentdf/platform/service/pkg/db"
+ "github.com/opentdf/platform/service/pkg/serviceregistry"
+ policyconfig "github.com/opentdf/platform/service/policy/config"
+ policydb "github.com/opentdf/platform/service/policy/db"
+)
+
+type DynamicValueMappingService struct { //nolint:revive // descriptive name mirrors the policy object
+ dbClient policydb.PolicyDBClient
+ logger *logger.Logger
+ config *policyconfig.Config
+}
+
+func OnConfigUpdate(svc *DynamicValueMappingService) serviceregistry.OnConfigUpdateHook {
+ return func(_ context.Context, cfg config.ServiceConfig) error {
+ sharedCfg, err := policyconfig.GetSharedPolicyConfig(cfg)
+ if err != nil {
+ return fmt.Errorf("failed to get shared policy config: %w", err)
+ }
+ svc.config = sharedCfg
+ svc.dbClient = policydb.NewClient(svc.dbClient.Client, svc.logger, int32(sharedCfg.ListRequestLimitMax), int32(sharedCfg.ListRequestLimitDefault))
+ svc.logger.Info("dynamic value mapping service config reloaded")
+ return nil
+ }
+}
+
+func NewRegistration(ns string, dbRegister serviceregistry.DBRegister) *serviceregistry.Service[dynamicvaluemappingconnect.DynamicValueMappingServiceHandler] {
+ svc := new(DynamicValueMappingService)
+ onUpdateConfigHook := OnConfigUpdate(svc)
+
+ return &serviceregistry.Service[dynamicvaluemappingconnect.DynamicValueMappingServiceHandler]{
+ Close: svc.Close,
+ ServiceOptions: serviceregistry.ServiceOptions[dynamicvaluemappingconnect.DynamicValueMappingServiceHandler]{
+ Namespace: ns,
+ DB: dbRegister,
+ ServiceDesc: &dvm.DynamicValueMappingService_ServiceDesc,
+ ConnectRPCFunc: dynamicvaluemappingconnect.NewDynamicValueMappingServiceHandler,
+ OnConfigUpdate: onUpdateConfigHook,
+ RegisterFunc: func(srp serviceregistry.RegistrationParams) (dynamicvaluemappingconnect.DynamicValueMappingServiceHandler, serviceregistry.HandlerServer) {
+ logger := srp.Logger
+ cfg, err := policyconfig.GetSharedPolicyConfig(srp.Config)
+ if err != nil {
+ logger.Error("error getting dynamic value mapping service policy config", slog.String("error", err.Error()))
+ panic(err)
+ }
+
+ svc.logger = logger
+ svc.dbClient = policydb.NewClient(srp.DBClient, logger, int32(cfg.ListRequestLimitMax), int32(cfg.ListRequestLimitDefault))
+ svc.config = cfg
+ return svc, nil
+ },
+ },
+ }
+}
+
+// Close gracefully shuts down the service, closing the database client.
+func (s *DynamicValueMappingService) Close() {
+ s.logger.Info("gracefully shutting down dynamic value mapping service")
+ s.dbClient.Close()
+}
+
+func (s DynamicValueMappingService) CreateDynamicValueMapping(ctx context.Context,
+ req *connect.Request[dvm.CreateDynamicValueMappingRequest],
+) (*connect.Response[dvm.CreateDynamicValueMappingResponse], error) {
+ rsp := &dvm.CreateDynamicValueMappingResponse{}
+ s.logger.DebugContext(ctx, "creating dynamic value mapping")
+ if s.config.NamespacedPolicy && req.Msg.GetNamespaceId() == "" && req.Msg.GetNamespaceFqn() == "" {
+ return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("either namespace_id or namespace_fqn must be provided"))
+ }
+
+ auditParams := audit.PolicyEventParams{
+ ActionType: audit.ActionTypeCreate,
+ ObjectType: audit.ObjectTypeDynamicValueMapping,
+ }
+
+ // Creation may involve action or SubjectConditionSet creation, so use a transaction.
+ err := s.dbClient.RunInTx(ctx, func(txClient *policydb.PolicyDBClient) error {
+ mapping, err := txClient.CreateDynamicValueMapping(ctx, req.Msg)
+ if err != nil {
+ s.logger.Audit.PolicyCRUDFailure(ctx, auditParams)
+ return err
+ }
+
+ auditParams.ObjectID = mapping.GetId()
+ auditParams.Original = mapping
+ s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams)
+
+ rsp.DynamicValueMapping = mapping
+ return nil
+ })
+ if err != nil {
+ return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextCreationFailed, slog.String("dynamicValueMapping", req.Msg.String()))
+ }
+ return connect.NewResponse(rsp), nil
+}
+
+func (s DynamicValueMappingService) ListDynamicValueMappings(ctx context.Context,
+ req *connect.Request[dvm.ListDynamicValueMappingsRequest],
+) (*connect.Response[dvm.ListDynamicValueMappingsResponse], error) {
+ s.logger.DebugContext(ctx, "listing dynamic value mappings")
+
+ rsp, err := s.dbClient.ListDynamicValueMappings(ctx, req.Msg)
+ if err != nil {
+ return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextListRetrievalFailed)
+ }
+ return connect.NewResponse(rsp), nil
+}
+
+func (s DynamicValueMappingService) GetDynamicValueMapping(ctx context.Context,
+ req *connect.Request[dvm.GetDynamicValueMappingRequest],
+) (*connect.Response[dvm.GetDynamicValueMappingResponse], error) {
+ s.logger.DebugContext(ctx, "getting dynamic value mapping", slog.String("id", req.Msg.GetId()))
+
+ mapping, err := s.dbClient.GetDynamicValueMapping(ctx, req.Msg.GetId())
+ if err != nil {
+ return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextGetRetrievalFailed, slog.String("id", req.Msg.GetId()))
+ }
+ return connect.NewResponse(&dvm.GetDynamicValueMappingResponse{DynamicValueMapping: mapping}), nil
+}
+
+func (s DynamicValueMappingService) UpdateDynamicValueMapping(ctx context.Context,
+ req *connect.Request[dvm.UpdateDynamicValueMappingRequest],
+) (*connect.Response[dvm.UpdateDynamicValueMappingResponse], error) {
+ rsp := &dvm.UpdateDynamicValueMappingResponse{}
+ id := req.Msg.GetId()
+ s.logger.DebugContext(ctx, "updating dynamic value mapping", slog.String("id", id))
+
+ auditParams := audit.PolicyEventParams{
+ ActionType: audit.ActionTypeUpdate,
+ ObjectType: audit.ObjectTypeDynamicValueMapping,
+ ObjectID: id,
+ }
+
+ original, err := s.dbClient.GetDynamicValueMapping(ctx, id)
+ if err != nil {
+ s.logger.Audit.PolicyCRUDFailure(ctx, auditParams)
+ return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextGetRetrievalFailed, slog.String("id", id))
+ }
+
+ updated, err := s.dbClient.UpdateDynamicValueMapping(ctx, req.Msg)
+ if err != nil {
+ s.logger.Audit.PolicyCRUDFailure(ctx, auditParams)
+ return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextUpdateFailed, slog.String("id", id), slog.String("dynamicValueMapping", req.Msg.String()))
+ }
+
+ auditParams.Original = original
+ auditParams.Updated = updated
+ s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams)
+
+ rsp.DynamicValueMapping = updated
+ return connect.NewResponse(rsp), nil
+}
+
+func (s DynamicValueMappingService) DeleteDynamicValueMapping(ctx context.Context,
+ req *connect.Request[dvm.DeleteDynamicValueMappingRequest],
+) (*connect.Response[dvm.DeleteDynamicValueMappingResponse], error) {
+ rsp := &dvm.DeleteDynamicValueMappingResponse{}
+ id := req.Msg.GetId()
+ s.logger.DebugContext(ctx, "deleting dynamic value mapping", slog.String("id", id))
+
+ auditParams := audit.PolicyEventParams{
+ ActionType: audit.ActionTypeDelete,
+ ObjectType: audit.ObjectTypeDynamicValueMapping,
+ ObjectID: id,
+ }
+
+ deleted, err := s.dbClient.DeleteDynamicValueMapping(ctx, id)
+ if err != nil {
+ s.logger.Audit.PolicyCRUDFailure(ctx, auditParams)
+ return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextDeletionFailed, slog.String("id", id))
+ }
+
+ s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams)
+ rsp.DynamicValueMapping = deleted
+ return connect.NewResponse(rsp), nil
+}
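Review bot: In `CreateDynamicValueMapping`, `s.logger.Audit.PolicyCRUDSuccess` is emitted inside the `RunInTx` callback, so (assuming `RunInTx` commits only after the callback returns nil) the audit trail can record a successful create for a mapping that is rolled back when the commit fails, and that commit failure produces no `PolicyCRUDFailure` event at all. Because this object grants entitlements at the definition level, the audit record should reflect the committed state: keep only the DB call inside the callback and emit success or failure after `RunInTx` returns, as sketched below. Separately, `UpdateDynamicValueMapping` reads `original` and then updates in two independent calls, so under concurrent updates the `Original` in the audit event may not be the row that was actually replaced; running both in one transaction would close that gap.

```go
// … unchanged: namespace check and auditParams setup …
err := s.dbClient.RunInTx(ctx, func(txClient *policydb.PolicyDBClient) error {
	mapping, err := txClient.CreateDynamicValueMapping(ctx, req.Msg)
	if err != nil {
		return err
	}
	rsp.DynamicValueMapping = mapping
	return nil
})
if err != nil {
	// Covers a failed insert as well as a failed commit.
	s.logger.Audit.PolicyCRUDFailure(ctx, auditParams)
	return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextCreationFailed, slog.String("dynamicValueMapping", req.Msg.String()))
}
// Emit the success event only once the transaction has committed.
auditParams.ObjectID = rsp.DynamicValueMapping.GetId()
auditParams.Original = rsp.DynamicValueMapping
s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams)
return connect.NewResponse(rsp), nil
```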
diff --git a/service/policy/dynamicvaluemapping/dynamic_value_mapping.proto b/service/policy/dynamicvaluemapping/dynamic_value_mapping.proto new file mode 100644 index 0000000000..a16d3aedd4 --- /dev/null +++ b/service/policy/dynamicvaluemapping/dynamic_value_mapping.proto 
@@ -0,0 +1,173 @@ +syntax = "proto3"; + +package policy.dynamicvaluemapping; + +import "buf/validate/validate.proto"; +import "common/common.proto"; +import "policy/objects.proto"; +import "policy/selectors.proto"; +import "policy/subjectmapping/subject_mapping.proto"; + +/* + Dynamic Value Mapping CRUD operations + + A DynamicValueMapping raises entitlement authority from a concrete AttributeValue to the + AttributeDefinition: at decision time the value_resolver compares the requested resource + value segment against the entity representation, avoiding pre-provisioning a value + + subject mapping per discrete value. +*/ + +message GetDynamicValueMappingRequest { + // Required + string id = 1 [(buf.validate.field).string.uuid = true]; +} +message GetDynamicValueMappingResponse { + policy.DynamicValueMapping dynamic_value_mapping = 1; +} + +enum SortDynamicValueMappingsType { + SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UNSPECIFIED = 0; + SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_CREATED_AT = 1; + SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UPDATED_AT = 2; +} + +message DynamicValueMappingsSort { + SortDynamicValueMappingsType field = 1 [(buf.validate.field).enum.defined_only = true]; + policy.SortDirection direction = 2 [(buf.validate.field).enum.defined_only = true]; +} + +message ListDynamicValueMappingsRequest { + // Optional + // Namespace ID, or Attribute Definition ID to filter by + string namespace_id = 1 [(buf.validate.field).cel = { + id: "optional_uuid_format" + message: "Optional field must be a valid UUID" + expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" + }]; + string attribute_definition_id = 2 [(buf.validate.field).cel = { + id: "optional_uuid_format" + message: "Optional field must be a valid UUID" + expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" + }]; + + // Optional + policy.PageRequest pagination = 10; + + // Optional - 
CONSTRAINT: max 1 item + repeated DynamicValueMappingsSort sort = 11 [(buf.validate.field).repeated.max_items = 1]; +} +message ListDynamicValueMappingsResponse { + repeated policy.DynamicValueMapping dynamic_value_mappings = 1; + + policy.PageResponse pagination = 10; +} + +message CreateDynamicValueMappingRequest { + // Required: Attribute Definition ID or FQN to scope the mapping to + option (buf.validate.message).oneof = { + fields: ["attribute_definition_id", "attribute_definition_fqn"] + required: true + }; + string attribute_definition_id = 1 [(buf.validate.field).cel = { + id: "optional_uuid_format" + message: "Optional field must be a valid UUID" + expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" + }]; + string attribute_definition_fqn = 2 [ + (buf.validate.field).string = { + min_len: 0 + uri: true + } + ]; + + // Required: the dynamic resolver comparing entity selector result to the resource value segment + policy.DynamicValueResolver value_resolver = 3 [(buf.validate.field).required = true]; + + // Required: actions permitted on a matched value + repeated policy.Action actions = 4 [ + (buf.validate.field).repeated.min_items = 1, + (buf.validate.field).cel = { + id: "action_name_or_id_not_empty" + message: "Action name or ID must not be empty if provided" + expression: "this.all(item, item.name != '' || item.id != '')" + } + ]; + + // Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ... + string existing_subject_condition_set_id = 5 [(buf.validate.field).cel = { + id: "optional_uuid_format" + message: "Optional field must be a valid UUID" + expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" + }]; + // ... 
or create a new one (ignored if existing_subject_condition_set_id is provided) + policy.subjectmapping.SubjectConditionSetCreate new_subject_condition_set = 6; + + // Optional: namespace ID or FQN for the mapping + string namespace_id = 7 [(buf.validate.field).cel = { + id: "optional_uuid_format" + message: "Optional field must be a valid UUID" + expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" + }]; + string namespace_fqn = 8 [ + (buf.validate.field).string = { + min_len: 0 + uri: true + } + ]; + + // Optional + common.MetadataMutable metadata = 100; +} +message CreateDynamicValueMappingResponse { + policy.DynamicValueMapping dynamic_value_mapping = 1; +} + +message UpdateDynamicValueMappingRequest { + // Required + string id = 1 [(buf.validate.field).string.uuid = true]; + + // Optional: replace the dynamic resolver + policy.DynamicValueResolver value_resolver = 2; + + // Optional: replace the static pre-gate SubjectConditionSet by id + string subject_condition_set_id = 3 [(buf.validate.field).cel = { + id: "optional_uuid_format" + message: "Optional field must be a valid UUID" + expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" + }]; + + // Optional: replace the entire list of actions + repeated policy.Action actions = 4 [(buf.validate.field).cel = { + id: "action_name_or_id_not_empty" + message: "Action name or ID must not be empty if provided" + expression: "this.size() == 0 || this.all(item, item.name != '' || item.id != '')" + }]; + + // Common metadata + common.MetadataMutable metadata = 100; + common.MetadataUpdateEnum metadata_update_behavior = 101; +} +message UpdateDynamicValueMappingResponse { + policy.DynamicValueMapping dynamic_value_mapping = 1; +} + +message DeleteDynamicValueMappingRequest { + // Required + string id = 1 [(buf.validate.field).string.uuid = true]; +} +message 
DeleteDynamicValueMappingResponse { + // Only ID of the deleted mapping provided + policy.DynamicValueMapping dynamic_value_mapping = 1; +} + +service DynamicValueMappingService { + rpc ListDynamicValueMappings(ListDynamicValueMappingsRequest) returns (ListDynamicValueMappingsResponse) { + option idempotency_level = NO_SIDE_EFFECTS; + } + rpc GetDynamicValueMapping(GetDynamicValueMappingRequest) returns (GetDynamicValueMappingResponse) { + option idempotency_level = NO_SIDE_EFFECTS; + } + rpc CreateDynamicValueMapping(CreateDynamicValueMappingRequest) returns (CreateDynamicValueMappingResponse) {} + rpc UpdateDynamicValueMapping(UpdateDynamicValueMappingRequest) returns (UpdateDynamicValueMappingResponse) {} + rpc DeleteDynamicValueMapping(DeleteDynamicValueMappingRequest) returns (DeleteDynamicValueMappingResponse) {} +} diff --git a/service/policy/objects.proto b/service/policy/objects.proto index cc61258168..adac99663c 100644 --- a/service/policy/objects.proto +++ b/service/policy/objects.proto @@ -220,11 +220,11 @@ message SubjectMapping { } /* - Definition Value Resolver: the dynamic half of a DefinitionValueEntitlementMapping. It + Definition Value Resolver: the dynamic half of a DynamicValueMapping. It resolves a selector against the entity representation and compares the result to the requested resource value segment using a DynamicValueOperatorEnum. */ -message DefinitionValueResolver { +message DynamicValueResolver { // a selector for a field value on a flattened Entity Representation (such as from // idP/LDAP), e.g. ".patientAssignments[]" string subject_external_selector_value = 1 [(buf.validate.field).required = true]; 
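Review bot: The `optional_uuid_format` CEL rule on `namespace_id`, `attribute_definition_id`, `existing_subject_condition_set_id` and `subject_condition_set_id` in the new dynamic_value_mapping.proto is not anchored, and CEL `matches` succeeds on a partial match, so any string that merely contains a UUID passes validation and is handed to the DB layer. Anchor the pattern in the List, Create and Update messages: `this.matches('^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$')`. The commit message of PATCH 8/8 in this series says the Create request moves to direct uuid/uri rules; the List and Update fields in this hunk would need the same treatment.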
@@ -237,20 +237,20 @@ message DefinitionValueResolver { } /* - Definition Value Entitlement Mapping: a Policy assigning permitted action(s) to + Dynamic Value Mapping: a Policy assigning permitted action(s) to dynamically-requested values under an Attribute Definition. It raises entitlement authority from a concrete Attribute Value to the Attribute Definition: at decision time the value_resolver compares the requested resource value segment against the entity representation, avoiding pre-provisioning a value + subject mapping per discrete value. */ -message DefinitionValueEntitlementMapping { +message DynamicValueMapping { string id = 1; // the Attribute Definition whose values are entitled dynamically Attribute attribute_definition = 2; // the dynamic resolver matched against the requested resource value segment - DefinitionValueResolver value_resolver = 3; + DynamicValueResolver value_resolver = 3; // optional static pre-gate on the entity, evaluated with normal SubjectConditionSet // semantics (no dynamic overload). When present, both the gate and the resolver must diff --git a/service/policy/policy.go b/service/policy/policy.go index 4e1f479454..17273dbabf 100644 --- a/service/policy/policy.go +++ b/service/policy/policy.go @@ -7,6 +7,7 @@ import ( "github.com/opentdf/platform/service/policy/actions" "github.com/opentdf/platform/service/policy/attributes" "github.com/opentdf/platform/service/policy/db/migrations" + "github.com/opentdf/platform/service/policy/dynamicvaluemapping" "github.com/opentdf/platform/service/policy/kasregistry" "github.com/opentdf/platform/service/policy/keymanagement" "github.com/opentdf/platform/service/policy/namespaces" 
@@ -36,6 +37,7 @@ func NewRegistrations() []serviceregistry.IService { namespaces.NewRegistration(namespace, dbRegister), resourcemapping.NewRegistration(namespace, dbRegister), subjectmapping.NewRegistration(namespace, dbRegister), + dynamicvaluemapping.NewRegistration(namespace, dbRegister), kasregistry.NewRegistration(namespace, dbRegister), unsafe.NewRegistration(namespace, dbRegister), actions.NewRegistration(namespace, dbRegister), diff --git a/service/policy/subjectmapping/subject_mapping.go b/service/policy/subjectmapping/subject_mapping.go index 2577b53149..554a3c3ab3 100644 --- a/service/policy/subjectmapping/subject_mapping.go +++ b/service/policy/subjectmapping/subject_mapping.go 
@@ -397,123 +397,3 @@ func (s SubjectMappingService) DeleteAllUnmappedSubjectConditionSets(ctx context rsp.SubjectConditionSets = deleted return connect.NewResponse(rsp), nil } - -/* ----------------------------------------------------------------- - * --------- Definition Value Entitlement Mappings (DSPX-2754) ------ - * ----------------------------------------------------------------*/ - -func (s SubjectMappingService) CreateDefinitionValueEntitlementMapping(ctx context.Context, - req *connect.Request[sm.CreateDefinitionValueEntitlementMappingRequest], -) (*connect.Response[sm.CreateDefinitionValueEntitlementMappingResponse], error) { - rsp := &sm.CreateDefinitionValueEntitlementMappingResponse{} - s.logger.DebugContext(ctx, "creating definition value entitlement mapping") - if s.config.NamespacedPolicy && req.Msg.GetNamespaceId() == "" && req.Msg.GetNamespaceFqn() == "" { - return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("either namespace_id or namespace_fqn must be provided")) - } - - auditParams := audit.PolicyEventParams{ - ActionType: audit.ActionTypeCreate, - ObjectType: audit.ObjectTypeDefinitionValueEntitlementMapping, - } - - // Creation may involve action or SubjectConditionSet creation, so use a transaction. 
- err := s.dbClient.RunInTx(ctx, func(txClient *policydb.PolicyDBClient) error { - mapping, err := txClient.CreateDefinitionValueEntitlementMapping(ctx, req.Msg) - if err != nil { - s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) - return err - } - - auditParams.ObjectID = mapping.GetId() - auditParams.Original = mapping - s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams) - - rsp.DefinitionValueEntitlementMapping = mapping - return nil - }) - if err != nil { - return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextCreationFailed, slog.String("definitionValueEntitlementMapping", req.Msg.String())) - } - return connect.NewResponse(rsp), nil -} - -func (s SubjectMappingService) ListDefinitionValueEntitlementMappings(ctx context.Context, - req *connect.Request[sm.ListDefinitionValueEntitlementMappingsRequest], -) (*connect.Response[sm.ListDefinitionValueEntitlementMappingsResponse], error) { - s.logger.DebugContext(ctx, "listing definition value entitlement mappings") - - rsp, err := s.dbClient.ListDefinitionValueEntitlementMappings(ctx, req.Msg) - if err != nil { - return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextListRetrievalFailed) - } - return connect.NewResponse(rsp), nil -} - -func (s SubjectMappingService) GetDefinitionValueEntitlementMapping(ctx context.Context, - req *connect.Request[sm.GetDefinitionValueEntitlementMappingRequest], -) (*connect.Response[sm.GetDefinitionValueEntitlementMappingResponse], error) { - s.logger.DebugContext(ctx, "getting definition value entitlement mapping", slog.String("id", req.Msg.GetId())) - - mapping, err := s.dbClient.GetDefinitionValueEntitlementMapping(ctx, req.Msg.GetId()) - if err != nil { - return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextGetRetrievalFailed, slog.String("id", req.Msg.GetId())) - } - return connect.NewResponse(&sm.GetDefinitionValueEntitlementMappingResponse{DefinitionValueEntitlementMapping: mapping}), nil -} - -func (s SubjectMappingService) 
UpdateDefinitionValueEntitlementMapping(ctx context.Context, - req *connect.Request[sm.UpdateDefinitionValueEntitlementMappingRequest], -) (*connect.Response[sm.UpdateDefinitionValueEntitlementMappingResponse], error) { - rsp := &sm.UpdateDefinitionValueEntitlementMappingResponse{} - id := req.Msg.GetId() - s.logger.DebugContext(ctx, "updating definition value entitlement mapping", slog.String("id", id)) - - auditParams := audit.PolicyEventParams{ - ActionType: audit.ActionTypeUpdate, - ObjectType: audit.ObjectTypeDefinitionValueEntitlementMapping, - ObjectID: id, - } - - original, err := s.dbClient.GetDefinitionValueEntitlementMapping(ctx, id) - if err != nil { - s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) - return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextGetRetrievalFailed, slog.String("id", id)) - } - - updated, err := s.dbClient.UpdateDefinitionValueEntitlementMapping(ctx, req.Msg) - if err != nil { - s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) - return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextUpdateFailed, slog.String("id", id), slog.String("definitionValueEntitlementMapping", req.Msg.String())) - } - - auditParams.Original = original - auditParams.Updated = updated - s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams) - - rsp.DefinitionValueEntitlementMapping = updated - return connect.NewResponse(rsp), nil -} - -func (s SubjectMappingService) DeleteDefinitionValueEntitlementMapping(ctx context.Context, - req *connect.Request[sm.DeleteDefinitionValueEntitlementMappingRequest], -) (*connect.Response[sm.DeleteDefinitionValueEntitlementMappingResponse], error) { - rsp := &sm.DeleteDefinitionValueEntitlementMappingResponse{} - id := req.Msg.GetId() - s.logger.DebugContext(ctx, "deleting definition value entitlement mapping", slog.String("id", id)) - - auditParams := audit.PolicyEventParams{ - ActionType: audit.ActionTypeDelete, - ObjectType: audit.ObjectTypeDefinitionValueEntitlementMapping, - ObjectID: id, - } - - deleted, 
err := s.dbClient.DeleteDefinitionValueEntitlementMapping(ctx, id) - if err != nil { - s.logger.Audit.PolicyCRUDFailure(ctx, auditParams) - return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextDeletionFailed, slog.String("id", id)) - } - - s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams) - rsp.DefinitionValueEntitlementMapping = deleted - return connect.NewResponse(rsp), nil -} diff --git a/service/policy/subjectmapping/subject_mapping.proto b/service/policy/subjectmapping/subject_mapping.proto index b33f40ff5d..af6da858ba 100644 --- a/service/policy/subjectmapping/subject_mapping.proto +++ b/service/policy/subjectmapping/subject_mapping.proto 
@@ -260,158 +260,6 @@ message DeleteAllUnmappedSubjectConditionSetsResponse { repeated policy.SubjectConditionSet subject_condition_sets = 1; } -/* - Definition Value Entitlement Mapping CRUD operations - - A DefinitionValueEntitlementMapping raises entitlement authority from a concrete - AttributeValue to the AttributeDefinition: at decision time the value_resolver compares - the requested resource value segment against the entity representation. These RPCs live on - the SubjectMappingService as they are entitlement-adjacent and share the SubjectConditionSet. -*/ - -message GetDefinitionValueEntitlementMappingRequest { - // Required - string id = 1 [(buf.validate.field).string.uuid = true]; -} -message GetDefinitionValueEntitlementMappingResponse { - policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1; -} - -enum SortDefinitionValueEntitlementMappingsType { - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UNSPECIFIED = 0; - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_CREATED_AT = 1; - SORT_DEFINITION_VALUE_ENTITLEMENT_MAPPINGS_TYPE_UPDATED_AT = 2; -} - -message DefinitionValueEntitlementMappingsSort { - SortDefinitionValueEntitlementMappingsType field = 1 [(buf.validate.field).enum.defined_only = true]; - policy.SortDirection direction = 2 [(buf.validate.field).enum.defined_only = true]; -} - -message ListDefinitionValueEntitlementMappingsRequest { - // Optional - // Namespace ID, or Attribute Definition ID to filter by - string namespace_id = 1 [(buf.validate.field).cel = { - id: "optional_uuid_format" - message: "Optional field must be a valid UUID" - expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" - }]; - string attribute_definition_id = 2 [(buf.validate.field).cel = { - id: "optional_uuid_format" - message: "Optional field must be a valid UUID" - expression: "size(this) == 0 || 
this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" - }]; - - // Optional - policy.PageRequest pagination = 10; - - // Optional - CONSTRAINT: max 1 item - repeated DefinitionValueEntitlementMappingsSort sort = 11 [(buf.validate.field).repeated.max_items = 1]; -} -message ListDefinitionValueEntitlementMappingsResponse { - repeated policy.DefinitionValueEntitlementMapping definition_value_entitlement_mappings = 1; - - policy.PageResponse pagination = 10; -} - -message CreateDefinitionValueEntitlementMappingRequest { - // Required: Attribute Definition ID or FQN to scope the mapping to - option (buf.validate.message).oneof = { - fields: ["attribute_definition_id", "attribute_definition_fqn"] - required: true - }; - string attribute_definition_id = 1 [(buf.validate.field).cel = { - id: "optional_uuid_format" - message: "Optional field must be a valid UUID" - expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" - }]; - string attribute_definition_fqn = 2 [ - (buf.validate.field).string = { - min_len: 0 - uri: true - } - ]; - - // Required: the dynamic resolver comparing entity selector result to the resource value segment - policy.DefinitionValueResolver value_resolver = 3 [(buf.validate.field).required = true]; - - // Required: actions permitted on a matched value - repeated policy.Action actions = 4 [ - (buf.validate.field).repeated.min_items = 1, - (buf.validate.field).cel = { - id: "action_name_or_id_not_empty" - message: "Action name or ID must not be empty if provided" - expression: "this.all(item, item.name != '' || item.id != '')" - } - ]; - - // Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ... 
- string existing_subject_condition_set_id = 5 [(buf.validate.field).cel = { - id: "optional_uuid_format" - message: "Optional field must be a valid UUID" - expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" - }]; - // ... or create a new one (ignored if existing_subject_condition_set_id is provided) - SubjectConditionSetCreate new_subject_condition_set = 6; - - // Optional: namespace ID or FQN for the mapping - string namespace_id = 7 [(buf.validate.field).cel = { - id: "optional_uuid_format" - message: "Optional field must be a valid UUID" - expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" - }]; - string namespace_fqn = 8 [ - (buf.validate.field).string = { - min_len: 0 - uri: true - } - ]; - - // Optional - common.MetadataMutable metadata = 100; -} -message CreateDefinitionValueEntitlementMappingResponse { - policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1; -} - -message UpdateDefinitionValueEntitlementMappingRequest { - // Required - string id = 1 [(buf.validate.field).string.uuid = true]; - - // Optional: replace the dynamic resolver - policy.DefinitionValueResolver value_resolver = 2; - - // Optional: replace the static pre-gate SubjectConditionSet by id - string subject_condition_set_id = 3 [(buf.validate.field).cel = { - id: "optional_uuid_format" - message: "Optional field must be a valid UUID" - expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')" - }]; - - // Optional: replace the entire list of actions - repeated policy.Action actions = 4 [(buf.validate.field).cel = { - id: "action_name_or_id_not_empty" - message: "Action name or ID must not be empty if provided" - expression: "this.size() == 0 || this.all(item, item.name != '' || item.id != '')" - }]; - - // Common metadata - common.MetadataMutable 
metadata = 100; - common.MetadataUpdateEnum metadata_update_behavior = 101; -} -message UpdateDefinitionValueEntitlementMappingResponse { - policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1; -} - -message DeleteDefinitionValueEntitlementMappingRequest { - // Required - string id = 1 [(buf.validate.field).string.uuid = true]; -} -message DeleteDefinitionValueEntitlementMappingResponse { - // Only ID of the deleted mapping provided - policy.DefinitionValueEntitlementMapping definition_value_entitlement_mapping = 1; -} - service SubjectMappingService { // Find matching Subject Mappings for a given Subject rpc MatchSubjectMappings(MatchSubjectMappingsRequest) returns (MatchSubjectMappingsResponse) {} @@ -444,14 +292,4 @@ service SubjectMappingService { rpc DeleteSubjectConditionSet(DeleteSubjectConditionSetRequest) returns (DeleteSubjectConditionSetResponse) {} rpc DeleteAllUnmappedSubjectConditionSets(DeleteAllUnmappedSubjectConditionSetsRequest) returns (DeleteAllUnmappedSubjectConditionSetsResponse) {} - - rpc ListDefinitionValueEntitlementMappings(ListDefinitionValueEntitlementMappingsRequest) returns (ListDefinitionValueEntitlementMappingsResponse) { - option idempotency_level = NO_SIDE_EFFECTS; - } - rpc GetDefinitionValueEntitlementMapping(GetDefinitionValueEntitlementMappingRequest) returns (GetDefinitionValueEntitlementMappingResponse) { - option idempotency_level = NO_SIDE_EFFECTS; - } - rpc CreateDefinitionValueEntitlementMapping(CreateDefinitionValueEntitlementMappingRequest) returns (CreateDefinitionValueEntitlementMappingResponse) {} - rpc UpdateDefinitionValueEntitlementMapping(UpdateDefinitionValueEntitlementMappingRequest) returns (UpdateDefinitionValueEntitlementMappingResponse) {} - rpc DeleteDefinitionValueEntitlementMapping(DeleteDefinitionValueEntitlementMappingRequest) returns (DeleteDefinitionValueEntitlementMappingResponse) {} } From 6f6025c825c1c989fa773828a2a74dea429ac3f2 Mon Sep 17 00:00:00 2001 
From: Krish Suchak Date: Fri, 5 Jun 2026 17:45:02 -0400 Subject: [PATCH 8/8] fix(policy): DSPX-2754 sync CreateDynamicValueMapping validation Mirror the proto validation fix from #3580 (namespace oneof, min_len:1 + uri on FQN fields, direct uuid/uri rules) so the consumer branch stays in sync. Refs: DSPX-2754, DSPX-3498 Signed-off-by: Krish Suchak --- .../dynamic_value_mapping.openapi.yaml | 10 +- .../dynamic_value_mapping.pb.go | 429 +++++++++--------- .../dynamic_value_mapping.proto | 22 +- 3 files changed, 220 insertions(+), 241 deletions(-) diff --git a/docs/openapi/policy/dynamicvaluemapping/dynamic_value_mapping.openapi.yaml b/docs/openapi/policy/dynamicvaluemapping/dynamic_value_mapping.openapi.yaml index fd0fb63dc6..0c19ff5295 100644 --- a/docs/openapi/policy/dynamicvaluemapping/dynamic_value_mapping.openapi.yaml +++ b/docs/openapi/policy/dynamicvaluemapping/dynamic_value_mapping.openapi.yaml @@ -1237,11 +1237,11 @@ components: attributeDefinitionId: type: string title: attribute_definition_id - description: | - optional_uuid_format // Optional field must be a valid UUID + format: uuid attributeDefinitionFqn: type: string title: attribute_definition_fqn + minLength: 1 format: uri valueResolver: title: value_resolver @@ -1269,12 +1269,12 @@ components: namespaceId: type: string title: namespace_id - description: | - Optional: namespace ID or FQN for the mapping - optional_uuid_format // Optional field must be a valid UUID + format: uuid + description: 'Optional: namespace ID or FQN for the mapping' namespaceFqn: type: string title: namespace_fqn + minLength: 1 format: uri metadata: title: metadata diff --git a/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping.pb.go b/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping.pb.go index 5df7ef6b45..07d2e2d39e 100644 --- a/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping.pb.go +++ b/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping.pb.go 
@@ -841,241 +841,222 @@ var file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDesc = []byte 0x6e, 0x67, 0x73, 0x12, 0x34, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x52, 0x0a, 0x70, - 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xc9, 0x0a, 0x0a, 0x20, 0x43, 0x72, + 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x90, 0x08, 0x0a, 0x20, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0xec, - 0x01, 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, - 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, - 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, - 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, - 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, - 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, - 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, - 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, - 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, - 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, - 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 
0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, - 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, - 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x44, 0x0a, - 0x18, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, - 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x00, 0x88, 0x01, 0x01, 0x52, 0x16, 0x61, 0x74, 0x74, - 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, - 0x46, 0x71, 0x6e, 0x12, 0x4b, 0x0a, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x72, 0x65, 0x73, - 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, - 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, - 0x01, 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, - 0x12, 0xb8, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, - 0x6f, 0x6e, 0x42, 0x8d, 0x01, 0xba, 0x48, 0x89, 0x01, 0xba, 0x01, 0x80, 0x01, 0x0a, 0x1b, 0x61, - 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x6f, 0x72, 0x5f, 0x69, 0x64, - 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x2f, 0x41, 0x63, 0x74, 0x69, - 0x6f, 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, 0x20, 0x49, 0x44, 0x20, 0x6d, 0x75, - 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x20, - 0x69, 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x64, 0x1a, 0x30, 0x74, 0x68, 0x69, - 0x73, 0x2e, 0x61, 0x6c, 0x6c, 0x28, 0x69, 0x74, 0x65, 0x6d, 0x2c, 0x20, 
0x69, 0x74, 0x65, 0x6d, - 0x2e, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x20, 0x7c, 0x7c, 0x20, 0x69, - 0x74, 0x65, 0x6d, 0x2e, 0x69, 0x64, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x29, 0x92, 0x01, 0x02, - 0x08, 0x01, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0xfe, 0x01, 0x0a, 0x21, - 0x65, 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, - 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, - 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, - 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, - 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, - 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, - 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, - 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, - 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, - 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, - 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, - 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, - 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x1d, 0x65, - 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, - 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x49, 0x64, 0x12, 0x6b, 0x0a, 0x19, - 0x6e, 0x65, 0x77, 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, - 0x69, 0x74, 
0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, - 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x43, 0x72, 0x65, 0x61, 0x74, - 0x65, 0x52, 0x16, 0x6e, 0x65, 0x77, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, - 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0xd7, 0x01, 0x0a, 0x0c, 0x6e, 0x61, - 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, - 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, - 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, - 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, - 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, - 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, - 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, - 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, - 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, - 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, - 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, - 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, - 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, - 0x65, 0x49, 0x64, 0x12, 0x2f, 0x0a, 0x0d, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, - 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x08, 0x20, 0x01, 
0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, - 0x05, 0x10, 0x00, 0x88, 0x01, 0x01, 0x52, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, - 0x65, 0x46, 0x71, 0x6e, 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, - 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, - 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, - 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x3a, 0x3a, 0xba, 0x48, 0x37, 0x22, 0x35, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x40, 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, - 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x0a, 0x18, 0x61, 0x74, 0x74, 0x72, 0x69, - 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, - 0x66, 0x71, 0x6e, 0x10, 0x01, 0x22, 0x74, 0x0a, 0x21, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, - 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4f, 0x0a, 0x15, 0x64, 0x79, - 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x13, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0xc6, 0x05, 0x0a, 0x20, - 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, - 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 
0x48, - 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x12, 0x43, 0x0a, 0x0e, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, - 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, - 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, - 0xed, 0x01, 0x0a, 0x18, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, - 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, - 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, - 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, - 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, - 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, - 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, - 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, - 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, - 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, - 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, - 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x49, 0x64, 0x12, - 0xc7, 0x01, 0x0a, 0x07, 0x61, 
0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, - 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 0x42, 0x9c, 0x01, 0xba, 0x48, 0x98, 0x01, 0xba, 0x01, 0x94, 0x01, 0x0a, 0x1b, 0x61, 0x63, - 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x6f, 0x72, 0x5f, 0x69, 0x64, 0x5f, - 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x2f, 0x41, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, 0x20, 0x49, 0x44, 0x20, 0x6d, 0x75, 0x73, - 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x20, 0x69, - 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x64, 0x1a, 0x44, 0x74, 0x68, 0x69, 0x73, - 0x2e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, + 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, + 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x15, 0x61, 0x74, 0x74, 0x72, 0x69, + 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, + 0x12, 0x44, 0x0a, 0x18, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, + 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x01, 0x88, 0x01, 0x01, 0x52, 0x16, + 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x46, 0x71, 0x6e, 0x12, 0x4b, 0x0a, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, + 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, + 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x42, 0x06, 0xba, 0x48, + 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 
0x52, 0x65, 0x73, 0x6f, 0x6c, + 0x76, 0x65, 0x72, 0x12, 0xb8, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, + 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, + 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x8d, 0x01, 0xba, 0x48, 0x89, 0x01, 0xba, 0x01, 0x80, 0x01, + 0x0a, 0x1b, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x6f, 0x72, + 0x5f, 0x69, 0x64, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x2f, 0x41, + 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, 0x20, 0x49, 0x44, + 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x65, 0x6d, 0x70, + 0x74, 0x79, 0x20, 0x69, 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x64, 0x1a, 0x30, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, 0x6c, 0x6c, 0x28, 0x69, 0x74, 0x65, 0x6d, 0x2c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x20, 0x7c, 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x69, 0x64, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x29, - 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63, 0x6f, - 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75, 0x74, - 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x54, - 0x0a, 0x18, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x75, 0x70, 0x64, 0x61, 0x74, - 0x65, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x18, 0x65, 0x20, 0x01, 0x28, 0x0e, - 0x32, 0x1a, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x52, 0x16, 0x6d, 0x65, - 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x42, 0x65, 0x68, 0x61, - 0x76, 0x69, 
0x6f, 0x72, 0x22, 0x74, 0x0a, 0x21, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, - 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4f, 0x0a, 0x15, 0x64, 0x79, 0x6e, - 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, - 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x13, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22, 0x3c, 0x0a, 0x20, 0x44, 0x65, - 0x6c, 0x65, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, - 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, - 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x22, 0x74, 0x0a, 0x21, 0x44, 0x65, 0x6c, 0x65, - 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, - 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4f, 0x0a, - 0x15, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x6d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, - 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x13, 0x64, 0x79, 0x6e, 0x61, 0x6d, - 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2a, 0xb2, - 0x01, 0x0a, 0x1c, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 
0x6e, 0x67, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, - 0x30, 0x0a, 0x2c, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, - 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, - 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, - 0x00, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, - 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, - 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, - 0x10, 0x01, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x44, 0x59, 0x4e, 0x41, 0x4d, - 0x49, 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, - 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, - 0x54, 0x10, 0x02, 0x32, 0xa7, 0x06, 0x0a, 0x1a, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x53, 0x65, 0x72, 0x76, 0x69, - 0x63, 0x65, 0x12, 0x9a, 0x01, 0x0a, 0x18, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, - 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, - 0x3b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, - 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3c, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, - 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x79, - 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 
0x69, 0x6e, - 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, - 0x94, 0x01, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x39, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, - 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3a, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, - 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, - 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, - 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x9a, 0x01, 0x0a, 0x19, 0x43, 0x72, 0x65, 0x61, 0x74, - 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x12, 0x3c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, - 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x3d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, - 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, + 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0xfe, + 0x01, 0x0a, 0x21, 0x65, 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x73, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x5f, 
0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, + 0x74, 0x5f, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, + 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, + 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, + 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, + 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, + 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, + 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, + 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, + 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, + 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, + 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, + 0x52, 0x1d, 0x65, 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x49, 0x64, 0x12, + 0x6b, 0x0a, 0x19, 0x6e, 0x65, 0x77, 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, + 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x06, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x43, 0x72, + 0x65, 0x61, 0x74, 0x65, 0x52, 0x16, 0x6e, 0x65, 0x77, 0x53, 
0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x2b, 0x0a, 0x0c, + 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01, + 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x0b, 0x6e, 0x61, + 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, 0x2f, 0x0a, 0x0d, 0x6e, 0x61, 0x6d, + 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, + 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x01, 0x88, 0x01, 0x01, 0x52, 0x0c, 0x6e, 0x61, + 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x46, 0x71, 0x6e, 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63, + 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75, + 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x3a, + 0x5b, 0xba, 0x48, 0x58, 0x22, 0x35, 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, + 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x0a, + 0x18, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x66, 0x71, 0x6e, 0x10, 0x01, 0x22, 0x1f, 0x0a, 0x0c, 0x6e, + 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x0a, 0x0d, 0x6e, 0x61, 0x6d, + 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x66, 0x71, 0x6e, 0x10, 0x00, 0x22, 0x74, 0x0a, 0x21, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, - 0x65, 0x22, 0x00, 0x12, 0x9a, 0x01, 0x0a, 0x19, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, + 0x65, 0x12, 0x4f, 0x0a, 0x15, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c, + 0x75, 
0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, + 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x13, 0x64, + 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x22, 0xc6, 0x05, 0x0a, 0x20, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, + 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, + 0x64, 0x12, 0x43, 0x0a, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x6c, + 0x76, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, + 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, + 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, 0xed, 0x01, 0x0a, 0x18, 0x73, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, + 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, + 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, + 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, + 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, + 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, + 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, + 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 
0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, + 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, + 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, + 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, + 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, + 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, + 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x53, 0x65, 0x74, 0x49, 0x64, 0x12, 0xc7, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x9c, 0x01, 0xba, 0x48, 0x98, 0x01, 0xba, + 0x01, 0x94, 0x01, 0x0a, 0x1b, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, + 0x5f, 0x6f, 0x72, 0x5f, 0x69, 0x64, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, + 0x12, 0x2f, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, + 0x20, 0x49, 0x44, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, + 0x65, 0x6d, 0x70, 0x74, 0x79, 0x20, 0x69, 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, + 0x64, 0x1a, 0x44, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x29, 0x20, 0x3d, + 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, 0x6c, 0x6c, 0x28, + 0x69, 0x74, 0x65, 0x6d, 0x2c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, 0x6d, 0x65, 0x20, + 0x21, 0x3d, 0x20, 0x27, 0x27, 0x20, 0x7c, 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x69, 0x64, + 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x29, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, + 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 
0x64, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, + 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x54, 0x0a, 0x18, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, + 0x61, 0x5f, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, + 0x72, 0x18, 0x65, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1a, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, + 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x45, + 0x6e, 0x75, 0x6d, 0x52, 0x16, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, 0x64, + 0x61, 0x74, 0x65, 0x42, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x22, 0x74, 0x0a, 0x21, 0x55, + 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, + 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x12, 0x4f, 0x0a, 0x15, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, + 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x13, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x12, 0x3c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, - 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, + 0x67, 0x22, 0x3c, 0x0a, 0x20, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, + 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x42, 0x08, 
0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x22, + 0x74, 0x0a, 0x21, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, + 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4f, 0x0a, 0x15, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x5f, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, + 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x52, 0x13, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2a, 0xb2, 0x01, 0x0a, 0x1c, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x79, + 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x30, 0x0a, 0x2c, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x44, + 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4d, 0x41, 0x50, + 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, + 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52, 0x54, + 0x5f, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4d, + 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, + 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x01, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52, + 0x54, 0x5f, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, + 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x50, + 0x44, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x02, 0x32, 0xa7, 0x06, 0x0a, 0x1a, 0x44, + 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 
0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x9a, 0x01, 0x0a, 0x18, 0x4c, 0x69, + 0x73, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x3b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, + 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x3c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, + 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, + 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x94, 0x01, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x44, 0x79, + 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x12, 0x39, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, + 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, + 0x65, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3a, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x79, 0x6e, + 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x9a, 
0x01, + 0x0a, 0x19, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, + 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x3c, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, + 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, + 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x9a, 0x01, 0x0a, 0x19, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, - 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x3d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, - 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, - 0x12, 0x9a, 0x01, 0x0a, 0x19, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, - 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x3c, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, + 0x65, 0x4d, 0x61, 0x70, 0x70, 
0x69, 0x6e, 0x67, 0x12, 0x3c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, + 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, + 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x9a, 0x01, 0x0a, 0x19, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, - 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3d, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, - 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, - 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x87, 0x02, - 0x0a, 0x1e, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, - 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x42, 0x18, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, - 0x70, 0x70, 0x69, 0x6e, 0x67, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x42, 0x67, 0x69, - 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, - 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 
0x6f, 0x74, 0x6f, 0x63, - 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x64, 0x79, 0x6e, - 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0xa2, 0x02, 0x03, 0x50, 0x44, 0x58, 0xaa, 0x02, 0x1a, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0xca, 0x02, 0x1a, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x44, 0x79, 0x6e, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x3c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, + 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, + 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x3d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0xe2, 0x02, 0x26, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, - 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5c, 0x47, 0x50, - 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x1b, 0x50, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x3a, 0x3a, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x22, 0x00, 0x42, 0x87, 0x02, 0x0a, 0x1e, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x6d, 0x61, 0x70, 
0x70, 0x69, 0x6e, 0x67, 0x42, 0x18, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, + 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x50, 0x72, 0x6f, 0x74, + 0x6f, 0x50, 0x01, 0x5a, 0x42, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, + 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2f, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xa2, 0x02, 0x03, 0x50, 0x44, 0x58, 0xaa, 0x02, 0x1a, + 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, + 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xca, 0x02, 0x1a, 0x50, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x5c, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xe2, 0x02, 0x26, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x5c, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0xea, 0x02, 0x1b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x44, 0x79, 0x6e, 0x61, 0x6d, + 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/service/policy/dynamicvaluemapping/dynamic_value_mapping.proto b/service/policy/dynamicvaluemapping/dynamic_value_mapping.proto index a16d3aedd4..d7ff2ac5a1 100644 --- a/service/policy/dynamicvaluemapping/dynamic_value_mapping.proto +++ b/service/policy/dynamicvaluemapping/dynamic_value_mapping.proto 
@@ -68,14 +68,16 @@ message CreateDynamicValueMappingRequest {
 fields: ["attribute_definition_id", "attribute_definition_fqn"]
 required: true
 };
- string attribute_definition_id = 1 [(buf.validate.field).cel = {
- id: "optional_uuid_format"
- message: "Optional field must be a valid UUID"
- expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')"
- }];
+ // Optional: Namespace ID or FQN to scope the mapping to
+ option (buf.validate.message).oneof = {
+ fields: ["namespace_id", "namespace_fqn"]
+ required: false
+ };
+
+ string attribute_definition_id = 1 [(buf.validate.field).string.uuid = true];
 string attribute_definition_fqn = 2 [
 (buf.validate.field).string = {
- min_len: 0
+ min_len: 1
 uri: true
 }
 ];
@@ -103,14 +105,10 @@ message CreateDynamicValueMappingRequest {
 policy.subjectmapping.SubjectConditionSetCreate new_subject_condition_set = 6;
 // Optional: namespace ID or FQN for the mapping
- string namespace_id = 7 [(buf.validate.field).cel = {
- id: "optional_uuid_format"
- message: "Optional field must be a valid UUID"
- expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')"
- }];
+ string namespace_id = 7 [(buf.validate.field).string.uuid = true];
 string namespace_fqn = 8 [
 (buf.validate.field).string = {
- min_len: 0
+ min_len: 1
 uri: true
 }
 ];
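Review bot: The new `string.uuid = true` and `min_len: 1` rules on `attribute_definition_id`/`attribute_definition_fqn` (first hunk) and `namespace_id`/`namespace_fqn` (second hunk) no longer accept an empty string by themselves, so a request that sets only one member of a pair validates only if the message-level `oneof` rule makes the unset member be skipped. As far as I know protovalidate applies that implicit ignore to fields listed in a message `oneof`, but it depends on the library version and is invisible at the field, so I would state it next to each field, e.g. `// Empty is accepted only because this field is listed in the message-level oneof above.`, and cover ID-only, FQN-only, both-set and neither-set requests in the validation tests. Because this request creates an entitlement mapping, it is also worth confirming that the handler treats an absent namespace (both fields empty, which `required: false` permits) as an intended scope rather than a wider one than the caller meant. The message body continues outside both hunks.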
        Method NameRequest TypeResponse TypeDescription
        MatchSubjectMappingsMatchSubjectMappingsRequestMatchSubjectMappingsResponse

        Find matching Subject Mappings for a given Subject

        ListSubjectMappingsListSubjectMappingsRequestListSubjectMappingsResponse

        GetSubjectMappingGetSubjectMappingRequestGetSubjectMappingResponse

        CreateSubjectMappingCreateSubjectMappingRequestCreateSubjectMappingResponse

        UpdateSubjectMappingUpdateSubjectMappingRequestUpdateSubjectMappingResponse

        DeleteSubjectMappingDeleteSubjectMappingRequestDeleteSubjectMappingResponse

        ListSubjectConditionSetsListSubjectConditionSetsRequestListSubjectConditionSetsResponseListResourceMappingGroupsListResourceMappingGroupsRequestListResourceMappingGroupsResponse

        GetSubjectConditionSetGetSubjectConditionSetRequestGetSubjectConditionSetResponseGetResourceMappingGroupGetResourceMappingGroupRequestGetResourceMappingGroupResponse

        CreateSubjectConditionSetCreateSubjectConditionSetRequestCreateSubjectConditionSetResponseCreateResourceMappingGroupCreateResourceMappingGroupRequestCreateResourceMappingGroupResponse

        UpdateSubjectConditionSetUpdateSubjectConditionSetRequestUpdateSubjectConditionSetResponseUpdateResourceMappingGroupUpdateResourceMappingGroupRequestUpdateResourceMappingGroupResponse

        DeleteSubjectConditionSetDeleteSubjectConditionSetRequestDeleteSubjectConditionSetResponseDeleteResourceMappingGroupDeleteResourceMappingGroupRequestDeleteResourceMappingGroupResponse

        DeleteAllUnmappedSubjectConditionSetsDeleteAllUnmappedSubjectConditionSetsRequestDeleteAllUnmappedSubjectConditionSetsResponseListResourceMappingsListResourceMappingsRequestListResourceMappingsResponse

        ListDefinitionValueEntitlementMappingsListDefinitionValueEntitlementMappingsRequestListDefinitionValueEntitlementMappingsResponseListResourceMappingsByGroupFqnsListResourceMappingsByGroupFqnsRequestListResourceMappingsByGroupFqnsResponse

        GetDefinitionValueEntitlementMappingGetDefinitionValueEntitlementMappingRequestGetDefinitionValueEntitlementMappingResponseGetResourceMappingGetResourceMappingRequestGetResourceMappingResponse

        CreateDefinitionValueEntitlementMappingCreateDefinitionValueEntitlementMappingRequestCreateDefinitionValueEntitlementMappingResponseCreateResourceMappingCreateResourceMappingRequestCreateResourceMappingResponse

        UpdateDefinitionValueEntitlementMappingUpdateDefinitionValueEntitlementMappingRequestUpdateDefinitionValueEntitlementMappingResponseUpdateResourceMappingUpdateResourceMappingRequestUpdateResourceMappingResponse

        DeleteDefinitionValueEntitlementMappingDeleteDefinitionValueEntitlementMappingRequestDeleteDefinitionValueEntitlementMappingResponseDeleteResourceMappingDeleteResourceMappingRequestDeleteResourceMappingResponse

        ListSubjectMappings

        NO_SIDE_EFFECTS

        GetSubjectMappingListResourceMappingGroups

        NO_SIDE_EFFECTS

        ListSubjectConditionSetsGetResourceMappingGroup

        NO_SIDE_EFFECTS

        GetSubjectConditionSetListResourceMappings

        NO_SIDE_EFFECTS

        ListDefinitionValueEntitlementMappingsListResourceMappingsByGroupFqns

        NO_SIDE_EFFECTS

        GetDefinitionValueEntitlementMappingGetResourceMapping

        NO_SIDE_EFFECTS