diff --git a/docs/grpc/index.html b/docs/grpc/index.html
index de9226c039..60f2593124 100644
--- a/docs/grpc/index.html
+++ b/docs/grpc/index.html
@@ -687,6 +687,22 @@

Table of Contents

MGetKeyAccessServerResponse +
  • + MGrantedPolicyObject +
  • + +
  • + MKeyAccessServerGrants +
  • + +
  • + MListKeyAccessServerGrantsRequest +
  • + +
  • + MListKeyAccessServerGrantsResponse +
  • +
  • MListKeyAccessServersRequest
  • @@ -4929,6 +4945,139 @@

    GetKeyAccessServerRespons +

    GrantedPolicyObject

    +

    Can be namespace, attribute definition, or value

    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    idstring

    fqnstring

    + + + + + +

    KeyAccessServerGrants

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    key_access_serverpolicy.KeyAccessServer

    namespace_grantsGrantedPolicyObjectrepeated

    attribute_grantsGrantedPolicyObjectrepeated

    value_grantsGrantedPolicyObjectrepeated

    + + + + + +

    ListKeyAccessServerGrantsRequest

    +

    LIST of KAS Grants returns flat response of grants to all policy objects. It does not

    employ selectors for grants to specific policy objects or build the attribute tree relation.

    If grants to a known namespace, attribute, or value are needed, use the respective

    GET request to the specific policy object.

    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    kas_idstring

    Optional +Filter LIST by either ID or URI of a registered Key Access Server. +If neither is provided, grants from all registered KASs to policy attribute objects are returned.

    kas_uristring

    + + + + + +

    ListKeyAccessServerGrantsResponse

    +

    + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    grantsKeyAccessServerGrantsrepeated

    + + + + +

    ListKeyAccessServersRequest

    @@ -5085,6 +5234,13 @@

    KeyAccessServerRegist

    + + ListKeyAccessServerGrants + ListKeyAccessServerGrantsRequest + ListKeyAccessServerGrantsResponse +

    + + @@ -5153,6 +5309,16 @@

    Methods with HTTP bindings

    + + + + ListKeyAccessServerGrants + GET + /key-access-servers/grants + + + + diff --git a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json index baef251c5f..71edf32bd5 100644 --- a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json +++ b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json @@ -68,6 +68,43 @@ ] } }, + "/key-access-servers/grants": { + "get": { + "operationId": "KeyAccessServerRegistryService_ListKeyAccessServerGrants", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/kasregistryListKeyAccessServerGrantsResponse" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/rpcStatus" + } + } + }, + "parameters": [ + { + "name": "kasId", + "description": "Optional\nFilter LIST by either ID or URI of a registered Key Access Server.\nIf neither is provided, grants from all registered KASs to policy attribute objects are returned.", + "in": "query", + "required": false, + "type": "string" + }, + { + "name": "kasUri", + "in": "query", + "required": false, + "type": "string" + } + ], + "tags": [ + "KeyAccessServerRegistryService" + ] + } + }, "/key-access-servers/{id}": { "get": { "operationId": "KeyAccessServerRegistryService_GetKeyAccessServer", 
@@ -265,6 +302,59 @@ } } }, + "kasregistryGrantedPolicyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "fqn": { + "type": "string" + } + }, + "title": "Can be namespace, attribute definition, or value" + }, + "kasregistryKeyAccessServerGrants": { + "type": "object", + "properties": { + "keyAccessServer": { + "$ref": "#/definitions/policyKeyAccessServer" + }, + "namespaceGrants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/kasregistryGrantedPolicyObject" + } + }, + "attributeGrants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/kasregistryGrantedPolicyObject" + } + }, + "valueGrants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/kasregistryGrantedPolicyObject" + } + } + } + }, + "kasregistryListKeyAccessServerGrantsResponse": { + "type": "object", + "properties": { + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/kasregistryKeyAccessServerGrants" + } + } + } + }, "kasregistryListKeyAccessServersResponse": { "type": "object", "properties": { diff --git a/go.work.sum b/go.work.sum index cc76dac6db..eb72397466 100644 --- a/go.work.sum +++ b/go.work.sum 
@@ -748,6 +748,7 @@ github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r
 github.com/docker/docker v20.10.17+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v25.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v27.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
 github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
diff --git a/protocol/go/policy/kasregistry/key_access_server_registry.pb.go b/protocol/go/policy/kasregistry/key_access_server_registry.pb.go
index 13e76eefd4..5a4a42233f 100644
--- a/protocol/go/policy/kasregistry/key_access_server_registry.pb.go
+++ b/protocol/go/policy/kasregistry/key_access_server_registry.pb.go
@@ -537,6 +537,242 @@ func (x *DeleteKeyAccessServerResponse) GetKeyAccessServer() *policy.KeyAccessSe return nil } +// Can be namespace, attribute definition, or value +type GrantedPolicyObject struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` + Fqn string `protobuf:"bytes,2,opt,name=fqn,proto3" json:"fqn,omitempty"` +} + +func (x *GrantedPolicyObject) Reset() { + *x = GrantedPolicyObject{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[10] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GrantedPolicyObject) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GrantedPolicyObject) ProtoMessage() {} + +func (x *GrantedPolicyObject) ProtoReflect() protoreflect.Message { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[10] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GrantedPolicyObject.ProtoReflect.Descriptor instead. 
+func (*GrantedPolicyObject) Descriptor() ([]byte, []int) { + return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{10} +} + +func (x *GrantedPolicyObject) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +func (x *GrantedPolicyObject) GetFqn() string { + if x != nil { + return x.Fqn + } + return "" +} + +type KeyAccessServerGrants struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + KeyAccessServer *policy.KeyAccessServer `protobuf:"bytes,1,opt,name=key_access_server,json=keyAccessServer,proto3" json:"key_access_server,omitempty"` + NamespaceGrants []*GrantedPolicyObject `protobuf:"bytes,2,rep,name=namespace_grants,json=namespaceGrants,proto3" json:"namespace_grants,omitempty"` + AttributeGrants []*GrantedPolicyObject `protobuf:"bytes,3,rep,name=attribute_grants,json=attributeGrants,proto3" json:"attribute_grants,omitempty"` + ValueGrants []*GrantedPolicyObject `protobuf:"bytes,4,rep,name=value_grants,json=valueGrants,proto3" json:"value_grants,omitempty"` +} + +func (x *KeyAccessServerGrants) Reset() { + *x = KeyAccessServerGrants{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[11] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *KeyAccessServerGrants) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*KeyAccessServerGrants) ProtoMessage() {} + +func (x *KeyAccessServerGrants) ProtoReflect() protoreflect.Message { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[11] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use KeyAccessServerGrants.ProtoReflect.Descriptor instead. 
+func (*KeyAccessServerGrants) Descriptor() ([]byte, []int) { + return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{11} +} + +func (x *KeyAccessServerGrants) GetKeyAccessServer() *policy.KeyAccessServer { + if x != nil { + return x.KeyAccessServer + } + return nil +} + +func (x *KeyAccessServerGrants) GetNamespaceGrants() []*GrantedPolicyObject { + if x != nil { + return x.NamespaceGrants + } + return nil +} + +func (x *KeyAccessServerGrants) GetAttributeGrants() []*GrantedPolicyObject { + if x != nil { + return x.AttributeGrants + } + return nil +} + +func (x *KeyAccessServerGrants) GetValueGrants() []*GrantedPolicyObject { + if x != nil { + return x.ValueGrants + } + return nil +} + +// LIST of KAS Grants returns flat response of grants to all policy objects. It does not +// employ selectors for grants to specific policy objects or build the attribute tree relation. +// If grants to a known namespace, attribute, or value are needed, use the respective +// GET request to the specific policy object. +type ListKeyAccessServerGrantsRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Optional + // Filter LIST by either ID or URI of a registered Key Access Server. + // If neither is provided, grants from all registered KASs to policy attribute objects are returned. 
+ KasId string `protobuf:"bytes,1,opt,name=kas_id,json=kasId,proto3" json:"kas_id,omitempty"` + KasUri string `protobuf:"bytes,2,opt,name=kas_uri,json=kasUri,proto3" json:"kas_uri,omitempty"` +} + +func (x *ListKeyAccessServerGrantsRequest) Reset() { + *x = ListKeyAccessServerGrantsRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[12] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ListKeyAccessServerGrantsRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListKeyAccessServerGrantsRequest) ProtoMessage() {} + +func (x *ListKeyAccessServerGrantsRequest) ProtoReflect() protoreflect.Message { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[12] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListKeyAccessServerGrantsRequest.ProtoReflect.Descriptor instead. 
+func (*ListKeyAccessServerGrantsRequest) Descriptor() ([]byte, []int) { + return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{12} +} + +func (x *ListKeyAccessServerGrantsRequest) GetKasId() string { + if x != nil { + return x.KasId + } + return "" +} + +func (x *ListKeyAccessServerGrantsRequest) GetKasUri() string { + if x != nil { + return x.KasUri + } + return "" +} + +type ListKeyAccessServerGrantsResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Grants []*KeyAccessServerGrants `protobuf:"bytes,1,rep,name=grants,proto3" json:"grants,omitempty"` +} + +func (x *ListKeyAccessServerGrantsResponse) Reset() { + *x = ListKeyAccessServerGrantsResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[13] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ListKeyAccessServerGrantsResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListKeyAccessServerGrantsResponse) ProtoMessage() {} + +func (x *ListKeyAccessServerGrantsResponse) ProtoReflect() protoreflect.Message { + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[13] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListKeyAccessServerGrantsResponse.ProtoReflect.Descriptor instead. 
+func (*ListKeyAccessServerGrantsResponse) Descriptor() ([]byte, []int) { + return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{13} +} + +func (x *ListKeyAccessServerGrantsResponse) GetGrants() []*KeyAccessServerGrants { + if x != nil { + return x.Grants + } + return nil +} + var File_policy_kasregistry_key_access_server_registry_proto protoreflect.FileDescriptor var file_policy_kasregistry_key_access_server_registry_proto_rawDesc = []byte{ 
@@ -618,73 +854,120 @@ var file_policy_kasregistry_key_access_server_registry_proto_rawDesc = []byte{ 0x73, 0x73, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x0f, 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x32, 0xb5, 0x06, 0x0a, 0x1e, 0x4b, 0x65, - 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x67, - 0x69, 0x73, 0x74, 0x72, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x96, 0x01, 0x0a, - 0x14, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x2f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, - 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, - 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, - 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, - 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, - 0x12, 0x13, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x95, 0x01, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, - 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x2d, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, - 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 
0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2e, 0x2e, 0x70, 0x6f, + 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x22, 0x37, 0x0a, 0x13, 0x47, 0x72, 0x61, + 0x6e, 0x74, 0x65, 0x64, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, + 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x66, + 0x71, 0x6e, 0x22, 0xd0, 0x02, 0x0a, 0x15, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x43, 0x0a, 0x11, + 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x52, 0x0f, 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x12, 0x52, 0x0a, 0x10, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x67, + 0x72, 0x61, 0x6e, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, - 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, - 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, - 0x93, 0x02, 0x1a, 0x12, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, - 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, 0x9c, 0x01, - 0x0a, 0x15, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, - 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 
0x43, 0x72, 0x65, - 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, - 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, - 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, - 0xe4, 0x93, 0x02, 0x18, 0x3a, 0x01, 0x2a, 0x22, 0x13, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, - 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0xa1, 0x01, 0x0a, - 0x15, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, - 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, - 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, - 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, - 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, - 0x93, 0x02, 0x1d, 0x3a, 0x01, 0x2a, 0x32, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, - 0x12, 0x9e, 0x01, 0x0a, 0x15, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, - 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, - 0x44, 0x65, 0x6c, 
0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, - 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, - 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, - 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, - 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x2a, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, - 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, - 0x7d, 0x42, 0xdb, 0x01, 0x0a, 0x16, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x42, 0x1c, 0x4b, 0x65, - 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x67, - 0x69, 0x73, 0x74, 0x72, 0x79, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3a, 0x67, 0x69, - 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, - 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, - 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x6b, 0x61, 0x73, - 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xa2, 0x02, 0x03, 0x50, 0x4b, 0x58, 0xaa, 0x02, - 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, - 0x74, 0x72, 0x79, 0xca, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, - 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xe2, 0x02, 0x1e, 0x50, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x5c, 0x47, 0x50, - 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x13, 0x50, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x3a, 0x3a, 0x4b, 0x61, 0x73, 0x72, 0x65, 
0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x62, - 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x2e, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x65, 0x64, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4f, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x52, 0x0f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x47, + 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x52, 0x0a, 0x10, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, + 0x74, 0x65, 0x5f, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x27, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x65, 0x64, 0x50, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x52, 0x0f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, + 0x75, 0x74, 0x65, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x4a, 0x0a, 0x0c, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x5f, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x27, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x65, 0x64, 0x50, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x52, 0x0b, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x47, + 0x72, 0x61, 0x6e, 0x74, 0x73, 0x22, 0x52, 0x0a, 0x20, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, + 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x61, 0x73, + 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x61, 0x73, 0x49, 0x64, + 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x61, 0x73, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x06, 0x6b, 0x61, 0x73, 0x55, 0x72, 0x69, 0x22, 0x66, 0x0a, 0x21, 0x4c, 0x69, 0x73, + 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 
0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x41, + 0x0a, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, + 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, + 0x73, 0x32, 0xe4, 0x07, 0x0a, 0x1e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, + 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x53, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x12, 0x96, 0x01, 0x0a, 0x14, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x2f, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, + 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x22, 0x1b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x95, 0x01, + 0x0a, 0x12, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x12, 0x2d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, + 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 
0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x2e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, + 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x12, 0x18, 0x2f, 0x6b, 0x65, + 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, + 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, 0x9c, 0x01, 0x0a, 0x15, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, + 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, + 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, + 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, + 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x3a, 0x01, 0x2a, 0x22, + 0x13, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, + 0x76, 0x65, 0x72, 0x73, 0x12, 0xa1, 0x01, 0x0a, 0x15, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, + 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x1a, 0x31, 0x2e, 0x70, 
0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1d, 0x3a, 0x01, 0x2a, 0x32, 0x18, + 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, 0x9e, 0x01, 0x0a, 0x15, 0x44, 0x65, 0x6c, + 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, + 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, + 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, + 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, + 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x2a, + 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, + 0x76, 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, 0xac, 0x01, 0x0a, 0x19, 0x4c, 0x69, + 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, + 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 
0x65, 0x73, 0x74, 0x1a, 0x35, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, + 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x22, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1c, 0x12, 0x1a, 0x2f, 0x6b, + 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x73, 0x2f, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x42, 0xdb, 0x01, 0x0a, 0x16, 0x63, 0x6f, 0x6d, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x79, 0x42, 0x1c, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x50, 0x72, 0x6f, 0x74, + 0x6f, 0x50, 0x01, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, + 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2f, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xa2, + 0x02, 0x03, 0x50, 0x4b, 0x58, 0xaa, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, + 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xca, 0x02, 0x12, 0x50, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xe2, + 0x02, 0x1e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0xea, 0x02, 0x13, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x4b, 0x61, 0x73, 0x72, 0x65, + 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -699,49 +982,60 @@ func file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP() []by return file_policy_kasregistry_key_access_server_registry_proto_rawDescData } -var file_policy_kasregistry_key_access_server_registry_proto_msgTypes = make([]protoimpl.MessageInfo, 10) +var file_policy_kasregistry_key_access_server_registry_proto_msgTypes = make([]protoimpl.MessageInfo, 14) var file_policy_kasregistry_key_access_server_registry_proto_goTypes = []interface{}{ - (*GetKeyAccessServerRequest)(nil), // 0: policy.kasregistry.GetKeyAccessServerRequest - (*GetKeyAccessServerResponse)(nil), // 1: policy.kasregistry.GetKeyAccessServerResponse - (*ListKeyAccessServersRequest)(nil), // 2: policy.kasregistry.ListKeyAccessServersRequest - (*ListKeyAccessServersResponse)(nil), // 3: policy.kasregistry.ListKeyAccessServersResponse - (*CreateKeyAccessServerRequest)(nil), // 4: policy.kasregistry.CreateKeyAccessServerRequest - (*CreateKeyAccessServerResponse)(nil), // 5: policy.kasregistry.CreateKeyAccessServerResponse - (*UpdateKeyAccessServerRequest)(nil), // 6: policy.kasregistry.UpdateKeyAccessServerRequest - (*UpdateKeyAccessServerResponse)(nil), // 7: policy.kasregistry.UpdateKeyAccessServerResponse - (*DeleteKeyAccessServerRequest)(nil), // 8: policy.kasregistry.DeleteKeyAccessServerRequest - (*DeleteKeyAccessServerResponse)(nil), // 9: policy.kasregistry.DeleteKeyAccessServerResponse - (*policy.KeyAccessServer)(nil), // 10: policy.KeyAccessServer - (*policy.PublicKey)(nil), // 11: policy.PublicKey - (*common.MetadataMutable)(nil), // 12: common.MetadataMutable - (common.MetadataUpdateEnum)(0), // 13: common.MetadataUpdateEnum + (*GetKeyAccessServerRequest)(nil), // 0: policy.kasregistry.GetKeyAccessServerRequest + (*GetKeyAccessServerResponse)(nil), // 1: policy.kasregistry.GetKeyAccessServerResponse + (*ListKeyAccessServersRequest)(nil), // 2: policy.kasregistry.ListKeyAccessServersRequest + (*ListKeyAccessServersResponse)(nil), // 3: 
policy.kasregistry.ListKeyAccessServersResponse + (*CreateKeyAccessServerRequest)(nil), // 4: policy.kasregistry.CreateKeyAccessServerRequest + (*CreateKeyAccessServerResponse)(nil), // 5: policy.kasregistry.CreateKeyAccessServerResponse + (*UpdateKeyAccessServerRequest)(nil), // 6: policy.kasregistry.UpdateKeyAccessServerRequest + (*UpdateKeyAccessServerResponse)(nil), // 7: policy.kasregistry.UpdateKeyAccessServerResponse + (*DeleteKeyAccessServerRequest)(nil), // 8: policy.kasregistry.DeleteKeyAccessServerRequest + (*DeleteKeyAccessServerResponse)(nil), // 9: policy.kasregistry.DeleteKeyAccessServerResponse + (*GrantedPolicyObject)(nil), // 10: policy.kasregistry.GrantedPolicyObject + (*KeyAccessServerGrants)(nil), // 11: policy.kasregistry.KeyAccessServerGrants + (*ListKeyAccessServerGrantsRequest)(nil), // 12: policy.kasregistry.ListKeyAccessServerGrantsRequest + (*ListKeyAccessServerGrantsResponse)(nil), // 13: policy.kasregistry.ListKeyAccessServerGrantsResponse + (*policy.KeyAccessServer)(nil), // 14: policy.KeyAccessServer + (*policy.PublicKey)(nil), // 15: policy.PublicKey + (*common.MetadataMutable)(nil), // 16: common.MetadataMutable + (common.MetadataUpdateEnum)(0), // 17: common.MetadataUpdateEnum } var file_policy_kasregistry_key_access_server_registry_proto_depIdxs = []int32{ - 10, // 0: policy.kasregistry.GetKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 10, // 1: policy.kasregistry.ListKeyAccessServersResponse.key_access_servers:type_name -> policy.KeyAccessServer - 11, // 2: policy.kasregistry.CreateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey - 12, // 3: policy.kasregistry.CreateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable - 10, // 4: policy.kasregistry.CreateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 11, // 5: policy.kasregistry.UpdateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey - 12, // 6: 
policy.kasregistry.UpdateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable - 13, // 7: policy.kasregistry.UpdateKeyAccessServerRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 10, // 8: policy.kasregistry.UpdateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 10, // 9: policy.kasregistry.DeleteKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 2, // 10: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:input_type -> policy.kasregistry.ListKeyAccessServersRequest - 0, // 11: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:input_type -> policy.kasregistry.GetKeyAccessServerRequest - 4, // 12: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:input_type -> policy.kasregistry.CreateKeyAccessServerRequest - 6, // 13: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:input_type -> policy.kasregistry.UpdateKeyAccessServerRequest - 8, // 14: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:input_type -> policy.kasregistry.DeleteKeyAccessServerRequest - 3, // 15: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:output_type -> policy.kasregistry.ListKeyAccessServersResponse - 1, // 16: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:output_type -> policy.kasregistry.GetKeyAccessServerResponse - 5, // 17: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:output_type -> policy.kasregistry.CreateKeyAccessServerResponse - 7, // 18: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:output_type -> policy.kasregistry.UpdateKeyAccessServerResponse - 9, // 19: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:output_type -> policy.kasregistry.DeleteKeyAccessServerResponse - 15, // [15:20] is the sub-list for method output_type - 10, // [10:15] is the sub-list for 
method input_type - 10, // [10:10] is the sub-list for extension type_name - 10, // [10:10] is the sub-list for extension extendee - 0, // [0:10] is the sub-list for field type_name + 14, // 0: policy.kasregistry.GetKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 14, // 1: policy.kasregistry.ListKeyAccessServersResponse.key_access_servers:type_name -> policy.KeyAccessServer + 15, // 2: policy.kasregistry.CreateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey + 16, // 3: policy.kasregistry.CreateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable + 14, // 4: policy.kasregistry.CreateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 15, // 5: policy.kasregistry.UpdateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey + 16, // 6: policy.kasregistry.UpdateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable + 17, // 7: policy.kasregistry.UpdateKeyAccessServerRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 14, // 8: policy.kasregistry.UpdateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 14, // 9: policy.kasregistry.DeleteKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 14, // 10: policy.kasregistry.KeyAccessServerGrants.key_access_server:type_name -> policy.KeyAccessServer + 10, // 11: policy.kasregistry.KeyAccessServerGrants.namespace_grants:type_name -> policy.kasregistry.GrantedPolicyObject + 10, // 12: policy.kasregistry.KeyAccessServerGrants.attribute_grants:type_name -> policy.kasregistry.GrantedPolicyObject + 10, // 13: policy.kasregistry.KeyAccessServerGrants.value_grants:type_name -> policy.kasregistry.GrantedPolicyObject + 11, // 14: policy.kasregistry.ListKeyAccessServerGrantsResponse.grants:type_name -> policy.kasregistry.KeyAccessServerGrants + 2, // 15: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:input_type -> 
policy.kasregistry.ListKeyAccessServersRequest + 0, // 16: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:input_type -> policy.kasregistry.GetKeyAccessServerRequest + 4, // 17: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:input_type -> policy.kasregistry.CreateKeyAccessServerRequest + 6, // 18: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:input_type -> policy.kasregistry.UpdateKeyAccessServerRequest + 8, // 19: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:input_type -> policy.kasregistry.DeleteKeyAccessServerRequest + 12, // 20: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:input_type -> policy.kasregistry.ListKeyAccessServerGrantsRequest + 3, // 21: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:output_type -> policy.kasregistry.ListKeyAccessServersResponse + 1, // 22: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:output_type -> policy.kasregistry.GetKeyAccessServerResponse + 5, // 23: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:output_type -> policy.kasregistry.CreateKeyAccessServerResponse + 7, // 24: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:output_type -> policy.kasregistry.UpdateKeyAccessServerResponse + 9, // 25: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:output_type -> policy.kasregistry.DeleteKeyAccessServerResponse + 13, // 26: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:output_type -> policy.kasregistry.ListKeyAccessServerGrantsResponse + 21, // [21:27] is the sub-list for method output_type + 15, // [15:21] is the sub-list for method input_type + 15, // [15:15] is the sub-list for extension type_name + 15, // [15:15] is the sub-list for extension extendee + 0, // [0:15] is the sub-list for field type_name } func init() { 
file_policy_kasregistry_key_access_server_registry_proto_init() } @@ -870,6 +1164,54 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { return nil } } + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GrantedPolicyObject); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*KeyAccessServerGrants); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ListKeyAccessServerGrantsRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ListKeyAccessServerGrantsResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } } type x struct{} out := protoimpl.TypeBuilder{ @@ -877,7 +1219,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_policy_kasregistry_key_access_server_registry_proto_rawDesc, NumEnums: 0, - NumMessages: 10, + NumMessages: 14, NumExtensions: 0, NumServices: 1, }, diff --git a/protocol/go/policy/kasregistry/key_access_server_registry.pb.gw.go b/protocol/go/policy/kasregistry/key_access_server_registry.pb.gw.go index 7cf68badf1..4f661d15b9 100644 --- a/protocol/go/policy/kasregistry/key_access_server_registry.pb.gw.go 
+++ b/protocol/go/policy/kasregistry/key_access_server_registry.pb.gw.go 
@@ -239,6 +239,42 @@ func local_request_KeyAccessServerRegistryService_DeleteKeyAccessServer_0(ctx co } +var ( + filter_KeyAccessServerRegistryService_ListKeyAccessServerGrants_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)} +) + +func request_KeyAccessServerRegistryService_ListKeyAccessServerGrants_0(ctx context.Context, marshaler runtime.Marshaler, client KeyAccessServerRegistryServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) { + var protoReq ListKeyAccessServerGrantsRequest + var metadata runtime.ServerMetadata + + if err := req.ParseForm(); err != nil { + return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err) + } + if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_KeyAccessServerRegistryService_ListKeyAccessServerGrants_0); err != nil { + return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err) + } + + msg, err := client.ListKeyAccessServerGrants(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD)) + return msg, metadata, err + +} + +func local_request_KeyAccessServerRegistryService_ListKeyAccessServerGrants_0(ctx context.Context, marshaler runtime.Marshaler, server KeyAccessServerRegistryServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) { + var protoReq ListKeyAccessServerGrantsRequest + var metadata runtime.ServerMetadata + + if err := req.ParseForm(); err != nil { + return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err) + } + if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_KeyAccessServerRegistryService_ListKeyAccessServerGrants_0); err != nil { + return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err) + } + + msg, err := server.ListKeyAccessServerGrants(ctx, &protoReq) + return msg, metadata, err + +} + // RegisterKeyAccessServerRegistryServiceHandlerServer 
registers the http handlers for service KeyAccessServerRegistryService to "mux". // UnaryRPC :call KeyAccessServerRegistryServiceServer directly. // StreamingRPC :currently unsupported pending https://github.com/grpc/grpc-go/issues/906. @@ -370,6 +406,31 @@ func RegisterKeyAccessServerRegistryServiceHandlerServer(ctx context.Context, mu }) + mux.Handle("GET", pattern_KeyAccessServerRegistryService_ListKeyAccessServerGrants_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) { + ctx, cancel := context.WithCancel(req.Context()) + defer cancel() + var stream runtime.ServerTransportStream + ctx = grpc.NewContextWithServerTransportStream(ctx, &stream) + inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req) + var err error + var annotatedContext context.Context + annotatedContext, err = runtime.AnnotateIncomingContext(ctx, mux, req, "/policy.kasregistry.KeyAccessServerRegistryService/ListKeyAccessServerGrants", runtime.WithHTTPPathPattern("/key-access-servers/grants")) + if err != nil { + runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err) + return + } + resp, md, err := local_request_KeyAccessServerRegistryService_ListKeyAccessServerGrants_0(annotatedContext, inboundMarshaler, server, req, pathParams) + md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer()) + annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md) + if err != nil { + runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err) + return + } + + forward_KeyAccessServerRegistryService_ListKeyAccessServerGrants_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...) + + }) + return nil } 
@@ -521,6 +582,28 @@ func RegisterKeyAccessServerRegistryServiceHandlerClient(ctx context.Context, mu }) + mux.Handle("GET", pattern_KeyAccessServerRegistryService_ListKeyAccessServerGrants_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) { + ctx, cancel := context.WithCancel(req.Context()) + defer cancel() + inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req) + var err error + var annotatedContext context.Context + annotatedContext, err = runtime.AnnotateContext(ctx, mux, req, "/policy.kasregistry.KeyAccessServerRegistryService/ListKeyAccessServerGrants", runtime.WithHTTPPathPattern("/key-access-servers/grants")) + if err != nil { + runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err) + return + } + resp, md, err := request_KeyAccessServerRegistryService_ListKeyAccessServerGrants_0(annotatedContext, inboundMarshaler, client, req, pathParams) + annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md) + if err != nil { + runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err) + return + } + + forward_KeyAccessServerRegistryService_ListKeyAccessServerGrants_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...) + + }) + return nil } @@ -534,6 +617,8 @@ var ( pattern_KeyAccessServerRegistryService_UpdateKeyAccessServer_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1}, []string{"key-access-servers", "id"}, "")) pattern_KeyAccessServerRegistryService_DeleteKeyAccessServer_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1}, []string{"key-access-servers", "id"}, "")) + + pattern_KeyAccessServerRegistryService_ListKeyAccessServerGrants_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1}, []string{"key-access-servers", "grants"}, "")) ) var ( 
@@ -546,4 +631,6 @@ var ( forward_KeyAccessServerRegistryService_UpdateKeyAccessServer_0 = runtime.ForwardResponseMessage forward_KeyAccessServerRegistryService_DeleteKeyAccessServer_0 = runtime.ForwardResponseMessage + + forward_KeyAccessServerRegistryService_ListKeyAccessServerGrants_0 = runtime.ForwardResponseMessage ) diff --git a/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go b/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go index 043607d17c..7dea486c13 100644 --- a/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go +++ b/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go 
@@ -19,11 +19,12 @@ import ( const _ = grpc.SupportPackageIsVersion7 const ( - KeyAccessServerRegistryService_ListKeyAccessServers_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/ListKeyAccessServers" - KeyAccessServerRegistryService_GetKeyAccessServer_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/GetKeyAccessServer" - KeyAccessServerRegistryService_CreateKeyAccessServer_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/CreateKeyAccessServer" - KeyAccessServerRegistryService_UpdateKeyAccessServer_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/UpdateKeyAccessServer" - KeyAccessServerRegistryService_DeleteKeyAccessServer_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/DeleteKeyAccessServer" + KeyAccessServerRegistryService_ListKeyAccessServers_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/ListKeyAccessServers" + KeyAccessServerRegistryService_GetKeyAccessServer_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/GetKeyAccessServer" + KeyAccessServerRegistryService_CreateKeyAccessServer_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/CreateKeyAccessServer" + KeyAccessServerRegistryService_UpdateKeyAccessServer_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/UpdateKeyAccessServer" + KeyAccessServerRegistryService_DeleteKeyAccessServer_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/DeleteKeyAccessServer" + KeyAccessServerRegistryService_ListKeyAccessServerGrants_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/ListKeyAccessServerGrants" ) // KeyAccessServerRegistryServiceClient is the client API for KeyAccessServerRegistryService service. 
@@ -35,6 +36,7 @@ type KeyAccessServerRegistryServiceClient interface { CreateKeyAccessServer(ctx context.Context, in *CreateKeyAccessServerRequest, opts ...grpc.CallOption) (*CreateKeyAccessServerResponse, error) UpdateKeyAccessServer(ctx context.Context, in *UpdateKeyAccessServerRequest, opts ...grpc.CallOption) (*UpdateKeyAccessServerResponse, error) DeleteKeyAccessServer(ctx context.Context, in *DeleteKeyAccessServerRequest, opts ...grpc.CallOption) (*DeleteKeyAccessServerResponse, error) + ListKeyAccessServerGrants(ctx context.Context, in *ListKeyAccessServerGrantsRequest, opts ...grpc.CallOption) (*ListKeyAccessServerGrantsResponse, error) } type keyAccessServerRegistryServiceClient struct { @@ -90,6 +92,15 @@ func (c *keyAccessServerRegistryServiceClient) DeleteKeyAccessServer(ctx context return out, nil } +func (c *keyAccessServerRegistryServiceClient) ListKeyAccessServerGrants(ctx context.Context, in *ListKeyAccessServerGrantsRequest, opts ...grpc.CallOption) (*ListKeyAccessServerGrantsResponse, error) { + out := new(ListKeyAccessServerGrantsResponse) + err := c.cc.Invoke(ctx, KeyAccessServerRegistryService_ListKeyAccessServerGrants_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + // KeyAccessServerRegistryServiceServer is the server API for KeyAccessServerRegistryService service. // All implementations must embed UnimplementedKeyAccessServerRegistryServiceServer // for forward compatibility 
@@ -99,6 +110,7 @@ type KeyAccessServerRegistryServiceServer interface { CreateKeyAccessServer(context.Context, *CreateKeyAccessServerRequest) (*CreateKeyAccessServerResponse, error) UpdateKeyAccessServer(context.Context, *UpdateKeyAccessServerRequest) (*UpdateKeyAccessServerResponse, error) DeleteKeyAccessServer(context.Context, *DeleteKeyAccessServerRequest) (*DeleteKeyAccessServerResponse, error) + ListKeyAccessServerGrants(context.Context, *ListKeyAccessServerGrantsRequest) (*ListKeyAccessServerGrantsResponse, error) mustEmbedUnimplementedKeyAccessServerRegistryServiceServer() } @@ -121,6 +133,9 @@ func (UnimplementedKeyAccessServerRegistryServiceServer) UpdateKeyAccessServer(c func (UnimplementedKeyAccessServerRegistryServiceServer) DeleteKeyAccessServer(context.Context, *DeleteKeyAccessServerRequest) (*DeleteKeyAccessServerResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method DeleteKeyAccessServer not implemented") } +func (UnimplementedKeyAccessServerRegistryServiceServer) ListKeyAccessServerGrants(context.Context, *ListKeyAccessServerGrantsRequest) (*ListKeyAccessServerGrantsResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method ListKeyAccessServerGrants not implemented") +} func (UnimplementedKeyAccessServerRegistryServiceServer) mustEmbedUnimplementedKeyAccessServerRegistryServiceServer() { } 
@@ -225,6 +240,24 @@ func _KeyAccessServerRegistryService_DeleteKeyAccessServer_Handler(srv interface return interceptor(ctx, in, info, handler) } +func _KeyAccessServerRegistryService_ListKeyAccessServerGrants_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(ListKeyAccessServerGrantsRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(KeyAccessServerRegistryServiceServer).ListKeyAccessServerGrants(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: KeyAccessServerRegistryService_ListKeyAccessServerGrants_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(KeyAccessServerRegistryServiceServer).ListKeyAccessServerGrants(ctx, req.(*ListKeyAccessServerGrantsRequest)) + } + return interceptor(ctx, in, info, handler) +} + // KeyAccessServerRegistryService_ServiceDesc is the grpc.ServiceDesc for KeyAccessServerRegistryService service. // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) @@ -252,6 +285,10 @@ var KeyAccessServerRegistryService_ServiceDesc = grpc.ServiceDesc{ MethodName: "DeleteKeyAccessServer", Handler: _KeyAccessServerRegistryService_DeleteKeyAccessServer_Handler, }, + { + MethodName: "ListKeyAccessServerGrants", + Handler: _KeyAccessServerRegistryService_ListKeyAccessServerGrants_Handler, + }, }, Streams: []grpc.StreamDesc{}, Metadata: "policy/kasregistry/key_access_server_registry.proto", diff --git a/service/integration/kas_registry_test.go b/service/integration/kas_registry_test.go index a443c51ad9..b6ff0f67de 100644 --- a/service/integration/kas_registry_test.go +++ b/service/integration/kas_registry_test.go 
@@ -7,6 +7,7 @@ import ( "github.com/opentdf/platform/protocol/go/common" "github.com/opentdf/platform/protocol/go/policy" + "github.com/opentdf/platform/protocol/go/policy/attributes" "github.com/opentdf/platform/protocol/go/policy/kasregistry" "github.com/opentdf/platform/service/internal/fixtures" "github.com/opentdf/platform/service/pkg/db" 
@@ -420,6 +421,132 @@ func (s *KasRegistrySuite) Test_DeleteKeyAccessServer_WithInvalidId_Fails() { s.Require().ErrorIs(err, db.ErrUUIDInvalid) } +func (s *KasRegistrySuite) Test_ListKeyAccessServerGrantsByKasId() { + // create an attribute + attr := &attributes.CreateAttributeRequest{ + Name: "test__list_key_access_server_grants_by_kas_id", + NamespaceId: fixtureNamespaceID, + Rule: policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF, + } + createdAttr, err := s.db.PolicyClient.CreateAttribute(s.ctx, attr) + s.Require().NoError(err) + s.NotNil(createdAttr) + + fixtureKAS := s.f.GetKasRegistryKey("key_access_server_2") + + // add a KAS to the attribute + aKas := &attributes.AttributeKeyAccessServer{ + AttributeId: createdAttr.GetId(), + KeyAccessServerId: fixtureKAS.ID, + } + createdGrant, err := s.db.PolicyClient.AssignKeyAccessServerToAttribute(s.ctx, aKas) + s.Require().NoError(err) + s.NotNil(createdGrant) + + // list grants by KAS ID + listedGrants, err := s.db.PolicyClient.ListKeyAccessServerGrantsByKasId(s.ctx, fixtureKAS.ID) + s.Require().NoError(err) + s.NotNil(listedGrants) + s.GreaterOrEqual(len(listedGrants), 1) + for _, g := range listedGrants { + s.Equal(fixtureKAS.ID, g.KasID) + s.Equal(fixtureKAS.URI, g.KasUri) + } +} + +func (s *KasRegistrySuite) Test_ListKeyAccessServerGrantsByKasId_NoResultsIfNotFound() { + // list grants by KAS ID + listedGrants, err := s.db.PolicyClient.ListKeyAccessServerGrantsByKasId(s.ctx, nonExistentKasRegistryID) + s.Require().NoError(err) + s.Nil(listedGrants) +} + +func (s *KasRegistrySuite) Test_ListKeyAccessServerGrantsByKasUri() { + fixtureKAS := s.f.GetKasRegistryKey("key_access_server_1") + + // create an attribute + attr := &attributes.CreateAttributeRequest{ + Name: "test__list_key_access_server_grants_by_kas_uri", + NamespaceId: fixtureNamespaceID, + Rule: policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF, + } + createdAttr, err := s.db.PolicyClient.CreateAttribute(s.ctx, attr) + 
s.Require().NoError(err) + s.NotNil(createdAttr) + + // add a KAS to the attribute + aKas := &attributes.AttributeKeyAccessServer{ + AttributeId: createdAttr.GetId(), + KeyAccessServerId: fixtureKAS.ID, + } + createdGrant, err := s.db.PolicyClient.AssignKeyAccessServerToAttribute(s.ctx, aKas) + s.Require().NoError(err) + s.NotNil(createdGrant) + + // list grants by KAS URI + listedGrants, err := s.db.PolicyClient.ListKeyAccessServerGrantsByKasUri(s.ctx, fixtureKAS.URI) + s.Require().NoError(err) + s.NotNil(listedGrants) + s.GreaterOrEqual(len(listedGrants), 1) + for _, g := range listedGrants { + s.Equal(fixtureKAS.ID, g.KasID) + s.Equal(fixtureKAS.URI, g.KasUri) + } +} + +func (s *KasRegistrySuite) Test_ListKeyAccessServerGrantsByKasUri_NoResultsIfNotFound() { + // list grants by KAS ID + listedGrants, err := s.db.PolicyClient.ListKeyAccessServerGrantsByKasUri(s.ctx, "https://notfound.com/kas/uri") + s.Require().NoError(err) + s.Nil(listedGrants) +} + +func (s *KasRegistrySuite) Test_ListAllKeyAccessServerGrants() { + // create a KAS + kas := &kasregistry.CreateKeyAccessServerRequest{ + Uri: "https://listingkasgrants.com/kas/uri", + PublicKey: &policy.PublicKey{ + PublicKey: &policy.PublicKey_Local{Local: "public"}, + }, + } + createdKAS, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, kas) + s.Require().NoError(err) + s.NotNil(createdKAS) + + // create an attribute + attr := &attributes.CreateAttributeRequest{ + Name: "test__list_all_key_access_server_grants", + NamespaceId: fixtureNamespaceID, + Rule: policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF, + } + createdAttr, err := s.db.PolicyClient.CreateAttribute(s.ctx, attr) + s.Require().NoError(err) + s.NotNil(createdAttr) + + // add a KAS to the attribute + aKas := &attributes.AttributeKeyAccessServer{ + AttributeId: createdAttr.GetId(), + KeyAccessServerId: createdKAS.GetId(), + } + createdGrant, err := s.db.PolicyClient.AssignKeyAccessServerToAttribute(s.ctx, aKas) + s.Require().NoError(err) 
+ s.NotNil(createdGrant) + + // list all grants + listedGrants, err := s.db.PolicyClient.ListAllKeyAccessServerGrants(s.ctx) + s.Require().NoError(err) + s.NotNil(listedGrants) + s.GreaterOrEqual(len(listedGrants), 1) + found := false + for _, g := range listedGrants { + if g.KasID == createdKAS.GetId() { + found = true + break + } + } + s.True(found) +} + func TestKasRegistrySuite(t *testing.T) { if testing.Short() { t.Skip("skipping db.KasRegistry integration tests") diff --git a/service/policy/attributes/attributes.proto b/service/policy/attributes/attributes.proto index 74bc08258f..4e0c8159bc 100644 --- a/service/policy/attributes/attributes.proto +++ b/service/policy/attributes/attributes.proto @@ -182,7 +182,7 @@ message GetAttributeValuesByFqnsResponse { } /* - Assign Key Access Server to Attribute and Value + Assign Key Access Server (KAS Grant) to Attribute and Value */ message AssignKeyAccessServerToAttributeRequest { diff --git a/service/policy/db/query.sql b/service/policy/db/query.sql index eb21a0d63d..2c1d55c166 100644 --- a/service/policy/db/query.sql +++ b/service/policy/db/query.sql 
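Review bot: The positive tests added in `kas_registry_test.go` (`Test_ListKeyAccessServerGrantsByKasId`, `Test_ListKeyAccessServerGrantsByKasUri`, `Test_ListAllKeyAccessServerGrants`) assert only on `KasID`/`KasUri` and never inspect the grants payload. A query that returned the KAS row with an empty `attribute_grants` array would still pass, even though the grant created by `AssignKeyAccessServerToAttribute` a few lines earlier is missing. This listing is presumably what an operator uses to audit which policy objects a KAS is granted to, so each test should decode the returned grants and assert that `createdAttr.GetId()` appears under `attribute_grants`. No test exercises a value-level grant, although the queries in this commit also build `value_grants`. In `Test_ListKeyAccessServerGrantsByKasUri_NoResultsIfNotFound` the copied comment `// list grants by KAS ID` should read `// list grants by KAS URI`.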
@@ -29,6 +29,126 @@ RETURNING id; -- name: DeleteKeyAccessServer :execrows DELETE FROM key_access_servers WHERE id = $1; +---------------------------------------------------------------- +-- ATTRIBUTES +---------------------------------------------------------------- + +-- name: ListKeyAccessServerGrantsByKasUri :many +SELECT + kas.id AS kas_id, + kas.uri AS kas_uri, + kas.public_key AS kas_public_key, + JSON_STRIP_NULLS(JSON_BUILD_OBJECT( + 'labels', kas.metadata -> 'labels', + 'created_at', kas.created_at, + 'updated_at', kas.updated_at + )) AS kas_metadata, + JSON_BUILD_OBJECT( + 'attribute_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( + 'id', attrkag.attribute_definition_id, + 'fqn', fqns_on_attr.fqn + )) FILTER (WHERE attrkag.attribute_definition_id IS NOT NULL), '[]'), + 'value_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( + 'id', valkag.attribute_value_id, + 'fqn', fqns_on_vals.fqn + )) FILTER (WHERE valkag.attribute_value_id IS NOT NULL), '[]') + ) AS grants +FROM + key_access_servers kas +LEFT JOIN + attribute_definition_key_access_grants attrkag + ON kas.id = attrkag.key_access_server_id +LEFT JOIN + attribute_fqns fqns_on_attr + ON attrkag.attribute_definition_id = fqns_on_attr.attribute_id + AND fqns_on_attr.value_id IS NULL +LEFT JOIN + attribute_value_key_access_grants valkag + ON kas.id = valkag.key_access_server_id +LEFT JOIN + attribute_fqns fqns_on_vals + ON valkag.attribute_value_id = fqns_on_vals.value_id +WHERE kas.uri = $1 +GROUP BY + kas.id; + +-- name: ListKeyAccessServerGrantsByKasId :many +SELECT + kas.id AS kas_id, + kas.uri AS kas_uri, + kas.public_key AS kas_public_key, + JSON_STRIP_NULLS(JSON_BUILD_OBJECT( + 'labels', kas.metadata -> 'labels', + 'created_at', kas.created_at, + 'updated_at', kas.updated_at + )) AS kas_metadata, + JSON_BUILD_OBJECT( + 'attribute_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( + 'id', attrkag.attribute_definition_id, + 'fqn', fqns_on_attr.fqn + )) FILTER (WHERE 
attrkag.attribute_definition_id IS NOT NULL), '[]'), + 'value_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( + 'id', valkag.attribute_value_id, + 'fqn', fqns_on_vals.fqn + )) FILTER (WHERE valkag.attribute_value_id IS NOT NULL), '[]') + ) AS grants +FROM + key_access_servers kas +LEFT JOIN + attribute_definition_key_access_grants attrkag + ON kas.id = attrkag.key_access_server_id +LEFT JOIN + attribute_fqns fqns_on_attr + ON attrkag.attribute_definition_id = fqns_on_attr.attribute_id + AND fqns_on_attr.value_id IS NULL +LEFT JOIN + attribute_value_key_access_grants valkag + ON kas.id = valkag.key_access_server_id +LEFT JOIN + attribute_fqns fqns_on_vals + ON valkag.attribute_value_id = fqns_on_vals.value_id +WHERE kas.id = $1 +GROUP BY + kas.id; + +-- name: ListAllKeyAccessServerGrants :many +SELECT + kas.id AS kas_id, + kas.uri AS kas_uri, + kas.public_key AS kas_public_key, + JSON_STRIP_NULLS(JSON_BUILD_OBJECT( + 'labels', kas.metadata -> 'labels', + 'created_at', kas.created_at, + 'updated_at', kas.updated_at + )) AS kas_metadata, + JSON_BUILD_OBJECT( + 'attribute_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( + 'id', attrkag.attribute_definition_id, + 'fqn', fqns_on_attr.fqn + )) FILTER (WHERE attrkag.attribute_definition_id IS NOT NULL), '[]'), + 'value_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( + 'id', valkag.attribute_value_id, + 'fqn', fqns_on_vals.fqn + )) FILTER (WHERE valkag.attribute_value_id IS NOT NULL), '[]') + ) AS grants +FROM + key_access_servers kas +LEFT JOIN + attribute_definition_key_access_grants attrkag + ON kas.id = attrkag.key_access_server_id +LEFT JOIN + attribute_fqns fqns_on_attr + ON attrkag.attribute_definition_id = fqns_on_attr.attribute_id + AND fqns_on_attr.value_id IS NULL +LEFT JOIN + attribute_value_key_access_grants valkag + ON kas.id = valkag.key_access_server_id +LEFT JOIN + attribute_fqns fqns_on_vals + ON valkag.attribute_value_id = fqns_on_vals.value_id +GROUP BY + kas.id; + 
---------------------------------------------------------------- -- RESOURCE MAPPING GROUPS ---------------------------------------------------------------- diff --git a/service/policy/db/query.sql.go b/service/policy/db/query.sql.go index 7b767d9163..c12e34f2f2 100644 --- a/service/policy/db/query.sql.go +++ b/service/policy/db/query.sql.go 
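Review bot: All three new queries LEFT JOIN `attribute_definition_key_access_grants` and `attribute_value_key_access_grants` to the same `kas` row independently, so a KAS with A attribute grants and V value grants produces A×V joined rows before `GROUP BY kas.id`. `json_agg(DISTINCT …)` hides the duplication in the result but not the cost, and `ListAllKeyAccessServerGrants` has no `LIMIT` or filter to bound it. Aggregating each grant type in its own lateral subquery keeps the work linear and makes the `GROUP BY` unnecessary. The sketch below is for `ListKeyAccessServerGrantsByKasUri`; the other two queries differ only in the `WHERE` clause. Whether sqlc infers the same row types for the lateral form should be checked when regenerating.

```sql
SELECT
    kas.id AS kas_id,
    -- … unchanged: kas_uri, kas_public_key, kas_metadata …
    JSON_BUILD_OBJECT(
        'attribute_grants', COALESCE(attr_grants.items, '[]'),
        'value_grants', COALESCE(val_grants.items, '[]')
    ) AS grants
FROM
    key_access_servers kas
LEFT JOIN LATERAL (
    SELECT json_agg(DISTINCT jsonb_build_object(
        'id', attrkag.attribute_definition_id,
        'fqn', fqns_on_attr.fqn
    )) AS items
    FROM attribute_definition_key_access_grants attrkag
    LEFT JOIN attribute_fqns fqns_on_attr
        ON attrkag.attribute_definition_id = fqns_on_attr.attribute_id
        AND fqns_on_attr.value_id IS NULL
    WHERE attrkag.key_access_server_id = kas.id
) attr_grants ON TRUE
LEFT JOIN LATERAL (
    SELECT json_agg(DISTINCT jsonb_build_object(
        'id', valkag.attribute_value_id,
        'fqn', fqns_on_vals.fqn
    )) AS items
    FROM attribute_value_key_access_grants valkag
    LEFT JOIN attribute_fqns fqns_on_vals
        ON valkag.attribute_value_id = fqns_on_vals.value_id
    WHERE valkag.key_access_server_id = kas.id
) val_grants ON TRUE
WHERE kas.uri = $1;
```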
@@ -136,6 +136,346 @@ func (q *Queries) GetResourceMappingGroup(ctx context.Context, id string) (Resou return i, err } +const listAllKeyAccessServerGrants = `-- name: ListAllKeyAccessServerGrants :many +SELECT + kas.id AS kas_id, + kas.uri AS kas_uri, + kas.public_key AS kas_public_key, + JSON_STRIP_NULLS(JSON_BUILD_OBJECT( + 'labels', kas.metadata -> 'labels', + 'created_at', kas.created_at, + 'updated_at', kas.updated_at + )) AS kas_metadata, + JSON_BUILD_OBJECT( + 'attribute_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( + 'id', attrkag.attribute_definition_id, + 'fqn', fqns_on_attr.fqn + )) FILTER (WHERE attrkag.attribute_definition_id IS NOT NULL), '[]'), + 'value_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( + 'id', valkag.attribute_value_id, + 'fqn', fqns_on_vals.fqn + )) FILTER (WHERE valkag.attribute_value_id IS NOT NULL), '[]') + ) AS grants +FROM + key_access_servers kas +LEFT JOIN + attribute_definition_key_access_grants attrkag + ON kas.id = attrkag.key_access_server_id +LEFT JOIN + attribute_fqns fqns_on_attr + ON attrkag.attribute_definition_id = fqns_on_attr.attribute_id + AND fqns_on_attr.value_id IS NULL +LEFT JOIN + attribute_value_key_access_grants valkag + ON kas.id = valkag.key_access_server_id +LEFT JOIN + attribute_fqns fqns_on_vals + ON valkag.attribute_value_id = fqns_on_vals.value_id +GROUP BY + kas.id +` + +type ListAllKeyAccessServerGrantsRow struct { + KasID string `json:"kas_id"` + KasUri string `json:"kas_uri"` + KasPublicKey []byte `json:"kas_public_key"` + KasMetadata []byte `json:"kas_metadata"` + Grants []byte `json:"grants"` +} + +// ListAllKeyAccessServerGrants +// +// SELECT +// kas.id AS kas_id, +// kas.uri AS kas_uri, +// kas.public_key AS kas_public_key, +// JSON_STRIP_NULLS(JSON_BUILD_OBJECT( +// 'labels', kas.metadata -> 'labels', +// 'created_at', kas.created_at, +// 'updated_at', kas.updated_at +// )) AS kas_metadata, +// JSON_BUILD_OBJECT( +// 'attribute_grants', COALESCE(json_agg(DISTINCT 
jsonb_build_object( +// 'id', attrkag.attribute_definition_id, +// 'fqn', fqns_on_attr.fqn +// )) FILTER (WHERE attrkag.attribute_definition_id IS NOT NULL), '[]'), +// 'value_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( +// 'id', valkag.attribute_value_id, +// 'fqn', fqns_on_vals.fqn +// )) FILTER (WHERE valkag.attribute_value_id IS NOT NULL), '[]') +// ) AS grants +// FROM +// key_access_servers kas +// LEFT JOIN +// attribute_definition_key_access_grants attrkag +// ON kas.id = attrkag.key_access_server_id +// LEFT JOIN +// attribute_fqns fqns_on_attr +// ON attrkag.attribute_definition_id = fqns_on_attr.attribute_id +// AND fqns_on_attr.value_id IS NULL +// LEFT JOIN +// attribute_value_key_access_grants valkag +// ON kas.id = valkag.key_access_server_id +// LEFT JOIN +// attribute_fqns fqns_on_vals +// ON valkag.attribute_value_id = fqns_on_vals.value_id +// GROUP BY +// kas.id +func (q *Queries) ListAllKeyAccessServerGrants(ctx context.Context) ([]ListAllKeyAccessServerGrantsRow, error) { + rows, err := q.db.Query(ctx, listAllKeyAccessServerGrants) + if err != nil { + return nil, err + } + defer rows.Close() + var items []ListAllKeyAccessServerGrantsRow + for rows.Next() { + var i ListAllKeyAccessServerGrantsRow + if err := rows.Scan( + &i.KasID, + &i.KasUri, + &i.KasPublicKey, + &i.KasMetadata, + &i.Grants, + ); err != nil { + return nil, err + } + items = append(items, i) + } + if err := rows.Err(); err != nil { + return nil, err + } + return items, nil +} + +const listKeyAccessServerGrantsByKasId = `-- name: ListKeyAccessServerGrantsByKasId :many +SELECT + kas.id AS kas_id, + kas.uri AS kas_uri, + kas.public_key AS kas_public_key, + JSON_STRIP_NULLS(JSON_BUILD_OBJECT( + 'labels', kas.metadata -> 'labels', + 'created_at', kas.created_at, + 'updated_at', kas.updated_at + )) AS kas_metadata, + JSON_BUILD_OBJECT( + 'attribute_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( + 'id', attrkag.attribute_definition_id, + 'fqn', fqns_on_attr.fqn + 
)) FILTER (WHERE attrkag.attribute_definition_id IS NOT NULL), '[]'), + 'value_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( + 'id', valkag.attribute_value_id, + 'fqn', fqns_on_vals.fqn + )) FILTER (WHERE valkag.attribute_value_id IS NOT NULL), '[]') + ) AS grants +FROM + key_access_servers kas +LEFT JOIN + attribute_definition_key_access_grants attrkag + ON kas.id = attrkag.key_access_server_id +LEFT JOIN + attribute_fqns fqns_on_attr + ON attrkag.attribute_definition_id = fqns_on_attr.attribute_id + AND fqns_on_attr.value_id IS NULL +LEFT JOIN + attribute_value_key_access_grants valkag + ON kas.id = valkag.key_access_server_id +LEFT JOIN + attribute_fqns fqns_on_vals + ON valkag.attribute_value_id = fqns_on_vals.value_id +WHERE kas.id = $1 +GROUP BY + kas.id +` + +type ListKeyAccessServerGrantsByKasIdRow struct { + KasID string `json:"kas_id"` + KasUri string `json:"kas_uri"` + KasPublicKey []byte `json:"kas_public_key"` + KasMetadata []byte `json:"kas_metadata"` + Grants []byte `json:"grants"` +} + +// ListKeyAccessServerGrantsByKasId +// +// SELECT +// kas.id AS kas_id, +// kas.uri AS kas_uri, +// kas.public_key AS kas_public_key, +// JSON_STRIP_NULLS(JSON_BUILD_OBJECT( +// 'labels', kas.metadata -> 'labels', +// 'created_at', kas.created_at, +// 'updated_at', kas.updated_at +// )) AS kas_metadata, +// JSON_BUILD_OBJECT( +// 'attribute_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( +// 'id', attrkag.attribute_definition_id, +// 'fqn', fqns_on_attr.fqn +// )) FILTER (WHERE attrkag.attribute_definition_id IS NOT NULL), '[]'), +// 'value_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( +// 'id', valkag.attribute_value_id, +// 'fqn', fqns_on_vals.fqn +// )) FILTER (WHERE valkag.attribute_value_id IS NOT NULL), '[]') +// ) AS grants +// FROM +// key_access_servers kas +// LEFT JOIN +// attribute_definition_key_access_grants attrkag +// ON kas.id = attrkag.key_access_server_id +// LEFT JOIN +// attribute_fqns fqns_on_attr +// ON 
attrkag.attribute_definition_id = fqns_on_attr.attribute_id +// AND fqns_on_attr.value_id IS NULL +// LEFT JOIN +// attribute_value_key_access_grants valkag +// ON kas.id = valkag.key_access_server_id +// LEFT JOIN +// attribute_fqns fqns_on_vals +// ON valkag.attribute_value_id = fqns_on_vals.value_id +// WHERE kas.id = $1 +// GROUP BY +// kas.id +func (q *Queries) ListKeyAccessServerGrantsByKasId(ctx context.Context, id string) ([]ListKeyAccessServerGrantsByKasIdRow, error) { + rows, err := q.db.Query(ctx, listKeyAccessServerGrantsByKasId, id) + if err != nil { + return nil, err + } + defer rows.Close() + var items []ListKeyAccessServerGrantsByKasIdRow + for rows.Next() { + var i ListKeyAccessServerGrantsByKasIdRow + if err := rows.Scan( + &i.KasID, + &i.KasUri, + &i.KasPublicKey, + &i.KasMetadata, + &i.Grants, + ); err != nil { + return nil, err + } + items = append(items, i) + } + if err := rows.Err(); err != nil { + return nil, err + } + return items, nil +} + +const listKeyAccessServerGrantsByKasUri = `-- name: ListKeyAccessServerGrantsByKasUri :many + +SELECT + kas.id AS kas_id, + kas.uri AS kas_uri, + kas.public_key AS kas_public_key, + JSON_STRIP_NULLS(JSON_BUILD_OBJECT( + 'labels', kas.metadata -> 'labels', + 'created_at', kas.created_at, + 'updated_at', kas.updated_at + )) AS kas_metadata, + JSON_BUILD_OBJECT( + 'attribute_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( + 'id', attrkag.attribute_definition_id, + 'fqn', fqns_on_attr.fqn + )) FILTER (WHERE attrkag.attribute_definition_id IS NOT NULL), '[]'), + 'value_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( + 'id', valkag.attribute_value_id, + 'fqn', fqns_on_vals.fqn + )) FILTER (WHERE valkag.attribute_value_id IS NOT NULL), '[]') + ) AS grants +FROM + key_access_servers kas +LEFT JOIN + attribute_definition_key_access_grants attrkag + ON kas.id = attrkag.key_access_server_id +LEFT JOIN + attribute_fqns fqns_on_attr + ON attrkag.attribute_definition_id = fqns_on_attr.attribute_id + 
AND fqns_on_attr.value_id IS NULL +LEFT JOIN + attribute_value_key_access_grants valkag + ON kas.id = valkag.key_access_server_id +LEFT JOIN + attribute_fqns fqns_on_vals + ON valkag.attribute_value_id = fqns_on_vals.value_id +WHERE kas.uri = $1 +GROUP BY + kas.id +` + +type ListKeyAccessServerGrantsByKasUriRow struct { + KasID string `json:"kas_id"` + KasUri string `json:"kas_uri"` + KasPublicKey []byte `json:"kas_public_key"` + KasMetadata []byte `json:"kas_metadata"` + Grants []byte `json:"grants"` +} + +// -------------------------------------------------------------- +// ATTRIBUTES +// -------------------------------------------------------------- +// +// SELECT +// kas.id AS kas_id, +// kas.uri AS kas_uri, +// kas.public_key AS kas_public_key, +// JSON_STRIP_NULLS(JSON_BUILD_OBJECT( +// 'labels', kas.metadata -> 'labels', +// 'created_at', kas.created_at, +// 'updated_at', kas.updated_at +// )) AS kas_metadata, +// JSON_BUILD_OBJECT( +// 'attribute_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( +// 'id', attrkag.attribute_definition_id, +// 'fqn', fqns_on_attr.fqn +// )) FILTER (WHERE attrkag.attribute_definition_id IS NOT NULL), '[]'), +// 'value_grants', COALESCE(json_agg(DISTINCT jsonb_build_object( +// 'id', valkag.attribute_value_id, +// 'fqn', fqns_on_vals.fqn +// )) FILTER (WHERE valkag.attribute_value_id IS NOT NULL), '[]') +// ) AS grants +// FROM +// key_access_servers kas +// LEFT JOIN +// attribute_definition_key_access_grants attrkag +// ON kas.id = attrkag.key_access_server_id +// LEFT JOIN +// attribute_fqns fqns_on_attr +// ON attrkag.attribute_definition_id = fqns_on_attr.attribute_id +// AND fqns_on_attr.value_id IS NULL +// LEFT JOIN +// attribute_value_key_access_grants valkag +// ON kas.id = valkag.key_access_server_id +// LEFT JOIN +// attribute_fqns fqns_on_vals +// ON valkag.attribute_value_id = fqns_on_vals.value_id +// WHERE kas.uri = $1 +// GROUP BY +// kas.id +func (q *Queries) ListKeyAccessServerGrantsByKasUri(ctx 
context.Context, uri string) ([]ListKeyAccessServerGrantsByKasUriRow, error) { + rows, err := q.db.Query(ctx, listKeyAccessServerGrantsByKasUri, uri) + if err != nil { + return nil, err + } + defer rows.Close() + var items []ListKeyAccessServerGrantsByKasUriRow + for rows.Next() { + var i ListKeyAccessServerGrantsByKasUriRow + if err := rows.Scan( + &i.KasID, + &i.KasUri, + &i.KasPublicKey, + &i.KasMetadata, + &i.Grants, + ); err != nil { + return nil, err + } + items = append(items, i) + } + if err := rows.Err(); err != nil { + return nil, err + } + return items, nil +} + const listKeyAccessServers = `-- name: ListKeyAccessServers :many SELECT id, uri, public_key, diff --git a/service/policy/kasregistry/key_access_server_registry.proto b/service/policy/kasregistry/key_access_server_registry.proto index 308c08635f..c62392ba97 100644 --- a/service/policy/kasregistry/key_access_server_registry.proto +++ b/service/policy/kasregistry/key_access_server_registry.proto 
@@ -52,6 +52,35 @@ message DeleteKeyAccessServerResponse { KeyAccessServer key_access_server = 1; } +// Can be namespace, attribute definition, or value +message GrantedPolicyObject { + string id = 1; + string fqn = 2; +} + +message KeyAccessServerGrants { + KeyAccessServer key_access_server = 1; + repeated GrantedPolicyObject namespace_grants = 2; + repeated GrantedPolicyObject attribute_grants = 3; + repeated GrantedPolicyObject value_grants = 4; +} + +// LIST of KAS Grants returns flat response of grants to all policy objects. It does not +// employ selectors for grants to specific policy objects or build the attribute tree relation. +// If grants to a known namespace, attribute, or value are needed, use the respective +// GET request to the specific policy object. +message ListKeyAccessServerGrantsRequest { + // Optional + // Filter LIST by either ID or URI of a registered Key Access Server. + // If neither is provided, grants from all registered KASs to policy attribute objects are returned. + string kas_id = 1; + string kas_uri = 2; +} + +message ListKeyAccessServerGrantsResponse { + repeated KeyAccessServerGrants grants = 1; +} + service KeyAccessServerRegistryService { rpc ListKeyAccessServers(ListKeyAccessServersRequest) returns (ListKeyAccessServersResponse) { option (google.api.http) = {get: "/key-access-servers"}; @@ -78,4 +107,8 @@ service KeyAccessServerRegistryService { rpc DeleteKeyAccessServer(DeleteKeyAccessServerRequest) returns (DeleteKeyAccessServerResponse) { option (google.api.http) = {delete: "/key-access-servers/{id}"}; } + + rpc ListKeyAccessServerGrants(ListKeyAccessServerGrantsRequest) returns (ListKeyAccessServerGrantsResponse) { + option (google.api.http) = {get: "/key-access-servers/grants"}; + } }
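Review bot: `ListKeyAccessServerGrantsRequest` documents `kas_id` and `kas_uri` as an either/or filter, but they are two independent strings with no validation, so a request can carry both (or a malformed ID) and the schema does not say which one wins. Making the choice explicit, e.g. `oneof kas_filter { string kas_id = 1; string kas_uri = 2; }`, or adding a line such as `// If both are set, kas_id takes precedence.` once the handler's behaviour is confirmed, removes the ambiguity. The leading comment also attaches only to `kas_id`, leaving `kas_uri` undocumented in the generated docs. Separately, `namespace_grants` is declared in `KeyAccessServerGrants` while the queries added in this commit build only `attribute_grants` and `value_grants`, so it presumably stays empty for now; a comment saying so would help clients.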
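Review bot: The new `get: "/key-access-servers/grants"` binding has the same shape as any `/key-access-servers/{id}` GET route on this service (only the `delete` form is visible in this hunk), so depending on the gateway's matching order the literal segment `grants` could be captured as an `id`; a route test on the HTTP path would pin this down. The RPC also returns every grant for every registered KAS in a single unpaginated response and has no doc comment. A leading comment such as `// Lists KAS grants to attributes and values, optionally filtered by KAS ID or URI.` would state the contract, and page fields could be added to the request and response before clients depend on the shape. The service body starts outside this hunk.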