diff --git a/docs/grpc/index.html b/docs/grpc/index.html
index 69c9e362b0..2071a7b4db 100644
--- a/docs/grpc/index.html
+++ b/docs/grpc/index.html
@@ -229,6 +229,14 @@
Table of Contents
MConditionGroup
+
+ MKasPublicKey
+
+
+
+ MKasPublicKeySet
+
+
MKeyAccessServer
@@ -282,6 +290,10 @@ Table of Contents
EConditionBooleanTypeEnum
+
+ EKasPublicKeyAlgEnum
+
+
ESubjectMappingOperatorEnum
@@ -1478,6 +1490,70 @@ ConditionGroup
+ KasPublicKey
+ A KAS public key and some associated metadata for further identifcation
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
+
+ | pem |
+ string |
+ |
+ x509 ASN.1 content in PEM envelope, usually |
+
+
+
+ | kid |
+ string |
+ |
+ A unique string identifier for this key |
+
+
+
+ | alg |
+ KasPublicKeyAlgEnum |
+ |
+ A known algorithm type with any additional parameters encoded.
+To start, these may be `rsa:2048` for encrypting ZTDF files and
+`ec:secp256r1` for nanoTDF, but more formats may be added as needed. |
+
+
+
+
+
+
+
+
+
+ KasPublicKeySet
+ A list of known KAS public keys
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
+
+ | keys |
+ KasPublicKey |
+ repeated |
+ |
+
+
+
+
+
+
+
+
+
KeyAccessServer
Key Access Server Registry
@@ -1606,6 +1682,13 @@ PublicKey
public key - optional since can also be retrieved via url |
+
+ | cached |
+ KasPublicKeySet |
+ |
+ public key with additional information. Current preferred version |
+
+
@@ -2016,6 +2099,35 @@ ConditionBooleanTypeEnum
+ KasPublicKeyAlgEnum
+
+
+
+ | Name | Number | Description |
+
+
+
+
+ | KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED |
+ 0 |
+ |
+
+
+
+ | KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 |
+ 1 |
+ |
+
+
+
+ | KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 |
+ 5 |
+ |
+
+
+
+
+
SubjectMappingOperatorEnum
buflint ENUM_VALUE_PREFIX: to make sure that C++ scoping rules aren't violated when users add new enum values to an enum in a given package
diff --git a/docs/openapi/policy/attributes/attributes.swagger.json b/docs/openapi/policy/attributes/attributes.swagger.json
index 70c760d327..01d68183d2 100644
--- a/docs/openapi/policy/attributes/attributes.swagger.json
+++ b/docs/openapi/policy/attributes/attributes.swagger.json
@@ -991,6 +991,46 @@
},
"title": "A collection of Conditions evaluated by the boolean_operator provided"
},
+ "policyKasPublicKey": {
+ "type": "object",
+ "properties": {
+ "pem": {
+ "type": "string",
+ "title": "x509 ASN.1 content in PEM envelope, usually"
+ },
+ "kid": {
+ "type": "string",
+ "title": "A unique string identifier for this key"
+ },
+ "alg": {
+ "$ref": "#/definitions/policyKasPublicKeyAlgEnum",
+ "description": "A known algorithm type with any additional parameters encoded.\nTo start, these may be `rsa:2048` for encrypting ZTDF files and \n`ec:secp256r1` for nanoTDF, but more formats may be added as needed."
+ }
+ },
+ "title": "A KAS public key and some associated metadata for further identifcation"
+ },
+ "policyKasPublicKeyAlgEnum": {
+ "type": "string",
+ "enum": [
+ "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED",
+ "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048",
+ "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1"
+ ],
+ "default": "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED"
+ },
+ "policyKasPublicKeySet": {
+ "type": "object",
+ "properties": {
+ "keys": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/definitions/policyKasPublicKey"
+ }
+ }
+ },
+ "title": "A list of known KAS public keys"
+ },
"policyKeyAccessServer": {
"type": "object",
"properties": {
@@ -1052,6 +1092,10 @@
"local": {
"type": "string",
"title": "public key - optional since can also be retrieved via url"
+ },
+ "cached": {
+ "$ref": "#/definitions/policyKasPublicKeySet",
+ "title": "public key with additional information. Current preferred version"
}
}
},
diff --git a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json
index 71edf32bd5..af67abf55a 100644
--- a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json
+++ b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json
@@ -375,6 +375,46 @@
}
}
},
+ "policyKasPublicKey": {
+ "type": "object",
+ "properties": {
+ "pem": {
+ "type": "string",
+ "title": "x509 ASN.1 content in PEM envelope, usually"
+ },
+ "kid": {
+ "type": "string",
+ "title": "A unique string identifier for this key"
+ },
+ "alg": {
+ "$ref": "#/definitions/policyKasPublicKeyAlgEnum",
+ "description": "A known algorithm type with any additional parameters encoded.\nTo start, these may be `rsa:2048` for encrypting ZTDF files and \n`ec:secp256r1` for nanoTDF, but more formats may be added as needed."
+ }
+ },
+ "title": "A KAS public key and some associated metadata for further identifcation"
+ },
+ "policyKasPublicKeyAlgEnum": {
+ "type": "string",
+ "enum": [
+ "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED",
+ "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048",
+ "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1"
+ ],
+ "default": "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED"
+ },
+ "policyKasPublicKeySet": {
+ "type": "object",
+ "properties": {
+ "keys": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/definitions/policyKasPublicKey"
+ }
+ }
+ },
+ "title": "A list of known KAS public keys"
+ },
"policyKeyAccessServer": {
"type": "object",
"properties": {
@@ -405,6 +445,10 @@
"local": {
"type": "string",
"title": "public key - optional since can also be retrieved via url"
+ },
+ "cached": {
+ "$ref": "#/definitions/policyKasPublicKeySet",
+ "title": "public key with additional information. Current preferred version"
}
}
},
diff --git a/docs/openapi/policy/namespaces/namespaces.swagger.json b/docs/openapi/policy/namespaces/namespaces.swagger.json
index a95a2af500..aad8b5f1ad 100644
--- a/docs/openapi/policy/namespaces/namespaces.swagger.json
+++ b/docs/openapi/policy/namespaces/namespaces.swagger.json
@@ -392,6 +392,46 @@
}
}
},
+ "policyKasPublicKey": {
+ "type": "object",
+ "properties": {
+ "pem": {
+ "type": "string",
+ "title": "x509 ASN.1 content in PEM envelope, usually"
+ },
+ "kid": {
+ "type": "string",
+ "title": "A unique string identifier for this key"
+ },
+ "alg": {
+ "$ref": "#/definitions/policyKasPublicKeyAlgEnum",
+ "description": "A known algorithm type with any additional parameters encoded.\nTo start, these may be `rsa:2048` for encrypting ZTDF files and \n`ec:secp256r1` for nanoTDF, but more formats may be added as needed."
+ }
+ },
+ "title": "A KAS public key and some associated metadata for further identifcation"
+ },
+ "policyKasPublicKeyAlgEnum": {
+ "type": "string",
+ "enum": [
+ "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED",
+ "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048",
+ "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1"
+ ],
+ "default": "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED"
+ },
+ "policyKasPublicKeySet": {
+ "type": "object",
+ "properties": {
+ "keys": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/definitions/policyKasPublicKey"
+ }
+ }
+ },
+ "title": "A list of known KAS public keys"
+ },
"policyKeyAccessServer": {
"type": "object",
"properties": {
@@ -453,6 +493,10 @@
"local": {
"type": "string",
"title": "public key - optional since can also be retrieved via url"
+ },
+ "cached": {
+ "$ref": "#/definitions/policyKasPublicKeySet",
+ "title": "public key with additional information. Current preferred version"
}
}
},
diff --git a/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json b/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json
index 8efe538615..63e2b9ae9d 100644
--- a/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json
+++ b/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json
@@ -357,6 +357,46 @@
},
"title": "A collection of Conditions evaluated by the boolean_operator provided"
},
+ "policyKasPublicKey": {
+ "type": "object",
+ "properties": {
+ "pem": {
+ "type": "string",
+ "title": "x509 ASN.1 content in PEM envelope, usually"
+ },
+ "kid": {
+ "type": "string",
+ "title": "A unique string identifier for this key"
+ },
+ "alg": {
+ "$ref": "#/definitions/policyKasPublicKeyAlgEnum",
+ "description": "A known algorithm type with any additional parameters encoded.\nTo start, these may be `rsa:2048` for encrypting ZTDF files and \n`ec:secp256r1` for nanoTDF, but more formats may be added as needed."
+ }
+ },
+ "title": "A KAS public key and some associated metadata for further identifcation"
+ },
+ "policyKasPublicKeyAlgEnum": {
+ "type": "string",
+ "enum": [
+ "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED",
+ "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048",
+ "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1"
+ ],
+ "default": "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED"
+ },
+ "policyKasPublicKeySet": {
+ "type": "object",
+ "properties": {
+ "keys": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/definitions/policyKasPublicKey"
+ }
+ }
+ },
+ "title": "A list of known KAS public keys"
+ },
"policyKeyAccessServer": {
"type": "object",
"properties": {
@@ -418,6 +458,10 @@
"local": {
"type": "string",
"title": "public key - optional since can also be retrieved via url"
+ },
+ "cached": {
+ "$ref": "#/definitions/policyKasPublicKeySet",
+ "title": "public key with additional information. Current preferred version"
}
}
},
diff --git a/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json b/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json
index 4bf1247fc3..c32d59a988 100644
--- a/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json
+++ b/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json
@@ -559,6 +559,46 @@
},
"title": "A collection of Conditions evaluated by the boolean_operator provided"
},
+ "policyKasPublicKey": {
+ "type": "object",
+ "properties": {
+ "pem": {
+ "type": "string",
+ "title": "x509 ASN.1 content in PEM envelope, usually"
+ },
+ "kid": {
+ "type": "string",
+ "title": "A unique string identifier for this key"
+ },
+ "alg": {
+ "$ref": "#/definitions/policyKasPublicKeyAlgEnum",
+ "description": "A known algorithm type with any additional parameters encoded.\nTo start, these may be `rsa:2048` for encrypting ZTDF files and \n`ec:secp256r1` for nanoTDF, but more formats may be added as needed."
+ }
+ },
+ "title": "A KAS public key and some associated metadata for further identifcation"
+ },
+ "policyKasPublicKeyAlgEnum": {
+ "type": "string",
+ "enum": [
+ "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED",
+ "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048",
+ "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1"
+ ],
+ "default": "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED"
+ },
+ "policyKasPublicKeySet": {
+ "type": "object",
+ "properties": {
+ "keys": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/definitions/policyKasPublicKey"
+ }
+ }
+ },
+ "title": "A list of known KAS public keys"
+ },
"policyKeyAccessServer": {
"type": "object",
"properties": {
@@ -620,6 +660,10 @@
"local": {
"type": "string",
"title": "public key - optional since can also be retrieved via url"
+ },
+ "cached": {
+ "$ref": "#/definitions/policyKasPublicKeySet",
+ "title": "public key with additional information. Current preferred version"
}
}
},
diff --git a/docs/openapi/policy/unsafe/unsafe.swagger.json b/docs/openapi/policy/unsafe/unsafe.swagger.json
index 855ff0c55c..a917b49d1f 100644
--- a/docs/openapi/policy/unsafe/unsafe.swagger.json
+++ b/docs/openapi/policy/unsafe/unsafe.swagger.json
@@ -505,6 +505,46 @@
},
"title": "A collection of Conditions evaluated by the boolean_operator provided"
},
+ "policyKasPublicKey": {
+ "type": "object",
+ "properties": {
+ "pem": {
+ "type": "string",
+ "title": "x509 ASN.1 content in PEM envelope, usually"
+ },
+ "kid": {
+ "type": "string",
+ "title": "A unique string identifier for this key"
+ },
+ "alg": {
+ "$ref": "#/definitions/policyKasPublicKeyAlgEnum",
+ "description": "A known algorithm type with any additional parameters encoded.\nTo start, these may be `rsa:2048` for encrypting ZTDF files and \n`ec:secp256r1` for nanoTDF, but more formats may be added as needed."
+ }
+ },
+ "title": "A KAS public key and some associated metadata for further identifcation"
+ },
+ "policyKasPublicKeyAlgEnum": {
+ "type": "string",
+ "enum": [
+ "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED",
+ "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048",
+ "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1"
+ ],
+ "default": "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED"
+ },
+ "policyKasPublicKeySet": {
+ "type": "object",
+ "properties": {
+ "keys": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/definitions/policyKasPublicKey"
+ }
+ }
+ },
+ "title": "A list of known KAS public keys"
+ },
"policyKeyAccessServer": {
"type": "object",
"properties": {
@@ -566,6 +606,10 @@
"local": {
"type": "string",
"title": "public key - optional since can also be retrieved via url"
+ },
+ "cached": {
+ "$ref": "#/definitions/policyKasPublicKeySet",
+ "title": "public key with additional information. Current preferred version"
}
}
},
diff --git a/protocol/go/policy/objects.pb.go b/protocol/go/policy/objects.pb.go
index d7526c30e4..ace9fc48d9 100644
--- a/protocol/go/policy/objects.pb.go
+++ b/protocol/go/policy/objects.pb.go
@@ -182,6 +182,55 @@ func (ConditionBooleanTypeEnum) EnumDescriptor() ([]byte, []int) {
return file_policy_objects_proto_rawDescGZIP(), []int{2}
}
+type KasPublicKeyAlgEnum int32
+
+const (
+ KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED KasPublicKeyAlgEnum = 0
+ KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 KasPublicKeyAlgEnum = 1
+ KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 KasPublicKeyAlgEnum = 5
+)
+
+// Enum value maps for KasPublicKeyAlgEnum.
+var (
+ KasPublicKeyAlgEnum_name = map[int32]string{
+ 0: "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED",
+ 1: "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048",
+ 5: "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1",
+ }
+ KasPublicKeyAlgEnum_value = map[string]int32{
+ "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED": 0,
+ "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048": 1,
+ "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1": 5,
+ }
+)
+
+func (x KasPublicKeyAlgEnum) Enum() *KasPublicKeyAlgEnum {
+ p := new(KasPublicKeyAlgEnum)
+ *p = x
+ return p
+}
+
+func (x KasPublicKeyAlgEnum) String() string {
+ return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (KasPublicKeyAlgEnum) Descriptor() protoreflect.EnumDescriptor {
+ return file_policy_objects_proto_enumTypes[3].Descriptor()
+}
+
+func (KasPublicKeyAlgEnum) Type() protoreflect.EnumType {
+ return &file_policy_objects_proto_enumTypes[3]
+}
+
+func (x KasPublicKeyAlgEnum) Number() protoreflect.EnumNumber {
+ return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use KasPublicKeyAlgEnum.Descriptor instead.
+func (KasPublicKeyAlgEnum) EnumDescriptor() ([]byte, []int) {
+ return file_policy_objects_proto_rawDescGZIP(), []int{3}
+}
+
// Standard actions supported by the platform
type Action_StandardAction int32
@@ -216,11 +265,11 @@ func (x Action_StandardAction) String() string {
}
func (Action_StandardAction) Descriptor() protoreflect.EnumDescriptor {
- return file_policy_objects_proto_enumTypes[3].Descriptor()
+ return file_policy_objects_proto_enumTypes[4].Descriptor()
}
func (Action_StandardAction) Type() protoreflect.EnumType {
- return &file_policy_objects_proto_enumTypes[3]
+ return &file_policy_objects_proto_enumTypes[4]
}
func (x Action_StandardAction) Number() protoreflect.EnumNumber {
@@ -1256,6 +1305,123 @@ func (x *KeyAccessServer) GetMetadata() *common.Metadata {
return nil
}
+// A KAS public key and some associated metadata for further identifcation
+type KasPublicKey struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // x509 ASN.1 content in PEM envelope, usually
+ Pem string `protobuf:"bytes,1,opt,name=pem,proto3" json:"pem,omitempty"`
+ // A unique string identifier for this key
+ Kid string `protobuf:"bytes,2,opt,name=kid,proto3" json:"kid,omitempty"`
+ // A known algorithm type with any additional parameters encoded.
+ // To start, these may be `rsa:2048` for encrypting ZTDF files and
+ // `ec:secp256r1` for nanoTDF, but more formats may be added as needed.
+ Alg KasPublicKeyAlgEnum `protobuf:"varint,3,opt,name=alg,proto3,enum=policy.KasPublicKeyAlgEnum" json:"alg,omitempty"`
+}
+
+func (x *KasPublicKey) Reset() {
+ *x = KasPublicKey{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_objects_proto_msgTypes[13]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *KasPublicKey) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*KasPublicKey) ProtoMessage() {}
+
+func (x *KasPublicKey) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_objects_proto_msgTypes[13]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use KasPublicKey.ProtoReflect.Descriptor instead.
+func (*KasPublicKey) Descriptor() ([]byte, []int) {
+ return file_policy_objects_proto_rawDescGZIP(), []int{13}
+}
+
+func (x *KasPublicKey) GetPem() string {
+ if x != nil {
+ return x.Pem
+ }
+ return ""
+}
+
+func (x *KasPublicKey) GetKid() string {
+ if x != nil {
+ return x.Kid
+ }
+ return ""
+}
+
+func (x *KasPublicKey) GetAlg() KasPublicKeyAlgEnum {
+ if x != nil {
+ return x.Alg
+ }
+ return KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED
+}
+
+// A list of known KAS public keys
+type KasPublicKeySet struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ Keys []*KasPublicKey `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"`
+}
+
+func (x *KasPublicKeySet) Reset() {
+ *x = KasPublicKeySet{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_objects_proto_msgTypes[14]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *KasPublicKeySet) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*KasPublicKeySet) ProtoMessage() {}
+
+func (x *KasPublicKeySet) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_objects_proto_msgTypes[14]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use KasPublicKeySet.ProtoReflect.Descriptor instead.
+func (*KasPublicKeySet) Descriptor() ([]byte, []int) {
+ return file_policy_objects_proto_rawDescGZIP(), []int{14}
+}
+
+func (x *KasPublicKeySet) GetKeys() []*KasPublicKey {
+ if x != nil {
+ return x.Keys
+ }
+ return nil
+}
+
type PublicKey struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
@@ -1265,13 +1431,14 @@ type PublicKey struct {
//
// *PublicKey_Remote
// *PublicKey_Local
+ // *PublicKey_Cached
PublicKey isPublicKey_PublicKey `protobuf_oneof:"public_key"`
}
func (x *PublicKey) Reset() {
*x = PublicKey{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[13]
+ mi := &file_policy_objects_proto_msgTypes[15]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -1284,7 +1451,7 @@ func (x *PublicKey) String() string {
func (*PublicKey) ProtoMessage() {}
func (x *PublicKey) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[13]
+ mi := &file_policy_objects_proto_msgTypes[15]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -1297,7 +1464,7 @@ func (x *PublicKey) ProtoReflect() protoreflect.Message {
// Deprecated: Use PublicKey.ProtoReflect.Descriptor instead.
func (*PublicKey) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{13}
+ return file_policy_objects_proto_rawDescGZIP(), []int{15}
}
func (m *PublicKey) GetPublicKey() isPublicKey_PublicKey {
@@ -1321,6 +1488,13 @@ func (x *PublicKey) GetLocal() string {
return ""
}
+func (x *PublicKey) GetCached() *KasPublicKeySet {
+ if x, ok := x.GetPublicKey().(*PublicKey_Cached); ok {
+ return x.Cached
+ }
+ return nil
+}
+
type isPublicKey_PublicKey interface {
isPublicKey_PublicKey()
}
@@ -1335,10 +1509,17 @@ type PublicKey_Local struct {
Local string `protobuf:"bytes,2,opt,name=local,proto3,oneof"`
}
+type PublicKey_Cached struct {
+ // public key with additional information. Current preferred version
+ Cached *KasPublicKeySet `protobuf:"bytes,3,opt,name=cached,proto3,oneof"`
+}
+
func (*PublicKey_Remote) isPublicKey_PublicKey() {}
func (*PublicKey_Local) isPublicKey_PublicKey() {}
+func (*PublicKey_Cached) isPublicKey_PublicKey() {}
+
var File_policy_objects_proto protoreflect.FileDescriptor
var file_policy_objects_proto_rawDesc = []byte{
@@ -1537,7 +1718,17 @@ var file_policy_objects_proto_rawDesc = []byte{
0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x2c,
0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b,
0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61,
- 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xb8, 0x03, 0x0a,
+ 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x61, 0x0a, 0x0c,
+ 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x10, 0x0a, 0x03,
+ 0x70, 0x65, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x70, 0x65, 0x6d, 0x12, 0x10,
+ 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64,
+ 0x12, 0x2d, 0x0a, 0x03, 0x61, 0x6c, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1b, 0x2e,
+ 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63,
+ 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x52, 0x03, 0x61, 0x6c, 0x67, 0x22,
+ 0x3b, 0x0a, 0x0f, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x53,
+ 0x65, 0x74, 0x12, 0x28, 0x0a, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b,
+ 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62,
+ 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x22, 0xeb, 0x03, 0x0a,
0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x84, 0x03, 0x0a, 0x06, 0x72,
0x65, 0x6d, 0x6f, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0xe9, 0x02, 0xba, 0x48,
0xe5, 0x02, 0xba, 0x01, 0xe1, 0x02, 0x0a, 0x0a, 0x75, 0x72, 0x69, 0x5f, 0x66, 0x6f, 0x72, 0x6d,
@@ -1564,41 +1755,54 @@ var file_policy_objects_proto_rawDesc = []byte{
0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x29, 0x2a, 0x28, 0x2f,
0x2e, 0x2a, 0x29, 0x3f, 0x24, 0x27, 0x29, 0x48, 0x00, 0x52, 0x06, 0x72, 0x65, 0x6d, 0x6f, 0x74,
0x65, 0x12, 0x16, 0x0a, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
- 0x48, 0x00, 0x52, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x42, 0x0c, 0x0a, 0x0a, 0x70, 0x75, 0x62,
- 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x2a, 0xb3, 0x01, 0x0a, 0x15, 0x41, 0x74, 0x74, 0x72,
- 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x75, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75,
- 0x6d, 0x12, 0x28, 0x0a, 0x24, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52,
- 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e,
- 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f, 0x41,
- 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59,
- 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4c, 0x4c, 0x5f, 0x4f, 0x46, 0x10, 0x01,
- 0x12, 0x23, 0x0a, 0x1f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55,
- 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4e, 0x59,
- 0x5f, 0x4f, 0x46, 0x10, 0x02, 0x12, 0x26, 0x0a, 0x22, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55,
- 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55,
- 0x4d, 0x5f, 0x48, 0x49, 0x45, 0x52, 0x41, 0x52, 0x43, 0x48, 0x59, 0x10, 0x03, 0x2a, 0xca, 0x01,
- 0x0a, 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67,
- 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x2d, 0x0a, 0x29,
- 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f,
- 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e,
- 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x24, 0x0a, 0x20, 0x53,
- 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f,
- 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x49, 0x4e, 0x10,
- 0x01, 0x12, 0x28, 0x0a, 0x24, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50,
- 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e,
- 0x55, 0x4d, 0x5f, 0x4e, 0x4f, 0x54, 0x5f, 0x49, 0x4e, 0x10, 0x02, 0x12, 0x2d, 0x0a, 0x29, 0x53,
- 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f,
- 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x49, 0x4e, 0x5f,
- 0x43, 0x4f, 0x4e, 0x54, 0x41, 0x49, 0x4e, 0x53, 0x10, 0x03, 0x2a, 0x90, 0x01, 0x0a, 0x18, 0x43,
- 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x54,
- 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x2b, 0x0a, 0x27, 0x43, 0x4f, 0x4e, 0x44, 0x49,
+ 0x48, 0x00, 0x52, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x12, 0x31, 0x0a, 0x06, 0x63, 0x61, 0x63,
+ 0x68, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69,
+ 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x53,
+ 0x65, 0x74, 0x48, 0x00, 0x52, 0x06, 0x63, 0x61, 0x63, 0x68, 0x65, 0x64, 0x42, 0x0c, 0x0a, 0x0a,
+ 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x2a, 0xb3, 0x01, 0x0a, 0x15, 0x41,
+ 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x75, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65,
+ 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x28, 0x0a, 0x24, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54,
+ 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d,
+ 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23,
+ 0x0a, 0x1f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45,
+ 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4c, 0x4c, 0x5f, 0x4f,
+ 0x46, 0x10, 0x01, 0x12, 0x23, 0x0a, 0x1f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45,
+ 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f,
+ 0x41, 0x4e, 0x59, 0x5f, 0x4f, 0x46, 0x10, 0x02, 0x12, 0x26, 0x0a, 0x22, 0x41, 0x54, 0x54, 0x52,
+ 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f,
+ 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x49, 0x45, 0x52, 0x41, 0x52, 0x43, 0x48, 0x59, 0x10, 0x03,
+ 0x2a, 0xca, 0x01, 0x0a, 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70,
+ 0x69, 0x6e, 0x67, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x12,
+ 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49,
+ 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d,
+ 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x24,
+ 0x0a, 0x20, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e,
+ 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f,
+ 0x49, 0x4e, 0x10, 0x01, 0x12, 0x28, 0x0a, 0x24, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f,
+ 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52,
+ 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x4e, 0x4f, 0x54, 0x5f, 0x49, 0x4e, 0x10, 0x02, 0x12, 0x2d,
+ 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e,
+ 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f,
+ 0x49, 0x4e, 0x5f, 0x43, 0x4f, 0x4e, 0x54, 0x41, 0x49, 0x4e, 0x53, 0x10, 0x03, 0x2a, 0x90, 0x01,
+ 0x0a, 0x18, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x6f, 0x6f, 0x6c, 0x65,
+ 0x61, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x2b, 0x0a, 0x27, 0x43, 0x4f,
+ 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f,
+ 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43,
+ 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f, 0x43, 0x4f, 0x4e, 0x44, 0x49,
0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50,
- 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49,
- 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f,
- 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45,
- 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4e, 0x44, 0x10, 0x01, 0x12, 0x22, 0x0a, 0x1e, 0x43, 0x4f, 0x4e,
- 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54,
- 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x4f, 0x52, 0x10, 0x02, 0x42, 0x82, 0x01,
+ 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4e, 0x44, 0x10, 0x01, 0x12, 0x22, 0x0a, 0x1e,
+ 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41,
+ 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x4f, 0x52, 0x10, 0x02,
+ 0x2a, 0x9a, 0x01, 0x0a, 0x13, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65,
+ 0x79, 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x27, 0x0a, 0x23, 0x4b, 0x41, 0x53, 0x5f,
+ 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45,
+ 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10,
+ 0x00, 0x12, 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f,
+ 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x52, 0x53, 0x41,
+ 0x5f, 0x32, 0x30, 0x34, 0x38, 0x10, 0x01, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50,
+ 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e,
+ 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35, 0x36, 0x52, 0x31, 0x10,
+ 0x05, 0x22, 0x04, 0x08, 0x02, 0x10, 0x04, 0x22, 0x04, 0x08, 0x06, 0x10, 0x64, 0x42, 0x82, 0x01,
0x0a, 0x0a, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, 0x0c, 0x4f, 0x62,
0x6a, 0x65, 0x63, 0x74, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2e, 0x67, 0x69,
0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66,
@@ -1622,66 +1826,72 @@ func file_policy_objects_proto_rawDescGZIP() []byte {
return file_policy_objects_proto_rawDescData
}
-var file_policy_objects_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
-var file_policy_objects_proto_msgTypes = make([]protoimpl.MessageInfo, 14)
+var file_policy_objects_proto_enumTypes = make([]protoimpl.EnumInfo, 5)
+var file_policy_objects_proto_msgTypes = make([]protoimpl.MessageInfo, 16)
var file_policy_objects_proto_goTypes = []interface{}{
(AttributeRuleTypeEnum)(0), // 0: policy.AttributeRuleTypeEnum
(SubjectMappingOperatorEnum)(0), // 1: policy.SubjectMappingOperatorEnum
(ConditionBooleanTypeEnum)(0), // 2: policy.ConditionBooleanTypeEnum
- (Action_StandardAction)(0), // 3: policy.Action.StandardAction
- (*Namespace)(nil), // 4: policy.Namespace
- (*Attribute)(nil), // 5: policy.Attribute
- (*Value)(nil), // 6: policy.Value
- (*Action)(nil), // 7: policy.Action
- (*SubjectMapping)(nil), // 8: policy.SubjectMapping
- (*Condition)(nil), // 9: policy.Condition
- (*ConditionGroup)(nil), // 10: policy.ConditionGroup
- (*SubjectSet)(nil), // 11: policy.SubjectSet
- (*SubjectConditionSet)(nil), // 12: policy.SubjectConditionSet
- (*SubjectProperty)(nil), // 13: policy.SubjectProperty
- (*ResourceMappingGroup)(nil), // 14: policy.ResourceMappingGroup
- (*ResourceMapping)(nil), // 15: policy.ResourceMapping
- (*KeyAccessServer)(nil), // 16: policy.KeyAccessServer
- (*PublicKey)(nil), // 17: policy.PublicKey
- (*wrapperspb.BoolValue)(nil), // 18: google.protobuf.BoolValue
- (*common.Metadata)(nil), // 19: common.Metadata
+ (KasPublicKeyAlgEnum)(0), // 3: policy.KasPublicKeyAlgEnum
+ (Action_StandardAction)(0), // 4: policy.Action.StandardAction
+ (*Namespace)(nil), // 5: policy.Namespace
+ (*Attribute)(nil), // 6: policy.Attribute
+ (*Value)(nil), // 7: policy.Value
+ (*Action)(nil), // 8: policy.Action
+ (*SubjectMapping)(nil), // 9: policy.SubjectMapping
+ (*Condition)(nil), // 10: policy.Condition
+ (*ConditionGroup)(nil), // 11: policy.ConditionGroup
+ (*SubjectSet)(nil), // 12: policy.SubjectSet
+ (*SubjectConditionSet)(nil), // 13: policy.SubjectConditionSet
+ (*SubjectProperty)(nil), // 14: policy.SubjectProperty
+ (*ResourceMappingGroup)(nil), // 15: policy.ResourceMappingGroup
+ (*ResourceMapping)(nil), // 16: policy.ResourceMapping
+ (*KeyAccessServer)(nil), // 17: policy.KeyAccessServer
+ (*KasPublicKey)(nil), // 18: policy.KasPublicKey
+ (*KasPublicKeySet)(nil), // 19: policy.KasPublicKeySet
+ (*PublicKey)(nil), // 20: policy.PublicKey
+ (*wrapperspb.BoolValue)(nil), // 21: google.protobuf.BoolValue
+ (*common.Metadata)(nil), // 22: common.Metadata
}
var file_policy_objects_proto_depIdxs = []int32{
- 18, // 0: policy.Namespace.active:type_name -> google.protobuf.BoolValue
- 19, // 1: policy.Namespace.metadata:type_name -> common.Metadata
- 16, // 2: policy.Namespace.grants:type_name -> policy.KeyAccessServer
- 4, // 3: policy.Attribute.namespace:type_name -> policy.Namespace
+ 21, // 0: policy.Namespace.active:type_name -> google.protobuf.BoolValue
+ 22, // 1: policy.Namespace.metadata:type_name -> common.Metadata
+ 17, // 2: policy.Namespace.grants:type_name -> policy.KeyAccessServer
+ 5, // 3: policy.Attribute.namespace:type_name -> policy.Namespace
0, // 4: policy.Attribute.rule:type_name -> policy.AttributeRuleTypeEnum
- 6, // 5: policy.Attribute.values:type_name -> policy.Value
- 16, // 6: policy.Attribute.grants:type_name -> policy.KeyAccessServer
- 18, // 7: policy.Attribute.active:type_name -> google.protobuf.BoolValue
- 19, // 8: policy.Attribute.metadata:type_name -> common.Metadata
- 5, // 9: policy.Value.attribute:type_name -> policy.Attribute
- 16, // 10: policy.Value.grants:type_name -> policy.KeyAccessServer
- 18, // 11: policy.Value.active:type_name -> google.protobuf.BoolValue
- 8, // 12: policy.Value.subject_mappings:type_name -> policy.SubjectMapping
- 19, // 13: policy.Value.metadata:type_name -> common.Metadata
- 3, // 14: policy.Action.standard:type_name -> policy.Action.StandardAction
- 6, // 15: policy.SubjectMapping.attribute_value:type_name -> policy.Value
- 12, // 16: policy.SubjectMapping.subject_condition_set:type_name -> policy.SubjectConditionSet
- 7, // 17: policy.SubjectMapping.actions:type_name -> policy.Action
- 19, // 18: policy.SubjectMapping.metadata:type_name -> common.Metadata
+ 7, // 5: policy.Attribute.values:type_name -> policy.Value
+ 17, // 6: policy.Attribute.grants:type_name -> policy.KeyAccessServer
+ 21, // 7: policy.Attribute.active:type_name -> google.protobuf.BoolValue
+ 22, // 8: policy.Attribute.metadata:type_name -> common.Metadata
+ 6, // 9: policy.Value.attribute:type_name -> policy.Attribute
+ 17, // 10: policy.Value.grants:type_name -> policy.KeyAccessServer
+ 21, // 11: policy.Value.active:type_name -> google.protobuf.BoolValue
+ 9, // 12: policy.Value.subject_mappings:type_name -> policy.SubjectMapping
+ 22, // 13: policy.Value.metadata:type_name -> common.Metadata
+ 4, // 14: policy.Action.standard:type_name -> policy.Action.StandardAction
+ 7, // 15: policy.SubjectMapping.attribute_value:type_name -> policy.Value
+ 13, // 16: policy.SubjectMapping.subject_condition_set:type_name -> policy.SubjectConditionSet
+ 8, // 17: policy.SubjectMapping.actions:type_name -> policy.Action
+ 22, // 18: policy.SubjectMapping.metadata:type_name -> common.Metadata
1, // 19: policy.Condition.operator:type_name -> policy.SubjectMappingOperatorEnum
- 9, // 20: policy.ConditionGroup.conditions:type_name -> policy.Condition
+ 10, // 20: policy.ConditionGroup.conditions:type_name -> policy.Condition
2, // 21: policy.ConditionGroup.boolean_operator:type_name -> policy.ConditionBooleanTypeEnum
- 10, // 22: policy.SubjectSet.condition_groups:type_name -> policy.ConditionGroup
- 11, // 23: policy.SubjectConditionSet.subject_sets:type_name -> policy.SubjectSet
- 19, // 24: policy.SubjectConditionSet.metadata:type_name -> common.Metadata
- 19, // 25: policy.ResourceMapping.metadata:type_name -> common.Metadata
- 6, // 26: policy.ResourceMapping.attribute_value:type_name -> policy.Value
- 14, // 27: policy.ResourceMapping.group:type_name -> policy.ResourceMappingGroup
- 17, // 28: policy.KeyAccessServer.public_key:type_name -> policy.PublicKey
- 19, // 29: policy.KeyAccessServer.metadata:type_name -> common.Metadata
- 30, // [30:30] is the sub-list for method output_type
- 30, // [30:30] is the sub-list for method input_type
- 30, // [30:30] is the sub-list for extension type_name
- 30, // [30:30] is the sub-list for extension extendee
- 0, // [0:30] is the sub-list for field type_name
+ 11, // 22: policy.SubjectSet.condition_groups:type_name -> policy.ConditionGroup
+ 12, // 23: policy.SubjectConditionSet.subject_sets:type_name -> policy.SubjectSet
+ 22, // 24: policy.SubjectConditionSet.metadata:type_name -> common.Metadata
+ 22, // 25: policy.ResourceMapping.metadata:type_name -> common.Metadata
+ 7, // 26: policy.ResourceMapping.attribute_value:type_name -> policy.Value
+ 15, // 27: policy.ResourceMapping.group:type_name -> policy.ResourceMappingGroup
+ 20, // 28: policy.KeyAccessServer.public_key:type_name -> policy.PublicKey
+ 22, // 29: policy.KeyAccessServer.metadata:type_name -> common.Metadata
+ 3, // 30: policy.KasPublicKey.alg:type_name -> policy.KasPublicKeyAlgEnum
+ 18, // 31: policy.KasPublicKeySet.keys:type_name -> policy.KasPublicKey
+ 19, // 32: policy.PublicKey.cached:type_name -> policy.KasPublicKeySet
+ 33, // [33:33] is the sub-list for method output_type
+ 33, // [33:33] is the sub-list for method input_type
+ 33, // [33:33] is the sub-list for extension type_name
+ 33, // [33:33] is the sub-list for extension extendee
+ 0, // [0:33] is the sub-list for field type_name
}
func init() { file_policy_objects_proto_init() }
@@ -1847,6 +2057,30 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*KasPublicKey); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_objects_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*KasPublicKeySet); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_objects_proto_msgTypes[15].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*PublicKey); i {
case 0:
return &v.state
@@ -1863,17 +2097,18 @@ func file_policy_objects_proto_init() {
(*Action_Standard)(nil),
(*Action_Custom)(nil),
}
- file_policy_objects_proto_msgTypes[13].OneofWrappers = []interface{}{
+ file_policy_objects_proto_msgTypes[15].OneofWrappers = []interface{}{
(*PublicKey_Remote)(nil),
(*PublicKey_Local)(nil),
+ (*PublicKey_Cached)(nil),
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_policy_objects_proto_rawDesc,
- NumEnums: 4,
- NumMessages: 14,
+ NumEnums: 5,
+ NumMessages: 16,
NumExtensions: 0,
NumServices: 0,
},
diff --git a/service/policy/objects.proto b/service/policy/objects.proto
index f0ac9d3850..10da55d418 100644
--- a/service/policy/objects.proto
+++ b/service/policy/objects.proto
@@ -150,21 +150,21 @@ message SubjectMapping {
}
/**
- A Condition defines a rule of
-
- Example: Subjects with a field selected by the flattened selector "'.division'" and a value of "Accounting" or "Marketing":
- {
- "subject_external_selector_value": "'.division'",
- "operator": "SUBJECT_MAPPING_OPERATOR_ENUM_IN",
- "subject_external_values" : ["Accounting", "Marketing"]
- }
-
- Example: Subjects that are not part of the Fantastic Four according to their alias field:
- {
- "subject_external_selector_value": "'.data[0].alias'",
- "operator": "SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN",
- "subject_external_values" : ["mister_fantastic", "the_thing", "human_torch", "invisible_woman"]
- }
+ A Condition defines a rule of
+
+ Example: Subjects with a field selected by the flattened selector "'.division'" and a value of "Accounting" or "Marketing":
+ {
+ "subject_external_selector_value": "'.division'",
+ "operator": "SUBJECT_MAPPING_OPERATOR_ENUM_IN",
+ "subject_external_values" : ["Accounting", "Marketing"]
+ }
+
+ Example: Subjects that are not part of the Fantastic Four according to their alias field:
+ {
+ "subject_external_selector_value": "'.data[0].alias'",
+ "operator": "SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN",
+ "subject_external_values" : ["mister_fantastic", "the_thing", "human_torch", "invisible_woman"]
+ }
*/
message Condition {
// a selector for a field value on a flattened Entity Representation (such as from idP/LDAP)
@@ -269,16 +269,46 @@ message KeyAccessServer {
common.Metadata metadata = 100;
}
+enum KasPublicKeyAlgEnum {
+ KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED = 0;
+ KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 = 1;
+ reserved 2 to 4;
+ KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 = 5;
+ reserved 6 to 100;
+}
+
+// A KAS public key and some associated metadata for further identifcation
+message KasPublicKey {
+ // x509 ASN.1 content in PEM envelope, usually
+ string pem = 1;
+
+ // A unique string identifier for this key
+ string kid = 2;
+
+ // A known algorithm type with any additional parameters encoded.
+ // To start, these may be `rsa:2048` for encrypting ZTDF files and
+ // `ec:secp256r1` for nanoTDF, but more formats may be added as needed.
+ KasPublicKeyAlgEnum alg = 3;
+}
+
+// A list of known KAS public keys
+message KasPublicKeySet {
+ repeated KasPublicKey keys = 1;
+}
+
message PublicKey {
oneof public_key {
// kas public key url - optional since can also be retrieved via public key
string remote = 1 [(buf.validate.field).cel = {
- id: "uri_format",
- message: "URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.",
+ id: "uri_format"
+ message: "URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes."
expression: "this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\\\-]{0,61}[a-zA-Z0-9])?(\\\\.[a-zA-Z0-9]([a-zA-Z0-9\\\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$')"
}];
// public key - optional since can also be retrieved via url
string local = 2;
+
+ // public key with additional information. Current preferred version
+ KasPublicKeySet cached = 3;
}
}
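Review bot: `KasPublicKey.pem` and `kid` carry no `buf.validate` constraints, unlike the sibling `remote` field, so an empty PEM, a PEM whose key type does not match `alg`, or duplicate `kid` values inside one `KasPublicKeySet` are accepted at the schema level and must be rejected by whatever loads these keys. The `alg` comment still describes string forms (`rsa:2048`, `ec:secp256r1`) although the field is the enum `KasPublicKeyAlgEnum`; it could instead read `// Algorithm of the key carried in pem; a consumer should reject a key whose PEM content does not match this value.` The `pem` comment leaves open whether the envelope holds a certificate or a bare SubjectPublicKeyInfo, so state which, e.g. `// PEM-encoded x509 content (certificate or SubjectPublicKeyInfo); must not be empty`. The message comment's "identifcation" is a typo for "identification".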