diff --git a/docs/grpc/index.html b/docs/grpc/index.html
index bf6aea425d..c2a2f30696 100644
--- a/docs/grpc/index.html
+++ b/docs/grpc/index.html
@@ -1119,6 +1119,10 @@
Table of Contents
MKeyAccessServerGrants
+
+ MKeyMapping
+
+
MListKeyAccessServerGrantsRequest
@@ -1135,6 +1139,14 @@ Table of Contents
MListKeyAccessServersResponse
+
+ MListKeyMappingsRequest
+
+
+
+ MListKeyMappingsResponse
+
+
MListKeysRequest
@@ -1171,6 +1183,10 @@ Table of Contents
MListPublicKeysResponse
+
+ MMappedPolicyObject
+
+
MRotateKeyRequest
@@ -9444,6 +9460,58 @@ KeyAccessServerGrants
+ KeyMapping
+
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
+
+ | kid |
+ string |
+ |
+ |
+
+
+
+ | kas_uri |
+ string |
+ |
+ |
+
+
+
+ | namespace_mappings |
+ MappedPolicyObject |
+ repeated |
+ List of namespaces mapped to the key |
+
+
+
+ | attribute_mappings |
+ MappedPolicyObject |
+ repeated |
+ List of attribute definitions mapped to the key |
+
+
+
+ | value_mappings |
+ MappedPolicyObject |
+ repeated |
+ List of attribute values mapped to the key |
+
+
+
+
+
+
+
+
+
ListKeyAccessServerGrantsRequest
LIST of KAS Grants returns flat response of grants to all policy objects. It
does not employ selectors for grants to specific policy objects or build the
attribute tree relation. If grants to a known namespace, attribute, or value
are needed, use the respective GET request to the specific policy object.
@@ -9605,6 +9673,75 @@ ListKeyAccessServersRes
+ ListKeyMappingsRequest
+
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
+
+ | id |
+ string |
+ |
+ The unique identifier of the key to retrieve |
+
+
+
+ | key |
+ KasKeyIdentifier |
+ |
+ |
+
+
+
+ | pagination |
+ policy.PageRequest |
+ |
+ Pagination request for the list of keys |
+
+
+
+
+
+
+
+
+
+ ListKeyMappingsResponse
+
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
+
+ | key_mappings |
+ KeyMapping |
+ repeated |
+ The list of key mappings |
+
+
+
+ | pagination |
+ policy.PageResponse |
+ |
+ Pagination response for the list of keys |
+
+
+
+
+
+
+
+
+
ListKeysRequest
List all asymmetric keys managed by a specific Key Access Server or with a given algorithm
@@ -9970,6 +10107,37 @@ ListPublicKeysResponse
+ MappedPolicyObject
+
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
+
+ | id |
+ string |
+ |
+ The unique identifier of the policy object |
+
+
+
+ | fqn |
+ string |
+ |
+ The fully qualified name of the policy object |
+
+
+
+
+
+
+
+
+
RotateKeyRequest
@@ -10546,6 +10714,13 @@ KeyAccessServerRegist
Get Default kas keys |
+
+ | ListKeyMappings |
+ ListKeyMappingsRequest |
+ ListKeyMappingsResponse |
+ Request to list key mappings in the Key Access Service. |
+
+
diff --git a/docs/openapi/authorization/authorization.openapi.yaml b/docs/openapi/authorization/authorization.openapi.yaml
index 582d5392ab..1f263fc4d0 100644
--- a/docs/openapi/authorization/authorization.openapi.yaml
+++ b/docs/openapi/authorization/authorization.openapi.yaml
@@ -662,9 +662,6 @@ components:
description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message.
google.protobuf.Timestamp:
type: string
- examples:
- - 1s
- - 1.000340012s
format: date-time
description: |-
A Timestamp represents a point in time independent of any time zone or local
diff --git a/docs/openapi/authorization/v2/authorization.openapi.yaml b/docs/openapi/authorization/v2/authorization.openapi.yaml
index 47de4d93cf..32a36e3943 100644
--- a/docs/openapi/authorization/v2/authorization.openapi.yaml
+++ b/docs/openapi/authorization/v2/authorization.openapi.yaml
@@ -583,14 +583,8 @@ components:
Wrapper message for `bool`.
The JSON representation for `BoolValue` is JSON `true` and `false`.
-
- Not recommended for use in new APIs, but still useful for legacy APIs and
- has no plan to be removed.
google.protobuf.Timestamp:
type: string
- examples:
- - 1s
- - 1.000340012s
format: date-time
description: |-
A Timestamp represents a point in time independent of any time zone or local
diff --git a/docs/openapi/common/common.openapi.yaml b/docs/openapi/common/common.openapi.yaml
index bff7e6603e..b19945f5df 100644
--- a/docs/openapi/common/common.openapi.yaml
+++ b/docs/openapi/common/common.openapi.yaml
@@ -77,9 +77,6 @@ components:
additionalProperties: false
google.protobuf.Timestamp:
type: string
- examples:
- - 1s
- - 1.000340012s
format: date-time
description: |-
A Timestamp represents a point in time independent of any time zone or local
diff --git a/docs/openapi/kas/kas.openapi.yaml b/docs/openapi/kas/kas.openapi.yaml
index 681fa2301d..9d2cf2a1f1 100644
--- a/docs/openapi/kas/kas.openapi.yaml
+++ b/docs/openapi/kas/kas.openapi.yaml
@@ -126,9 +126,6 @@ components:
Wrapper message for `string`.
The JSON representation for `StringValue` is JSON string.
-
- Not recommended for use in new APIs, but still useful for legacy APIs and
- has no plan to be removed.
google.protobuf.Struct:
type: object
additionalProperties:
diff --git a/docs/openapi/policy/actions/actions.openapi.yaml b/docs/openapi/policy/actions/actions.openapi.yaml
index 3f4f22457f..42949f6731 100644
--- a/docs/openapi/policy/actions/actions.openapi.yaml
+++ b/docs/openapi/policy/actions/actions.openapi.yaml
@@ -309,14 +309,8 @@ components:
Wrapper message for `bool`.
The JSON representation for `BoolValue` is JSON `true` and `false`.
-
- Not recommended for use in new APIs, but still useful for legacy APIs and
- has no plan to be removed.
google.protobuf.Timestamp:
type: string
- examples:
- - 1s
- - 1.000340012s
format: date-time
description: |-
A Timestamp represents a point in time independent of any time zone or local
diff --git a/docs/openapi/policy/attributes/attributes.openapi.yaml b/docs/openapi/policy/attributes/attributes.openapi.yaml
index 07039613c0..5de458d059 100644
--- a/docs/openapi/policy/attributes/attributes.openapi.yaml
+++ b/docs/openapi/policy/attributes/attributes.openapi.yaml
@@ -850,14 +850,8 @@ components:
Wrapper message for `bool`.
The JSON representation for `BoolValue` is JSON `true` and `false`.
-
- Not recommended for use in new APIs, but still useful for legacy APIs and
- has no plan to be removed.
google.protobuf.Timestamp:
type: string
- examples:
- - 1s
- - 1.000340012s
format: date-time
description: |-
A Timestamp represents a point in time independent of any time zone or local
diff --git a/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml b/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml
index e0b20d69da..60fd075f6a 100644
--- a/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml
+++ b/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml
@@ -479,6 +479,42 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/policy.kasregistry.GetBaseKeyResponse'
+ /policy.kasregistry.KeyAccessServerRegistryService/ListKeyMappings:
+ post:
+ tags:
+ - policy.kasregistry.KeyAccessServerRegistryService
+ summary: ListKeyMappings
+ description: Request to list key mappings in the Key Access Service.
+ operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyMappings
+ parameters:
+ - name: Connect-Protocol-Version
+ in: header
+ required: true
+ schema:
+ $ref: '#/components/schemas/connect-protocol-version'
+ - name: Connect-Timeout-Ms
+ in: header
+ schema:
+ $ref: '#/components/schemas/connect-timeout-header'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.kasregistry.ListKeyMappingsRequest'
+ required: true
+ responses:
+ default:
+ description: Error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/connect.error'
+ "200":
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.kasregistry.ListKeyMappingsResponse'
components:
schemas:
common.MetadataUpdateEnum:
@@ -599,14 +635,8 @@ components:
Wrapper message for `bool`.
The JSON representation for `BoolValue` is JSON `true` and `false`.
-
- Not recommended for use in new APIs, but still useful for legacy APIs and
- has no plan to be removed.
google.protobuf.Timestamp:
type: string
- examples:
- - 1s
- - 1.000340012s
format: date-time
description: |-
A Timestamp represents a point in time independent of any time zone or local
@@ -1424,6 +1454,35 @@ components:
title: KeyAccessServerGrants
additionalProperties: false
description: Deprecated
+ policy.kasregistry.KeyMapping:
+ type: object
+ properties:
+ kid:
+ type: string
+ title: kid
+ kasUri:
+ type: string
+ title: kas_uri
+ namespaceMappings:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.kasregistry.MappedPolicyObject'
+ title: namespace_mappings
+ description: List of namespaces mapped to the key
+ attributeMappings:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.kasregistry.MappedPolicyObject'
+ title: attribute_mappings
+ description: List of attribute definitions mapped to the key
+ valueMappings:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.kasregistry.MappedPolicyObject'
+ title: value_mappings
+ description: List of attribute values mapped to the key
+ title: KeyMapping
+ additionalProperties: false
policy.kasregistry.ListKeyAccessServerGrantsRequest:
type: object
properties:
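Review bot: `kid` and `kasUri` in `policy.kasregistry.KeyMapping` are published with a title only, while the three mapping arrays beside them each carry a description. A reader of the spec cannot tell from this schema whether `kid` is the key's own identifier or a storage id, nor which server `kasUri` refers to. Since this file looks generated, the comments would go on the two fields in the source .proto, for example `// The key identifier (kid) of the mapped key` and `// The URI of the Key Access Server the key belongs to`, worded to match what the service actually returns.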
@@ -1515,6 +1574,47 @@ components:
$ref: '#/components/schemas/policy.PageResponse'
title: ListKeyAccessServersResponse
additionalProperties: false
+ policy.kasregistry.ListKeyMappingsRequest:
+ type: object
+ oneOf:
+ - properties:
+ id:
+ type: string
+ title: id
+ format: uuid
+ description: The unique identifier of the key to retrieve
+ title: id
+ required:
+ - id
+ - properties:
+ key:
+ title: key
+ $ref: '#/components/schemas/policy.kasregistry.KasKeyIdentifier'
+ title: key
+ required:
+ - key
+ properties:
+ pagination:
+ title: pagination
+ description: Pagination request for the list of keys
+ $ref: '#/components/schemas/policy.PageRequest'
+ title: ListKeyMappingsRequest
+ additionalProperties: false
+ policy.kasregistry.ListKeyMappingsResponse:
+ type: object
+ properties:
+ keyMappings:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.kasregistry.KeyMapping'
+ title: key_mappings
+ description: The list of key mappings
+ pagination:
+ title: pagination
+ description: Pagination response for the list of keys
+ $ref: '#/components/schemas/policy.PageResponse'
+ title: ListKeyMappingsResponse
+ additionalProperties: false
policy.kasregistry.ListKeysRequest:
type: object
oneOf:
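Review bot: The descriptions in `policy.kasregistry.ListKeyMappingsRequest` read as if copied from a key lookup: `id` says `The unique identifier of the key to retrieve` and `pagination` says `Pagination request for the list of keys`, yet the response is a list of key mappings (the same wording is on the `pagination` field of `ListKeyMappingsResponse`). I would reword them to `The unique identifier of the key whose mappings are listed` and `Pagination request for the list of key mappings`. The schema also does not say what happens when neither `id` nor `key` is sent; the `oneOf` with `required` suggests one is mandatory, so if the service instead returns mappings for every key, that should be stated, because it changes how much policy data one call discloses. This file appears generated, so the edits belong in the source .proto comments.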
@@ -1740,6 +1840,19 @@ components:
$ref: '#/components/schemas/policy.PageResponse'
title: ListPublicKeysResponse
additionalProperties: false
+ policy.kasregistry.MappedPolicyObject:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ description: The unique identifier of the policy object
+ fqn:
+ type: string
+ title: fqn
+ description: The fully qualified name of the policy object
+ title: MappedPolicyObject
+ additionalProperties: false
policy.kasregistry.RotateKeyRequest:
type: object
oneOf:
diff --git a/docs/openapi/policy/keymanagement/key_management.openapi.yaml b/docs/openapi/policy/keymanagement/key_management.openapi.yaml
index e481df3bf2..4d28d36dc0 100644
--- a/docs/openapi/policy/keymanagement/key_management.openapi.yaml
+++ b/docs/openapi/policy/keymanagement/key_management.openapi.yaml
@@ -246,9 +246,6 @@ components:
additionalProperties: false
google.protobuf.Timestamp:
type: string
- examples:
- - 1s
- - 1.000340012s
format: date-time
description: |-
A Timestamp represents a point in time independent of any time zone or local
diff --git a/docs/openapi/policy/namespaces/namespaces.openapi.yaml b/docs/openapi/policy/namespaces/namespaces.openapi.yaml
index e5c3dfa3ad..5a5fe52ffb 100644
--- a/docs/openapi/policy/namespaces/namespaces.openapi.yaml
+++ b/docs/openapi/policy/namespaces/namespaces.openapi.yaml
@@ -438,14 +438,8 @@ components:
Wrapper message for `bool`.
The JSON representation for `BoolValue` is JSON `true` and `false`.
-
- Not recommended for use in new APIs, but still useful for legacy APIs and
- has no plan to be removed.
google.protobuf.Timestamp:
type: string
- examples:
- - 1s
- - 1.000340012s
format: date-time
description: |-
A Timestamp represents a point in time independent of any time zone or local
diff --git a/docs/openapi/policy/objects.openapi.yaml b/docs/openapi/policy/objects.openapi.yaml
index d45d5c5538..e7bc91c631 100644
--- a/docs/openapi/policy/objects.openapi.yaml
+++ b/docs/openapi/policy/objects.openapi.yaml
@@ -122,14 +122,8 @@ components:
Wrapper message for `bool`.
The JSON representation for `BoolValue` is JSON `true` and `false`.
-
- Not recommended for use in new APIs, but still useful for legacy APIs and
- has no plan to be removed.
google.protobuf.Timestamp:
type: string
- examples:
- - 1s
- - 1.000340012s
format: date-time
description: |-
A Timestamp represents a point in time independent of any time zone or local
diff --git a/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml b/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml
index 7bc73e2ca1..2d0a7744a0 100644
--- a/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml
+++ b/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml
@@ -519,14 +519,8 @@ components:
Wrapper message for `bool`.
The JSON representation for `BoolValue` is JSON `true` and `false`.
-
- Not recommended for use in new APIs, but still useful for legacy APIs and
- has no plan to be removed.
google.protobuf.Timestamp:
type: string
- examples:
- - 1s
- - 1.000340012s
format: date-time
description: |-
A Timestamp represents a point in time independent of any time zone or local
diff --git a/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml b/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml
index 7e13ecdde2..b82070e9b3 100644
--- a/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml
+++ b/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml
@@ -519,14 +519,8 @@ components:
Wrapper message for `bool`.
The JSON representation for `BoolValue` is JSON `true` and `false`.
-
- Not recommended for use in new APIs, but still useful for legacy APIs and
- has no plan to be removed.
google.protobuf.Timestamp:
type: string
- examples:
- - 1s
- - 1.000340012s
format: date-time
description: |-
A Timestamp represents a point in time independent of any time zone or local
diff --git a/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml b/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml
index 69d6ed3734..3f945a86d0 100644
--- a/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml
+++ b/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml
@@ -555,14 +555,8 @@ components:
Wrapper message for `bool`.
The JSON representation for `BoolValue` is JSON `true` and `false`.
-
- Not recommended for use in new APIs, but still useful for legacy APIs and
- has no plan to be removed.
google.protobuf.Timestamp:
type: string
- examples:
- - 1s
- - 1.000340012s
format: date-time
description: |-
A Timestamp represents a point in time independent of any time zone or local
diff --git a/docs/openapi/policy/unsafe/unsafe.openapi.yaml b/docs/openapi/policy/unsafe/unsafe.openapi.yaml
index 31f9bca7c6..c4b7835fbc 100644
--- a/docs/openapi/policy/unsafe/unsafe.openapi.yaml
+++ b/docs/openapi/policy/unsafe/unsafe.openapi.yaml
@@ -470,14 +470,8 @@ components:
Wrapper message for `bool`.
The JSON representation for `BoolValue` is JSON `true` and `false`.
-
- Not recommended for use in new APIs, but still useful for legacy APIs and
- has no plan to be removed.
google.protobuf.Timestamp:
type: string
- examples:
- - 1s
- - 1.000340012s
format: date-time
description: |-
A Timestamp represents a point in time independent of any time zone or local
diff --git a/protocol/go/policy/kasregistry/kasregistryconnect/key_access_server_registry.connect.go b/protocol/go/policy/kasregistry/kasregistryconnect/key_access_server_registry.connect.go
index 59ed07e294..562bc022cf 100644
--- a/protocol/go/policy/kasregistry/kasregistryconnect/key_access_server_registry.connect.go
+++ b/protocol/go/policy/kasregistry/kasregistryconnect/key_access_server_registry.connect.go
@@ -73,6 +73,9 @@ const (
// KeyAccessServerRegistryServiceGetBaseKeyProcedure is the fully-qualified name of the
// KeyAccessServerRegistryService's GetBaseKey RPC.
KeyAccessServerRegistryServiceGetBaseKeyProcedure = "/policy.kasregistry.KeyAccessServerRegistryService/GetBaseKey"
+ // KeyAccessServerRegistryServiceListKeyMappingsProcedure is the fully-qualified name of the
+ // KeyAccessServerRegistryService's ListKeyMappings RPC.
+ KeyAccessServerRegistryServiceListKeyMappingsProcedure = "/policy.kasregistry.KeyAccessServerRegistryService/ListKeyMappings"
)
// These variables are the protoreflect.Descriptor objects for the RPCs defined in this package.
@@ -91,6 +94,7 @@ var (
keyAccessServerRegistryServiceRotateKeyMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("RotateKey")
keyAccessServerRegistryServiceSetBaseKeyMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("SetBaseKey")
keyAccessServerRegistryServiceGetBaseKeyMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("GetBaseKey")
+ keyAccessServerRegistryServiceListKeyMappingsMethodDescriptor = keyAccessServerRegistryServiceServiceDescriptor.Methods().ByName("ListKeyMappings")
)
// KeyAccessServerRegistryServiceClient is a client for the
@@ -120,6 +124,8 @@ type KeyAccessServerRegistryServiceClient interface {
SetBaseKey(context.Context, *connect.Request[kasregistry.SetBaseKeyRequest]) (*connect.Response[kasregistry.SetBaseKeyResponse], error)
// Get Default kas keys
GetBaseKey(context.Context, *connect.Request[kasregistry.GetBaseKeyRequest]) (*connect.Response[kasregistry.GetBaseKeyResponse], error)
+ // Request to list key mappings in the Key Access Service.
+ ListKeyMappings(context.Context, *connect.Request[kasregistry.ListKeyMappingsRequest]) (*connect.Response[kasregistry.ListKeyMappingsResponse], error)
}
// NewKeyAccessServerRegistryServiceClient constructs a client for the
@@ -214,6 +220,12 @@ func NewKeyAccessServerRegistryServiceClient(httpClient connect.HTTPClient, base
connect.WithSchema(keyAccessServerRegistryServiceGetBaseKeyMethodDescriptor),
connect.WithClientOptions(opts...),
),
+ listKeyMappings: connect.NewClient[kasregistry.ListKeyMappingsRequest, kasregistry.ListKeyMappingsResponse](
+ httpClient,
+ baseURL+KeyAccessServerRegistryServiceListKeyMappingsProcedure,
+ connect.WithSchema(keyAccessServerRegistryServiceListKeyMappingsMethodDescriptor),
+ connect.WithClientOptions(opts...),
+ ),
}
}
@@ -232,6 +244,7 @@ type keyAccessServerRegistryServiceClient struct {
rotateKey *connect.Client[kasregistry.RotateKeyRequest, kasregistry.RotateKeyResponse]
setBaseKey *connect.Client[kasregistry.SetBaseKeyRequest, kasregistry.SetBaseKeyResponse]
getBaseKey *connect.Client[kasregistry.GetBaseKeyRequest, kasregistry.GetBaseKeyResponse]
+ listKeyMappings *connect.Client[kasregistry.ListKeyMappingsRequest, kasregistry.ListKeyMappingsResponse]
}
// ListKeyAccessServers calls
@@ -306,6 +319,11 @@ func (c *keyAccessServerRegistryServiceClient) GetBaseKey(ctx context.Context, r
return c.getBaseKey.CallUnary(ctx, req)
}
+// ListKeyMappings calls policy.kasregistry.KeyAccessServerRegistryService.ListKeyMappings.
+func (c *keyAccessServerRegistryServiceClient) ListKeyMappings(ctx context.Context, req *connect.Request[kasregistry.ListKeyMappingsRequest]) (*connect.Response[kasregistry.ListKeyMappingsResponse], error) {
+ return c.listKeyMappings.CallUnary(ctx, req)
+}
+
// KeyAccessServerRegistryServiceHandler is an implementation of the
// policy.kasregistry.KeyAccessServerRegistryService service.
type KeyAccessServerRegistryServiceHandler interface {
@@ -333,6 +351,8 @@ type KeyAccessServerRegistryServiceHandler interface {
SetBaseKey(context.Context, *connect.Request[kasregistry.SetBaseKeyRequest]) (*connect.Response[kasregistry.SetBaseKeyResponse], error)
// Get Default kas keys
GetBaseKey(context.Context, *connect.Request[kasregistry.GetBaseKeyRequest]) (*connect.Response[kasregistry.GetBaseKeyResponse], error)
+ // Request to list key mappings in the Key Access Service.
+ ListKeyMappings(context.Context, *connect.Request[kasregistry.ListKeyMappingsRequest]) (*connect.Response[kasregistry.ListKeyMappingsResponse], error)
}
// NewKeyAccessServerRegistryServiceHandler builds an HTTP handler from the service implementation.
@@ -422,6 +442,12 @@ func NewKeyAccessServerRegistryServiceHandler(svc KeyAccessServerRegistryService
connect.WithSchema(keyAccessServerRegistryServiceGetBaseKeyMethodDescriptor),
connect.WithHandlerOptions(opts...),
)
+ keyAccessServerRegistryServiceListKeyMappingsHandler := connect.NewUnaryHandler(
+ KeyAccessServerRegistryServiceListKeyMappingsProcedure,
+ svc.ListKeyMappings,
+ connect.WithSchema(keyAccessServerRegistryServiceListKeyMappingsMethodDescriptor),
+ connect.WithHandlerOptions(opts...),
+ )
return "/policy.kasregistry.KeyAccessServerRegistryService/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.URL.Path {
case KeyAccessServerRegistryServiceListKeyAccessServersProcedure:
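Review bot: The new `ListKeyMappings` handler is built with only the shared `connect.WithHandlerOptions(opts...)`, so whether a caller may invoke it depends entirely on interceptors and policy that live outside this hunk. The response ties each `kid` and `kas_uri` to the namespaces, attribute definitions and values mapped to it, so it is worth confirming that `/policy.kasregistry.KeyAccessServerRegistryService/ListKeyMappings` is covered by the same authorization rules as the other registry RPCs, and adding a test that an unauthorized caller is rejected. This file appears to be generated, so no code change is proposed here; I would record the expected access level in the RPC's comment in the source .proto, e.g. `// Lists the policy objects mapped to each key; requires read access to policy.`, worded to match the actual rule. NewKeyAccessServerRegistryServiceHandler begins and ends outside the hunk.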
@@ -450,6 +476,8 @@ func NewKeyAccessServerRegistryServiceHandler(svc KeyAccessServerRegistryService
keyAccessServerRegistryServiceSetBaseKeyHandler.ServeHTTP(w, r)
case KeyAccessServerRegistryServiceGetBaseKeyProcedure:
keyAccessServerRegistryServiceGetBaseKeyHandler.ServeHTTP(w, r)
+ case KeyAccessServerRegistryServiceListKeyMappingsProcedure:
+ keyAccessServerRegistryServiceListKeyMappingsHandler.ServeHTTP(w, r)
default:
http.NotFound(w, r)
}
@@ -510,3 +538,7 @@ func (UnimplementedKeyAccessServerRegistryServiceHandler) SetBaseKey(context.Con
func (UnimplementedKeyAccessServerRegistryServiceHandler) GetBaseKey(context.Context, *connect.Request[kasregistry.GetBaseKeyRequest]) (*connect.Response[kasregistry.GetBaseKeyResponse], error) {
return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey is not implemented"))
}
+
+func (UnimplementedKeyAccessServerRegistryServiceHandler) ListKeyMappings(context.Context, *connect.Request[kasregistry.ListKeyMappingsRequest]) (*connect.Response[kasregistry.ListKeyMappingsResponse], error) {
+ return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.kasregistry.KeyAccessServerRegistryService.ListKeyMappings is not implemented"))
+}
diff --git a/protocol/go/policy/kasregistry/key_access_server_registry.pb.go b/protocol/go/policy/kasregistry/key_access_server_registry.pb.go
index c42f114142..aa0e67dc96 100644
--- a/protocol/go/policy/kasregistry/key_access_server_registry.pb.go
+++ b/protocol/go/policy/kasregistry/key_access_server_registry.pb.go
@@ -2990,6 +2990,284 @@ func (x *SetBaseKeyResponse) GetPreviousBaseKey() *policy.SimpleKasKey {
return nil
}
+type MappedPolicyObject struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // The unique identifier of the policy object
+ Fqn string `protobuf:"bytes,2,opt,name=fqn,proto3" json:"fqn,omitempty"` // The fully qualified name of the policy object
+}
+
+func (x *MappedPolicyObject) Reset() {
+ *x = MappedPolicyObject{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *MappedPolicyObject) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*MappedPolicyObject) ProtoMessage() {}
+
+func (x *MappedPolicyObject) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use MappedPolicyObject.ProtoReflect.Descriptor instead.
+func (*MappedPolicyObject) Descriptor() ([]byte, []int) {
+ return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{45}
+}
+
+func (x *MappedPolicyObject) GetId() string {
+ if x != nil {
+ return x.Id
+ }
+ return ""
+}
+
+func (x *MappedPolicyObject) GetFqn() string {
+ if x != nil {
+ return x.Fqn
+ }
+ return ""
+}
+
+type KeyMapping struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ Kid string `protobuf:"bytes,1,opt,name=kid,proto3" json:"kid,omitempty"`
+ KasUri string `protobuf:"bytes,2,opt,name=kas_uri,json=kasUri,proto3" json:"kas_uri,omitempty"`
+ NamespaceMappings []*MappedPolicyObject `protobuf:"bytes,3,rep,name=namespace_mappings,json=namespaceMappings,proto3" json:"namespace_mappings,omitempty"` // List of namespaces mapped to the key
+ AttributeMappings []*MappedPolicyObject `protobuf:"bytes,4,rep,name=attribute_mappings,json=attributeMappings,proto3" json:"attribute_mappings,omitempty"` // List of attribute definitions mapped to the key
+ ValueMappings []*MappedPolicyObject `protobuf:"bytes,5,rep,name=value_mappings,json=valueMappings,proto3" json:"value_mappings,omitempty"` // List of attribute values mapped to the key
+}
+
+func (x *KeyMapping) Reset() {
+ *x = KeyMapping{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *KeyMapping) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*KeyMapping) ProtoMessage() {}
+
+func (x *KeyMapping) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use KeyMapping.ProtoReflect.Descriptor instead.
+func (*KeyMapping) Descriptor() ([]byte, []int) {
+ return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{46}
+}
+
+func (x *KeyMapping) GetKid() string {
+ if x != nil {
+ return x.Kid
+ }
+ return ""
+}
+
+func (x *KeyMapping) GetKasUri() string {
+ if x != nil {
+ return x.KasUri
+ }
+ return ""
+}
+
+func (x *KeyMapping) GetNamespaceMappings() []*MappedPolicyObject {
+ if x != nil {
+ return x.NamespaceMappings
+ }
+ return nil
+}
+
+func (x *KeyMapping) GetAttributeMappings() []*MappedPolicyObject {
+ if x != nil {
+ return x.AttributeMappings
+ }
+ return nil
+}
+
+func (x *KeyMapping) GetValueMappings() []*MappedPolicyObject {
+ if x != nil {
+ return x.ValueMappings
+ }
+ return nil
+}
+
+type ListKeyMappingsRequest struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Types that are assignable to Identifier:
+ //
+ // *ListKeyMappingsRequest_Id
+ // *ListKeyMappingsRequest_Key
+ Identifier isListKeyMappingsRequest_Identifier `protobuf_oneof:"identifier"`
+ Pagination *policy.PageRequest `protobuf:"bytes,10,opt,name=pagination,proto3" json:"pagination,omitempty"` // Pagination request for the list of keys
+}
+
+func (x *ListKeyMappingsRequest) Reset() {
+ *x = ListKeyMappingsRequest{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[47]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *ListKeyMappingsRequest) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ListKeyMappingsRequest) ProtoMessage() {}
+
+func (x *ListKeyMappingsRequest) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[47]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use ListKeyMappingsRequest.ProtoReflect.Descriptor instead.
+func (*ListKeyMappingsRequest) Descriptor() ([]byte, []int) {
+ return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{47}
+}
+
+func (m *ListKeyMappingsRequest) GetIdentifier() isListKeyMappingsRequest_Identifier {
+ if m != nil {
+ return m.Identifier
+ }
+ return nil
+}
+
+func (x *ListKeyMappingsRequest) GetId() string {
+ if x, ok := x.GetIdentifier().(*ListKeyMappingsRequest_Id); ok {
+ return x.Id
+ }
+ return ""
+}
+
+func (x *ListKeyMappingsRequest) GetKey() *KasKeyIdentifier {
+ if x, ok := x.GetIdentifier().(*ListKeyMappingsRequest_Key); ok {
+ return x.Key
+ }
+ return nil
+}
+
+func (x *ListKeyMappingsRequest) GetPagination() *policy.PageRequest {
+ if x != nil {
+ return x.Pagination
+ }
+ return nil
+}
+
+type isListKeyMappingsRequest_Identifier interface {
+ isListKeyMappingsRequest_Identifier()
+}
+
+type ListKeyMappingsRequest_Id struct {
+ Id string `protobuf:"bytes,2,opt,name=id,proto3,oneof"` // The unique identifier of the key to retrieve
+}
+
+type ListKeyMappingsRequest_Key struct {
+ Key *KasKeyIdentifier `protobuf:"bytes,3,opt,name=key,proto3,oneof"`
+}
+
+func (*ListKeyMappingsRequest_Id) isListKeyMappingsRequest_Identifier() {}
+
+func (*ListKeyMappingsRequest_Key) isListKeyMappingsRequest_Identifier() {}
+
+type ListKeyMappingsResponse struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ KeyMappings []*KeyMapping `protobuf:"bytes,1,rep,name=key_mappings,json=keyMappings,proto3" json:"key_mappings,omitempty"` // The list of key mappings
+ Pagination *policy.PageResponse `protobuf:"bytes,10,opt,name=pagination,proto3" json:"pagination,omitempty"` // Pagination response for the list of keys
+}
+
+func (x *ListKeyMappingsResponse) Reset() {
+ *x = ListKeyMappingsResponse{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[48]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *ListKeyMappingsResponse) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ListKeyMappingsResponse) ProtoMessage() {}
+
+func (x *ListKeyMappingsResponse) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[48]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use ListKeyMappingsResponse.ProtoReflect.Descriptor instead.
+func (*ListKeyMappingsResponse) Descriptor() ([]byte, []int) {
+ return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{48}
+}
+
+func (x *ListKeyMappingsResponse) GetKeyMappings() []*KeyMapping {
+ if x != nil {
+ return x.KeyMappings
+ }
+ return nil
+}
+
+func (x *ListKeyMappingsResponse) GetPagination() *policy.PageResponse {
+ if x != nil {
+ return x.Pagination
+ }
+ return nil
+}
+
type ListPublicKeyMappingResponse_PublicKeyMapping struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
@@ -3004,7 +3282,7 @@ type ListPublicKeyMappingResponse_PublicKeyMapping struct {
func (x *ListPublicKeyMappingResponse_PublicKeyMapping) Reset() {
*x = ListPublicKeyMappingResponse_PublicKeyMapping{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45]
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[49]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -3017,7 +3295,7 @@ func (x *ListPublicKeyMappingResponse_PublicKeyMapping) String() string {
func (*ListPublicKeyMappingResponse_PublicKeyMapping) ProtoMessage() {}
func (x *ListPublicKeyMappingResponse_PublicKeyMapping) ProtoReflect() protoreflect.Message {
- mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45]
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[49]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -3075,7 +3353,7 @@ type ListPublicKeyMappingResponse_PublicKey struct {
func (x *ListPublicKeyMappingResponse_PublicKey) Reset() {
*x = ListPublicKeyMappingResponse_PublicKey{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46]
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[50]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -3088,7 +3366,7 @@ func (x *ListPublicKeyMappingResponse_PublicKey) String() string {
func (*ListPublicKeyMappingResponse_PublicKey) ProtoMessage() {}
func (x *ListPublicKeyMappingResponse_PublicKey) ProtoReflect() protoreflect.Message {
- mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46]
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[50]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -3144,7 +3422,7 @@ type ListPublicKeyMappingResponse_Association struct {
func (x *ListPublicKeyMappingResponse_Association) Reset() {
*x = ListPublicKeyMappingResponse_Association{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[47]
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[51]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -3157,7 +3435,7 @@ func (x *ListPublicKeyMappingResponse_Association) String() string {
func (*ListPublicKeyMappingResponse_Association) ProtoMessage() {}
func (x *ListPublicKeyMappingResponse_Association) ProtoReflect() protoreflect.Message {
- mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[47]
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[51]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -3212,7 +3490,7 @@ type RotateKeyRequest_NewKey struct {
func (x *RotateKeyRequest_NewKey) Reset() {
*x = RotateKeyRequest_NewKey{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[48]
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[52]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -3225,7 +3503,7 @@ func (x *RotateKeyRequest_NewKey) String() string {
func (*RotateKeyRequest_NewKey) ProtoMessage() {}
func (x *RotateKeyRequest_NewKey) ProtoReflect() protoreflect.Message {
- mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[48]
+ mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[52]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -4076,114 +4354,165 @@ var file_policy_kasregistry_key_access_server_registry_proto_rawDesc = []byte{
0x76, 0x69, 0x6f, 0x75, 0x73, 0x5f, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02,
0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x69,
0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x0f, 0x70, 0x72, 0x65, 0x76,
- 0x69, 0x6f, 0x75, 0x73, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x32, 0xc7, 0x0b, 0x0a, 0x1e,
- 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52,
- 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x99,
- 0x01, 0x0a, 0x14, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73,
- 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x2f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79,
+ 0x69, 0x6f, 0x75, 0x73, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x22, 0x36, 0x0a, 0x12, 0x4d,
+ 0x61, 0x70, 0x70, 0x65, 0x64, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4f, 0x62, 0x6a, 0x65, 0x63,
+ 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69,
+ 0x64, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
+ 0x66, 0x71, 0x6e, 0x22, 0xb4, 0x02, 0x0a, 0x0a, 0x4b, 0x65, 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69,
+ 0x6e, 0x67, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+ 0x03, 0x6b, 0x69, 0x64, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x61, 0x73, 0x5f, 0x75, 0x72, 0x69, 0x18,
+ 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x61, 0x73, 0x55, 0x72, 0x69, 0x12, 0x55, 0x0a,
+ 0x12, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69,
+ 0x6e, 0x67, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x70, 0x6f, 0x6c, 0x69,
+ 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4d,
+ 0x61, 0x70, 0x70, 0x65, 0x64, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4f, 0x62, 0x6a, 0x65, 0x63,
+ 0x74, 0x52, 0x11, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x4d, 0x61, 0x70, 0x70,
+ 0x69, 0x6e, 0x67, 0x73, 0x12, 0x55, 0x0a, 0x12, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74,
+ 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b,
+ 0x32, 0x26, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67,
+ 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x50, 0x6f, 0x6c, 0x69,
+ 0x63, 0x79, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x52, 0x11, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62,
+ 0x75, 0x74, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x4d, 0x0a, 0x0e, 0x76,
+ 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x05, 0x20,
+ 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73,
+ 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x50,
+ 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x52, 0x0d, 0x76, 0x61, 0x6c,
+ 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x22, 0xb8, 0x01, 0x0a, 0x16, 0x4c,
+ 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65,
+ 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28,
+ 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x48, 0x00, 0x52, 0x02, 0x69,
+ 0x64, 0x12, 0x38, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x24,
+ 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73,
+ 0x74, 0x72, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69,
+ 0x66, 0x69, 0x65, 0x72, 0x48, 0x00, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x33, 0x0a, 0x0a, 0x70,
+ 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32,
+ 0x13, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71,
+ 0x75, 0x65, 0x73, 0x74, 0x52, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+ 0x42, 0x13, 0x0a, 0x0a, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x05,
+ 0xba, 0x48, 0x02, 0x08, 0x00, 0x22, 0x92, 0x01, 0x0a, 0x17, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65,
+ 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+ 0x65, 0x12, 0x41, 0x0a, 0x0c, 0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67,
+ 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79,
+ 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4b, 0x65, 0x79,
+ 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0b, 0x6b, 0x65, 0x79, 0x4d, 0x61, 0x70, 0x70,
+ 0x69, 0x6e, 0x67, 0x73, 0x12, 0x34, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69,
+ 0x6f, 0x6e, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63,
+ 0x79, 0x2e, 0x50, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x52, 0x0a,
+ 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x32, 0xb5, 0x0c, 0x0a, 0x1e, 0x4b,
+ 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65,
+ 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x99, 0x01,
+ 0x0a, 0x14, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53,
+ 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x2f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e,
+ 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74,
+ 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73,
+ 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79,
0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73,
0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
- 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63,
- 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69,
- 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65,
- 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93,
- 0x02, 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d,
- 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x90, 0x02, 0x01, 0x12, 0x78, 0x0a, 0x12, 0x47, 0x65,
- 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
- 0x12, 0x2d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67,
- 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65,
- 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
- 0x2e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69,
+ 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02,
+ 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73,
+ 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x90, 0x02, 0x01, 0x12, 0x78, 0x0a, 0x12, 0x47, 0x65, 0x74,
+ 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12,
+ 0x2d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69,
0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73,
- 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
- 0x03, 0x90, 0x02, 0x01, 0x12, 0x7e, 0x0a, 0x15, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65,
- 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e,
- 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74,
- 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65,
- 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
- 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69,
- 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63,
- 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
- 0x73, 0x65, 0x22, 0x00, 0x12, 0x7e, 0x0a, 0x15, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65,
- 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e,
- 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74,
- 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65,
- 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
- 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69,
- 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63,
- 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
- 0x73, 0x65, 0x22, 0x00, 0x12, 0x7e, 0x0a, 0x15, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65,
- 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e,
- 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74,
- 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65,
- 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
- 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69,
- 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63,
- 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
- 0x73, 0x65, 0x22, 0x00, 0x12, 0x90, 0x01, 0x0a, 0x19, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79,
- 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e,
- 0x74, 0x73, 0x12, 0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72,
- 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41,
- 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74,
- 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63,
- 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69,
- 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65,
- 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
- 0x06, 0x88, 0x02, 0x01, 0x90, 0x02, 0x01, 0x12, 0x5a, 0x0a, 0x09, 0x43, 0x72, 0x65, 0x61, 0x74,
- 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61,
- 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65,
- 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c,
- 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e,
- 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
- 0x65, 0x22, 0x00, 0x12, 0x51, 0x0a, 0x06, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e,
- 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74,
- 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
- 0x1a, 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67,
- 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70,
- 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x57, 0x0a, 0x08, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65,
- 0x79, 0x73, 0x12, 0x23, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72,
- 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x73,
- 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79,
- 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73,
- 0x74, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12,
- 0x5a, 0x0a, 0x09, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70,
+ 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2e,
+ 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73,
+ 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73,
+ 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03,
+ 0x90, 0x02, 0x01, 0x12, 0x7e, 0x0a, 0x15, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79,
+ 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70,
+ 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72,
+ 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73,
+ 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31,
+ 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73,
+ 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63,
+ 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+ 0x65, 0x22, 0x00, 0x12, 0x7e, 0x0a, 0x15, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79,
+ 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70,
0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72,
- 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65,
- 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72,
- 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65,
- 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x09, 0x52,
- 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63,
- 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x52, 0x6f,
- 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25,
+ 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73,
+ 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31,
0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73,
- 0x74, 0x72, 0x79, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73,
- 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5d, 0x0a, 0x0a, 0x53, 0x65, 0x74, 0x42, 0x61,
- 0x73, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b,
- 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x65, 0x74, 0x42, 0x61,
- 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x70,
+ 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63,
+ 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+ 0x65, 0x22, 0x00, 0x12, 0x7e, 0x0a, 0x15, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79,
+ 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70,
+ 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72,
+ 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73,
+ 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31,
+ 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73,
+ 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63,
+ 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+ 0x65, 0x22, 0x00, 0x12, 0x90, 0x01, 0x0a, 0x19, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41,
+ 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74,
+ 0x73, 0x12, 0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65,
+ 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63,
+ 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73,
+ 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79,
+ 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73,
+ 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
+ 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x06,
+ 0x88, 0x02, 0x01, 0x90, 0x02, 0x01, 0x12, 0x5a, 0x0a, 0x09, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65,
+ 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73,
+ 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b,
+ 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69,
+ 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43,
+ 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+ 0x22, 0x00, 0x12, 0x51, 0x0a, 0x06, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x70,
0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72,
- 0x79, 0x2e, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70,
- 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5d, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73,
+ 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
+ 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69,
+ 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f,
+ 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x57, 0x0a, 0x08, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79,
+ 0x73, 0x12, 0x23, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65,
+ 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x52,
+ 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e,
+ 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74,
+ 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5a,
+ 0x0a, 0x09, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f,
+ 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79,
+ 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+ 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65,
+ 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79,
+ 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x09, 0x52, 0x6f,
+ 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79,
+ 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x52, 0x6f, 0x74,
+ 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e,
+ 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74,
+ 0x72, 0x79, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70,
+ 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5d, 0x0a, 0x0a, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73,
0x65, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61,
- 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73,
+ 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73,
0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x70, 0x6f,
0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79,
- 0x2e, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f,
- 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0xdb, 0x01, 0x0a, 0x16, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f,
- 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79,
- 0x42, 0x1c, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65,
- 0x72, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01,
- 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65,
- 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72,
- 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79,
- 0x2f, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xa2, 0x02, 0x03, 0x50,
- 0x4b, 0x58, 0xaa, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x72,
- 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xca, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79,
- 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xe2, 0x02, 0x1e, 0x50,
- 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72,
- 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x13,
- 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73,
- 0x74, 0x72, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ 0x2e, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f,
+ 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5d, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65,
+ 0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73,
+ 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65,
+ 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x70, 0x6f, 0x6c,
+ 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e,
+ 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+ 0x73, 0x65, 0x22, 0x00, 0x12, 0x6c, 0x0a, 0x0f, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x4d,
+ 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x2a, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79,
+ 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73,
+ 0x74, 0x4b, 0x65, 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75,
+ 0x65, 0x73, 0x74, 0x1a, 0x2b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73,
+ 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79,
+ 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+ 0x22, 0x00, 0x42, 0xdb, 0x01, 0x0a, 0x16, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63,
+ 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x42, 0x1c, 0x4b,
+ 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65,
+ 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3a, 0x67,
+ 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64,
+ 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+ 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x6b, 0x61,
+ 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xa2, 0x02, 0x03, 0x50, 0x4b, 0x58, 0xaa,
+ 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69,
+ 0x73, 0x74, 0x72, 0x79, 0xca, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x4b, 0x61,
+ 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xe2, 0x02, 0x1e, 0x50, 0x6f, 0x6c, 0x69,
+ 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x5c, 0x47,
+ 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x13, 0x50, 0x6f, 0x6c,
+ 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79,
+ 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
@@ -4198,7 +4527,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP() []by
return file_policy_kasregistry_key_access_server_registry_proto_rawDescData
}
-var file_policy_kasregistry_key_access_server_registry_proto_msgTypes = make([]protoimpl.MessageInfo, 49)
+var file_policy_kasregistry_key_access_server_registry_proto_msgTypes = make([]protoimpl.MessageInfo, 53)
var file_policy_kasregistry_key_access_server_registry_proto_goTypes = []interface{}{
(*GetKeyAccessServerRequest)(nil), // 0: policy.kasregistry.GetKeyAccessServerRequest
(*GetKeyAccessServerResponse)(nil), // 1: policy.kasregistry.GetKeyAccessServerResponse
@@ -4245,131 +4574,144 @@ var file_policy_kasregistry_key_access_server_registry_proto_goTypes = []interfa
(*GetBaseKeyRequest)(nil), // 42: policy.kasregistry.GetBaseKeyRequest
(*GetBaseKeyResponse)(nil), // 43: policy.kasregistry.GetBaseKeyResponse
(*SetBaseKeyResponse)(nil), // 44: policy.kasregistry.SetBaseKeyResponse
- (*ListPublicKeyMappingResponse_PublicKeyMapping)(nil), // 45: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping
- (*ListPublicKeyMappingResponse_PublicKey)(nil), // 46: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey
- (*ListPublicKeyMappingResponse_Association)(nil), // 47: policy.kasregistry.ListPublicKeyMappingResponse.Association
- (*RotateKeyRequest_NewKey)(nil), // 48: policy.kasregistry.RotateKeyRequest.NewKey
- (*policy.KeyAccessServer)(nil), // 49: policy.KeyAccessServer
- (*policy.PageRequest)(nil), // 50: policy.PageRequest
- (*policy.PageResponse)(nil), // 51: policy.PageResponse
- (*policy.PublicKey)(nil), // 52: policy.PublicKey
- (policy.SourceType)(0), // 53: policy.SourceType
- (*common.MetadataMutable)(nil), // 54: common.MetadataMutable
- (common.MetadataUpdateEnum)(0), // 55: common.MetadataUpdateEnum
- (*policy.KasPublicKey)(nil), // 56: policy.KasPublicKey
- (*policy.Key)(nil), // 57: policy.Key
- (policy.Algorithm)(0), // 58: policy.Algorithm
- (policy.KeyMode)(0), // 59: policy.KeyMode
- (*policy.PublicKeyCtx)(nil), // 60: policy.PublicKeyCtx
- (*policy.PrivateKeyCtx)(nil), // 61: policy.PrivateKeyCtx
- (*policy.KasKey)(nil), // 62: policy.KasKey
- (*policy.SimpleKasKey)(nil), // 63: policy.SimpleKasKey
+ (*MappedPolicyObject)(nil), // 45: policy.kasregistry.MappedPolicyObject
+ (*KeyMapping)(nil), // 46: policy.kasregistry.KeyMapping
+ (*ListKeyMappingsRequest)(nil), // 47: policy.kasregistry.ListKeyMappingsRequest
+ (*ListKeyMappingsResponse)(nil), // 48: policy.kasregistry.ListKeyMappingsResponse
+ (*ListPublicKeyMappingResponse_PublicKeyMapping)(nil), // 49: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping
+ (*ListPublicKeyMappingResponse_PublicKey)(nil), // 50: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey
+ (*ListPublicKeyMappingResponse_Association)(nil), // 51: policy.kasregistry.ListPublicKeyMappingResponse.Association
+ (*RotateKeyRequest_NewKey)(nil), // 52: policy.kasregistry.RotateKeyRequest.NewKey
+ (*policy.KeyAccessServer)(nil), // 53: policy.KeyAccessServer
+ (*policy.PageRequest)(nil), // 54: policy.PageRequest
+ (*policy.PageResponse)(nil), // 55: policy.PageResponse
+ (*policy.PublicKey)(nil), // 56: policy.PublicKey
+ (policy.SourceType)(0), // 57: policy.SourceType
+ (*common.MetadataMutable)(nil), // 58: common.MetadataMutable
+ (common.MetadataUpdateEnum)(0), // 59: common.MetadataUpdateEnum
+ (*policy.KasPublicKey)(nil), // 60: policy.KasPublicKey
+ (*policy.Key)(nil), // 61: policy.Key
+ (policy.Algorithm)(0), // 62: policy.Algorithm
+ (policy.KeyMode)(0), // 63: policy.KeyMode
+ (*policy.PublicKeyCtx)(nil), // 64: policy.PublicKeyCtx
+ (*policy.PrivateKeyCtx)(nil), // 65: policy.PrivateKeyCtx
+ (*policy.KasKey)(nil), // 66: policy.KasKey
+ (*policy.SimpleKasKey)(nil), // 67: policy.SimpleKasKey
}
var file_policy_kasregistry_key_access_server_registry_proto_depIdxs = []int32{
- 49, // 0: policy.kasregistry.GetKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer
- 50, // 1: policy.kasregistry.ListKeyAccessServersRequest.pagination:type_name -> policy.PageRequest
- 49, // 2: policy.kasregistry.ListKeyAccessServersResponse.key_access_servers:type_name -> policy.KeyAccessServer
- 51, // 3: policy.kasregistry.ListKeyAccessServersResponse.pagination:type_name -> policy.PageResponse
- 52, // 4: policy.kasregistry.CreateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey
- 53, // 5: policy.kasregistry.CreateKeyAccessServerRequest.source_type:type_name -> policy.SourceType
- 54, // 6: policy.kasregistry.CreateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable
- 49, // 7: policy.kasregistry.CreateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer
- 52, // 8: policy.kasregistry.UpdateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey
- 53, // 9: policy.kasregistry.UpdateKeyAccessServerRequest.source_type:type_name -> policy.SourceType
- 54, // 10: policy.kasregistry.UpdateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable
- 55, // 11: policy.kasregistry.UpdateKeyAccessServerRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum
- 49, // 12: policy.kasregistry.UpdateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer
- 49, // 13: policy.kasregistry.DeleteKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer
- 49, // 14: policy.kasregistry.KeyAccessServerGrants.key_access_server:type_name -> policy.KeyAccessServer
+ 53, // 0: policy.kasregistry.GetKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer
+ 54, // 1: policy.kasregistry.ListKeyAccessServersRequest.pagination:type_name -> policy.PageRequest
+ 53, // 2: policy.kasregistry.ListKeyAccessServersResponse.key_access_servers:type_name -> policy.KeyAccessServer
+ 55, // 3: policy.kasregistry.ListKeyAccessServersResponse.pagination:type_name -> policy.PageResponse
+ 56, // 4: policy.kasregistry.CreateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey
+ 57, // 5: policy.kasregistry.CreateKeyAccessServerRequest.source_type:type_name -> policy.SourceType
+ 58, // 6: policy.kasregistry.CreateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable
+ 53, // 7: policy.kasregistry.CreateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer
+ 56, // 8: policy.kasregistry.UpdateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey
+ 57, // 9: policy.kasregistry.UpdateKeyAccessServerRequest.source_type:type_name -> policy.SourceType
+ 58, // 10: policy.kasregistry.UpdateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable
+ 59, // 11: policy.kasregistry.UpdateKeyAccessServerRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum
+ 53, // 12: policy.kasregistry.UpdateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer
+ 53, // 13: policy.kasregistry.DeleteKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer
+ 53, // 14: policy.kasregistry.KeyAccessServerGrants.key_access_server:type_name -> policy.KeyAccessServer
10, // 15: policy.kasregistry.KeyAccessServerGrants.namespace_grants:type_name -> policy.kasregistry.GrantedPolicyObject
10, // 16: policy.kasregistry.KeyAccessServerGrants.attribute_grants:type_name -> policy.kasregistry.GrantedPolicyObject
10, // 17: policy.kasregistry.KeyAccessServerGrants.value_grants:type_name -> policy.kasregistry.GrantedPolicyObject
- 56, // 18: policy.kasregistry.CreatePublicKeyRequest.key:type_name -> policy.KasPublicKey
- 54, // 19: policy.kasregistry.CreatePublicKeyRequest.metadata:type_name -> common.MetadataMutable
- 57, // 20: policy.kasregistry.CreatePublicKeyResponse.key:type_name -> policy.Key
- 57, // 21: policy.kasregistry.GetPublicKeyResponse.key:type_name -> policy.Key
- 50, // 22: policy.kasregistry.ListPublicKeysRequest.pagination:type_name -> policy.PageRequest
- 57, // 23: policy.kasregistry.ListPublicKeysResponse.keys:type_name -> policy.Key
- 51, // 24: policy.kasregistry.ListPublicKeysResponse.pagination:type_name -> policy.PageResponse
- 50, // 25: policy.kasregistry.ListPublicKeyMappingRequest.pagination:type_name -> policy.PageRequest
- 45, // 26: policy.kasregistry.ListPublicKeyMappingResponse.public_key_mappings:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping
- 51, // 27: policy.kasregistry.ListPublicKeyMappingResponse.pagination:type_name -> policy.PageResponse
- 54, // 28: policy.kasregistry.UpdatePublicKeyRequest.metadata:type_name -> common.MetadataMutable
- 55, // 29: policy.kasregistry.UpdatePublicKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum
- 57, // 30: policy.kasregistry.UpdatePublicKeyResponse.key:type_name -> policy.Key
- 57, // 31: policy.kasregistry.DeactivatePublicKeyResponse.key:type_name -> policy.Key
- 57, // 32: policy.kasregistry.ActivatePublicKeyResponse.key:type_name -> policy.Key
- 50, // 33: policy.kasregistry.ListKeyAccessServerGrantsRequest.pagination:type_name -> policy.PageRequest
+ 60, // 18: policy.kasregistry.CreatePublicKeyRequest.key:type_name -> policy.KasPublicKey
+ 58, // 19: policy.kasregistry.CreatePublicKeyRequest.metadata:type_name -> common.MetadataMutable
+ 61, // 20: policy.kasregistry.CreatePublicKeyResponse.key:type_name -> policy.Key
+ 61, // 21: policy.kasregistry.GetPublicKeyResponse.key:type_name -> policy.Key
+ 54, // 22: policy.kasregistry.ListPublicKeysRequest.pagination:type_name -> policy.PageRequest
+ 61, // 23: policy.kasregistry.ListPublicKeysResponse.keys:type_name -> policy.Key
+ 55, // 24: policy.kasregistry.ListPublicKeysResponse.pagination:type_name -> policy.PageResponse
+ 54, // 25: policy.kasregistry.ListPublicKeyMappingRequest.pagination:type_name -> policy.PageRequest
+ 49, // 26: policy.kasregistry.ListPublicKeyMappingResponse.public_key_mappings:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping
+ 55, // 27: policy.kasregistry.ListPublicKeyMappingResponse.pagination:type_name -> policy.PageResponse
+ 58, // 28: policy.kasregistry.UpdatePublicKeyRequest.metadata:type_name -> common.MetadataMutable
+ 59, // 29: policy.kasregistry.UpdatePublicKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum
+ 61, // 30: policy.kasregistry.UpdatePublicKeyResponse.key:type_name -> policy.Key
+ 61, // 31: policy.kasregistry.DeactivatePublicKeyResponse.key:type_name -> policy.Key
+ 61, // 32: policy.kasregistry.ActivatePublicKeyResponse.key:type_name -> policy.Key
+ 54, // 33: policy.kasregistry.ListKeyAccessServerGrantsRequest.pagination:type_name -> policy.PageRequest
11, // 34: policy.kasregistry.ListKeyAccessServerGrantsResponse.grants:type_name -> policy.kasregistry.KeyAccessServerGrants
- 51, // 35: policy.kasregistry.ListKeyAccessServerGrantsResponse.pagination:type_name -> policy.PageResponse
- 58, // 36: policy.kasregistry.CreateKeyRequest.key_algorithm:type_name -> policy.Algorithm
- 59, // 37: policy.kasregistry.CreateKeyRequest.key_mode:type_name -> policy.KeyMode
- 60, // 38: policy.kasregistry.CreateKeyRequest.public_key_ctx:type_name -> policy.PublicKeyCtx
- 61, // 39: policy.kasregistry.CreateKeyRequest.private_key_ctx:type_name -> policy.PrivateKeyCtx
- 54, // 40: policy.kasregistry.CreateKeyRequest.metadata:type_name -> common.MetadataMutable
- 62, // 41: policy.kasregistry.CreateKeyResponse.kas_key:type_name -> policy.KasKey
+ 55, // 35: policy.kasregistry.ListKeyAccessServerGrantsResponse.pagination:type_name -> policy.PageResponse
+ 62, // 36: policy.kasregistry.CreateKeyRequest.key_algorithm:type_name -> policy.Algorithm
+ 63, // 37: policy.kasregistry.CreateKeyRequest.key_mode:type_name -> policy.KeyMode
+ 64, // 38: policy.kasregistry.CreateKeyRequest.public_key_ctx:type_name -> policy.PublicKeyCtx
+ 65, // 39: policy.kasregistry.CreateKeyRequest.private_key_ctx:type_name -> policy.PrivateKeyCtx
+ 58, // 40: policy.kasregistry.CreateKeyRequest.metadata:type_name -> common.MetadataMutable
+ 66, // 41: policy.kasregistry.CreateKeyResponse.kas_key:type_name -> policy.KasKey
36, // 42: policy.kasregistry.GetKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier
- 62, // 43: policy.kasregistry.GetKeyResponse.kas_key:type_name -> policy.KasKey
- 58, // 44: policy.kasregistry.ListKeysRequest.key_algorithm:type_name -> policy.Algorithm
- 50, // 45: policy.kasregistry.ListKeysRequest.pagination:type_name -> policy.PageRequest
- 62, // 46: policy.kasregistry.ListKeysResponse.kas_keys:type_name -> policy.KasKey
- 51, // 47: policy.kasregistry.ListKeysResponse.pagination:type_name -> policy.PageResponse
- 54, // 48: policy.kasregistry.UpdateKeyRequest.metadata:type_name -> common.MetadataMutable
- 55, // 49: policy.kasregistry.UpdateKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum
- 62, // 50: policy.kasregistry.UpdateKeyResponse.kas_key:type_name -> policy.KasKey
+ 66, // 43: policy.kasregistry.GetKeyResponse.kas_key:type_name -> policy.KasKey
+ 62, // 44: policy.kasregistry.ListKeysRequest.key_algorithm:type_name -> policy.Algorithm
+ 54, // 45: policy.kasregistry.ListKeysRequest.pagination:type_name -> policy.PageRequest
+ 66, // 46: policy.kasregistry.ListKeysResponse.kas_keys:type_name -> policy.KasKey
+ 55, // 47: policy.kasregistry.ListKeysResponse.pagination:type_name -> policy.PageResponse
+ 58, // 48: policy.kasregistry.UpdateKeyRequest.metadata:type_name -> common.MetadataMutable
+ 59, // 49: policy.kasregistry.UpdateKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum
+ 66, // 50: policy.kasregistry.UpdateKeyResponse.kas_key:type_name -> policy.KasKey
36, // 51: policy.kasregistry.RotateKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier
- 48, // 52: policy.kasregistry.RotateKeyRequest.new_key:type_name -> policy.kasregistry.RotateKeyRequest.NewKey
- 62, // 53: policy.kasregistry.RotatedResources.rotated_out_key:type_name -> policy.KasKey
+ 52, // 52: policy.kasregistry.RotateKeyRequest.new_key:type_name -> policy.kasregistry.RotateKeyRequest.NewKey
+ 66, // 53: policy.kasregistry.RotatedResources.rotated_out_key:type_name -> policy.KasKey
38, // 54: policy.kasregistry.RotatedResources.attribute_definition_mappings:type_name -> policy.kasregistry.ChangeMappings
38, // 55: policy.kasregistry.RotatedResources.attribute_value_mappings:type_name -> policy.kasregistry.ChangeMappings
38, // 56: policy.kasregistry.RotatedResources.namespace_mappings:type_name -> policy.kasregistry.ChangeMappings
- 62, // 57: policy.kasregistry.RotateKeyResponse.kas_key:type_name -> policy.KasKey
+ 66, // 57: policy.kasregistry.RotateKeyResponse.kas_key:type_name -> policy.KasKey
39, // 58: policy.kasregistry.RotateKeyResponse.rotated_resources:type_name -> policy.kasregistry.RotatedResources
36, // 59: policy.kasregistry.SetBaseKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier
- 63, // 60: policy.kasregistry.GetBaseKeyResponse.base_key:type_name -> policy.SimpleKasKey
- 63, // 61: policy.kasregistry.SetBaseKeyResponse.new_base_key:type_name -> policy.SimpleKasKey
- 63, // 62: policy.kasregistry.SetBaseKeyResponse.previous_base_key:type_name -> policy.SimpleKasKey
- 46, // 63: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping.public_keys:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.PublicKey
- 57, // 64: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.key:type_name -> policy.Key
- 47, // 65: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.values:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association
- 47, // 66: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.definitions:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association
- 47, // 67: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.namespaces:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association
- 58, // 68: policy.kasregistry.RotateKeyRequest.NewKey.algorithm:type_name -> policy.Algorithm
- 59, // 69: policy.kasregistry.RotateKeyRequest.NewKey.key_mode:type_name -> policy.KeyMode
- 60, // 70: policy.kasregistry.RotateKeyRequest.NewKey.public_key_ctx:type_name -> policy.PublicKeyCtx
- 61, // 71: policy.kasregistry.RotateKeyRequest.NewKey.private_key_ctx:type_name -> policy.PrivateKeyCtx
- 54, // 72: policy.kasregistry.RotateKeyRequest.NewKey.metadata:type_name -> common.MetadataMutable
- 2, // 73: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:input_type -> policy.kasregistry.ListKeyAccessServersRequest
- 0, // 74: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:input_type -> policy.kasregistry.GetKeyAccessServerRequest
- 4, // 75: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:input_type -> policy.kasregistry.CreateKeyAccessServerRequest
- 6, // 76: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:input_type -> policy.kasregistry.UpdateKeyAccessServerRequest
- 8, // 77: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:input_type -> policy.kasregistry.DeleteKeyAccessServerRequest
- 26, // 78: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:input_type -> policy.kasregistry.ListKeyAccessServerGrantsRequest
- 28, // 79: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:input_type -> policy.kasregistry.CreateKeyRequest
- 30, // 80: policy.kasregistry.KeyAccessServerRegistryService.GetKey:input_type -> policy.kasregistry.GetKeyRequest
- 32, // 81: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:input_type -> policy.kasregistry.ListKeysRequest
- 34, // 82: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:input_type -> policy.kasregistry.UpdateKeyRequest
- 37, // 83: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:input_type -> policy.kasregistry.RotateKeyRequest
- 41, // 84: policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey:input_type -> policy.kasregistry.SetBaseKeyRequest
- 42, // 85: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey:input_type -> policy.kasregistry.GetBaseKeyRequest
- 3, // 86: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:output_type -> policy.kasregistry.ListKeyAccessServersResponse
- 1, // 87: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:output_type -> policy.kasregistry.GetKeyAccessServerResponse
- 5, // 88: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:output_type -> policy.kasregistry.CreateKeyAccessServerResponse
- 7, // 89: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:output_type -> policy.kasregistry.UpdateKeyAccessServerResponse
- 9, // 90: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:output_type -> policy.kasregistry.DeleteKeyAccessServerResponse
- 27, // 91: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:output_type -> policy.kasregistry.ListKeyAccessServerGrantsResponse
- 29, // 92: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:output_type -> policy.kasregistry.CreateKeyResponse
- 31, // 93: policy.kasregistry.KeyAccessServerRegistryService.GetKey:output_type -> policy.kasregistry.GetKeyResponse
- 33, // 94: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:output_type -> policy.kasregistry.ListKeysResponse
- 35, // 95: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:output_type -> policy.kasregistry.UpdateKeyResponse
- 40, // 96: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:output_type -> policy.kasregistry.RotateKeyResponse
- 44, // 97: policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey:output_type -> policy.kasregistry.SetBaseKeyResponse
- 43, // 98: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey:output_type -> policy.kasregistry.GetBaseKeyResponse
- 86, // [86:99] is the sub-list for method output_type
- 73, // [73:86] is the sub-list for method input_type
- 73, // [73:73] is the sub-list for extension type_name
- 73, // [73:73] is the sub-list for extension extendee
- 0, // [0:73] is the sub-list for field type_name
+ 67, // 60: policy.kasregistry.GetBaseKeyResponse.base_key:type_name -> policy.SimpleKasKey
+ 67, // 61: policy.kasregistry.SetBaseKeyResponse.new_base_key:type_name -> policy.SimpleKasKey
+ 67, // 62: policy.kasregistry.SetBaseKeyResponse.previous_base_key:type_name -> policy.SimpleKasKey
+ 45, // 63: policy.kasregistry.KeyMapping.namespace_mappings:type_name -> policy.kasregistry.MappedPolicyObject
+ 45, // 64: policy.kasregistry.KeyMapping.attribute_mappings:type_name -> policy.kasregistry.MappedPolicyObject
+ 45, // 65: policy.kasregistry.KeyMapping.value_mappings:type_name -> policy.kasregistry.MappedPolicyObject
+ 36, // 66: policy.kasregistry.ListKeyMappingsRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier
+ 54, // 67: policy.kasregistry.ListKeyMappingsRequest.pagination:type_name -> policy.PageRequest
+ 46, // 68: policy.kasregistry.ListKeyMappingsResponse.key_mappings:type_name -> policy.kasregistry.KeyMapping
+ 55, // 69: policy.kasregistry.ListKeyMappingsResponse.pagination:type_name -> policy.PageResponse
+ 50, // 70: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping.public_keys:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.PublicKey
+ 61, // 71: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.key:type_name -> policy.Key
+ 51, // 72: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.values:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association
+ 51, // 73: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.definitions:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association
+ 51, // 74: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.namespaces:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association
+ 62, // 75: policy.kasregistry.RotateKeyRequest.NewKey.algorithm:type_name -> policy.Algorithm
+ 63, // 76: policy.kasregistry.RotateKeyRequest.NewKey.key_mode:type_name -> policy.KeyMode
+ 64, // 77: policy.kasregistry.RotateKeyRequest.NewKey.public_key_ctx:type_name -> policy.PublicKeyCtx
+ 65, // 78: policy.kasregistry.RotateKeyRequest.NewKey.private_key_ctx:type_name -> policy.PrivateKeyCtx
+ 58, // 79: policy.kasregistry.RotateKeyRequest.NewKey.metadata:type_name -> common.MetadataMutable
+ 2, // 80: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:input_type -> policy.kasregistry.ListKeyAccessServersRequest
+ 0, // 81: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:input_type -> policy.kasregistry.GetKeyAccessServerRequest
+ 4, // 82: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:input_type -> policy.kasregistry.CreateKeyAccessServerRequest
+ 6, // 83: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:input_type -> policy.kasregistry.UpdateKeyAccessServerRequest
+ 8, // 84: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:input_type -> policy.kasregistry.DeleteKeyAccessServerRequest
+ 26, // 85: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:input_type -> policy.kasregistry.ListKeyAccessServerGrantsRequest
+ 28, // 86: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:input_type -> policy.kasregistry.CreateKeyRequest
+ 30, // 87: policy.kasregistry.KeyAccessServerRegistryService.GetKey:input_type -> policy.kasregistry.GetKeyRequest
+ 32, // 88: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:input_type -> policy.kasregistry.ListKeysRequest
+ 34, // 89: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:input_type -> policy.kasregistry.UpdateKeyRequest
+ 37, // 90: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:input_type -> policy.kasregistry.RotateKeyRequest
+ 41, // 91: policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey:input_type -> policy.kasregistry.SetBaseKeyRequest
+ 42, // 92: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey:input_type -> policy.kasregistry.GetBaseKeyRequest
+ 47, // 93: policy.kasregistry.KeyAccessServerRegistryService.ListKeyMappings:input_type -> policy.kasregistry.ListKeyMappingsRequest
+ 3, // 94: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:output_type -> policy.kasregistry.ListKeyAccessServersResponse
+ 1, // 95: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:output_type -> policy.kasregistry.GetKeyAccessServerResponse
+ 5, // 96: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:output_type -> policy.kasregistry.CreateKeyAccessServerResponse
+ 7, // 97: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:output_type -> policy.kasregistry.UpdateKeyAccessServerResponse
+ 9, // 98: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:output_type -> policy.kasregistry.DeleteKeyAccessServerResponse
+ 27, // 99: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:output_type -> policy.kasregistry.ListKeyAccessServerGrantsResponse
+ 29, // 100: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:output_type -> policy.kasregistry.CreateKeyResponse
+ 31, // 101: policy.kasregistry.KeyAccessServerRegistryService.GetKey:output_type -> policy.kasregistry.GetKeyResponse
+ 33, // 102: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:output_type -> policy.kasregistry.ListKeysResponse
+ 35, // 103: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:output_type -> policy.kasregistry.UpdateKeyResponse
+ 40, // 104: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:output_type -> policy.kasregistry.RotateKeyResponse
+ 44, // 105: policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey:output_type -> policy.kasregistry.SetBaseKeyResponse
+ 43, // 106: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey:output_type -> policy.kasregistry.GetBaseKeyResponse
+ 48, // 107: policy.kasregistry.KeyAccessServerRegistryService.ListKeyMappings:output_type -> policy.kasregistry.ListKeyMappingsResponse
+ 94, // [94:108] is the sub-list for method output_type
+ 80, // [80:94] is the sub-list for method input_type
+ 80, // [80:80] is the sub-list for extension type_name
+ 80, // [80:80] is the sub-list for extension extendee
+ 0, // [0:80] is the sub-list for field type_name
}
func init() { file_policy_kasregistry_key_access_server_registry_proto_init() }
@@ -4919,7 +5261,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() {
}
}
file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*ListPublicKeyMappingResponse_PublicKeyMapping); i {
+ switch v := v.(*MappedPolicyObject); i {
case 0:
return &v.state
case 1:
@@ -4931,7 +5273,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() {
}
}
file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*ListPublicKeyMappingResponse_PublicKey); i {
+ switch v := v.(*KeyMapping); i {
case 0:
return &v.state
case 1:
@@ -4943,7 +5285,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() {
}
}
file_policy_kasregistry_key_access_server_registry_proto_msgTypes[47].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*ListPublicKeyMappingResponse_Association); i {
+ switch v := v.(*ListKeyMappingsRequest); i {
case 0:
return &v.state
case 1:
@@ -4955,6 +5297,54 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() {
}
}
file_policy_kasregistry_key_access_server_registry_proto_msgTypes[48].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ListKeyMappingsResponse); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_kasregistry_key_access_server_registry_proto_msgTypes[49].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ListPublicKeyMappingResponse_PublicKeyMapping); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_kasregistry_key_access_server_registry_proto_msgTypes[50].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ListPublicKeyMappingResponse_PublicKey); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_kasregistry_key_access_server_registry_proto_msgTypes[51].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ListPublicKeyMappingResponse_Association); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_kasregistry_key_access_server_registry_proto_msgTypes[52].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*RotateKeyRequest_NewKey); i {
case 0:
return &v.state
@@ -5007,13 +5397,17 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() {
(*SetBaseKeyRequest_Id)(nil),
(*SetBaseKeyRequest_Key)(nil),
}
+ file_policy_kasregistry_key_access_server_registry_proto_msgTypes[47].OneofWrappers = []interface{}{
+ (*ListKeyMappingsRequest_Id)(nil),
+ (*ListKeyMappingsRequest_Key)(nil),
+ }
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_policy_kasregistry_key_access_server_registry_proto_rawDesc,
NumEnums: 0,
- NumMessages: 49,
+ NumMessages: 53,
NumExtensions: 0,
NumServices: 1,
},
diff --git a/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go b/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go
index 843e3dca3a..a812323ae3 100644
--- a/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go
+++ b/protocol/go/policy/kasregistry/key_access_server_registry_grpc.pb.go
@@ -32,6 +32,7 @@ const (
KeyAccessServerRegistryService_RotateKey_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/RotateKey"
KeyAccessServerRegistryService_SetBaseKey_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/SetBaseKey"
KeyAccessServerRegistryService_GetBaseKey_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/GetBaseKey"
+ KeyAccessServerRegistryService_ListKeyMappings_FullMethodName = "/policy.kasregistry.KeyAccessServerRegistryService/ListKeyMappings"
)
// KeyAccessServerRegistryServiceClient is the client API for KeyAccessServerRegistryService service.
@@ -61,6 +62,8 @@ type KeyAccessServerRegistryServiceClient interface {
SetBaseKey(ctx context.Context, in *SetBaseKeyRequest, opts ...grpc.CallOption) (*SetBaseKeyResponse, error)
// Get Default kas keys
GetBaseKey(ctx context.Context, in *GetBaseKeyRequest, opts ...grpc.CallOption) (*GetBaseKeyResponse, error)
+ // Request to list key mappings in the Key Access Service.
+ ListKeyMappings(ctx context.Context, in *ListKeyMappingsRequest, opts ...grpc.CallOption) (*ListKeyMappingsResponse, error)
}
type keyAccessServerRegistryServiceClient struct {
@@ -189,6 +192,15 @@ func (c *keyAccessServerRegistryServiceClient) GetBaseKey(ctx context.Context, i
return out, nil
}
+func (c *keyAccessServerRegistryServiceClient) ListKeyMappings(ctx context.Context, in *ListKeyMappingsRequest, opts ...grpc.CallOption) (*ListKeyMappingsResponse, error) {
+ out := new(ListKeyMappingsResponse)
+ err := c.cc.Invoke(ctx, KeyAccessServerRegistryService_ListKeyMappings_FullMethodName, in, out, opts...)
+ if err != nil {
+ return nil, err
+ }
+ return out, nil
+}
+
// KeyAccessServerRegistryServiceServer is the server API for KeyAccessServerRegistryService service.
// All implementations must embed UnimplementedKeyAccessServerRegistryServiceServer
// for forward compatibility
@@ -216,6 +228,8 @@ type KeyAccessServerRegistryServiceServer interface {
SetBaseKey(context.Context, *SetBaseKeyRequest) (*SetBaseKeyResponse, error)
// Get Default kas keys
GetBaseKey(context.Context, *GetBaseKeyRequest) (*GetBaseKeyResponse, error)
+ // Request to list key mappings in the Key Access Service.
+ ListKeyMappings(context.Context, *ListKeyMappingsRequest) (*ListKeyMappingsResponse, error)
mustEmbedUnimplementedKeyAccessServerRegistryServiceServer()
}
@@ -262,6 +276,9 @@ func (UnimplementedKeyAccessServerRegistryServiceServer) SetBaseKey(context.Cont
func (UnimplementedKeyAccessServerRegistryServiceServer) GetBaseKey(context.Context, *GetBaseKeyRequest) (*GetBaseKeyResponse, error) {
return nil, status.Errorf(codes.Unimplemented, "method GetBaseKey not implemented")
}
+func (UnimplementedKeyAccessServerRegistryServiceServer) ListKeyMappings(context.Context, *ListKeyMappingsRequest) (*ListKeyMappingsResponse, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method ListKeyMappings not implemented")
+}
func (UnimplementedKeyAccessServerRegistryServiceServer) mustEmbedUnimplementedKeyAccessServerRegistryServiceServer() {
}
@@ -510,6 +527,24 @@ func _KeyAccessServerRegistryService_GetBaseKey_Handler(srv interface{}, ctx con
return interceptor(ctx, in, info, handler)
}
+func _KeyAccessServerRegistryService_ListKeyMappings_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+ in := new(ListKeyMappingsRequest)
+ if err := dec(in); err != nil {
+ return nil, err
+ }
+ if interceptor == nil {
+ return srv.(KeyAccessServerRegistryServiceServer).ListKeyMappings(ctx, in)
+ }
+ info := &grpc.UnaryServerInfo{
+ Server: srv,
+ FullMethod: KeyAccessServerRegistryService_ListKeyMappings_FullMethodName,
+ }
+ handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+ return srv.(KeyAccessServerRegistryServiceServer).ListKeyMappings(ctx, req.(*ListKeyMappingsRequest))
+ }
+ return interceptor(ctx, in, info, handler)
+}
+
// KeyAccessServerRegistryService_ServiceDesc is the grpc.ServiceDesc for KeyAccessServerRegistryService service.
// It's only intended for direct use with grpc.RegisterService,
// and not to be introspected or modified (even as a copy)
@@ -569,6 +604,10 @@ var KeyAccessServerRegistryService_ServiceDesc = grpc.ServiceDesc{
MethodName: "GetBaseKey",
Handler: _KeyAccessServerRegistryService_GetBaseKey_Handler,
},
+ {
+ MethodName: "ListKeyMappings",
+ Handler: _KeyAccessServerRegistryService_ListKeyMappings_Handler,
+ },
},
Streams: []grpc.StreamDesc{},
Metadata: "policy/kasregistry/key_access_server_registry.proto",
diff --git a/sdk/sdkconnect/kasregistry.go b/sdk/sdkconnect/kasregistry.go
index cbb740eecc..1817baa411 100644
--- a/sdk/sdkconnect/kasregistry.go
+++ b/sdk/sdkconnect/kasregistry.go
@@ -30,6 +30,7 @@ type KeyAccessServerRegistryServiceClient interface {
RotateKey(ctx context.Context, req *kasregistry.RotateKeyRequest) (*kasregistry.RotateKeyResponse, error)
SetBaseKey(ctx context.Context, req *kasregistry.SetBaseKeyRequest) (*kasregistry.SetBaseKeyResponse, error)
GetBaseKey(ctx context.Context, req *kasregistry.GetBaseKeyRequest) (*kasregistry.GetBaseKeyResponse, error)
+ ListKeyMappings(ctx context.Context, req *kasregistry.ListKeyMappingsRequest) (*kasregistry.ListKeyMappingsResponse, error)
}
func (w *KeyAccessServerRegistryServiceClientConnectWrapper) ListKeyAccessServers(ctx context.Context, req *kasregistry.ListKeyAccessServersRequest) (*kasregistry.ListKeyAccessServersResponse, error) {
@@ -148,3 +149,12 @@ func (w *KeyAccessServerRegistryServiceClientConnectWrapper) GetBaseKey(ctx cont
}
return res.Msg, err
}
+
+func (w *KeyAccessServerRegistryServiceClientConnectWrapper) ListKeyMappings(ctx context.Context, req *kasregistry.ListKeyMappingsRequest) (*kasregistry.ListKeyMappingsResponse, error) {
+ // Wrap Connect RPC client request
+ res, err := w.KeyAccessServerRegistryServiceClient.ListKeyMappings(ctx, connect.NewRequest(req))
+ if res == nil {
+ return nil, err
+ }
+ return res.Msg, err
+}
diff --git a/service/integration/kas_registry_key_test.go b/service/integration/kas_registry_key_test.go
index 5326e8f018..f08d0d29da 100644
--- a/service/integration/kas_registry_key_test.go
+++ b/service/integration/kas_registry_key_test.go
@@ -1108,6 +1108,455 @@ func (s *KasRegistryKeySuite) Test_RotateKey_MetadataUnchanged_Success() {
s.Require().Equal(labels, oldKey.GetKey().GetMetadata().GetLabels())
}
+func (s *KasRegistryKeySuite) Test_ListKeyMappings_InvalidLimit_Fail() {
+ req := kasregistry.ListKeyMappingsRequest{
+ Pagination: &policy.PageRequest{
+ Limit: s.db.LimitMax + 1,
+ },
+ }
+ resp, err := s.db.PolicyClient.ListKeyMappings(s.ctx, &req)
+ s.Require().Error(err)
+ s.Require().ErrorIs(err, db.ErrListLimitTooLarge)
+ s.Nil(resp)
+}
+
+func (s *KasRegistryKeySuite) Test_ListKeyMappings_ByID_Invalid_UUID_Fail() {
+ req := kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Id{
+ Id: "non_existent_key_id",
+ },
+ }
+ mappingsResp, err := s.db.PolicyClient.ListKeyMappings(s.ctx, &req)
+ s.Require().Nil(mappingsResp)
+ s.Require().ErrorIs(err, db.ErrUUIDInvalid)
+}
+
+func (s *KasRegistryKeySuite) Test_ListKeyMappings_ByID_OneAttrValue_Success() {
+ kasKeys := make([]*policy.KasKey, 0)
+ kasIDs := make([]string, 0)
+ namespaces := make([]*policy.Namespace, 0)
+ attributeDefs := make([]*policy.Attribute, 0)
+ attrValues := make([]*policy.Value, 0)
+ defer func() {
+ keyIDs := make([]string, 0)
+ for _, key := range kasKeys {
+ keyIDs = append(keyIDs, key.GetKey().GetId())
+ }
+ s.cleanupKeys(keyIDs, kasIDs)
+ s.deleteAttributes(namespaces, attributeDefs, attrValues)
+ }()
+ kasKey := s.createKeyAndKas()
+ kasKeys = append(kasKeys, kasKey)
+ kasIDs = append(kasIDs, kasKey.GetKasId())
+ namespaces = append(namespaces, s.createNamespace())
+ attributeDefs = append(attributeDefs, s.createAttrDef(namespaces[0].GetId()))
+ attrValues = append(attrValues, s.createValue(attributeDefs[0].GetId()))
+ s.createValueMapping(kasKey.GetKey().GetId(), attrValues[0].GetId())
+
+ req := kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Id{
+ Id: kasKey.GetKey().GetId(),
+ },
+ }
+ mappingsResp, err := s.db.PolicyClient.ListKeyMappings(s.ctx, &req)
+ s.Require().NoError(err)
+ s.NotNil(mappingsResp)
+ s.Len(mappingsResp.GetKeyMappings(), 1)
+ s.validateKeyMapping(mappingsResp.GetKeyMappings()[0], kasKey, []*policy.Namespace{}, []*policy.Attribute{}, attrValues)
+ s.NotNil(mappingsResp.GetPagination())
+ s.Equal(int32(1), mappingsResp.GetPagination().GetTotal())
+ s.Equal(int32(0), mappingsResp.GetPagination().GetCurrentOffset())
+ s.Equal(int32(0), mappingsResp.GetPagination().GetNextOffset())
+}
+
+func (s *KasRegistryKeySuite) Test_ListKeyMappings_By_Key_No_Kas_Identifier_Fail() {
+ req := kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Key{
+ Key: &kasregistry.KasKeyIdentifier{
+ Kid: "non_existent_key_id",
+ },
+ },
+ }
+ mappingsResp, err := s.db.PolicyClient.ListKeyMappings(s.ctx, &req)
+ s.Require().Nil(mappingsResp)
+ s.Require().ErrorIs(err, db.ErrUnknownSelectIdentifier)
+}
+
+func (s *KasRegistryKeySuite) Test_ListKeyMappings_By_Key_No_Key_Id_With_Kas_Identifier_Fail() {
+ req := kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Key{
+ Key: &kasregistry.KasKeyIdentifier{
+ Identifier: &kasregistry.KasKeyIdentifier_Uri{
+ Uri: "non_existent_key_uri",
+ },
+ },
+ },
+ }
+ mappingsResp, err := s.db.PolicyClient.ListKeyMappings(s.ctx, &req)
+ s.Require().Nil(mappingsResp)
+ s.Require().ErrorIs(err, db.ErrSelectIdentifierInvalid)
+}
+
+func (s *KasRegistryKeySuite) Test_ListKeyMappings_By_Key_Success() {
+ kasKeys := make([]*policy.KasKey, 0)
+ kasIDs := make([]string, 0)
+ namespaces := make([]*policy.Namespace, 0)
+ attributeDefs := make([]*policy.Attribute, 0)
+ attrValues := make([]*policy.Value, 0)
+ defer func() {
+ keyIDs := make([]string, 0)
+ for _, key := range kasKeys {
+ keyIDs = append(keyIDs, key.GetKey().GetId())
+ }
+ s.cleanupKeys(keyIDs, kasIDs)
+ s.deleteAttributes(namespaces, attributeDefs, attrValues)
+ }()
+ kasKey := s.createKeyAndKas()
+ kasKeys = append(kasKeys, kasKey)
+ kasIDs = append(kasIDs, kasKey.GetKasId())
+ namespaces = append(namespaces, s.createNamespace())
+ attributeDefs = append(attributeDefs, s.createAttrDef(namespaces[0].GetId()))
+ attrValues = append(attrValues, s.createValue(attributeDefs[0].GetId()))
+ s.createValueMapping(kasKey.GetKey().GetId(), attrValues[0].GetId())
+
+ // Create a second key on the same KAS
+ keyReqTwo := kasregistry.CreateKeyRequest{
+ KasId: kasKey.GetKasId(),
+ KeyId: "second-kas-key",
+ KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048,
+ KeyMode: policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY,
+ PublicKeyCtx: &policy.PublicKeyCtx{
+ Pem: keyCtx,
+ },
+ PrivateKeyCtx: &policy.PrivateKeyCtx{
+ KeyId: validKeyID1,
+ WrappedKey: keyCtx,
+ },
+ }
+ nonSearchedKey, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReqTwo)
+ s.Require().NoError(err)
+ s.NotNil(nonSearchedKey)
+ kasKeys = append(kasKeys, nonSearchedKey.GetKasKey())
+ s.createValueMapping(nonSearchedKey.GetKasKey().GetKey().GetId(), attrValues[0].GetId())
+
+ validateResp := func(resp *kasregistry.ListKeyMappingsResponse) {
+ s.Require().NoError(err)
+ s.NotNil(resp)
+ s.Len(resp.GetKeyMappings(), 1)
+ s.validateKeyMapping(resp.GetKeyMappings()[0], kasKey, []*policy.Namespace{}, []*policy.Attribute{}, attrValues)
+ s.NotNil(resp.GetPagination())
+ s.Equal(int32(1), resp.GetPagination().GetTotal())
+ s.Equal(int32(0), resp.GetPagination().GetCurrentOffset())
+ s.Equal(int32(0), resp.GetPagination().GetNextOffset())
+ }
+
+ req := kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Key{
+ Key: &kasregistry.KasKeyIdentifier{
+ Identifier: &kasregistry.KasKeyIdentifier_Uri{
+ Uri: kasKey.GetKasUri(),
+ },
+ Kid: kasKey.GetKey().GetKeyId(),
+ },
+ },
+ }
+ mappingsResp, err := s.db.PolicyClient.ListKeyMappings(s.ctx, &req)
+ validateResp(mappingsResp)
+
+ req = kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Key{
+ Key: &kasregistry.KasKeyIdentifier{
+ Identifier: &kasregistry.KasKeyIdentifier_KasId{
+ KasId: kasKey.GetKasId(),
+ },
+ Kid: kasKey.GetKey().GetKeyId(),
+ },
+ },
+ }
+ mappingsResp, err = s.db.PolicyClient.ListKeyMappings(s.ctx, &req)
+ validateResp(mappingsResp)
+
+ // Get the kas name
+ kas, err := s.db.PolicyClient.GetKeyAccessServer(s.ctx, &kasregistry.GetKeyAccessServerRequest_KasId{
+ KasId: kasKey.GetKasId(),
+ })
+ s.Require().NoError(err)
+ s.NotNil(kas)
+ req = kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Key{
+ Key: &kasregistry.KasKeyIdentifier{
+ Identifier: &kasregistry.KasKeyIdentifier_Name{
+ Name: kas.GetName(),
+ },
+ Kid: kasKey.GetKey().GetKeyId(),
+ },
+ },
+ }
+ mappingsResp, err = s.db.PolicyClient.ListKeyMappings(s.ctx, &req)
+ validateResp(mappingsResp)
+}
+
+func (s *KasRegistryKeySuite) Test_ListKeyMappings_SameKeyId_DifferentKas_Success() {
+ kasKeys := make([]*policy.KasKey, 0)
+ kasIDs := make([]string, 0)
+ namespaces := make([]*policy.Namespace, 0)
+ attributeDefs := make([]*policy.Attribute, 0)
+ attrValues := make([]*policy.Value, 0)
+ defer func() {
+ keyIDs := make([]string, 0)
+ for _, key := range kasKeys {
+ keyIDs = append(keyIDs, key.GetKey().GetId())
+ }
+ s.cleanupKeys(keyIDs, kasIDs)
+ s.deleteAttributes(namespaces, attributeDefs, attrValues)
+ }()
+
+ kasKey := s.createKeyAndKas()
+ s.NotNil(kasKey)
+ kasKeys = append(kasKeys, kasKey)
+ kasIDs = append(kasIDs, kasKey.GetKasId())
+ namespaces = append(namespaces, s.createNamespace())
+ attributeDefs = append(attributeDefs, s.createAttrDef(namespaces[0].GetId()))
+ attrValues = append(attrValues, s.createValue(attributeDefs[0].GetId()))
+ s.createValueMapping(kasKey.GetKey().GetId(), attrValues[0].GetId())
+
+ // Create another KAS
+ kasReq := kasregistry.CreateKeyAccessServerRequest{
+ Name: "test_list_mapping_kas_2_" + uuid.NewString(),
+ Uri: "https://test-list-mappings-2-" + uuid.NewString() + ".opentdf.io",
+ }
+ kasTwo, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq)
+ s.Require().NoError(err)
+ s.NotNil(kasTwo)
+ kasIDs = append(kasIDs, kasTwo.GetId())
+
+ keyReqTwo := kasregistry.CreateKeyRequest{
+ KasId: kasTwo.GetId(),
+ KeyId: kasKey.GetKey().GetKeyId(),
+ KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048,
+ KeyMode: policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY,
+ PublicKeyCtx: &policy.PublicKeyCtx{
+ Pem: keyCtx,
+ },
+ PrivateKeyCtx: &policy.PrivateKeyCtx{
+ KeyId: validKeyID1,
+ WrappedKey: keyCtx,
+ },
+ }
+ nonSearchedKey, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReqTwo)
+ s.Require().NoError(err)
+ s.NotNil(nonSearchedKey)
+ kasKeys = append(kasKeys, nonSearchedKey.GetKasKey())
+ s.createValueMapping(nonSearchedKey.GetKasKey().GetKey().GetId(), attrValues[0].GetId())
+
+ listReq := kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Key{
+ Key: &kasregistry.KasKeyIdentifier{
+ Identifier: &kasregistry.KasKeyIdentifier_KasId{
+ KasId: kasKey.GetKasId(),
+ },
+ Kid: kasKey.GetKey().GetKeyId(),
+ },
+ },
+ }
+ mappingsResp, err := s.db.PolicyClient.ListKeyMappings(s.ctx, &listReq)
+ s.Require().NoError(err)
+ s.NotNil(mappingsResp)
+ s.Len(mappingsResp.GetKeyMappings(), 1)
+ s.validateKeyMapping(mappingsResp.GetKeyMappings()[0], kasKey, []*policy.Namespace{}, []*policy.Attribute{}, attrValues)
+ s.NotNil(mappingsResp.GetPagination())
+ s.Equal(int32(1), mappingsResp.GetPagination().GetTotal())
+ s.Equal(int32(0), mappingsResp.GetPagination().GetCurrentOffset())
+ s.Equal(int32(0), mappingsResp.GetPagination().GetNextOffset())
+}
+
+func (s *KasRegistryKeySuite) Test_ListKeyMappings_By_Key_Success_EmptyMappings() {
+ kasKeys := make([]*policy.KasKey, 0)
+ kasIDs := make([]string, 0)
+ defer func() {
+ keyIDs := make([]string, 0)
+ for _, key := range kasKeys {
+ keyIDs = append(keyIDs, key.GetKey().GetId())
+ }
+ s.cleanupKeys(keyIDs, kasIDs)
+ }()
+ kasKey := s.createKeyAndKas()
+ kasKeys = append(kasKeys, kasKey)
+ kasIDs = append(kasIDs, kasKey.GetKasId())
+
+ req := kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Id{
+ Id: kasKey.GetKey().GetId(),
+ },
+ }
+ mappingsResp, err := s.db.PolicyClient.ListKeyMappings(s.ctx, &req)
+ s.Require().NoError(err)
+ s.NotNil(mappingsResp)
+ s.Empty(mappingsResp.GetKeyMappings())
+ s.NotNil(mappingsResp.GetPagination())
+ s.Equal(int32(0), mappingsResp.GetPagination().GetTotal())
+ s.Equal(int32(0), mappingsResp.GetPagination().GetCurrentOffset())
+ s.Equal(int32(0), mappingsResp.GetPagination().GetNextOffset())
+}
+
+func (s *KasRegistryKeySuite) Test_ListKeyMappings_Multiple_Keys_Pagination_Success() {
+ kasKeys := make([]*policy.KasKey, 0)
+ kasIDs := make([]string, 0)
+ namespaces := make([]*policy.Namespace, 0)
+ attributeDefs := make([]*policy.Attribute, 0)
+ attrValues := make([]*policy.Value, 0)
+ defer func() {
+ keyIDs := make([]string, 0)
+ for _, key := range kasKeys {
+ keyIDs = append(keyIDs, key.GetKey().GetId())
+ }
+ s.cleanupKeys(keyIDs, kasIDs)
+ s.deleteAttributes(namespaces, attributeDefs, attrValues)
+ }()
+ for i := range 2 {
+ kasKey := s.createKeyAndKas()
+ kasKeys = append(kasKeys, kasKey)
+ kasIDs = append(kasIDs, kasKey.GetKasId())
+ namespaces = append(namespaces, s.createNamespace())
+ attributeDefs = append(attributeDefs, s.createAttrDef(namespaces[i].GetId()))
+ attrValues = append(attrValues, s.createValue(attributeDefs[i].GetId()))
+ s.createNamespaceMapping(kasKey.GetKey().GetId(), namespaces[i].GetId())
+ s.createAttrDefMapping(kasKey.GetKey().GetId(), attributeDefs[i].GetId())
+ s.createValueMapping(kasKey.GetKey().GetId(), attrValues[i].GetId())
+ }
+
+ // List all key mappings without any identifier
+ req := kasregistry.ListKeyMappingsRequest{}
+ mappingsResp, err := s.db.PolicyClient.ListKeyMappings(s.ctx, &req)
+ s.Require().NoError(err)
+ s.NotNil(mappingsResp)
+ s.Len(mappingsResp.GetKeyMappings(), 2)
+ s.validateKeyMapping(mappingsResp.GetKeyMappings()[0], kasKeys[0], []*policy.Namespace{namespaces[0]}, []*policy.Attribute{attributeDefs[0]}, []*policy.Value{attrValues[0]})
+ s.validateKeyMapping(mappingsResp.GetKeyMappings()[1], kasKeys[1], []*policy.Namespace{namespaces[1]}, []*policy.Attribute{attributeDefs[1]}, []*policy.Value{attrValues[1]})
+ s.NotNil(mappingsResp.GetPagination())
+ s.Equal(int32(2), mappingsResp.GetPagination().GetTotal())
+ s.Equal(int32(0), mappingsResp.GetPagination().GetCurrentOffset())
+ s.Equal(int32(0), mappingsResp.GetPagination().GetNextOffset())
+
+ req = kasregistry.ListKeyMappingsRequest{
+ Pagination: &policy.PageRequest{
+ Limit: 1,
+ },
+ }
+ mappingsResp, err = s.db.PolicyClient.ListKeyMappings(s.ctx, &req)
+ s.Require().NoError(err)
+ s.NotNil(mappingsResp)
+ s.Len(mappingsResp.GetKeyMappings(), 1)
+ s.validateKeyMapping(mappingsResp.GetKeyMappings()[0], kasKeys[0], []*policy.Namespace{namespaces[0]}, []*policy.Attribute{attributeDefs[0]}, []*policy.Value{attrValues[0]})
+ s.NotNil(mappingsResp.GetPagination())
+ s.Equal(int32(2), mappingsResp.GetPagination().GetTotal())
+ s.Equal(int32(0), mappingsResp.GetPagination().GetCurrentOffset())
+ s.Equal(int32(1), mappingsResp.GetPagination().GetNextOffset())
+
+ req = kasregistry.ListKeyMappingsRequest{
+ Pagination: &policy.PageRequest{
+ Limit: 1,
+ Offset: mappingsResp.GetPagination().GetNextOffset(),
+ },
+ }
+ mappingsResp, err = s.db.PolicyClient.ListKeyMappings(s.ctx, &req)
+ s.Require().NoError(err)
+ s.NotNil(mappingsResp)
+ s.Len(mappingsResp.GetKeyMappings(), 1)
+ s.validateKeyMapping(mappingsResp.GetKeyMappings()[0], kasKeys[1], []*policy.Namespace{namespaces[1]}, []*policy.Attribute{attributeDefs[1]}, []*policy.Value{attrValues[1]})
+ s.NotNil(mappingsResp.GetPagination())
+ s.Equal(int32(2), mappingsResp.GetPagination().GetTotal())
+ s.Equal(int32(1), mappingsResp.GetPagination().GetCurrentOffset())
+ s.Equal(int32(0), mappingsResp.GetPagination().GetNextOffset())
+}
+
+func (s *KasRegistryKeySuite) Test_ListKeyMappings_Multiple_Mixed_Mappings() {
+ kasKeys := make([]*policy.KasKey, 0)
+ kasIDs := make([]string, 0)
+ namespaces := make([]*policy.Namespace, 0)
+ attributeDefs := make([]*policy.Attribute, 0)
+ attrValues := make([]*policy.Value, 0)
+ defer func() {
+ keyIDs := make([]string, 0)
+ for _, key := range kasKeys {
+ keyIDs = append(keyIDs, key.GetKey().GetId())
+ }
+ s.cleanupKeys(keyIDs, kasIDs)
+ s.deleteAttributes(namespaces, attributeDefs, attrValues)
+ }()
+
+ for range 3 {
+ kasKey := s.createKeyAndKas()
+ s.NotNil(kasKey)
+ kasKeys = append(kasKeys, kasKey)
+ kasIDs = append(kasIDs, kasKey.GetKasId())
+ }
+ for i := range 2 {
+ namespaces = append(namespaces, s.createNamespace())
+ attributeDefs = append(attributeDefs, s.createAttrDef(namespaces[i].GetId()))
+ attrValues = append(attrValues, s.createValue(attributeDefs[i].GetId()))
+ s.createNamespaceMapping(kasKeys[0].GetKey().GetId(), namespaces[i].GetId())
+ s.createAttrDefMapping(kasKeys[1].GetKey().GetId(), attributeDefs[i].GetId())
+ s.createValueMapping(kasKeys[0].GetKey().GetId(), attrValues[i].GetId())
+ }
+ req := kasregistry.ListKeyMappingsRequest{}
+ mappedResponse, err := s.db.PolicyClient.ListKeyMappings(s.ctx, &req)
+ s.Require().NoError(err)
+ s.NotNil(mappedResponse)
+ s.Len(mappedResponse.GetKeyMappings(), 2)
+ s.validateKeyMapping(mappedResponse.GetKeyMappings()[0], kasKeys[0], namespaces, []*policy.Attribute{}, attrValues)
+ s.validateKeyMapping(mappedResponse.GetKeyMappings()[1], kasKeys[1], []*policy.Namespace{}, attributeDefs, []*policy.Value{})
+ s.NotNil(mappedResponse.GetPagination())
+ s.Equal(int32(2), mappedResponse.GetPagination().GetTotal())
+ s.Equal(int32(0), mappedResponse.GetPagination().GetCurrentOffset())
+ s.Equal(int32(0), mappedResponse.GetPagination().GetNextOffset())
+}
+
+func (s *KasRegistryKeySuite) validateKeyMapping(mapping *kasregistry.KeyMapping, expectedKey *policy.KasKey, expectedNamespace []*policy.Namespace, expectedAttrDef []*policy.Attribute, expectedValue []*policy.Value) {
+ s.Equal(expectedKey.GetKey().GetKeyId(), mapping.GetKid())
+ s.Equal(expectedKey.GetKasUri(), mapping.GetKasUri())
+ s.Len(mapping.GetNamespaceMappings(), len(expectedNamespace))
+ s.Len(mapping.GetAttributeMappings(), len(expectedAttrDef))
+ s.Len(mapping.GetValueMappings(), len(expectedValue))
+
+ if len(expectedNamespace) > 0 {
+ for _, ns := range expectedNamespace {
+ found := false
+ for _, nsMapping := range mapping.GetNamespaceMappings() {
+ if nsMapping.GetId() == ns.GetId() && nsMapping.GetFqn() == ns.GetFqn() {
+ found = true
+ break
+ }
+ }
+ s.True(found, "Namespace mapping not found: %s", ns.GetFqn())
+ }
+ }
+ if len(expectedAttrDef) > 0 {
+ for _, attr := range expectedAttrDef {
+ found := false
+ for _, attrMapping := range mapping.GetAttributeMappings() {
+ if attrMapping.GetId() == attr.GetId() && attrMapping.GetFqn() == attr.GetFqn() {
+ found = true
+ break
+ }
+ }
+ s.True(found, "Attribute mapping not found: %s", attr.GetFqn())
+ }
+ }
+ if len(expectedValue) > 0 {
+ for _, val := range expectedValue {
+ found := false
+ for _, valMapping := range mapping.GetValueMappings() {
+ if valMapping.GetId() == val.GetId() && valMapping.GetFqn() == val.GetFqn() {
+ found = true
+ break
+ }
+ }
+ s.True(found, "Value mapping not found: %s", val.GetFqn())
+ }
+ }
+}
+
func (s *KasRegistryKeySuite) setupKeysForRotate(kasID string) map[string]*policy.KasKey {
// Create a key for the KAS
keyReq := kasregistry.CreateKeyRequest{
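Review bot: In `Test_ListKeyMappings_By_Key_Success` the `validateResp` closure asserts on an `err` it captures from the enclosing scope instead of receiving it, so it checks the right error only because each later `mappingsResp, err = ...` reuses that same variable. Pass it explicitly with `validateResp := func(resp *kasregistry.ListKeyMappingsResponse, err error) {` and call `validateResp(mappingsResp, err)` at the three call sites. Separately, the unfiltered list tests (`Test_ListKeyMappings_Multiple_Keys_Pagination_Success`, `Test_ListKeyMappings_Multiple_Mixed_Mappings`) assert an exact total of 2. That presumably holds only while no other mapped key exists in the suite's database, so it is worth confirming against the suite setup, which is outside this hunk.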
@@ -1396,3 +1845,111 @@ func validatePrivatePublicCtx(s *suite.Suite, expectedPrivCtx, expectedPubCtx []
},
})
}
+
+func (s *KasRegistryKeySuite) deleteAttributes(namespaces []*policy.Namespace, attributeDefs []*policy.Attribute, attrValues []*policy.Value) {
+ for _, value := range attrValues {
+ _, err := s.db.PolicyClient.DeleteAttributeValue(s.ctx, value.GetId())
+ s.Require().NoError(err)
+ }
+ for _, def := range attributeDefs {
+ _, err := s.db.PolicyClient.DeleteAttribute(s.ctx, def.GetId())
+ s.Require().NoError(err)
+ }
+ for _, ns := range namespaces {
+ _, err := s.db.PolicyClient.DeleteNamespace(s.ctx, ns.GetId())
+ s.Require().NoError(err)
+ }
+}
+
+func (s *KasRegistryKeySuite) createNamespace() *policy.Namespace {
+ nsReq := namespaces.CreateNamespaceRequest{
+ Name: "test_namespace_" + uuid.NewString(),
+ }
+ namespace, err := s.db.PolicyClient.CreateNamespace(s.ctx, &nsReq)
+ s.Require().NoError(err)
+ s.NotNil(namespace)
+ return namespace
+}
+
+func (s *KasRegistryKeySuite) createAttrDef(namespaceID string) *policy.Attribute {
+ attrDefReq := attributes.CreateAttributeRequest{
+ Name: "test_attr_def_" + uuid.NewString(),
+ NamespaceId: namespaceID,
+ Rule: policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF,
+ }
+ attrDef, err := s.db.PolicyClient.CreateAttribute(s.ctx, &attrDefReq)
+ s.Require().NoError(err)
+ s.NotNil(attrDef)
+ return attrDef
+}
+
+func (s *KasRegistryKeySuite) createValue(definitionID string) *policy.Value {
+ valueReq := attributes.CreateAttributeValueRequest{
+ AttributeId: definitionID,
+ Value: "test_value_" + uuid.NewString(),
+ }
+ value, err := s.db.PolicyClient.CreateAttributeValue(s.ctx, definitionID, &valueReq)
+ s.Require().NoError(err)
+ s.NotNil(value)
+ return value
+}
+
+func (s *KasRegistryKeySuite) createAttrDefMapping(keyID, attrID string) {
+ attrDefMapping := &attributes.AttributeKey{
+ KeyId: keyID,
+ AttributeId: attrID,
+ }
+ mapping, err := s.db.PolicyClient.AssignPublicKeyToAttribute(s.ctx, attrDefMapping)
+ s.Require().NoError(err)
+ s.NotNil(mapping)
+}
+
+func (s *KasRegistryKeySuite) createValueMapping(keyID, valueID string) {
+ valueMapping := &attributes.ValueKey{
+ KeyId: keyID,
+ ValueId: valueID,
+ }
+ mapping, err := s.db.PolicyClient.AssignPublicKeyToValue(s.ctx, valueMapping)
+ s.Require().NoError(err)
+ s.NotNil(mapping)
+}
+
+func (s *KasRegistryKeySuite) createNamespaceMapping(keyID, namespaceID string) {
+ namespaceMapping := &namespaces.NamespaceKey{
+ KeyId: keyID,
+ NamespaceId: namespaceID,
+ }
+ mapping, err := s.db.PolicyClient.AssignPublicKeyToNamespace(s.ctx, namespaceMapping)
+ s.Require().NoError(err)
+ s.NotNil(mapping)
+}
+
+func (s *KasRegistryKeySuite) createKeyAndKas() *policy.KasKey {
+ kasReq := kasregistry.CreateKeyAccessServerRequest{
+ Name: "test_list_mapping_kas_" + uuid.NewString(),
+ Uri: "https://test-list-mappings-" + uuid.NewString() + ".opentdf.io",
+ }
+ kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasReq)
+ s.Require().NoError(err)
+ s.NotNil(kas)
+
+ // Create key
+ keyReq := kasregistry.CreateKeyRequest{
+ KasId: kas.GetId(),
+ KeyId: uuid.NewString(),
+ KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048,
+ KeyMode: policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY,
+ PublicKeyCtx: &policy.PublicKeyCtx{
+ Pem: keyCtx,
+ },
+ PrivateKeyCtx: &policy.PrivateKeyCtx{
+ KeyId: validKeyID1,
+ WrappedKey: keyCtx,
+ },
+ }
+ keyResp, err := s.db.PolicyClient.CreateKey(s.ctx, &keyReq)
+ s.Require().NoError(err)
+ s.NotNil(keyResp)
+
+ return keyResp.GetKasKey()
+}
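Review bot: `deleteAttributes` is called from the deferred cleanup of the new tests, but it uses `s.Require().NoError(err)`, which aborts at the first failed delete and skips the remaining values, definitions and namespaces. Leftover rows would then skew the exact totals the unfiltered `ListKeyMappings` tests assert. In the three loops I would use `s.NoError(err)` so that a failure is still reported and the cleanup continues. The `create*` helpers can keep `Require`, since a failed fixture should stop the test.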
diff --git a/service/pkg/db/marshalHelpers.go b/service/pkg/db/marshalHelpers.go
index 7c878c9c67..f05c6caa08 100644
--- a/service/pkg/db/marshalHelpers.go
+++ b/service/pkg/db/marshalHelpers.go
@@ -105,6 +105,28 @@ func GrantedPolicyObjectProtoJSON(grantsJSON []byte) ([]*kasregistry.GrantedPoli
return policyObjectGrants, nil
}
+func MappedPolicyObjectProtoJSON(mappingsJSON []byte) ([]*kasregistry.MappedPolicyObject, error) {
+ var (
+ policyObjectMappings []*kasregistry.MappedPolicyObject
+ raw []json.RawMessage
+ )
+ if mappingsJSON == nil {
+ return nil, nil
+ }
+
+ if err := json.Unmarshal(mappingsJSON, &raw); err != nil {
+ return nil, err
+ }
+ for _, r := range raw {
+ mapping := kasregistry.MappedPolicyObject{}
+ if err := protojson.Unmarshal(r, &mapping); err != nil {
+ return nil, err
+ }
+ policyObjectMappings = append(policyObjectMappings, &mapping)
+ }
+ return policyObjectMappings, nil
+}
+
func KasKeysProtoJSON(keysJSON []byte) ([]*policy.KasKey, error) {
var (
keys []*policy.KasKey
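Review bot: `MappedPolicyObjectProtoJSON` is exported but has no doc comment, and its nil-input behaviour is not obvious from the signature. I would add `// MappedPolicyObjectProtoJSON decodes a JSON array of mapped policy objects; a nil input returns (nil, nil).` above it. Only a nil slice takes the early return: an empty non-nil `[]byte{}` reaches `json.Unmarshal` and fails. If callers can pass an empty slice, `len(mappingsJSON) == 0` may be the intended guard.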
diff --git a/service/policy/db/key_access_server_registry.go b/service/policy/db/key_access_server_registry.go
index de5c79159a..b485527d6b 100644
--- a/service/policy/db/key_access_server_registry.go
+++ b/service/policy/db/key_access_server_registry.go
@@ -9,6 +9,7 @@ import (
"log/slog"
"strings"
+ "github.com/jackc/pgx/v5/pgtype"
"github.com/opentdf/platform/protocol/go/common"
"github.com/opentdf/platform/protocol/go/policy"
"github.com/opentdf/platform/protocol/go/policy/attributes"
@@ -25,6 +26,12 @@ type rotatedMappingIDs struct {
AttributeValueIDs []string
}
+type kasParams struct {
+ KasID pgtype.UUID
+ KasURI pgtype.Text
+ KasName pgtype.Text
+}
+
func (c PolicyDBClient) ListKeyAccessServers(ctx context.Context, r *kasregistry.ListKeyAccessServersRequest) (*kasregistry.ListKeyAccessServersResponse, error) {
limit, offset := c.getRequestedLimitOffset(r.GetPagination())
@@ -783,6 +790,91 @@ func (c PolicyDBClient) SetBaseKeyOnWellKnownConfig(ctx context.Context) error {
return nil
}
+func (c PolicyDBClient) ListKeyMappings(ctx context.Context, r *kasregistry.ListKeyMappingsRequest) (*kasregistry.ListKeyMappingsResponse, error) {
+ limit, offset := c.getRequestedLimitOffset(r.GetPagination())
+ maxLimit := c.listCfg.limitMax
+ if maxLimit > 0 && limit > maxLimit {
+ return nil, db.ErrListLimitTooLarge
+ }
+
+ params := listKeyMappingsParams{
+ Offset: offset,
+ Limit: limit,
+ }
+
+ if r.GetIdentifier() != nil {
+ switch i := r.GetIdentifier().(type) {
+ case *kasregistry.ListKeyMappingsRequest_Id:
+ pgUUID := pgtypeUUID(i.Id)
+ if !pgUUID.Valid {
+ return nil, db.ErrUUIDInvalid
+ }
+ params.ID = pgUUID
+ case *kasregistry.ListKeyMappingsRequest_Key:
+ keyID := pgtypeText(i.Key.GetKid())
+ if !keyID.Valid {
+ return nil, db.ErrSelectIdentifierInvalid
+ }
+ kasParams, err := getParamsFromKeyIdentifier(i.Key)
+ if err != nil {
+ return nil, err
+ }
+ params.KasID = kasParams.KasID
+ params.KasUri = kasParams.KasURI
+ params.KasName = kasParams.KasName
+ params.Kid = keyID
+ default:
+ return nil, errors.Join(db.ErrUnknownSelectIdentifier, fmt.Errorf("type [%T] value [%v]", i, i))
+ }
+ }
+
+ mappingRows, err := c.Queries.listKeyMappings(ctx, params)
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+
+ // Need to build a json object
+ mappings := make([]*kasregistry.KeyMapping, len(mappingRows))
+ for i, mapping := range mappingRows {
+ namespaceMappings, err := db.MappedPolicyObjectProtoJSON(mapping.NamespaceMappings)
+ if err != nil {
+ return nil, fmt.Errorf("failed to unmarshal namespace mappings: %w", err)
+ }
+ definitionMappings, err := db.MappedPolicyObjectProtoJSON(mapping.AttributeMappings)
+ if err != nil {
+ return nil, fmt.Errorf("failed to unmarshal attribute definition mappings: %w", err)
+ }
+ valueMappings, err := db.MappedPolicyObjectProtoJSON(mapping.ValueMappings)
+ if err != nil {
+ return nil, fmt.Errorf("failed to unmarshal attribute value mappings: %w", err)
+ }
+
+ mappings[i] = &kasregistry.KeyMapping{
+ Kid: mapping.Kid,
+ KasUri: mapping.KasUri,
+ NamespaceMappings: namespaceMappings,
+ AttributeMappings: definitionMappings,
+ ValueMappings: valueMappings,
+ }
+ }
+
+ var total int32
+ var nextOffset int32
+ if len(mappingRows) > 0 {
+ total = int32(mappingRows[0].Total)
+ nextOffset = getNextOffset(offset, limit, total)
+ }
+
+ return &kasregistry.ListKeyMappingsResponse{
+ KeyMappings: mappings,
+ Pagination: &policy.PageResponse{
+ CurrentOffset: offset,
+ Total: total,
+ NextOffset: nextOffset,
+ },
+ }, nil
+}
+
/*
**********************
TESTING ONLY
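Review bot: `total` is read from `mappingRows[0].Total`, so a request whose offset lies past the last row gets an empty page with `Total: 0` even though mapped keys exist. If that is accepted behaviour, say so at the `if len(mappingRows) > 0` check, e.g. `// total is carried on each row; an empty page therefore reports 0`. Otherwise the count has to come from a query that still returns a row when the page is empty. The `int32(mappingRows[0].Total)` conversion also narrows what is presumably a 64-bit `COUNT(*)` without a bounds check.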
@@ -933,3 +1025,35 @@ func isValidBase64(s string) bool {
_, err := base64.StdEncoding.DecodeString(s)
return err == nil
}
+
+func getParamsFromKeyIdentifier(i *kasregistry.KasKeyIdentifier) (*kasParams, error) {
+ if i == nil {
+ return nil, db.ErrSelectIdentifierInvalid
+ }
+
+ kasParams := &kasParams{}
+ switch i.GetIdentifier().(type) {
+ case *kasregistry.KasKeyIdentifier_KasId:
+ kasID := pgtypeUUID(i.GetKasId())
+ if !kasID.Valid {
+ return nil, db.ErrSelectIdentifierInvalid
+ }
+ kasParams.KasID = kasID
+ case *kasregistry.KasKeyIdentifier_Uri:
+ kasURI := pgtypeText(i.GetUri())
+ if !kasURI.Valid {
+ return nil, db.ErrSelectIdentifierInvalid
+ }
+ kasParams.KasURI = kasURI
+ case *kasregistry.KasKeyIdentifier_Name:
+ kasName := pgtypeText(i.GetName())
+ if !kasName.Valid {
+ return nil, db.ErrSelectIdentifierInvalid
+ }
+ kasParams.KasName = kasName
+ default:
+ return nil, errors.Join(db.ErrUnknownSelectIdentifier, fmt.Errorf("type [%T] value [%v]", i, i))
+ }
+
+ return kasParams, nil
+}
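Review bot: The `default` branch of `getParamsFromKeyIdentifier` formats `i`, which is the whole `*kasregistry.KasKeyIdentifier`, because the type switch does not bind the oneof value. `%T` therefore always prints the message type rather than the unexpected identifier type, and `%v` puts the full identifier, including the kid, into the error text. Bind the value with `switch id := i.GetIdentifier().(type) {` and format `id` instead. The local `kasParams := &kasParams{}` also shadows the `kasParams` type for the rest of the function (as it does in `ListKeyMappings`); a name such as `params` avoids that.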
diff --git a/service/policy/db/query.sql b/service/policy/db/query.sql
index 7d2eaa313c..e02dde3cb4 100644
--- a/service/policy/db/query.sql
+++ b/service/policy/db/query.sql
@@ -1696,6 +1696,113 @@ WHERE id = $1;
DELETE FROM provider_config
WHERE id = $1;
+-- name: listKeyMappings :many
+WITH filtered_keys AS (
+ -- Get all keys matching the filter criteria
+ SELECT
+ kask.created_at,
+ kask.id AS id,
+ kask.key_id AS kid,
+ kas.id AS kas_id,
+ kas.uri AS kas_uri
+ FROM key_access_server_keys kask
+ INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id
+ WHERE (
+ -- Case 1: Filter by system key ID if provided
+ (sqlc.narg('id')::uuid IS NOT NULL AND kask.id = sqlc.narg('id')::uuid)
+ -- Case 2: Filter by KID + at least one KAS identifier
+ OR (
+ sqlc.narg('kid')::text IS NOT NULL
+ AND kask.key_id = sqlc.narg('kid')::text
+ AND (
+ (sqlc.narg('kas_id')::uuid IS NOT NULL AND kas.id = sqlc.narg('kas_id')::uuid)
+ OR (sqlc.narg('kas_name')::text IS NOT NULL AND kas.name = sqlc.narg('kas_name')::text)
+ OR (sqlc.narg('kas_uri')::text IS NOT NULL AND kas.uri = sqlc.narg('kas_uri')::text)
+ )
+ )
+ -- Case 3: Return all keys if no filters are provided
+ OR (
+ sqlc.narg('id')::uuid IS NULL
+ AND sqlc.narg('kid')::text IS NULL
+ )
+ )
+),
+keys_with_mappings AS (
+ SELECT id
+ FROM filtered_keys fk
+ WHERE EXISTS (
+ SELECT 1 FROM attribute_namespace_public_key_map anpm WHERE anpm.key_access_server_key_id = fk.id
+ ) OR EXISTS (
+ SELECT 1 FROM attribute_definition_public_key_map adpm WHERE adpm.key_access_server_key_id = fk.id
+ ) OR EXISTS (
+ SELECT 1 FROM attribute_value_public_key_map avpm WHERE avpm.key_access_server_key_id = fk.id
+ )
+),
+keys_with_mappings_count AS (
+ SELECT COUNT(*) AS total FROM keys_with_mappings
+),
+namespace_mappings AS (
+ -- Get namespace mappings for each key
+ SELECT
+ fk.id as key_id,
+ JSON_AGG(
+ JSON_BUILD_OBJECT(
+ 'id', anpm.namespace_id,
+ 'fqn', fqns.fqn
+ )
+ ) FILTER (WHERE anpm.namespace_id IS NOT NULL) AS namespace_mappings
+ FROM filtered_keys fk
+ INNER JOIN attribute_namespace_public_key_map anpm ON fk.id = anpm.key_access_server_key_id
+ INNER JOIN attribute_fqns fqns ON anpm.namespace_id = fqns.namespace_id AND fqns.attribute_id IS NULL AND fqns.value_id IS NULL
+ GROUP BY fk.id
+),
+definition_mappings AS (
+ -- Get attribute definition mappings for each key
+ SELECT
+ fk.id as key_id,
+ JSON_AGG(
+ JSON_BUILD_OBJECT(
+ 'id', adpm.definition_id,
+ 'fqn', fqns.fqn
+ )
+ ) FILTER (WHERE adpm.definition_id IS NOT NULL) AS definition_mappings
+ FROM filtered_keys fk
+ INNER JOIN attribute_definition_public_key_map adpm ON fk.id = adpm.key_access_server_key_id
+ INNER JOIN attribute_fqns fqns ON adpm.definition_id = fqns.attribute_id AND fqns.value_id IS NULL
+ GROUP BY fk.id
+),
+value_mappings AS (
+ -- Get attribute value mappings for each key
+ SELECT
+ fk.id as key_id,
+ JSON_AGG(
+ JSON_BUILD_OBJECT(
+ 'id', avpm.value_id,
+ 'fqn', fqns.fqn
+ )
+ ) FILTER (WHERE avpm.value_id IS NOT NULL) AS value_mappings
+ FROM filtered_keys fk
+ INNER JOIN attribute_value_public_key_map avpm ON fk.id = avpm.key_access_server_key_id
+ INNER JOIN attribute_fqns fqns ON avpm.value_id = fqns.value_id
+ GROUP BY fk.id
+)
+SELECT
+ fk.kid,
+ fk.kas_uri,
+ COALESCE(nm.namespace_mappings, '[]'::json) AS namespace_mappings,
+ COALESCE(dm.definition_mappings, '[]'::json) AS attribute_mappings,
+ COALESCE(vm.value_mappings, '[]'::json) AS value_mappings,
+ kwmc.total
+FROM filtered_keys fk
+INNER JOIN keys_with_mappings kwm ON fk.id = kwm.id
+CROSS JOIN keys_with_mappings_count kwmc
+LEFT JOIN namespace_mappings nm ON fk.id = nm.key_id
+LEFT JOIN definition_mappings dm ON fk.id = dm.key_id
+LEFT JOIN value_mappings vm ON fk.id = vm.key_id
+ORDER BY fk.created_at
+LIMIT @limit_
+OFFSET @offset_;
+
----------------------------------------------------------------
-- Default KAS Keys
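Review bot: The final `ORDER BY fk.created_at` has no tiebreaker, so two keys with the same timestamp can swap places between requests and a `LIMIT`/`OFFSET` walk may skip or repeat a key. Add the primary key as a second sort column, `ORDER BY fk.created_at, fk.id`, and regenerate `query.sql.go`, which carries the same text. The three `*_mappings` CTEs also aggregate over every row of `filtered_keys` before the limit is applied, so an unfiltered request aggregates all mappings for each page.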
diff --git a/service/policy/db/query.sql.go b/service/policy/db/query.sql.go
index e0d46e3fd5..aabb423ed2 100644
--- a/service/policy/db/query.sql.go
+++ b/service/policy/db/query.sql.go
@@ -4383,6 +4383,275 @@ func (q *Queries) listAttributesByDefOrValueFqns(ctx context.Context, fqns []str
return items, nil
}
+const listKeyMappings = `-- name: listKeyMappings :many
+WITH filtered_keys AS (
+ -- Get all keys matching the filter criteria
+ SELECT
+ kask.created_at,
+ kask.id AS id,
+ kask.key_id AS kid,
+ kas.id AS kas_id,
+ kas.uri AS kas_uri
+ FROM key_access_server_keys kask
+ INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id
+ WHERE (
+ -- Case 1: Filter by system key ID if provided
+ ($3::uuid IS NOT NULL AND kask.id = $3::uuid)
+ -- Case 2: Filter by KID + at least one KAS identifier
+ OR (
+ $4::text IS NOT NULL
+ AND kask.key_id = $4::text
+ AND (
+ ($5::uuid IS NOT NULL AND kas.id = $5::uuid)
+ OR ($6::text IS NOT NULL AND kas.name = $6::text)
+ OR ($7::text IS NOT NULL AND kas.uri = $7::text)
+ )
+ )
+ -- Case 3: Return all keys if no filters are provided
+ OR (
+ $3::uuid IS NULL
+ AND $4::text IS NULL
+ )
+ )
+),
+keys_with_mappings AS (
+ SELECT id
+ FROM filtered_keys fk
+ WHERE EXISTS (
+ SELECT 1 FROM attribute_namespace_public_key_map anpm WHERE anpm.key_access_server_key_id = fk.id
+ ) OR EXISTS (
+ SELECT 1 FROM attribute_definition_public_key_map adpm WHERE adpm.key_access_server_key_id = fk.id
+ ) OR EXISTS (
+ SELECT 1 FROM attribute_value_public_key_map avpm WHERE avpm.key_access_server_key_id = fk.id
+ )
+),
+keys_with_mappings_count AS (
+ SELECT COUNT(*) AS total FROM keys_with_mappings
+),
+namespace_mappings AS (
+ -- Get namespace mappings for each key
+ SELECT
+ fk.id as key_id,
+ JSON_AGG(
+ JSON_BUILD_OBJECT(
+ 'id', anpm.namespace_id,
+ 'fqn', fqns.fqn
+ )
+ ) FILTER (WHERE anpm.namespace_id IS NOT NULL) AS namespace_mappings
+ FROM filtered_keys fk
+ INNER JOIN attribute_namespace_public_key_map anpm ON fk.id = anpm.key_access_server_key_id
+ INNER JOIN attribute_fqns fqns ON anpm.namespace_id = fqns.namespace_id AND fqns.attribute_id IS NULL AND fqns.value_id IS NULL
+ GROUP BY fk.id
+),
+definition_mappings AS (
+ -- Get attribute definition mappings for each key
+ SELECT
+ fk.id as key_id,
+ JSON_AGG(
+ JSON_BUILD_OBJECT(
+ 'id', adpm.definition_id,
+ 'fqn', fqns.fqn
+ )
+ ) FILTER (WHERE adpm.definition_id IS NOT NULL) AS definition_mappings
+ FROM filtered_keys fk
+ INNER JOIN attribute_definition_public_key_map adpm ON fk.id = adpm.key_access_server_key_id
+ INNER JOIN attribute_fqns fqns ON adpm.definition_id = fqns.attribute_id AND fqns.value_id IS NULL
+ GROUP BY fk.id
+),
+value_mappings AS (
+ -- Get attribute value mappings for each key
+ SELECT
+ fk.id as key_id,
+ JSON_AGG(
+ JSON_BUILD_OBJECT(
+ 'id', avpm.value_id,
+ 'fqn', fqns.fqn
+ )
+ ) FILTER (WHERE avpm.value_id IS NOT NULL) AS value_mappings
+ FROM filtered_keys fk
+ INNER JOIN attribute_value_public_key_map avpm ON fk.id = avpm.key_access_server_key_id
+ INNER JOIN attribute_fqns fqns ON avpm.value_id = fqns.value_id
+ GROUP BY fk.id
+)
+SELECT
+ fk.kid,
+ fk.kas_uri,
+ COALESCE(nm.namespace_mappings, '[]'::json) AS namespace_mappings,
+ COALESCE(dm.definition_mappings, '[]'::json) AS attribute_mappings,
+ COALESCE(vm.value_mappings, '[]'::json) AS value_mappings,
+ kwmc.total
+FROM filtered_keys fk
+INNER JOIN keys_with_mappings kwm ON fk.id = kwm.id
+CROSS JOIN keys_with_mappings_count kwmc
+LEFT JOIN namespace_mappings nm ON fk.id = nm.key_id
+LEFT JOIN definition_mappings dm ON fk.id = dm.key_id
+LEFT JOIN value_mappings vm ON fk.id = vm.key_id
+ORDER BY fk.created_at
+LIMIT $2
+OFFSET $1
+`
+
+type listKeyMappingsParams struct {
+ Offset int32 `json:"offset_"`
+ Limit int32 `json:"limit_"`
+ ID pgtype.UUID `json:"id"`
+ Kid pgtype.Text `json:"kid"`
+ KasID pgtype.UUID `json:"kas_id"`
+ KasName pgtype.Text `json:"kas_name"`
+ KasUri pgtype.Text `json:"kas_uri"`
+}
+
+type listKeyMappingsRow struct {
+ Kid string `json:"kid"`
+ KasUri string `json:"kas_uri"`
+ NamespaceMappings []byte `json:"namespace_mappings"`
+ AttributeMappings []byte `json:"attribute_mappings"`
+ ValueMappings []byte `json:"value_mappings"`
+ Total int64 `json:"total"`
+}
+
+// listKeyMappings
+//
+// WITH filtered_keys AS (
+// -- Get all keys matching the filter criteria
+// SELECT
+// kask.created_at,
+// kask.id AS id,
+// kask.key_id AS kid,
+// kas.id AS kas_id,
+// kas.uri AS kas_uri
+// FROM key_access_server_keys kask
+// INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id
+// WHERE (
+// -- Case 1: Filter by system key ID if provided
+// ($3::uuid IS NOT NULL AND kask.id = $3::uuid)
+// -- Case 2: Filter by KID + at least one KAS identifier
+// OR (
+// $4::text IS NOT NULL
+// AND kask.key_id = $4::text
+// AND (
+// ($5::uuid IS NOT NULL AND kas.id = $5::uuid)
+// OR ($6::text IS NOT NULL AND kas.name = $6::text)
+// OR ($7::text IS NOT NULL AND kas.uri = $7::text)
+// )
+// )
+// -- Case 3: Return all keys if no filters are provided
+// OR (
+// $3::uuid IS NULL
+// AND $4::text IS NULL
+// )
+// )
+// ),
+// keys_with_mappings AS (
+// SELECT id
+// FROM filtered_keys fk
+// WHERE EXISTS (
+// SELECT 1 FROM attribute_namespace_public_key_map anpm WHERE anpm.key_access_server_key_id = fk.id
+// ) OR EXISTS (
+// SELECT 1 FROM attribute_definition_public_key_map adpm WHERE adpm.key_access_server_key_id = fk.id
+// ) OR EXISTS (
+// SELECT 1 FROM attribute_value_public_key_map avpm WHERE avpm.key_access_server_key_id = fk.id
+// )
+// ),
+// keys_with_mappings_count AS (
+// SELECT COUNT(*) AS total FROM keys_with_mappings
+// ),
+// namespace_mappings AS (
+// -- Get namespace mappings for each key
+// SELECT
+// fk.id as key_id,
+// JSON_AGG(
+// JSON_BUILD_OBJECT(
+// 'id', anpm.namespace_id,
+// 'fqn', fqns.fqn
+// )
+// ) FILTER (WHERE anpm.namespace_id IS NOT NULL) AS namespace_mappings
+// FROM filtered_keys fk
+// INNER JOIN attribute_namespace_public_key_map anpm ON fk.id = anpm.key_access_server_key_id
+// INNER JOIN attribute_fqns fqns ON anpm.namespace_id = fqns.namespace_id AND fqns.attribute_id IS NULL AND fqns.value_id IS NULL
+// GROUP BY fk.id
+// ),
+// definition_mappings AS (
+// -- Get attribute definition mappings for each key
+// SELECT
+// fk.id as key_id,
+// JSON_AGG(
+// JSON_BUILD_OBJECT(
+// 'id', adpm.definition_id,
+// 'fqn', fqns.fqn
+// )
+// ) FILTER (WHERE adpm.definition_id IS NOT NULL) AS definition_mappings
+// FROM filtered_keys fk
+// INNER JOIN attribute_definition_public_key_map adpm ON fk.id = adpm.key_access_server_key_id
+// INNER JOIN attribute_fqns fqns ON adpm.definition_id = fqns.attribute_id AND fqns.value_id IS NULL
+// GROUP BY fk.id
+// ),
+// value_mappings AS (
+// -- Get attribute value mappings for each key
+// SELECT
+// fk.id as key_id,
+// JSON_AGG(
+// JSON_BUILD_OBJECT(
+// 'id', avpm.value_id,
+// 'fqn', fqns.fqn
+// )
+// ) FILTER (WHERE avpm.value_id IS NOT NULL) AS value_mappings
+// FROM filtered_keys fk
+// INNER JOIN attribute_value_public_key_map avpm ON fk.id = avpm.key_access_server_key_id
+// INNER JOIN attribute_fqns fqns ON avpm.value_id = fqns.value_id
+// GROUP BY fk.id
+// )
+// SELECT
+// fk.kid,
+// fk.kas_uri,
+// COALESCE(nm.namespace_mappings, '[]'::json) AS namespace_mappings,
+// COALESCE(dm.definition_mappings, '[]'::json) AS attribute_mappings,
+// COALESCE(vm.value_mappings, '[]'::json) AS value_mappings,
+// kwmc.total
+// FROM filtered_keys fk
+// INNER JOIN keys_with_mappings kwm ON fk.id = kwm.id
+// CROSS JOIN keys_with_mappings_count kwmc
+// LEFT JOIN namespace_mappings nm ON fk.id = nm.key_id
+// LEFT JOIN definition_mappings dm ON fk.id = dm.key_id
+// LEFT JOIN value_mappings vm ON fk.id = vm.key_id
+// ORDER BY fk.created_at
+// LIMIT $2
+// OFFSET $1
+func (q *Queries) listKeyMappings(ctx context.Context, arg listKeyMappingsParams) ([]listKeyMappingsRow, error) {
+ rows, err := q.db.Query(ctx, listKeyMappings,
+ arg.Offset,
+ arg.Limit,
+ arg.ID,
+ arg.Kid,
+ arg.KasID,
+ arg.KasName,
+ arg.KasUri,
+ )
+ if err != nil {
+ return nil, err
+ }
+ defer rows.Close()
+ var items []listKeyMappingsRow
+ for rows.Next() {
+ var i listKeyMappingsRow
+ if err := rows.Scan(
+ &i.Kid,
+ &i.KasUri,
+ &i.NamespaceMappings,
+ &i.AttributeMappings,
+ &i.ValueMappings,
+ &i.Total,
+ ); err != nil {
+ return nil, err
+ }
+ items = append(items, i)
+ }
+ if err := rows.Err(); err != nil {
+ return nil, err
+ }
+ return items, nil
+}
+
const listKeys = `-- name: listKeys :many
WITH listed AS (
SELECT
diff --git a/service/policy/kasregistry/key_access_server_registry.go b/service/policy/kasregistry/key_access_server_registry.go
index 144276cced..53d12a84c6 100644
--- a/service/policy/kasregistry/key_access_server_registry.go
+++ b/service/policy/kasregistry/key_access_server_registry.go
@@ -502,3 +502,17 @@ func (s KeyAccessServerRegistry) GetBaseKey(ctx context.Context, _ *connect.Requ
resp.BaseKey = key
return connect.NewResponse(resp), nil
}
+
+func (s KeyAccessServerRegistry) ListKeyMappings(ctx context.Context, r *connect.Request[kasr.ListKeyMappingsRequest]) (*connect.Response[kasr.ListKeyMappingsResponse], error) {
+ if r.Msg.GetIdentifier() != nil {
+ s.logger.DebugContext(ctx, "listing key mappings with identifier", slog.Any("identifier", r.Msg.GetIdentifier()))
+ } else {
+ s.logger.DebugContext(ctx, "listing key mappings without identifier")
+ }
+
+ resp, err := s.dbClient.ListKeyMappings(ctx, r.Msg)
+ if err != nil {
+ return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextGetRetrievalFailed)
+ }
+ return connect.NewResponse(resp), nil
+}
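Review bot: The error path in `ListKeyMappings` reports failures with `db.ErrTextGetRetrievalFailed`, which describes a single-object lookup although this RPC returns a list. If the db package defines a list-specific text (the rest of the package is not visible in this hunk, so the name needs confirming), use it: `return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextListRetrievalFailed)`. The exported method also has no doc comment; something like `// ListKeyMappings returns the namespaces, attribute definitions and attribute values mapped to KAS keys, optionally filtered by key identifier.` would match what the handler does. Because the response shows which keys protect which policy objects, check that the service's authorization policy covers the new procedure; nothing in this hunk shows how access to it is restricted.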
diff --git a/service/policy/kasregistry/key_access_server_registry.proto b/service/policy/kasregistry/key_access_server_registry.proto
index 084f453919..bdf7b56df8 100644
--- a/service/policy/kasregistry/key_access_server_registry.proto
+++ b/service/policy/kasregistry/key_access_server_registry.proto
@@ -617,6 +617,35 @@ message SetBaseKeyResponse {
SimpleKasKey previous_base_key = 2; // The previous base key, if any
}
+message MappedPolicyObject {
+ string id = 1; // The unique identifier of the policy object
+ string fqn = 2; // The fully qualified name of the policy object
+}
+
+message KeyMapping {
+ string kid = 1;
+ string kas_uri = 2;
+ repeated MappedPolicyObject namespace_mappings = 3; // List of namespaces mapped to the key
+ repeated MappedPolicyObject attribute_mappings = 4; // List of attribute definitions mapped to the key
+ repeated MappedPolicyObject value_mappings = 5; // List of attribute values mapped to the key
+}
+
+message ListKeyMappingsRequest {
+ oneof identifier {
+ option (buf.validate.oneof).required = false;
+ string id = 2 [(buf.validate.field).string.uuid = true]; // The unique identifier of the key to retrieve
+ KasKeyIdentifier key = 3;
+ }
+
+ policy.PageRequest pagination = 10; // Pagination request for the list of keys
+}
+
+message ListKeyMappingsResponse {
+ repeated KeyMapping key_mappings = 1; // The list of key mappings
+
+ policy.PageResponse pagination = 10; // Pagination response for the list of keys
+}
+
service KeyAccessServerRegistryService {
rpc ListKeyAccessServers(ListKeyAccessServersRequest) returns (ListKeyAccessServersResponse) {
option (google.api.http) = {get: "/key-access-servers"};
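Review bot: `KeyMapping.kid` and `KeyMapping.kas_uri` are the only new fields without a comment, so the generated gRPC docs render an empty description for both. Going by the query that fills them, `string kid = 1; // The key ID (kid) of the KAS key` and `string kas_uri = 2; // The URI of the key access server that owns the key` would close the gap. In `ListKeyMappingsRequest` and `ListKeyMappingsResponse`, the comments on `id` ("the key to retrieve") and `pagination` ("the list of keys") read as if copied from the key-listing messages. They should say that `id` filters mappings to one key and that pagination applies to key mappings. It is also worth stating on the `identifier` oneof that leaving it unset returns mappings for all keys, since `required = false` makes that the default behaviour.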
@@ -660,4 +689,7 @@ service KeyAccessServerRegistryService {
// Get Default kas keys
rpc GetBaseKey(GetBaseKeyRequest) returns (GetBaseKeyResponse) {}
+
+ // Request to list key mappings in the Key Access Service.
+ rpc ListKeyMappings(ListKeyMappingsRequest) returns (ListKeyMappingsResponse) {}
}
diff --git a/service/policy/kasregistry/key_access_server_registry_keys_test.go b/service/policy/kasregistry/key_access_server_registry_keys_test.go
index edb7053153..c2eb7ce066 100644
--- a/service/policy/kasregistry/key_access_server_registry_keys_test.go
+++ b/service/policy/kasregistry/key_access_server_registry_keys_test.go
@@ -1274,7 +1274,9 @@ func Test_RotateKeyAccessServer_Keys(t *testing.T) {
{
name: "Invalid New Key - KEY_MODE_PUBLIC_KEY_ONLY - WrappedKey present",
req: &kasregistry.RotateKeyRequest{
- ActiveKey: &kasregistry.RotateKeyRequest_Id{Id: validUUID},
+ ActiveKey: &kasregistry.RotateKeyRequest_Id{
+ Id: validUUID,
+ },
NewKey: &kasregistry.RotateKeyRequest_NewKey{
KeyId: validKeyID,
Algorithm: policy.Algorithm_ALGORITHM_EC_P256,
@@ -1294,7 +1296,9 @@ func Test_RotateKeyAccessServer_Keys(t *testing.T) {
{
name: "Invalid New Key - KEY_MODE_PUBLIC_KEY_ONLY - ProviderConfigId present",
req: &kasregistry.RotateKeyRequest{
- ActiveKey: &kasregistry.RotateKeyRequest_Id{Id: validUUID},
+ ActiveKey: &kasregistry.RotateKeyRequest_Id{
+ Id: validUUID,
+ },
NewKey: &kasregistry.RotateKeyRequest_NewKey{
KeyId: validKeyID,
Algorithm: policy.Algorithm_ALGORITHM_EC_P256,
@@ -1425,3 +1429,153 @@ func Test_SetDefault_Keys(t *testing.T) {
})
}
}
+
+func Test_ListKeyMappings(t *testing.T) {
+ testCases := []struct {
+ name string
+ req *kasregistry.ListKeyMappingsRequest
+ expectError bool
+ errorMessage string
+ }{
+ {
+ name: "No identifier",
+ req: &kasregistry.ListKeyMappingsRequest{},
+ expectError: false,
+ },
+ {
+ name: "Valid ID",
+ req: &kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Id{
+ Id: validUUID,
+ },
+ },
+ expectError: false,
+ },
+ {
+ name: "Invalid ID",
+ req: &kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Id{
+ Id: invalidUUID,
+ },
+ },
+ expectError: true,
+ errorMessage: "id",
+ },
+ {
+ name: "Valid Key Identifier with kas_id",
+ req: &kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Key{
+ Key: &kasregistry.KasKeyIdentifier{
+ Identifier: &kasregistry.KasKeyIdentifier_KasId{
+ KasId: validUUID,
+ },
+ Kid: validKeyID,
+ },
+ },
+ },
+ expectError: false,
+ },
+ {
+ name: "Invalid Key Identifier with invalid kas_id",
+ req: &kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Key{
+ Key: &kasregistry.KasKeyIdentifier{
+ Identifier: &kasregistry.KasKeyIdentifier_KasId{
+ KasId: invalidUUID,
+ },
+ Kid: validKeyID,
+ },
+ },
+ },
+ expectError: true,
+ errorMessage: "kas_id",
+ },
+ {
+ name: "Invalid Key Identifier with empty kid",
+ req: &kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Key{
+ Key: &kasregistry.KasKeyIdentifier{
+ Identifier: &kasregistry.KasKeyIdentifier_KasId{
+ KasId: validUUID,
+ },
+ Kid: "",
+ },
+ },
+ },
+ expectError: true,
+ errorMessage: "kid",
+ },
+ {
+ name: "Valid Key Identifier with name",
+ req: &kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Key{
+ Key: &kasregistry.KasKeyIdentifier{
+ Identifier: &kasregistry.KasKeyIdentifier_Name{
+ Name: "valid-name",
+ },
+ Kid: validKeyID,
+ },
+ },
+ },
+ expectError: false,
+ },
+ {
+ name: "Invalid Key Identifier with empty name",
+ req: &kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Key{
+ Key: &kasregistry.KasKeyIdentifier{
+ Identifier: &kasregistry.KasKeyIdentifier_Name{
+ Name: "",
+ },
+ Kid: validKeyID,
+ },
+ },
+ },
+ expectError: true,
+ errorMessage: "name",
+ },
+ {
+ name: "Valid Key Identifier with uri",
+ req: &kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Key{
+ Key: &kasregistry.KasKeyIdentifier{
+ Identifier: &kasregistry.KasKeyIdentifier_Uri{
+ Uri: "https://example.com",
+ },
+ Kid: validKeyID,
+ },
+ },
+ },
+ expectError: false,
+ },
+ {
+ name: "Invalid Key Identifier with invalid uri",
+ req: &kasregistry.ListKeyMappingsRequest{
+ Identifier: &kasregistry.ListKeyMappingsRequest_Key{
+ Key: &kasregistry.KasKeyIdentifier{
+ Identifier: &kasregistry.KasKeyIdentifier_Uri{
+ Uri: "invalid-uri",
+ },
+ Kid: validKeyID,
+ },
+ },
+ },
+ expectError: true,
+ errorMessage: "uri",
+ },
+ }
+
+ v := getValidator()
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ err := v.Validate(tc.req)
+ if tc.expectError {
+ require.Error(t, err)
+ require.Contains(t, err.Error(), tc.errorMessage)
+ } else {
+ require.NoError(t, err)
+ }
+ })
+ }
+}
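Review bot: The `errorMessage` substrings in this table are too loose to show which rule rejected the request: `"id"` in the "Invalid ID" case is also contained in "invalid", "kid" and "kas_id", so `require.Contains` would pass for nearly any validation error. A tighter expectation would name the violated constraint, for example `errorMessage: "string.uuid"` for the UUID cases, assuming the validator includes the rule id in its message (the proto declares that rule on `id`). The table also has no case for a `KasKeyIdentifier` with `Kid` set and no KAS identifier, which the SQL filter treats as matching nothing, and none with `Pagination` populated. Adding both would pin the intended behaviour at the validation layer.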