diff --git a/specs/authorization/authorization.openapi.yaml b/specs/authorization/authorization.openapi.yaml
index 1938f339..7c5f7208 100644
--- a/specs/authorization/authorization.openapi.yaml
+++ b/specs/authorization/authorization.openapi.yaml
@@ -93,9 +93,9 @@ paths:
 - name: decisionRequests.actions.namespace.metadata.createdAt.seconds in: query description: |- - Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. + Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must + be between -315576000000 and 315576000000 inclusive (which corresponds to + 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). schema: type: - integer
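Review bot: The bounds the new description states for the seconds parameter (-315576000000 to 315576000000) are prose only; the `schema:` that follows carries no `minimum`/`maximum`, so an out-of-range value passes schema validation and is caught, if at all, by the server. If the generator permits it, add `minimum: -315576000000` and `maximum: 315576000000` under the seconds schema, and `minimum: 0` / `maximum: 999999999` under the nanos schema in the next hunk of this file. The new nanos wording, "the nanosecond portion of the duration", looks inherited from the upstream protobuf Timestamp comment and reads oddly for a `createdAt` filter; if this spec is generated from proto, the fix belongs in the generator input. The seconds parameter's schema continues into the next hunk.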
@@ -103,24 +103,26 @@ paths:
 title: seconds format: int64 description: |- - Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. + Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must + be between -315576000000 and 315576000000 inclusive (which corresponds to + 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). - name: decisionRequests.actions.namespace.metadata.createdAt.nanos in: query description: |- - Non-negative fractions of a second at nanosecond resolution. Negative - second values with fractions must still have non-negative nanos values - that count forward in time. Must be from 0 to 999,999,999 + Non-negative fractions of a second at nanosecond resolution. This field is + the nanosecond portion of the duration, not an alternative to seconds. + Negative second values with fractions must still have non-negative nanos + values that count forward in time. Must be between 0 and 999,999,999 inclusive. schema: type: integer title: nanos format: int32 description: |- - Non-negative fractions of a second at nanosecond resolution. Negative - second values with fractions must still have non-negative nanos values - that count forward in time. Must be from 0 to 999,999,999 + Non-negative fractions of a second at nanosecond resolution. This field is + the nanosecond portion of the duration, not an alternative to seconds. + Negative second values with fractions must still have non-negative nanos + values that count forward in time. Must be between 0 and 999,999,999 inclusive. - name: decisionRequests.actions.namespace.metadata.labels.key in: query
@@ -387,7 +389,6 @@ components:
 Example Request Get Decisions to answer the question - Do Bob (represented by entity chain ec1) and Alice (represented by entity chain ec2) have TRANSMIT authorization for 2 resources; resource1 (attr-set-1) defined by attributes foo:bar resource2 (attr-set-2) defined by attribute foo:bar, color:red ? - { "actions": [ {
@@ -459,13 +460,11 @@ components:
 Example response for a Decision Request - Do Bob (represented by entity chain ec1) and Alice (represented by entity chain ec2) have TRANSMIT authorization for 2 resources; resource1 (attr-set-1) defined by attributes foo:bar resource2 (attr-set-2) defined by attribute foo:bar, color:red ? - Results: - bob has permitted authorization to transmit for a resource defined by attr-set-1 attributes and has a watermark obligation - bob has denied authorization to transmit a for a resource defined by attr-set-2 attributes - alice has permitted authorization to transmit for a resource defined by attr-set-1 attributes - alice has denied authorization to transmit a for a resource defined by attr-set-2 attributes - { "entityChainId": "ec1", "resourceAttributesId": "attr-set-1",
@@ -653,9 +652,7 @@ components:
 additionalProperties: false description: |- Request to get entitlements for one or more entities for an optional attribute scope - Example: Get entitlements for bob and alice (both represented using an email address - { "entities": [ {
@@ -686,7 +683,6 @@ components:
 additionalProperties: false description: |- Example Response for a request of : Get entitlements for bob and alice (both represented using an email address - { "entitlements": [ {
@@ -758,7 +754,6 @@ components:
 Example Request Get Decisions by Token to answer the question - Do Bob and client1 (represented by token tok1) and Alice and client2 (represented by token tok2) have TRANSMIT authorization for 2 resources; resource1 (attr-set-1) defined by attributes foo:bar resource2 (attr-set-2) defined by attribute foo:bar, color:red ? - { "actions": [ {
diff --git a/specs/policy/actions/actions.openapi.yaml b/specs/policy/actions/actions.openapi.yaml
index ec633192..10294d2f 100644
--- a/specs/policy/actions/actions.openapi.yaml
+++ b/specs/policy/actions/actions.openapi.yaml
@@ -720,6 +720,10 @@ components:
 items: $ref: '#/components/schemas/policy.RequestContext' title: context + namespace: + title: namespace + description: The source namespace for this trigger, derived from the attribute value and action. + $ref: '#/components/schemas/policy.Namespace' metadata: title: metadata $ref: '#/components/schemas/common.Metadata'
diff --git a/specs/policy/attributes/attributes.openapi.yaml b/specs/policy/attributes/attributes.openapi.yaml
index 52b94d8a..e3db78cf 100644
--- a/specs/policy/attributes/attributes.openapi.yaml
+++ b/specs/policy/attributes/attributes.openapi.yaml
@@ -759,11 +759,9 @@ components:
 - SORT_DIRECTION_DESC description: |- Sorting direction shared across list APIs. - Notes: - - When a sort field is provided, UNSPECIFIED is treated as ASC. - - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. policy.SourceType: type: string title: SourceType
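Review bot: The new `namespace` property in actions.openapi.yaml is described as "derived from the attribute value and action", which suggests the server populates it, but the schema does not say what happens to a client-supplied value, so a reader cannot tell whether it is an input or an output. If it is server-populated, add `readOnly: true` beside the `$ref`, or extend the description to `The source namespace for this trigger, derived server-side from the attribute value and action; a client-supplied value is ignored.` (adjust to what the server actually does). The identical property is added in the same form to the attributes, objects, obligations, registered_resources, resource_mapping, subject_mapping and unsafe specs in this commit, so the wording should be fixed once at the source these files are generated from, if they are generated. The enclosing schema starts and ends outside the hunk, so its name and whether it is used in request bodies are not visible here.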
@@ -791,6 +789,40 @@ components:
 - SORT_ATTRIBUTES_TYPE_NAME - SORT_ATTRIBUTES_TYPE_CREATED_AT - SORT_ATTRIBUTES_TYPE_UPDATED_AT + common.IdFqnIdentifier: + type: object + properties: + id: + type: string + title: id + format: uuid + fqn: + type: string + title: fqn + minLength: 1 + format: uri + title: IdFqnIdentifier + additionalProperties: false + common.IdNameIdentifier: + type: object + properties: + id: + type: string + title: id + format: uuid + name: + type: string + title: name + maxLength: 253 + minLength: 1 + description: |+ + Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored name will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + + title: IdNameIdentifier + additionalProperties: false common.Metadata: type: object properties:
@@ -1263,6 +1295,10 @@ components:
 items: $ref: '#/components/schemas/policy.RequestContext' title: context + namespace: + title: namespace + description: The source namespace for this trigger, derived from the attribute value and action. + $ref: '#/components/schemas/policy.Namespace' metadata: title: metadata $ref: '#/components/schemas/common.Metadata'
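Review bot: `common.IdFqnIdentifier` and `common.IdNameIdentifier` declare both of their members optional with no `required` and no `oneOf`, so an empty object is schema-valid even though a lookup presumably needs one of `id`/`fqn` (or `id`/`name`); if the server requires exactly one, express it as `oneOf: [{required: [id]}, {required: [fqn]}]` (and the `name` equivalent) or at least state it in a `description`, since the later `AttributeValueObligationTriggerRequest` hunk marks these as required properties that may still be empty. The `IdNameIdentifier` description also ends its first sentence with `lower case.:` and uses the `|+` chomping indicator, which keeps the trailing blank line in the rendered value where the other block scalars in this file use `|-`. If these schemas are emitted by a generator from proto annotations, both points belong in the generator input.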
@@ -1710,6 +1746,30 @@ components:
 title: AttributeKeyAccessServer additionalProperties: false description: Deprecated + policy.attributes.AttributeValueObligationTriggerRequest: + type: object + properties: + obligationValue: + title: obligation_value + description: Required. Existing obligation value to associate with the newly created attribute value. + $ref: '#/components/schemas/common.IdFqnIdentifier' + action: + title: action + description: Required. Action that, together with the newly created attribute value, triggers the obligation value. + $ref: '#/components/schemas/common.IdNameIdentifier' + context: + title: context + description: Optional. Request context for the obligation trigger. + $ref: '#/components/schemas/policy.RequestContext' + metadata: + title: metadata + description: Optional. Common metadata for the obligation trigger. + $ref: '#/components/schemas/common.MetadataMutable' + title: AttributeValueObligationTriggerRequest + required: + - obligationValue + - action + additionalProperties: false policy.attributes.AttributesSort: type: object properties:
@@ -1803,6 +1863,14 @@ components:
 this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') ``` + obligationTriggers: + type: array + items: + $ref: '#/components/schemas/policy.attributes.AttributeValueObligationTriggerRequest' + title: obligation_triggers + description: |- + Optional + Existing obligation values to trigger for the newly created attribute value. metadata: title: metadata description: |-
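Review bot: The new `obligationTriggers` array on the create request has no `maxItems`, while the list requests in these specs bound their arrays with `maxItems: 1`; each entry here creates a trigger, so if the server caps triggers per attribute value, state it as `maxItems: <LIMIT>` (placeholder for the enforced value), and if it does not, a bound is worth adding before one create call can fan out into an arbitrary number of trigger rows. Separately, `context` in `AttributeValueObligationTriggerRequest` is a single `policy.RequestContext` `$ref`, whereas the trigger schema touched elsewhere in this commit carries `context` as an array of `RequestContext` items; if that asymmetry is intentional, a sentence in the `context` description would save readers a comparison. The schema that holds `obligationTriggers` starts before this hunk.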
@@ -2067,7 +2135,12 @@ components:
 $ref: '#/components/schemas/policy.attributes.AttributesSort' title: sort maxItems: 1 - description: 'Optional - CONSTRAINT: max 1 item' + description: |- + Optional - CONSTRAINT: max 1 item + Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC title: ListAttributesRequest additionalProperties: false policy.attributes.ListAttributesResponse:
diff --git a/specs/policy/kasregistry/key_access_server_registry.openapi.yaml b/specs/policy/kasregistry/key_access_server_registry.openapi.yaml
index 770651fb..bdfffafb 100644
--- a/specs/policy/kasregistry/key_access_server_registry.openapi.yaml
+++ b/specs/policy/kasregistry/key_access_server_registry.openapi.yaml
@@ -582,11 +582,9 @@ components:
 - SORT_DIRECTION_DESC description: |- Sorting direction shared across list APIs. - Notes: - - When a sort field is provided, UNSPECIFIED is treated as ASC. - - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. policy.SourceType: type: string title: SourceType
@@ -1647,8 +1645,10 @@ components:
 maxItems: 1 description: |- Optional - CONSTRAINT: max 1 item - Default ordering when omitted or when the first entry's field is UNSPECIFIED: - created_at DESC, then id ASC (tie-breaker). + Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC title: ListKeyAccessServersRequest additionalProperties: false policy.kasregistry.ListKeyAccessServersResponse:
@@ -1764,8 +1764,10 @@ components:
 maxItems: 1 description: |- Optional - CONSTRAINT: max 1 item - Default ordering when omitted or when the first entry's field is UNSPECIFIED: - created_at DESC. + Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC title: ListKeysRequest additionalProperties: false description: List all asymmetric keys managed by a specific Key Access Server or with a given algorithm
diff --git a/specs/policy/namespaces/namespaces.openapi.yaml b/specs/policy/namespaces/namespaces.openapi.yaml
index e476236b..25f2b14f 100644
--- a/specs/policy/namespaces/namespaces.openapi.yaml
+++ b/specs/policy/namespaces/namespaces.openapi.yaml
@@ -373,11 +373,9 @@ components:
 - SORT_DIRECTION_DESC description: |- Sorting direction shared across list APIs. - Notes: - - When a sort field is provided, UNSPECIFIED is treated as ASC. - - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. policy.SourceType: type: string title: SourceType
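Review bot: The text replaced in `ListKeyAccessServersRequest` documented a deterministic tie-breaker (`created_at DESC, then id ASC`); the new "Sort defaults" block drops it, so a reader can no longer tell whether rows sharing a `created_at` value are ordered stably from one page to the next. If the server still applies the id tie-breaker, keep a line such as `- ties on the sort field are broken by id ASC` under the defaults; if it no longer does, paging across equal timestamps can repeat or skip rows, which is worth saying explicitly. The same tie-breaker sentence is removed from `ListObligationsRequest` and `ListSubjectConditionSetsRequest` later in this commit, and the new wording is also copied into the other List* requests, so one corrected source would fix all of them.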
@@ -930,7 +928,12 @@ components:
 $ref: '#/components/schemas/policy.namespaces.NamespacesSort' title: sort maxItems: 1 - description: Optional + description: |- + Optional - CONSTRAINT: max 1 item + Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC title: ListNamespacesRequest additionalProperties: false policy.namespaces.ListNamespacesResponse:
diff --git a/specs/policy/objects.openapi.yaml b/specs/policy/objects.openapi.yaml
index 917017b1..96a4b595 100644
--- a/specs/policy/objects.openapi.yaml
+++ b/specs/policy/objects.openapi.yaml
@@ -639,6 +639,10 @@ components:
 items: $ref: '#/components/schemas/policy.RequestContext' title: context + namespace: + title: namespace + description: The source namespace for this trigger, derived from the attribute value and action. + $ref: '#/components/schemas/policy.Namespace' metadata: title: metadata $ref: '#/components/schemas/common.Metadata'
@@ -770,6 +774,9 @@ components:
 items: $ref: '#/components/schemas/policy.RegisteredResourceValue.ActionAttributeValue' title: action_attribute_values + fqn: + type: string + title: fqn metadata: title: metadata description: Common metadata
@@ -976,7 +983,6 @@ components:
 authoritative source such as an IDP (Identity Provider) or User Store. Examples include such ADFS/LDAP, OKTA, etc. For now, a valid property must contain both a selector expression & a resulting value. - The external_selector_value is a specifier to select a value from a flattened external representation of an Entity (such as from idP/LDAP), and the external_value is the value selected by the external_selector_value on that
diff --git a/specs/policy/obligations/obligations.openapi.yaml b/specs/policy/obligations/obligations.openapi.yaml
index 882026d6..d2a89463 100644
--- a/specs/policy/obligations/obligations.openapi.yaml
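Review bot: The `fqn` property added to the objects.openapi.yaml schema that holds `action_attribute_values` carries only `type: string` and `title: fqn`, with no `description` and no `format`, while the `fqn` declared in `common.IdFqnIdentifier` in this same commit has `minLength: 1` and `format: uri`; a reader cannot tell whether this one is computed by the server or accepted from a client. Add at least a `description:` saying what the value is, and if it is server-populated, `readOnly: true` next to it. The same bare `fqn` is added to registered_resources.openapi.yaml in a later hunk; the enclosing schema starts before this hunk in both files.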
+++ b/specs/policy/obligations/obligations.openapi.yaml
@@ -588,11 +588,9 @@ components:
 - SORT_DIRECTION_DESC description: |- Sorting direction shared across list APIs. - Notes: - - When a sort field is provided, UNSPECIFIED is treated as ASC. - - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. policy.SourceType: type: string title: SourceType
@@ -1127,6 +1125,10 @@ components:
 items: $ref: '#/components/schemas/policy.RequestContext' title: context + namespace: + title: namespace + description: The source namespace for this trigger, derived from the attribute value and action. + $ref: '#/components/schemas/policy.Namespace' metadata: title: metadata $ref: '#/components/schemas/common.Metadata'
@@ -1497,6 +1499,10 @@ components:
 - action - attributeValue additionalProperties: false + description: |- + Obligation Triggers are owned by the namespace that owns the action and attribute value, which must + be the same. In this way, a trigger can intentionally cross namespace boundaries: associating + obligation values of a different namespace than the one that owns the action being taken or the attribute value. policy.obligations.AddObligationTriggerResponse: type: object properties:
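Review bot: The new `AddObligationTriggerRequest` description states that a trigger may reference an obligation value from a namespace other than the one owning the action and attribute value, but it does not say which namespace's authorization is checked when the request is made; for a cross-namespace association that is exactly what an operator needs in order to know which role can create one. Add a sentence stating the rule, for example `Creating a trigger requires authorization in the namespace that owns the action and attribute value; no rights in the obligation value's namespace are required.` — example wording only, replace it with whatever the server enforces. The phrase "which must be the same" is also ambiguous about whether the server validates that the action and attribute value share a namespace or merely assumes it; naming the error returned when they differ would resolve that.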
@@ -1846,8 +1852,10 @@ components:
 maxItems: 1 description: |- Optional - CONSTRAINT: max 1 item - Default ordering when omitted or when the first entry's field is UNSPECIFIED: - created_at DESC, then id ASC (tie-breaker). + Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC title: ListObligationsRequest additionalProperties: false policy.obligations.ListObligationsResponse:
diff --git a/specs/policy/registeredresources/registered_resources.openapi.yaml b/specs/policy/registeredresources/registered_resources.openapi.yaml
index 1d2fac69..14c710b7 100644
--- a/specs/policy/registeredresources/registered_resources.openapi.yaml
+++ b/specs/policy/registeredresources/registered_resources.openapi.yaml
@@ -448,11 +448,9 @@ components:
 - SORT_DIRECTION_DESC description: |- Sorting direction shared across list APIs. - Notes: - - When a sort field is provided, UNSPECIFIED is treated as ASC. - - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. policy.SourceType: type: string title: SourceType
@@ -952,6 +950,10 @@ components:
 items: $ref: '#/components/schemas/policy.RequestContext' title: context + namespace: + title: namespace + description: The source namespace for this trigger, derived from the attribute value and action. + $ref: '#/components/schemas/policy.Namespace' metadata: title: metadata $ref: '#/components/schemas/common.Metadata'
@@ -1101,6 +1103,9 @@ components:
 items: $ref: '#/components/schemas/policy.RegisteredResourceValue.ActionAttributeValue' title: action_attribute_values + fqn: + type: string + title: fqn metadata: title: metadata description: Common metadata
@@ -1705,8 +1710,10 @@ components:
 maxItems: 1 description: |- Optional - CONSTRAINT: max 1 item - Default ordering when omitted or when the first entry's field is UNSPECIFIED: - created_at DESC. + Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC title: ListRegisteredResourcesRequest additionalProperties: false policy.registeredresources.ListRegisteredResourcesResponse:
diff --git a/specs/policy/resourcemapping/resource_mapping.openapi.yaml b/specs/policy/resourcemapping/resource_mapping.openapi.yaml
index c768b805..bc2c45eb 100644
--- a/specs/policy/resourcemapping/resource_mapping.openapi.yaml
+++ b/specs/policy/resourcemapping/resource_mapping.openapi.yaml
@@ -930,6 +930,10 @@ components:
 items: $ref: '#/components/schemas/policy.RequestContext' title: context + namespace: + title: namespace + description: The source namespace for this trigger, derived from the attribute value and action. + $ref: '#/components/schemas/policy.Namespace' metadata: title: metadata $ref: '#/components/schemas/common.Metadata'
diff --git a/specs/policy/selectors.openapi.yaml b/specs/policy/selectors.openapi.yaml
index 9ed47cfa..8b885a5a 100644
--- a/specs/policy/selectors.openapi.yaml
+++ b/specs/policy/selectors.openapi.yaml
@@ -13,11 +13,9 @@ components:
 - SORT_DIRECTION_DESC description: |- Sorting direction shared across list APIs. - Notes: - - When a sort field is provided, UNSPECIFIED is treated as ASC. - - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. policy.AttributeDefinitionSelector: type: object properties:
diff --git a/specs/policy/subjectmapping/subject_mapping.openapi.yaml b/specs/policy/subjectmapping/subject_mapping.openapi.yaml
index 5555a1c0..010427f9 100644
--- a/specs/policy/subjectmapping/subject_mapping.openapi.yaml
+++ b/specs/policy/subjectmapping/subject_mapping.openapi.yaml
@@ -484,11 +484,9 @@ components:
 - SORT_DIRECTION_DESC description: |- Sorting direction shared across list APIs. - Notes: - - When a sort field is provided, UNSPECIFIED is treated as ASC. - - When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, - the endpoint's request message defines the default ordering; see the - specific List* request docs. + When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED, + the endpoint's request message defines the default ordering; see the + specific List* request docs. policy.SourceType: type: string title: SourceType
@@ -994,6 +992,10 @@ components:
 items: $ref: '#/components/schemas/policy.RequestContext' title: context + namespace: + title: namespace + description: The source namespace for this trigger, derived from the attribute value and action. + $ref: '#/components/schemas/policy.Namespace' metadata: title: metadata $ref: '#/components/schemas/common.Metadata'
@@ -1285,7 +1287,6 @@ components:
 authoritative source such as an IDP (Identity Provider) or User Store. Examples include such ADFS/LDAP, OKTA, etc. For now, a valid property must contain both a selector expression & a resulting value. - The external_selector_value is a specifier to select a value from a flattened external representation of an Entity (such as from idP/LDAP), and the external_value is the value selected by the external_selector_value on that
@@ -1568,8 +1569,10 @@ components:
 maxItems: 1 description: |- Optional - CONSTRAINT: max 1 item - Default ordering when omitted or when the first entry's field is UNSPECIFIED: - created_at DESC, then id ASC (tie-breaker). + Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC title: ListSubjectConditionSetsRequest additionalProperties: false policy.subjectmapping.ListSubjectConditionSetsResponse:
@@ -1607,7 +1610,12 @@ components:
 $ref: '#/components/schemas/policy.subjectmapping.SubjectMappingsSort' title: sort maxItems: 1 - description: 'Optional - CONSTRAINT: max 1 item' + description: |- + Optional - CONSTRAINT: max 1 item + Sort defaults: + - direction UNSPECIFIED defaults to DESC for the specified field + - field UNSPECIFIED defaults to created_at with the specified direction + - both UNSPECIFIED or sort omitted defaults to created_at DESC title: ListSubjectMappingsRequest additionalProperties: false policy.subjectmapping.ListSubjectMappingsResponse:
diff --git a/specs/policy/unsafe/unsafe.openapi.yaml b/specs/policy/unsafe/unsafe.openapi.yaml
index f52e95b4..3b2ad2e3 100644
--- a/specs/policy/unsafe/unsafe.openapi.yaml
+++ b/specs/policy/unsafe/unsafe.openapi.yaml
@@ -980,6 +980,10 @@ components:
 items: $ref: '#/components/schemas/policy.RequestContext' title: context + namespace: + title: namespace + description: The source namespace for this trigger, derived from the attribute value and action. + $ref: '#/components/schemas/policy.Namespace' metadata: title: metadata $ref: '#/components/schemas/common.Metadata'