com.yahoo.athenz.zts.ZTSSchema Maven / Gradle / Ivy
The newest version!
//
// This file generated by rdl 1.5.2. Do not modify!
//
package com.yahoo.athenz.zts;
import com.yahoo.rdl.*;
public class ZTSSchema {
private final static Schema INSTANCE = build();
public static Schema instance() {
return INSTANCE;
}
private static Schema build() {
SchemaBuilder sb = new SchemaBuilder("ZTS");
sb.version(1);
sb.namespace("com.yahoo.athenz.zts");
sb.comment("Copyright The Athenz Authors Licensed under the terms of the Apache version 2.0 license. See LICENSE file for terms. The Authorization Token Service (ZTS) API");
sb.stringType("SimpleName")
.comment("Copyright The Athenz Authors Licensed under the terms of the Apache version 2.0 license. See LICENSE file for terms. Common name types used by several API definitions A simple identifier, an element of compound name.")
.pattern("[a-zA-Z0-9_][a-zA-Z0-9_-]*");
sb.stringType("CompoundName")
.comment("A compound name. Most names in this API are compound names.")
.pattern("([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*");
sb.stringType("DomainName")
.comment("A domain name is the general qualifier prefix, as its uniqueness is managed.")
.pattern("([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*");
sb.stringType("EntityName")
.comment("An entity name is a short form of a resource name, including only the domain and entity.")
.pattern("([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*");
sb.stringType("EntityList")
.comment("An Entity list is comma separated compound Names")
.pattern("(([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*,)*([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*");
sb.stringType("ServiceName")
.comment("A service name will generally be a unique subdomain.")
.pattern("([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*");
sb.stringType("ActionName")
.comment("An action (operation) name.")
.pattern("([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*");
sb.stringType("ResourceName")
.comment("A resource name Note that the EntityName part is optional, that is, a domain name followed by a colon is valid resource name.")
.pattern("([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*(:([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*)?");
sb.stringType("YBase64")
.comment("The Y-specific URL-safe Base64 variant.")
.pattern("[a-zA-Z0-9\\._-]+");
sb.stringType("YEncoded")
.comment("YEncoded includes ybase64 chars, as well as = and %. This can represent a user cookie and URL-encoded values.")
.pattern("[a-zA-Z0-9\\._%=-]*");
sb.stringType("AuthorityName")
.comment("Used as the prefix in a signed assertion. This uniquely identifies a signing authority.")
.pattern("([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*");
sb.stringType("SignedToken")
.comment("A signed assertion if identity. i.e. the user cookie value. This token will only make sense to the authority that generated it, so it is beneficial to have something in the value that is cheaply recognized to quickly reject if it belongs to another authority. In addition to the YEncoded set our token includes ; to separate components and , to separate roles")
.pattern("[a-zA-Z0-9\\._%=;,-]*");
sb.stringType("PathElement")
.comment("A uri-safe path element")
.pattern("[a-zA-Z0-9-\\._~=+@$,:]*");
sb.enumType("CertType")
.comment("CertType denotes various types of certs issued by Athenz")
.element("X509")
.element("SSH_HOST")
.element("SSH_USER");
sb.structType("ResourceAccess")
.comment("ResourceAccess can be checked and returned as this resource. (same as ZMS.Access)")
.field("granted", "Bool", false, "true (allowed) or false (denied)");
sb.structType("PublicKeyEntry")
.comment("The representation of the public key in a service identity object.")
.field("key", "String", false, "the public key for the service")
.field("id", "String", false, "the key identifier (version or zone name)");
sb.structType("ServiceIdentity")
.comment("The representation of the service identity object.")
.field("name", "ServiceName", false, "the full name of the service, i.e. \"sports.storage\"")
.arrayField("publicKeys", "PublicKeyEntry", true, "array of public keys for key rotation")
.field("providerEndpoint", "String", true, "if present, then this service can provision tenants via this endpoint.")
.field("modified", "Timestamp", true, "the timestamp when this entry was last modified")
.field("executable", "String", true, "the path of the executable that runs the service")
.arrayField("hosts", "String", true, "list of host names that this service can run on")
.field("user", "String", true, "local (unix) user name this service can run as")
.field("group", "String", true, "local (unix) group name this service can run as");
sb.structType("ServiceIdentityList")
.comment("The representation for an enumeration of services in the namespace.")
.arrayField("names", "EntityName", false, "list of service names");
sb.structType("HostServices")
.comment("The representation for an enumeration of services authorized to run on a specific host.")
.field("host", "String", false, "name of the host")
.arrayField("names", "EntityName", false, "list of service names authorized to run on this host");
sb.enumType("AssertionEffect")
.comment("Every assertion can have the effect of ALLOW or DENY.")
.element("ALLOW")
.element("DENY");
sb.structType("Assertion")
.comment("A representation for the encapsulation of an action to be performed on a resource by a principal.")
.field("role", "String", false, "the subject of the assertion, a role")
.field("resource", "String", false, "the object of the assertion. Must be in the local namespace. Can contain wildcards")
.field("action", "String", false, "the predicate of the assertion. Can contain wildcards")
.field("effect", "AssertionEffect", true, "the effect of the assertion in the policy language", AssertionEffect.ALLOW)
.field("id", "Int64", true, "assertion id - auto generated by server")
.field("caseSensitive", "Bool", true, "If true, we should store action and resource in their original case");
sb.structType("Policy")
.comment("The representation for a Policy with set of assertions.")
.field("name", "ResourceName", false, "name of the policy")
.field("modified", "Timestamp", true, "last modification timestamp of this policy")
.arrayField("assertions", "Assertion", false, "list of defined assertions for this policy")
.field("caseSensitive", "Bool", true, "If true, we should store action and resource in their original case")
.field("version", "SimpleName", true, "optional version string, defaults to 0")
.field("active", "Bool", true, "if multi-version policy then indicates active version");
sb.structType("PolicyData")
.field("domain", "DomainName", false, "name of the domain")
.arrayField("policies", "Policy", false, "list of policies defined in this server");
sb.structType("SignedPolicyData")
.comment("A representation of policies object defined in a given server.")
.field("policyData", "PolicyData", false, "list of policies defined in a domain")
.field("zmsSignature", "String", true, "zms signature generated based on the domain policies object")
.field("zmsKeyId", "String", true, "the identifier of the zms key used to generate the signature")
.field("modified", "Timestamp", false, "when the domain itself was last modified")
.field("expires", "Timestamp", false, "timestamp specifying the expiration time for using this set of policies");
sb.structType("DomainSignedPolicyData")
.comment("A signed bulk transfer of policies. The data is signed with server's private key.")
.field("signedPolicyData", "SignedPolicyData", false, "policy data signed by ZMS")
.field("signature", "String", false, "signature generated based on the domain policies object")
.field("keyId", "String", false, "the identifier of the key used to generate the signature");
sb.structType("JWSPolicyData")
.comment("SignedPolicyData using flattened JWS JSON Serialization syntax. https://tools.ietf.org/html/rfc7515#section-7.2.2")
.field("payload", "String", false, "")
.field("protected", "String", false, "")
.mapField("header", "String", "String", false, "")
.field("signature", "String", false, "");
sb.structType("SignedPolicyRequest")
.mapField("policyVersions", "String", "String", false, "")
.field("signatureP1363Format", "Bool", false, "true if signature must be in P1363 format instead of ASN.1 DER");
sb.structType("RoleCertificate")
.comment("Copyright The Athenz Authors Licensed under the terms of the Apache version 2.0 license. See LICENSE file for terms. RoleCertificate - a role certificate")
.field("x509Certificate", "String", false, "");
sb.structType("RoleCertificateRequest")
.comment("RoleCertificateRequest - a certificate signing request. By including the optional previous Certificate NotBefore and NotAfter dates would all the server to correctly prioritize this request in case the certificate signer is under heavy load and it can't sign all submitted requests from the Athenz Server.")
.field("csr", "String", false, "role certificate singing request")
.field("proxyForPrincipal", "EntityName", true, "this request is proxy for this principal")
.field("expiryTime", "Int64", false, "request an expiry time for the role certificate")
.field("prevCertNotBefore", "Timestamp", true, "previous role certificate not before date")
.field("prevCertNotAfter", "Timestamp", true, "previous role certificate not after date");
sb.structType("RoleAccess")
.arrayField("roles", "EntityName", false, "");
sb.structType("RoleToken")
.comment("A representation of a signed RoleToken")
.field("token", "String", false, "")
.field("expiryTime", "Int64", false, "");
sb.structType("Access")
.comment("Access can be checked and returned as this resource.")
.field("granted", "Bool", false, "true (allowed) or false (denied)");
sb.structType("TenantDomains")
.arrayField("tenantDomainNames", "DomainName", false, "");
sb.structType("Identity")
.comment("Identity - a signed assertion of service or human identity, the response could be either a client certificate or just a regular NToken (depending if the request contained a csr or not).")
.field("name", "CompoundName", false, "name of the identity, fully qualified, i.e. my.domain.service1, or aws.1232321321312.myusername")
.field("certificate", "String", true, "a certificate usable for both client and server in TLS connections")
.field("caCertBundle", "String", true, "the CA certificate chain to use with all IMS-generated certs")
.field("sshCertificate", "String", true, "the SSH certificate, signed by the CA (user or host)")
.field("sshCertificateSigner", "String", true, "the SSH CA's public key for the sshCertificate (user or host)")
.field("serviceToken", "SignedToken", true, "service token instead of TLS certificate")
.mapField("attributes", "String", "String", true, "other config-like attributes determined at boot time");
sb.structType("InstanceRefreshRequest")
.comment("InstanceRefreshRequest - a certificate refresh request")
.field("csr", "String", false, "Cert CSR signed by the service's private key (public key registered in ZMS)")
.field("expiryTime", "Int32", true, "in minutes how long token should be valid for")
.field("keyId", "String", true, "public key identifier")
.field("namespace", "SimpleName", true, "spiffe/k8s namespace value")
.field("cloud", "SimpleName", true, "optional cloud name where the instance is bootstrapped. e.g. aws / gcp / azure / openstack etc.");
sb.stringType("AWSRoleName")
.comment("AWS role name without the path")
.pattern("[a-zA-Z0-9-\\._=+@,]*");
sb.stringType("AWSRolePathElement")
.comment("AWS role path single element")
.pattern("[a-zA-Z0-9][a-zA-Z0-9-\\._]*");
sb.stringType("AWSRolePath")
.comment("AWS role path")
.pattern("([a-zA-Z0-9][a-zA-Z0-9-\\._]*/)+");
sb.stringType("AWSArnRoleName")
.comment("AWS full role name with path")
.pattern("(([a-zA-Z0-9][a-zA-Z0-9-\\._]*/)+)*[a-zA-Z0-9-\\._=+@,]*");
sb.structType("AWSTemporaryCredentials")
.field("accessKeyId", "String", false, "")
.field("secretAccessKey", "String", false, "")
.field("sessionToken", "String", false, "")
.field("expiration", "Timestamp", false, "");
sb.structType("SSHCertRequestData")
.arrayField("principals", "String", false, "principals in the ssh certificate (usually only one)")
.arrayField("sources", "String", true, "source FQDNs or ip addresses")
.arrayField("destinations", "String", true, "destination FQDNs or ip addresses")
.field("publicKey", "String", true, "public key for ssh certificate")
.field("touchPublicKey", "String", true, "yubikey/touch public key for ssh certificate")
.field("caPubKeyAlgo", "Int32", true, "CA public key algorithm: 0: Unknown, 1: RSA, 3: ECDSA")
.field("command", "String", true, "optional force command option for certificate");
sb.structType("SSHCertRequestMeta")
.field("requestor", "String", false, "requesting user")
.field("origin", "String", false, "origin FQDN or ip")
.field("clientInfo", "String", true, "client info")
.field("sshClientVersion", "String", true, "ssh client version")
.field("certType", "String", false, "cert type - user or host")
.arrayField("keyIdPrincipals", "String", true, "principals included in the keyId field in the certificate")
.field("athenzService", "EntityName", true, "ssh host cert request is for this athenz service")
.field("instanceId", "PathElement", true, "ssh host cert request is for this instance id")
.field("prevCertValidFrom", "Timestamp", true, "previous ssh certificate validity from date")
.field("prevCertValidTo", "Timestamp", true, "previous ssh certificate validity to date")
.field("transId", "String", true, "ssh request transaction id");
sb.structType("SSHCertRequest")
.field("certRequestData", "SSHCertRequestData", false, "ssh certificate request data")
.field("certRequestMeta", "SSHCertRequestMeta", false, "ssh certificate request meta")
.field("csr", "String", true, "free-form csr if not using data/meta fields.")
.field("attestationData", "String", true, "identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.");
sb.structType("SSHCertificate")
.field("certificate", "String", false, "the SSH certificate, signed by the CA")
.field("publicKey", "String", true, "certificate public key if generated by SSH RA")
.field("privateKey", "String", true, "certificate private key if generated by SSH Agent");
sb.structType("SSHCertificates")
.arrayField("certificates", "SSHCertificate", false, "set of user ssh certificates")
.field("certificateSigner", "String", true, "the SSH CA's public key for the sshCertificate (user or host)");
sb.structType("AccessTokenResponse")
.field("access_token", "String", false, "access token")
.field("token_type", "String", false, "token type e.g. Bearer")
.field("expires_in", "Int32", true, "expiration in seconds")
.field("scope", "String", true, "scope of the access token e.g. openid")
.field("refresh_token", "String", true, "refresh token")
.field("id_token", "String", true, "id token");
sb.structType("JWK")
.field("kty", "String", false, "key type: EC or RSA")
.field("kid", "String", false, "identifier")
.field("alg", "String", true, "key algorithm")
.field("use", "String", true, "usage: sig or enc")
.field("crv", "String", true, "ec curve name")
.field("x", "String", true, "ec x value")
.field("y", "String", true, "ec y value")
.field("n", "String", true, "rsa modulus value")
.field("e", "String", true, "rsa public exponent value");
sb.structType("OpenIDConfig")
.field("issuer", "String", false, "url using the https scheme")
.field("authorization_endpoint", "String", false, "oauth 2.0 authorization endpoint url")
.field("jwks_uri", "String", false, "public server jwk set url")
.arrayField("response_types_supported", "String", false, "list of supported response types")
.arrayField("subject_types_supported", "String", false, "list of supported subject identifier types")
.arrayField("id_token_signing_alg_values_supported", "String", false, "list of supported algorithms for issued id tokens")
.arrayField("claims_supported", "String", true, "list of supported id claims");
sb.structType("OAuthConfig")
.field("issuer", "String", false, "url using the https scheme")
.field("authorization_endpoint", "String", false, "oauth 2.0 authorization endpoint url")
.field("token_endpoint", "String", false, "authorization server token endpoint")
.field("jwks_uri", "String", false, "public server jwk set url")
.arrayField("response_types_supported", "String", false, "list of supported response types")
.arrayField("grant_types_supported", "String", false, "supported grant types")
.arrayField("token_endpoint_auth_signing_alg_values_supported", "String", false, "list of supported algorithms for issued access tokens");
sb.structType("JWKList")
.comment("JSON Web Key (JWK) List")
.arrayField("keys", "JWK", false, "array of JWKs");
sb.structType("OIDCResponse")
.field("version", "Int32", false, "version number")
.field("id_token", "String", false, "id token")
.field("token_type", "String", false, "token type e.g. urn:ietf:params:oauth:token-type:id_token")
.field("success", "Bool", false, "response status")
.field("expiration_time", "Int64", false, "expiration time in UTC");
sb.structType("InstanceRegisterInformation")
.field("provider", "ServiceName", false, "the provider service name (i.e. \"aws.us-west-2\", \"sys.openstack.cluster1\")")
.field("domain", "DomainName", false, "the domain of the instance")
.field("service", "SimpleName", false, "the service this instance is supposed to run")
.field("attestationData", "String", false, "identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.")
.field("csr", "String", false, "the Certificate Signing Request for the expected X.509 certificate in the response")
.field("ssh", "String", true, "deprecated - use sshCertRequest, if present, return an SSH host certificate. Format is JSON.")
.field("sshCertRequest", "SSHCertRequest", true, "if present, return an SSH host certificate")
.field("token", "Bool", true, "if true, return a service token signed by ZTS for this service")
.field("expiryTime", "Int32", true, "expiry time in minutes for the certificate (server enforces max expiry)")
.field("hostname", "DomainName", true, "optional hostname in case included in the csr SAN dnsName attribute")
.arrayField("hostCnames", "DomainName", true, "optional host CNAMEs included in the csr SAN dnsName attribute")
.field("athenzJWK", "Bool", true, "if true, return an Athenz JWK public keys file")
.field("athenzJWKModified", "Timestamp", true, "return the public keys file only if modified after the given timestamp")
.field("namespace", "SimpleName", true, "spiffe/k8s namespace value")
.field("cloud", "SimpleName", true, "optional cloud name where the instance is bootstrapped. e.g. aws / gcp / azure / openstack etc.");
sb.structType("InstanceRefreshInformation")
.field("attestationData", "String", true, "identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.")
.field("csr", "String", true, "the Certificate Signing Request for the expected X.509 certificate in the response")
.field("ssh", "String", true, "deprecated - use sshCertRequest, if present, return an SSH host certificate. Format is JSON.")
.field("sshCertRequest", "SSHCertRequest", true, "if present, return an SSH host certificate")
.field("token", "Bool", true, "if true, return a service token signed by ZTS for this service")
.field("expiryTime", "Int32", true, "expiry time in minutes for the certificate (server enforces max expiry)")
.field("hostname", "DomainName", true, "optional hostname in case included in the csr SAN dnsName attribute")
.arrayField("hostCnames", "DomainName", true, "optional host CNAMEs included in the csr SAN dnsName attribute")
.field("athenzJWK", "Bool", true, "if true, return an Athenz JWK public keys file")
.field("athenzJWKModified", "Timestamp", true, "return the public keys file only if modified after the given timestamp")
.field("namespace", "SimpleName", true, "spiffe/k8s namespace value")
.field("cloud", "SimpleName", true, "optional cloud name where the instance is bootstrapped. e.g. aws / gcp / azure / openstack etc.");
sb.structType("InstanceRegisterToken")
.field("provider", "ServiceName", false, "provider service name")
.field("domain", "DomainName", false, "the domain of the instance")
.field("service", "SimpleName", false, "the service this instance is supposed to run")
.field("attestationData", "String", false, "identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.")
.mapField("attributes", "String", "String", true, "additional non-signed attributes that assist in attestation. I.e. \"keyId\", \"accessKey\", etc");
sb.structType("AthenzJWKConfig")
.field("zms", "JWKList", false, "ZMS JSON Web Key (JWK) List")
.field("zts", "JWKList", false, "ZTS JSON Web Key (JWK) List")
.field("modified", "Timestamp", true, "the last modification timestamp of the Athenz JWK configuration");
sb.structType("InstanceIdentity")
.field("provider", "ServiceName", false, "the provider service name (i.e. \"aws.us-west-2\", \"sys.openstack.cluster1\")")
.field("name", "ServiceName", false, "name of the identity, fully qualified, i.e. my.domain.service1")
.field("instanceId", "PathElement", false, "unique instance id within provider's namespace")
.field("x509Certificate", "String", true, "an X.509 certificate usable for both client and server in TLS connections")
.field("x509CertificateSigner", "String", true, "the CA certificate chain to verify all generated X.509 certs")
.field("sshCertificate", "String", true, "the SSH certificate, signed by the CA (user or host)")
.field("sshCertificateSigner", "String", true, "the SSH CA's public key for the sshCertificate (user or host)")
.field("serviceToken", "SignedToken", true, "service token instead of TLS certificate")
.mapField("attributes", "String", "String", true, "other config-like attributes determined at boot time")
.field("athenzJWK", "AthenzJWKConfig", true, "the Athenz JSON Web Key (JWK) configuration object");
sb.structType("CertificateAuthorityBundle")
.field("name", "SimpleName", false, "name of the bundle")
.field("certs", "String", false, "set of certificates included in the bundle");
sb.enumType("DomainMetricType")
.comment("zpe metric attributes")
.element("ACCESS_ALLOWED")
.element("ACCESS_ALLOWED_DENY")
.element("ACCESS_ALLOWED_DENY_NO_MATCH")
.element("ACCESS_ALLOWED_ALLOW")
.element("ACCESS_ALLOWED_ERROR")
.element("ACCESS_ALLOWED_TOKEN_INVALID")
.element("ACCESS_Allowed_TOKEN_EXPIRED")
.element("ACCESS_ALLOWED_DOMAIN_NOT_FOUND")
.element("ACCESS_ALLOWED_DOMAIN_MISMATCH")
.element("ACCESS_ALLOWED_DOMAIN_EXPIRED")
.element("ACCESS_ALLOWED_DOMAIN_EMPTY")
.element("ACCESS_ALLOWED_TOKEN_CACHE_FAILURE")
.element("ACCESS_ALLOWED_TOKEN_CACHE_NOT_FOUND")
.element("ACCESS_ALLOWED_TOKEN_CACHE_SUCCESS")
.element("ACCESS_ALLOWED_TOKEN_VALIDATE")
.element("LOAD_FILE_FAIL")
.element("LOAD_FILE_GOOD")
.element("LOAD_DOMAIN_GOOD");
sb.structType("DomainMetric")
.field("metricType", "DomainMetricType", false, "")
.field("metricVal", "Int32", false, "");
sb.structType("DomainMetrics")
.field("domainName", "DomainName", false, "name of the domain the metrics pertain to")
.arrayField("metricList", "DomainMetric", false, "list of the domains metrics");
sb.structType("Status")
.comment("The representation for a status object")
.field("code", "Int32", false, "status message code")
.field("message", "String", false, "status message of the server");
sb.structType("Workload")
.field("domainName", "DomainName", false, "name of the domain, optional for getWorkloadsByService API call")
.field("serviceName", "EntityName", false, "name of the service, , optional for getWorkloadsByService API call")
.field("uuid", "String", false, "unique identifier for the workload, usually defined by provider")
.arrayField("ipAddresses", "String", false, "list of IP addresses associated with the workload, optional for getWorkloadsByIP API call")
.field("hostname", "String", false, "hostname associated with the workload")
.field("provider", "String", false, "infrastructure provider e.g. k8s, AWS, Azure, openstack etc.")
.field("updateTime", "Timestamp", false, "most recent update timestamp in the backend")
.field("certExpiryTime", "Timestamp", false, "certificate expiry time (ex: getNotAfter)");
sb.structType("Workloads")
.arrayField("workloadList", "Workload", false, "list of workloads");
sb.enumType("TransportDirection")
.comment("Copyright The Athenz Authors Licensed under the terms of the Apache version 2.0 license. See LICENSE file for terms.")
.element("IN")
.element("OUT");
sb.structType("TransportRule")
.field("endPoint", "String", false, "source or destination endpoints defined in terms of CIDR notation")
.field("sourcePortRange", "String", false, "range of port numbers for incoming connections")
.field("port", "Int32", false, "destination / listener port of the service")
.field("protocol", "String", false, "protocol of the connection")
.field("direction", "TransportDirection", false, "transport direction");
sb.structType("TransportRules")
.arrayField("ingressRules", "TransportRule", false, "")
.arrayField("egressRules", "TransportRule", false, "");
sb.structType("Info")
.comment("Copyright The Athenz Authors Licensed under the terms of the Apache version 2.0 license. See LICENSE file for terms. The representation for an info object")
.field("buildJdkSpec", "String", true, "jdk build version")
.field("implementationTitle", "String", true, "implementation title - e.g. athenz-zms-server")
.field("implementationVersion", "String", true, "implementation version - e.g. 1.11.1")
.field("implementationVendor", "String", true, "implementation vendor - Athenz");
sb.structType("ExternalCredentialsRequest")
.field("clientId", "ServiceName", false, "client id to be referenced in the ID token as audience")
.field("expiryTime", "Int32", true, "optional expiry period specified in seconds")
.mapField("attributes", "String", "String", true, "credential request attributes");
sb.structType("ExternalCredentialsResponse")
.mapField("attributes", "String", "String", false, "credential response attributes")
.field("expiration", "Timestamp", true, "credential expiry timestamp");
sb.structType("DomainDetails")
.field("name", "DomainName", false, "name of the athenz domain")
.field("awsAccount", "String", true, "associated aws account id")
.field("azureSubscription", "String", true, "associated azure subscription id")
.field("azureTenant", "String", true, "associated azure tenant id")
.field("azureClient", "String", true, "associated azure client id")
.field("gcpProjectId", "String", true, "associated gcp project id")
.field("gcpProjectNumber", "String", true, "associated gcp project number");
sb.stringType("rdl.Identifier")
.comment("All names need to be of this restricted string type")
.pattern("[a-zA-Z_]+[a-zA-Z_0-9]*");
sb.stringType("rdl.NamespacedIdentifier")
.comment("A Namespace is a dotted compound name, using reverse domain name order (i.e. \"com.yahoo.auth\")")
.pattern("([a-zA-Z_]+[a-zA-Z_0-9]*)(\\.[a-zA-Z_]+[a-zA-Z_0-9])*");
sb.enumType("rdl.BaseType")
.element("Bool")
.element("Int8")
.element("Int16")
.element("Int32")
.element("Int64")
.element("Float32")
.element("Float64")
.element("Bytes")
.element("String")
.element("Timestamp")
.element("Symbol")
.element("UUID")
.element("Array")
.element("Map")
.element("Struct")
.element("Enum")
.element("Union")
.element("Any");
sb.stringType("rdl.ExtendedAnnotation")
.comment("ExtendedAnnotation - parsed and preserved, but has no defined meaning in RDL. Such annotations must begin with \"x_\", and may have an associated string literal value (the value will be \"\" if the annotation is just a flag).")
.pattern("x_[a-zA-Z_0-9]*");
sb.structType("rdl.TypeDef")
.comment("TypeDef is the basic type definition.")
.field("type", "rdl.TypeRef", false, "The type this type is derived from. For base types, it is the same as the name")
.field("name", "rdl.TypeName", false, "The name of the type")
.field("comment", "String", true, "The comment for the type")
.mapField("annotations", "rdl.ExtendedAnnotation", "String", true, "additional annotations starting with \"x_\"");
sb.structType("rdl.AliasTypeDef", "rdl.TypeDef")
.comment("AliasTypeDef is used for type definitions that add no additional attributes, and thus just create an alias");
sb.structType("rdl.BytesTypeDef", "rdl.TypeDef")
.comment("Bytes allow the restriction by fixed size, or min/max size.")
.field("size", "Int32", true, "Fixed size")
.field("minSize", "Int32", true, "Min size")
.field("maxSize", "Int32", true, "Max size");
sb.structType("rdl.StringTypeDef", "rdl.TypeDef")
.comment("Strings allow the restriction by regular expression pattern or by an explicit set of values. An optional maximum size may be asserted")
.field("pattern", "String", true, "A regular expression that must be matched. Mutually exclusive with values")
.arrayField("values", "String", true, "A set of allowable values")
.field("minSize", "Int32", true, "Min size")
.field("maxSize", "Int32", true, "Max size");
sb.unionType("rdl.Number")
.comment("A numeric is any of the primitive numeric types")
.variant("Int8")
.variant("Int16")
.variant("Int32")
.variant("Int64")
.variant("Float32")
.variant("Float64");
sb.structType("rdl.NumberTypeDef", "rdl.TypeDef")
.comment("A number type definition allows the restriction of numeric values.")
.field("min", "rdl.Number", true, "Min value")
.field("max", "rdl.Number", true, "Max value");
sb.structType("rdl.ArrayTypeDef", "rdl.TypeDef")
.comment("Array types can be restricted by item type and size")
.field("items", "rdl.TypeRef", false, "The type of the items, default to any type", null)
.field("size", "Int32", true, "If present, indicate the fixed size.")
.field("minSize", "Int32", true, "If present, indicate the min size")
.field("maxSize", "Int32", true, "If present, indicate the max size");
sb.structType("rdl.MapTypeDef", "rdl.TypeDef")
.comment("Map types can be restricted by key type, item type and size")
.field("keys", "rdl.TypeRef", false, "The type of the keys, default to String.", null)
.field("items", "rdl.TypeRef", false, "The type of the items, default to Any type", null)
.field("size", "Int32", true, "If present, indicates the fixed size.")
.field("minSize", "Int32", true, "If present, indicate the min size")
.field("maxSize", "Int32", true, "If present, indicate the max size");
sb.structType("rdl.StructFieldDef")
.comment("Each field in a struct_field_spec is defined by this type")
.field("name", "rdl.Identifier", false, "The name of the field")
.field("type", "rdl.TypeRef", false, "The type of the field")
.field("optional", "Bool", false, "The field may be omitted even if specified", false)
.field("default", "Any", true, "If field is absent, what default value should be assumed.")
.field("comment", "String", true, "The comment for the field")
.field("items", "rdl.TypeRef", true, "For map or array fields, the type of the items")
.field("keys", "rdl.TypeRef", true, "For map type fields, the type of the keys")
.mapField("annotations", "rdl.ExtendedAnnotation", "String", true, "additional annotations starting with \"x_\"");
sb.structType("rdl.StructTypeDef", "rdl.TypeDef")
.comment("A struct can restrict specific named fields to specific types. By default, any field not specified is allowed, and can be of any type. Specifying closed means only those fields explicitly")
.arrayField("fields", "rdl.StructFieldDef", false, "The fields in this struct. By default, open Structs can have any fields in addition to these")
.field("closed", "Bool", false, "indicates that only the specified fields are acceptable. Default is open (any fields)", false);
sb.structType("rdl.EnumElementDef")
.comment("EnumElementDef defines one of the elements of an Enum")
.field("symbol", "rdl.Identifier", false, "The identifier representing the value")
.field("comment", "String", true, "the comment for the element")
.mapField("annotations", "rdl.ExtendedAnnotation", "String", true, "additional annotations starting with \"x_\"");
sb.structType("rdl.EnumTypeDef", "rdl.TypeDef")
.comment("Define an enumerated type. Each value of the type is represented by a symbolic identifier.")
.arrayField("elements", "rdl.EnumElementDef", false, "The enumeration of the possible elements");
sb.structType("rdl.UnionTypeDef", "rdl.TypeDef")
.comment("Define a type as one of any other specified type.")
.arrayField("variants", "rdl.TypeRef", false, "The type names of constituent types. Union types get expanded, this is a flat list");
sb.unionType("rdl.Type")
.comment("A Type can be specified by any of the above specialized Types, determined by the value of the the 'type' field")
.variant("rdl.BaseType")
.variant("rdl.StructTypeDef")
.variant("rdl.MapTypeDef")
.variant("rdl.ArrayTypeDef")
.variant("rdl.EnumTypeDef")
.variant("rdl.UnionTypeDef")
.variant("rdl.StringTypeDef")
.variant("rdl.BytesTypeDef")
.variant("rdl.NumberTypeDef")
.variant("rdl.AliasTypeDef");
sb.structType("rdl.ResourceInput")
.comment("ResourceOutput defines input characteristics of a Resource")
.field("name", "rdl.Identifier", false, "the formal name of the input")
.field("type", "rdl.TypeRef", false, "The type of the input")
.field("comment", "String", true, "The optional comment")
.field("pathParam", "Bool", false, "true of this input is a path parameter", false)
.field("queryParam", "String", true, "if present, the name of the query param name")
.field("header", "String", true, "If present, the name of the header the input is associated with")
.field("pattern", "String", true, "If present, the pattern associated with the pathParam (i.e. wildcard path matches)")
.field("default", "Any", true, "If present, the default value for optional params")
.field("optional", "Bool", false, "If present, indicates that the input is optional", false)
.field("flag", "Bool", false, "If present, indicates the queryparam is of flag style (no value)", false)
.field("context", "String", true, "If present, indicates the parameter comes form the implementation context")
.mapField("annotations", "rdl.ExtendedAnnotation", "String", true, "additional annotations starting with \"x_\"");
sb.structType("rdl.ResourceOutput")
.comment("ResourceOutput defines output characteristics of a Resource")
.field("name", "rdl.Identifier", false, "the formal name of the output")
.field("type", "rdl.TypeRef", false, "The type of the output")
.field("header", "String", false, "the name of the header associated with this output")
.field("comment", "String", true, "The optional comment for the output")
.field("optional", "Bool", false, "If present, indicates that the output is optional (the server decides)", false)
.mapField("annotations", "rdl.ExtendedAnnotation", "String", true, "additional annotations starting with \"x_\"");
sb.structType("rdl.ResourceAuth")
.comment("ResourceAuth defines authentication and authorization attributes of a resource. Presence of action, resource, or domain implies authentication; the authentication flag alone is required only when no authorization is done.")
.field("authenticate", "Bool", false, "if present and true, then the requester must be authenticated", false)
.field("action", "String", true, "the action to authorize access to. This forces authentication")
.field("resource", "String", true, "the resource identity to authorize access to")
.field("domain", "String", true, "if present, the alternate domain to check access to. This is rare.");
sb.structType("rdl.ExceptionDef")
.comment("ExceptionDef describes the exception a symbolic response code maps to.")
.field("type", "String", false, "The type of the exception")
.field("comment", "String", true, "the optional comment for the exception");
sb.structType("rdl.Resource")
.comment("A Resource of a REST service")
.field("type", "rdl.TypeRef", false, "The type of the resource")
.field("method", "String", false, "The method for the action (typically GET, POST, etc for HTTP access)")
.field("path", "String", false, "The resource path template")
.field("comment", "String", true, "The optional comment")
.arrayField("inputs", "rdl.ResourceInput", true, "An Array named inputs")
.arrayField("outputs", "rdl.ResourceOutput", true, "An Array of named outputs")
.field("auth", "rdl.ResourceAuth", true, "The optional authentication or authorization directive")
.field("expected", "String", false, "The expected symbolic response code", "OK")
.arrayField("alternatives", "String", true, "The set of alternative but non-error response codes")
.mapField("exceptions", "String", "rdl.ExceptionDef", true, "A map of symbolic response code to Exception definitions")
.field("async", "Bool", true, "A hint to server implementations that this resource would be better implemented with async I/O")
.mapField("annotations", "rdl.ExtendedAnnotation", "String", true, "additional annotations starting with \"x_\"")
.arrayField("consumes", "String", true, "Optional hint for resource acceptable input types")
.arrayField("produces", "String", true, "Optional hint for resource output content types")
.field("name", "rdl.Identifier", true, "The optional name of the resource");
sb.structType("rdl.Schema")
.comment("A Schema is a container for types and resources. It is self-contained (no external references). and is the output of the RDL parser.")
.field("namespace", "rdl.NamespacedIdentifier", true, "The namespace for the schema")
.field("name", "rdl.Identifier", true, "The name of the schema")
.field("version", "Int32", true, "The version of the schema")
.field("comment", "String", true, "The comment for the entire schema")
.arrayField("types", "rdl.Type", true, "The types this schema defines.")
.arrayField("resources", "rdl.Resource", true, "The resources for a service this schema defines")
.field("base", "String", true, "the base path for resources in the schema.")
.mapField("annotations", "rdl.ExtendedAnnotation", "String", true, "additional annotations starting with \"x_\"");
sb.resource("ResourceAccess", "GET", "/access/{action}/{resource}")
.comment("Check access for the specified operation on the specified resource for the currently authenticated user. This is the slow centralized access for control-plane purposes. Use distributed mechanisms for decentralized (data-plane) access by fetching signed policies and role tokens for users. With this endpoint the resource is part of the uri and restricted to its strict definition of resource name. If needed, you can use the GetAccessExt api that allows resource name to be less restrictive.")
.pathParam("action", "ActionName", "action as specified in the policy assertion, i.e. update or read")
.pathParam("resource", "ResourceName", "the resource to check access against, i.e. \"media.news:articles\"")
.queryParam("domain", "domain", "DomainName", null, "usually null. If present, it specifies an alternate domain for cross-domain trust relation")
.queryParam("principal", "checkPrincipal", "EntityName", null, "usually null. If present, carry out the access check for this principal")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("ResourceAccess", "GET", "/access/{action}")
.comment("Check access for the specified operation on the specified resource for the currently authenticated user. This is the slow centralized access for control-plane purposes.")
.name("GetResourceAccessExt")
.pathParam("action", "ActionName", "action as specified in the policy assertion, i.e. update or read")
.queryParam("resource", "resource", "String", null, "the resource to check access against, i.e. \"media.news:articles\"")
.queryParam("domain", "domain", "DomainName", null, "usually null. If present, it specifies an alternate domain for cross-domain trust relation")
.queryParam("principal", "checkPrincipal", "EntityName", null, "usually null. If present, carry out the access check for this principal")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("ServiceIdentity", "GET", "/domain/{domainName}/service/{serviceName}")
.comment("Get info for the specified ServiceIdentity.")
.pathParam("domainName", "DomainName", "name of the domain")
.pathParam("serviceName", "ServiceName", "name of the service to be retrieved")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("ServiceIdentityList", "GET", "/domain/{domainName}/service")
.comment("Enumerate services provisioned in this domain.")
.pathParam("domainName", "DomainName", "name of the domain")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("PublicKeyEntry", "GET", "/domain/{domainName}/service/{serviceName}/publickey/{keyId}")
.comment("Retrieve the specified public key from the service.")
.pathParam("domainName", "DomainName", "name of the domain")
.pathParam("serviceName", "SimpleName", "name of the service")
.pathParam("keyId", "String", "the identifier of the public key to be retrieved")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("HostServices", "GET", "/host/{host}/services")
.comment("Enumerate services provisioned on a specific host")
.pathParam("host", "String", "name of the host")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("DomainSignedPolicyData", "GET", "/domain/{domainName}/signed_policy_data")
.comment("Get a signed policy enumeration from the service, to transfer to a local store. An ETag is generated for the PolicyList that changes when any item in the list changes. If the If-None-Match header is provided, and it matches the ETag that would be returned, then a NOT_MODIFIED response is returned instead of the list.")
.pathParam("domainName", "DomainName", "name of the domain")
.headerParam("If-None-Match", "matchingTag", "String", null, "Retrieved from the previous request, this timestamp specifies to the server to return any policies modified since this time")
.output("ETag", "tag", "String", "The current latest modification timestamp is returned in this header")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("SignedPolicyRequest", "POST", "/domain/{domainName}/policy/signed")
.comment("Get a signed policy enumeration from the service, to transfer to a local store. An ETag is generated for the PolicyList that changes when any item in the list changes. If the If-None-Match header is provided, and it matches the ETag that would be returned, then a NOT_MODIFIED response is returned instead of the list.")
.pathParam("domainName", "DomainName", "name of the domain")
.input("request", "SignedPolicyRequest", "policy version request details")
.headerParam("If-None-Match", "matchingTag", "String", null, "Retrieved from the previous request, this timestamp specifies to the server to return any policies modified since this time")
.output("ETag", "tag", "String", "The current latest modification timestamp is returned in this header")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("RoleToken", "GET", "/domain/{domainName}/token")
.comment("Return a security token for the specific role in the namespace that the principal can assume. If the role is omitted, then all roles in the namespace that the authenticated user can assume are returned. the caller can specify how long the RoleToken should be valid for by specifying the minExpiryTime and maxExpiryTime parameters. The minExpiryTime specifies that the returned RoleToken must be at least valid (min/lower bound) for specified number of seconds, while maxExpiryTime specifies that the RoleToken must be at most valid (max/upper bound) for specified number of seconds. If both values are the same, the server must return a RoleToken for that many seconds. If no values are specified, the server's default RoleToken Timeout value is used.")
.pathParam("domainName", "DomainName", "name of the domain")
.queryParam("role", "role", "EntityList", null, "only interested for a token for these comma separated roles")
.queryParam("minExpiryTime", "minExpiryTime", "Int32", null, "in seconds min expiry time")
.queryParam("maxExpiryTime", "maxExpiryTime", "Int32", null, "in seconds max expiry time")
.queryParam("proxyForPrincipal", "proxyForPrincipal", "EntityName", null, "optional this request is proxy for this principal")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("RoleCertificateRequest", "POST", "/domain/{domainName}/role/{roleName}/token")
.comment("Return a TLS certificate for the specific role in the namespace that the principal can assume. Role certificates are valid for 30 days by default. This is deprecated and \"POST /rolecert\" api should be used instead.")
.pathParam("domainName", "DomainName", "name of the domain")
.pathParam("roleName", "EntityName", "name of role")
.input("req", "RoleCertificateRequest", "csr request")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("Access", "GET", "/access/domain/{domainName}/role/{roleName}/principal/{principal}")
.pathParam("domainName", "DomainName", "name of the domain")
.pathParam("roleName", "EntityName", "name of the role to check access for")
.pathParam("principal", "EntityName", "carry out the access check for this principal")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("RoleAccess", "GET", "/access/domain/{domainName}/principal/{principal}")
.pathParam("domainName", "DomainName", "name of the domain")
.pathParam("principal", "EntityName", "carry out the role access lookup for this principal")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("TenantDomains", "GET", "/providerdomain/{providerDomainName}/user/{userName}")
.comment("Get list of tenant domains user has access to for specified provider domain and service")
.pathParam("providerDomainName", "DomainName", "name of the provider domain")
.pathParam("userName", "EntityName", "name of the user to retrieve tenant domain access for")
.queryParam("roleName", "roleName", "EntityName", null, "role name to filter on when looking for the tenants in provider")
.queryParam("serviceName", "serviceName", "ServiceName", null, "service name to filter on when looking for the tenants in provider")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("InstanceRefreshRequest", "POST", "/instance/{domain}/{service}/refresh")
.comment("Refresh Service tokens into TLS Certificate")
.pathParam("domain", "CompoundName", "name of the domain requesting the refresh")
.pathParam("service", "SimpleName", "name of the service requesting the refresh")
.input("req", "InstanceRefreshRequest", "the refresh request")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("INTERNAL_SERVER_ERROR", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("AWSTemporaryCredentials", "GET", "/domain/{domainName}/role/{role}/creds")
.comment("perform an AWS AssumeRole of the target role and return the credentials. ZTS must have been granted the ability to assume the role in IAM, and granted the ability to assume_aws_role in Athenz for this to succeed.")
.pathParam("domainName", "DomainName", "name of the domain containing the role, which implies the target account")
.pathParam("role", "AWSArnRoleName", "the target AWS role name in the domain account, in Athenz terms, i.e. \"the.role\"")
.queryParam("durationSeconds", "durationSeconds", "Int32", null, "how long the aws temp creds should be issued for")
.queryParam("externalId", "externalId", "String", null, "aws assume role external id")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("InstanceRegisterInformation", "POST", "/instance")
.comment("Register a new service instance and issue an x.509 service identity certificate once the provider validates the attestation data along with the request attributes. We have an authenticate enabled for this endpoint but in most cases the service owner might need to make it optional by setting the zts servers no_auth_uri list to include this endpoint. We need the authenticate in case the request comes with a client certificate and the provider needs to know who that principal was in the client certificate")
.input("info", "InstanceRegisterInformation", "")
.output("Location", "location", "String", "return location for subsequent patch requests")
.auth("", "", true)
.expected("CREATED")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("INTERNAL_SERVER_ERROR", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("InstanceRefreshInformation", "POST", "/instance/{provider}/{domain}/{service}/{instanceId}")
.comment("Refresh the given service instance and issue a new x.509 service identity certificate once the provider validates the attestation data along with the request attributes. only TLS Certificate authentication is allowed")
.pathParam("provider", "ServiceName", "the provider service name (i.e. \"aws.us-west-2\", \"paas.manhattan.corp-gq1\")")
.pathParam("domain", "DomainName", "the domain of the instance")
.pathParam("service", "SimpleName", "the service this instance is supposed to run")
.pathParam("instanceId", "PathElement", "unique instance id within provider's namespace")
.input("info", "InstanceRefreshInformation", "the refresh request")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("INTERNAL_SERVER_ERROR", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("InstanceRegisterToken", "GET", "/instance/{provider}/{domain}/{service}/{instanceId}/token")
.comment("Request a token for the given service to be bootstrapped for the given provider. The caller must have authorization to manage the service in the given domain. The token will be valid for 30 mins for one time use only for the initial registration. The token must be sent back in the register request as the value of the attestationData field in the InstanceRegisterInformation object")
.pathParam("provider", "ServiceName", "the provider service name (i.e. \"aws.us-west-2\")")
.pathParam("domain", "DomainName", "the domain of the instance")
.pathParam("service", "SimpleName", "the service this instance is supposed to run")
.pathParam("instanceId", "PathElement", "unique instance id within provider's namespace")
.auth("update", "{domain}:service.{service}")
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("INTERNAL_SERVER_ERROR", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("InstanceIdentity", "DELETE", "/instance/{provider}/{domain}/{service}/{instanceId}")
.comment("Delete the given service instance certificate record thus blocking any future refresh requests from the given instance for this service There are two possible authorization checks for this endpoint: 1) domain admin: authorize(\"delete\", \"{domain}:instance.{instanceId}\") the authorized user can remove the instance record from the datastore 2) provider itself: if the identity of the caller is the provider itself then the provider is notifying ZTS that the instance was deleted")
.pathParam("provider", "ServiceName", "the provider service name (i.e. \"aws.us-west-2\", \"paas.manhattan.corp-gq1\")")
.pathParam("domain", "DomainName", "the domain of the instance")
.pathParam("service", "SimpleName", "the service this instance is supposed to run")
.pathParam("instanceId", "PathElement", "unique instance id within provider's namespace")
.auth("", "", true)
.expected("NO_CONTENT")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("INTERNAL_SERVER_ERROR", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("CertificateAuthorityBundle", "GET", "/cacerts/{name}")
.comment("Return the request CA X.509 Certificate bundle")
.pathParam("name", "SimpleName", "name of the CA cert bundle")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("Status", "GET", "/status")
.comment("Retrieve the server status")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("SSHCertRequest", "POST", "/sshcert")
.input("certRequest", "SSHCertRequest", "ssh certificate request")
.auth("", "", true)
.expected("CREATED")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("INTERNAL_SERVER_ERROR", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("OpenIDConfig", "GET", "/.well-known/openid-configuration")
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
;
sb.resource("OAuthConfig", "GET", "/.well-known/oauth-authorization-server")
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
;
sb.resource("JWKList", "GET", "/oauth2/keys")
.queryParam("rfc", "rfc", "Bool", false, "flag to indicate ec curve names are restricted to RFC values")
.queryParam("service", "service", "ServiceName", "zts", "service")
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
;
sb.resource("AccessTokenRequest", "POST", "/oauth2/token")
.comment("Fetch OAuth2 Access Token")
.input("request", "AccessTokenRequest", "token request details include scope")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("OIDCResponse", "GET", "/oauth2/auth")
.comment("Fetch OAuth OpenID Connect ID Token")
.queryParam("response_type", "responseType", "String", null, "response type - currently only supporting id tokens - id_token")
.queryParam("client_id", "clientId", "ServiceName", null, "client id - must be valid athenz service identity name")
.queryParam("redirect_uri", "redirectUri", "String", null, "redirect uri for the response")
.queryParam("scope", "scope", "String", null, "id token scope")
.queryParam("state", "state", "EntityName", null, "optional state claim included in the response location header")
.queryParam("nonce", "nonce", "EntityName", null, "nonce claim included in the id token")
.queryParam("keyType", "keyType", "SimpleName", null, "optional signing key type - RSA or EC. Might be ignored if server doesn't have the requested type configured")
.queryParam("fullArn", "fullArn", "Bool", false, "flag to indicate to use full arn in group claim (e.g. sports:role.deployer instead of deployer)")
.queryParam("expiryTime", "expiryTime", "Int32", null, "optional expiry period specified in seconds")
.queryParam("output", "output", "SimpleName", null, "optional output format of json")
.queryParam("roleInAudClaim", "roleInAudClaim", "Bool", false, "flag to indicate to include role name in the audience claim only if we have a single role in response")
.queryParam("allScopePresent", "allScopePresent", "Bool", false, "flag to indicate that all requested roles/groups in the scope must be present in the response otherwise return an error")
.output("Location", "location", "String", "return location header with id token")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("RoleCertificateRequest", "POST", "/rolecert")
.comment("Return a TLS certificate for a role that the principal can assume. The role arn is in the CN field of the Subject and the principal is in the SAN URI field.")
.name("PostRoleCertificateRequestExt")
.input("req", "RoleCertificateRequest", "csr request")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("RoleAccess", "GET", "/role/cert")
.comment("Fetch all roles that are tagged as requiring role certificates for principal")
.name("getRolesRequireRoleCert")
.queryParam("principal", "principal", "EntityName", null, "If not present, will return roles for the user making the call")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("Workloads", "GET", "/domain/{domainName}/service/{serviceName}/workloads")
.name("getWorkloadsByService")
.pathParam("domainName", "DomainName", "name of the domain")
.pathParam("serviceName", "EntityName", "name of the service")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("Workloads", "GET", "/workloads/{ip}")
.name("getWorkloadsByIP")
.pathParam("ip", "String", "ip address to query")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("TransportRules", "GET", "/domain/{domainName}/service/{serviceName}/transportRules")
.pathParam("domainName", "DomainName", "name of the domain")
.pathParam("serviceName", "EntityName", "name of the service")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("Info", "GET", "/sys/info")
.comment("Retrieve the server info. Since we're exposing server version details, the request will require authorization")
.auth("get", "sys.auth:info")
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("NOT_FOUND", "ResourceError", "")
.exception("TOO_MANY_REQUESTS", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("ExternalCredentialsRequest", "POST", "/external/{provider}/domain/{domainName}/creds")
.comment("request external credentials from the specified provider based on the specified request attributes and the principal's id token (that will be internally generated by ZTS). Based on the provider, the server will carry out internal authorization checks (e.g. is the principal authorized to request a given scope in the credentials).")
.pathParam("provider", "SimpleName", "provider name to request credentials from")
.pathParam("domainName", "DomainName", "request credentials from account/project associated with this athenz domain")
.input("request", "ExternalCredentialsRequest", "request object with optional and required attributes")
.auth("", "", true)
.expected("OK")
.exception("BAD_REQUEST", "ResourceError", "")
.exception("FORBIDDEN", "ResourceError", "")
.exception("UNAUTHORIZED", "ResourceError", "")
;
sb.resource("rdl.Schema", "GET", "/schema")
.comment("Get RDL Schema")
.auth("", "", true)
.expected("OK");
return sb.build();
}
}