1use std::collections::BTreeMap;
2
3use serde::{Deserialize, Serialize};
4
5#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
6#[serde(rename_all = "snake_case")]
7pub enum AuthMode {
8 TrustedHeaders,
9 BearerToken,
10 BearerTokenOrTrustedHeaders,
11}
12
13#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
14#[serde(rename_all = "snake_case")]
15pub struct RequestContext {
16 pub tenant_id: String,
17 pub principal_id: String,
18 pub subject: String,
19 pub auth_source: String,
20 #[serde(default)]
21 pub scopes: Vec<String>,
22}
23
24#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
25#[serde(rename_all = "snake_case")]
26pub struct SdkRouteCapability {
27 pub route: String,
28 pub domain: String,
29 pub configured: bool,
30 #[serde(default)]
31 pub required_scopes: Vec<String>,
32}
33
34#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
35#[serde(rename_all = "snake_case")]
36pub struct SdkCapabilitiesResponse {
37 pub service: String,
38 pub status: String,
39 pub auth_mode: AuthMode,
40 pub caller: RequestContext,
41 #[serde(default)]
42 pub default_required_scopes: Vec<String>,
43 #[serde(default)]
44 pub routes: Vec<SdkRouteCapability>,
45}
46
47#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
48#[serde(rename_all = "snake_case")]
49pub struct CallerIdentityResponse {
50 pub service: String,
51 pub status: String,
52 pub caller: RequestContext,
53}
54
55#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
56#[serde(rename_all = "snake_case")]
57pub enum ProtectionOperation {
58 Protect,
59 Access,
60 Rewrap,
61}
62
63#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
64#[serde(rename_all = "snake_case")]
65pub enum ArtifactProfile {
66 Tdf,
67 Envelope,
68 DetachedSignature,
69}
70
71#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
72#[serde(rename_all = "snake_case")]
73pub struct PlatformDomainPlan {
74 pub domain: String,
75 pub configured: bool,
76 pub reason: String,
77}
78
79#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
80#[serde(rename_all = "snake_case")]
81pub struct SdkBootstrapResponse {
82 pub service: String,
83 pub status: String,
84 pub auth_mode: AuthMode,
85 pub caller: RequestContext,
86 pub enforcement_model: String,
87 pub plaintext_to_platform: bool,
88 pub policy_resolution_mode: String,
89 #[serde(default)]
90 pub supported_operations: Vec<ProtectionOperation>,
91 #[serde(default)]
92 pub supported_artifact_profiles: Vec<ArtifactProfile>,
93 #[serde(default)]
94 pub platform_domains: Vec<PlatformDomainPlan>,
95}
96
97#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
98#[serde(rename_all = "snake_case")]
99pub struct SdkSessionExchangeResponse {
100 pub access_token: String,
101 pub token_type: String,
102 pub expires_in: u64,
103 pub scope: String,
104 pub tenant_id: String,
105 pub client_id: String,
106 pub subject: String,
107}
108
109#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
110#[serde(rename_all = "snake_case")]
111pub struct WorkloadDescriptor {
112 pub application: String,
113 pub environment: Option<String>,
114 pub component: Option<String>,
115}
116
117#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
118#[serde(rename_all = "snake_case")]
119pub struct ResourceDescriptor {
120 pub kind: String,
121 pub id: Option<String>,
122 pub mime_type: Option<String>,
123}
124
125#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
126#[serde(rename_all = "snake_case")]
127pub struct SdkProtectionPlanRequest {
128 pub operation: ProtectionOperation,
129 pub workload: WorkloadDescriptor,
130 pub resource: ResourceDescriptor,
131 pub preferred_artifact_profile: Option<ArtifactProfile>,
132 pub content_digest: Option<String>,
133 pub content_size_bytes: Option<u64>,
134 pub purpose: Option<String>,
135 #[serde(default)]
136 pub labels: Vec<String>,
137 #[serde(default)]
138 pub attributes: BTreeMap<String, String>,
139}
140
141#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
142#[serde(rename_all = "snake_case")]
143pub struct ProtectionPlanSummary {
144 pub operation: ProtectionOperation,
145 pub workload_application: String,
146 pub workload_environment: Option<String>,
147 pub workload_component: Option<String>,
148 pub resource_kind: String,
149 pub resource_id: Option<String>,
150 pub mime_type: Option<String>,
151 pub preferred_artifact_profile: ArtifactProfile,
152 pub content_digest_present: bool,
153 pub content_size_bytes: Option<u64>,
154 pub label_count: usize,
155 pub attribute_count: usize,
156 pub purpose: Option<String>,
157}
158
159#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
160#[serde(rename_all = "snake_case")]
161pub struct ProtectionPlanDecision {
162 pub allow: bool,
163 #[serde(default)]
164 pub required_scopes: Vec<String>,
165 pub handling_mode: String,
166 pub plaintext_transport: String,
167}
168
169#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
170#[serde(rename_all = "snake_case")]
171pub struct ProtectionExecutionPlan {
172 pub protect_locally: bool,
173 pub local_enforcement_library: String,
174 pub send_plaintext_to_platform: bool,
175 #[serde(default)]
176 pub send_only: Vec<String>,
177 pub artifact_profile: ArtifactProfile,
178 pub key_strategy: String,
179 pub policy_resolution: String,
180}
181
182#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
183#[serde(rename_all = "snake_case")]
184pub struct SdkProtectionPlanResponse {
185 pub service: String,
186 pub status: String,
187 pub caller: RequestContext,
188 pub request_summary: ProtectionPlanSummary,
189 pub decision: ProtectionPlanDecision,
190 pub execution: ProtectionExecutionPlan,
191 #[serde(default)]
192 pub platform_domains: Vec<PlatformDomainPlan>,
193 #[serde(default)]
194 pub warnings: Vec<String>,
195}
196
197#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
198#[serde(rename_all = "snake_case")]
199pub struct SdkPolicyResolveRequest {
200 pub operation: ProtectionOperation,
201 pub workload: WorkloadDescriptor,
202 pub resource: ResourceDescriptor,
203 pub content_digest: Option<String>,
204 pub content_size_bytes: Option<u64>,
205 pub purpose: Option<String>,
206 #[serde(default)]
207 pub labels: Vec<String>,
208 #[serde(default)]
209 pub attributes: BTreeMap<String, String>,
210}
211
212#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
213#[serde(rename_all = "snake_case")]
214pub struct PolicyRequestSummary {
215 pub operation: ProtectionOperation,
216 pub workload_application: String,
217 pub workload_environment: Option<String>,
218 pub workload_component: Option<String>,
219 pub resource_kind: String,
220 pub resource_id: Option<String>,
221 pub mime_type: Option<String>,
222 pub content_digest_present: bool,
223 pub content_size_bytes: Option<u64>,
224 pub purpose: Option<String>,
225 pub label_count: usize,
226 pub attribute_count: usize,
227}
228
229#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
230#[serde(rename_all = "snake_case")]
231pub struct PolicyResolutionDecision {
232 pub allow: bool,
233 pub enforcement_mode: String,
234 #[serde(default)]
235 pub required_scopes: Vec<String>,
236 #[serde(default)]
237 pub policy_inputs: Vec<String>,
238 #[serde(default)]
239 pub required_actions: Vec<String>,
240}
241
242#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
243#[serde(rename_all = "snake_case")]
244pub struct PolicyHandlingGuidance {
245 pub protect_locally: bool,
246 pub plaintext_transport: String,
247 #[serde(default)]
248 pub bind_policy_to: Vec<String>,
249 #[serde(default)]
250 pub evidence_expected: Vec<String>,
251}
252
253#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
254#[serde(rename_all = "snake_case")]
255pub struct SdkPolicyResolveResponse {
256 pub service: String,
257 pub status: String,
258 pub caller: RequestContext,
259 pub request_summary: PolicyRequestSummary,
260 pub decision: PolicyResolutionDecision,
261 pub handling: PolicyHandlingGuidance,
262 #[serde(default)]
263 pub platform_domains: Vec<PlatformDomainPlan>,
264 #[serde(default)]
265 pub warnings: Vec<String>,
266}
267
268#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
269#[serde(rename_all = "snake_case")]
270pub enum KeyAccessOperation {
271 Wrap,
272 Unwrap,
273 Rewrap,
274}
275
276#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
277#[serde(rename_all = "snake_case")]
278pub struct SdkKeyAccessPlanRequest {
279 pub operation: KeyAccessOperation,
280 pub workload: WorkloadDescriptor,
281 pub resource: ResourceDescriptor,
282 pub artifact_profile: Option<ArtifactProfile>,
283 pub key_reference: Option<String>,
284 pub content_digest: Option<String>,
285 pub purpose: Option<String>,
286 #[serde(default)]
287 pub labels: Vec<String>,
288 #[serde(default)]
289 pub attributes: BTreeMap<String, String>,
290}
291
292#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
293#[serde(rename_all = "snake_case")]
294pub struct KeyAccessRequestSummary {
295 pub operation: KeyAccessOperation,
296 pub workload_application: String,
297 pub workload_environment: Option<String>,
298 pub workload_component: Option<String>,
299 pub resource_kind: String,
300 pub resource_id: Option<String>,
301 pub mime_type: Option<String>,
302 pub artifact_profile: ArtifactProfile,
303 pub key_reference_present: bool,
304 pub content_digest_present: bool,
305 pub purpose: Option<String>,
306 pub label_count: usize,
307 pub attribute_count: usize,
308}
309
310#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
311#[serde(rename_all = "snake_case")]
312pub struct KeyAccessDecision {
313 pub allow: bool,
314 #[serde(default)]
315 pub required_scopes: Vec<String>,
316 pub operation: KeyAccessOperation,
317 pub key_reference_present: bool,
318}
319
320#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
321#[serde(rename_all = "snake_case")]
322pub struct KeyAccessExecutionPlan {
323 pub local_cryptographic_operation: bool,
324 pub platform_role: String,
325 pub send_plaintext_to_platform: bool,
326 #[serde(default)]
327 pub send_only: Vec<String>,
328 pub artifact_profile: ArtifactProfile,
329 pub authorization_strategy: String,
330}
331
332#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
333#[serde(rename_all = "snake_case")]
334pub struct SdkKeyAccessPlanResponse {
335 pub service: String,
336 pub status: String,
337 pub caller: RequestContext,
338 pub request_summary: KeyAccessRequestSummary,
339 pub decision: KeyAccessDecision,
340 pub execution: KeyAccessExecutionPlan,
341 #[serde(default)]
342 pub platform_domains: Vec<PlatformDomainPlan>,
343 #[serde(default)]
344 pub warnings: Vec<String>,
345}
346
347#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
348#[serde(rename_all = "snake_case")]
349pub struct SdkArtifactRegisterRequest {
350 pub operation: ProtectionOperation,
351 pub workload: WorkloadDescriptor,
352 pub resource: ResourceDescriptor,
353 pub artifact_profile: ArtifactProfile,
354 pub artifact_digest: String,
355 pub artifact_locator: Option<String>,
356 pub decision_id: Option<String>,
357 pub key_reference: Option<String>,
358 pub purpose: Option<String>,
359 #[serde(default)]
360 pub labels: Vec<String>,
361 #[serde(default)]
362 pub attributes: BTreeMap<String, String>,
363}
364
365#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
366#[serde(rename_all = "snake_case")]
367pub struct ArtifactRegistrationSummary {
368 pub operation: ProtectionOperation,
369 pub workload_application: String,
370 pub workload_environment: Option<String>,
371 pub workload_component: Option<String>,
372 pub resource_kind: String,
373 pub resource_id: Option<String>,
374 pub mime_type: Option<String>,
375 pub artifact_profile: ArtifactProfile,
376 pub artifact_digest: String,
377 pub artifact_locator_present: bool,
378 pub decision_id_present: bool,
379 pub key_reference_present: bool,
380 pub purpose: Option<String>,
381 pub label_count: usize,
382 pub attribute_count: usize,
383}
384
385#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
386#[serde(rename_all = "snake_case")]
387pub struct ArtifactRegistrationPlan {
388 pub accepted: bool,
389 #[serde(default)]
390 pub required_scopes: Vec<String>,
391 pub artifact_transport: String,
392 pub send_plaintext_to_platform: bool,
393 #[serde(default)]
394 pub catalog_actions: Vec<String>,
395 #[serde(default)]
396 pub evidence_expected: Vec<String>,
397}
398
399#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
400#[serde(rename_all = "snake_case")]
401pub struct SdkArtifactRegisterResponse {
402 pub service: String,
403 pub status: String,
404 pub caller: RequestContext,
405 pub request_summary: ArtifactRegistrationSummary,
406 pub registration: ArtifactRegistrationPlan,
407 #[serde(default)]
408 pub platform_domains: Vec<PlatformDomainPlan>,
409 #[serde(default)]
410 pub warnings: Vec<String>,
411}
412
413#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
414#[serde(rename_all = "snake_case")]
415pub enum EvidenceEventType {
416 Protect,
417 Access,
418 Rewrap,
419 Deny,
420}
421
422#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
423#[serde(rename_all = "snake_case")]
424pub struct SdkEvidenceIngestRequest {
425 pub event_type: EvidenceEventType,
426 pub workload: WorkloadDescriptor,
427 pub resource: ResourceDescriptor,
428 pub artifact_profile: Option<ArtifactProfile>,
429 pub artifact_digest: Option<String>,
430 pub decision_id: Option<String>,
431 pub outcome: Option<String>,
432 pub occurred_at: Option<String>,
433 pub purpose: Option<String>,
434 #[serde(default)]
435 pub labels: Vec<String>,
436 #[serde(default)]
437 pub attributes: BTreeMap<String, String>,
438}
439
440#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
441#[serde(rename_all = "snake_case")]
442pub struct EvidenceIngestSummary {
443 pub event_type: EvidenceEventType,
444 pub workload_application: String,
445 pub workload_environment: Option<String>,
446 pub workload_component: Option<String>,
447 pub resource_kind: String,
448 pub resource_id: Option<String>,
449 pub mime_type: Option<String>,
450 pub artifact_profile: Option<ArtifactProfile>,
451 pub artifact_digest_present: bool,
452 pub decision_id_present: bool,
453 pub outcome: Option<String>,
454 pub occurred_at: Option<String>,
455 pub purpose: Option<String>,
456 pub label_count: usize,
457 pub attribute_count: usize,
458}
459
460#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
461#[serde(rename_all = "snake_case")]
462pub struct EvidenceIngestionPlan {
463 pub accepted: bool,
464 #[serde(default)]
465 pub required_scopes: Vec<String>,
466 pub plaintext_transport: String,
467 #[serde(default)]
468 pub send_only: Vec<String>,
469 #[serde(default)]
470 pub correlate_by: Vec<String>,
471}
472
473#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
474#[serde(rename_all = "snake_case")]
475pub struct SdkEvidenceIngestResponse {
476 pub service: String,
477 pub status: String,
478 pub caller: RequestContext,
479 pub request_summary: EvidenceIngestSummary,
480 pub ingestion: EvidenceIngestionPlan,
481 #[serde(default)]
482 pub platform_domains: Vec<PlatformDomainPlan>,
483 #[serde(default)]
484 pub warnings: Vec<String>,
485}