// GENERATED by `tf-schema codegen --target rust` — DO NOT EDIT BY HAND.
#![allow(unused_imports, non_camel_case_types, non_snake_case, clippy::all)]
use serde::{Deserialize, Serialize};
use super::*;
/// Cross-trust-domain attestation: domain A signs a statement asserting that domain B's identity (or a specific actor in B) is recognized within A's trust fabric, optionally bounded by capability scope and time. Used by SPIFFE federated trust bundles, business-partner trust links, and sovereignty federations (TF-0002 "federated" identity mode).
///
/// This is a plain data carrier produced by `tf-schema codegen`; deserializing it proves nothing.
/// A consumer must still (1) verify `signature` against a key it already trusts for `issuer`,
/// (2) check that the current time lies within `issued_at..=valid_until`, and (3) look the
/// `attestation_id` up for revocation, before extending any trust to `subject_domain`.
/// The derived `Deserialize` does not set `deny_unknown_fields`, so unrecognized keys are
/// silently dropped on input; NOTE(review): the signature should therefore be verified over
/// the original signed bytes rather than over a re-serialization of this struct — confirm
/// against `SignatureEnvelope`'s verification path.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct FederationAttestation {
/// Version of the federation-attestation schema. Only the variants of
/// `FederationAttestation_AttestationVersion` deserialize; any other value is rejected.
pub attestation_version: FederationAttestation_AttestationVersion,
/// Stable identifier for this attestation; used for revocation lookups.
/// Uniqueness is not enforced by this type — presumably guaranteed by the issuer; verify.
pub attestation_id: String,
/// Domain making the assertion. NOTE(review): nothing here ties `issuer` to this domain;
/// that binding is presumably checked during signature verification — confirm.
pub issuer_domain: TrustDomain,
/// Domain being recognized.
pub subject_domain: TrustDomain,
/// Optional specific actor inside subject_domain. When omitted the attestation covers the whole domain.
#[serde(skip_serializing_if = "Option::is_none", default)]
pub subject_actor: Option<ActorId>,
/// Optional list of action names this attestation permits cross-domain. Empty means "recognize identity only" (no implicit authority).
/// The type admits both `None` (key absent, via `default`) and `Some(vec![])`; this schema
/// does not distinguish them, so consumers should treat both as granting no authority.
#[serde(skip_serializing_if = "Option::is_none", default)]
pub scope: Option<Vec<ActionName>>,
/// TrustLevels the issuer is willing to extend to subjects under this attestation.
/// NOTE(review): the upstream description says "Maximum TrustLevel" but the field is a list,
/// not a single ceiling — confirm whether consumers take the set, or the highest element,
/// as the bound. An omitted value presumably grants no elevated level; verify.
#[serde(skip_serializing_if = "Option::is_none", default)]
pub trust_levels_granted: Option<Vec<TrustLevel>>,
/// SPIFFE-style trust bundle: the public keys / certificates of subject_domain that issuer_domain accepts. Each entry is either an X.509 PEM, a SPIFFE JWT-SVID JWK, or an opaque ed25519 public key.
/// Entries are opaque strings at this layer (see `FederationAttestation_TrustBundle_Item`);
/// no parsing or format validation happens on deserialization.
pub trust_bundle: Vec<FederationAttestation_TrustBundle_Item>,
/// Optional constraints attached to the federation grant (rate limits, target globs, time windows).
#[serde(skip_serializing_if = "Option::is_none", default)]
pub constraints: Option<Vec<Constraint>>,
/// Start of the validity window (see the time bound described on the struct).
pub issued_at: Timestamp,
/// End of the validity window; an attestation past this instant must not be honored.
/// Clock-skew tolerance, if any, is not expressed in this type.
pub valid_until: Timestamp,
/// Authority within issuer_domain that signed this attestation.
pub issuer: ActorId,
/// Signature produced by `issuer` over this attestation. Which fields/bytes it covers is
/// defined by `SignatureEnvelope`, not here — TODO confirm it binds every field above,
/// in particular `scope`, `trust_levels_granted` and `valid_until`.
pub signature: SignatureEnvelope,
}
/// Version of the federation-attestation schema.
///
/// Serialized as the string `"1"`. Because this enum has a single variant and no fallback,
/// deserializing any other version string fails with an unknown-variant error rather than
/// being coerced — a deliberate fail-closed default for a signed trust artifact.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum FederationAttestation_AttestationVersion {
/// Schema version 1 (wire value `"1"`).
#[serde(rename = "1")]
V1,
}
/// One entry of a `FederationAttestation::trust_bundle`: a public key or certificate of the
/// subject domain, carried as an opaque string.
///
/// Both `kind` and `value` are unvalidated `String`s at this layer — the permitted `kind`
/// values are not enumerated in this generated type, and `value` is not decoded. A consumer
/// should reject entries whose `kind` it does not recognize (rather than guessing a format from
/// `value`) and should fully parse/validate the key material before trusting it.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct FederationAttestation_TrustBundle_Item {
/// Format of the bundle entry. Free-form here; the accepted set is defined by the consuming
/// validator, presumably matching the three formats listed on `trust_bundle` — confirm.
pub kind: String,
/// Encoded key material (PEM string, base64 JWK JSON, or base64 raw public key).
/// Interpretation depends on `kind`; no decoding is performed on deserialization.
pub value: String,
/// Optional stable key identifier within the bundle.
/// Uniqueness across the bundle is not enforced by this type.
#[serde(skip_serializing_if = "Option::is_none", default)]
pub key_id: Option<String>,
}