1use std::collections::BTreeMap;
2
3use serde::{Deserialize, Serialize};
4
5#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
6#[serde(rename_all = "snake_case")]
7pub enum AuthMode {
8 TrustedHeaders,
9 BearerToken,
10 BearerTokenOrTrustedHeaders,
11}
12
13#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq, Default)]
14#[serde(rename_all = "snake_case")]
15pub enum SdkAuthConfigurationMode {
16 #[default]
17 BearerTokenValidation,
18 OauthClientCredentials,
19}
20
21#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq, Default)]
22#[serde(rename_all = "snake_case")]
23pub enum SdkProofOfPossession {
24 #[default]
25 Mtls,
26 Dpop,
27}
28
29#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
30#[serde(rename_all = "snake_case")]
31pub struct SdkAuthConfiguration {
32 pub mode: SdkAuthConfigurationMode,
33 pub proof_of_possession: SdkProofOfPossession,
34 pub oidc_issuer: Option<String>,
35 pub oidc_audience: Option<String>,
36 pub oidc_issuer_ready: bool,
37 pub mtls_ready: bool,
38}
39
40#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
41#[serde(rename_all = "snake_case")]
42pub struct RequestContext {
43 pub tenant_id: String,
44 pub principal_id: String,
45 pub subject: String,
46 pub auth_source: String,
47 #[serde(default)]
48 pub scopes: Vec<String>,
49}
50
51#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
52#[serde(rename_all = "snake_case")]
53pub struct SdkRouteCapability {
54 pub route: String,
55 pub domain: String,
56 pub configured: bool,
57 #[serde(default)]
58 pub required_scopes: Vec<String>,
59}
60
61#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
62#[serde(rename_all = "snake_case")]
63pub struct SdkCapabilitiesResponse {
64 pub service: String,
65 pub status: String,
66 pub auth_mode: AuthMode,
67 #[serde(default)]
68 pub auth_configuration: SdkAuthConfiguration,
69 pub caller: RequestContext,
70 #[serde(default)]
71 pub default_required_scopes: Vec<String>,
72 #[serde(default)]
73 pub routes: Vec<SdkRouteCapability>,
74}
75
76#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
77#[serde(rename_all = "snake_case")]
78pub struct CallerIdentityResponse {
79 pub service: String,
80 pub status: String,
81 pub caller: RequestContext,
82}
83
84#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
85#[serde(rename_all = "snake_case")]
86pub enum ProtectionOperation {
87 Protect,
88 Access,
89 Rewrap,
90}
91
92#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
93#[serde(rename_all = "snake_case")]
94pub enum ArtifactProfile {
95 Tdf,
96 Envelope,
97 DetachedSignature,
98}
99
100#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
101#[serde(rename_all = "snake_case")]
102pub enum KeyTransportMode {
103 LocalProvided,
104 WrappedKeyReference,
105 AuthorizedKeyRelease,
106 KemEncapsulatedCek,
107}
108
109#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
110#[serde(rename_all = "snake_case")]
111pub struct KeyTransportGuidance {
112 pub mode: KeyTransportMode,
113 pub key_material_origin: String,
114 pub stable_key_reference_preferred: bool,
115 pub raw_key_delivery_forbidden: bool,
116 pub public_key_distribution: Option<String>,
117 pub exchange_algorithm: Option<String>,
118}
119
120#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
121#[serde(rename_all = "snake_case")]
122pub struct PlatformDomainPlan {
123 pub domain: String,
124 pub configured: bool,
125 pub reason: String,
126}
127
128#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
129#[serde(rename_all = "snake_case")]
130pub struct SdkBootstrapResponse {
131 pub service: String,
132 pub status: String,
133 pub auth_mode: AuthMode,
134 #[serde(default)]
135 pub auth_configuration: SdkAuthConfiguration,
136 pub caller: RequestContext,
137 pub enforcement_model: String,
138 pub plaintext_to_platform: bool,
139 pub policy_resolution_mode: String,
140 #[serde(default)]
141 pub supported_operations: Vec<ProtectionOperation>,
142 #[serde(default)]
143 pub supported_artifact_profiles: Vec<ArtifactProfile>,
144 #[serde(default)]
145 pub platform_domains: Vec<PlatformDomainPlan>,
146}
147
148#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
149#[serde(rename_all = "snake_case")]
150pub struct WorkloadDescriptor {
151 pub application: String,
152 pub environment: Option<String>,
153 pub component: Option<String>,
154}
155
156#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
157#[serde(rename_all = "snake_case")]
158pub struct ResourceDescriptor {
159 pub kind: String,
160 pub id: Option<String>,
161 pub mime_type: Option<String>,
162}
163
164#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
165#[serde(rename_all = "snake_case")]
166pub struct SdkProtectionPlanRequest {
167 pub operation: ProtectionOperation,
168 pub workload: WorkloadDescriptor,
169 pub resource: ResourceDescriptor,
170 pub preferred_artifact_profile: Option<ArtifactProfile>,
171 pub content_digest: Option<String>,
172 pub content_size_bytes: Option<u64>,
173 pub purpose: Option<String>,
174 #[serde(default)]
175 pub labels: Vec<String>,
176 #[serde(default)]
177 pub attributes: BTreeMap<String, String>,
178}
179
180#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
181#[serde(rename_all = "snake_case")]
182pub struct ProtectionPlanSummary {
183 pub operation: ProtectionOperation,
184 pub workload_application: String,
185 pub workload_environment: Option<String>,
186 pub workload_component: Option<String>,
187 pub resource_kind: String,
188 pub resource_id: Option<String>,
189 pub mime_type: Option<String>,
190 pub preferred_artifact_profile: ArtifactProfile,
191 pub content_digest_present: bool,
192 pub content_size_bytes: Option<u64>,
193 pub label_count: usize,
194 pub attribute_count: usize,
195 pub purpose: Option<String>,
196}
197
198#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
199#[serde(rename_all = "snake_case")]
200pub struct ProtectionPlanDecision {
201 pub allow: bool,
202 #[serde(default)]
203 pub required_scopes: Vec<String>,
204 pub handling_mode: String,
205 pub plaintext_transport: String,
206}
207
208#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
209#[serde(rename_all = "snake_case")]
210pub struct ProtectionExecutionPlan {
211 pub protect_locally: bool,
212 pub local_enforcement_library: String,
213 pub send_plaintext_to_platform: bool,
214 #[serde(default)]
215 pub send_only: Vec<String>,
216 pub artifact_profile: ArtifactProfile,
217 pub key_strategy: String,
218 pub policy_resolution: String,
219 #[serde(default)]
220 pub key_transport: Option<KeyTransportGuidance>,
221}
222
223#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
224#[serde(rename_all = "snake_case")]
225pub struct SdkProtectionPlanResponse {
226 pub service: String,
227 pub status: String,
228 pub caller: RequestContext,
229 pub request_summary: ProtectionPlanSummary,
230 pub decision: ProtectionPlanDecision,
231 pub execution: ProtectionExecutionPlan,
232 #[serde(default)]
233 pub platform_domains: Vec<PlatformDomainPlan>,
234 #[serde(default)]
235 pub warnings: Vec<String>,
236}
237
238#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
239#[serde(rename_all = "snake_case")]
240pub struct SdkPolicyResolveRequest {
241 pub operation: ProtectionOperation,
242 pub workload: WorkloadDescriptor,
243 pub resource: ResourceDescriptor,
244 pub content_digest: Option<String>,
245 pub content_size_bytes: Option<u64>,
246 pub purpose: Option<String>,
247 #[serde(default)]
248 pub labels: Vec<String>,
249 #[serde(default)]
250 pub attributes: BTreeMap<String, String>,
251}
252
253#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
254#[serde(rename_all = "snake_case")]
255pub struct PolicyRequestSummary {
256 pub operation: ProtectionOperation,
257 pub workload_application: String,
258 pub workload_environment: Option<String>,
259 pub workload_component: Option<String>,
260 pub resource_kind: String,
261 pub resource_id: Option<String>,
262 pub mime_type: Option<String>,
263 pub content_digest_present: bool,
264 pub content_size_bytes: Option<u64>,
265 pub purpose: Option<String>,
266 pub label_count: usize,
267 pub attribute_count: usize,
268}
269
270#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
271#[serde(rename_all = "snake_case")]
272pub struct PolicyResolutionDecision {
273 pub allow: bool,
274 pub enforcement_mode: String,
275 #[serde(default)]
276 pub required_scopes: Vec<String>,
277 #[serde(default)]
278 pub policy_inputs: Vec<String>,
279 #[serde(default)]
280 pub required_actions: Vec<String>,
281}
282
283#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
284#[serde(rename_all = "snake_case")]
285pub struct PolicyHandlingGuidance {
286 pub protect_locally: bool,
287 pub plaintext_transport: String,
288 #[serde(default)]
289 pub bind_policy_to: Vec<String>,
290 #[serde(default)]
291 pub evidence_expected: Vec<String>,
292}
293
294#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
295#[serde(rename_all = "snake_case")]
296pub struct SdkPolicyResolveResponse {
297 pub service: String,
298 pub status: String,
299 pub caller: RequestContext,
300 pub request_summary: PolicyRequestSummary,
301 pub decision: PolicyResolutionDecision,
302 pub handling: PolicyHandlingGuidance,
303 #[serde(default)]
304 pub platform_domains: Vec<PlatformDomainPlan>,
305 #[serde(default)]
306 pub warnings: Vec<String>,
307}
308
309#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
310#[serde(rename_all = "snake_case")]
311pub enum KeyAccessOperation {
312 Wrap,
313 Unwrap,
314 Rewrap,
315}
316
317#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
318#[serde(rename_all = "snake_case")]
319pub struct SdkKeyAccessPlanRequest {
320 pub operation: KeyAccessOperation,
321 pub workload: WorkloadDescriptor,
322 pub resource: ResourceDescriptor,
323 pub artifact_profile: Option<ArtifactProfile>,
324 pub key_reference: Option<String>,
325 pub content_digest: Option<String>,
326 pub purpose: Option<String>,
327 #[serde(default)]
328 pub labels: Vec<String>,
329 #[serde(default)]
330 pub attributes: BTreeMap<String, String>,
331}
332
333#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
334#[serde(rename_all = "snake_case")]
335pub struct KeyAccessRequestSummary {
336 pub operation: KeyAccessOperation,
337 pub workload_application: String,
338 pub workload_environment: Option<String>,
339 pub workload_component: Option<String>,
340 pub resource_kind: String,
341 pub resource_id: Option<String>,
342 pub mime_type: Option<String>,
343 pub artifact_profile: ArtifactProfile,
344 pub key_reference_present: bool,
345 pub content_digest_present: bool,
346 pub purpose: Option<String>,
347 pub label_count: usize,
348 pub attribute_count: usize,
349}
350
351#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
352#[serde(rename_all = "snake_case")]
353pub struct KeyAccessDecision {
354 pub allow: bool,
355 #[serde(default)]
356 pub required_scopes: Vec<String>,
357 pub operation: KeyAccessOperation,
358 pub key_reference_present: bool,
359}
360
361#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
362#[serde(rename_all = "snake_case")]
363pub struct KeyAccessExecutionPlan {
364 pub local_cryptographic_operation: bool,
365 pub platform_role: String,
366 pub send_plaintext_to_platform: bool,
367 #[serde(default)]
368 pub send_only: Vec<String>,
369 pub artifact_profile: ArtifactProfile,
370 pub authorization_strategy: String,
371 #[serde(default)]
372 pub key_transport: Option<KeyTransportGuidance>,
373}
374
375#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
376#[serde(rename_all = "snake_case")]
377pub struct SdkKeyAccessPlanResponse {
378 pub service: String,
379 pub status: String,
380 pub caller: RequestContext,
381 pub request_summary: KeyAccessRequestSummary,
382 pub decision: KeyAccessDecision,
383 pub execution: KeyAccessExecutionPlan,
384 #[serde(default)]
385 pub platform_domains: Vec<PlatformDomainPlan>,
386 #[serde(default)]
387 pub warnings: Vec<String>,
388}
389
390#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
391#[serde(rename_all = "snake_case")]
392pub struct SdkArtifactRegisterRequest {
393 pub operation: ProtectionOperation,
394 pub workload: WorkloadDescriptor,
395 pub resource: ResourceDescriptor,
396 pub artifact_profile: ArtifactProfile,
397 pub artifact_digest: String,
398 pub artifact_locator: Option<String>,
399 pub decision_id: Option<String>,
400 pub key_reference: Option<String>,
401 pub purpose: Option<String>,
402 #[serde(default)]
403 pub labels: Vec<String>,
404 #[serde(default)]
405 pub attributes: BTreeMap<String, String>,
406}
407
408#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
409#[serde(rename_all = "snake_case")]
410pub struct ArtifactRegistrationSummary {
411 pub operation: ProtectionOperation,
412 pub workload_application: String,
413 pub workload_environment: Option<String>,
414 pub workload_component: Option<String>,
415 pub resource_kind: String,
416 pub resource_id: Option<String>,
417 pub mime_type: Option<String>,
418 pub artifact_profile: ArtifactProfile,
419 pub artifact_digest: String,
420 pub artifact_locator_present: bool,
421 pub decision_id_present: bool,
422 pub key_reference_present: bool,
423 pub purpose: Option<String>,
424 pub label_count: usize,
425 pub attribute_count: usize,
426}
427
428#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
429#[serde(rename_all = "snake_case")]
430pub struct ArtifactRegistrationPlan {
431 pub accepted: bool,
432 #[serde(default)]
433 pub required_scopes: Vec<String>,
434 pub artifact_transport: String,
435 pub send_plaintext_to_platform: bool,
436 #[serde(default)]
437 pub catalog_actions: Vec<String>,
438 #[serde(default)]
439 pub evidence_expected: Vec<String>,
440}
441
442#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
443#[serde(rename_all = "snake_case")]
444pub struct SdkArtifactRegisterResponse {
445 pub service: String,
446 pub status: String,
447 pub caller: RequestContext,
448 pub request_summary: ArtifactRegistrationSummary,
449 pub registration: ArtifactRegistrationPlan,
450 #[serde(default)]
451 pub platform_domains: Vec<PlatformDomainPlan>,
452 #[serde(default)]
453 pub warnings: Vec<String>,
454}
455
456#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
457#[serde(rename_all = "snake_case")]
458pub enum EvidenceEventType {
459 Protect,
460 Access,
461 Rewrap,
462 Deny,
463}
464
465#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
466#[serde(rename_all = "snake_case")]
467pub struct SdkEvidenceIngestRequest {
468 pub event_type: EvidenceEventType,
469 pub workload: WorkloadDescriptor,
470 pub resource: ResourceDescriptor,
471 pub artifact_profile: Option<ArtifactProfile>,
472 pub artifact_digest: Option<String>,
473 pub decision_id: Option<String>,
474 pub outcome: Option<String>,
475 pub occurred_at: Option<String>,
476 pub purpose: Option<String>,
477 #[serde(default)]
478 pub labels: Vec<String>,
479 #[serde(default)]
480 pub attributes: BTreeMap<String, String>,
481}
482
483#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
484#[serde(rename_all = "snake_case")]
485pub struct EvidenceIngestSummary {
486 pub event_type: EvidenceEventType,
487 pub workload_application: String,
488 pub workload_environment: Option<String>,
489 pub workload_component: Option<String>,
490 pub resource_kind: String,
491 pub resource_id: Option<String>,
492 pub mime_type: Option<String>,
493 pub artifact_profile: Option<ArtifactProfile>,
494 pub artifact_digest_present: bool,
495 pub decision_id_present: bool,
496 pub outcome: Option<String>,
497 pub occurred_at: Option<String>,
498 pub purpose: Option<String>,
499 pub label_count: usize,
500 pub attribute_count: usize,
501}
502
503#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
504#[serde(rename_all = "snake_case")]
505pub struct EvidenceIngestionPlan {
506 pub accepted: bool,
507 #[serde(default)]
508 pub required_scopes: Vec<String>,
509 pub plaintext_transport: String,
510 #[serde(default)]
511 pub send_only: Vec<String>,
512 #[serde(default)]
513 pub correlate_by: Vec<String>,
514}
515
516#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
517#[serde(rename_all = "snake_case")]
518pub struct SdkEvidenceIngestResponse {
519 pub service: String,
520 pub status: String,
521 pub caller: RequestContext,
522 pub request_summary: EvidenceIngestSummary,
523 pub ingestion: EvidenceIngestionPlan,
524 #[serde(default)]
525 pub platform_domains: Vec<PlatformDomainPlan>,
526 #[serde(default)]
527 pub warnings: Vec<String>,
528}