
tf_types/generated/
federation_attestation.rs

1// GENERATED by `tf-schema codegen --target rust` — DO NOT EDIT BY HAND.
2
3#![allow(unused_imports, non_camel_case_types, non_snake_case, clippy::all)]
4
5use serde::{Deserialize, Serialize};
6use super::*;
7
/// Cross-trust-domain attestation: domain A signs a statement asserting that domain B's identity (or a specific actor in B) is recognized within A's trust fabric, optionally bounded by capability scope and time. Used by SPIFFE federated trust bundles, business-partner trust links, and sovereignty federations (TF-0002 "federated" identity mode).
///
/// This is a wire/data type only: nothing in this file checks the signature,
/// the validity window, or the bundle contents. Those checks belong to the
/// consumer (presumably a federation verifier) — confirm they cover every
/// field below, since a field that is not checked is effectively unauthenticated.
// NOTE(review): there is no `#[serde(deny_unknown_fields)]` on this struct, so
// serde's default of ignoring unrecognized keys applies on deserialization.
// Whether that is acceptable for signed attestation material depends on what
// the signature covers (raw bytes vs. the parsed fields) — confirm against the
// SignatureEnvelope verification path. Doc text here presumably originates in
// the schema source; changes should be made there, not in this generated file.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct FederationAttestation {
    /// Version of the federation-attestation schema.
    pub attestation_version: FederationAttestation_AttestationVersion,
    /// Stable identifier for this attestation; used for revocation lookups.
    // NOTE(review): uniqueness is not enforced by the type; two attestations
    // sharing an id would collide in a revocation lookup — confirm issuance
    // guarantees uniqueness (at least per issuer_domain).
    pub attestation_id: String,
    /// Domain making the assertion.
    pub issuer_domain: TrustDomain,
    /// Domain being recognized.
    pub subject_domain: TrustDomain,
    /// Optional specific actor inside subject_domain. When omitted the attestation covers the whole domain.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub subject_actor: Option<ActorId>,
    /// Optional list of action names this attestation permits cross-domain. Empty means "recognize identity only" (no implicit authority).
    // NOTE(review): both `None` and `Some(vec![])` read as "identity only" per
    // the description above; the consumer should grant no authority in either
    // case rather than treating an empty `Some` as a wildcard — confirm.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub scope: Option<Vec<ActionName>>,
    /// Maximum TrustLevel the issuer is willing to extend to subjects under this attestation.
    // NOTE(review): the description names a single maximum, but the type is a
    // list of levels. The schema presumably means the set of levels that may
    // be granted; confirm which reading the consumer implements so that no
    // entry in the list is mistaken for a ceiling it does not represent.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub trust_levels_granted: Option<Vec<TrustLevel>>,
    /// SPIFFE-style trust bundle: the public keys / certificates of subject_domain that issuer_domain accepts. Each entry is either an X.509 PEM, a SPIFFE JWT-SVID JWK, or an opaque ed25519 public key.
    // Required on the wire (no `skip_serializing_if`/`default`), unlike the
    // optional fields around it. An empty list still deserializes; whether an
    // empty bundle is meaningful is not decided by this type.
    pub trust_bundle: Vec<FederationAttestation_TrustBundle_Item>,
    /// Optional constraints attached to the federation grant (rate limits, target globs, time windows).
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub constraints: Option<Vec<Constraint>>,
    /// Time at which this attestation was issued.
    pub issued_at: Timestamp,
    /// End of the attestation's validity window (the time bound in the struct doc).
    // NOTE(review): inclusive vs. exclusive boundary and any clock-skew
    // tolerance are not defined by the type — confirm in the consumer.
    pub valid_until: Timestamp,
    /// Authority within issuer_domain that signed this attestation.
    pub issuer: ActorId,
    /// Signature produced by `issuer` over this attestation.
    // NOTE(review): which bytes are signed (a canonical serialization of the
    // fields above vs. a detached payload) is defined by SignatureEnvelope,
    // not here — confirm every field, including trust_bundle and constraints,
    // falls inside the signed payload.
    pub signature: SignatureEnvelope,
}
39
/// Version of the federation-attestation schema.
///
/// On the wire the variant is named `"1"` (see the `rename` below), not `V1`
/// and not a number.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum FederationAttestation_AttestationVersion {
    /// Initial schema version; the only one this generated type accepts.
    // Because this is the sole variant, any other version tag fails to
    // deserialize instead of being silently accepted.
    #[serde(rename = "1")]
    V1,
}
46
/// One entry of `FederationAttestation::trust_bundle`: a key or certificate of
/// the subject domain that the issuer domain accepts. The parent doc lists the
/// expected forms: an X.509 PEM, a SPIFFE JWT-SVID JWK, or an opaque ed25519
/// public key.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct FederationAttestation_TrustBundle_Item {
    /// Format of the bundle entry.
    // NOTE(review): `kind` is a free-form String, so the accepted set of
    // formats is not enforced by the type. Consumers should match the exact
    // kinds they support and reject anything else rather than sniffing
    // `value` — confirm the schema intends this to stay a string rather than
    // an enum.
    pub kind: String,
    /// Encoded key material (PEM string, base64 JWK JSON, or base64 raw public key).
    // The encoding depends on `kind`; decode only once `kind` is recognized.
    pub value: String,
    /// Optional stable key identifier within the bundle.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub key_id: Option<String>,
}