tf_types/generated/federation_attestation.rs
1// GENERATED by `tf-schema codegen --target rust` — DO NOT EDIT BY HAND.
2
3#![allow(unused_imports, non_camel_case_types, non_snake_case, clippy::all)]
4
5use serde::{Deserialize, Serialize};
6use super::*;
7
/// Cross-trust-domain attestation: domain A signs a statement asserting that domain B's identity (or a specific actor in B) is recognized within A's trust fabric, optionally bounded by capability scope and time. Used by SPIFFE federated trust bundles, business-partner trust links, and sovereignty federations (TF-0002 "federated" identity mode).
///
/// This type describes the wire shape only. Nothing in this file verifies
/// `signature`, checks the `issued_at`/`valid_until` window, or consults a
/// revocation list for `attestation_id`; a consumer has to do all three before
/// acting on `scope` or `trust_levels_granted`. The derived `Deserialize` has no
/// `deny_unknown_fields`, so unrecognized keys are silently dropped on parse
/// rather than rejected.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct FederationAttestation {
    /// Version of the federation-attestation schema.
    pub attestation_version: FederationAttestation_AttestationVersion,
    /// Stable identifier for this attestation; used for revocation lookups.
    /// NOTE(review): the uniqueness scope (global vs. per `issuer_domain`) is not
    /// stated here — confirm against the schema before keying a revocation list
    /// on this value alone.
    pub attestation_id: String,
    /// Domain making the assertion.
    pub issuer_domain: TrustDomain,
    /// Domain being recognized.
    pub subject_domain: TrustDomain,
    /// Optional specific actor inside subject_domain. When omitted the attestation covers the whole domain.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub subject_actor: Option<ActorId>,
    /// Optional list of action names this attestation permits cross-domain. Empty means "recognize identity only" (no implicit authority).
    /// NOTE(review): an absent field (`None`) and an empty list (`Some(vec![])`) are
    /// distinct on the wire; the fail-closed reading treats both as granting no actions.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub scope: Option<Vec<ActionName>>,
    /// Maximum TrustLevel the issuer is willing to extend to subjects under this attestation.
    /// NOTE(review): the type is a list while the sentence above describes a single
    /// maximum — whether entries form an allow-list or a ceiling is not settled here.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub trust_levels_granted: Option<Vec<TrustLevel>>,
    /// SPIFFE-style trust bundle: the public keys / certificates of subject_domain that issuer_domain accepts. Each entry is either an X.509 PEM, a SPIFFE JWT-SVID JWK, or an opaque ed25519 public key.
    /// NOTE(review): the type permits an empty bundle; whether that is a valid
    /// attestation is a schema-level question not answered in this file.
    pub trust_bundle: Vec<FederationAttestation_TrustBundle_Item>,
    /// Optional constraints attached to the federation grant (rate limits, target globs, time windows).
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub constraints: Option<Vec<Constraint>>,
    /// When the attestation was issued; the start of its validity window.
    pub issued_at: Timestamp,
    /// End of the validity window. Presumably a consumer refuses the attestation
    /// after this instant; clock-skew tolerance is not specified in this file.
    pub valid_until: Timestamp,
    /// Authority within issuer_domain that signed this attestation.
    pub issuer: ActorId,
    /// Signature produced by `issuer` over this attestation. Which fields are
    /// covered and how they are canonicalized is not visible here — confirm
    /// against `SignatureEnvelope` and the schema.
    pub signature: SignatureEnvelope,
}
39
/// Version of the federation-attestation schema.
///
/// Serialized as the string `"1"` (see the `serde(rename)`), not as an integer.
/// Because the enum is closed, an attestation carrying any other version value
/// fails to deserialize instead of being accepted with a degraded check set.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum FederationAttestation_AttestationVersion {
    /// Schema version 1 — the only version this build recognizes.
    #[serde(rename = "1")]
    V1,
}
46
/// One entry of `FederationAttestation::trust_bundle`: a single key or
/// certificate of the subject domain that the issuer domain accepts.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct FederationAttestation_TrustBundle_Item {
    /// Format of the bundle entry.
    /// NOTE(review): this is a free-form `String`, not an enum, so the accepted
    /// values (the parent docs list X.509 PEM, SPIFFE JWT-SVID JWK, and raw ed25519)
    /// are not enforced by the type. A consumer should reject an entry whose `kind`
    /// it does not recognize rather than guess the encoding of `value`.
    pub kind: String,
    /// Encoded key material (PEM string, base64 JWK JSON, or base64 raw public key).
    /// The encoding is selected by `kind`; decode only after `kind` has been validated.
    pub value: String,
    /// Optional stable key identifier within the bundle.
    /// NOTE(review): uniqueness of `key_id` across entries is not guaranteed by the type.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub key_id: Option<String>,
}
56}