diff --git a/lib/src/auth/oidc-clientcredentials-provider.ts b/lib/src/auth/oidc-clientcredentials-provider.ts index 843e34e8c..e867ca9da 100644 --- a/lib/src/auth/oidc-clientcredentials-provider.ts +++ b/lib/src/auth/oidc-clientcredentials-provider.ts @@ -9,6 +9,8 @@ export class OIDCClientCredentialsProvider implements AuthProvider { clientId, clientSecret, oidcOrigin, + oidcTokenEndpoint, + oidcUserInfoEndpoint, }: Partial & Omit) { if (!clientId || !clientSecret) { throw new ConfigurationError('clientId & clientSecret required for client credentials flow'); @@ -19,6 +21,8 @@ export class OIDCClientCredentialsProvider implements AuthProvider { clientId, clientSecret, oidcOrigin, + oidcTokenEndpoint, + oidcUserInfoEndpoint, }); } diff --git a/lib/src/auth/oidc-externaljwt-provider.ts b/lib/src/auth/oidc-externaljwt-provider.ts index 4006355ad..c5724a757 100644 --- a/lib/src/auth/oidc-externaljwt-provider.ts +++ b/lib/src/auth/oidc-externaljwt-provider.ts @@ -10,6 +10,8 @@ export class OIDCExternalJwtProvider implements AuthProvider { clientId, externalJwt, oidcOrigin, + oidcTokenEndpoint, + oidcUserInfoEndpoint, }: Partial & Omit) { if (!clientId || !externalJwt) { throw new ConfigurationError('external JWT exchange reequires client id and jwt'); @@ -18,8 +20,10 @@ export class OIDCExternalJwtProvider implements AuthProvider { this.oidcAuth = new AccessToken({ exchange: 'external', clientId, - oidcOrigin, externalJwt, + oidcOrigin, + oidcTokenEndpoint, + oidcUserInfoEndpoint, }); this.externalJwt = externalJwt; diff --git a/lib/src/auth/oidc-refreshtoken-provider.ts b/lib/src/auth/oidc-refreshtoken-provider.ts index 91fa946f8..6029bc440 100644 --- a/lib/src/auth/oidc-refreshtoken-provider.ts +++ b/lib/src/auth/oidc-refreshtoken-provider.ts 
@@ -24,6 +24,8 @@ export class OIDCRefreshTokenProvider implements AuthProvider { clientId, refreshToken, oidcOrigin, + oidcTokenEndpoint, + oidcUserInfoEndpoint, }: Partial & Omit) { if (!clientId || !refreshToken) { throw new ConfigurationError('refresh token or client id missing'); @@ -32,8 +34,10 @@ export class OIDCRefreshTokenProvider implements AuthProvider { this.oidcAuth = new AccessToken({ exchange: 'refresh', clientId, - refreshToken: refreshToken, + refreshToken, oidcOrigin, + oidcTokenEndpoint, + oidcUserInfoEndpoint, }); this.refreshToken = refreshToken; } diff --git a/lib/src/auth/oidc.ts b/lib/src/auth/oidc.ts index 5bf237f7b..d1476aa21 100644 --- a/lib/src/auth/oidc.ts +++ b/lib/src/auth/oidc.ts @@ -12,6 +12,8 @@ export type CommonCredentials = { clientId: string; /** The endpoint of the OIDC IdP to authenticate against, ex. 'https://virtru.com/auth' */ oidcOrigin: string; + oidcTokenEndpoint?: string; + oidcUserInfoEndpoint?: string; /** Whether or not DPoP is enabled. */ dpopEnabled?: boolean; @@ -89,6 +91,8 @@ export class AccessToken { data?: AccessTokenResponse; baseUrl: string; + tokenEndpoint: string; + userInfoEndpoint: string; signingKey?: CryptoKeyPair; @@ -119,6 +123,9 @@ export class AccessToken { this.config = cfg; this.request = request; this.baseUrl = rstrip(cfg.oidcOrigin, '/'); + this.tokenEndpoint = cfg.oidcTokenEndpoint || `${this.baseUrl}/protocol/openid-connect/token`; + this.userInfoEndpoint = + cfg.oidcUserInfoEndpoint || `${this.baseUrl}/protocol/openid-connect/userinfo`; this.signingKey = cfg.signingKey; } 
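Review bot: The two fields added to `CommonCredentials`, `oidcTokenEndpoint` and `oidcUserInfoEndpoint`, have no doc comment, although the neighbouring `oidcOrigin` and `dpopEnabled` both do. The type alone does not tell a caller that each one is a full URL replacing the path derived from `oidcOrigin`, or that credentials are sent to it. I would add `/** Full URL of the token endpoint; overrides the path derived from oidcOrigin. Client credentials are posted here. */` above the first field, and a matching line above the second saying that the bearer access token is sent there.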
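Review bot: The `AccessToken` constructor hunk takes `cfg.oidcTokenEndpoint` and `cfg.oidcUserInfoEndpoint` as given, with no check that they are absolute `https:` URLs. Judging by the provider hunks, the client secret, refresh token or external JWT is posted to the token endpoint and the access token goes to the userinfo endpoint, so a mistyped or plaintext override would send those credentials somewhere unintended. I would parse each override once here and fail fast, for example `if (new URL(this.tokenEndpoint).protocol !== 'https:') throw new TdfError('oidcTokenEndpoint must be an https URL');`, with an explicit exception if local `http://` IdPs must stay supported. The constructor starts and ends outside the hunk.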
@@ -128,21 +135,20 @@ export class AccessToken { * @returns */ async info(accessToken: string): Promise { - const url = `${this.baseUrl}/protocol/openid-connect/userinfo`; const headers = { ...this.extraHeaders, Authorization: `Bearer ${accessToken}`, } as Record; if (this.config.dpopEnabled && this.signingKey) { - headers.DPoP = await dpopFn(this.signingKey, url, 'POST'); + headers.DPoP = await dpopFn(this.signingKey, this.userInfoEndpoint, 'POST'); } - const response = await (this.request || fetch)(url, { + const response = await (this.request || fetch)(this.userInfoEndpoint, { headers, }); if (!response.ok) { console.error(await response.text()); throw new TdfError( - `auth info fail: GET [${url}] => ${response.status} ${response.statusText}` + `auth info fail: GET [${this.userInfoEndpoint}] => ${response.status} ${response.statusText}` ); } @@ -171,7 +177,6 @@ export class AccessToken { } async accessTokenLookup(cfg: OIDCCredentials) { - const url = `${this.baseUrl}/protocol/openid-connect/token`; let body; switch (cfg.exchange) { case 'client': @@ -198,11 +203,11 @@ export class AccessToken { }; break; } - const response = await this.doPost(url, body); + const response = await this.doPost(this.tokenEndpoint, body); if (!response.ok) { console.error(await response.text()); throw new TdfError( - `token/code exchange fail: POST [${url}] => ${response.status} ${response.statusText}` + `token/code exchange fail: POST [${this.tokenEndpoint}] => ${response.status} ${response.statusText}` ); } return response.json(); diff --git a/lib/src/auth/providers.ts b/lib/src/auth/providers.ts index 7c96c0754..e3f019106 100644 --- a/lib/src/auth/providers.ts +++ b/lib/src/auth/providers.ts 
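Review bot: In `info()`, the rewritten DPoP line still builds the proof with `'POST'`, while the `fetch` call below it passes no `method` and the error text says `GET`. Assuming the third argument of `dpopFn` is the HTTP method bound into the proof, a server that verifies it would reject this request. Since the line is being touched anyway, it should read `headers.DPoP = await dpopFn(this.signingKey, this.userInfoEndpoint, 'GET');`. Now that the endpoint is caller-supplied, also confirm that `dpopFn` drops any query or fragment before binding the URL, and note that the `TdfError` messages in this hunk and in `accessTokenLookup` now echo the configured URL verbatim.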
@@ -36,6 +36,8 @@ export const clientSecretAuthProvider = async ( clientId: clientConfig.clientId, clientSecret: clientConfig.clientSecret, oidcOrigin: clientConfig.oidcOrigin, + oidcTokenEndpoint: clientConfig.oidcTokenEndpoint, + oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint, }); }; @@ -62,6 +64,8 @@ export const externalAuthProvider = async ( clientId: clientConfig.clientId, externalJwt: clientConfig.externalJwt, oidcOrigin: clientConfig.oidcOrigin, + oidcTokenEndpoint: clientConfig.oidcTokenEndpoint, + oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint, }); }; @@ -86,6 +90,8 @@ export const refreshAuthProvider = async ( clientId: clientConfig.clientId, refreshToken: clientConfig.refreshToken, oidcOrigin: clientConfig.oidcOrigin, + oidcTokenEndpoint: clientConfig.oidcTokenEndpoint, + oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint, }); }; diff --git a/lib/src/opentdf.ts b/lib/src/opentdf.ts index 425c7fa57..b23d9e019 100644 --- a/lib/src/opentdf.ts +++ b/lib/src/opentdf.ts @@ -112,7 +112,6 @@ export type MimeType = `${string}/${string}`; export type SplitStep = { /** Which KAS to use to rewrap this segment of the key. */ kas: string; - /** * An identifier for a key segment. * Leave empty to share the key. @@ -389,6 +388,7 @@ export class OpenTDF { authProvider, dpopKeys, kasEndpoint: this.platformUrl || 'https://disallow.all.invalid', + platformUrl, policyEndpoint, }); this.dpopKeys = diff --git a/lib/src/platform/entityresolution/entity_resolution_pb.ts b/lib/src/platform/entityresolution/entity_resolution_pb.ts index 1d19f2386..66e4eb0ea 100644 --- a/lib/src/platform/entityresolution/entity_resolution_pb.ts +++ b/lib/src/platform/entityresolution/entity_resolution_pb.ts 
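Review bot: In the `OpenTDF` hunk, the added `platformUrl,` shorthand reads a local binding, while the `kasEndpoint` line directly above it reads `this.platformUrl`. The hunk does not show where the local comes from or whether the two can differ. If they are meant to be the same value, take it from one source, e.g. `platformUrl: this.platformUrl,`. The `kasEndpoint` line falls back to `'https://disallow.all.invalid'` when the platform URL is unset, whereas the new field is passed through unguarded, so a short comment on what the client does with an undefined `platformUrl` would help. The enclosing block starts and ends outside the hunk.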
@@ -213,6 +213,8 @@ export const CreateEntityChainFromJwtResponseSchema: GenMessage & * * Context or additional data specific to the public key, based on the key provider implementation * - * @generated from field: bytes public_key_ctx = 5; + * @generated from field: policy.PublicKeyCtx public_key_ctx = 5; */ - publicKeyCtx: Uint8Array; + publicKeyCtx?: PublicKeyCtx; /** - * Optional + * Conditionally Required * * Context or additional data specific to the private key, based on the key provider implementation * - * @generated from field: bytes private_key_ctx = 6; + * @generated from field: policy.PrivateKeyCtx private_key_ctx = 6; */ - privateKeyCtx: Uint8Array; + privateKeyCtx?: PrivateKeyCtx; /** * Optional @@ -1145,15 +1145,6 @@ export type UpdateKeyRequest = Message<"policy.kasregistry.UpdateKeyRequest"> & */ id: string; - /** - * Optional - * - * The new status of the key (e.g., active, inactive) - * - * @generated from field: policy.KeyStatus key_status = 2; - */ - keyStatus: KeyStatus; - /** * Optional * Common metadata @@ -1318,20 +1309,22 @@ export type RotateKeyRequest_NewKey = Message<"policy.kasregistry.RotateKeyReque /** * Required * - * Specific structure based on key provider implementation - * - * @generated from field: bytes private_key_ctx = 4; + * @generated from field: policy.PublicKeyCtx public_key_ctx = 4; */ - privateKeyCtx: Uint8Array; + publicKeyCtx?: PublicKeyCtx; /** - * Optional + * Required * - * @generated from field: bytes public_key_ctx = 5; + * @generated from field: policy.PrivateKeyCtx private_key_ctx = 5; */ - publicKeyCtx: Uint8Array; + privateKeyCtx?: PrivateKeyCtx; /** + * Conditionally Required. + * + * Validation handled by message-level CEL + * * @generated from field: string provider_config_id = 6; */ providerConfigId: string; 
@@ -1339,9 +1332,9 @@ export type RotateKeyRequest_NewKey = Message<"policy.kasregistry.RotateKeyReque /** * Common metadata fields * - * @generated from field: common.Metadata metadata = 100; + * @generated from field: common.MetadataMutable metadata = 100; */ - metadata?: Metadata; + metadata?: MetadataMutable; }; /** 
@@ -1351,6 +1344,68 @@ export type RotateKeyRequest_NewKey = Message<"policy.kasregistry.RotateKeyReque export const RotateKeyRequest_NewKeySchema: GenMessage = /*@__PURE__*/ messageDesc(file_policy_kasregistry_key_access_server_registry, 37, 0); +/** + * * + * Simplified information about the resources that were rotated as part of the key rotation process. + * + * @generated from message policy.kasregistry.ChangeMappings + */ +export type ChangeMappings = Message<"policy.kasregistry.ChangeMappings"> & { + /** + * @generated from field: string id = 1; + */ + id: string; + + /** + * @generated from field: string fqn = 2; + */ + fqn: string; +}; + +/** + * Describes the message policy.kasregistry.ChangeMappings. + * Use `create(ChangeMappingsSchema)` to create a new message. + */ +export const ChangeMappingsSchema: GenMessage = /*@__PURE__*/ + messageDesc(file_policy_kasregistry_key_access_server_registry, 38); + +/** + * + * All resources that were rotated as part of the key rotation process + * + * @generated from message policy.kasregistry.RotatedResources + */ +export type RotatedResources = Message<"policy.kasregistry.RotatedResources"> & { + /** + * The old key that was rotated out + * + * @generated from field: policy.KasKey rotated_out_key = 1; + */ + rotatedOutKey?: KasKey; + + /** + * @generated from field: repeated policy.kasregistry.ChangeMappings attribute_definition_mappings = 2; + */ + attributeDefinitionMappings: ChangeMappings[]; + + /** + * @generated from field: repeated policy.kasregistry.ChangeMappings attribute_value_mappings = 3; + */ + attributeValueMappings: ChangeMappings[]; + + /** + * @generated from field: repeated policy.kasregistry.ChangeMappings namespace_mappings = 4; + */ + namespaceMappings: ChangeMappings[]; +}; + +/** + * Describes the message policy.kasregistry.RotatedResources. + * Use `create(RotatedResourcesSchema)` to create a new message. 
+ */ +export const RotatedResourcesSchema: GenMessage = /*@__PURE__*/ + messageDesc(file_policy_kasregistry_key_access_server_registry, 39); + /** * Response message for the RotateKey request * @@ -1363,6 +1418,13 @@ export type RotateKeyResponse = Message<"policy.kasregistry.RotateKeyResponse"> * @generated from field: policy.KasKey kas_key = 1; */ kasKey?: KasKey; + + /** + * All resources that were rotated as part of the key rotation process + * + * @generated from field: policy.kasregistry.RotatedResources rotated_resources = 2; + */ + rotatedResources?: RotatedResources; }; /** 
@@ -1370,7 +1432,103 @@ export type RotateKeyResponse = Message<"policy.kasregistry.RotateKeyResponse"> * Use `create(RotateKeyResponseSchema)` to create a new message. */ export const RotateKeyResponseSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_kasregistry_key_access_server_registry, 38); + messageDesc(file_policy_kasregistry_key_access_server_registry, 40); + +/** + * Sets the specified key as the base key for the Key Access Server + * Note: The key must be active. + * + * @generated from message policy.kasregistry.SetBaseKeyRequest + */ +export type SetBaseKeyRequest = Message<"policy.kasregistry.SetBaseKeyRequest"> & { + /** + * Required + * + * @generated from oneof policy.kasregistry.SetBaseKeyRequest.active_key + */ + activeKey: { + /** + * Current Key UUID tp be set as default + * + * @generated from field: string id = 1; + */ + value: string; + case: "id"; + } | { + /** + * Alternative way to specify the key using KAS ID and Key ID + * + * @generated from field: policy.kasregistry.KasKeyIdentifier key = 2; + */ + value: KasKeyIdentifier; + case: "key"; + } | { case: undefined; value?: undefined }; +}; + +/** + * Describes the message policy.kasregistry.SetBaseKeyRequest. + * Use `create(SetBaseKeyRequestSchema)` to create a new message. + */ +export const SetBaseKeyRequestSchema: GenMessage = /*@__PURE__*/ + messageDesc(file_policy_kasregistry_key_access_server_registry, 41); + +/** + * @generated from message policy.kasregistry.GetBaseKeyRequest + */ +export type GetBaseKeyRequest = Message<"policy.kasregistry.GetBaseKeyRequest"> & { +}; + +/** + * Describes the message policy.kasregistry.GetBaseKeyRequest. + * Use `create(GetBaseKeyRequestSchema)` to create a new message. 
+ */ +export const GetBaseKeyRequestSchema: GenMessage = /*@__PURE__*/ + messageDesc(file_policy_kasregistry_key_access_server_registry, 42); + +/** + * @generated from message policy.kasregistry.GetBaseKeyResponse + */ +export type GetBaseKeyResponse = Message<"policy.kasregistry.GetBaseKeyResponse"> & { + /** + * The current base key + * + * @generated from field: policy.SimpleKasKey base_key = 1; + */ + baseKey?: SimpleKasKey; +}; + +/** + * Describes the message policy.kasregistry.GetBaseKeyResponse. + * Use `create(GetBaseKeyResponseSchema)` to create a new message. + */ +export const GetBaseKeyResponseSchema: GenMessage = /*@__PURE__*/ + messageDesc(file_policy_kasregistry_key_access_server_registry, 43); + +/** + * @generated from message policy.kasregistry.SetBaseKeyResponse + */ +export type SetBaseKeyResponse = Message<"policy.kasregistry.SetBaseKeyResponse"> & { + /** + * The key that was set as base + * + * @generated from field: policy.SimpleKasKey new_base_key = 1; + */ + newBaseKey?: SimpleKasKey; + + /** + * The previous base key, if any + * + * @generated from field: policy.SimpleKasKey previous_base_key = 2; + */ + previousBaseKey?: SimpleKasKey; +}; + +/** + * Describes the message policy.kasregistry.SetBaseKeyResponse. + * Use `create(SetBaseKeyResponseSchema)` to create a new message. + */ +export const SetBaseKeyResponseSchema: GenMessage = /*@__PURE__*/ + messageDesc(file_policy_kasregistry_key_access_server_registry, 44); /** * @generated from service policy.kasregistry.KeyAccessServerRegistryService 
@@ -1477,6 +1635,26 @@ export const KeyAccessServerRegistryService: GenService<{ input: typeof RotateKeyRequestSchema; output: typeof RotateKeyResponseSchema; }, + /** + * Request to set the default a default kas key. + * + * @generated from rpc policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey + */ + setBaseKey: { + methodKind: "unary"; + input: typeof SetBaseKeyRequestSchema; + output: typeof SetBaseKeyResponseSchema; + }, + /** + * Get Default kas keys + * + * @generated from rpc policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey + */ + getBaseKey: { + methodKind: "unary"; + input: typeof GetBaseKeyRequestSchema; + output: typeof GetBaseKeyResponseSchema; + }, }> = /*@__PURE__*/ serviceDesc(file_policy_kasregistry_key_access_server_registry, 0); diff --git a/lib/src/platform/policy/namespaces/namespaces_pb.ts b/lib/src/platform/policy/namespaces/namespaces_pb.ts index 31ca44ee7..f18d31bec 100644 --- a/lib/src/platform/policy/namespaces/namespaces_pb.ts +++ b/lib/src/platform/policy/namespaces/namespaces_pb.ts @@ -5,7 +5,6 @@ import type { GenFile, GenMessage, GenService } from "@bufbuild/protobuf/codegenv1"; import { fileDesc, messageDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1"; import { file_buf_validate_validate } from "../../buf/validate/validate_pb.js"; -import { file_google_api_annotations } from "../../google/api/annotations_pb.js"; import type { ActiveStateEnum, MetadataMutable, MetadataUpdateEnum } from "../../common/common_pb.js"; import { file_common_common } from "../../common/common_pb.js"; import type { Namespace } from "../objects_pb.js"; 
@@ -18,7 +17,7 @@ import type { Message } from "@bufbuild/protobuf"; * Describes the file policy/namespaces/namespaces.proto. */ export const file_policy_namespaces_namespaces: GenFile = /*@__PURE__*/ - fileDesc("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", [file_buf_validate_validate, file_google_api_annotations, file_common_common, file_policy_objects, file_policy_selectors]); + fileDesc("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", [file_buf_validate_validate, file_common_common, file_policy_objects, file_policy_selectors]); /** * @generated from message policy.namespaces.NamespaceKeyAccessServer diff --git a/lib/src/platform/policy/objects_pb.ts b/lib/src/platform/policy/objects_pb.ts index 5c9587de7..2c6f55d46 100644 --- a/lib/src/platform/policy/objects_pb.ts +++ b/lib/src/platform/policy/objects_pb.ts 
@@ -14,7 +14,67 @@ import type { Message } from "@bufbuild/protobuf"; * Describes the file policy/objects.proto. */ export const file_policy_objects: GenFile = /*@__PURE__*/ - fileDesc("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", [file_buf_validate_validate, file_common_common, file_google_protobuf_wrappers]); + fileDesc("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", [file_buf_validate_validate, file_common_common, file_google_protobuf_wrappers]); + +/** + * @generated from message policy.SimpleKasPublicKey + */ +export type SimpleKasPublicKey = Message<"policy.SimpleKasPublicKey"> & { + /** + * @generated from field: policy.Algorithm algorithm = 1; + */ + algorithm: Algorithm; + + /** + * @generated from field: string kid = 2; + */ + kid: string; + + /** + * @generated from field: string pem = 3; + */ + pem: string; +}; + +/** + * Describes the message policy.SimpleKasPublicKey. + * Use `create(SimpleKasPublicKeySchema)` to create a new message. + */ +export const SimpleKasPublicKeySchema: GenMessage = /*@__PURE__*/ + messageDesc(file_policy_objects, 0); + +/** + * @generated from message policy.SimpleKasKey + */ +export type SimpleKasKey = Message<"policy.SimpleKasKey"> & { + /** + * The URL of the Key Access Server + * + * @generated from field: string kas_uri = 1; + */ + kasUri: string; + + /** + * The public key of the Key that belongs to the KAS + * + * @generated from field: policy.SimpleKasPublicKey public_key = 2; + */ + publicKey?: SimpleKasPublicKey; + + /** + * The ID of the Key Access Server + * + * @generated from field: string kas_id = 3; + */ + kasId: string; +}; + +/** + * Describes the message policy.SimpleKasKey. + * Use `create(SimpleKasKeySchema)` to create a new message. + */ +export const SimpleKasKeySchema: GenMessage = /*@__PURE__*/ + messageDesc(file_policy_objects, 1); /** * @generated from message policy.KeyProviderConfig 
@@ -48,7 +108,7 @@ export type KeyProviderConfig = Message<"policy.KeyProviderConfig"> & { * Use `create(KeyProviderConfigSchema)` to create a new message. */ export const KeyProviderConfigSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 0); + messageDesc(file_policy_objects, 2); /** * @generated from message policy.Namespace @@ -96,9 +156,9 @@ export type Namespace = Message<"policy.Namespace"> & { /** * Keys for the namespace * - * @generated from field: repeated policy.KasKey kas_keys = 7; + * @generated from field: repeated policy.SimpleKasKey kas_keys = 7; */ - kasKeys: KasKey[]; + kasKeys: SimpleKasKey[]; }; /** @@ -106,7 +166,7 @@ export type Namespace = Message<"policy.Namespace"> & { * Use `create(NamespaceSchema)` to create a new message. */ export const NamespaceSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 1); + messageDesc(file_policy_objects, 3); /** * @generated from message policy.Attribute @@ -165,9 +225,9 @@ export type Attribute = Message<"policy.Attribute"> & { /** * Keys associated with the attribute * - * @generated from field: repeated policy.KasKey kas_keys = 9; + * @generated from field: repeated policy.SimpleKasKey kas_keys = 9; */ - kasKeys: KasKey[]; + kasKeys: SimpleKasKey[]; /** * Common metadata @@ -182,7 +242,7 @@ export type Attribute = Message<"policy.Attribute"> & { * Use `create(AttributeSchema)` to create a new message. */ export const AttributeSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 2); + messageDesc(file_policy_objects, 4); /** * @generated from message policy.Value 
@@ -233,9 +293,14 @@ export type Value = Message<"policy.Value"> & { subjectMappings: SubjectMapping[]; /** - * @generated from field: repeated policy.KasKey kas_keys = 9; + * @generated from field: repeated policy.SimpleKasKey kas_keys = 9; + */ + kasKeys: SimpleKasKey[]; + + /** + * @generated from field: repeated policy.ResourceMapping resource_mappings = 10; */ - kasKeys: KasKey[]; + resourceMappings: ResourceMapping[]; /** * Common metadata @@ -250,7 +315,7 @@ export type Value = Message<"policy.Value"> & { * Use `create(ValueSchema)` to create a new message. */ export const ValueSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 3); + messageDesc(file_policy_objects, 5); /** * An action an entity can take @@ -304,7 +369,7 @@ export type Action = Message<"policy.Action"> & { * Use `create(ActionSchema)` to create a new message. */ export const ActionSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 4); + messageDesc(file_policy_objects, 6); /** * @generated from enum policy.Action.StandardAction @@ -336,7 +401,7 @@ export enum Action_StandardAction { * Describes the enum policy.Action.StandardAction. */ export const Action_StandardActionSchema: GenEnum = /*@__PURE__*/ - enumDesc(file_policy_objects, 4, 0); + enumDesc(file_policy_objects, 6, 0); /** * @@ -383,7 +448,7 @@ export type SubjectMapping = Message<"policy.SubjectMapping"> & { * Use `create(SubjectMappingSchema)` to create a new message. */ export const SubjectMappingSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 5); + messageDesc(file_policy_objects, 7); /** * * @@ -423,7 +488,7 @@ export type Condition = Message<"policy.Condition"> & { * Use `create(ConditionSchema)` to create a new message. */ export const ConditionSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 6); + messageDesc(file_policy_objects, 8); /** * A collection of Conditions evaluated by the boolean_operator provided 
@@ -449,7 +514,7 @@ export type ConditionGroup = Message<"policy.ConditionGroup"> & { * Use `create(ConditionGroupSchema)` to create a new message. */ export const ConditionGroupSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 7); + messageDesc(file_policy_objects, 9); /** * A collection of Condition Groups @@ -470,7 +535,7 @@ export type SubjectSet = Message<"policy.SubjectSet"> & { * Use `create(SubjectSetSchema)` to create a new message. */ export const SubjectSetSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 8); + messageDesc(file_policy_objects, 10); /** * @@ -504,7 +569,7 @@ export type SubjectConditionSet = Message<"policy.SubjectConditionSet"> & { * Use `create(SubjectConditionSetSchema)` to create a new message. */ export const SubjectConditionSetSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 9); + messageDesc(file_policy_objects, 11); /** * @@ -539,7 +604,7 @@ export type SubjectProperty = Message<"policy.SubjectProperty"> & { * Use `create(SubjectPropertySchema)` to create a new message. */ export const SubjectPropertySchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 10); + messageDesc(file_policy_objects, 12); /** * @@ -582,7 +647,7 @@ export type ResourceMappingGroup = Message<"policy.ResourceMappingGroup"> & { * Use `create(ResourceMappingGroupSchema)` to create a new message. */ export const ResourceMappingGroupSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 11); + messageDesc(file_policy_objects, 13); /** * @@ -623,7 +688,7 @@ export type ResourceMapping = Message<"policy.ResourceMapping"> & { * Use `create(ResourceMappingSchema)` to create a new message. */ export const ResourceMappingSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 12); + messageDesc(file_policy_objects, 14); /** * 
@@ -661,9 +726,9 @@ export type KeyAccessServer = Message<"policy.KeyAccessServer"> & { /** * Kas keys associated with this KAS * - * @generated from field: repeated policy.KasKey kas_keys = 5; + * @generated from field: repeated policy.SimpleKasKey kas_keys = 5; */ - kasKeys: KasKey[]; + kasKeys: SimpleKasKey[]; /** * Optional @@ -686,7 +751,7 @@ export type KeyAccessServer = Message<"policy.KeyAccessServer"> & { * Use `create(KeyAccessServerSchema)` to create a new message. */ export const KeyAccessServerSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 13); + messageDesc(file_policy_objects, 15); /** * @generated from message policy.Key @@ -732,7 +797,7 @@ export type Key = Message<"policy.Key"> & { * Use `create(KeySchema)` to create a new message. */ export const KeySchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 14); + messageDesc(file_policy_objects, 16); /** * Deprecated @@ -770,7 +835,7 @@ export type KasPublicKey = Message<"policy.KasPublicKey"> & { * Use `create(KasPublicKeySchema)` to create a new message. */ export const KasPublicKeySchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 15); + messageDesc(file_policy_objects, 17); /** * Deprecated @@ -790,7 +855,7 @@ export type KasPublicKeySet = Message<"policy.KasPublicKeySet"> & { * Use `create(KasPublicKeySetSchema)` to create a new message. */ export const KasPublicKeySetSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 16); + messageDesc(file_policy_objects, 18); /** * Deprecated @@ -825,7 +890,7 @@ export type PublicKey = Message<"policy.PublicKey"> & { * Use `create(PublicKeySchema)` to create a new message. */ export const PublicKeySchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 17); + messageDesc(file_policy_objects, 19); /** * @generated from message policy.RegisteredResource 
@@ -859,7 +924,7 @@ export type RegisteredResource = Message<"policy.RegisteredResource"> & { * Use `create(RegisteredResourceSchema)` to create a new message. */ export const RegisteredResourceSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 18); + messageDesc(file_policy_objects, 20); /** * @generated from message policy.RegisteredResourceValue @@ -880,6 +945,11 @@ export type RegisteredResourceValue = Message<"policy.RegisteredResourceValue"> */ resource?: RegisteredResource; + /** + * @generated from field: repeated policy.RegisteredResourceValue.ActionAttributeValue action_attribute_values = 4; + */ + actionAttributeValues: RegisteredResourceValue_ActionAttributeValue[]; + /** * Common metadata * 
@@ -893,7 +963,41 @@ export type RegisteredResourceValue = Message<"policy.RegisteredResourceValue"> * Use `create(RegisteredResourceValueSchema)` to create a new message. */ export const RegisteredResourceValueSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 19); + messageDesc(file_policy_objects, 21); + +/** + * @generated from message policy.RegisteredResourceValue.ActionAttributeValue + */ +export type RegisteredResourceValue_ActionAttributeValue = Message<"policy.RegisteredResourceValue.ActionAttributeValue"> & { + /** + * @generated from field: string id = 1; + */ + id: string; + + /** + * @generated from field: policy.Action action = 2; + */ + action?: Action; + + /** + * @generated from field: policy.Value attribute_value = 3; + */ + attributeValue?: Value; + + /** + * Common metadata + * + * @generated from field: common.Metadata metadata = 100; + */ + metadata?: Metadata; +}; + +/** + * Describes the message policy.RegisteredResourceValue.ActionAttributeValue. + * Use `create(RegisteredResourceValue_ActionAttributeValueSchema)` to create a new message. + */ +export const RegisteredResourceValue_ActionAttributeValueSchema: GenMessage = /*@__PURE__*/ + messageDesc(file_policy_objects, 21, 0); /** * @generated from message policy.KasKey @@ -908,6 +1012,11 @@ export type KasKey = Message<"policy.KasKey"> & { * @generated from field: policy.AsymmetricKey key = 2; */ key?: AsymmetricKey; + + /** + * @generated from field: string kas_uri = 3; + */ + kasUri: string; }; /** 
@@ -915,33 +1024,94 @@ export type KasKey = Message<"policy.KasKey"> & { * Use `create(KasKeySchema)` to create a new message. */ export const KasKeySchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 20); + messageDesc(file_policy_objects, 22); + +/** + * @generated from message policy.PublicKeyCtx + */ +export type PublicKeyCtx = Message<"policy.PublicKeyCtx"> & { + /** + * Required + * + * Base64 encoded public key in PEM format + * + * @generated from field: string pem = 1; + */ + pem: string; +}; + +/** + * Describes the message policy.PublicKeyCtx. + * Use `create(PublicKeyCtxSchema)` to create a new message. + */ +export const PublicKeyCtxSchema: GenMessage = /*@__PURE__*/ + messageDesc(file_policy_objects, 23); + +/** + * @generated from message policy.PrivateKeyCtx + */ +export type PrivateKeyCtx = Message<"policy.PrivateKeyCtx"> & { + /** + * Required + * + * Key ID for the symmetric key wrapping this key. + * + * @generated from field: string key_id = 1; + */ + keyId: string; + + /** + * Optional + * + * Base64 encoded wrapped key. Conditionally required if key_mode is LOCAL. Should not be present if key_mode is REMOTE. + * + * @generated from field: string wrapped_key = 2; + */ + wrappedKey: string; +}; + +/** + * Describes the message policy.PrivateKeyCtx. + * Use `create(PrivateKeyCtxSchema)` to create a new message. 
+ */ +export const PrivateKeyCtxSchema: GenMessage = /*@__PURE__*/ + messageDesc(file_policy_objects, 24); /** * @generated from message policy.AsymmetricKey */ export type AsymmetricKey = Message<"policy.AsymmetricKey"> & { /** + * Required + * * @generated from field: string id = 1; */ id: string; /** + * Required + * * @generated from field: string key_id = 2; */ keyId: string; /** + * Required + * * @generated from field: policy.Algorithm key_algorithm = 3; */ keyAlgorithm: Algorithm; /** + * Required + * * @generated from field: policy.KeyStatus key_status = 4; */ keyStatus: KeyStatus; /** + * Required + * * Specifies how the key is managed (local or remote) * * @generated from field: policy.KeyMode key_mode = 5; @@ -949,20 +1119,26 @@ export type AsymmetricKey = Message<"policy.AsymmetricKey"> & { keyMode: KeyMode; /** + * Required + * * Specific structure based on key provider implementation * - * @generated from field: bytes public_key_ctx = 6; + * @generated from field: policy.PublicKeyCtx public_key_ctx = 6; */ - publicKeyCtx: Uint8Array; + publicKeyCtx?: PublicKeyCtx; /** + * Optional + * * Specific structure based on key provider implementation * - * @generated from field: bytes private_key_ctx = 7; + * @generated from field: policy.PrivateKeyCtx private_key_ctx = 7; */ - privateKeyCtx: Uint8Array; + privateKeyCtx?: PrivateKeyCtx; /** + * Optional + * * Configuration for the key provider * * @generated from field: policy.KeyProviderConfig provider_config = 8; @@ -982,7 +1158,7 @@ export type AsymmetricKey = Message<"policy.AsymmetricKey"> & { * Use `create(AsymmetricKeySchema)` to create a new message. */ export const AsymmetricKeySchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 21); + messageDesc(file_policy_objects, 25); /** * @generated from message policy.SymmetricKey 
@@ -1037,7 +1213,7 @@ export type SymmetricKey = Message<"policy.SymmetricKey"> & { * Use `create(SymmetricKeySchema)` to create a new message. */ export const SymmetricKeySchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_objects, 22); + messageDesc(file_policy_objects, 26); /** * @generated from enum policy.AttributeRuleTypeEnum @@ -1269,14 +1445,9 @@ export enum KeyStatus { ACTIVE = 1, /** - * @generated from enum value: KEY_STATUS_INACTIVE = 2; + * @generated from enum value: KEY_STATUS_ROTATED = 2; */ - INACTIVE = 2, - - /** - * @generated from enum value: KEY_STATUS_COMPROMISED = 3; - */ - COMPROMISED = 3, + ROTATED = 2, } /** 
@@ -1286,29 +1457,53 @@ export const KeyStatusSchema: GenEnum = /*@__PURE__*/ enumDesc(file_policy_objects, 6); /** - * Describe how the kas private key is managed. - * If the key mode is LOCAL, then the kas private key is stored in the database. - * This could be encrypted or unencrypted. - * Remote means that the kas private key is stored in a remote key system like KMS or HSM - * and all operations are done by the remote key system. + * Describes the management and operational mode of a cryptographic key. * * @generated from enum policy.KeyMode */ export enum KeyMode { /** + * KEY_MODE_UNSPECIFIED: Default, unspecified key mode. Indicates an uninitialized or error state. + * * @generated from enum value: KEY_MODE_UNSPECIFIED = 0; */ UNSPECIFIED = 0, /** - * @generated from enum value: KEY_MODE_LOCAL = 1; + * KEY_MODE_CONFIG_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK) + * sourced from local configuration. Unwrapping and all cryptographic operations are performed locally. + * + * @generated from enum value: KEY_MODE_CONFIG_ROOT_KEY = 1; + */ + CONFIG_ROOT_KEY = 1, + + /** + * KEY_MODE_PROVIDER_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK) + * managed by an external provider (e.g., a Hardware Security Module or Cloud KMS). + * Key unwrapping is delegated to the external provider; subsequent cryptographic operations + * are performed locally using the unwrapped key. + * + * @generated from enum value: KEY_MODE_PROVIDER_ROOT_KEY = 2; */ - LOCAL = 1, + PROVIDER_ROOT_KEY = 2, /** - * @generated from enum value: KEY_MODE_REMOTE = 2; + * KEY_MODE_REMOTE: Remote key management where the private key is stored in, and all cryptographic + * operations are performed by, a remote Key Management Service (KMS) or HSM. + * The private key material never leaves the secure boundary of the remote system. 
+ * + * @generated from enum value: KEY_MODE_REMOTE = 3; + */ + REMOTE = 3, + + /** + * KEY_MODE_PUBLIC_KEY_ONLY: Public key only mode. Used when only a public key is available or required, + * typically for wrapping operations (e.g., encrypting a Data Encryption Key (DEK) for an external KAS). + * The corresponding private key is not managed or accessible by this system. + * + * @generated from enum value: KEY_MODE_PUBLIC_KEY_ONLY = 4; */ - REMOTE = 2, + PUBLIC_KEY_ONLY = 4, } /** diff --git a/lib/src/platform/policy/registeredresources/registered_resources_pb.ts b/lib/src/platform/policy/registeredresources/registered_resources_pb.ts index 9c2df823a..d422b747b 100644 --- a/lib/src/platform/policy/registeredresources/registered_resources_pb.ts +++ b/lib/src/platform/policy/registeredresources/registered_resources_pb.ts @@ -17,7 +17,7 @@ import type { Message } from "@bufbuild/protobuf"; * Describes the file policy/registeredresources/registered_resources.proto. */ export const file_policy_registeredresources_registered_resources: GenFile = /*@__PURE__*/ - fileDesc("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", [file_buf_validate_validate, file_common_common, file_policy_objects, file_policy_selectors]); + fileDesc("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", [file_buf_validate_validate, file_common_common, file_policy_objects, file_policy_selectors]); /** * @generated from message policy.registeredresources.CreateRegisteredResourceRequest 
@@ -251,6 +251,56 @@ export type DeleteRegisteredResourceResponse = Message<"policy.registeredresourc export const DeleteRegisteredResourceResponseSchema: GenMessage = /*@__PURE__*/ messageDesc(file_policy_registeredresources_registered_resources, 9); +/** + * @generated from message policy.registeredresources.ActionAttributeValue + */ +export type ActionAttributeValue = Message<"policy.registeredresources.ActionAttributeValue"> & { + /** + * Required + * + * @generated from oneof policy.registeredresources.ActionAttributeValue.action_identifier + */ + actionIdentifier: { + /** + * @generated from field: string action_id = 1; + */ + value: string; + case: "actionId"; + } | { + /** + * @generated from field: string action_name = 2; + */ + value: string; + case: "actionName"; + } | { case: undefined; value?: undefined }; + + /** + * Required + * + * @generated from oneof policy.registeredresources.ActionAttributeValue.attribute_value_identifier + */ + attributeValueIdentifier: { + /** + * @generated from field: string attribute_value_id = 3; + */ + value: string; + case: "attributeValueId"; + } | { + /** + * @generated from field: string attribute_value_fqn = 4; + */ + value: string; + case: "attributeValueFqn"; + } | { case: undefined; value?: undefined }; +}; + +/** + * Describes the message policy.registeredresources.ActionAttributeValue. + * Use `create(ActionAttributeValueSchema)` to create a new message. + */ +export const ActionAttributeValueSchema: GenMessage = /*@__PURE__*/ + messageDesc(file_policy_registeredresources_registered_resources, 10); + /** * @generated from message policy.registeredresources.CreateRegisteredResourceValueRequest */ 
@@ -269,6 +319,15 @@ export type CreateRegisteredResourceValueRequest = Message<"policy.registeredres */ value: string; + /** + * Optional + * The associated Action <> AttributeValue combinations to be utilized in authorization/entitlement decisioning + * (i.e. action read -> attribute value https://example.com/attr/department/value/marketing) + * + * @generated from field: repeated policy.registeredresources.ActionAttributeValue action_attribute_values = 3; + */ + actionAttributeValues: ActionAttributeValue[]; + /** * Optional * Common metadata @@ -283,7 +342,7 @@ export type CreateRegisteredResourceValueRequest = Message<"policy.registeredres * Use `create(CreateRegisteredResourceValueRequestSchema)` to create a new message. */ export const CreateRegisteredResourceValueRequestSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_registeredresources_registered_resources, 10); + messageDesc(file_policy_registeredresources_registered_resources, 11); /** * @generated from message policy.registeredresources.CreateRegisteredResourceValueResponse @@ -300,7 +359,7 @@ export type CreateRegisteredResourceValueResponse = Message<"policy.registeredre * Use `create(CreateRegisteredResourceValueResponseSchema)` to create a new message. */ export const CreateRegisteredResourceValueResponseSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_registeredresources_registered_resources, 11); + messageDesc(file_policy_registeredresources_registered_resources, 12); /** * @generated from message policy.registeredresources.GetRegisteredResourceValueRequest 
@@ -329,7 +388,7 @@ export type GetRegisteredResourceValueRequest = Message<"policy.registeredresour * Use `create(GetRegisteredResourceValueRequestSchema)` to create a new message. */ export const GetRegisteredResourceValueRequestSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_registeredresources_registered_resources, 12); + messageDesc(file_policy_registeredresources_registered_resources, 13); /** * @generated from message policy.registeredresources.GetRegisteredResourceValueResponse @@ -346,7 +405,7 @@ export type GetRegisteredResourceValueResponse = Message<"policy.registeredresou * Use `create(GetRegisteredResourceValueResponseSchema)` to create a new message. */ export const GetRegisteredResourceValueResponseSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_registeredresources_registered_resources, 13); + messageDesc(file_policy_registeredresources_registered_resources, 14); /** * @generated from message policy.registeredresources.GetRegisteredResourceValuesByFQNsRequest @@ -365,7 +424,7 @@ export type GetRegisteredResourceValuesByFQNsRequest = Message<"policy.registere * Use `create(GetRegisteredResourceValuesByFQNsRequestSchema)` to create a new message. */ export const GetRegisteredResourceValuesByFQNsRequestSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_registeredresources_registered_resources, 14); + messageDesc(file_policy_registeredresources_registered_resources, 15); /** * @generated from message policy.registeredresources.GetRegisteredResourceValuesByFQNsResponse 
@@ -382,7 +441,7 @@ export type GetRegisteredResourceValuesByFQNsResponse = Message<"policy.register * Use `create(GetRegisteredResourceValuesByFQNsResponseSchema)` to create a new message. */ export const GetRegisteredResourceValuesByFQNsResponseSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_registeredresources_registered_resources, 15); + messageDesc(file_policy_registeredresources_registered_resources, 16); /** * @generated from message policy.registeredresources.ListRegisteredResourceValuesRequest @@ -408,7 +467,7 @@ export type ListRegisteredResourceValuesRequest = Message<"policy.registeredreso * Use `create(ListRegisteredResourceValuesRequestSchema)` to create a new message. */ export const ListRegisteredResourceValuesRequestSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_registeredresources_registered_resources, 16); + messageDesc(file_policy_registeredresources_registered_resources, 17); /** * @generated from message policy.registeredresources.ListRegisteredResourceValuesResponse @@ -430,7 +489,7 @@ export type ListRegisteredResourceValuesResponse = Message<"policy.registeredres * Use `create(ListRegisteredResourceValuesResponseSchema)` to create a new message. */ export const ListRegisteredResourceValuesResponseSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_registeredresources_registered_resources, 17); + messageDesc(file_policy_registeredresources_registered_resources, 18); /** * @generated from message policy.registeredresources.UpdateRegisteredResourceValueRequest 
@@ -450,6 +509,14 @@ export type UpdateRegisteredResourceValueRequest = Message<"policy.registeredres */ value: string; + /** + * Optional + * Action Attribute Values provided here will replace all existing records in the database. To delete all action attribute values, set this field to an empty list. + * + * @generated from field: repeated policy.registeredresources.ActionAttributeValue action_attribute_values = 3; + */ + actionAttributeValues: ActionAttributeValue[]; + /** * Optional * Common metadata @@ -469,7 +536,7 @@ export type UpdateRegisteredResourceValueRequest = Message<"policy.registeredres * Use `create(UpdateRegisteredResourceValueRequestSchema)` to create a new message. */ export const UpdateRegisteredResourceValueRequestSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_registeredresources_registered_resources, 18); + messageDesc(file_policy_registeredresources_registered_resources, 19); /** * @generated from message policy.registeredresources.UpdateRegisteredResourceValueResponse @@ -486,7 +553,7 @@ export type UpdateRegisteredResourceValueResponse = Message<"policy.registeredre * Use `create(UpdateRegisteredResourceValueResponseSchema)` to create a new message. */ export const UpdateRegisteredResourceValueResponseSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_registeredresources_registered_resources, 19); + messageDesc(file_policy_registeredresources_registered_resources, 20); /** * @generated from message policy.registeredresources.DeleteRegisteredResourceValueRequest 
@@ -505,7 +572,7 @@ export type DeleteRegisteredResourceValueRequest = Message<"policy.registeredres * Use `create(DeleteRegisteredResourceValueRequestSchema)` to create a new message. */ export const DeleteRegisteredResourceValueRequestSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_registeredresources_registered_resources, 20); + messageDesc(file_policy_registeredresources_registered_resources, 21); /** * @generated from message policy.registeredresources.DeleteRegisteredResourceValueResponse @@ -522,7 +589,7 @@ export type DeleteRegisteredResourceValueResponse = Message<"policy.registeredre * Use `create(DeleteRegisteredResourceValueResponseSchema)` to create a new message. */ export const DeleteRegisteredResourceValueResponseSchema: GenMessage = /*@__PURE__*/ - messageDesc(file_policy_registeredresources_registered_resources, 21); + messageDesc(file_policy_registeredresources_registered_resources, 22); /** * Registered Resources diff --git a/lib/src/platform/policy/resourcemapping/resource_mapping_pb.ts b/lib/src/platform/policy/resourcemapping/resource_mapping_pb.ts index 33b23f9e6..b856f55a8 100644 --- a/lib/src/platform/policy/resourcemapping/resource_mapping_pb.ts +++ b/lib/src/platform/policy/resourcemapping/resource_mapping_pb.ts @@ -5,7 +5,6 @@ import type { GenFile, GenMessage, GenService } from "@bufbuild/protobuf/codegenv1"; import { fileDesc, messageDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1"; import { file_buf_validate_validate } from "../../buf/validate/validate_pb.js"; -import { file_google_api_annotations } from "../../google/api/annotations_pb.js"; import type { MetadataMutable, MetadataUpdateEnum } from "../../common/common_pb.js"; import { file_common_common } from "../../common/common_pb.js"; import type { ResourceMapping, ResourceMappingGroup } from "../objects_pb.js"; 
@@ -18,7 +17,7 @@ import type { Message } from "@bufbuild/protobuf"; * Describes the file policy/resourcemapping/resource_mapping.proto. */ export const file_policy_resourcemapping_resource_mapping: GenFile = /*@__PURE__*/ - fileDesc("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", [file_buf_validate_validate, file_google_api_annotations, file_common_common, file_policy_objects, file_policy_selectors]); + fileDesc("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", [file_buf_validate_validate, file_common_common, file_policy_objects, file_policy_selectors]); /** * @generated from message policy.resourcemapping.ListResourceMappingGroupsRequest diff --git a/lib/src/platform/policy/subjectmapping/subject_mapping_pb.ts b/lib/src/platform/policy/subjectmapping/subject_mapping_pb.ts index 6a0bfa2de..7204de704 100644 --- a/lib/src/platform/policy/subjectmapping/subject_mapping_pb.ts +++ b/lib/src/platform/policy/subjectmapping/subject_mapping_pb.ts @@ -5,7 +5,6 @@ import type { GenFile, GenMessage, GenService } from "@bufbuild/protobuf/codegenv1"; import { fileDesc, messageDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1"; import { file_buf_validate_validate } from "../../buf/validate/validate_pb.js"; -import { file_google_api_annotations } from "../../google/api/annotations_pb.js"; import type { MetadataMutable, MetadataUpdateEnum } from "../../common/common_pb.js"; import { file_common_common } from "../../common/common_pb.js"; import type { Action, SubjectConditionSet, SubjectMapping, SubjectProperty, SubjectSet } from "../objects_pb.js"; 
@@ -18,7 +17,7 @@ import type { Message } from "@bufbuild/protobuf"; * Describes the file policy/subjectmapping/subject_mapping.proto. */ export const file_policy_subjectmapping_subject_mapping: GenFile = /*@__PURE__*/ - fileDesc("Citwb2xpY3kvc3ViamVjdG1hcHBpbmcvc3ViamVjdF9tYXBwaW5nLnByb3RvEhVwb2xpY3kuc3ViamVjdG1hcHBpbmciXAobTWF0Y2hTdWJqZWN0TWFwcGluZ3NSZXF1ZXN0Ej0KEnN1YmplY3RfcHJvcGVydGllcxgBIAMoCzIXLnBvbGljeS5TdWJqZWN0UHJvcGVydHlCCLpIBZIBAggBIlAKHE1hdGNoU3ViamVjdE1hcHBpbmdzUmVzcG9uc2USMAoQc3ViamVjdF9tYXBwaW5ncxgBIAMoCzIWLnBvbGljeS5TdWJqZWN0TWFwcGluZyIwChhHZXRTdWJqZWN0TWFwcGluZ1JlcXVlc3QSFAoCaWQYASABKAlCCLpIBXIDsAEBIkwKGUdldFN1YmplY3RNYXBwaW5nUmVzcG9uc2USLwoPc3ViamVjdF9tYXBwaW5nGAEgASgLMhYucG9saWN5LlN1YmplY3RNYXBwaW5nIkUKGkxpc3RTdWJqZWN0TWFwcGluZ3NSZXF1ZXN0EicKCnBhZ2luYXRpb24YCiABKAsyEy5wb2xpY3kuUGFnZVJlcXVlc3QieQobTGlzdFN1YmplY3RNYXBwaW5nc1Jlc3BvbnNlEjAKEHN1YmplY3RfbWFwcGluZ3MYASADKAsyFi5wb2xpY3kuU3ViamVjdE1hcHBpbmcSKAoKcGFnaW5hdGlvbhgKIAEoCzIULnBvbGljeS5QYWdlUmVzcG9uc2Ui0AMKG0NyZWF0ZVN1YmplY3RNYXBwaW5nUmVxdWVzdBIkChJhdHRyaWJ1dGVfdmFsdWVfaWQYASABKAlCCLpIBXIDsAEBEikKB2FjdGlvbnMYAiADKAsyDi5wb2xpY3kuQWN0aW9uQgi6SAWSAQIIARLfAQohZXhpc3Rpbmdfc3ViamVjdF9jb25kaXRpb25fc2V0X2lkGAMgASgJQrMBukivAboBqwEKFG9wdGlvbmFsX3V1aWRfZm9ybWF0EiNPcHRpb25hbCBmaWVsZCBtdXN0IGJlIGEgdmFsaWQgVVVJRBpuc2l6ZSh0aGlzKSA9PSAwIHx8IHRoaXMubWF0Y2hlcygnWzAtOWEtZkEtRl17OH0tWzAtOWEtZkEtRl17NH0tWzAtOWEtZkEtRl17NH0tWzAtOWEtZkEtRl17NH0tWzAtOWEtZkEtRl17MTJ9JykSUwoZbmV3X3N1YmplY3RfY29uZGl0aW9uX3NldBgEIAEoCzIwLnBvbGljeS5zdWJqZWN0bWFwcGluZy5TdWJqZWN0Q29uZGl0aW9uU2V0Q3JlYXRlEikKCG1ldGFkYXRhGGQgASgLMhcuY29tbW9uLk1ldGFkYXRhTXV0YWJsZSJPChxDcmVhdGVTdWJqZWN0TWFwcGluZ1Jlc3BvbnNlEi8KD3N1YmplY3RfbWFwcGluZxgBIAEoCzIWLnBvbGljeS5TdWJqZWN0TWFwcGluZyKWAwobVXBkYXRlU3ViamVjdE1hcHBpbmdSZXF1ZXN0EhQKAmlkGAEgASgJQgi6SAVyA7ABARLWAQoYc3ViamVjdF9jb25kaXRpb25fc2V0X2lkGAIgASgJQrMBukivAboBqwEKFG9wdGlvbmFsX3V1aWRfZm9ybWF0EiNPcHRpb25hbCBmaWVsZCBtdXN0IGJlIGEgdmFsaWQgVVVJRBpuc2l6ZSh0aGlzKSA9PSAwIHx8IHRoaXMubWF0Y2hlcygnWzAtOWEtZkEtRl17OH0tWzAtO
WEtZkEtRl17NH0tWzAtOWEtZkEtRl17NH0tWzAtOWEtZkEtRl17NH0tWzAtOWEtZkEtRl17MTJ9JykSHwoHYWN0aW9ucxgDIAMoCzIOLnBvbGljeS5BY3Rpb24SKQoIbWV0YWRhdGEYZCABKAsyFy5jb21tb24uTWV0YWRhdGFNdXRhYmxlEjwKGG1ldGFkYXRhX3VwZGF0ZV9iZWhhdmlvchhlIAEoDjIaLmNvbW1vbi5NZXRhZGF0YVVwZGF0ZUVudW0iTwocVXBkYXRlU3ViamVjdE1hcHBpbmdSZXNwb25zZRIvCg9zdWJqZWN0X21hcHBpbmcYASABKAsyFi5wb2xpY3kuU3ViamVjdE1hcHBpbmciMwobRGVsZXRlU3ViamVjdE1hcHBpbmdSZXF1ZXN0EhQKAmlkGAEgASgJQgi6SAVyA7ABASJPChxEZWxldGVTdWJqZWN0TWFwcGluZ1Jlc3BvbnNlEi8KD3N1YmplY3RfbWFwcGluZxgBIAEoCzIWLnBvbGljeS5TdWJqZWN0TWFwcGluZyI1Ch1HZXRTdWJqZWN0Q29uZGl0aW9uU2V0UmVxdWVzdBIUCgJpZBgBIAEoCUIIukgFcgOwAQEimQEKHkdldFN1YmplY3RDb25kaXRpb25TZXRSZXNwb25zZRI6ChVzdWJqZWN0X2NvbmRpdGlvbl9zZXQYASABKAsyGy5wb2xpY3kuU3ViamVjdENvbmRpdGlvblNldBI7Chthc3NvY2lhdGVkX3N1YmplY3RfbWFwcGluZ3MYAiADKAsyFi5wb2xpY3kuU3ViamVjdE1hcHBpbmciSgofTGlzdFN1YmplY3RDb25kaXRpb25TZXRzUmVxdWVzdBInCgpwYWdpbmF0aW9uGAogASgLMhMucG9saWN5LlBhZ2VSZXF1ZXN0IokBCiBMaXN0U3ViamVjdENvbmRpdGlvblNldHNSZXNwb25zZRI7ChZzdWJqZWN0X2NvbmRpdGlvbl9zZXRzGAEgAygLMhsucG9saWN5LlN1YmplY3RDb25kaXRpb25TZXQSKAoKcGFnaW5hdGlvbhgKIAEoCzIULnBvbGljeS5QYWdlUmVzcG9uc2UiegoZU3ViamVjdENvbmRpdGlvblNldENyZWF0ZRIyCgxzdWJqZWN0X3NldHMYASADKAsyEi5wb2xpY3kuU3ViamVjdFNldEIIukgFkgECCAESKQoIbWV0YWRhdGEYZCABKAsyFy5jb21tb24uTWV0YWRhdGFNdXRhYmxlInMKIENyZWF0ZVN1YmplY3RDb25kaXRpb25TZXRSZXF1ZXN0Ek8KFXN1YmplY3RfY29uZGl0aW9uX3NldBgBIAEoCzIwLnBvbGljeS5zdWJqZWN0bWFwcGluZy5TdWJqZWN0Q29uZGl0aW9uU2V0Q3JlYXRlIl8KIUNyZWF0ZVN1YmplY3RDb25kaXRpb25TZXRSZXNwb25zZRI6ChVzdWJqZWN0X2NvbmRpdGlvbl9zZXQYASABKAsyGy5wb2xpY3kuU3ViamVjdENvbmRpdGlvblNldCLLAQogVXBkYXRlU3ViamVjdENvbmRpdGlvblNldFJlcXVlc3QSFAoCaWQYASABKAlCCLpIBXIDsAEBEigKDHN1YmplY3Rfc2V0cxgCIAMoCzISLnBvbGljeS5TdWJqZWN0U2V0EikKCG1ldGFkYXRhGGQgASgLMhcuY29tbW9uLk1ldGFkYXRhTXV0YWJsZRI8ChhtZXRhZGF0YV91cGRhdGVfYmVoYXZpb3IYZSABKA4yGi5jb21tb24uTWV0YWRhdGFVcGRhdGVFbnVtIl8KIVVwZGF0ZVN1YmplY3RDb25kaXRpb25TZXRSZXNwb25zZRI6ChVzdWJqZWN0X2NvbmRpdGlvbl9zZXQYASABKAsyGy5wb2xpY3kuU3ViamVjdENvbmRpdGlvblNldCI4CiBEZWxldGVTdWJqZWN0Q29uZ
Gl0aW9uU2V0UmVxdWVzdBIUCgJpZBgBIAEoCUIIukgFcgOwAQEiXwohRGVsZXRlU3ViamVjdENvbmRpdGlvblNldFJlc3BvbnNlEjoKFXN1YmplY3RfY29uZGl0aW9uX3NldBgBIAEoCzIbLnBvbGljeS5TdWJqZWN0Q29uZGl0aW9uU2V0Ii4KLERlbGV0ZUFsbFVubWFwcGVkU3ViamVjdENvbmRpdGlvblNldHNSZXF1ZXN0ImwKLURlbGV0ZUFsbFVubWFwcGVkU3ViamVjdENvbmRpdGlvblNldHNSZXNwb25zZRI7ChZzdWJqZWN0X2NvbmRpdGlvbl9zZXRzGAEgAygLMhsucG9saWN5LlN1YmplY3RDb25kaXRpb25TZXQy1hAKFVN1YmplY3RNYXBwaW5nU2VydmljZRK0AQoUTWF0Y2hTdWJqZWN0TWFwcGluZ3MSMi5wb2xpY3kuc3ViamVjdG1hcHBpbmcuTWF0Y2hTdWJqZWN0TWFwcGluZ3NSZXF1ZXN0GjMucG9saWN5LnN1YmplY3RtYXBwaW5nLk1hdGNoU3ViamVjdE1hcHBpbmdzUmVzcG9uc2UiM4LT5JMCLToSc3ViamVjdF9wcm9wZXJ0aWVzIhcvc3ViamVjdC1tYXBwaW5ncy9tYXRjaBKaAQoTTGlzdFN1YmplY3RNYXBwaW5ncxIxLnBvbGljeS5zdWJqZWN0bWFwcGluZy5MaXN0U3ViamVjdE1hcHBpbmdzUmVxdWVzdBoyLnBvbGljeS5zdWJqZWN0bWFwcGluZy5MaXN0U3ViamVjdE1hcHBpbmdzUmVzcG9uc2UiHJACAYLT5JMCExIRL3N1YmplY3QtbWFwcGluZ3MSmQEKEUdldFN1YmplY3RNYXBwaW5nEi8ucG9saWN5LnN1YmplY3RtYXBwaW5nLkdldFN1YmplY3RNYXBwaW5nUmVxdWVzdBowLnBvbGljeS5zdWJqZWN0bWFwcGluZy5HZXRTdWJqZWN0TWFwcGluZ1Jlc3BvbnNlIiGQAgGC0+STAhgSFi9zdWJqZWN0LW1hcHBpbmdzL3tpZH0SnQEKFENyZWF0ZVN1YmplY3RNYXBwaW5nEjIucG9saWN5LnN1YmplY3RtYXBwaW5nLkNyZWF0ZVN1YmplY3RNYXBwaW5nUmVxdWVzdBozLnBvbGljeS5zdWJqZWN0bWFwcGluZy5DcmVhdGVTdWJqZWN0TWFwcGluZ1Jlc3BvbnNlIhyC0+STAhY6ASoiES9zdWJqZWN0LW1hcHBpbmdzEqIBChRVcGRhdGVTdWJqZWN0TWFwcGluZxIyLnBvbGljeS5zdWJqZWN0bWFwcGluZy5VcGRhdGVTdWJqZWN0TWFwcGluZ1JlcXVlc3QaMy5wb2xpY3kuc3ViamVjdG1hcHBpbmcuVXBkYXRlU3ViamVjdE1hcHBpbmdSZXNwb25zZSIhgtPkkwIbOgEqMhYvc3ViamVjdC1tYXBwaW5ncy97aWR9Ep8BChREZWxldGVTdWJqZWN0TWFwcGluZxIyLnBvbGljeS5zdWJqZWN0bWFwcGluZy5EZWxldGVTdWJqZWN0TWFwcGluZ1JlcXVlc3QaMy5wb2xpY3kuc3ViamVjdG1hcHBpbmcuRGVsZXRlU3ViamVjdE1hcHBpbmdSZXNwb25zZSIegtPkkwIYKhYvc3ViamVjdC1tYXBwaW5ncy97aWR9Eq8BChhMaXN0U3ViamVjdENvbmRpdGlvblNldHMSNi5wb2xpY3kuc3ViamVjdG1hcHBpbmcuTGlzdFN1YmplY3RDb25kaXRpb25TZXRzUmVxdWVzdBo3LnBvbGljeS5zdWJqZWN0bWFwcGluZy5MaXN0U3ViamVjdENvbmRpdGlvblNldHNSZXNwb25zZSIikAIBgtPkkwIZEhcvc3ViamVjdC1jb25kaXRpb24tc2V0cxKuAQoWR2V0U3ViamVjdENvbmRpd
GlvblNldBI0LnBvbGljeS5zdWJqZWN0bWFwcGluZy5HZXRTdWJqZWN0Q29uZGl0aW9uU2V0UmVxdWVzdBo1LnBvbGljeS5zdWJqZWN0bWFwcGluZy5HZXRTdWJqZWN0Q29uZGl0aW9uU2V0UmVzcG9uc2UiJ5ACAYLT5JMCHhIcL3N1YmplY3QtY29uZGl0aW9uLXNldHMve2lkfRKyAQoZQ3JlYXRlU3ViamVjdENvbmRpdGlvblNldBI3LnBvbGljeS5zdWJqZWN0bWFwcGluZy5DcmVhdGVTdWJqZWN0Q29uZGl0aW9uU2V0UmVxdWVzdBo4LnBvbGljeS5zdWJqZWN0bWFwcGluZy5DcmVhdGVTdWJqZWN0Q29uZGl0aW9uU2V0UmVzcG9uc2UiIoLT5JMCHDoBKiIXL3N1YmplY3QtY29uZGl0aW9uLXNldHMStwEKGVVwZGF0ZVN1YmplY3RDb25kaXRpb25TZXQSNy5wb2xpY3kuc3ViamVjdG1hcHBpbmcuVXBkYXRlU3ViamVjdENvbmRpdGlvblNldFJlcXVlc3QaOC5wb2xpY3kuc3ViamVjdG1hcHBpbmcuVXBkYXRlU3ViamVjdENvbmRpdGlvblNldFJlc3BvbnNlIieC0+STAiE6ASoyHC9zdWJqZWN0LWNvbmRpdGlvbi1zZXRzL3tpZH0StAEKGURlbGV0ZVN1YmplY3RDb25kaXRpb25TZXQSNy5wb2xpY3kuc3ViamVjdG1hcHBpbmcuRGVsZXRlU3ViamVjdENvbmRpdGlvblNldFJlcXVlc3QaOC5wb2xpY3kuc3ViamVjdG1hcHBpbmcuRGVsZXRlU3ViamVjdENvbmRpdGlvblNldFJlc3BvbnNlIiSC0+STAh4qHC9zdWJqZWN0LWNvbmRpdGlvbi1zZXRzL3tpZH0S3AEKJURlbGV0ZUFsbFVubWFwcGVkU3ViamVjdENvbmRpdGlvblNldHMSQy5wb2xpY3kuc3ViamVjdG1hcHBpbmcuRGVsZXRlQWxsVW5tYXBwZWRTdWJqZWN0Q29uZGl0aW9uU2V0c1JlcXVlc3QaRC5wb2xpY3kuc3ViamVjdG1hcHBpbmcuRGVsZXRlQWxsVW5tYXBwZWRTdWJqZWN0Q29uZGl0aW9uU2V0c1Jlc3BvbnNlIiiC0+STAiIqIC9zdWJqZWN0LWNvbmRpdGlvbi1zZXRzL3VubWFwcGVkYgZwcm90bzM", [file_buf_validate_validate, file_google_api_annotations, file_common_common, file_policy_objects, file_policy_selectors]); + fileDesc("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", [file_buf_validate_validate, file_common_common, file_policy_objects, file_policy_selectors]); /** * MatchSubjectMappingsRequest liberally returns a list of SubjectMappings based on the provided SubjectProperties. diff --git a/lib/src/platform/policy/unsafe/unsafe_pb.ts b/lib/src/platform/policy/unsafe/unsafe_pb.ts index 4e7b9c559..fd8469955 100644 --- a/lib/src/platform/policy/unsafe/unsafe_pb.ts +++ b/lib/src/platform/policy/unsafe/unsafe_pb.ts 
@@ -5,7 +5,6 @@ import type { GenFile, GenMessage, GenService } from "@bufbuild/protobuf/codegenv1"; import { fileDesc, messageDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1"; import { file_buf_validate_validate } from "../../buf/validate/validate_pb.js"; -import { file_google_api_annotations } from "../../google/api/annotations_pb.js"; import type { Attribute, AttributeRuleTypeEnum, Key, Namespace, Value } from "../objects_pb.js"; import { file_policy_objects } from "../objects_pb.js"; import type { Message } from "@bufbuild/protobuf"; 
@@ -14,7 +13,7 @@ import type { Message } from "@bufbuild/protobuf"; * Describes the file policy/unsafe/unsafe.proto. */ export const file_policy_unsafe_unsafe: GenFile = /*@__PURE__*/ - fileDesc("Chpwb2xpY3kvdW5zYWZlL3Vuc2FmZS5wcm90bxINcG9saWN5LnVuc2FmZSLhBAocVW5zYWZlVXBkYXRlTmFtZXNwYWNlUmVxdWVzdBIUCgJpZBgBIAEoCUIIukgFcgOwAQESqgQKBG5hbWUYAiABKAlCmwS6SJcEugGOBAoVbmFtZXNwYWNlX25hbWVfZm9ybWF0EqEDTmFtZXNwYWNlIG11c3QgYmUgYSB2YWxpZCBob3N0bmFtZS4gSXQgc2hvdWxkIGluY2x1ZGUgYXQgbGVhc3Qgb25lIGRvdCwgd2l0aCBlYWNoIHNlZ21lbnQgKGxhYmVsKSBzdGFydGluZyBhbmQgZW5kaW5nIHdpdGggYW4gYWxwaGFudW1lcmljIGNoYXJhY3Rlci4gRWFjaCBsYWJlbCBtdXN0IGJlIDEgdG8gNjMgY2hhcmFjdGVycyBsb25nLCBhbGxvd2luZyBoeXBoZW5zIGJ1dCBub3QgYXMgdGhlIGZpcnN0IG9yIGxhc3QgY2hhcmFjdGVyLiBUaGUgdG9wLWxldmVsIGRvbWFpbiAodGhlIGxhc3Qgc2VnbWVudCBhZnRlciB0aGUgZmluYWwgZG90KSBtdXN0IGNvbnNpc3Qgb2YgYXQgbGVhc3QgdHdvIGFscGhhYmV0aWMgY2hhcmFjdGVycy4gVGhlIHN0b3JlZCBuYW1lc3BhY2Ugd2lsbCBiZSBub3JtYWxpemVkIHRvIGxvd2VyIGNhc2UuGlF0aGlzLm1hdGNoZXMoJ14oW2EtekEtWjAtOV0oW2EtekEtWjAtOVxcLV17MCw2MX1bYS16QS1aMC05XSk/XFwuKStbYS16QS1aXXsyLH0kJylyAxj9ASJFCh1VbnNhZmVVcGRhdGVOYW1lc3BhY2VSZXNwb25zZRIkCgluYW1lc3BhY2UYASABKAsyES5wb2xpY3kuTmFtZXNwYWNlIjgKIFVuc2FmZVJlYWN0aXZhdGVOYW1lc3BhY2VSZXF1ZXN0EhQKAmlkGAEgASgJQgi6SAVyA7ABASJJCiFVbnNhZmVSZWFjdGl2YXRlTmFtZXNwYWNlUmVzcG9uc2USJAoJbmFtZXNwYWNlGAEgASgLMhEucG9saWN5Lk5hbWVzcGFjZSJJChxVbnNhZmVEZWxldGVOYW1lc3BhY2VSZXF1ZXN0EhQKAmlkGAEgASgJQgi6SAVyA7ABARITCgNmcW4YAiABKAlCBrpIA8gBASJFCh1VbnNhZmVEZWxldGVOYW1lc3BhY2VSZXNwb25zZRIkCgluYW1lc3BhY2UYASABKAsyES5wb2xpY3kuTmFtZXNwYWNlIsUDChxVbnNhZmVVcGRhdGVBdHRyaWJ1dGVSZXF1ZXN0EhQKAmlkGAEgASgJQgi6SAVyA7ABARLBAgoEbmFtZRgCIAEoCUKyArpIrgK6AaICChVhdHRyaWJ1dGVfbmFtZV9mb3JtYXQSswFBdHRyaWJ1dGUgbmFtZSBtdXN0IGJlIGFuIGFscGhhbnVtZXJpYyBzdHJpbmcsIGFsbG93aW5nIGh5cGhlbnMgYW5kIHVuZGVyc2NvcmVzIGJ1dCBub3QgYXMgdGhlIGZpcnN0IG9yIGxhc3QgY2hhcmFjdGVyLiBUaGUgc3RvcmVkIGF0dHJpYnV0ZSBuYW1lIHdpbGwgYmUgbm9ybWFsaXplZCB0byBsb3dlciBjYXNlLhpTc2l6ZSh0aGlzKSA+IDAgPyB0aGlzLm1hdGNoZXMoJ15bYS16QS1aMC05XSg/OlthLXpBLVowLTlfLV0
qW2EtekEtWjAtOV0pPyQnKSA6IHRydWXIAQByAxj9ARI1CgRydWxlGAMgASgOMh0ucG9saWN5LkF0dHJpYnV0ZVJ1bGVUeXBlRW51bUIIukgFggECEAESFAoMdmFsdWVzX29yZGVyGAQgAygJIkUKHVVuc2FmZVVwZGF0ZUF0dHJpYnV0ZVJlc3BvbnNlEiQKCWF0dHJpYnV0ZRgBIAEoCzIRLnBvbGljeS5BdHRyaWJ1dGUiOAogVW5zYWZlUmVhY3RpdmF0ZUF0dHJpYnV0ZVJlcXVlc3QSFAoCaWQYASABKAlCCLpIBXIDsAEBIkkKIVVuc2FmZVJlYWN0aXZhdGVBdHRyaWJ1dGVSZXNwb25zZRIkCglhdHRyaWJ1dGUYASABKAsyES5wb2xpY3kuQXR0cmlidXRlIkkKHFVuc2FmZURlbGV0ZUF0dHJpYnV0ZVJlcXVlc3QSFAoCaWQYASABKAlCCLpIBXIDsAEBEhMKA2ZxbhgCIAEoCUIGukgDyAEBIkUKHVVuc2FmZURlbGV0ZUF0dHJpYnV0ZVJlc3BvbnNlEiQKCWF0dHJpYnV0ZRgBIAEoCzIRLnBvbGljeS5BdHRyaWJ1dGUi3AIKIVVuc2FmZVVwZGF0ZUF0dHJpYnV0ZVZhbHVlUmVxdWVzdBIUCgJpZBgBIAEoCUIIukgFcgOwAQESoAIKBXZhbHVlGAIgASgJQpACukiMAroBgwIKDHZhbHVlX2Zvcm1hdBK1AUF0dHJpYnV0ZSBWYWx1ZSBtdXN0IGJlIGFuIGFscGhhbnVtZXJpYyBzdHJpbmcsIGFsbG93aW5nIGh5cGhlbnMgYW5kIHVuZGVyc2NvcmVzIGJ1dCBub3QgYXMgdGhlIGZpcnN0IG9yIGxhc3QgY2hhcmFjdGVyLiBUaGUgc3RvcmVkIGF0dHJpYnV0ZSB2YWx1ZSB3aWxsIGJlIG5vcm1hbGl6ZWQgdG8gbG93ZXIgY2FzZS4aO3RoaXMubWF0Y2hlcygnXlthLXpBLVowLTldKD86W2EtekEtWjAtOV8tXSpbYS16QS1aMC05XSk/JCcpcgMY/QEiQgoiVW5zYWZlVXBkYXRlQXR0cmlidXRlVmFsdWVSZXNwb25zZRIcCgV2YWx1ZRgBIAEoCzINLnBvbGljeS5WYWx1ZSI9CiVVbnNhZmVSZWFjdGl2YXRlQXR0cmlidXRlVmFsdWVSZXF1ZXN0EhQKAmlkGAEgASgJQgi6SAVyA7ABASJGCiZVbnNhZmVSZWFjdGl2YXRlQXR0cmlidXRlVmFsdWVSZXNwb25zZRIcCgV2YWx1ZRgBIAEoCzINLnBvbGljeS5WYWx1ZSJOCiFVbnNhZmVEZWxldGVBdHRyaWJ1dGVWYWx1ZVJlcXVlc3QSFAoCaWQYASABKAlCCLpIBXIDsAEBEhMKA2ZxbhgCIAEoCUIGukgDyAEBIkIKIlVuc2FmZURlbGV0ZUF0dHJpYnV0ZVZhbHVlUmVzcG9uc2USHAoFdmFsdWUYASABKAsyDS5wb2xpY3kuVmFsdWUiMQoZVW5zYWZlRGVsZXRlS2FzS2V5UmVxdWVzdBIUCgJpZBgBIAEoCUIIukgFcgOwAQEiNgoaVW5zYWZlRGVsZXRlS2FzS2V5UmVzcG9uc2USGAoDa2V5GAEgASgLMgsucG9saWN5LktleTLJDAoNVW5zYWZlU2VydmljZRKTAQoVVW5zYWZlVXBkYXRlTmFtZXNwYWNlEisucG9saWN5LnVuc2FmZS5VbnNhZmVVcGRhdGVOYW1lc3BhY2VSZXF1ZXN0GiwucG9saWN5LnVuc2FmZS5VbnNhZmVVcGRhdGVOYW1lc3BhY2VSZXNwb25zZSIfgtPkkwIZMhcvdW5zYWZlL25hbWVzcGFjZXMve2lkfRKqAQoZVW5zYWZlUmVhY3RpdmF0ZU5hbWVzcGFjZRIvLnBvbGljeS51bnNhZmUuVW5zYWZlUmVhY3RpdmF0ZU5
hbWVzcGFjZVJlcXVlc3QaMC5wb2xpY3kudW5zYWZlLlVuc2FmZVJlYWN0aXZhdGVOYW1lc3BhY2VSZXNwb25zZSIqgtPkkwIkIiIvdW5zYWZlL25hbWVzcGFjZXMve2lkfS9yZWFjdGl2YXRlEpMBChVVbnNhZmVEZWxldGVOYW1lc3BhY2USKy5wb2xpY3kudW5zYWZlLlVuc2FmZURlbGV0ZU5hbWVzcGFjZVJlcXVlc3QaLC5wb2xpY3kudW5zYWZlLlVuc2FmZURlbGV0ZU5hbWVzcGFjZVJlc3BvbnNlIh+C0+STAhkqFy91bnNhZmUvbmFtZXNwYWNlcy97aWR9EpMBChVVbnNhZmVVcGRhdGVBdHRyaWJ1dGUSKy5wb2xpY3kudW5zYWZlLlVuc2FmZVVwZGF0ZUF0dHJpYnV0ZVJlcXVlc3QaLC5wb2xpY3kudW5zYWZlLlVuc2FmZVVwZGF0ZUF0dHJpYnV0ZVJlc3BvbnNlIh+C0+STAhkyFy91bnNhZmUvYXR0cmlidXRlcy97aWR9EqoBChlVbnNhZmVSZWFjdGl2YXRlQXR0cmlidXRlEi8ucG9saWN5LnVuc2FmZS5VbnNhZmVSZWFjdGl2YXRlQXR0cmlidXRlUmVxdWVzdBowLnBvbGljeS51bnNhZmUuVW5zYWZlUmVhY3RpdmF0ZUF0dHJpYnV0ZVJlc3BvbnNlIiqC0+STAiQiIi91bnNhZmUvYXR0cmlidXRlcy97aWR9L3JlYWN0aXZhdGUSkwEKFVVuc2FmZURlbGV0ZUF0dHJpYnV0ZRIrLnBvbGljeS51bnNhZmUuVW5zYWZlRGVsZXRlQXR0cmlidXRlUmVxdWVzdBosLnBvbGljeS51bnNhZmUuVW5zYWZlRGVsZXRlQXR0cmlidXRlUmVzcG9uc2UiH4LT5JMCGSoXL3Vuc2FmZS9hdHRyaWJ1dGVzL3tpZH0SqQEKGlVuc2FmZVVwZGF0ZUF0dHJpYnV0ZVZhbHVlEjAucG9saWN5LnVuc2FmZS5VbnNhZmVVcGRhdGVBdHRyaWJ1dGVWYWx1ZVJlcXVlc3QaMS5wb2xpY3kudW5zYWZlLlVuc2FmZVVwZGF0ZUF0dHJpYnV0ZVZhbHVlUmVzcG9uc2UiJoLT5JMCIDIeL3Vuc2FmZS9hdHRyaWJ1dGVzL3ZhbHVlcy97aWR9EsABCh5VbnNhZmVSZWFjdGl2YXRlQXR0cmlidXRlVmFsdWUSNC5wb2xpY3kudW5zYWZlLlVuc2FmZVJlYWN0aXZhdGVBdHRyaWJ1dGVWYWx1ZVJlcXVlc3QaNS5wb2xpY3kudW5zYWZlLlVuc2FmZVJlYWN0aXZhdGVBdHRyaWJ1dGVWYWx1ZVJlc3BvbnNlIjGC0+STAisiKS91bnNhZmUvYXR0cmlidXRlcy92YWx1ZXMve2lkfS9yZWFjdGl2YXRlEqkBChpVbnNhZmVEZWxldGVBdHRyaWJ1dGVWYWx1ZRIwLnBvbGljeS51bnNhZmUuVW5zYWZlRGVsZXRlQXR0cmlidXRlVmFsdWVSZXF1ZXN0GjEucG9saWN5LnVuc2FmZS5VbnNhZmVEZWxldGVBdHRyaWJ1dGVWYWx1ZVJlc3BvbnNlIiaC0+STAiAqHi91bnNhZmUvYXR0cmlidXRlcy92YWx1ZXMve2lkfRJrChJVbnNhZmVEZWxldGVLYXNLZXkSKC5wb2xpY3kudW5zYWZlLlVuc2FmZURlbGV0ZUthc0tleVJlcXVlc3QaKS5wb2xpY3kudW5zYWZlLlVuc2FmZURlbGV0ZUthc0tleVJlc3BvbnNlIgBiBnByb3RvMw", [file_buf_validate_validate, file_google_api_annotations, file_policy_objects]); + 
fileDesc("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", [file_buf_validate_validate, file_policy_objects]); /** * WARNING!! 
@@ -486,7 +485,6 @@ export const UnsafeDeleteKasKeyResponseSchema: GenMessage> = {}; - // KAS detail by KAS url - const kasInfo: Record = {}; - // Attribute definitions in use - const prefixes: Set = new Set(); + const granters: Record> = Object.create(null); // Values grouped by normalized attribute prefix - const allClauses: Record = {}; - // Values by normalized FQN - const allValues: Record = {}; + const allClauses: Record = Object.create(null); - const addGrants = (val: string, gs?: KeyAccessServer[]): boolean => { + const addGrants = (valueFQN: string, gs?: KeyHolder[]): boolean => { + if (!(valueFQN in granters)) { + granters[valueFQN] = new Set(); + } if (!gs?.length) { - if (!(val in grants)) { - grants[val] = new Set(); - } return false; } for (const g of gs) { - if (val in grants) { - grants[val].add(g.uri); - } else { - grants[val] = new Set([g.uri]); - } - kasInfo[g.uri] = g; + granters[valueFQN].add(g); } return true; }; for (const v of dataAttrs) { - const { attribute, fqn } = v; + const { attribute, fqn, kasKeys } = v; if (!attribute) { throw new ConfigurationError(`attribute not defined for [${fqn}]`); } const valFqn = fqn.toLowerCase(); const attrFqn = attribute.fqn.toLowerCase(); - if (!prefixes.has(attrFqn)) { - prefixes.add(attrFqn); + if (!(attrFqn in allClauses)) { allClauses[attrFqn] = { def: attribute, values: [], }; } allClauses[attrFqn].values.push(valFqn); - allValues[valFqn] = v; - if (!addGrants(valFqn, v.grants)) { + const validKasKeys = kasKeys + .map((kasKey) => { + if (!kasKey.publicKey) { + return null; + } + return Object.assign({ kasUri: kasKey.kasUri }, kasKey.publicKey); + }) + .filter((kasKey) => kasKey !== null); + if (validKasKeys.length) { + addGrants(valFqn, validKasKeys); + } else if (!addGrants(valFqn, v.grants)) { if (!addGrants(valFqn, attribute.grants)) { addGrants(valFqn, attribute.namespace?.grants); } 
@@ -103,64 +105,80 @@ export function plan(dataAttrs: Value[]): KeySplitStep[] { } const kcs: ComplexBooleanClause[] = []; for (const attrClause of Object.values(allClauses)) { - const ccv: BooleanClause[] = []; - for (const term of attrClause.values) { - const grantsForTerm = Array.from(grants[term] || []); - if (grantsForTerm?.length) { - ccv.push({ + // Create wrapper clauses for each value, [(ANY_OF Value-1), (ANY_OF Value-2)] + const individualValueClauses: BooleanClause[] = []; + for (const attrValue of attrClause.values) { + const grantersForAttr = granters[attrValue] || new Set(); + if (grantersForAttr.size) { + individualValueClauses.push({ op: 'anyOf', - kases: grantsForTerm, + granters: Array.from(grantersForAttr.values()), }); } } + // Use proper boolean operation with wrapped values. const op = booleanOperatorFor(attrClause.def?.rule); kcs.push({ op, - children: ccv, + children: individualValueClauses, }); } - return simplify(kcs, kasInfo); + return simplify(kcs); } -function simplify( - clauses: ComplexBooleanClause[], - kasInfo: Record -): KeySplitStep[] { - const conjunction: Record = {}; - function keyFor(kases: string[]): string { - const k = Array.from(new Set([kases])).sort(); - return k.join('|'); +function simplify(clauses: ComplexBooleanClause[]): KeySplitStep[] { + const conjunction: Record = {}; + function keyFor(granters: KeyHolder[]): string { + const keyParts = granters + .map((keyHolder) => { + const keyParts: string[] = []; + if ('kid' in keyHolder) { + keyParts.push(keyHolder.kasUri); + keyParts.push(keyHolder.kid); + } else { + keyParts.push(keyHolder.uri); + keyParts.push(''); + } + return [keyHolder, keyParts.join('/')] as [KeyHolder, string]; + }) + .sort(([, sortKeyA], [, sortKeyB]) => { + return sortKeyA.localeCompare(sortKeyB); + }) + .map(([, sortKey]) => { + return sortKey; + }); + return keyParts.join(':'); } for (const { op, children } of clauses) { if (!children) { continue; } if (op === 'anyOf') { - const anyKids = []; + 
const granters: KeyHolder[] = []; for (const bc of children) { if (bc.op != 'anyOf') { throw new Error('internal: autoconfigure inversion in disjunction'); } - if (!bc.kases?.length) { + if (!bc.granters.length) { continue; } - anyKids.push(...bc.kases); + granters.push(...bc.granters); } - if (!anyKids?.length) { + if (!granters.length) { continue; } - const k = keyFor(anyKids); - conjunction[k] = anyKids; + const k = keyFor(granters); + conjunction[k] = granters; } else { for (const bc of children) { if (bc.op != 'anyOf') { - throw new Error('insternal: autoconfigure inversion in conjunction'); + throw new Error('internal: autoconfigure inversion in conjunction'); } - if (!bc.kases?.length) { + if (!bc.granters.length) { continue; } - const k = keyFor(bc.kases); - conjunction[k] = bc.kases; + const k = keyFor(bc.granters); + conjunction[k] = bc.granters; } } } @@ -173,7 +191,15 @@ function simplify( i += 1; const sid = '' + i; for (const kas of conjunction[k]) { - t.push({ sid, kas: kasInfo[kas] }); + if ('kid' in kas) { + t.push({ sid, kas: kas, kid: kas.kid }); + } else if (kas.publicKey && kas.publicKey.publicKey.case === 'cached') { + kas.publicKey.publicKey.value.keys.forEach((key) => { + t.push({ sid, kas: kas, kid: key.kid }); + }); + } else { + t.push({ sid, kas: kas }); + } } } return t; diff --git a/lib/tdf3/src/client/builders.ts b/lib/tdf3/src/client/builders.ts index a426634a2..36fc388fd 100644 --- a/lib/tdf3/src/client/builders.ts +++ b/lib/tdf3/src/client/builders.ts @@ -31,6 +31,7 @@ export type EncryptStreamMiddleware = ( export type SplitStep = { kas: string; + kid?: string; sid?: string; }; diff --git a/lib/tdf3/src/client/index.ts b/lib/tdf3/src/client/index.ts index 0988fc3ae..0e138fbb7 100644 --- a/lib/tdf3/src/client/index.ts +++ b/lib/tdf3/src/client/index.ts 
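Review bot: `keyFor` in `simplify` joins `kasUri` and `kid` with `/` and the holders with `:`, and both characters occur inside URIs, so two different granter sets can serialise to the same string. When that happens the later `conjunction[k] = …` assignment overwrites the earlier one and the plan ends up with one split fewer than the policy calls for. An unambiguous encoding avoids it, for example `const parts = granters.map((g) => JSON.stringify('kid' in g ? [g.kasUri, g.kid] : [g.uri, '']));` followed by `return parts.sort().join(',');`. The `[keyHolder, …]` tuple built in the first `map` is never read and the inner `keyParts` shadows the outer one, so the intermediate tuple can go. `simplify` continues past the end of this hunk.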
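Review bot: A granter whose `publicKey` case is `'cached'` but whose `keys` list is empty adds no step at all in the new `else if` branch, so that KAS silently drops out of the returned plan instead of reaching the `t.push({ sid, kas: kas })` fallback. If it was the only granter for its conjunction entry, that attribute contributes no key split. Guarding on the length keeps the fallback: `} else if (kas.publicKey?.publicKey.case === 'cached' && kas.publicKey.publicKey.value.keys.length) {`. Whether the policy service can return an empty cached list is not visible here, and the loop this hunk edits starts above it.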
@@ -1,8 +1,8 @@ import { v4 } from 'uuid'; import { - ZipReader, - streamToBuffer, keyMiddleware as defaultKeyMiddleware, + streamToBuffer, + ZipReader, } from '../utils/index.js'; import { base64 } from '../../../src/encodings/index.js'; import { @@ -10,8 +10,8 @@ import { type EncryptConfiguration, fetchKasPublicKey, loadTDFStream, - validatePolicyObject, readStream, + validatePolicyObject, writeStream, } from '../tdf.js'; import { unwrapHtml } from '../utils/unwrap.js'; @@ -27,22 +27,18 @@ import { } from '../../../src/utils.js'; import { - type EncryptParams, type DecryptParams, - type Scope, + DecryptParamsBuilder, + type DecryptSource, type DecryptStreamMiddleware, + DEFAULT_SEGMENT_SIZE, type EncryptKeyMiddleware, + type EncryptParams, + EncryptParamsBuilder, type EncryptStreamMiddleware, - type SplitStep, + type Scope, } from './builders.js'; import { DecoratedReadableStream } from './DecoratedReadableStream.js'; - -import { - DEFAULT_SEGMENT_SIZE, - DecryptParamsBuilder, - type DecryptSource, - EncryptParamsBuilder, -} from './builders.js'; import { fetchKeyAccessServers, type KasPublicKeyInfo, @@ -62,8 +58,8 @@ import { } from '../models/index.js'; import { plan } from '../../../src/policy/granter.js'; import { attributeFQNsAsValues } from '../../../src/policy/api.js'; -import { type Value } from '../../../src/policy/attributes.js'; import { type Chunker, fromBuffer, fromSource } from '../../../src/seekable.js'; +import { Algorithm, SimpleKasKey } from '../../../src/platform/policy/objects_pb.js'; const GLOBAL_BYTE_LIMIT = 64 * 1000 * 1000 * 1000; // 64 GB, see WS-9363. 
@@ -72,6 +68,11 @@ const defaultClientConfig = { oidcOrigin: '', cryptoService: defaultCryptoServic const getFirstTwoBytes = async (chunker: Chunker) => new TextDecoder().decode(await chunker(0, 2)); +async function algorithmFromPEM(pem: string) { + const k: CryptoKey = await pemToCryptoPublicKey(pem); + return keyAlgorithmToPublicKeyAlgorithm(k); +} + // Convert a PEM string to a CryptoKey export const resolveKasInfo = async ( pem: string, 
@@ -227,6 +228,95 @@ function asPolicy(scope: Scope): Policy { }; } +type KasKeyInfoCache = [ + ...Parameters, + keyInfoPromise: ReturnType, +][]; + +export function findEntryInCache( + cache: KasKeyInfoCache, + ...params: Parameters +) { + const [wantedKas, wantedAlgorithm, wantedKid] = params; + for (const item of cache) { + const [itemKas, itemAlgorithm, itemKid, itemKeyInfoPromise] = item; + if (itemKas !== wantedKas) { + continue; + } + // This makes undefined only match with undefined (base key). + // We could potentially consider any key a match if undefined algorithm? + if (itemAlgorithm !== wantedAlgorithm) { + continue; + } + if (wantedKid && itemKid !== wantedKid) { + continue; + } + return itemKeyInfoPromise; + } + return null; +} + +const fetchKasKeyWithCache = ( + cache: KasKeyInfoCache, + ...params: Parameters +): ReturnType => { + const cachedEntry = findEntryInCache(cache, ...params); + if (cachedEntry !== null) { + return cachedEntry; + } + const keyInfoPromise = fetchKasPublicKey(...params); + cache.push([...params, keyInfoPromise]); + return keyInfoPromise; +}; + +function algorithmEnumValueToString(algorithmEnumValue: Algorithm) { + switch (algorithmEnumValue) { + case Algorithm.RSA_2048: + return 'rsa:2048'; + case Algorithm.RSA_4096: + return 'rsa:4096'; + case Algorithm.EC_P256: + return 'ec:secp256r1'; + case Algorithm.EC_P384: + return 'ec:secp384r1'; + case Algorithm.EC_P521: + return 'ec:secp521r1'; + case Algorithm.UNSPECIFIED: + // Not entirely sure undefined is correct here, but since we need to generate a key for our cache + // synchonously, it seems to be the best approach for now. 
+ return undefined; + default: + return undefined; + } +} + +const putKasKeyIntoCache = ( + cache: KasKeyInfoCache, + kasKey: Omit & { + publicKey: Exclude; + } +): ReturnType => { + const algorithmString = algorithmEnumValueToString(kasKey.publicKey.algorithm); + const cachedEntry = findEntryInCache(cache, kasKey.kasUri, algorithmString, kasKey.publicKey.kid); + if (cachedEntry) { + return cachedEntry; + } + const keyInfoPromise = (async function () { + const keyPromise = pemToCryptoPublicKey(kasKey.publicKey.pem); + const key = await keyPromise; + const algorithm = keyAlgorithmToPublicKeyAlgorithm(key); + return { + algorithm: algorithm, + key: keyPromise, + kid: kasKey.publicKey.kid, + publicKey: kasKey.publicKey.pem, + url: kasKey.kasUri, + }; + })(); + cache.push([kasKey.kasUri, algorithmString, kasKey.publicKey.kid, keyInfoPromise]); + return keyInfoPromise; +}; + export class Client { readonly cryptoService: CryptoService; @@ -252,7 +342,7 @@ export class Client { */ readonly platformUrl?: string; - readonly kasKeys: Record[]> = {}; + readonly kasKeyInfoCache: KasKeyInfoCache = []; readonly easEndpoint?: string; @@ -360,11 +450,13 @@ export class Client { cryptoService: this.cryptoService, dpopKeys: clientConfig.dpopKeys, }); - if (clientConfig.kasPublicKey) { - this.kasKeys[this.kasEndpoint] = [ - resolveKasInfo(clientConfig.kasPublicKey, this.kasEndpoint), - ]; - } + } + + /** Necessary only for testing. A dependency-injection approach should be preferred, but that is difficult currently */ + _doFetchKasKeyWithCache( + ...params: Parameters + ): ReturnType { + return fetchKasKeyWithCache(...params); } /** 
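Review bot: Both cache writers store the promise before it settles and never remove it, so a rejected fetch in `fetchKasKeyWithCache` (or an unparsable PEM in `putKasKeyIntoCache`) stays in `kasKeyInfoCache`, and every later lookup for that KAS, algorithm and kid replays the same rejection for the lifetime of the `Client`. One transient network error then blocks encryption to that KAS until the client is rebuilt. Evicting the entry on rejection keeps the de-duplication of concurrent fetches without pinning failures, and the same handler fits `putKasKeyIntoCache`. Entries also never expire, so a key rotated at the KAS is not picked up by a long-lived client; that deserves at least a comment on `KasKeyInfoCache`.

```typescript
  const keyInfoPromise = fetchKasPublicKey(...params);
  const entry: KasKeyInfoCache[number] = [...params, keyInfoPromise];
  cache.push(entry);
  // Drop failed lookups so the next call retries instead of replaying the rejection.
  keyInfoPromise.catch(() => {
    const at = cache.indexOf(entry);
    if (at >= 0) {
      cache.splice(at, 1);
    }
  });
  return keyInfoPromise;
```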
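Review bot: With the `if (clientConfig.kasPublicKey)` block removed, nothing on the new side of this hunk reads `clientConfig.kasPublicKey`, so a caller who supplies the KAS public key in configuration now has it ignored and the key is fetched from the KAS at encrypt time instead. If the option is still accepted (its declaration is outside this hunk), seed the new cache from it, e.g. `this.kasKeyInfoCache.push([this.kasEndpoint, undefined, undefined, resolveKasInfo(clientConfig.kasPublicKey, this.kasEndpoint)]);`, keeping in mind that an `undefined` algorithm slot only matches lookups made without a requested algorithm. Otherwise fail loudly when the option is set, so the configured key is not dropped silently. The constructor begins above this hunk.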
@@ -396,62 +488,165 @@ export class Client { mimeType = 'unknown', windowSize = DEFAULT_SEGMENT_SIZE, keyMiddleware = defaultKeyMiddleware, + splitPlan: preconfiguredSplitPlan, streamMiddleware = async (stream: DecoratedReadableStream) => stream, tdfSpecVersion, wrappingKeyAlgorithm, } = opts; const scope = opts.scope ?? { attributes: [], dissem: [] }; + for (const attributeValue of scope.attributeValues || []) { + for (const kasKey of attributeValue.kasKeys) { + if (kasKey.publicKey !== undefined) { + await putKasKeyIntoCache(this.kasKeyInfoCache, { + // TypeScript is silly and cannot infer that publicKey is not undefined, without re-referencing it like this, even though we checked already. + ...kasKey, + publicKey: kasKey.publicKey, + }); + } + } + } + const policyObject = asPolicy(scope); validatePolicyObject(policyObject); - let splitPlan = opts.splitPlan; - if (!splitPlan && autoconfigure) { - let avs: Value[] = scope.attributeValues ?? []; - const fqns: string[] = scope.attributes - ? scope.attributes.map((attribute) => - typeof attribute === 'string' ? attribute : attribute.attribute - ) - : []; - - if (!avs.length && fqns.length) { - // Hydrate avs from policy endpoint givnen the fqns - if (!this.policyEndpoint) { - throw new ConfigurationError('policyEndpoint not set in TDF3 Client constructor'); + const splitPlan: { + kas: string; + kid?: string; + pem: string; + sid?: string; + }[] = []; + if (preconfiguredSplitPlan) { + for (const preconfiguredSplit of preconfiguredSplitPlan) { + const kasPublicKeyInfo = await this._doFetchKasKeyWithCache( + this.kasKeyInfoCache, + preconfiguredSplit.kas, + wrappingKeyAlgorithm, + preconfiguredSplit.kid + ); + splitPlan.push({ + kas: kasPublicKeyInfo.url, + kid: kasPublicKeyInfo.kid, + pem: kasPublicKeyInfo.publicKey, + sid: preconfiguredSplit.sid, + }); + } + } else if (autoconfigure) { + const attributeValues = scope.attributeValues ?? 
[]; + if (!scope.attributes) { + scope.attributes = attributeValues.map(({ fqn }) => fqn); + } + const attributeFQNs = (scope.attributes ?? []).map((attribute) => + typeof attribute === 'string' ? attribute : attribute.attribute + ); + const fqnsWithoutValues = attributeFQNs.filter((fqn) => + attributeValues.every((av) => av.fqn !== fqn) + ); + + if (fqnsWithoutValues.length) { + // Hydrate missing avs from policy endpoint given the fqns + if (!this.platformUrl) { + throw new ConfigurationError('platformUrl not set in TDF3 Client constructor'); } - avs = await attributeFQNsAsValues( - this.policyEndpoint, + const fetchedFQNValues = await attributeFQNsAsValues( + this.platformUrl, this.authProvider as AuthProvider, - ...fqns + ...fqnsWithoutValues ); - } else if (scope.attributeValues) { - avs = scope.attributeValues; - if (!scope.attributes) { - scope.attributes = avs.map(({ fqn }) => fqn); - } + fetchedFQNValues.forEach((fetchedValue) => { + attributeValues.push(fetchedValue); + }); } - if ( - avs.length != (scope.attributes?.length || 0) || - !avs.map(({ fqn }) => fqn).every((a) => fqns.indexOf(a) >= 0) - ) { + + const hasAllFQNs = attributeFQNs.every((fqn) => + attributeValues.some((attributeValue) => attributeValue.fqn === fqn) + ); + if (attributeFQNs.length != attributeValues.length || !hasAllFQNs) { throw new ConfigurationError( - `Attribute mismatch between [${fqns}] and explicit values ${JSON.stringify( - avs.map(({ fqn }) => fqn) + `Attribute mismatch between [${attributeFQNs}] and explicit values ${JSON.stringify( + attributeValues.map(({ fqn }) => fqn) )}` ); } - const detailedPlan = plan(avs); - splitPlan = detailedPlan.map((kat) => { - const { kas, sid } = kat; - const pubKey = kas.publicKey?.publicKey; - if (pubKey?.case === 'cached' && pubKey.value.keys && !(kas.uri in this.kasKeys)) { - const keys = pubKey.value.keys; - if (keys?.length) { - this.kasKeys[kas.uri] = keys.map((key) => resolveKasInfo(key.pem, kas.uri, key.kid)); + + for (const 
attributeValue of attributeValues) { + for (const kasKey of attributeValue.kasKeys) { + if (kasKey.publicKey !== undefined) { + await putKasKeyIntoCache(this.kasKeyInfoCache, { + // TypeScript is silly and cannot infer that publicKey is not undefined, without re-referencing it like this, even though we checked already. + ...kasKey, + publicKey: kasKey.publicKey, + }); } } - return { kas: kas.uri, sid }; - }); + } + + const detailedPlan = plan(attributeValues); + for (const item of detailedPlan) { + if ('kid' in item.kas) { + const pemAlgorithm = await algorithmFromPEM(item.kas.pem); + const kasPublicKeyInfo = await this._doFetchKasKeyWithCache( + this.kasKeyInfoCache, + item.kas.kasUri, + pemAlgorithm, + item.kas.kid + ); + splitPlan.push({ + kas: kasPublicKeyInfo.url, + kid: kasPublicKeyInfo.kid, + pem: kasPublicKeyInfo.publicKey, + sid: item.sid, + }); + continue; + } + + if (!item.kas.publicKey) { + const kasPublicKeyInfo = await this._doFetchKasKeyWithCache( + this.kasKeyInfoCache, + item.kas.uri, + wrappingKeyAlgorithm, + undefined + ); + splitPlan.push({ + kas: kasPublicKeyInfo.url, + kid: kasPublicKeyInfo.kid, + pem: kasPublicKeyInfo.publicKey, + sid: item.sid, + }); + continue; + } + + switch (item.kas.publicKey.publicKey.case) { + case 'remote': + const kasPublicKeyInfo = await this._doFetchKasKeyWithCache( + this.kasKeyInfoCache, + item.kas.publicKey.publicKey.value, + wrappingKeyAlgorithm, + undefined + ); + splitPlan.push({ + kas: kasPublicKeyInfo.url, + kid: kasPublicKeyInfo.kid, + pem: kasPublicKeyInfo.publicKey, + sid: item.sid, + }); + break; + + case 'cached': + for (const cachedPublicKey of item.kas.publicKey.publicKey.value.keys) { + splitPlan.push({ + kas: item.kas.uri, + kid: cachedPublicKey.kid, + pem: cachedPublicKey.pem, + sid: item.sid, + }); + } + break; + + default: + throw new Error(`Unknown public key type: ${item.kas.publicKey.publicKey.case}`); + } + } } // TODO: Refactor underlying builder to remove some of this unnecessary config. 
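Review bot: In the `'kid' in item.kas` branch the key named by policy (`item.kas.pem`, `item.kas.kid`) is used only to derive a lookup algorithm; the split itself is built from whatever `_doFetchKasKeyWithCache` returns. On a cache miss that is a network fetch which, per the tdf.ts hunk of this commit, ignores `kid`, so the data key can be wrapped to a different key than the attribute value specified, and nothing compares `kasPublicKeyInfo.kid` with `item.kas.kid`. A miss looks possible because `putKasKeyIntoCache` indexes by the enum-derived string (`undefined` for `UNSPECIFIED`) while this lookup uses the PEM-derived one. Since the PEM is already in hand, push it directly as the `'cached'` case does: `splitPlan.push({ kas: item.kas.kasUri, kid: item.kas.kid, pem: item.kas.pem, sid: item.sid });`. The `encrypt` method starts and ends outside this hunk.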
@@ -462,37 +657,47 @@ export class Client { ? maxByteLimit : opts.byteLimit; const encryptionInformation = new SplitKey(new AesGcmCipher(this.cryptoService)); - const splits: SplitStep[] = splitPlan?.length - ? splitPlan - : [{ kas: opts.defaultKASEndpoint ?? this.kasEndpoint }]; + if (splitPlan.length === 0) { + const kasPublicKeyInfo = await this._doFetchKasKeyWithCache( + this.kasKeyInfoCache, + opts.defaultKASEndpoint ?? this.kasEndpoint, + wrappingKeyAlgorithm, + undefined + ); + splitPlan.push({ + kas: kasPublicKeyInfo.url, + kid: kasPublicKeyInfo.kid, + pem: kasPublicKeyInfo.publicKey, + }); + } encryptionInformation.keyAccess = await Promise.all( - splits.map(async ({ kas, sid }) => { - if (!(kas in this.kasKeys)) { - this.kasKeys[kas] = [fetchKasPublicKey(kas, wrappingKeyAlgorithm)]; - } - const kasPublicKey = await Promise.any(this.kasKeys[kas]); - if (kasPublicKey.algorithm !== wrappingKeyAlgorithm) { + splitPlan.map(async ({ kas, kid, pem, sid }) => { + const algorithm = await algorithmFromPEM(pem); + if (algorithm !== wrappingKeyAlgorithm) { console.warn( - `Mismatched wrapping key algorithm: [${kasPublicKey.algorithm}] is not requested type, [${wrappingKeyAlgorithm}]` + `Mismatched wrapping key algorithm: [${algorithm}] is not requested type, [${wrappingKeyAlgorithm}]` ); } let type: KeyAccessType; - switch (kasPublicKey.algorithm) { + switch (algorithm) { case 'rsa:2048': + case 'rsa:4096': type = 'wrapped'; break; + case 'ec:secp384r1': + case 'ec:secp521r1': case 'ec:secp256r1': type = 'ec-wrapped'; break; default: - throw new ConfigurationError(`Unsupported algorithm ${kasPublicKey.algorithm}`); + throw new ConfigurationError(`Unsupported algorithm ${algorithm}`); } return buildKeyAccess({ - alg: kasPublicKey.algorithm, + alg: algorithm, type, - url: kasPublicKey.url, - kid: kasPublicKey.kid, - publicKey: kasPublicKey.publicKey, + url: kas, + kid: kid, + publicKey: pem, metadata, sid, }); 
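Review bot: The `algorithm !== wrappingKeyAlgorithm` check only logs, so a caller who asked for a particular wrapping algorithm still gets key access objects wrapped under whatever algorithm the PEM in the split plan has. After this commit that PEM can come from attribute values or cached policy keys rather than from a fetch made with the requested algorithm. The same comparison also warns on every split when `wrappingKeyAlgorithm` is left unset, since no default is visible where it is destructured. I would skip the check when nothing was requested, `if (wrappingKeyAlgorithm && algorithm !== wrappingKeyAlgorithm) {`, and decide explicitly whether a real mismatch should throw `ConfigurationError` rather than warn. The enclosing method starts and ends outside this hunk.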
diff --git a/lib/tdf3/src/client/validation.ts b/lib/tdf3/src/client/validation.ts index 8f08fdfa0..ef98c051b 100644 --- a/lib/tdf3/src/client/validation.ts +++ b/lib/tdf3/src/client/validation.ts @@ -21,10 +21,10 @@ const IP_HOST_PORT = '([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}:[0-9]{1 const HOST = `(${HOST_PORT}|${WWW_HOST}|${IP_HOST_PORT})`; // validate attr name be like `/attr/` -export const ATTR_NAME = `(/${ATTR_NAME_PROP_NAME}/[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]?)`; +export const ATTR_NAME = `(/${ATTR_NAME_PROP_NAME}/(%[0-9a-fA-F][0-9a-fA-F]|[a-zA-Z0-9])+((%[0-9a-fA-F][0-9a-fA-F]|[a-zA-Z0-9-])+[a-zA-Z0-9])?)`; // validate value pattern -export const ATTR_VALUE = `(/${ATTR_VALUE_PROP_NAME}/[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]?)`; +export const ATTR_VALUE = `(/${ATTR_VALUE_PROP_NAME}/(%[0-9a-fA-F][0-9a-fA-F]|[a-zA-Z0-9])+((%[0-9a-fA-F][0-9a-fA-F]|[a-zA-Z0-9-])+[a-zA-Z0-9])?)`; // validate attribute authority e.g. https://example.com const ATTR_AUTHORITY_PATTERN = `(${SCHEME}${HOST})`; diff --git a/lib/tdf3/src/tdf.ts b/lib/tdf3/src/tdf.ts index 36bf312f4..0ae86a54e 100644 --- a/lib/tdf3/src/tdf.ts +++ b/lib/tdf3/src/tdf.ts @@ -197,8 +197,15 @@ export type RewrapResponse = { */ export async function fetchKasPublicKey( kas: string, - algorithm?: KasPublicKeyAlgorithm + algorithm?: KasPublicKeyAlgorithm, + kid?: string ): Promise { + if (kid) { + // Some specific thing for fetching a key by kid? + // Currently this is just "using" `kid` so TypeScript doesn't complain and + // we can use the type for our cache parameters. + // So this empty `if` is actually doing something. + } return fetchKasPubKeyV2(kas, algorithm); } diff --git a/lib/tests/mocha/encrypt-decrypt.spec.ts b/lib/tests/mocha/encrypt-decrypt.spec.ts index a71dd22f8..1ff560993 100644 --- a/lib/tests/mocha/encrypt-decrypt.spec.ts +++ b/lib/tests/mocha/encrypt-decrypt.spec.ts 
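Review bot: The new `ATTR_NAME` and `ATTR_VALUE` patterns place two quantified groups that accept the same characters back to back (`(…)+((…)+[a-zA-Z0-9])?`), so a long alphanumeric segment can be divided between them in many ways and a non-matching input costs quadratic backtracking wherever the pattern is applied anchored to caller-supplied attribute URLs. They also reject a segment that contains a hyphen and ends in an escape (for example `a-%20`), because the closing class is `[a-zA-Z0-9]` only. A single shared segment with one split point fixes both: `const SEG = '(?:%[0-9a-fA-F]{2}|[a-zA-Z0-9])(?:(?:%[0-9a-fA-F]{2}|[a-zA-Z0-9-])*(?:%[0-9a-fA-F]{2}|[a-zA-Z0-9]))?';`, used by both constants. Percent-escapes admit any byte, including `%2F` and `%00`; where (or whether) these names are decoded is not visible in this hunk, so that deserves a comment next to the pattern.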
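Review bot: `fetchKasPublicKey` accepts `kid` but never passes it on, so a caller asking for a specific key receives whatever `fetchKasPubKeyV2(kas, algorithm)` returns, and `fetchKasKeyWithCache` then stores that result under the requested kid. A later lookup for that kid is served a key whose own `kid` field may differ. Until the KAS lookup can select by kid, check the result instead of leaving the `if` empty: `const info = await fetchKasPubKeyV2(kas, algorithm);` then `if (kid && info.kid !== kid) { throw new Error('KAS returned a different kid than requested'); }` (using whichever error class this file already uses) and `return info;`.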
@@ -201,8 +201,7 @@ describe('rewrap error cases', function () { }); assert.fail('Expected NetworkError'); } catch (error) { - const err = error.errors[0]; - assert.instanceOf(err, NetworkError); + assert.instanceOf(error, NetworkError); } }); diff --git a/lib/tests/mocha/kas-key-cache.spec.ts b/lib/tests/mocha/kas-key-cache.spec.ts new file mode 100644 index 000000000..9bf54db5f --- /dev/null +++ b/lib/tests/mocha/kas-key-cache.spec.ts 
@@ -0,0 +1,470 @@ +import { expect, assert } from 'chai'; +import sinon from 'sinon'; +import { Client, findEntryInCache, HttpRequest } from '../../tdf3/src/client/index.js'; +import { getMocks } from '../mocks/index.js'; +import { EncryptParams, EncryptParamsBuilder } from '../../tdf3/src/client/builders.js'; +import { KasPublicKeyInfo } from '../../src/access.js'; +import { pemToCryptoPublicKey } from '../../src/utils.js'; +import { valClassA, valueFor } from '../web/policy/mock-attrs.js'; +import { KeyAccessServer } from '../../src/policy/attributes.js'; +import { SourceType, Value } from '../../src/platform/policy/objects_pb.js'; + +const Mocks = getMocks(); +const kasUrl = 'http://localhost:3000/kas'; +const platformUrl = 'http://localhost:3000'; + +const authProvider = { + updateClientPublicKey: async () => {}, + withCreds: async (httpReq: HttpRequest) => ({ + ...httpReq, + headers: { ...httpReq.headers, Authorization: 'Bearer dummy-auth-token' }, + }), +}; + +const createFakeResponse = (body: unknown, ok = true, status = 200) => { + const bodyString = JSON.stringify(body); + return Promise.resolve({ + ok, + status, + headers: new Headers({ 'Content-Type': 'application/json' }), + json: () => Promise.resolve(JSON.parse(bodyString)), + text: () => Promise.resolve(bodyString), + } as Response); +}; + +describe('Client Caching Behavior', () => { + let client: Client; + let fetchStub: sinon.SinonStub; + + beforeEach(async () => { + client = new Client({ + kasEndpoint: kasUrl, + platformUrl: platformUrl, + dpopKeys: Mocks.entityKeyPair(), + clientId: 'id', + authProvider, + }); + fetchStub = sinon.stub(globalThis, 'fetch'); + }); + + afterEach(() => { + sinon.restore(); + }); + + describe('when using default KAS endpoint', () => { + it('should not fetch KAS public key if it is already in the cache', async () => { + const mockPublicKeyResponse: KasPublicKeyInfo = { + algorithm: 'rsa:2048', + key: pemToCryptoPublicKey(Mocks.kasPublicKey), + kid: 'kas-ca-kid-rsa', + 
publicKey: Mocks.kasPublicKey, + url: 'https://kas.ca/kas', + }; + + fetchStub.returns(createFakeResponse({ error: 'Not Found' }, false, 404)); + fetchStub.onCall(2).returns(createFakeResponse(mockPublicKeyResponse)); + fetchStub.onCall(5).returns(createFakeResponse(mockPublicKeyResponse)); + + const cacheSpy = sinon.spy(client, '_doFetchKasKeyWithCache'); + + await client.encrypt( + new EncryptParamsBuilder() + .withStringSource('some data to encrypt') + .withAutoconfigure() + .build() + ); + + expect(Object.keys(client.kasKeyInfoCache)).to.have.lengthOf(1); + const initialFetchCount = fetchStub.callCount; + + await client.encrypt( + new EncryptParamsBuilder() + .withStringSource('some other data to encrypt') + .withAutoconfigure() + .build() + ); + + assert.isTrue( + cacheSpy.callCount === 2, + '_doFetchKasKeyWithCache should be called a second time' + ); + assert.equal( + fetchStub.callCount, + initialFetchCount, + 'fetch call count should not increase on cache hit' + ); + }); + }); + + describe('when using autoconfigure with attributes', () => { + it('should only fetch keys for KASes not already in the cache', async () => { + const kasAuUri = 'https://kas.au/kas'; + const kasCaUri = 'https://kas.ca/kas'; + const kasUsUri = 'https://kas.us/kas'; + + const mockKasAuKeyResponse: KasPublicKeyInfo = { + algorithm: 'ec:secp256r1', + key: pemToCryptoPublicKey(Mocks.entityECPublicKey), + kid: 'kas-au-kid-ec', + publicKey: Mocks.entityECPublicKey, + url: 'https://kas.au/kas', + }; + const mockKasCaKeyResponse: KasPublicKeyInfo = { + algorithm: 'rsa:2048', + key: pemToCryptoPublicKey(Mocks.kasPublicKey), + kid: 'kas-ca-kid-rsa', + publicKey: Mocks.kasPublicKey, + url: 'https://kas.ca/kas', + }; + const mockKasUsKeyResponse: KasPublicKeyInfo = { + algorithm: 'ec:secp256r1', + key: pemToCryptoPublicKey(Mocks.extraECPublicKey), + kid: 'kas-us-kid-ec', + publicKey: Mocks.extraECPublicKey, + url: 'https://kas.us/kas', + }; + + fetchStub.returns(createFakeResponse({ error: 
'Not Found' }, false, 404)); + fetchStub.onCall(2).returns(createFakeResponse(mockKasAuKeyResponse)); + fetchStub.onCall(5).returns(createFakeResponse(mockKasCaKeyResponse)); + fetchStub.onCall(8).returns(createFakeResponse(mockKasUsKeyResponse)); + + const cacheSpy = sinon.spy(client, '_doFetchKasKeyWithCache'); + + const encryptParams1: EncryptParams = { + ...new EncryptParamsBuilder() + .withStringSource('some data to encrypt') + .withAutoconfigure() + .build(), + splitPlan: [ + { kas: kasAuUri, sid: '1' }, + { kas: kasCaUri, sid: '1' }, + ], + }; + await client.encrypt(encryptParams1); + + assert.isTrue( + cacheSpy.calledTwice, + '_doFetchKasKeyWithCache should be called twice initially' + ); + assert.isAtLeast(fetchStub.callCount, 2, 'fetch should be called at least twice'); + expect(Object.keys(client.kasKeyInfoCache)).to.have.lengthOf(2); + const fetchCountAfterFirstEncrypt = fetchStub.callCount; + + const encryptParams2: EncryptParams = { + ...new EncryptParamsBuilder().withStringSource('some other data to encrypt').build(), + splitPlan: [ + { kas: kasCaUri, sid: '1' }, // This one is cached + { kas: kasUsUri, sid: '2' }, // This one is new + ], + }; + await client.encrypt(encryptParams2); + + assert.equal( + cacheSpy.callCount, + 4, + '_doFetchKasKeyWithCache should be called two more times' + ); + // Additional 3 calls for base key + RPC + HTTP + assert.equal( + fetchStub.callCount, + fetchCountAfterFirstEncrypt + 3, + 'fetch call count should increase for the new KAS' + ); + expect(Object.keys(client.kasKeyInfoCache)).to.have.lengthOf(3); + }); + }); + + describe('when using attributeValues with embedded keys', () => { + it('should pre-populate the cache from attributes and only fetch non-pre-populated keys', async () => { + const kasPrepopulatedUri = 'https://prepopulated.com/kas'; + const kasFetchedUri = 'https://fetched.com/kas'; + + // 1. Define the attribute that contains a pre-populated KAS key. 
+ // This simulates data coming from a policy service that includes the key material. + const prepopulatedAttributeValue: Value = { + $typeName: 'policy.Value', + fqn: 'http://example.com/attr/prepopulated/value/one', + kasKeys: [ + { + $typeName: 'policy.SimpleKasKey', + kasId: 'prepopulated-kas-1', + kasUri: kasPrepopulatedUri, + publicKey: { + $typeName: 'policy.SimpleKasPublicKey', + pem: Mocks.kasPublicKey, // The key to be pre-populated + kid: 'prepopulated-kid', + algorithm: 1, // Corresponds to Algorithm.RSA_2048 + }, + }, + ], + // Add other required Value properties with empty/default values + id: 'value-id-1', + attribute: { + $typeName: 'policy.Attribute', + id: 'attr-id-1', + name: 'prepopulated', + fqn: 'http://example.com/attr/prepopulated', + rule: 0, + values: [], + grants: [], + kasKeys: [], + }, + value: 'one', + grants: [], + active: true, + subjectMappings: [], + resourceMappings: [], + }; + const fetchedAttributeValue: Value = valueFor(valClassA); + fetchedAttributeValue.grants.push({ + $typeName: 'policy.KeyAccessServer', + id: kasFetchedUri, + kasKeys: [], + uri: kasFetchedUri, + publicKey: { + $typeName: 'policy.PublicKey', + publicKey: { + case: 'remote', + value: kasFetchedUri, + }, + }, + sourceType: SourceType.EXTERNAL, + name: kasFetchedUri, + } as KeyAccessServer); + + // 2. Define the key that we expect the client to fetch over the network. + const mockKasFetchedKeyResponse: KasPublicKeyInfo = { + algorithm: 'ec:secp256r1', + key: pemToCryptoPublicKey(Mocks.entityECPublicKey), + kid: 'fetched-kid', + publicKey: Mocks.entityECPublicKey, + url: kasFetchedUri, + }; + + // 3. Set up the fetch stub. It should only succeed for the *fetched* key. + // If the code tries to fetch the prepopulated key, it will get a 404, causing a failure. 
+ fetchStub.returns(createFakeResponse({ error: 'Not Found' }, false, 404)); + fetchStub.onCall(2).returns(createFakeResponse(mockKasFetchedKeyResponse)); // Succeeds on 3rd attempt + + // const cacheSpy = sinon.spy(client, '_doFetchKasKeyWithCache'); + + const encryptParams: EncryptParams = { + ...new EncryptParamsBuilder() + .withStringSource('some data to encrypt') + .withAutoconfigure() + .build(), + // Provide both the attribute with the embedded key. + scope: { + attributeValues: [prepopulatedAttributeValue, fetchedAttributeValue], + }, + }; + + await client.encrypt(encryptParams); + + const cachedEntry = findEntryInCache( + client.kasKeyInfoCache, + kasPrepopulatedUri, + 'rsa:2048', + undefined + ); + assert(cachedEntry !== null, 'Key should be cached'); + + assert.equal( + fetchStub.callCount, + 3, + 'fetch was only called 3 times (base key, RPC, HTTP) for the one non-prepopulated key' + ); + }); + + it('should handle multiple pre-populated keys with different KIDs for the same KAS', async () => { + const kasSameUri = 'https://same-kas.com/kas'; + + // 1. Define an attribute value that contains a KAS with two different EC keys (and KIDs). 
+ const attributeWithMultipleKeys: Value = { + $typeName: 'policy.Value', + fqn: 'http://example.com/attr/multi-key/value/one', + kasKeys: [ + { + $typeName: 'policy.SimpleKasKey', + kasId: 'same-kas-id-1', + kasUri: kasSameUri, + publicKey: { + $typeName: 'policy.SimpleKasPublicKey', + pem: Mocks.entityECPublicKey, // First EC key + kid: 'ec-key-kid-1', + algorithm: 3, // Corresponds to Algorithm.EC_P256 + }, + }, + { + $typeName: 'policy.SimpleKasKey', + kasId: 'same-kas-id-2', + kasUri: kasSameUri, + publicKey: { + $typeName: 'policy.SimpleKasPublicKey', + pem: Mocks.extraECPublicKey, // Second EC key + kid: 'ec-key-kid-2', + algorithm: 3, // Corresponds to Algorithm.EC_P256 + }, + }, + ], + // Boilerplate for the Value type + id: 'value-id-multi', + attribute: { + $typeName: 'policy.Attribute', + id: 'attr-id-multi', + name: 'multi-key', + fqn: 'http://example.com/attr/multi-key', + rule: 0, + values: [], + grants: [], + kasKeys: [], + }, + value: 'one', + grants: [], + active: true, + subjectMappings: [], + resourceMappings: [], + }; + + fetchStub.returns(createFakeResponse({ error: 'Not Found' }, false, 404)); + const cacheSpy = sinon.spy(client, '_doFetchKasKeyWithCache'); + + const encryptParams: EncryptParams = { + ...new EncryptParamsBuilder() + .withStringSource('some data to encrypt') + .withAutoconfigure() + .build(), + scope: { + attributeValues: [attributeWithMultipleKeys], + }, + }; + + await client.encrypt(encryptParams); + + assert.isTrue(cacheSpy.calledTwice, 'cache method was called for both keys in splitPlan'); + assert.equal(fetchStub.callCount, 0, 'fetch should not be called at all'); + + // Verify both keys are in the cache, distinguished by their KID. 
+ const cachedEntry1 = findEntryInCache( + client.kasKeyInfoCache, + kasSameUri, + 'ec:secp256r1', + 'ec-key-kid-1' + ); + const cachedEntry2 = findEntryInCache( + client.kasKeyInfoCache, + kasSameUri, + 'ec:secp256r1', + 'ec-key-kid-2' + ); + + assert(cachedEntry1 !== null, 'First key (kid-1) should be in the cache'); + assert(cachedEntry2 !== null, 'Second key (kid-2) should be in the cache'); + }); + + it('should pre-populate the cache from two different attributeValues', async () => { + const kasSameUri = 'https://two-attrs.com/kas'; + + // 1. Define the first attributeValue with one EC key. + const attributeValue1: Value = { + $typeName: 'policy.Value', + fqn: 'http://example.com/attr/two-attrs/value/val1', + kasKeys: [ + { + $typeName: 'policy.SimpleKasKey', + kasId: 'two-attrs-kas-1', + kasUri: kasSameUri, + publicKey: { + $typeName: 'policy.SimpleKasPublicKey', + pem: Mocks.entityECPublicKey, // First EC key + kid: 'two-attrs-kid-1', + algorithm: 3, // Corresponds to Algorithm.EC_P256 + }, + }, + ], + // Boilerplate + id: 'value-id-two-attrs-1', + attribute: { + $typeName: 'policy.Attribute', + id: 'attr-id-two-attrs', + name: 'two-attrs', + fqn: 'http://example.com/attr/two-attrs', + rule: 0, + values: [], + grants: [], + kasKeys: [], + }, + value: 'val1', + grants: [], + active: true, + subjectMappings: [], + resourceMappings: [], + }; + + // 2. Define the second attributeValue with a different EC key for the same KAS. 
+ const attributeValue2: Value = { + $typeName: 'policy.Value', + fqn: 'http://example.com/attr/two-attrs/value/val2', + kasKeys: [ + { + $typeName: 'policy.SimpleKasKey', + kasId: 'two-attrs-kas-2', + kasUri: kasSameUri, + publicKey: { + $typeName: 'policy.SimpleKasPublicKey', + pem: Mocks.extraECPublicKey, // Second EC key + kid: 'two-attrs-kid-2', + algorithm: 3, // Corresponds to Algorithm.EC_P256 + }, + }, + ], + // Boilerplate + id: 'value-id-two-attrs-2', + attribute: attributeValue1.attribute, // Share the same parent attribute + value: 'val2', + grants: [], + active: true, + subjectMappings: [], + resourceMappings: [], + }; + + // Set up the fetch stub to always fail. + // This proves no network calls are made. + fetchStub.returns(createFakeResponse({ error: 'Not Found' }, false, 404)); + const cacheSpy = sinon.spy(client, '_doFetchKasKeyWithCache'); + + const encryptParams: EncryptParams = { + ...new EncryptParamsBuilder() + .withStringSource('some data to encrypt') + .withAutoconfigure() + .build(), + scope: { + // Provide both attribute values. + attributeValues: [attributeValue1, attributeValue2], + }, + }; + + await client.encrypt(encryptParams); + + assert.isTrue(cacheSpy.calledTwice, 'cache method was called once for the splitPlan'); + assert.equal(fetchStub.callCount, 0, 'fetch should not be called'); + + // Verify both keys are in the cache, distinguished by their KID. + const cachedEntry1 = findEntryInCache( + client.kasKeyInfoCache, + kasSameUri, + 'ec:secp256r1', + 'two-attrs-kid-1' + ); + const cachedEntry2 = findEntryInCache( + client.kasKeyInfoCache, + kasSameUri, + 'ec:secp256r1', + 'two-attrs-kid-2' + ); + assert(cachedEntry1 !== null, 'First key (kid-1) from attribute 1 should be in the cache'); + assert(cachedEntry2 !== null, 'Second key (kid-2) from attribute 2 should be in the cache'); + }); + }); +}); 
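Review bot: Every case in this spec drives the cache down its success path; none covers a key fetch that fails and is then retried, or a lookup by `kid` where the KAS answers with a different `kid`, which are the two places the cache can hand back a wrong or stale result. The stubs are also tied to call order (`fetchStub.onCall(2)`, `onCall(5)`, `onCall(8)`), so one unrelated extra request shifts which response each KAS receives; selecting the response by request URL with `fetchStub.withArgs(...)` would pin each key to its KAS. The `algorithm: 1` and `algorithm: 3` literals would read better as `Algorithm.RSA_2048` and `Algorithm.EC_P256`, which the trailing comments already name. The commented-out `cacheSpy` line can be dropped.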
diff --git a/lib/tests/mocha/kas-key-splits.spec.ts b/lib/tests/mocha/kas-key-splits.spec.ts new file mode 100644 index 000000000..8e48a5c0c --- /dev/null +++ b/lib/tests/mocha/kas-key-splits.spec.ts 
@@ -0,0 +1,490 @@ +import { assert } from 'chai'; +import sinon from 'sinon'; +import { Client, HttpRequest } from '../../tdf3/src/client/index.js'; +import { getMocks } from '../mocks/index.js'; +import { EncryptParamsBuilder } from '../../tdf3/src/client/builders.js'; +import { GetAttributeValuesByFqnsResponse } from '../../src/platform/policy/attributes/attributes_pb.js'; +import { + Attribute, + AttributeRuleType, + KeyAccessServer, + Namespace, + Value, +} from '../../src/policy/attributes.js'; +import { SourceType } from '../../src/platform/policy/objects_pb.js'; +import { KasPublicKeyInfo } from '../../src/access.js'; +import { pemToCryptoPublicKey } from '../../src/utils.js'; + +const Mocks = getMocks(); +const kasUrl = 'http://localhost:3000/kas'; +const platformUrl = 'http://localhost:3000'; + +const authProvider = { + updateClientPublicKey: async () => {}, + withCreds: async (httpReq: HttpRequest) => ({ + ...httpReq, + headers: { ...httpReq.headers, Authorization: 'Bearer dummy-auth-token' }, + }), +}; + +// const _createFakeResponse = (body: unknown, ok = true, status = 200) => { +// const bodyString = JSON.stringify(body); +// return Promise.resolve({ +// ok, +// status, +// headers: new Headers({ 'Content-Type': 'application/json' }), +// json: () => Promise.resolve(JSON.parse(bodyString)), +// text: () => Promise.resolve(bodyString), +// } as Response); +// }; + +const createFakeResponse = (body: unknown, ok = true, status = 200) => { + const bodyString = JSON.stringify(body); + return Promise.resolve({ + ok, + status, + headers: new Headers({ 'Content-Type': 'application/json' }), + json: () => Promise.resolve(JSON.parse(bodyString)), + text: () => Promise.resolve(bodyString), + } as Response); +}; + +describe('Client Caching Behavior', () => { + let client: Client; + let fetchStub: sinon.SinonStub; + + beforeEach(async () => { + client = new Client({ + kasEndpoint: kasUrl, + platformUrl: platformUrl, + dpopKeys: Mocks.entityKeyPair(), + clientId: 
'id', + authProvider, + }); + fetchStub = sinon.stub(globalThis, 'fetch'); + }); + + afterEach(() => { + sinon.restore(); + }); + + describe('attributeValues with cached keys', () => { + describe('same kids, different uri', () => { + it('should create multiple splits for ALL_OF', async () => { + const nsOne: Namespace = { + $typeName: 'policy.Namespace', + fqn: 'https://ns-one.example', + name: 'ns-one.example', + active: true, + grants: [], + id: 'ns-one.example', + kasKeys: [], + }; + + const kasOne: KeyAccessServer = { + $typeName: 'policy.KeyAccessServer', + id: 'kas-one-id', + kasKeys: [], + uri: 'https://kas-one.example/kas', + publicKey: { + $typeName: 'policy.PublicKey', + remote: 'https://kas-one.example/kas', + } as unknown as KeyAccessServer['publicKey'], + sourceType: SourceType.EXTERNAL, + name: 'kas-one.example', + }; + const kasTwo: KeyAccessServer = { + $typeName: 'policy.KeyAccessServer', + id: 'kas-two-id', + kasKeys: [], + uri: 'https://kas-two.example/kas', + publicKey: { + remote: 'https://kas-two.example/kas', + } as unknown as KeyAccessServer['publicKey'], + sourceType: SourceType.EXTERNAL, + name: 'kas-two.example', + }; + + const attrOne: Attribute = { + fqn: 'https://kas-one.example/attr/attr-to-test', + namespace: nsOne, + active: true, + name: 'Classification', + rule: AttributeRuleType.ALL_OF, + $typeName: 'policy.Attribute', + grants: [], + id: 'attr-one-id', + kasKeys: [], + values: [], + }; + + const attrOneValueOneKey = { + algorithm: 'ec:secp256r1', + key: pemToCryptoPublicKey(Mocks.entityECPublicKey), + kid: 'same-kid-as-other-keys', + publicKey: Mocks.entityECPublicKey, + url: kasOne.uri, + } satisfies KasPublicKeyInfo; + const attrOneValueTwoKey = { + algorithm: 'ec:secp256r1', + key: pemToCryptoPublicKey(Mocks.extraECPublicKey), + kid: 'same-kid-as-other-keys', + publicKey: Mocks.extraECPublicKey, + url: kasTwo.uri, + } satisfies KasPublicKeyInfo; + + const attrOneValueOne: Value = { + $typeName: 'policy.Value', + fqn: 
'https://kas-one.example/attr/attr-to-test/value/one', + kasKeys: [ + { + $typeName: 'policy.SimpleKasKey', + kasId: kasOne.id, + kasUri: kasOne.uri, + publicKey: { + $typeName: 'policy.SimpleKasPublicKey', + algorithm: 3, + kid: attrOneValueOneKey.kid, + pem: attrOneValueOneKey.publicKey, + }, + }, + ], + id: 'attr-value-one-id', + attribute: attrOne, + value: 'one', + grants: [], + active: true, + subjectMappings: [], + resourceMappings: [], + }; + const attrOneValueTwo: Value = { + $typeName: 'policy.Value', + fqn: 'https://kas-one.example/attr/attr-to-test/value/two', + kasKeys: [ + { + $typeName: 'policy.SimpleKasKey', + kasId: kasTwo.id, + kasUri: kasTwo.uri, + publicKey: { + $typeName: 'policy.SimpleKasPublicKey', + algorithm: 3, + kid: attrOneValueTwoKey.kid, + pem: attrOneValueTwoKey.publicKey, + }, + }, + ], + id: 'attr-value-two-id', + attribute: attrOne, + value: 'two', + grants: [], + active: true, + subjectMappings: [], + resourceMappings: [], + }; + + const attrValueByFqnResponse: GetAttributeValuesByFqnsResponse = { + $typeName: 'policy.attributes.GetAttributeValuesByFqnsResponse', + fqnAttributeValues: { + [attrOneValueOne.fqn]: { + $typeName: 'policy.attributes.GetAttributeValuesByFqnsResponse.AttributeAndValue', + attribute: attrOne, + value: attrOneValueOne, + }, + [attrOneValueTwo.fqn]: { + $typeName: 'policy.attributes.GetAttributeValuesByFqnsResponse.AttributeAndValue', + attribute: attrOne, + value: attrOneValueTwo, + }, + }, + }; + + fetchStub.returns(createFakeResponse({ error: 'Not Found' }, false, 404)); + fetchStub.onCall(0).returns(createFakeResponse(attrValueByFqnResponse)); + fetchStub.onCall(3).returns(createFakeResponse(attrOneValueOneKey)); + fetchStub.onCall(6).returns(createFakeResponse(attrOneValueTwoKey)); + + const encryptParams = new EncryptParamsBuilder() + .withStringSource('some data to encrypt') + .withAttributes([attrOneValueOne.fqn, attrOneValueTwo.fqn]) + .withAutoconfigure() + .build(); + + const stream = await 
client.encrypt(encryptParams); + assert( + stream.manifest.encryptionInformation.keyAccess.length === 2, + 'Should have 2 items in KAO' + ); + }); + }); + + it('should create multiple splits for ALL_OF', async () => { + const nsOne: Namespace = { + $typeName: 'policy.Namespace', + fqn: 'https://ns-one.example', + name: 'ns-one.example', + active: true, + grants: [], + id: 'ns-one.example', + kasKeys: [], + }; + + const kasOne: KeyAccessServer = { + $typeName: 'policy.KeyAccessServer', + id: 'kas-one-id', + kasKeys: [], + uri: 'https://kas-one.example/kas', + publicKey: { + $typeName: 'policy.PublicKey', + remote: 'https://kas-one.example/kas', + } as unknown as KeyAccessServer['publicKey'], + sourceType: SourceType.EXTERNAL, + name: 'kas-one.example', + }; + const kasTwo: KeyAccessServer = { + $typeName: 'policy.KeyAccessServer', + id: 'kas-two-id', + kasKeys: [], + uri: 'https://kas-two.example/kas', + publicKey: { + remote: 'https://kas-two.example/kas', + } as unknown as KeyAccessServer['publicKey'], + sourceType: SourceType.EXTERNAL, + name: 'kas-two.example', + }; + + const attrOne: Attribute = { + fqn: 'https://kas-one.example/attr/attr-to-test', + namespace: nsOne, + active: true, + name: 'Classification', + rule: AttributeRuleType.ALL_OF, + $typeName: 'policy.Attribute', + grants: [], + id: 'attr-one-id', + kasKeys: [], + values: [], + }; + + const attrOneValueOneKey = { + algorithm: 'ec:secp256r1', + key: pemToCryptoPublicKey(Mocks.entityECPublicKey), + kid: 'attr-one-value-one-key', + publicKey: Mocks.entityECPublicKey, + url: kasOne.uri, + } satisfies KasPublicKeyInfo; + const attrOneValueTwoKey = { + algorithm: 'ec:secp256r1', + key: pemToCryptoPublicKey(Mocks.extraECPublicKey), + kid: 'attr-one-value-two-key', + publicKey: Mocks.extraECPublicKey, + url: kasTwo.uri, + } satisfies KasPublicKeyInfo; + + const attrOneValueOne: Value = { + $typeName: 'policy.Value', + fqn: 'https://kas-one.example/attr/attr-to-test/value/one', + kasKeys: [ + { + $typeName: 
'policy.SimpleKasKey', + kasId: kasOne.id, + kasUri: kasOne.uri, + publicKey: { + $typeName: 'policy.SimpleKasPublicKey', + algorithm: 3, + kid: attrOneValueOneKey.kid, + pem: attrOneValueOneKey.publicKey, + }, + }, + ], + id: 'attr-value-one-id', + attribute: attrOne, + value: 'one', + grants: [], + active: true, + subjectMappings: [], + resourceMappings: [], + }; + const attrOneValueTwo: Value = { + $typeName: 'policy.Value', + fqn: 'https://kas-one.example/attr/attr-to-test/value/two', + kasKeys: [ + { + $typeName: 'policy.SimpleKasKey', + kasId: kasTwo.id, + kasUri: kasTwo.uri, + publicKey: { + $typeName: 'policy.SimpleKasPublicKey', + algorithm: 3, + kid: attrOneValueTwoKey.kid, + pem: attrOneValueTwoKey.publicKey, + }, + }, + ], + id: 'attr-value-two-id', + attribute: attrOne, + value: 'two', + grants: [], + active: true, + subjectMappings: [], + resourceMappings: [], + }; + + const attrValueByFqnResponse: GetAttributeValuesByFqnsResponse = { + $typeName: 'policy.attributes.GetAttributeValuesByFqnsResponse', + fqnAttributeValues: { + [attrOneValueOne.fqn]: { + $typeName: 'policy.attributes.GetAttributeValuesByFqnsResponse.AttributeAndValue', + attribute: attrOne, + value: attrOneValueOne, + }, + [attrOneValueTwo.fqn]: { + $typeName: 'policy.attributes.GetAttributeValuesByFqnsResponse.AttributeAndValue', + attribute: attrOne, + value: attrOneValueTwo, + }, + }, + }; + + fetchStub.returns(createFakeResponse({ error: 'Not Found' }, false, 404)); + fetchStub.onCall(0).returns(createFakeResponse(attrValueByFqnResponse)); + fetchStub.onCall(3).returns(createFakeResponse(attrOneValueOneKey)); + fetchStub.onCall(6).returns(createFakeResponse(attrOneValueTwoKey)); + + const encryptParams = new EncryptParamsBuilder() + .withStringSource('some data to encrypt') + .withAttributes([attrOneValueOne.fqn, attrOneValueTwo.fqn]) + .withAutoconfigure() + .build(); + + const stream = await client.encrypt(encryptParams); + assert( + 
stream.manifest.encryptionInformation.keyAccess.length === 2, + 'Should have 2 items in KAO' + ); + }); + }); + + describe('attributeValues with grants', () => { + it('should create multiple splits for ALL_OF', async () => { + const nsOne: Namespace = { + $typeName: 'policy.Namespace', + fqn: 'https://ns-one.example', + name: 'ns-one.example', + active: true, + grants: [], + id: 'ns-one.example', + kasKeys: [], + }; + + const kasOne: KeyAccessServer = { + $typeName: 'policy.KeyAccessServer', + id: 'kas-one-id', + kasKeys: [], + uri: 'https://kas-one.example/kas', + publicKey: { + $typeName: 'policy.PublicKey', + remote: 'https://kas-one.example/kas', + } as unknown as KeyAccessServer['publicKey'], + sourceType: SourceType.EXTERNAL, + name: 'kas-one.example', + }; + const kasTwo: KeyAccessServer = { + $typeName: 'policy.KeyAccessServer', + id: 'kas-two-id', + kasKeys: [], + uri: 'https://kas-two.example/kas', + publicKey: { + remote: 'https://kas-two.example/kas', + } as unknown as KeyAccessServer['publicKey'], + sourceType: SourceType.EXTERNAL, + name: 'kas-two.example', + }; + + const attrOne: Attribute = { + fqn: 'https://kas-one.example/attr/attr-to-test', + namespace: nsOne, + active: true, + name: 'Classification', + rule: AttributeRuleType.ALL_OF, + $typeName: 'policy.Attribute', + grants: [], + id: 'attr-one-id', + kasKeys: [], + values: [], + }; + + const attrOneValueOne: Value = { + $typeName: 'policy.Value', + fqn: 'https://kas-one.example/attr/attr-to-test/value/one', + kasKeys: [], + id: 'attr-value-one-id', + attribute: attrOne, + value: 'one', + grants: [kasOne], + active: true, + subjectMappings: [], + resourceMappings: [], + }; + const attrOneValueTwo: Value = { + $typeName: 'policy.Value', + fqn: 'https://kas-one.example/attr/attr-to-test/value/two', + kasKeys: [], + id: 'attr-value-two-id', + attribute: attrOne, + value: 'two', + grants: [kasTwo], + active: true, + subjectMappings: [], + resourceMappings: [], + }; + + const attrValueByFqnResponse: 
GetAttributeValuesByFqnsResponse = { + $typeName: 'policy.attributes.GetAttributeValuesByFqnsResponse', + fqnAttributeValues: { + [attrOneValueOne.fqn]: { + $typeName: 'policy.attributes.GetAttributeValuesByFqnsResponse.AttributeAndValue', + attribute: attrOne, + value: attrOneValueOne, + }, + [attrOneValueTwo.fqn]: { + $typeName: 'policy.attributes.GetAttributeValuesByFqnsResponse.AttributeAndValue', + attribute: attrOne, + value: attrOneValueTwo, + }, + }, + }; + + const attrOneValueOneKey: KasPublicKeyInfo = { + algorithm: 'ec:secp256r1', + key: pemToCryptoPublicKey(Mocks.entityECPublicKey), + kid: 'attr-one-value-one-key', + publicKey: Mocks.entityECPublicKey, + url: kasOne.uri, + }; + const attrOneValueTwoKey: KasPublicKeyInfo = { + algorithm: 'ec:secp256r1', + key: pemToCryptoPublicKey(Mocks.extraECPublicKey), + kid: 'attr-one-value-two-key', + publicKey: Mocks.extraECPublicKey, + url: kasTwo.uri, + }; + + fetchStub.returns(createFakeResponse({ error: 'Not Found' }, false, 404)); + fetchStub.onCall(0).returns(createFakeResponse(attrValueByFqnResponse)); + fetchStub.onCall(3).returns(createFakeResponse(attrOneValueOneKey)); + fetchStub.onCall(6).returns(createFakeResponse(attrOneValueTwoKey)); + + const encryptParams = new EncryptParamsBuilder() + .withStringSource('some data to encrypt') + .withAttributes([attrOneValueOne.fqn, attrOneValueTwo.fqn]) + .withAutoconfigure() + .build(); + + const stream = await client.encrypt(encryptParams); + assert( + stream.manifest.encryptionInformation.keyAccess.length === 2, + 'Should have 2 items in KAO' + ); + }); + }); +}); diff --git a/lib/tests/mocks/pems.ts b/lib/tests/mocks/pems.ts index 70478e7d5..b5089dffd 100644 --- a/lib/tests/mocks/pems.ts +++ b/lib/tests/mocks/pems.ts 
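Review bot: All three `should create multiple splits for ALL_OF` cases assert only `keyAccess.length === 2`, which would still pass if both key access entries were wrapped for the same KAS; that is the very mix-up the 'same kids, different uri' case exists to catch. Assert the targets as well, for example `assert.sameMembers(stream.manifest.encryptionInformation.keyAccess.map((k) => k.url), [kasOne.uri, kasTwo.uri]);` (this assumes the entries expose `url`; adjust to the manifest type), and check the split ids if the plan is expected to make them distinct. The `fetchStub.onCall(3)` / `onCall(6)` indices also tie each test to the client's internal request order, so a stub that matches on the requested URL would be sturdier. The commented-out `_createFakeResponse` copy above `createFakeResponse` can be dropped.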
@@ -1,53 +1,40 @@ -export const kasPublicKey = `-----BEGIN CERTIFICATE----- -MIIDsTCCApmgAwIBAgIJAONESzw+N+3SMA0GCSqGSIb3DQEBDAUAMHUxCzAJBgNV -BAYTAlVTMQswCQYDVQQIDAJEQzETMBEGA1UEBwwKV2FzaGluZ3RvbjEPMA0GA1UE -CgwGVmlydHJ1MREwDwYDVQQDDAhhY2NvdW50czEgMB4GCSqGSIb3DQEJARYRZGV2 -b3BzQHZpcnRydS5jb20wIBcNMTgxMDE4MTY1MjIxWhgPMzAxODAyMTgxNjUyMjFa -MHUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJEQzETMBEGA1UEBwwKV2FzaGluZ3Rv -bjEPMA0GA1UECgwGVmlydHJ1MREwDwYDVQQDDAhhY2NvdW50czEgMB4GCSqGSIb3 -DQEJARYRZGV2b3BzQHZpcnRydS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw -ggEKAoIBAQC3GdLoh0BHjsu9doR2D3+MekHB9VR/cmqV7v6R7xEWZJkuymrJzPy8 -reKSLK7yDhUEZNA9jslVReMpQHaR0/ND0fevJZ0yoo8IXGSIYv+prX6wZbqp4Ykc -ahWMx5nFzpCDSJfd2ZBnCvnsz4x95eX8jme9qNYcELFDEkeLFCushNLXdg8NKrWh -/Ew8VEZGf4hmtb30J11Uj5P2cv6zgATpa6xqjpg8hUarQYTyQi01DTKZ9iR8Kw/x -AH+ocXtbJdy046bMb9uMpeJ/LlMpELSN5pqamVJis/NkWJOVRdwD//p7WQdz9T4T -GzvvrO8KUQoORYERf0EtwBtufv5SDpNhAgMBAAGjQjBAMB0GA1UdDgQWBBTVPQ3Y -oYYXHWbZfK2sonPrOE7nszAfBgNVHSMEGDAWgBTVPQ3YoYYXHWbZfK2sonPrOE7n -szANBgkqhkiG9w0BAQwFAAOCAQEAT2ZjAJPQSf0tME0vbAqHzB8iIhR5KniGgJMJ -mRrXbTl2HBH6WnRwfgY1Ok1X224ph4uBGaAUGs8ONBKli0673jE+IgVob7TCu2yV -gHaKcybDegK4esVNRdsDmOWT+eTxGYAzejdIgdFo6R7Xvs87RbqwM4Cko4xoWGVF -ghWsBqUmyg/rZoggL5H1V166hvoLPKU7SrCInZ8Wd6x4rsNDaxNiC9El102pKXu4 -wCiqJZ0XwklGkH9X0Z5x0txc68tqmSlE/z4i/96oxMp0C2thWfy90ub85f5FrB9m -tN5S0umLPkMUJ6zBIxh1RQK1ZYjfuKij+EEimbqtte9rYyQr3Q== ------END CERTIFICATE-----`; +export const kasPublicKey = `-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7Vu3AIXlvnS5mN63rjbc +HrM0yX+Z8mm7jeq8OdZrO7d/SjAcVT8nbcxwlRk2tZJcCogmB9Jx88EPxSWEPfWM +0ueZ/oCyf55cLRUA58WlJrQBkYg9yr/WeNYNCAQ2DomCCYnNrsjDL3LiUPJxJ+Ie +WHpQCTEHZj7rjh8Hq0b0utEXrj2OUmfa1Sf1Gzj4JXbjFOtJl2cuqCX5uwjF0kPB +ciFXzvYrJXxYM2N5y7QJCgtY3ed94b/sMoZ1P/E8pCdBpXN//zkSYHCAShiXPteN +XDyerbR/HdCM1lSugONE4ZxoOFMzlKNnEfepYmvygDQ6i6Os01ESRpe8h5orxC0k +pQIDAQAB +-----END PUBLIC KEY-----`; export const kasPrivateKey = `-----BEGIN PRIVATE KEY----- 
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC3GdLoh0BHjsu9 -doR2D3+MekHB9VR/cmqV7v6R7xEWZJkuymrJzPy8reKSLK7yDhUEZNA9jslVReMp -QHaR0/ND0fevJZ0yoo8IXGSIYv+prX6wZbqp4YkcahWMx5nFzpCDSJfd2ZBnCvns -z4x95eX8jme9qNYcELFDEkeLFCushNLXdg8NKrWh/Ew8VEZGf4hmtb30J11Uj5P2 -cv6zgATpa6xqjpg8hUarQYTyQi01DTKZ9iR8Kw/xAH+ocXtbJdy046bMb9uMpeJ/ -LlMpELSN5pqamVJis/NkWJOVRdwD//p7WQdz9T4TGzvvrO8KUQoORYERf0EtwBtu -fv5SDpNhAgMBAAECggEBAI7tk5t76ItzRktRNrlKA9DOpoIXVaxeziDX/NRB/96x -DHpf+9gnMaq/ObvNMYs1vuY9I+jJixQLh/VtoqDXCHAKeQO5ouohxvFJ3hgw302+ -ZsSfxIRTz8nkbYoFTV4BjwFMK3A8IuKsyMc4hHzKdyscppKANxKVXSn0HPDOAAGc -Ivdah2o68kef3eeMxwwxEjUCGbv98AsnXOcygb41ZOTFdWjnSZ9/aV2EVTmNs6lL -hU9uD2RTsz7ohbaM2abDeRNCDlQNQe7eQS8B6mItSPahg4eeYC1at2ZbYIcDchUj -Iqz4fMiuAInLNahua6wjN2P9v6wHFax/WXsxTHiHgyECgYEA4nsaTllXq/8ZtK1U -D7e9mqiipKPf/JcHBrG20kSwAgGtzXh0qeVl/KKfSGzTYUF91+q0/XjLvQeaVpDo -VQShe09mAjDPOnqgqV8dqsNRP49JlnkF3V83pBrmMjXDAzA552RwkwZmNQegU19V -jtIsEQQheFe5ZrrzBsc4wd4BFu0CgYEAzvdHLAlki2E9lDqRcwMsJNE4AWS8u+ZR -4G8VLo+fr6qHmv+HYM9vjPvnoS8yiorywLQaBCSDmxPvY9Wy7ErSZ799LLgSpx1e -Z/KFr9VFYZQ+Y0Dm9OPOHPCzOqjNJwdKNsIaRuKAL+NCJQZ1MyZJC3VsThf8gnfm -cQvnK3ryy8UCgYEAhlRLkwLsvCgvP/m6LSRnAg9ZgFtuY6vUUAUiEW8KEfaa9o6m -a4qTRhfSb6uUaE/m6yTbuqdl+DVFNmj2VE7N1IyQTWZT0zSejDbNKtZ0H0XGeMhJ -UTbDksMdm9RFWWPGRFdPafTWtEdUsX6PCYng9yrDC1TEs4jY0kFhiaM6dDUCgYB6 -X19nvE4E04QzhsXFeVS6mDJDMKsfdrlmuIePtkA2/9+aWAhVx5EvjSqR9XQu0qVi -J5tSY7ylDw52uz5F1J+/1EtRC62LviO51n4RT0rsvVh+Gzv0BFY0amWvA2v57aeF -5RLgYsBkkDzl44GcssBx1AYrzqbxBa/tm5od7V5t+QKBgQCdR+BwAsIHF2KzRQhW -BK7+TM6jTOpG5CmxyHhalOdGc56l67NPw10FIZx7zGihAzYbyRv4IBUj2R3nTASb -7uDr0bAL0hHapZgRGzQPG0WX3ifFcfJ+LZoRklm/jHMxYGC/XrCtCfL3ROBL8rcF -3JkIg040ZMZ8wNzpy8zgA7D3KA== +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDtW7cAheW+dLmY +3reuNtweszTJf5nyabuN6rw51ms7t39KMBxVPydtzHCVGTa1klwKiCYH0nHzwQ/F +JYQ99YzS55n+gLJ/nlwtFQDnxaUmtAGRiD3Kv9Z41g0IBDYOiYIJic2uyMMvcuJQ +8nEn4h5YelAJMQdmPuuOHwerRvS60ReuPY5SZ9rVJ/UbOPglduMU60mXZy6oJfm7 
+CMXSQ8FyIVfO9islfFgzY3nLtAkKC1jd533hv+wyhnU/8TykJ0Glc3//ORJgcIBK +GJc+141cPJ6ttH8d0IzWVK6A40ThnGg4UzOUo2cR96lia/KANDqLo6zTURJGl7yH +mivELSSlAgMBAAECggEARJGUtdl4i8MjpLZeYL0nbNT/YGB05DNIQ9C2jIzVUJyL +cK6iWLwUU2NWeLQeemisHzzCo8rXMYAp4p2abN3FT14pvfyG1Fg2r61cJBiUQ7CH +rXeqxioSNrk7bX/t79gokUHWgfIsdMYe/Bx1tPxdINlAys73oMF3ggiTyhaG93qG +ill+aJs1PoQT+CFhl8bRIft3p0SG8MRs0O1UAv9xGBcE7Ac44LWaaOSEn8uWADFE +ooClxoZ4cLGy+0BjRSaaTmSNf0ey1lczp4kxYY8BR5SBhYr0sEcFzDDDtnZMzYZT +FnUF3TD8/QhsTY89w9HbWlah4w5rh5E7B3LS6g5oJwKBgQD5e++BLizAd7vgWBkt +NiFYKZM3KVvKQcvdy0rFmt/IpNKi90TqwyAXj3+1t6Je3TZ++vadTqv6HMzo2hET +/zfeT3u+oLVrtVj6KKVB+D6M27JkdQIYxKgQ/55czqEc4EdktnQxpLJ0hpuX9bty +M5SfulS9aROHslQWLv1KQZFCtwKBgQDzjrSCOYoeg1ik0d8kcJbqJhS+2VLKc3aO +xY8plOhJlkr0N90ajSZtfCuuVMttzbrDZyjFtFu55l6uGfyZ9ml2dKFVLyUgOKgz +HhsgEjdPSQeIJzvfPG9lvA2jD2qJChllGLYQ80NFopPf2qrz764lIPAeK6obJ1D0 +MDLI2SMHgwKBgGGjyKOFH8yfz67Iq+nO4pPviYcwL5Vj1NbUBkp6B5UuNKXFInrC +rR+rcK781JZN+1MNA1GjhZkYhnWnSsHJw+LEtshvezFRQyZ8m9jKwCg+n33DcXOi +G6izchYeZF25xRc8dRMsww7p06FQcfELEOLGeP28TwFvoIsiDs1uBdzXAoGAB2Yz +d61V0917qO4zUEEXZJ+pi67AhCQD2wyHb+T1NZ8aQdccoXzeSP83uIEc+QYCAYO1 +ymPTUY99Gt7xPKAuzgl3CUZ4Y0U1XvAwNMY45fC7CNjgScTlQXr4ExcZznX/FYIt +rdAmIAxzX56eCPEkIj6g7Nm4vkBwhiqcsFtgZA8CgYAeKkvyDoRhvQUqujC9oKmB +o1kUgdAi6dXMJ7d6woM513t2WAzFX4cf2riWtiYtX29vGEVchwLQtcOucvyH14bl +52gZo9p4IIf8doMOuxQmW9GSh3zNOnFlaDkW8QjsIT5ZkNmEM0D2XU7qRQ5Isg7T +x/Rg+O4+TXvjt58+T7bWiA== -----END PRIVATE KEY-----`; export const entityPrivateKey = `-----BEGIN PRIVATE KEY----- 
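Review bot: The new `kasPrivateKey` (and `entityECPrivateKey` in the `@@ -106,18 +93,16 @@` hunk) is private key material with nothing in the file marking it as a fixture. A header comment such as `// Test-only key pairs: never configure these on a real KAS or client.` would let secret-scanner findings be triaged quickly and discourage reuse. Separately, `kasPublicKey` changes from an X.509 `CERTIFICATE` to a bare `PUBLIC KEY`; whether any remaining test still exercises certificate-form KAS keys is not visible here, so confirm that path is still covered if the library accepts it.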
@@ -106,18 +93,16 @@ wVe4nK42SFZAIV9e6A+cgJXYX9OhRANCAATcxKDDwNy1YXcBV3cZCuw1EKf6Gp0e 4UmHCa+2KQc7uk8C1KS8ZSIyvXI6xvjrtohHRDescslzBKodHbeCWzjC -----END PRIVATE KEY-----`; -export const entityECPublicKey = `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg/2aDZn2NqUdPwZGR\ -D6YnmBySTcC1QSi9XNSK4MtT5zmhRANCAAR37xrx2fCXv0teqQfdRM6cfm0Da6Wf -WbnkPacc6p5eITXg9D0fcCcRbf2AQi+KAsF5zttJ+NOdUgfGRGqmtKYT ------END PRIVATE KEY----- -`; +export const entityECPublicKey = `-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEC+eSM/d4I4EaBVOvTbCHDr/piRe3 +nJQIpc8XSibdC9XIvJ0Nj4qXUMHrOREXIGbSVf7dZkQJcTrxb2REsP37YA== +-----END PUBLIC KEY-----`; -export const entityECPrivateKey = `-----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEd+8a8dnwl79LXqkH3UTOnH5tA2ul -n1m55D2nHOqeXiE14PQ9H3AnEW39gEIvigLBec7bSfjTnVIHxkRqprSmEw== ------END PUBLIC KEY----- -`; +export const entityECPrivateKey = `-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIhZ8g2Y35LrzOXe7 +k0OBB4zsyTXvyV1thB5T6cp0vwahRANCAAQL55Iz93gjgRoFU69NsIcOv+mJF7ec +lAilzxdKJt0L1ci8nQ2PipdQwes5ERcgZtJV/t1mRAlxOvFvZESw/ftg +-----END PRIVATE KEY-----`; export const extraECPublicKey = `-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwajvY7i+B74K2vrVy4pbL7WOpBUn diff --git a/lib/tests/web/access/access-fetch.test.ts b/lib/tests/web/access/access-fetch.test.ts new file mode 100644 index 000000000..a607aaf5b --- /dev/null +++ b/lib/tests/web/access/access-fetch.test.ts 
@@ -0,0 +1,366 @@ +import { expect } from '@esm-bundle/chai'; +import sinon from 'sinon'; + +// --- Adjust the import paths to match your project structure --- +import { + fetchWrappedKey, + fetchKeyAccessServers, + fetchKasPubKey, +} from '../../../src/access/access-fetch.js'; +import { + ConfigurationError, + InvalidFileError, + NetworkError, + PermissionDeniedError, + ServiceError, + UnauthenticatedError, +} from '../../../src/errors.js'; +import { OriginAllowList } from '../../../src/access.js'; +import type { AuthProvider } from '../../../src/index.js'; +// ------------------------------------------------------------- + +describe('access-fetch.js', () => { + let fetchStub: sinon.SinonStub; + + // A mock authProvider for testing purposes + const mockAuthProvider: AuthProvider = { + withCreds: sinon.stub().callsFake(async (req) => ({ + ...req, + headers: { ...req.headers, Authorization: 'Bearer test-token' }, + })), + } as unknown as AuthProvider; + + // Helper to create mock fetch responses + // @ts-expect-error Not caring about any in tests. + const createMockResponse = (body, ok = true, status = 200, statusText = 'OK') => { + return Promise.resolve({ + ok, + status, + statusText, + json: () => Promise.resolve(body), + text: () => Promise.resolve(typeof body === 'string' ? 
body : JSON.stringify(body)), + } as Response); + }; + + beforeEach(() => { + // Stub window.fetch before each test + fetchStub = sinon.stub(window, 'fetch'); + // Reset any previous stub behavior + // @ts-expect-error Stub + mockAuthProvider.withCreds.resetHistory(); + }); + + afterEach(() => { + // Restore all stubs + sinon.restore(); + }); + + describe('fetchWrappedKey', () => { + const url = 'https://kas.example.com/rewrap'; + const requestBody = { signedRequestToken: 'test-token' }; + + it('should return a rewrapped key on a successful request', async () => { + const mockResponseData = { + metadata: { a: 1 }, + entityWrappedKey: 'ewk-abc', + sessionPublicKey: 'spk-xyz', + schemaVersion: '1.0.0', + }; + fetchStub.returns(createMockResponse(mockResponseData)); + + const result = await fetchWrappedKey(url, requestBody, mockAuthProvider); + + expect(result).to.deep.equal(mockResponseData); + // @ts-expect-error Stub is not typed. + expect(mockAuthProvider.withCreds.calledOnce).to.be.true; + expect(fetchStub.calledOnce).to.be.true; + const fetchCall = fetchStub.getCall(0); + expect(fetchCall.args[0]).to.equal(url); + expect(JSON.parse(fetchCall.args[1].body as string)).to.deep.equal(requestBody); + }); + + it('should throw NetworkError if the fetch call fails', async () => { + const fetchError = new Error('Network failure'); + fetchStub.rejects(fetchError); + + try { + await fetchWrappedKey(url, requestBody, mockAuthProvider); + expect.fail('Should have thrown'); + } catch (e) { + expect(e).to.be.instanceOf(NetworkError); + expect(e.message).to.equal(`unable to fetch wrapped key from [${url}]`); + } + }); + + it('should throw InvalidFileError for a 400 Bad Request response', async () => { + const errorText = 'Invalid token format'; + fetchStub.returns(createMockResponse(errorText, false, 400, 'Bad Request')); + + try { + await fetchWrappedKey(url, requestBody, mockAuthProvider); + expect.fail('Should have thrown'); + } catch (e) { + 
expect(e).to.be.instanceOf(InvalidFileError); + expect(e.message).to.equal(`400 for [${url}]: rewrap bad request [${errorText}]`); + } + }); + + it('should throw UnauthenticatedError for a 401 Unauthorized response', async () => { + fetchStub.returns(createMockResponse('Auth failed', false, 401, 'Unauthorized')); + + try { + await fetchWrappedKey(url, requestBody, mockAuthProvider); + expect.fail('Should have thrown'); + } catch (e) { + expect(e).to.be.instanceOf(UnauthenticatedError); + expect(e.message).to.equal(`401 for [${url}]; rewrap auth failure`); + } + }); + + it('should throw PermissionDeniedError for a 403 Forbidden response', async () => { + fetchStub.returns(createMockResponse('Forbidden', false, 403, 'Forbidden')); + + try { + await fetchWrappedKey(url, requestBody, mockAuthProvider); + expect.fail('Should have thrown'); + } catch (e) { + expect(e).to.be.instanceOf(PermissionDeniedError); + expect(e.message).to.equal(`403 for [${url}]; rewrap permission denied`); + } + }); + + it('should throw ServiceError for a 5xx server error response', async () => { + const errorText = 'Internal Server Error'; + fetchStub.returns(createMockResponse(errorText, false, 500, 'Internal Server Error')); + + try { + await fetchWrappedKey(url, requestBody, mockAuthProvider); + expect.fail('Should have thrown'); + } catch (e) { + expect(e).to.be.instanceOf(ServiceError); + expect(e.message).to.equal( + `500 for [${url}]: rewrap failure due to service error [${errorText}]` + ); + } + }); + + it('should throw NetworkError for other non-ok responses', async () => { + fetchStub.returns(createMockResponse('Not Found', false, 404, 'Not Found')); + + try { + await fetchWrappedKey(url, requestBody, mockAuthProvider); + expect.fail('Should have thrown'); + } catch (e) { + expect(e).to.be.instanceOf(NetworkError); + expect(e.message).to.equal(`POST ${url} => 404 Not Found`); + } + }); + }); + + describe('fetchKeyAccessServers', () => { + const platformUrl = 
'https://platform.example.com'; + + it('should fetch a list of servers with a single page', async () => { + const mockResponse = { + keyAccessServers: [{ uri: 'https://kas1.example.com' }], + pagination: { nextOffset: 0 }, + }; + fetchStub.returns(createMockResponse(mockResponse)); + + const result = await fetchKeyAccessServers(platformUrl, mockAuthProvider); + + expect(result).to.be.instanceOf(OriginAllowList); + expect(result.origins).to.have.members([ + 'https://platform.example.com', + 'https://kas1.example.com', + ]); + expect(fetchStub.calledOnce).to.be.true; + }); + + it('should handle pagination and combine results from multiple pages', async () => { + const page1Response = { + keyAccessServers: [{ uri: 'https://kas1.example.com' }], + pagination: { nextOffset: 1 }, + }; + const page2Response = { + keyAccessServers: [{ uri: 'https://kas2.example.com' }], + pagination: { nextOffset: 0 }, + }; + + fetchStub.onCall(0).returns(createMockResponse(page1Response)); + fetchStub.onCall(1).returns(createMockResponse(page2Response)); + + const result = await fetchKeyAccessServers(platformUrl, mockAuthProvider); + + expect(result).to.be.instanceOf(OriginAllowList); + expect(result.origins).to.have.members([ + 'https://kas1.example.com', + 'https://kas2.example.com', + 'https://platform.example.com', + ]); + expect(fetchStub.calledTwice).to.be.true; + expect(fetchStub.getCall(0).args[0]).to.include('offset=0'); + expect(fetchStub.getCall(1).args[0]).to.include('offset=1'); + }); + + it('should throw a NetworkError if the fetch call fails', async () => { + const fetchError = new Error('Network failure'); + fetchStub.rejects(fetchError); + + try { + await fetchKeyAccessServers(platformUrl, mockAuthProvider); + expect.fail('Should have thrown'); + } catch (e) { + expect(e).to.be.instanceOf(NetworkError); + expect(e.message).to.include('unable to fetch kas list'); + } + }); + + it('should throw a ServiceError for a non-ok HTTP response', async () => { + 
fetchStub.returns(createMockResponse('Service Unavailable', false, 503)); + + try { + await fetchKeyAccessServers(platformUrl, mockAuthProvider); + expect.fail('Should have thrown'); + } catch (e) { + expect(e).to.be.instanceOf(ServiceError); + expect(e.message).to.include('unable to fetch kas list'); + expect(e.message).to.include('status: 503'); + } + }); + }); + + describe('fetchKasPubKey', () => { + const kasEndpoint = 'https://kas.example.com'; + // FIX: Provide a real, valid base64-encoded key. The `...` is not valid. + const mockPemKey = `-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2p7wtvu1GQY5f4YdPiTa +qabW7JVRX8y548pme3m4R25hdAbTXsNuqAAy9DaqWT+iUJ5BE2oSvHZwwUfRAMTN +D3VxNnBRxLkj2FL+tnVAMZ+qyJ++2cpJhotuXlROcCIZXltjrqYcfaUMBnqrGlI9 +CHoIvVqOLHWNxsEr1QzgBjUH2Yrispnb3r11yB8jdfAtxewtX9pPXP10mNeVr9/C +EAnqlA1Io0Qv3SZZ3h0VWtCMwQkrF76p5c8onD/pgRCO3Udx6K+RLbSkEJell5kj +1EuR3P3E1anNU/NoWdh23c5GXtQvXz4yKy+05kUTZ5xmh/H/0T8WqOrjcnOZycBn +ywIDAQAB +-----END PUBLIC KEY-----`; + const mockCryptoKey = { type: 'public' }; // Mock CryptoKey object + + it('should fetch and return KAS public key info on success', async () => { + const mockResponse = { publicKey: mockPemKey, kid: 'test-kid' }; + fetchStub.returns(createMockResponse(mockResponse)); + + const result = await fetchKasPubKey(kasEndpoint); + + const { key, ...resultWithoutKey } = result; + + expect((await key).type).to.deep.equal(mockCryptoKey.type); + expect(resultWithoutKey).to.deep.equal({ + publicKey: mockPemKey, + url: kasEndpoint, + algorithm: 'rsa:2048', + kid: 'test-kid', + }); + + // expect(validateSecureUrlStub.calledWith(kasEndpoint)).to.be.true; + // expect(pemToCryptoPublicKeyStub.calledWith(mockPemKey)).to.be.true; + + // IMPROVEMENT: Test URL components instead of a hardcoded string. 
+ const fetchedUrl = new URL(fetchStub.firstCall.args[0]); + expect(fetchedUrl.origin).to.equal(kasEndpoint); + expect(fetchedUrl.pathname).to.equal('/v2/kas_public_key'); + expect(fetchedUrl.searchParams.get('algorithm')).to.equal('rsa:2048'); + expect(fetchedUrl.searchParams.get('v')).to.equal('2'); + }); + + it('should throw ConfigurationError if kasEndpoint is missing', async () => { + try { + await fetchKasPubKey(''); + expect.fail('Should have thrown'); + } catch (e) { + expect(e).to.be.instanceOf(ConfigurationError); + expect(e.message).to.equal('KAS definition not found'); + } + }); + + it('should throw ConfigurationError for an invalid kasEndpoint URL', async () => { + const invalidUrl = 'not-a-url'; + // validateSecureUrlStub.throws(new ConfigurationError(`KAS definition invalid: [${invalidUrl}]`)); + try { + await fetchKasPubKey(invalidUrl); + expect.fail('Should have thrown'); + } catch (e) { + expect(e).to.be.instanceOf(ConfigurationError); + expect(e.message).to.equal(`KAS definition invalid: [${invalidUrl}]`); + } + }); + + it('should throw NetworkError if fetch fails', async () => { + const fetchError = new Error('Network failure'); + fetchStub.rejects(fetchError); + + try { + await fetchKasPubKey(kasEndpoint); + expect.fail('Should have thrown'); + } catch (e) { + expect(e).to.be.instanceOf(NetworkError); + expect(e.message).to.include('unable to fetch public key'); + } + }); + + it('should throw ConfigurationError for a 404 response', async () => { + fetchStub.returns(createMockResponse('Not Found', false, 404)); + + try { + await fetchKasPubKey(kasEndpoint); + expect.fail('Should have thrown'); + } catch (e) { + expect(e).to.be.instanceOf(ConfigurationError); + // IMPROVEMENT: Make error message assertion less brittle + expect(e.message).to.include('404 for'); + expect(e.message).to.include('kas.example.com/v2/kas_public_key'); + } + }); + + it('should throw UnauthenticatedError for a 401 response', async () => { + 
fetchStub.returns(createMockResponse('Unauthorized', false, 401)); + + try { + await fetchKasPubKey(kasEndpoint); + expect.fail('Should have thrown'); + } catch (e) { + expect(e).to.be.instanceOf(UnauthenticatedError); + // IMPROVEMENT: Make error message assertion less brittle + expect(e.message).to.include('401 for'); + expect(e.message).to.include('kas.example.com/v2/kas_public_key'); + } + }); + + it('should throw PermissionDeniedError for a 403 response', async () => { + fetchStub.returns(createMockResponse('Forbidden', false, 403)); + + try { + await fetchKasPubKey(kasEndpoint); + expect.fail('Should have thrown'); + } catch (e) { + expect(e).to.be.instanceOf(PermissionDeniedError); + // IMPROVEMENT: Make error message assertion less brittle + expect(e.message).to.include('403 for'); + expect(e.message).to.include('kas.example.com/v2/kas_public_key'); + } + }); + + it('should throw NetworkError if response JSON is missing publicKey', async () => { + const invalidResponse = { kid: 'only-a-kid' }; + fetchStub.returns(createMockResponse(invalidResponse)); + + try { + await fetchKasPubKey(kasEndpoint); + expect.fail('Should have thrown'); + } catch (e) { + expect(e).to.be.instanceOf(NetworkError); + expect(e.message).to.equal( + `invalid response from public key endpoint [${JSON.stringify(invalidResponse)}]` + ); + } + }); + }); +}); diff --git a/lib/tests/web/policy/granter.test.ts b/lib/tests/web/policy/granter.test.ts index 762fb5f65..2f48da9f4 100644 --- a/lib/tests/web/policy/granter.test.ts +++ b/lib/tests/web/policy/granter.test.ts 
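Review bot: In `describe('fetchKasPubKey')` the endpoint validation is pinned by only two inputs, `''` and `'not-a-url'`, and the `validateSecureUrlStub` assertions that would have covered the rest are left commented out. If `fetchKasPubKey` is meant to refuse non-HTTPS, non-local endpoints (the stub name suggests so; the function is not visible here), add a case that passes a plain `http://` remote URL and expects `ConfigurationError`, and assert that `fetchStub` was not called. The scaffold comments `// --- Adjust the import paths to match your project structure ---` and `// FIX: Provide a real, valid base64-encoded key. The ... is not valid.` and the commented-out stub lines should be removed before merge.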
@@ -51,29 +51,76 @@ describe('policy/granter', () => { }); describe('grant overloading', () => { - for (const { name, e } of [ - { name: 'UUU', e: [] }, - { name: 'UUG', e: [{ kas: matr.evenMoreSpecificKas, sid: '1' }] }, - { name: 'UGU', e: [{ kas: matr.specifiedKas, sid: '1' }] }, - { name: 'UGG', e: [{ kas: matr.evenMoreSpecificKas, sid: '1' }] }, - { name: 'GUU', e: [{ kas: matr.lessSpecificKas, sid: '1' }] }, - { name: 'GUG', e: [{ kas: matr.evenMoreSpecificKas, sid: '1' }] }, - { name: 'GGU', e: [{ kas: matr.specifiedKas, sid: '1' }] }, - { name: 'GGG', e: [{ kas: matr.evenMoreSpecificKas, sid: '1' }] }, - { name: 'UUU+UUG', e: [{ kas: matr.evenMoreSpecificKas, sid: '1' }] }, + for (const { attrs, expectedPlan } of [ + { + attrs: [{ fqn: `${matr.nsUngranted}/attr/ungranted/value/ungranted` }], + expectedPlan: [], + }, + { + attrs: [{ fqn: `${matr.nsUngranted}/attr/ungranted/value/granted` }], + expectedPlan: [ + { kas: matr.kases[matr.evenMoreSpecificKas], sid: '1', kid: 'e1' }, + { kas: matr.kases[matr.evenMoreSpecificKas], sid: '1', kid: 'r1' }, + ], + }, + { + attrs: [{ fqn: `${matr.nsUngranted}/attr/granted/value/ungranted` }], + expectedPlan: [ + { kas: matr.kases[matr.specifiedKas], sid: '1', kid: 'e1' }, + { kas: matr.kases[matr.specifiedKas], sid: '1', kid: 'r1' }, + ], + }, + { + attrs: [{ fqn: `${matr.nsUngranted}/attr/granted/value/granted` }], + expectedPlan: [ + { kas: matr.kases[matr.evenMoreSpecificKas], sid: '1', kid: 'e1' }, + { kas: matr.kases[matr.evenMoreSpecificKas], sid: '1', kid: 'r1' }, + ], + }, + { + attrs: [{ fqn: `${matr.nsGranted}/attr/ungranted/value/ungranted` }], + expectedPlan: [ + { kas: matr.kases[matr.lessSpecificKas], sid: '1', kid: 'e1' }, + { kas: matr.kases[matr.lessSpecificKas], sid: '1', kid: 'r1' }, + ], + }, + { + attrs: [{ fqn: `${matr.nsGranted}/attr/ungranted/value/granted` }], + expectedPlan: [ + { kas: matr.kases[matr.evenMoreSpecificKas], sid: '1', kid: 'e1' }, + { kas: matr.kases[matr.evenMoreSpecificKas], 
sid: '1', kid: 'r1' }, + ], + }, + { + attrs: [{ fqn: `${matr.nsGranted}/attr/granted/value/ungranted` }], + expectedPlan: [ + { kas: matr.kases[matr.specifiedKas], sid: '1', kid: 'e1' }, + { kas: matr.kases[matr.specifiedKas], sid: '1', kid: 'r1' }, + ], + }, + { + attrs: [{ fqn: `${matr.nsGranted}/attr/granted/value/granted` }], + expectedPlan: [ + { kas: matr.kases[matr.evenMoreSpecificKas], sid: '1', kid: 'e1' }, + { kas: matr.kases[matr.evenMoreSpecificKas], sid: '1', kid: 'r1' }, + ], + }, + { + attrs: [ + { fqn: `${matr.nsUngranted}/attr/ungranted/value/ungranted` }, + { fqn: `${matr.nsUngranted}/attr/ungranted/value/granted` }, + ], + expectedPlan: [ + { kas: matr.kases[matr.evenMoreSpecificKas], sid: '1', kid: 'e1' }, + { kas: matr.kases[matr.evenMoreSpecificKas], sid: '1', kid: 'r1' }, + ], + }, ]) { - const attrs = matr.valuesFor( - name.split('+').map((s) => { - const [n, a, v] = s; - const ns = n == 'G' ? matr.nsGranted : matr.nsUngranted; - const attr = `${ns}/attr/${a == 'G' ? '' : 'un'}granted`; - return `${attr}/value/${v == 'G' ? '' : 'un'}granted`; - }) - ); - const expected = e.map(({ kas, sid }) => ({ kas: matr.kases[kas], sid })); - it(name, async () => { - const p = plan(attrs); - expect(p).to.deep.equal(expected); + const name = attrs.map((attr) => attr.fqn).join('+'); + it.only(name, async () => { + const platformAttrs = attrs.map((attr) => matr.valueFor(attr.fqn)); + const p = plan(platformAttrs); + expect(p).to.deep.equal(expectedPlan); }); } }); diff --git a/lib/tests/web/policy/mock-attrs.ts b/lib/tests/web/policy/mock-attrs.ts index d396fbdc5..42e456f3f 100644 --- a/lib/tests/web/policy/mock-attrs.ts +++ b/lib/tests/web/policy/mock-attrs.ts 
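Review bot: `it.only(name, async () => {` in the rewritten loop leaves the runner's exclusive-test marker committed. While it is there, at least every other `it` in this file is skipped, and with a plain mocha run the rest of the suite as well. That would include the `fetchKasPubKey` error-path tests (invalid URL, 401, 403) added earlier in this same diff, so CI can stay green while those checks never execute. Change the line back to `it(name, async () => {`. If the runner is mocha, `--forbid-only` in the CI invocation or the `mocha/no-exclusive-tests` lint rule would keep this from being merged again.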
@@ -1,11 +1,12 @@ import { Attribute, + AttributeRuleType, KeyAccessServer, Namespace, Value, - AttributeRuleType, } from '../../../src/policy/attributes.js'; import { kasECCert, kasPublicKey } from '../../mocks/pems.js'; +import { KasPublicKeyAlgEnum, SourceType } from '../../../src/platform/policy/objects_pb.js'; export const kasAu = 'https://kas.au/'; export const kasCa = 'https://kas.ca/'; @@ -75,24 +76,35 @@ export const kases: Record = Object.fromEntries( k, { $typeName: 'policy.KeyAccessServer', + id: k, + kasKeys: [], uri: k, publicKey: { - cached: { - keys: [ - { - pem: kasECCert, - kid: 'e1', - alg: 'KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1', - }, - { - pem: kasPublicKey, - kid: 'r1', - alg: 'KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048', - }, - ], + $typeName: 'policy.PublicKey', + publicKey: { + case: 'cached', + value: { + $typeName: 'policy.KasPublicKeySet', + keys: [ + { + $typeName: 'policy.KasPublicKey', + pem: kasECCert, + kid: 'e1', + alg: KasPublicKeyAlgEnum.EC_SECP256R1, + }, + { + $typeName: 'policy.KasPublicKey', + pem: kasPublicKey, + kid: 'r1', + alg: KasPublicKeyAlgEnum.RSA_2048, + }, + ], + }, }, }, - } as unknown as KeyAccessServer, + sourceType: SourceType.INTERNAL, + name: k, + } as KeyAccessServer, ]) ); @@ -269,6 +281,7 @@ for (const fqn of [ active: true, id: '', kasKeys: [], + resourceMappings: [], subjectMappings: [], grants: [], ...(grants && { grants: grants.map((g) => kases[g]) }), @@ -282,7 +295,7 @@ export function valueFor(attr: string): Value { if (!(attr in values)) { throw new Error(`invalid FQN [${attr}]`); } - console.log('value for', attr, 'is', values[attr]); + // console.log('value for', attr, 'is', values[attr]); return values[attr]; }
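Review bot: The `kases` mock entry in the second hunk still ends in a type assertion, `} as KeyAccessServer,`, which lets the literal compile even when a required field of the message type is missing or misspelled. Now that the literal spells out the full shape (`id`, `kasKeys`, `sourceType`, `name` and the nested `$typeName` tags), the compiler could verify it; if the project's TypeScript version supports it, `} satisfies KeyAccessServer,` would check the fields without widening the literals. The enclosing `Object.fromEntries(` call starts and ends outside the hunk, so whether the assertion can be dropped outright depends on how the entries are typed there.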
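Review bot: The last hunk disables the debug output in `valueFor` by commenting it out, `// console.log('value for', attr, 'is', values[attr]);`, which leaves dead code in the fixture. Delete the line instead; version control keeps it if it is ever needed again.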