

Package sdkms is a Go client library for Fortanix Self Defending Key Management Service (SDKMS).

NOTE: This is work in progress.

Conventions

Optional fields are always pointer types and have json tag omitempty.


Constants

// DefaultAPIEndpoint is used if no Endpoint is specified in Client.
// It is an HTTPS URL; overriding it with a plain-http endpoint would send
// API keys and key material in the clear.
const DefaultAPIEndpoint string = "https://apps.smartkey.io"


Functions

func Some added in v0.3.5

func Some[T any](x T) *T

Some turns a value into a non-nil pointer. It is a convenience function, since it is not possible to take the address of a literal in Go.

Example
// show prints the pointee when the pointer is set and stays silent for nil.
show := func(x *string) {
	if x == nil {
		return
	}
	fmt.Printf("%v\n", *x)
}

// Some("hello") yields a non-nil pointer to "hello"; nil is skipped.
for _, p := range []*string{Some("hello"), nil} {
	show(p)
}
Output:

hello

Types

type APIKey

// APIKey is used for app authentication. It is a credential: keep it out of
// logs, error messages and version control.
type APIKey string

APIKey is used for app authentication

type Account

// Account is an SDKMS account as returned by the service. Optional fields
// are pointers tagged omitempty (see the package conventions); the remaining
// fields are always present in the JSON form. Account has custom
// MarshalJSON/UnmarshalJSON methods.
type Account struct {
	AcctID         UUID                   `json:"acct_id"`
	ApprovalPolicy *AccountApprovalPolicy `json:"approval_policy,omitempty"`
	// Configurations for group-level or account-level approval requests.
	ApprovalRequestSettings  ApprovalRequestSettings                   `json:"approval_request_settings"`
	AuthConfig               *AuthConfig                               `json:"auth_config,omitempty"`
	ClientConfigurations     *ClientConfigurations                     `json:"client_configurations,omitempty"`
	Country                  *string                                   `json:"country,omitempty"`
	CreatedAt                *Time                                     `json:"created_at,omitempty"`
	CryptographicPolicy      *CryptographicPolicy                      `json:"cryptographic_policy,omitempty"`
	CustomMetadata           *map[string]string                        `json:"custom_metadata,omitempty"`
	CustomMetadataAttributes *map[string]CustomAttributeSearchMetadata `json:"custom_metadata_attributes,omitempty"`
	Description              *string                                   `json:"description,omitempty"`
	DisabledAt               *Time                                     `json:"disabled_at,omitempty"`
	Enabled                  bool                                      `json:"enabled"`
	InitialPurchaseAt        *Time                                     `json:"initial_purchase_at,omitempty"`
	KeyHistoryPolicy         *KeyHistoryPolicy                         `json:"key_history_policy,omitempty"`
	KeyMetadataPolicy        *KeyMetadataPolicy                        `json:"key_metadata_policy,omitempty"`
	LogBadRequests           *bool                                     `json:"log_bad_requests,omitempty"`
	LogRetentionDays         *uint64                                   `json:"log_retention_days,omitempty"`
	LoggingConfigs           map[UUID]LoggingConfig                    `json:"logging_configs"`
	// Enable the user to opt out from the current behaviour of key being marked as disabled at time of deactivation.
	MarkKeyDisableWhenDeactivated    bool                       `json:"mark_key_disable_when_deactivated"`
	MaxApp                           *uint32                    `json:"max_app,omitempty"`
	MaxGroup                         *uint32                    `json:"max_group,omitempty"`
	MaxOperation                     *uint64                    `json:"max_operation,omitempty"`
	MaxPlugin                        *uint32                    `json:"max_plugin,omitempty"`
	MaxSobj                          *uint32                    `json:"max_sobj,omitempty"`
	MaxUser                          *uint32                    `json:"max_user,omitempty"`
	Name                             string                     `json:"name"`
	NotificationPref                 *NotificationPref          `json:"notification_pref,omitempty"`
	Organization                     *string                    `json:"organization,omitempty"`
	ParentAcctID                     *UUID                      `json:"parent_acct_id,omitempty"`
	PendingSubscriptionChangeRequest *SubscriptionChangeRequest `json:"pending_subscription_change_request,omitempty"`
	Phone                            *string                    `json:"phone,omitempty"`
	PluginEnabled                    *bool                      `json:"plugin_enabled,omitempty"`
	Subscription                     Subscription               `json:"subscription"`
	Totals                           *ObjectCounts              `json:"totals,omitempty"`
	TrialExpiresAt                   *Time                      `json:"trial_expires_at,omitempty"`
	WorkspaceCseConfig               *WorkspaceCseConfig        `json:"workspace_cse_config,omitempty"`
}

func (Account) MarshalJSON added in v0.2.6

func (x Account) MarshalJSON() ([]byte, error)

func (*Account) UnmarshalJSON added in v0.2.6

func (x *Account) UnmarshalJSON(data []byte) error

type AccountApprovalPolicy

// AccountApprovalPolicy is the account-level approval policy. Policy is the
// quorum policy applied to protected changes; each Protect* flag extends the
// set of account changes that require approval. Nil flags are omitted from
// the JSON body.
type AccountApprovalPolicy struct {
	Policy       QuorumPolicy `json:"policy"`
	ManageGroups *bool        `json:"manage_groups,omitempty"`
	// When this is true, changes to the account authentication methods require approval.
	ProtectAuthenticationMethods *bool `json:"protect_authentication_methods,omitempty"`
	// When this is true, changes to the account cryptographic policy requires approval.
	ProtectCryptographicPolicy *bool `json:"protect_cryptographic_policy,omitempty"`
	// When this is true, changes to logging configuration require approval.
	ProtectLoggingConfig *bool `json:"protect_logging_config,omitempty"`
	// When set to true, updating custom roles would require approval.
	ProtectCustomRoleUpdates *bool `json:"protect_custom_role_updates,omitempty"`
}

Account approval policy.

type AccountPermissions added in v0.2.6

// AccountPermissions is a bit set of account-level permissions. Combine the
// AccountPermissions* constants with bitwise OR; MarshalJSON and
// UnmarshalJSON exchange the bit set with the API's array-of-strings form.
type AccountPermissions uint64
// Account permission bits. Each constant occupies one bit (1 << iota), so a
// role's permission set is the bitwise OR of the constants it holds. The
// "Manage*" entries are documented as implying their finer-grained
// siblings; grant those only where the full set is actually needed.
const (
	//  Permission to manage logging integrations, and enable/disable error
	//  logging.
	AccountPermissionsManageLogging AccountPermissions = 1 << iota
	//  Permission to manage SSO and password policy.
	AccountPermissionsManageAuth
	//  Permission to manage Workspace CSE configuration.
	AccountPermissionsManageWorkspaceCse
	//  Permission required for Workspace CSE PrivilegedUnwrap API. Note
	//  that `UNWRAP_WORKSPACE_CSE` permission in the group where the key is
	//  stored is also required.
	AccountPermissionsUnwrapWorkspaceCsePrivileged
	//  Permission to manage account level client configurations.
	AccountPermissionsManageAccountClientConfigs
	//  Permission to create account-level approval policy. Note that
	//  updating/deleting the approval policy is protected by the approval
	//  policy itself.
	AccountPermissionsCreateAccountApprovalPolicy
	//  Permission to set approval request expiry for all approval requests
	//  created in the account.
	AccountPermissionsSetApprovalRequestExpiry
	//  Permission to update account's custom metadata attributes.
	AccountPermissionsUpdateAccountCustomMetadataAttributes
	//  Permission to manage account subscription (only relevant for SaaS
	//  accounts).
	AccountPermissionsManageAccountSubscription
	//  Permission to update account name, custom logo, and other profile
	//  information.
	AccountPermissionsManageAccountProfile
	//  Permission to delete the account.
	AccountPermissionsDeleteAccount
	//  Permission to create administrative apps. Implies `GET_ADMIN_APPS`.
	AccountPermissionsCreateAdminApps
	//  Permission to update administrative apps. Implies `GET_ADMIN_APPS`.
	AccountPermissionsUpdateAdminApps
	//  Permission to delete administrative apps. Implies `GET_ADMIN_APPS`.
	AccountPermissionsDeleteAdminApps
	//  Permission to retrieve administrative apps' secrets. Note that not
	//  all admin app credentials contain secrets. If an admin app's
	//  credential does not contain any secrets, `GET_ADMIN_APPS` permission
	//  is sufficient to call the `GetAppCredential` API. Implies
	//  `GET_ADMIN_APPS`.
	AccountPermissionsRetrieveAdminAppSecrets
	//  Currently implies `CREATE_ADMIN_APPS`, `UPDATE_ADMIN_APPS`,
	//  `DELETE_ADMIN_APPS`, `RETRIEVE_ADMIN_APP_SECRETS` and
	//  `GET_ADMIN_APPS` permissions.
	AccountPermissionsManageAdminApps
	//  Permission to create custom user roles. Implies `GET_CUSTOM_ROLES`.
	AccountPermissionsCreateCustomRoles
	//  Permission to update custom user roles. Implies `GET_CUSTOM_ROLES`.
	AccountPermissionsUpdateCustomRoles
	//  Permission to delete custom user roles. Implies `GET_CUSTOM_ROLES`.
	AccountPermissionsDeleteCustomRoles
	//  Currently implies `CREATE_CUSTOM_ROLES`, `UPDATE_CUSTOM_ROLES`,
	//  `DELETE_CUSTOM_ROLES` and `GET_CUSTOM_ROLES` permissions.
	AccountPermissionsManageCustomRoles
	//  Permission to invite users to the account. Implies `GET_ALL_USERS`.
	AccountPermissionsInviteUsersToAccount
	//  Permission to remove users from the account. Implies
	//  `GET_ALL_USERS`.
	AccountPermissionsDeleteUsersFromAccount
	//  Permission to change users' role in the account. Implies
	//  `GET_ALL_USERS`.
	AccountPermissionsUpdateUsersAccountRole
	//  Permission to enable/disable users in the account. Implies
	//  `GET_ALL_USERS`.
	AccountPermissionsUpdateUsersAccountEnabledState
	//  Currently implies `INVITE_USERS_TO_ACCOUNT`,
	//  `DELETE_USERS_FROM_ACCOUNT`, `UPDATE_USERS_ACCOUNT_ROLE`,
	//  `UPDATE_USERS_ACCOUNT_ENABLED_STATE` and `GET_ALL_USERS`
	//  permissions.
	AccountPermissionsManageAccountUsers
	//  Permission to create external roles. Implies `GET_EXTERNAL_ROLES`.
	AccountPermissionsCreateExternalRoles
	//  Permission to synchronize external roles. Implies
	//  `GET_EXTERNAL_ROLES`.
	AccountPermissionsSyncExternalRoles
	//  Permission to delete external roles. Implies `GET_EXTERNAL_ROLES`.
	AccountPermissionsDeleteExternalRoles
	//  Currently implies `CREATE_EXTERNAL_ROLES`, `SYNC_EXTERNAL_ROLES`,
	//  `DELETE_EXTERNAL_ROLES` and `GET_EXTERNAL_ROLES` permissions.
	AccountPermissionsManageExternalRoles
	//  Permission to create various account-level security object policies
	//  including cryptographic policy, key metadata policy and key history
	//  policy.
	AccountPermissionsCreateAccountSobjectPolicies
	//  Permission to update various account-level security object policies
	//  including cryptographic policy, key metadata policy and key history
	//  policy.
	AccountPermissionsUpdateAccountSobjectPolicies
	//  Permission to delete various account-level security object policies
	//  including cryptographic policy, key metadata policy and key history
	//  policy.
	AccountPermissionsDeleteAccountSobjectPolicies
	//  Currently implies `CREATE_ACCOUNT_SOBJECT_POLICIES`,
	//  `UPDATE_ACCOUNT_SOBJECT_POLICIES`, and
	//  `DELETE_ACCOUNT_SOBJECT_POLICIES` permissions.
	AccountPermissionsManageAccountSobjectPolicies
	//  Permission to create child accounts. Note that this is only
	//  applicable to SaaS accounts with reseller subscription. Implies
	//  `GET_CHILD_ACCOUNTS`.
	AccountPermissionsCreateChildAccounts
	//  Permission to update child accounts. Note that this is only
	//  applicable to SaaS accounts with reseller subscription. Implies
	//  `GET_CHILD_ACCOUNTS`.
	AccountPermissionsUpdateChildAccounts
	//  Permission to delete child accounts. Note that this is only
	//  applicable to SaaS accounts with reseller subscription. Implies
	//  `GET_CHILD_ACCOUNTS`.
	AccountPermissionsDeleteChildAccounts
	//  Permission to create users in child accounts. Note that this is only
	//  applicable to SaaS accounts with reseller subscription. Implies
	//  `GET_CHILD_ACCOUNTS` and `GET_CHILD_ACCOUNT_USERS`.
	AccountPermissionsCreateChildAccountUsers
	//  Permission to get child accounts. Note that this is only applicable
	//  to SaaS accounts with reseller subscription.
	AccountPermissionsGetChildAccounts
	//  Permission to get child account users. Note that this is only
	//  applicable to SaaS accounts with reseller subscription.
	AccountPermissionsGetChildAccountUsers
	//  Currently implies `CREATE_CHILD_ACCOUNTS`, `UPDATE_CHILD_ACCOUNTS`,
	//  `DELETE_CHILD_ACCOUNTS`, `CREATE_CHILD_ACCOUNT_USERS`,
	//  `GET_CHILD_ACCOUNTS`, and `GET_CHILD_ACCOUNT_USERS` permissions.
	AccountPermissionsManageChildAccounts
	//  Permission to create new local groups.
	AccountPermissionsCreateLocalGroups
	//  Permission to create new group backed by external HSM/KMS.
	AccountPermissionsCreateExternalGroups
	//  Controls if the user can act as an approval policy reviewer.
	AccountPermissionsAllowQuorumReviewer
	//  Controls if the user can act as a key custodian.
	AccountPermissionsAllowKeyCustodian
	//  Grants read access to **all** approval requests in the account. Note
	//  that there is a related group-level permission that is restricted to
	//  approval requests related to one group.
	AccountPermissionsGetAllApprovalRequests
	//  Permission to get administrative apps.
	AccountPermissionsGetAdminApps
	//  Permission to get custom user roles.
	AccountPermissionsGetCustomRoles
	//  Permission to get external roles.
	AccountPermissionsGetExternalRoles
	//  Permission to get all users. Note that users can always get
	//  themselves.
	AccountPermissionsGetAllUsers
	//  Grants access to accounts::GetAccountUsage API.
	AccountPermissionsGetAccountUsage
)

List of supported AccountPermissions values

func (AccountPermissions) MarshalJSON added in v0.2.6

func (x AccountPermissions) MarshalJSON() ([]byte, error)

MarshalJSON converts AccountPermissions to an array of strings

func (*AccountPermissions) UnmarshalJSON added in v0.2.6

func (x *AccountPermissions) UnmarshalJSON(data []byte) error

UnmarshalJSON converts array of strings to AccountPermissions

type AccountRequest

// AccountRequest describes changes to an account. Every field is optional
// and is omitted from the JSON body when nil. As their names suggest, the
// Add*/Mod*/Del* pairs carry incremental changes to LDAP and logging
// configurations (Mod* and Del* are keyed by UUID). AccountRequest has
// custom MarshalJSON/UnmarshalJSON methods.
type AccountRequest struct {
	AddLdap           *[]AuthConfigLdap       `json:"add_ldap,omitempty"`
	AddLoggingConfigs *[]LoggingConfigRequest `json:"add_logging_configs,omitempty"`
	ApprovalPolicy    *AccountApprovalPolicy  `json:"approval_policy,omitempty"`
	// Configurations for group-level or account-level approval requests.
	ApprovalRequestSettings  *ApprovalRequestSettingsRequest           `json:"approval_request_settings,omitempty"`
	AuthConfig               *AuthConfig                               `json:"auth_config,omitempty"`
	ClientConfigurations     *ClientConfigurationsRequest              `json:"client_configurations,omitempty"`
	Country                  *string                                   `json:"country,omitempty"`
	CryptographicPolicy      *Removable[CryptographicPolicy]           `json:"cryptographic_policy,omitempty"`
	CustomMetadata           *map[string]string                        `json:"custom_metadata,omitempty"`
	CustomMetadataAttributes *map[string]CustomAttributeSearchMetadata `json:"custom_metadata_attributes,omitempty"`
	DelLdap                  *[]UUID                                   `json:"del_ldap,omitempty"`
	DelLoggingConfigs        *[]UUID                                   `json:"del_logging_configs,omitempty"`
	Description              *string                                   `json:"description,omitempty"`
	Enabled                  *bool                                     `json:"enabled,omitempty"`
	KeyHistoryPolicy         *Removable[KeyHistoryPolicy]              `json:"key_history_policy,omitempty"`
	KeyMetadataPolicy        *Removable[KeyMetadataPolicy]             `json:"key_metadata_policy,omitempty"`
	LogBadRequests           *bool                                     `json:"log_bad_requests,omitempty"`
	LogRetentionDays         *uint64                                   `json:"log_retention_days,omitempty"`
	// Enable the user to opt out from the current behaviour of key being marked as disabled at time of deactivation.
	MarkKeyDisableWhenDeactivated    *bool                          `json:"mark_key_disable_when_deactivated,omitempty"`
	ModLdap                          *map[UUID]AuthConfigLdap       `json:"mod_ldap,omitempty"`
	ModLoggingConfigs                *map[UUID]LoggingConfigRequest `json:"mod_logging_configs,omitempty"`
	Name                             *string                        `json:"name,omitempty"`
	NotificationPref                 *NotificationPref              `json:"notification_pref,omitempty"`
	Organization                     *string                        `json:"organization,omitempty"`
	ParentAcctID                     *UUID                          `json:"parent_acct_id,omitempty"`
	PendingSubscriptionChangeRequest *SubscriptionChangeRequest     `json:"pending_subscription_change_request,omitempty"`
	Phone                            *string                        `json:"phone,omitempty"`
	PluginEnabled                    *bool                          `json:"plugin_enabled,omitempty"`
	Subscription                     *Subscription                  `json:"subscription,omitempty"`
	WorkspaceCseConfig               *Removable[WorkspaceCseConfig] `json:"workspace_cse_config,omitempty"`
}

func (AccountRequest) MarshalJSON added in v0.2.6

func (x AccountRequest) MarshalJSON() ([]byte, error)

func (*AccountRequest) UnmarshalJSON added in v0.2.6

func (x *AccountRequest) UnmarshalJSON(data []byte) error

type AccountRole added in v0.2.6

// AccountRole is the set of account-level permissions held by users with
// this role, plus an optional group role applied in every group. Because
// AllGroupsRole reaches into all groups, review it with the same care as
// the account permissions themselves.
type AccountRole struct {
	Permissions AccountPermissions `json:"permissions"`
	Exclusive   *bool              `json:"exclusive,omitempty"`
	// If specified, users with this account role will have the specified role
	// in all groups. The uuid should refer to an existing `Role` of kind
	// `RoleKind::Group`.
	AllGroupsRole *UUID `json:"all_groups_role,omitempty"`
}

type AccountSort added in v0.2.6

// AccountSort selects the ordering of listed accounts; ByAccountID is its
// only variant. The field carries no json tag, so its wire form is
// presumably produced elsewhere — not visible here.
type AccountSort struct {
	ByAccountID *AccountSortByAccountId
}

type AccountSortByAccountId added in v0.2.6

// AccountSortByAccountId sorts accounts by account id in the given Order.
type AccountSortByAccountId struct {
	Order Order `json:"order"`
}

type ActionType added in v0.2.6

// ActionType is the category of an action; the supported values are the
// ActionType* constants.
type ActionType string
// Supported ActionType values; the string is the wire form.
const (
	ActionTypeAdministrative  ActionType = "ADMINISTRATIVE"
	ActionTypeAuth            ActionType = "AUTH"
	ActionTypeCryptoOperation ActionType = "CRYPTOOPERATION"
	ActionTypeRunPlugin       ActionType = "RUNPLUGIN"
	ActionTypeCustom          ActionType = "CUSTOM"
	ActionTypeOther           ActionType = "OTHER"
)

List of supported ActionType values

type AesOptions added in v0.2.6

// AesOptions holds AES-specific settings: permitted key sizes, FPE options,
// tag and IV lengths, cipher mode and whether IVs are generated randomly.
// All fields are optional.
type AesOptions struct {
	KeySizes   *[]uint32   `json:"key_sizes,omitempty"`
	Fpe        *FpeOptions `json:"fpe,omitempty"`
	// NOTE(review): for authenticated modes a short tag reduces forgery
	// resistance; the service's minimum is not visible here — confirm.
	TagLength  *int32      `json:"tag_length,omitempty"`
	CipherMode *CipherMode `json:"cipher_mode,omitempty"`
	RandomIv   *bool       `json:"random_iv,omitempty"`
	IvLength   *int32      `json:"iv_length,omitempty"`
}

type AgreeKeyMechanism

// AgreeKeyMechanism selects the key agreement mechanism; see the
// AgreeKeyMechanism* constants (currently only Diffie-Hellman).
type AgreeKeyMechanism string

Options to use for key agreement mechanism.

// Supported AgreeKeyMechanism values.
const (
	// Diffie-Hellman key exchange mechanism
	AgreeKeyMechanismDiffieHellman AgreeKeyMechanism = "diffie_hellman"
)

List of supported AgreeKeyMechanism values

type AgreeKeyRequest

// AgreeKeyRequest is the request body for key agreement: the private and
// public key descriptors, the mechanism, and the properties of the resulting
// key. Note the security advice on KeyType below.
type AgreeKeyRequest struct {
	// Activation date of the agreed key
	ActivationDate *Time `json:"activation_date,omitempty"`
	// Deactivation date of the agreed key
	DeactivationDate *Time `json:"deactivation_date,omitempty"`
	// Identifier of the private key used for agreement
	PrivateKey SobjectDescriptor `json:"private_key"`
	// Identifier of the public key used for agreement
	PublicKey SobjectDescriptor `json:"public_key"`
	// Mechanism to use for key derivation.
	Mechanism AgreeKeyMechanism `json:"mechanism"`
	// Name of the agreed-upon key. Key names must be unique within an account.
	// The name is ignored for transient keys.
	Name *string `json:"name,omitempty"`
	// Group ID of the security group that this security object should belong to. The user or
	// application creating this security object must be a member of this group. If no group is
	// specified, the default group for the requesting application will be used.
	GroupID *UUID `json:"group_id,omitempty"`
	// Type of key to be derived. NB. for security reasons, you shouldn't specify anything but HMAC or Secret.
	KeyType ObjectType `json:"key_type"`
	// Key size in bits. If less than the output size of the algorithm, the secret's most-significant bits will be truncated.
	KeySize uint32 `json:"key_size"`
	// Whether the agreed key should have cryptographic operations enabled
	Enabled *bool `json:"enabled,omitempty"`
	// Description of the agreed key
	Description *string `json:"description,omitempty"`
	// User-defined metadata for this key stored as key-value pairs.
	CustomMetadata *map[string]string `json:"custom_metadata,omitempty"`
	// Optional array of key operations to be enabled for this security object. If not
	// provided the service will provide a default set of key operations. Note that if you
	// provide an empty array, all key operations will be disabled.
	KeyOps *KeyOperations `json:"key_ops,omitempty"`
	// State of the agreed key
	State *SobjectState `json:"state,omitempty"`
	// If set to true, the resulting key will be transient.
	Transient *bool `json:"transient,omitempty"`
}

Request body to perform key agreement.

type Algorithm

// Algorithm identifies a cryptographic algorithm; the supported values are
// the Algorithm* constants.
type Algorithm string

A cryptographic algorithm.

// Supported Algorithm values; the string is the wire form. DES and DES3 are
// legacy algorithms kept for compatibility; prefer AES for new keys.
const (
	AlgorithmAes        Algorithm = "AES"
	AlgorithmAria       Algorithm = "ARIA"
	AlgorithmDes        Algorithm = "DES"
	AlgorithmDes3       Algorithm = "DES3"
	AlgorithmSeed       Algorithm = "SEED"
	AlgorithmRsa        Algorithm = "RSA"
	AlgorithmDsa        Algorithm = "DSA"
	AlgorithmKcdsa      Algorithm = "KCDSA"
	AlgorithmEc         Algorithm = "EC"
	AlgorithmEcKcdsa    Algorithm = "ECKCDSA"
	AlgorithmBip32      Algorithm = "BIP32"
	AlgorithmBls        Algorithm = "BLS"
	AlgorithmLms        Algorithm = "LMS"
	AlgorithmHmac       Algorithm = "HMAC"
	AlgorithmLedaBeta   Algorithm = "LEDABETA"
	AlgorithmRound5Beta Algorithm = "ROUND5BETA"
	AlgorithmPbe        Algorithm = "PBE"
)

List of supported Algorithm values

type All added in v0.2.6

// All is a helper enum with a single variant, AllAll, indicating that
// something applies to an entire part. It exists mainly so that other
// untagged enums can be decoded unambiguously.
type All string

A helper enum with a single variant, All, which indicates that something should apply to an entire part. (This is here mainly to allow other untagged enums to work properly.)

// Supported All values (there is exactly one).
const (
	AllAll All = "all"
)

List of supported All values

type ApiPath added in v0.2.6

// ApiPath associates an API path and HTTP method with a TEP key context and
// key path. All fields are required in the JSON form.
type ApiPath struct {
	APIPath string          `json:"api_path"`
	Method  HyperHttpMethod `json:"method"`
	Context TepKeyContext   `json:"context"`
	KeyPath string          `json:"key_path"`
}

type App

// App is an application registered in an account, as returned by the
// service. Its authentication material is not part of this type; see
// AppCredential and AppCredentialResponse.
type App struct {
	// The id of the Account that this application belongs to.
	AcctID UUID `json:"acct_id"`
	// Unique id to identify the application.
	AppID UUID `json:"app_id"`
	// The user-defined type of this application.
	AppType string `json:"app_type"`
	// The authentication mechanisms for an application.
	AuthType *AppAuthType `json:"auth_type,omitempty"`
	// Certificate expiration date.
	CertNotAfter *Time `json:"cert_not_after,omitempty"`
	// Client configurations that are set on the application level.
	// App level client configs override those set at group or account level.
	ClientConfigurations ClientConfigurations `json:"client_configurations"`
	// Timestamp when the application was created.
	CreatedAt Time `json:"created_at"`
	// Creator of this application.
	Creator Principal `json:"creator"`
	// The default group an application belongs to.
	DefaultGroup *UUID `json:"default_group,omitempty"`
	// Description of this application.
	Description *string `json:"description,omitempty"`
	// Whether this application is enabled.
	Enabled bool `json:"enabled"`
	// Mapping for all groups an application is part of and the permissions it has within each of those groups.
	Groups AppGroups `json:"groups"`
	// Interface used with this application (PKCS11, CNG, JCE, KMIP, etc).
	Interface *string `json:"interface,omitempty"`
	// The IPs that are allowed for an application. ipv4 or ipv6 both are acceptable types.
	IpAddressPolicy IpAddressPolicy           `json:"ip_address_policy"`
	LastOperations  LastAppOperationTimestamp `json:"last_operations"`
	// Timestamp when the application was most recently used.
	LastusedAt *Time `json:"lastused_at,omitempty"`
	// If a requester is updating an App or retrieving its credentials,
	// they must have the relevant permissions in all Groups that App has access to.
	// But for legacy Apps, requester is required to have relevant permissions
	// in any of the groups that App has access to.
	LegacyAccess bool `json:"legacy_access"`
	// Name of this application, which must be unique within an account.
	Name string `json:"name"`
	// OAuth settings for an app. If enabled, an app can request to act on behalf of a user.
	OauthConfig *AppOauthConfig `json:"oauth_config,omitempty"`
	// Application's role.
	Role AppRole `json:"role"`
}

type AppAuthType

// AppAuthType names the authentication method of an app. Each value
// corresponds to one variant of AppCredential.
type AppAuthType string

Authentication method of an app.

// Supported AppAuthType values; the string is the wire form.
const (
	AppAuthTypeSecret               AppAuthType = "Secret"
	AppAuthTypeCertificate          AppAuthType = "Certificate"
	AppAuthTypeTrustedCa            AppAuthType = "TrustedCa"
	AppAuthTypeGoogleServiceAccount AppAuthType = "GoogleServiceAccount"
	AppAuthTypeSignedJwt            AppAuthType = "SignedJwt"
	AppAuthTypeLdap                 AppAuthType = "Ldap"
	AppAuthTypeAwsIam               AppAuthType = "AwsIam"
	AppAuthTypeAwsXks               AppAuthType = "AwsXks"
	AppAuthTypeGoogleWorkspaceCSE   AppAuthType = "GoogleWorkspaceCSE"
)

List of supported AppAuthType values

type AppCredential

// AppCredential holds an app's authentication mechanism. It is shaped as a
// union: presumably exactly one of the pointer fields is set, matching the
// app's AppAuthType. The fields carry no json tags; MarshalJSON and
// UnmarshalJSON handle the wire encoding. Secret and AwsXks contain secret
// material and should not be logged.
type AppCredential struct {
	// Authenticating credentials of an App.
	Secret *string
	// PKI Certificate based authentication.
	Certificate *Blob
	// PKI certificate with Trusted CA based authentication.
	TrustedCa *TrustAnchor
	// An App's service account for communicating with Google APIs and Cloud. Google OAuth 2.0
	GoogleServiceAccount *AppCredentialGoogleServiceAccount
	// Authentication using a signed JWT directly as a bearer token.
	SignedJwt *AppCredentialSignedJwt
	// LDAP credentials of an App used for authentication.
	Ldap *UUID
	// Sign-in credentials to authenticate with AWS for its services and resources.
	AwsIam *struct{}
	// SigV4 credentials used for AWS XKS APIs
	AwsXks             *AppCredentialAwsXks
	GoogleWorkspaceCse *struct{}
}

App authentication mechanisms.

func (AppCredential) MarshalJSON

func (x AppCredential) MarshalJSON() ([]byte, error)

func (*AppCredential) UnmarshalJSON

func (x *AppCredential) UnmarshalJSON(data []byte) error

type AppCredentialAwsXks added in v0.2.6

// AppCredentialAwsXks holds the SigV4 credential pair used for AWS XKS APIs.
// SecretKey is the secret half of the pair: treat it as sensitive and keep
// it out of logs and error messages.
type AppCredentialAwsXks struct {
	AccessKeyID *string `json:"access_key_id,omitempty"`
	SecretKey   *string `json:"secret_key,omitempty"`
}

SigV4 credentials used for AWS XKS APIs

type AppCredentialGoogleServiceAccount added in v0.2.5

// AppCredentialGoogleServiceAccount describes an App's service account for
// communicating with Google APIs and Cloud (Google OAuth 2.0). Both fields
// are optional.
type AppCredentialGoogleServiceAccount struct {
	// Policy specifying acceptable access reasons.
	AccessReasonPolicy *GoogleAccessReasonPolicy `json:"access_reason_policy,omitempty"`
	// Mapping for all groups an application is part of and the Gcp specific permissions it has within each of those groups.
	Groups *map[UUID]GcpAppPermissions `json:"groups,omitempty"`
}

An App's service account for communicating with Google APIs and Cloud. Google OAuth 2.0

type AppCredentialResponse

// AppCredentialResponse is the app credential response. Credential may
// contain secret material; PreviousCredential, when present, is a credential
// that has been rotated out but may still authenticate during the
// transitional period, so handle both with the same care.
type AppCredentialResponse struct {
	// Unique identifier of the App.
	AppID UUID `json:"app_id"`
	// Credential of an App which determine the App authentication mechanisms.
	Credential AppCredential `json:"credential"`
	// Expired app-credentials that may be valid during transitional period.
	PreviousCredential *PreviousCredential `json:"previous_credential,omitempty"`
}

App credential response.

type AppCredentialSignedJwt

// AppCredentialSignedJwt configures authentication with a signed JWT used
// directly as a bearer token. ValidIssuers are presumably the accepted
// issuer values and SigningKeys the keys trusted to verify the signature —
// confirm against the service documentation. Both together form the trust
// anchor for this app, so keep the lists as narrow as possible.
type AppCredentialSignedJwt struct {
	ValidIssuers []string       `json:"valid_issuers"`
	SigningKeys  JwtSigningKeys `json:"signing_keys"`
}

Authentication using a signed JWT directly as a bearer token.

type AppCreditsUsage added in v0.2.6

// AppCreditsUsage reports per-category app credit usage. The exact meaning
// of each counter is not visible here — presumably the number of apps (or
// credits consumed) in that category; confirm against the service.
type AppCreditsUsage struct {
	Generic            uint32 `json:"generic"`
	Tokenization       uint32 `json:"tokenization"`
	Tep                uint32 `json:"tep"`
	Accelerator        uint32 `json:"accelerator"`
	SecretsManagement  uint32 `json:"secrets_management"`
	AwsCloudAccounts   uint32 `json:"aws_cloud_accounts"`
	AzureCloudAccounts uint32 `json:"azure_cloud_accounts"`
}

type AppGroups

// AppGroups maps each group an app belongs to to the permissions granted to
// the app in that group; a nil value means the permissions were not
// requested or not specified. It has custom MarshalJSON/UnmarshalJSON
// methods.
type AppGroups map[UUID]*AppPermissions

AppGroups contains the set of groups an app belongs to and, optionally, the permissions granted to the app in each group. To get information about the app permissions in each group, set `GroupPermissions` to true in GetAppParams/ListAppsParams when making app-related requests. When creating a new app, always specify the desired permissions for each group.

func (AppGroups) MarshalJSON

func (a AppGroups) MarshalJSON() ([]byte, error)

MarshalJSON implements JSON marshalling for AppGroups

func (*AppGroups) UnmarshalJSON

func (a *AppGroups) UnmarshalJSON(data []byte) error

UnmarshalJSON implements JSON unmarshalling for AppGroups

type AppOauthConfig

// AppOauthConfig holds the OAuth settings for an app. It is shaped as a
// union of Enabled (with settings) and Disabled (a marker with no payload);
// MarshalJSON and UnmarshalJSON handle the wire encoding. When enabled, the
// app can request to act on behalf of a user.
type AppOauthConfig struct {
	Enabled  *AppOauthConfigEnabled
	Disabled *struct{}
}

OAuth settings for an app. If enabled, an app can request to act on behalf of a user.

func (AppOauthConfig) MarshalJSON

func (x AppOauthConfig) MarshalJSON() ([]byte, error)

func (*AppOauthConfig) UnmarshalJSON

func (x *AppOauthConfig) UnmarshalJSON(data []byte) error

type AppOauthConfigEnabled

// AppOauthConfigEnabled carries the settings of an OAuth-enabled app.
// RedirectUris are the redirect URIs registered for the app; whether the
// service matches them exactly or by prefix is not visible here — confirm,
// and register only URIs you control.
type AppOauthConfigEnabled struct {
	RedirectUris []string `json:"redirect_uris"`
}

type AppPermissions

// AppPermissions is a bit set of operations an app may perform in a group.
// Combine the AppPermissions* constants with bitwise OR; MarshalJSON and
// UnmarshalJSON exchange the bit set with the API's array-of-strings form.
type AppPermissions uint64

Operations allowed to be performed by an app.

// App permission bits. Each constant occupies one bit (1 << iota), so a
// permission set is the bitwise OR of the constants it holds.
const (
	AppPermissionsSign AppPermissions = 1 << iota
	AppPermissionsVerify
	AppPermissionsEncrypt
	AppPermissionsDecrypt
	AppPermissionsWrapkey
	AppPermissionsUnwrapkey
	AppPermissionsDerivekey
	AppPermissionsMacgenerate
	AppPermissionsMacverify
	// NOTE(review): presumably permits exporting security object material;
	// grant only where an export is actually required.
	AppPermissionsExport
	AppPermissionsManage
	AppPermissionsAgreekey
	AppPermissionsMaskdecrypt
	AppPermissionsAudit
	AppPermissionsTransform
	AppPermissionsCreateSobjects
	AppPermissionsCopySobjects
	AppPermissionsRotateSobjects
	AppPermissionsActivateSobjects
	AppPermissionsRevokeSobjects
	AppPermissionsRevertSobjects
	AppPermissionsMoveSobjects
	AppPermissionsUpdateSobjectsProfile
	AppPermissionsUpdateSobjectsEnabledState
	AppPermissionsUpdateSobjectPolicies
	AppPermissionsUpdateKeyOps
	AppPermissionsDeleteKeyMaterial
	AppPermissionsDeleteSobjects
	AppPermissionsDestroySobjects
	AppPermissionsRestoreExternalSobjects
	AppPermissionsCalculateDigest
)

List of supported AppPermissions values

func (AppPermissions) MarshalJSON

func (x AppPermissions) MarshalJSON() ([]byte, error)

MarshalJSON converts AppPermissions to an array of strings

func (*AppPermissions) UnmarshalJSON

func (x *AppPermissions) UnmarshalJSON(data []byte) error

UnmarshalJSON converts array of strings to AppPermissions

type AppRequest

// AppRequest describes an app to create or the changes to apply to an
// existing one. Every field is optional and omitted from the JSON body when
// nil. Credential may carry secret material.
type AppRequest struct {
	// Groups an application wants to be part of. Should belong to at least one.
	AddGroups *AppGroups `json:"add_groups,omitempty"`
	// The user-defined type of this application.
	AppType *string `json:"app_type,omitempty"`
	// Client configurations that are set on the application level.
	// App level client configs override those set at group or account level.
	ClientConfigurations *ClientConfigurationsRequest `json:"client_configurations,omitempty"`
	// Credential for an application which determine the App authentication mechanisms.
	Credential *AppCredential `json:"credential,omitempty"`
	// Migration period for which credentials (and their sessions) remain valid during api key regeneration.
	// A longer period extends the window in which the previous key still authenticates.
	CredentialMigrationPeriod *uint32 `json:"credential_migration_period,omitempty"`
	// The default group an application belongs to.
	DefaultGroup *UUID `json:"default_group,omitempty"`
	// Groups an application no longer needs to be a part of. Array of UUID of groups.
	DelGroups *[]UUID `json:"del_groups,omitempty"`
	// Description of this application.
	Description *string `json:"description,omitempty"`
	// Whether this application is enabled.
	Enabled *bool `json:"enabled,omitempty"`
	// Interface used with this application (PKCS11, CNG, JCE, KMIP, etc).
	Interface *string `json:"interface,omitempty"`
	// The IPs that are allowed for an application. ipv4 or ipv6 both are acceptable types.
	IpAddressPolicy *IpAddressPolicy `json:"ip_address_policy,omitempty"`
	// Modify the permissions an application has in the groups it belongs to.
	ModGroups *AppGroups `json:"mod_groups,omitempty"`
	// Name of this application, which must be unique within an account.
	Name *string `json:"name,omitempty"`
	// OAuth settings for an app. If enabled, an app can request to act on behalf of a user.
	OauthConfig *AppOauthConfig `json:"oauth_config,omitempty"`
	// Application's role.
	Role *AppRole `json:"role,omitempty"`
	// Size in bytes of app's secret. The service's minimum is not visible
	// here; do not choose small values.
	SecretSize *uint32 `json:"secret_size,omitempty"`
}

type AppResetSecretRequest

// AppResetSecretRequest is the request body for resetting an app's secret.
type AppResetSecretRequest struct {
	// Size of app's secret in bytes.
	SecretSize *uint32 `json:"secret_size,omitempty"`
	// Time until which previous credentials(or its sessions)
	// will not be invalidated as the API key gets regenerated.
	//
	// The old key therefore keeps working for this period; when the reset is
	// done to retire a key that may be exposed, keep the period short.
	CredentialMigrationPeriod *uint32 `json:"credential_migration_period,omitempty"`
}

Request for resetting the app secret.

type AppRole added in v0.2.6

// AppRole is an app's role. See the AppRole constants for the supported values.
type AppRole string

App's role.

// List of supported AppRole values.
const (
	// Can perform similar actions to an account admin user, but not crypto ops.
	AppRoleAdmin AppRole = "admin"
	// Can perform crypto ops
	AppRoleCrypto AppRole = "crypto"
)

List of supported AppRole values

type AppSort

// AppSort sorts apps as per the given ordering.
type AppSort struct {
	// Sort apps on the basis of their app_id.
	//
	// NOTE(review): there is no json tag here, so encoding/json would use the
	// key "ByAppID" unless a custom marshaller exists elsewhere — confirm.
	ByAppID *AppSortByAppId
}

Sort apps as per given ordering.

type AppSortByAppId

// AppSortByAppId sorts apps on the basis of their app_id.
type AppSortByAppId struct {
	// Ascending or Descending order.
	Order Order `json:"order"`
	// Starting from a particular app_id.
	Start *UUID `json:"start,omitempty"`
}

Sort apps on the basis of their app_id.

type ApprovableResult

// ApprovableResult is the result of an operation performed through approval
// requests. It is populated via UnmarshalJSON and decoded with Parse.
type ApprovableResult struct {
	// contains filtered or unexported fields
}

ApprovableResult is the result of an operation performed through approval requests

func (*ApprovableResult) Parse

func (a *ApprovableResult) Parse(successResult interface{}) error

Parse the operation result

func (*ApprovableResult) UnmarshalJSON

func (a *ApprovableResult) UnmarshalJSON(data []byte) error

UnmarshalJSON implements JSON unmarshalling for ApprovableResult

type ApprovalAuthConfig

// ApprovalAuthConfig holds the authentication requirements for approval
// request reviewers.
type ApprovalAuthConfig struct {
	// Whether reviewers must re-enter their password to approve.
	RequirePassword *bool `json:"require_password,omitempty"`
	// Whether reviewers must complete a second factor to approve.
	Require2fa      *bool `json:"require_2fa,omitempty"`
}

Authentication requirements for approval request reviewers.

type ApprovalRequest

// ApprovalRequest describes an approval request and its review state.
type ApprovalRequest struct {
	AcctID       UUID                `json:"acct_id"`
	Approvers    []ReviewerPrincipal `json:"approvers"`
	// Operation-specific payload; decoded as generic JSON.
	Body         interface{}         `json:"body,omitempty"`
	CreatedAt    Time                `json:"created_at"`
	DenialReason *string             `json:"denial_reason,omitempty"`
	Denier       *ReviewerPrincipal  `json:"denier,omitempty"`
	Description  *string             `json:"description,omitempty"`
	Expiry       Time                `json:"expiry"`
	Method       string              `json:"method"`
	Operation    string              `json:"operation"`
	RequestID    UUID                `json:"request_id"`
	Requester    Principal           `json:"requester"`
	ResultViewed bool                `json:"result_viewed"`
	Reviewers    *[]Reviewer         `json:"reviewers,omitempty"`
	Status       ApprovalStatus      `json:"status"`
	Subjects     *[]ApprovalSubject  `json:"subjects,omitempty"`
}

type ApprovalRequestRequest

// ApprovalRequestRequest is the request body for creating an approval request.
type ApprovalRequestRequest struct {
	// Operation-specific payload; passed through as generic JSON.
	Body        interface{} `json:"body,omitempty"`
	Description *string     `json:"description,omitempty"`
	Method      *string     `json:"method,omitempty"`
	Operation   *string     `json:"operation,omitempty"`
}

type ApprovalRequestSettings added in v0.2.6

// ApprovalRequestSettings holds settings that apply to quorum approval requests.
type ApprovalRequestSettings struct {
	// The number of seconds after which an approval request expires. If not
	// specified, the cluster-wide setting will be used (30 days by default).
	//
	// Upon creation, an approval request's expiry date is (time of creation +
	// expiry period). However, when the request is approved by all its approvers,
	// its expiry date will be changed to (time of approval + expiry period).
	ApprovalRequestExpiry *uint64 `json:"approval_request_expiry,omitempty"`
	// Whether or not expired approval requests should be kept. (Obviously, any
	// pending requests that have expired are no longer actionable!)
	//
	// This is only applicable for onprem clusters; the field is ignored in SaaS
	// environments.
	RetainExpiredRequests *bool `json:"retain_expired_requests,omitempty"`
	// Whether or not expiry of pending approval requests should be audit logged.
	//
	// This is only applicable for onprem clusters; the field is ignored in SaaS
	// environments.
	LogExpiredPendingRequests *bool `json:"log_expired_pending_requests,omitempty"`
}

Settings that apply to quorum approval requests.

type ApprovalRequestSettingsRequest added in v0.2.6

// ApprovalRequestSettingsRequest is the request body for modifying settings
// that apply to quorum approval requests.
type ApprovalRequestSettingsRequest struct {
	// The number of seconds after which an approval request expires. Changing this
	// setting will not change the expiry of existing approval requests, but it may
	// still affect the "updated" expiry period assigned to existing requests upon
	// their approval (see below for details).
	//
	// Upon creation, an approval request's expiry date is (time of creation +
	// expiry period). However, when the request is approved by all its approvers,
	// its expiry date will be changed to (time of approval + expiry period).
	ApprovalRequestExpiry *uint64 `json:"approval_request_expiry,omitempty"`
	// Whether or not expired approval requests should be kept. (Obviously, any
	// pending requests that have expired are no longer actionable!)
	//
	// This is only applicable for onprem clusters; the field is ignored in SaaS
	// environments.
	RetainExpiredRequests *bool `json:"retain_expired_requests,omitempty"`
	// Whether or not expiry of pending approval requests should be audit logged.
	// Changing this setting will not retroactively apply to existing expired
	// approval requests.
	//
	// This is only applicable for onprem clusters; the field is ignored in SaaS
	// environments.
	LogExpiredPendingRequests *bool `json:"log_expired_pending_requests,omitempty"`
}

A request struct for modifying settings that apply to quorum approval requests.

type ApprovalStatus

// ApprovalStatus is an approval request's status. See the ApprovalStatus
// constants for the supported values.
type ApprovalStatus string

Approval request status.

// List of supported ApprovalStatus values.
const (
	ApprovalStatusPending  ApprovalStatus = "PENDING"
	ApprovalStatusApproved ApprovalStatus = "APPROVED"
	ApprovalStatusDenied   ApprovalStatus = "DENIED"
	ApprovalStatusFailed   ApprovalStatus = "FAILED"
)

List of supported ApprovalStatus values

type ApprovalSubject

// ApprovalSubject identifies an object acted upon by an approval request.
//
// The fields carry no json tags; encoding is handled by the custom
// MarshalJSON/UnmarshalJSON methods. Presumably exactly one field is set
// at a time — confirm against the marshaller.
type ApprovalSubject struct {
	Group      *UUID
	Sobject    *UUID
	App        *UUID
	Plugin     *UUID
	Account    *UUID
	NewAccount *struct{}
	Role       *UUID
}

Identifies an object acted upon by an approval request.

func (ApprovalSubject) MarshalJSON

func (x ApprovalSubject) MarshalJSON() ([]byte, error)

func (*ApprovalSubject) UnmarshalJSON

func (x *ApprovalSubject) UnmarshalJSON(data []byte) error

type ApproveRequest

// ApproveRequest is the request body for approving an approval request.
// It may carry a password and second-factor assertions; keep instances out
// of logs and debug output.
type ApproveRequest struct {
	// Password is required if the approval policy requires password authentication.
	Password *string `json:"password,omitempty"`
	// U2F assertion is required if the approval policy requires two factor authentication.
	U2f *U2fAuthRequest `json:"u2f,omitempty"`
	// FIDO2 assertion is required if the approval policy requires two factor authentication.
	Fido2AuthRequest *PublicKeyCredentialAuthenticatorAssertionResponse `json:"fido2_auth_request,omitempty"`
	// Data associated with the approval
	Body interface{} `json:"body,omitempty"`
}

type AriaOptions added in v0.2.6

// AriaOptions holds ARIA cipher options: permitted key sizes, tag and IV
// lengths, the cipher mode, and whether the IV is generated randomly.
type AriaOptions struct {
	KeySizes   *[]uint32   `json:"key_sizes,omitempty"`
	TagLength  *uint8      `json:"tag_length,omitempty"`
	CipherMode *CipherMode `json:"cipher_mode,omitempty"`
	RandomIv   *bool       `json:"random_iv,omitempty"`
	IvLength   *uint8      `json:"iv_length,omitempty"`
}

type AttestationConveyancePreference added in v0.2.6

// AttestationConveyancePreference specifies how a WebAuthn attestation should
// be conveyed to the relying party. See the constants for the supported values.
//
// <https://www.w3.org/TR/webauthn-2/#enum-attestation-convey>
type AttestationConveyancePreference string

<https://www.w3.org/TR/webauthn-2/#enum-attestation-convey> <https://www.w3.org/TR/webauthn-2/#sctn-attestation>

If you really want to understand attestation, read the following:

<https://fidoalliance.org/fido-technotes-the-truth-about-attestation/>
<https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651>

This enum only specifies how the attestation should be conveyed to the RP. See the documentation of the individual variants for the various ways.

// List of supported AttestationConveyancePreference values.
const (
	// When RP is not interested in attestation. In this case,
	// attestation statement is None and RP can't identify the
	// device.
	//
	// <https://www.w3.org/TR/webauthn-2/#sctn-none-attestation>
	//
	// This maybe good for UX as attestation may need user consent.
	AttestationConveyancePreferenceNone AttestationConveyancePreference = "none"
	// RP prefers getting attestation statement but allows client
	// to decide how to obtain it. (e.g., client may replace
	// authenticator generated statement with [Anonymization CA])
	//
	// [Anonymization CA]: <https://www.w3.org/TR/webauthn-2/#anonymization-ca>
	AttestationConveyancePreferenceIndirect AttestationConveyancePreference = "indirect"
	// RP wants attestation statement as generated by the authenticator.
	AttestationConveyancePreferenceDirect AttestationConveyancePreference = "direct"
	// RP wants attestation statement which can uniquely identify
	// the authenticator. Generally meant for enterprise use.
	// See spec for more info.
	AttestationConveyancePreferenceEnterprise AttestationConveyancePreference = "enterprise"
)

List of supported AttestationConveyancePreference values

type AuditLogTime added in v0.2.6

// AuditLogTime is a time.Time with its own JSON encoding, implemented by the
// MarshalJSON and UnmarshalJSON methods.
type AuditLogTime time.Time

func (AuditLogTime) MarshalJSON added in v0.2.6

func (t AuditLogTime) MarshalJSON() ([]byte, error)

func (*AuditLogTime) UnmarshalJSON added in v0.2.6

func (t *AuditLogTime) UnmarshalJSON(data []byte) (err error)

type AuthConfig

// AuthConfig holds account authentication settings, one optional entry per
// supported mechanism. Ldap is keyed by IdP UUID.
type AuthConfig struct {
	Password  *AuthConfigPassword      `json:"password,omitempty"`
	Saml      *string                  `json:"saml,omitempty"`
	Oauth     *AuthConfigOauth         `json:"oauth,omitempty"`
	Ldap      *map[UUID]AuthConfigLdap `json:"ldap,omitempty"`
	SignedJwt *AuthConfigSignedJwt     `json:"signed_jwt,omitempty"`
	Vcd       *AuthConfigVcd           `json:"vcd,omitempty"`
}

Account authentication settings.

type AuthConfigLdap

// AuthConfigLdap holds LDAP authentication settings for one IdP.
type AuthConfigLdap struct {
	Name            string                   `json:"name"`
	IconURL         string                   `json:"icon_url"`
	LdapURL         string                   `json:"ldap_url"`
	DnResolution    LdapDnResolution         `json:"dn_resolution"`
	// TLS settings for the connection to LdapURL.
	TLS             TlsConfig                `json:"tls"`
	BaseDn          *string                  `json:"base_dn,omitempty"`
	UserObjectClass *string                  `json:"user_object_class,omitempty"`
	// Account used to bind to the directory; presumably carries a credential
	// and should be treated as sensitive.
	ServiceAccount  *LdapServiceAccount      `json:"service_account,omitempty"`
	Authorization   *LdapAuthorizationConfig `json:"authorization,omitempty"`
}

LDAP authentication settings.

type AuthConfigOauth

// AuthConfigOauth holds OAuth single sign-on authentication settings.
type AuthConfigOauth struct {
	IdpName                  string    `json:"idp_name"`
	IdpIconURL               string    `json:"idp_icon_url"`
	IdpAuthorizationEndpoint string    `json:"idp_authorization_endpoint"`
	IdpTokenEndpoint         string    `json:"idp_token_endpoint"`
	IdpUserinfoEndpoint      *string   `json:"idp_userinfo_endpoint,omitempty"`
	// Whether the IdP expects client credentials via HTTP Basic auth rather
	// than in the request body — inferred from the name, confirm.
	IdpRequiresBasicAuth     bool      `json:"idp_requires_basic_auth"`
	// TLS settings for connections to the IdP endpoints.
	TLS                      TlsConfig `json:"tls"`
	ClientID                 string    `json:"client_id"`
	// OAuth client secret. Sensitive: keep it out of logs, error messages and
	// %+v dumps of this struct.
	ClientSecret             string    `json:"client_secret"`
	// Parameters to set when calling `idp_authorization_endpoint`
	AuthParams *OauthAuthenticationParameters `json:"auth_params,omitempty"`
}

OAuth single sign-on authentication settings.

type AuthConfigPassword

// AuthConfigPassword holds password authentication settings.
type AuthConfigPassword struct {
	// Whether password logins must also complete a second factor.
	Require2fa         bool `json:"require_2fa"`
	// Whether password login is limited to administrators.
	AdministratorsOnly bool `json:"administrators_only"`
}

Password authentication settings.

type AuthConfigSignedJwt

// AuthConfigSignedJwt holds signed JWT authentication settings.
type AuthConfigSignedJwt struct {
	// Issuers whose tokens are accepted; keep this list as narrow as possible.
	ValidIssuers []string       `json:"valid_issuers"`
	// Keys used to verify token signatures.
	SigningKeys  JwtSigningKeys `json:"signing_keys"`
}

Signed JWT authentication settings.

type AuthConfigVcd added in v0.2.6

// AuthConfigVcd holds VCD single sign-on authentication settings.
type AuthConfigVcd struct {
	IdpName                  string    `json:"idp_name"`
	IdpAuthorizationEndpoint string    `json:"idp_authorization_endpoint"`
	Org                      string    `json:"org"`
	// TLS settings for the connection to the IdP.
	TLS                      TlsConfig `json:"tls"`
}

Vcd single sign-on authentication settings.

type AuthDiscoverParams added in v0.2.6

// AuthDiscoverParams are the query parameters of an auth discovery request.
type AuthDiscoverParams struct {
	// The account for which the user wishes to discover authentication mechanisms.
	// Note that if specified, the user_email field in an AuthDiscoverRequest will
	// be ignored.
	AcctID *UUID `json:"acct_id,omitempty"`
}

type AuthDiscoverRequest added in v0.2.6

// AuthDiscoverRequest is the body of an auth discovery request.
type AuthDiscoverRequest struct {
	// The email of the user wishing to log in. If the auth discovery
	// request also includes an acct_id query parameter, this field
	// will be effectively ignored.
	UserEmail *string `json:"user_email,omitempty"`
}

type AuthMethod added in v0.2.6

// AuthMethod describes one authentication mechanism offered to a user.
//
// The fields carry no json tags; encoding is handled by the custom
// MarshalJSON/UnmarshalJSON methods. Presumably exactly one field is set —
// confirm against the marshaller.
type AuthMethod struct {
	Password           *struct{}
	SamlPost           *AuthMethodSamlPost
	OauthAuthCodeGrant *AuthMethodOauthAuthCodeGrant
	LdapPassword       *AuthMethodLdapPassword
	Vcd                *AuthMethodVcd
}

func (AuthMethod) MarshalJSON added in v0.2.6

func (x AuthMethod) MarshalJSON() ([]byte, error)

func (*AuthMethod) UnmarshalJSON added in v0.2.6

func (x *AuthMethod) UnmarshalJSON(data []byte) error

type AuthMethodLdapPassword added in v0.2.6

// AuthMethodLdapPassword describes an LDAP password login option.
type AuthMethodLdapPassword struct {
	Name    string `json:"name"`
	IconURL string `json:"icon_url"`
	IdpID   Blob   `json:"idp_id"`
}

type AuthMethodOauthAuthCodeGrant added in v0.2.6

// AuthMethodOauthAuthCodeGrant describes an OAuth authorization-code login
// option.
type AuthMethodOauthAuthCodeGrant struct {
	Name             string                        `json:"name"`
	IconURL          string                        `json:"icon_url"`
	AuthorizationURL string                        `json:"authorization_url"`
	ClientID         string                        `json:"client_id"`
	RedirectURI      string                        `json:"redirect_uri"`
	// Presumably the OAuth `state` value that must be echoed back on the
	// redirect; clients should send it unchanged — confirm.
	State            string                        `json:"state"`
	IdpID            Blob                          `json:"idp_id"`
	AuthParams       OauthAuthenticationParameters `json:"auth_params"`
}

type AuthMethodSamlPost added in v0.2.6

// AuthMethodSamlPost describes a SAML (HTTP-POST binding) login option.
type AuthMethodSamlPost struct {
	Name         string `json:"name"`
	IconURL      string `json:"icon_url"`
	ID           string `json:"id"`
	BindingURL   string `json:"binding_url"`
	AuthnRequest string `json:"authn_request"`
	IdpID        Blob   `json:"idp_id"`
}

type AuthMethodVcd added in v0.2.6

// AuthMethodVcd describes a VCD login option.
type AuthMethodVcd struct {
	Name             string `json:"name"`
	AuthorizationURL string `json:"authorization_url"`
	IdpID            Blob   `json:"idp_id"`
}

type AuthRequest added in v0.2.6

// AuthRequest is the body of a login request. Most variants carry a
// credential; keep instances out of logs and debug output.
//
// The fields carry no json tags; encoding is handled by the custom
// MarshalJSON/UnmarshalJSON methods. Presumably exactly one field is set —
// confirm against the marshaller.
type AuthRequest struct {
	SamlResponse  *AuthRequestSamlResponse
	OauthAuthCode *OauthCodeData
	LdapBasicAuth *AuthRequestLdapBasicAuth
	AuthByAppName *AuthRequestAuthByAppName
	AwsIam        *AuthRequestAwsIam
	// Login using a DSM user password and, optionally, a captcha. This is useful
	// for situations where a user is locked out of their DSM account, and wants to
	// become unlocked.
	Password *AuthRequestPassword
}

func (AuthRequest) MarshalJSON added in v0.2.6

func (x AuthRequest) MarshalJSON() ([]byte, error)

func (*AuthRequest) UnmarshalJSON added in v0.2.6

func (x *AuthRequest) UnmarshalJSON(data []byte) error

type AuthRequestAuthByAppName added in v0.2.6

// AuthRequestAuthByAppName authenticates an app by account, name and password.
type AuthRequestAuthByAppName struct {
	AcctID   UUID   `json:"acct_id"`
	Name     string `json:"name"`
	// Sensitive: keep out of logs and error messages.
	Password string `json:"password"`
}

type AuthRequestAwsIam added in v0.2.6

// AuthRequestAwsIam authenticates using AWS IAM.
type AuthRequestAwsIam struct {
	AcctID  UUID              `json:"acct_id"`
	Region  string            `json:"region"`
	// Request headers forwarded for verification — presumably the signed
	// headers of an STS request; treat as sensitive. Confirm with the server docs.
	Headers map[string]string `json:"headers"`
}

type AuthRequestLdapBasicAuth added in v0.2.6

// AuthRequestLdapBasicAuth authenticates a user against an LDAP IdP with
// email and password.
type AuthRequestLdapBasicAuth struct {
	IdpID    Blob   `json:"idp_id"`
	Email    string `json:"email"`
	// Sensitive: keep out of logs and error messages.
	Password string `json:"password"`
	// The account where the IdP is configured. This should
	// only be used if attempting to self-provision into the
	// account. (Self-provisioning may not be possible for
	// existing users; they may need to be manually invited
	// into the account.)
	AcctID *UUID `json:"acct_id,omitempty"`
}

type AuthRequestPassword added in v0.2.6

// AuthRequestPassword logs in using a DSM user password and, optionally, a
// captcha. This is useful for situations where a user is locked out of their
// DSM account, and wants to become unlocked.
type AuthRequestPassword struct {
	// The user's email.
	Email string `json:"email"`
	// The user's password. Sensitive: keep out of logs and error messages.
	Password string `json:"password"`
	// The response token after solving a reCAPTCHA successfully.
	RecaptchaResponse *string `json:"recaptcha_response,omitempty"`
}

Login using a DSM user password and, optionally, a captcha. This is useful for situations where a user is locked out of their DSM account, and wants to become unlocked.

type AuthRequestSamlResponse added in v0.2.6

// AuthRequestSamlResponse authenticates with a SAML response from the IdP.
type AuthRequestSamlResponse struct {
	ID       *string `json:"id,omitempty"`
	Response string  `json:"response"`
}

type AuthResponse added in v0.2.6

// AuthResponse is the response to a login request.
type AuthResponse struct {
	TokenType   string                   `json:"token_type"`
	// Token lifetime (units not stated here; presumably seconds — confirm).
	ExpiresIn   uint32                   `json:"expires_in"`
	// Session token. Sensitive: keep out of logs and debug output.
	AccessToken string                   `json:"access_token"`
	EntityID    UUID                     `json:"entity_id"`
	// Present when a U2F second factor is still required for this session.
	Challenge   *U2fMfaChallengeResponse `json:"challenge,omitempty"`
	// Its presence indicates that 2FA is required for this
	// session and contains response that should be used with
	// `navigator.credentials.get()`
	Fido2AssertionOptions *PublicKeyCredentialRequestOptions `json:"fido2_assertion_options,omitempty"`
	AllowedMfaMethods     *[]MfaAuthMethod                   `json:"allowed_mfa_methods,omitempty"`
}

type AuthenticationExtensionsClientInputs added in v0.2.6

// AuthenticationExtensionsClientInputs holds WebAuthn extension inputs. For
// every extension input, an output must be returned if the input was
// considered.
//
// https://www.w3.org/TR/webauthn-2/#dictdef-authenticationextensionsclientinputs
type AuthenticationExtensionsClientInputs struct {
	// This extension excludes authenticators during registration
	// based on legacy u2f key handles specified in "excludeCredentials".
	// If that key handle was created with that device, it is excluded.
	//
	// https://www.w3.org/TR/webauthn-2/#sctn-appid-exclude-extension
	AppidExclude *string `json:"appidExclude,omitempty"`
	// This extension allows RPs that have previously registered a cred
	// using legacy U2F APIs to request an assertion.
	//
	// https://www.w3.org/TR/webauthn-2/#sctn-appid-extension
	Appid *string `json:"appid,omitempty"`
	// Dummy extension used by conformance tests
	Example *bool `json:"example.extension.bool,omitempty"`
}

Extensions for webauthn. For every extension input, an output must be returned if the input was considered.

https://www.w3.org/TR/webauthn-2/#dictdef-authenticationextensionsclientinputs

type AuthenticationExtensionsClientOutputs added in v0.2.6

// AuthenticationExtensionsClientOutputs is the response to extension inputs.
// For every input, an output must be returned if the input was considered.
//
// <https://www.w3.org/TR/webauthn-2/#iface-authentication-extensions-client-outputs>
type AuthenticationExtensionsClientOutputs struct {
	// Response of `appidExclude` extension.
	// See [AuthenticationExtensionsClientInputs::appid_exclude].
	AppidExclude *bool `json:"appidExclude,omitempty"`
	// Response of `appid` extension.
	// See [AuthenticationExtensionsClientInputs::appid].
	Appid *bool `json:"appid,omitempty"`
}

This is the response of extension inputs. For every input, an output must be returned if the input was considered.

<https://www.w3.org/TR/webauthn-2/#iface-authentication-extensions-client-outputs>

type AuthenticationResponse

// AuthenticationResponse is the response returned by AuthenticateWith* APIs.
type AuthenticationResponse struct {
	ExpiresIn   int32  `json:"expires_in"`
	// Session token. Sensitive: keep out of logs and debug output.
	AccessToken string `json:"access_token"`
	EntityID    string `json:"entity_id"`
}

AuthenticationResponse is the response returned by AuthenticateWith* APIs

type AuthenticatorAssertionResponse added in v0.2.6

// AuthenticatorAssertionResponse is the authenticator's response to an
// assertion (login) request.
//
// <https://www.w3.org/TR/webauthn-2/#iface-authenticatorassertionresponse>
type AuthenticatorAssertionResponse struct {
	// Base64url of client_data in JSON format.
	ClientDataJson Base64UrlSafe `json:"clientDataJSON"`
	// Data returned by authenticator.
	// <https://www.w3.org/TR/webauthn-2/#sctn-authenticator-data>
	AuthenticatorData Base64UrlSafe `json:"authenticatorData"`
	// Raw signature returned by authenticator.
	// <https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion>
	Signature Base64UrlSafe `json:"signature"`
	// Corresponds to [PublicKeyCredentialUserEntity::id] sent during
	// credential creation.
	UserHandle *Base64UrlSafe `json:"userHandle,omitempty"`
}

<https://www.w3.org/TR/webauthn-2/#iface-authenticatorassertionresponse>

type AuthenticatorAttachment added in v0.2.6

// AuthenticatorAttachment describes how an authenticator is attached to the
// client. See the constants for the supported values.
//
// <https://www.w3.org/TR/webauthn-2/#enumdef-authenticatorattachment>
type AuthenticatorAttachment string

<https://www.w3.org/TR/webauthn-2/#enumdef-authenticatorattachment>

// List of supported AuthenticatorAttachment values.
const (
	// An authenticator that is part of the client
	// device. Usually not removable from the client
	// device.
	AuthenticatorAttachmentPlatform AuthenticatorAttachment = "platform"
	// Authenticator that can be removed and used on various
	// devices via cross-platform transport protocols.
	AuthenticatorAttachmentCrossPlatform AuthenticatorAttachment = "cross-platform"
)

List of supported AuthenticatorAttachment values

type AuthenticatorAttestationResponse added in v0.2.6

// AuthenticatorAttestationResponse is the authenticator's response to a
// client's request for the creation of a new public key credential. It
// contains information about the new credential that can be used to identify
// it for later use, and metadata the relying party can use to assess the
// credential during registration.
//
// <https://www.w3.org/TR/webauthn-2/#iface-authenticatorattestationresponse>
type AuthenticatorAttestationResponse struct {
	// Base64url of [crate::fido2::models::CollectedClientData] in JSON form.
	ClientDataJson Base64UrlSafe `json:"clientDataJSON"`
	// Values obtained from `AuthenticatorAttestationResponse.getTransports()`.
	// Webauthn spec recommends RP to store it and use them along with
	// `allowCredentials` while authentication ceremony.
	GetTransports *[]AuthenticatorTransport `json:"getTransports,omitempty"`
	// Base64url of the attestation object.
	//
	// See in order:
	// <https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-attestationobject>
	// <https://www.w3.org/TR/webauthn-2/#sctn-attestation>
	// <https://www.w3.org/TR/webauthn-2/#sctn-defined-attestation-formats>
	//
	// Currently, only U2F is supported, others will be rejected.
	AttestationObject Base64UrlSafe `json:"attestationObject"`
}

This represents the authenticator's response to a client’s request for the creation of a new public key credential. It contains information about the new credential that can be used to identify it for later use, and metadata that can be used by the WebAuthn Relying Party to assess the characteristics of the credential during registration.

<https://www.w3.org/TR/webauthn-2/#iface-authenticatorattestationresponse>

type AuthenticatorSelectionCriteria added in v0.2.6

// AuthenticatorSelectionCriteria holds parameters for deciding which
// authenticators should be selected.
//
// <https://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselectioncriteria>
type AuthenticatorSelectionCriteria struct {
	// Kind of authenticator attachment: attached to the
	// client device or a roaming authenticator.
	// See type level doc for more info.
	AuthenticatorAttachment *AuthenticatorAttachment `json:"authenticatorAttachment,omitempty"`
	// Preference about creating resident keys or not.
	// See type level doc for more info.
	ResidentKey *ResidentKeyRequirement `json:"residentKey,omitempty"`
	// Exists for backcompat with webauthn level 1.
	// By default it is false and should be set to true
	// if `residentKey` is set to `required`.
	RequireResidentKey *bool `json:"requireResidentKey,omitempty"`
	// Authenticator should support user verification by
	// ways like pin code, biometrics, etc.
	UserVerification *UserVerificationRequirement `json:"userVerification,omitempty"`
}

Parameters for deciding which authenticators should be selected.

<https://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselectioncriteria>

type AuthenticatorTransport added in v0.2.6

// AuthenticatorTransport carries hints by the relying party on how the client
// should communicate with the authenticator. Encoding is handled by the
// custom MarshalJSON/UnmarshalJSON methods.
//
// https://www.w3.org/TR/webauthn-2/#enum-transport
type AuthenticatorTransport struct {
	// Values known to the spec and DSM.
	Known *AuthenticatorTransportInner
	// Unknown values are stored as spec asks to do so.
	// As per the spec level 3 (which is draft):
	//   "The values SHOULD be members of AuthenticatorTransport
	//   but Relying Parties SHOULD accept and store unknown values."
	// See `[[transports]]` in https://w3c.github.io/webauthn/#iface-authenticatorattestationresponse
	//
	// Level 2 also says that but is comparatively unclear:
	//   "The values SHOULD be members of AuthenticatorTransport but
	//   Relying Parties MUST ignore unknown values."
	// See `[[transports]]` in https://www.w3.org/TR/webauthn-2/#iface-authenticatorattestationresponse
	Unknown *string
}

Hints by relying party on how client should communicate with the authenticator.

https://www.w3.org/TR/webauthn-2/#enum-transport

func (AuthenticatorTransport) MarshalJSON added in v0.2.6

func (x AuthenticatorTransport) MarshalJSON() ([]byte, error)

func (*AuthenticatorTransport) UnmarshalJSON added in v0.2.6

func (x *AuthenticatorTransport) UnmarshalJSON(data []byte) error

type AuthenticatorTransportInner added in v0.2.6

// AuthenticatorTransportInner is a transport value known to the spec and DSM.
// See AuthenticatorTransport and the constants for the supported values.
type AuthenticatorTransportInner string

See AuthenticatorTransport type.

// List of supported AuthenticatorTransportInner values.
const (
	// Over removable USB.
	AuthenticatorTransportInnerUsb AuthenticatorTransportInner = "usb"
	// Over Near Field Communication (NFC).
	AuthenticatorTransportInnerNfc AuthenticatorTransportInner = "nfc"
	// Over Bluetooth Smart (Bluetooth Low Energy / BLE).
	AuthenticatorTransportInnerBle AuthenticatorTransportInner = "ble"
	// Indicates the respective authenticator is contacted using
	// a client device-specific transport, i.e., it is a platform
	// authenticator. These authenticators are not removable from
	// the client device.
	AuthenticatorTransportInnerInternal AuthenticatorTransportInner = "internal"
)

List of supported AuthenticatorTransportInner values

type Authorization

// Authorization provides an HTTP authorization header. Its methods are
// unexported, so only types in this package implement it.
type Authorization interface {
	// contains filtered or unexported methods
}

Authorization provides an HTTP authorization header

type AwsKmsInfo added in v0.2.6

// AwsKmsInfo holds information and properties of AWS KMS resources.
// Currently it only contains information specific to AWS multi-region keys.
type AwsKmsInfo struct {
	MultiRegion *AwsMultiRegionInfo `json:"multi_region,omitempty"`
}

Information and properties of AWS KMS resources. Currently, it only contains information specific to AWS multi region keys.

type AwsMultiRegionInfo added in v0.2.6

// AwsMultiRegionInfo describes properties of AWS multi-region keys.
// https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
type AwsMultiRegionInfo struct {
	// Specifies the type of multi region key to be
	// either a Primary key or a Replica key.
	MultiRegionKeyType AwsMultiRegionKeyType `json:"multi_region_key_type"`
	// Specifies a replica key's primary key ARN.
	PrimaryKeyArn *string `json:"primary_key_arn,omitempty"`
	// Specifies ARNs of a primary key's replicas.
	ReplicaKeyArns *[]string `json:"replica_key_arns,omitempty"`
}

This structure describes various properties of AWS multi-region keys. See https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html

type AwsMultiRegionKeyType added in v0.2.6

// AwsMultiRegionKeyType specifies the type of a multi-region key (primary or
// replica). See the constants for the supported values.
// https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#multi-region-concepts
type AwsMultiRegionKeyType string

Specifies the type of multi-Region key. See https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#multi-region-concepts

// List of supported AwsMultiRegionKeyType values.
const (
	AwsMultiRegionKeyTypePrimary AwsMultiRegionKeyType = "PRIMARY"
	AwsMultiRegionKeyTypeReplica AwsMultiRegionKeyType = "REPLICA"
)

List of supported AwsMultiRegionKeyType values

type AwsTemporaryCredentials added in v0.2.6

// AwsTemporaryCredentials are temporary credentials to be used for AWS KMS.
// Every field is a secret: keep instances out of logs and debug output.
type AwsTemporaryCredentials struct {
	AccessKey    string `json:"access_key"`
	SecretKey    string `json:"secret_key"`
	SessionToken string `json:"session_token"`
}

Temporary credentials to be used for AWS KMS.

type AwskmsRegion added in v0.2.6

// AwskmsRegion names an AWS region hosting KMS resources. See the constants
// for the supported values.
type AwskmsRegion string

AWS KMS resources are hosted in multiple locations world-wide, and each AWS Region is a separate geographic area. See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html

// List of supported AwskmsRegion values.
const (
	AwskmsRegionUsEast1      AwskmsRegion = "us-east-1"
	AwskmsRegionUsEast2      AwskmsRegion = "us-east-2"
	AwskmsRegionUsWest1      AwskmsRegion = "us-west-1"
	AwskmsRegionUsWest2      AwskmsRegion = "us-west-2"
	AwskmsRegionAfSouth1     AwskmsRegion = "af-south-1"
	AwskmsRegionApEast1      AwskmsRegion = "ap-east-1"
	AwskmsRegionApSoutheast3 AwskmsRegion = "ap-southeast-3"
	AwskmsRegionApSouth1     AwskmsRegion = "ap-south-1"
	AwskmsRegionApNortheast3 AwskmsRegion = "ap-northeast-3"
	AwskmsRegionApNortheast2 AwskmsRegion = "ap-northeast-2"
	AwskmsRegionApSoutheast1 AwskmsRegion = "ap-southeast-1"
	AwskmsRegionApSoutheast2 AwskmsRegion = "ap-southeast-2"
	AwskmsRegionApNortheast1 AwskmsRegion = "ap-northeast-1"
	AwskmsRegionCaCentral1   AwskmsRegion = "ca-central-1"
	AwskmsRegionEuCentral1   AwskmsRegion = "eu-central-1"
	AwskmsRegionEuWest1      AwskmsRegion = "eu-west-1"
	AwskmsRegionEuWest2      AwskmsRegion = "eu-west-2"
	AwskmsRegionEuSouth1     AwskmsRegion = "eu-south-1"
	AwskmsRegionEuWest3      AwskmsRegion = "eu-west-3"
	AwskmsRegionEuNorth1     AwskmsRegion = "eu-north-1"
	AwskmsRegionMeSouth1     AwskmsRegion = "me-south-1"
	AwskmsRegionSaEast1      AwskmsRegion = "sa-east-1"
	// GovCloud regions.
	AwskmsRegionUsGovEast1   AwskmsRegion = "us-gov-east-1"
	AwskmsRegionUsGovWest1   AwskmsRegion = "us-gov-west-1"
)

List of supported AwskmsRegion values

type AwskmsService added in v0.2.6

// AwskmsService specifies the AWS service endpoint flavor. See the constants
// for the supported values.
type AwskmsService string

Specifies the AWS service. Only `kms` is supported for now.

// List of supported AwskmsService values.
const (
	AwskmsServiceKms     AwskmsService = "kms"
	// FIPS endpoint variant.
	AwskmsServiceKmsFips AwskmsService = "kms-fips"
)

List of supported AwskmsService values

type AzureKeyVaultType added in v0.2.6

// AzureKeyVaultType is the Azure Key Vault SKU. See the constants for the
// supported values.
type AzureKeyVaultType string

// List of supported AzureKeyVaultType values.
const (
	AzureKeyVaultTypeStandard AzureKeyVaultType = "STANDARD"
	AzureKeyVaultTypePremium  AzureKeyVaultType = "PREMIUM"
	// Managed HSM.
	AzureKeyVaultTypeManaged  AzureKeyVaultType = "MANAGED"
)

List of supported AzureKeyVaultType values

type AzureServiceEndpoints added in v0.2.6

// AzureServiceEndpoints is the set of endpoints to use when connecting with
// Azure cloud. Only Azure global and Azure Government endpoints are
// supported, and they cannot be mixed together.
type AzureServiceEndpoints struct {
	// The API endpoint for managing Azure APIs and resources.
	Management string `json:"management"`
	// The API endpoint for Azure Key Vault (for Standard and Premium SKUs).
	KeyVault string `json:"key_vault"`
	// The API endpoint for Azure Key Vault Managed HSM.
	KeyVaultManagedHsm string `json:"key_vault_managed_hsm"`
	// The API endpoint for Azure AD (and authentication).
	Iam string `json:"iam"`
}

The set of endpoints to use when connecting with Azure cloud.

Today, only Azure global and Azure Government cloud endpoints are supported, and they cannot be mixed together. The Azure global endpoints are: `management`: management.azure.com; `key_vault`: vault.azure.net; `key_vault_managed_hsm`: managedhsm.azure.net; `iam`: login.microsoftonline.com.

The Azure Government endpoints are: `management`: management.usgovcloudapi.net; `key_vault`: vault.usgovcloudapi.net; `key_vault_managed_hsm`: managedhsm.usgovcloudapi.net; `iam`: login.microsoftonline.us.

(In the future, this restriction may be relaxed to support custom clouds.)

type BackendError

// BackendError is an error returned by the SDKMS backend. It implements
// error via its Error method.
type BackendError struct {
	// HTTP status code of the failed response.
	StatusCode int
	// Message supplied by the backend.
	Message    string
}

BackendError is an error returned by SDKMS backend

func (*BackendError) Error

func (e *BackendError) Error() string

type Base64UrlSafe added in v0.2.6

// Base64UrlSafe is a byte slice whose JSON form is base64url, implemented by
// the MarshalJSON and UnmarshalJSON methods.
type Base64UrlSafe []byte

func (Base64UrlSafe) MarshalJSON added in v0.2.6

func (x Base64UrlSafe) MarshalJSON() ([]byte, error)

func (Base64UrlSafe) UnmarshalJSON added in v0.2.6

func (x Base64UrlSafe) UnmarshalJSON(data []byte) error

type BasicAuth

// BasicAuth is used for user authentication.
type BasicAuth struct {
	Username string
	// Sensitive: keep out of logs and %+v dumps of this struct.
	Password string
}

BasicAuth is used for user authentication

type BatchExecutionType added in v0.3.4

// BatchExecutionType says how the items of a batch request are executed.
// See the constants for the supported values.
type BatchExecutionType string

// List of supported BatchExecutionType values.
const (
	BatchExecutionTypeSerial    BatchExecutionType = "Serial"
	BatchExecutionTypeUnordered BatchExecutionType = "Unordered"
)

List of supported BatchExecutionType values

type BatchRequest added in v0.3.4

// BatchRequest is either a nested batch or a single item. The fields carry no
// json tags; encoding is handled by the custom MarshalJSON/UnmarshalJSON
// methods.
type BatchRequest struct {
	Batch      *BatchRequestList
	SingleItem *BatchRequestItem
}

func (BatchRequest) MarshalJSON added in v0.3.4

func (x BatchRequest) MarshalJSON() ([]byte, error)

func (*BatchRequest) UnmarshalJSON added in v0.3.4

func (x *BatchRequest) UnmarshalJSON(data []byte) error

type BatchRequestItem added in v0.3.4

// BatchRequestItem is one operation within a batch request.
type BatchRequestItem struct {
	Method    string      `json:"method"`
	Operation string      `json:"operation"`
	// Operation-specific payload; passed through as generic JSON.
	Body      interface{} `json:"body,omitempty"`
}

type BatchRequestList added in v0.3.4

// BatchRequestList is a list of batch requests and how they are executed.
type BatchRequestList struct {
	BatchExecutionType BatchExecutionType `json:"batch_execution_type"`
	Items              []BatchRequest     `json:"items"`
}

type BatchResponse added in v0.3.4

// BatchResponse mirrors BatchRequest: either a nested list or a single
// object. Encoding is handled by the custom MarshalJSON/UnmarshalJSON methods.
type BatchResponse struct {
	Batch      *BatchResponseList
	SingleItem *BatchResponseObject
}

func (BatchResponse) MarshalJSON added in v0.3.4

func (x BatchResponse) MarshalJSON() ([]byte, error)

func (*BatchResponse) UnmarshalJSON added in v0.3.4

func (x *BatchResponse) UnmarshalJSON(data []byte) error

type BatchResponseList added in v0.3.4

// BatchResponseList is a list of batch responses.
type BatchResponseList struct {
	Items []BatchResponse `json:"items"`
}

type BatchResponseObject added in v0.3.4

// BatchResponseObject is the outcome of one batch item: a result, or a
// reason it was skipped. Encoding is handled by the custom
// MarshalJSON/UnmarshalJSON methods.
type BatchResponseObject struct {
	Result  *BatchResponseObjectResult
	Skipped *BatchResponseObjectSkipped
}

func (BatchResponseObject) MarshalJSON added in v0.3.4

func (x BatchResponseObject) MarshalJSON() ([]byte, error)

func (*BatchResponseObject) UnmarshalJSON added in v0.3.4

func (x *BatchResponseObject) UnmarshalJSON(data []byte) error

type BatchResponseObjectResult added in v0.3.4

// BatchResponseObjectResult is the response of an executed batch item.
type BatchResponseObjectResult struct {
	// Status is the per-item status code (presumably HTTP-style; confirm).
	// Callers should check it for every item rather than relying on the
	// status of the enclosing batch call.
	Status uint16      `json:"status"`
	// Body is the item's response body, decoded generically; omitted when nil.
	Body   interface{} `json:"body,omitempty"`
}

type BatchResponseObjectSkipped added in v0.3.4

// BatchResponseObjectSkipped explains why a batch item was not executed.
type BatchResponseObjectSkipped struct {
	// Reason is a human-readable explanation from the server.
	Reason string `json:"reason"`
}

type BatchSignResponseItem

type BatchSignResponseItem struct {
	// contains filtered or unexported fields
}

BatchSignResponseItem is returned by BatchSign operation

func (*BatchSignResponseItem) Result

func (b *BatchSignResponseItem) Result() (*SignResponse, error)

Result returns the Sign operation result

func (*BatchSignResponseItem) UnmarshalJSON

func (b *BatchSignResponseItem) UnmarshalJSON(data []byte) error

UnmarshalJSON implements JSON unmarshalling for BatchSignResponseItem

type BatchVerifyResponseItem

type BatchVerifyResponseItem struct {
	// contains filtered or unexported fields
}

BatchVerifyResponseItem is returned by BatchVerify operation

func (*BatchVerifyResponseItem) Result

Result returns the Verify operation result

func (*BatchVerifyResponseItem) UnmarshalJSON

func (b *BatchVerifyResponseItem) UnmarshalJSON(data []byte) error

UnmarshalJSON implements JSON unmarshalling for BatchVerifyResponseItem

type BearerToken

// BearerToken is used for established sessions. It is a bearer credential:
// whoever holds the string can act as that session until it expires or is
// terminated, so keep it out of logs, URLs and error messages.
type BearerToken string

BearerToken is used for established sessions

type Bip32Network added in v0.2.6

// Bip32Network names the BIP32 network a derived key belongs to; see the
// Bip32NetworkMainnet / Bip32NetworkTestnet constants.
type Bip32Network string

The BIP32 network. The Testnet network is usually an actual network with nodes and miners, and free cryptocurrency; it provides a testing environment for developers.

// List of supported Bip32Network values.
const (
	// Bip32NetworkMainnet: the production network; keys here control real funds.
	Bip32NetworkMainnet Bip32Network = "mainnet"
	// Bip32NetworkTestnet: the developer test network (see the type doc).
	Bip32NetworkTestnet Bip32Network = "testnet"
)

List of supported Bip32Network values

type Bip32Options added in v0.2.6

// Bip32Options carries BIP32 hierarchical-derivation parameters.
type Bip32Options struct {
	// The BIP32 path, starting from master. Master key is Some([]).
	// Ex: m/42/42'/0 -> Some([42, 2**31 + 42, 0])
	// A hardened index (the ' in the path) is encoded as 2**31 + index, as
	// the example shows; the caller must apply that offset itself.
	DerivationPath *[]uint32     `json:"derivation_path,omitempty"`
	// Network selects mainnet or testnet; what is assumed when nil is not
	// shown here — confirm with the server documentation.
	Network        *Bip32Network `json:"network,omitempty"`
}

type Blob

// Blob represents binary data. It is a type alias (=), not a defined type, so
// []byte values are used wherever a Blob is expected without conversion and
// it is marshalled as encoding/json marshals any []byte.
type Blob = []byte

Blob represents binary data

type BlsOptions added in v0.2.6

// BlsOptions carries the parameters of a BLS key.
type BlsOptions struct {
	// Variant chooses the signature/public-key size trade-off (see BlsVariant).
	Variant BlsVariant `json:"variant"`
}

type BlsOptionsPolicy added in v0.2.6

// BlsOptionsPolicy has no fields in this version; its presence in a policy
// presumably acts as a marker for BLS keys — confirm against the server docs.
type BlsOptionsPolicy struct {
}

type BlsVariant added in v0.2.6

// BlsVariant is the signature/public-key size trade-off for BLS; see the
// BlsVariantSmallSignatures / BlsVariantSmallPublicKeys constants.
type BlsVariant string

Signature/public-key size trade-off for BLS.

// List of supported BlsVariant values. The two variants are not
// interoperable: a signature made under one cannot be verified with a key
// of the other, so the variant is part of the key's identity.
const (
	// BlsVariantSmallSignatures: shorter signatures, larger public keys.
	BlsVariantSmallSignatures BlsVariant = "small_signatures"
	// BlsVariantSmallPublicKeys: shorter public keys, larger signatures.
	BlsVariantSmallPublicKeys BlsVariant = "small_public_keys"
)

List of supported BlsVariant values

type COSEAlgorithmIdentifier added in v0.2.6

// COSEAlgorithmIdentifier is a COSE algorithm number as used by WebAuthn/FIDO2
// (the IANA "COSE Algorithms" registry uses signed integers, hence int16).
type COSEAlgorithmIdentifier int16
const (
	// Es256 is the registered COSE identifier -7: ECDSA with SHA-256. It is
	// the only value defined here, so other FIDO2 algorithms are not accepted.
	Es256 COSEAlgorithmIdentifier = -7
)

type CaConfig

// CaConfig is the CA settings for validating a TLS peer: either a predefined
// CA set or an explicit pinned list. The MarshalJSON/UnmarshalJSON methods on
// this type (not visible here) presumably emit whichever field is non-nil.
type CaConfig struct {
	// CaSet selects a predefined trust bundle (currently only CaSetGlobalRoots).
	CaSet  *CaSet
	// Pinned is an explicit list of trusted certificates, used instead of a
	// CA set (pinning narrows trust to exactly these). The expected encoding
	// (presumably DER) is not shown here — confirm with the server docs.
	Pinned *[]Blob
}

CA settings.

func (CaConfig) MarshalJSON

func (x CaConfig) MarshalJSON() ([]byte, error)

func (*CaConfig) UnmarshalJSON

func (x *CaConfig) UnmarshalJSON(data []byte) error

type CaSet

// CaSet names a predefined CA set; see the CaSet* constants.
type CaSet string

Predefined CA sets.

// List of supported CaSet values.
const (
	// CaSetGlobalRoots: trust the server's bundle of public root CAs. Which
	// roots are included is decided server-side and is not visible here.
	CaSetGlobalRoots CaSet = "global_roots"
)

List of supported CaSet values

type CertificateOptions added in v0.2.6

// CertificateOptions has no fields in this version; it presumably exists so
// certificate objects have an options entry like the other key types — confirm.
type CertificateOptions struct {
}

type Char added in v0.2.1

// Char represents a single `rune` encoded as a JSON string, via this type's
// MarshalJSON/UnmarshalJSON (bodies not visible here — confirm how a
// multi-rune or empty string is rejected on decode).
type Char rune

Char represents a single `rune` encoded as a JSON string

func (Char) MarshalJSON added in v0.2.1

func (c Char) MarshalJSON() ([]byte, error)

func (*Char) UnmarshalJSON added in v0.2.1

func (c *Char) UnmarshalJSON(data []byte) error

type CheckHmgRequest added in v0.2.6

// CheckHmgRequest asks the server to validate an HMG (external key store)
// configuration, either an existing one by ID or an inline one. Both fields
// are optional; presumably exactly one is expected — confirm.
type CheckHmgRequest struct {
	// The ID of the hmg configuration in the group.
	ID     *UUID      `json:"id,omitempty"`
	// Config is an inline configuration to check. Its contents are not shown
	// here; if it carries external-KMS credentials, treat the request as secret.
	Config *HmgConfig `json:"config,omitempty"`
}

type CipherMode

// CipherMode is the block-cipher mode used for symmetric key operations; see
// the CipherMode* constants for the supported values and their caveats.
type CipherMode string

Cipher mode used for symmetric key algorithms.

// List of supported CipherMode values. Only GCM and CCM authenticate the
// ciphertext; the other modes give confidentiality only, so tampering is not
// detected unless a MAC is applied separately. Per the Encrypt/Decrypt docs,
// GCM and CCM additionally require tag_len, and the multi-part
// EncryptInit/DecryptInit API supports only CBC, CBCNOPAD, CTR and GCM.
const (
	// CipherModeEcb: no IV; identical plaintext blocks produce identical
	// ciphertext blocks, so patterns in the data leak. Avoid for general data.
	CipherModeEcb      CipherMode = "ECB"
	// CipherModeCbc: IV required; unauthenticated.
	CipherModeCbc      CipherMode = "CBC"
	// CipherModeCbcNoPad: CBC without padding, so (per the name) the input
	// must already be a whole number of blocks — confirm server behaviour.
	CipherModeCbcNoPad CipherMode = "CBCNOPAD"
	// CipherModeCfb, CipherModeOfb, CipherModeCtr: stream-style modes.
	// Reusing an IV/nonce with the same key under these modes destroys
	// confidentiality; let the server generate the IV where possible.
	CipherModeCfb      CipherMode = "CFB"
	CipherModeOfb      CipherMode = "OFB"
	CipherModeCtr      CipherMode = "CTR"
	// CipherModeGcm, CipherModeCcm: AEAD modes (confidentiality + integrity).
	// GCM nonce reuse is likewise catastrophic for authenticity.
	CipherModeGcm      CipherMode = "GCM"
	CipherModeCcm      CipherMode = "CCM"
	// CipherModeKw, CipherModeKwp: per the names, AES key wrap and key wrap
	// with padding, intended for wrapping other keys rather than bulk data.
	CipherModeKw       CipherMode = "KW"
	CipherModeKwp      CipherMode = "KWP"
	// CipherModeFf1: per the name, format-preserving encryption (FF1).
	CipherModeFf1      CipherMode = "FF1"
)

List of supported CipherMode values

type Client

// Client is an SDKMS client. It carries the live session credential in Auth,
// so a Client value is itself sensitive: do not log it with %v/%+v.
type Client struct {
	// SDKMS API endpoint, defaults to https://apps.smartkey.io
	// Credentials and key material travel over this connection, so it should
	// remain an https:// URL; nothing visible here rejects a plain-http
	// endpoint — confirm before accepting this value from configuration.
	Endpoint string
	// http.Client used for communicating to SDKMS backend
	// What is used when this is nil is not shown here. An http.Client without
	// a Timeout can block indefinitely; set one, or always pass a ctx with a
	// deadline to the request methods.
	HTTPClient *http.Client
	// Current authorization. If nil, no authorization header is set on requests.
	// This field is set by AuthenticateWith* and TerminateSession methods when establishing a session.
	// Because those methods write this field while every request reads it,
	// re-authenticating on a Client that other goroutines are using concurrently
	// is a data race unless the caller synchronises access.
	Auth Authorization
}

Client is an SDKMS client

func (*Client) AccountUsage

func (c *Client) AccountUsage(ctx context.Context, id string, queryParameters *CountParams) (*GetUsageResponse, error)

Get account usage information. See input and output of this API for info on what it can return.

func (*Client) ActivateSobject

func (c *Client) ActivateSobject(ctx context.Context, id string) error

Transition a security object to Active state.

func (*Client) Agree

func (c *Client) Agree(ctx context.Context, body AgreeKeyRequest) (*Sobject, error)

Agree on a key from two other keys.

Perform a cryptographic key agreement operation between a public key and a private key. Both keys must have been generated from the same parameters (e.g. the same elliptic curve). Both keys must allow the AGREEKEY operation. The request body contains the requested properties for the new key as well as the mechanism (e.g. Diffie-Hellman) to be used to produce the key material for the new key. The output of this API should not be used directly as a cryptographic key. The target object type should be HMAC or Secret, and a key derivation procedure should be used to derive the actual key material.

func (*Client) ApproveRequest

func (c *Client) ApproveRequest(ctx context.Context, id string, body ApproveRequest) (*ApprovalRequest, error)

Approve an approval request.

If the quorum policy was configured to require extra things like 2FA, then, relevant info needs to be added to the request.

func (*Client) AsyncScanHmg added in v0.2.6

func (c *Client) AsyncScanHmg(ctx context.Context, id string) (*Scan, error)

Scan external objects asynchronously.

Scan external objects asynchronously and create corresponding virtual sobjects in the group as needed. If there is already a virtual sobject corresponding to a scanned object, no sobject is created. This is only supported for DSM-backed groups currently.

func (*Client) AuthDiscover added in v0.2.6

func (c *Client) AuthDiscover(ctx context.Context, queryParameters *AuthDiscoverParams, body AuthDiscoverRequest) ([]AuthMethod, error)

Returns the available auth methods for the given user email. Example: password, ldap, oauth, etc.

func (*Client) Authenticate added in v0.2.6

func (c *Client) Authenticate(ctx context.Context, body AuthRequest) (*AuthResponse, error)

Create a session for a user or an app.

Authenticate a user or an app to begin a session. The caller needs to provide a basic authentication token or an appropriate request body (see input type). The response body contains a bearer authentication token which needs to be provided by subsequent calls for the duration of the session.

If this is basic auth and the user has MFA devices configured, the response also contains challenge for the device to sign. Until the signed assertion is passed to `POST /sys/v1/session/auth/2fa/fido2` to complete 2FA, the bearer token can't be used for anything else.

func (*Client) AuthenticateWithAPIKey

func (c *Client) AuthenticateWithAPIKey(ctx context.Context, apiKey string) (*AuthenticationResponse, error)

AuthenticateWithAPIKey authenticates an app

func (*Client) AuthenticateWithUserPass

func (c *Client) AuthenticateWithUserPass(ctx context.Context, username, password string) (*AuthenticationResponse, error)

AuthenticateWithUserPass authenticates a user

func (*Client) Batch added in v0.3.4

func (c *Client) Batch(ctx context.Context, body BatchRequest) (*BatchResponse, error)

Create a new batch request

func (*Client) BatchSign

func (c *Client) BatchSign(ctx context.Context, body []SignRequest) ([]BatchSignResponseItem, error)

Batch sign with one or more private keys.

The order of batch items in the response matches that of the request. An individual status code is returned for each batch item.

func (*Client) BatchVerify

func (c *Client) BatchVerify(ctx context.Context, body []VerifyRequest) ([]BatchVerifyResponseItem, error)

Batch verify with one or more public keys.

The order of batch items in the response matches that of the request. An individual status code is returned for each batch item.

func (*Client) ChangePassword

func (c *Client) ChangePassword(ctx context.Context, body PasswordChangeRequest) error

Change user's password.

func (*Client) CheckHmg added in v0.2.6

func (c *Client) CheckHmg(ctx context.Context, id string, body CheckHmgRequest) error

Check that the HMG configuration for a particular group is valid and reachable.

func (*Client) CheckHmgConfig added in v0.2.6

func (c *Client) CheckHmgConfig(ctx context.Context, body HmgConfig) error

Check that the HMG configuration provided is valid and reachable.

func (*Client) CompleteFido2Auth added in v0.2.6

Completes a pending authentication using a FIDO2 key.

func (*Client) Config2faAuth

func (c *Client) Config2faAuth(ctx context.Context, body Config2faAuthRequest) (*Config2faAuthResponse, error)

Unlock two factor configuration.

Re-authenticate to unlock two factor configuration. Two factor configuration must be unlocked to enable or disable two factor authentication, add or remove two factor devices, or regenerate recovery codes.

func (*Client) Config2faTerminate

func (c *Client) Config2faTerminate(ctx context.Context) error

Lock two factor configuration.

Lock two factor configuration after completing two factor reconfiguration. If this API is not called, two factor configuration will be locked automatically after ten minutes. Locking this back is necessary if the 2FA device needs to be used for other things like approval requests. It is not possible to use 2FA for other purposes while configuration mode is unlocked.

func (*Client) ConfirmEmail added in v0.2.6

func (c *Client) ConfirmEmail(ctx context.Context, id string, body ConfirmEmailRequest) (*ConfirmEmailResponse, error)

Confirms user's email address.

func (*Client) CopySobject added in v0.2.6

func (c *Client) CopySobject(ctx context.Context, body CopySobjectRequest) (*Sobject, error)

Make a copy of a security object.

A new key will be created in the target group and will have the same key material as the original key. Links will be maintained between all copied keys and the source key. If the key is being copied to an externally linked group, it needs to be exportable.

This can also be used to rotate an external key by copying the key material from a native DSM key. This key material will then finally be imported into the external KMS. For AWS KMS keys, after the rotation, the new key will have the original aliases and the old key's aliases will have "(rotated at <timestamp>)" prepended.

func (*Client) CreateAccount

func (c *Client) CreateAccount(ctx context.Context, body AccountRequest) (*Account, error)

Create a new account.

func (*Client) CreateApp

func (c *Client) CreateApp(ctx context.Context, queryParameters *GetAppParams, body AppRequest) (*App, error)

Create a new application with the specified properties.

func (*Client) CreateApprovalRequest

func (c *Client) CreateApprovalRequest(ctx context.Context, body ApprovalRequestRequest) (*ApprovalRequest, error)

Create a new approval request.

func (*Client) CreateDigest

func (c *Client) CreateDigest(ctx context.Context, body DigestRequest) (*DigestResponse, error)

Compute digest (hash) of data.

func (*Client) CreateExternalRole

func (c *Client) CreateExternalRole(ctx context.Context, body ExternalRoleRequest) (*ExternalRole, error)

Create a new external role.

func (*Client) CreateGroup

func (c *Client) CreateGroup(ctx context.Context, body GroupRequest) (*Group, error)

Create a new group with the specified properties.

func (*Client) CreatePlugin

func (c *Client) CreatePlugin(ctx context.Context, body PluginRequest) (*Plugin, error)

Create a new plugin.

func (*Client) CreateRole added in v0.2.6

func (c *Client) CreateRole(ctx context.Context, body RoleRequest) (*Role, error)

Create a new role.

func (*Client) CreateSobject

func (c *Client) CreateSobject(ctx context.Context, body SobjectRequest) (*Sobject, error)

Generate a new security object.

Generate a new security object (such as an RSA key pair or an AES key) of the requested size, elliptic curve, etc.

By default, all key operations except for EXPORT that are implemented for that type of key will be enabled. These may be overridden by requesting specific operations in the key creation request.

Objects of type Secret/Opaque may not be generated with this API. They must be imported via the import API.

For AWS KMS keys, this generates the key material in AWS and a corresponding virtual key is created in DSM. Only 256-bit AES keys are supported.

func (*Client) Decrypt

func (c *Client) Decrypt(ctx context.Context, body DecryptRequest) (*DecryptResponse, error)

Decrypt data using a symmetric or asymmetric key.

For symmetric ciphers, `mode` (the block cipher mode) is a required field. For GCM and CCM modes, `tag_len` is a required field. `iv` is required for symmetric ciphers and unused for asymmetric ciphers. If the mode requires one, the request must contain the initialization vector used when the data was encrypted. Objects of type Opaque, EC, or HMAC may not be used with this API.

func (*Client) DecryptFinal

func (c *Client) DecryptFinal(ctx context.Context, body DecryptFinalRequest) (*DecryptFinalResponse, error)

Conclude multi-part decryption. See `/crypto/v1/decrypt/init` for more details.

func (*Client) DecryptInit

func (c *Client) DecryptInit(ctx context.Context, body DecryptInitRequest) (*DecryptInitResponse, error)

Begin multi-part decryption.

This API is used when decrypting more data than the client wishes to submit in a single request. It supports only symmetric ciphers and CBC, CBCNOPAD, CTR, and GCM modes of operation. To perform multi-part decryption, the client makes one request to the `init` resource, zero or more requests to the `update` resource, followed by one request to the `final` resource. The response to init and update requests includes a `state` field. The `state` is an opaque data blob that must be supplied unmodified by the client with each subsequent request.

func (*Client) DecryptUpdate

func (c *Client) DecryptUpdate(ctx context.Context, body DecryptUpdateRequest) (*DecryptUpdateResponse, error)

Continue multi-part decryption. See `/crypto/v1/decrypt/init` for more details.

func (*Client) DeleteAccount

func (c *Client) DeleteAccount(ctx context.Context, id string) error

Delete an account.

func (*Client) DeleteApp

func (c *Client) DeleteApp(ctx context.Context, id string) error

Delete an app.

func (*Client) DeleteApprovalRequest

func (c *Client) DeleteApprovalRequest(ctx context.Context, id string) error

Delete an approval request.

func (*Client) DeleteExternalRole

func (c *Client) DeleteExternalRole(ctx context.Context, id string) error

Delete an external role.

func (*Client) DeleteGroup

func (c *Client) DeleteGroup(ctx context.Context, id string) error

Delete the group.

func (*Client) DeletePlugin

func (c *Client) DeletePlugin(ctx context.Context, id string) error

Delete a plugin.

func (*Client) DeleteRole added in v0.2.6

func (c *Client) DeleteRole(ctx context.Context, id string) error

Delete a role.

func (*Client) DeleteSobject

func (c *Client) DeleteSobject(ctx context.Context, id string) error

Delete the specified security object.

func (*Client) DeleteStale added in v0.2.6

func (c *Client) DeleteStale(ctx context.Context, id string) error

Delete a stale user (for sysadmins).

func (*Client) DeleteUser

func (c *Client) DeleteUser(ctx context.Context) error

Delete the currently logged-in user.

func (*Client) DeleteUserAccount

func (c *Client) DeleteUserAccount(ctx context.Context, id string) error

Remove user's association with an account.

func (*Client) DenyRequest

func (c *Client) DenyRequest(ctx context.Context, id string, body DenyRequest) (*ApprovalRequest, error)

Deny an approval request.

func (*Client) Derive

func (c *Client) Derive(ctx context.Context, body DeriveKeyRequest) (*Sobject, error)

Derive a new key from an existing key.

The request body contains the requested properties for the new key as well as the mechanism to be used to produce the key material for the new key.

func (*Client) DestroySobject added in v0.2.6

func (c *Client) DestroySobject(ctx context.Context, id string) error

Transition a security object to Destroyed state. Objects in the `Destroyed` state cannot be used in any cryptographic operation. Their metadata, however, remains accessible.

func (*Client) DigestSobject

func (c *Client) DigestSobject(ctx context.Context, body ObjectDigestRequest) (*ObjectDigestResponse, error)

Retrieve the digest (hash) of the value of an exportable security object.

func (*Client) Encrypt

func (c *Client) Encrypt(ctx context.Context, body EncryptRequest) (*EncryptResponse, error)

Encrypt data using a symmetric or asymmetric key.

For symmetric ciphers, `mode` (the block cipher mode) is a required field. For GCM and CCM modes, `tag_len` is a required field. `iv` is optional for symmetric ciphers and unused for asymmetric ciphers. If provided, it will be used as the cipher initialization vector. The length of `iv` must match the initialization vector size for the cipher and mode. If not provided, a random iv of the correct length is created and returned in the response. Objects of type Opaque, EC, or HMAC may not be used with this API.

func (*Client) EncryptFinal

func (c *Client) EncryptFinal(ctx context.Context, body EncryptFinalRequest) (*EncryptFinalResponse, error)

Conclude multi-part encryption. See `/crypto/v1/encrypt/init` for more details.

func (*Client) EncryptInit

func (c *Client) EncryptInit(ctx context.Context, body EncryptInitRequest) (*EncryptInitResponse, error)

Begin multi-part encryption.

This API is used when encrypting more data than the client wishes to submit in a single request. It supports only symmetric ciphers and CBC, CBCNOPAD, CTR, and GCM modes of operation. To perform multi-part encryption, the client makes one request to the `init` resource, zero or more requests to the `update` resource, followed by one request to the `final` resource. The response to init and update requests includes a `state` field. The `state` is an opaque data blob that must be supplied unmodified by the client with each subsequent request.

func (*Client) EncryptUpdate

func (c *Client) EncryptUpdate(ctx context.Context, body EncryptUpdateRequest) (*EncryptUpdateResponse, error)

Continue multi-part encryption. See `/crypto/v1/encrypt/init` for more details.

func (*Client) ExportSobject

func (c *Client) ExportSobject(ctx context.Context, body SobjectDescriptor) (*Sobject, error)

Get the details and value of a particular exportable security object.

func (*Client) ExportSobjectComponents added in v0.2.6

func (c *Client) ExportSobjectComponents(ctx context.Context, body ExportSobjectComponentsRequest) (*ExportComponentsResponse, error)

Exports the security object as components.

Exports the security object as components. This API can only be called through an approval request and won't work if called directly. This requires a key custodian policy and quorum approval policy to be set at the group level. A new approval request needs to be created (see `POST /sys/v1/approval_requests`), then after getting the required approvals, the key custodians can fetch the result of this approval request (See `POST /sys/v1/approval_requests/:id/result`). Each key custodian will be able to get only their component.

Only AES, DES, DES3 & HMAC objects are exportable by components.

This is described in detail in the following article: https://support.fortanix.com/hc/en-us/articles/360043559332-User-s-Guide-Key-Components

func (*Client) ForgotPassword

func (c *Client) ForgotPassword(ctx context.Context, body ForgotPasswordRequest) error

Initiate password reset sequence for a user.

func (*Client) GenerateRecoveryCodes

func (c *Client) GenerateRecoveryCodes(ctx context.Context) (*RecoveryCodes, error)

Generate recovery codes for two factor authentication.

Generate backup recovery codes that may be used to complete two factor authentication. Two factor configuration must be unlocked to use this API.

func (*Client) GetAccount

func (c *Client) GetAccount(ctx context.Context, id string, queryParameters *GetAccountParams) (*Account, error)

Get info for a specific account.

A user can have access to multiple accounts and this API tries to look one up given by the input id.

func (*Client) GetAllHmgScans added in v0.2.6

func (c *Client) GetAllHmgScans(ctx context.Context, id string) (*GetAllHmgScansResponse, error)

Retrieve the scan status of an external group.

func (*Client) GetAllLogs added in v0.2.6

func (c *Client) GetAllLogs(ctx context.Context, queryParameters *LogsParams) (*EsAuditQueryResponse, error)

Get all logs visible to the requester.

func (*Client) GetApp

func (c *Client) GetApp(ctx context.Context, id string, queryParameters *GetAppParams) (*App, error)

Lookup an application.

func (*Client) GetAppAggregate added in v0.2.6

func (c *Client) GetAppAggregate(ctx context.Context, queryParameters *StatsParams) (*EsStatsCountQueryResponse, error)

Get app aggregate transaction statistics.

func (*Client) GetAppCredential

func (c *Client) GetAppCredential(ctx context.Context, id string) (*AppCredentialResponse, error)

Get an application's credential.

func (*Client) GetAppStats added in v0.2.6

func (c *Client) GetAppStats(ctx context.Context, id string, queryParameters *StatsParams) (*EsStatsCountQueryResponse, error)

Get transaction statistics for a specific application.

func (*Client) GetApprovalRequest

func (c *Client) GetApprovalRequest(ctx context.Context, id string) (*ApprovalRequest, error)

Lookup a specific approval request.

func (*Client) GetApprovalRequestResult

func (c *Client) GetApprovalRequestResult(ctx context.Context, id string) (*ApprovableResult, error)

Get the result for an approved or failed request.

func (*Client) GetClientConfigs added in v0.2.6

func (c *Client) GetClientConfigs(ctx context.Context) (*ClientConfigurations, error)

Get configurations for various clients. This API can only be called by apps.

Client configurations can be set at account level, group level or app level. Client config set on the app itself overrides config set at group level and similarly group level config overrides account level config. This API returns the combined client config according to the above explanation.

func (*Client) GetExternalRole

func (c *Client) GetExternalRole(ctx context.Context, id string) (*ExternalRole, error)

Lookup a particular external role by its ID.

func (*Client) GetGcpKeyRings added in v0.2.6

func (c *Client) GetGcpKeyRings(ctx context.Context, body GcpKeyRingConfig) ([]string, error)

Given a GCP configuration, fetch a list of available GCP key rings which can be used to back a group.

func (*Client) GetGroup

func (c *Client) GetGroup(ctx context.Context, id string) (*Group, error)

Lookup a specific group.

func (*Client) GetGroupAggregate added in v0.2.6

func (c *Client) GetGroupAggregate(ctx context.Context, queryParameters *StatsParams) (*EsStatsCountQueryResponse, error)

Get group aggregate transaction statistics.

func (*Client) GetGroupStats added in v0.2.6

func (c *Client) GetGroupStats(ctx context.Context, id string, queryParameters *StatsParams) (*EsStatsCountQueryResponse, error)

Get transaction statistics for a specific group.

func (*Client) GetHealth added in v0.2.6

func (c *Client) GetHealth(ctx context.Context, queryParameters *HealthParams) error

Check whether the server is handling requests.

Returns a 200-class status code if the server is handling requests, or a 500-class status code if the server is having problems.

func (*Client) GetKcv added in v0.2.6

Computes and returns the KCV of the input. This is only valid for AES, DES & DES3 keys.

func (*Client) GetMarketplace added in v0.2.6

func (c *Client) GetMarketplace(ctx context.Context, queryParameters *GetMarketplaceParams) ([]MarketplacePlugin, error)

Gets all the plugins from the input URL.

func (*Client) GetPlugin

func (c *Client) GetPlugin(ctx context.Context, id string) (*Plugin, error)

Lookup a plugin.

func (*Client) GetPubkey added in v0.2.6

func (c *Client) GetPubkey(ctx context.Context, id string, name string) (map[string]Blob, error)

Get public part of an asymmetric key.

Returns the public part of an asymmetric key. This needs account id and key name as input. No auth is required for this. This works with RSA, EC and Certificate objects.

func (*Client) GetRole added in v0.2.6

func (c *Client) GetRole(ctx context.Context, id string) (*Role, error)

Lookup a role.

func (*Client) GetScan added in v0.2.6

func (c *Client) GetScan(ctx context.Context, group_id string, scan_id string) (*Scan, error)

Query the status of a particular scan. Only the last five completed scans, as well as any in-progress scan, are queryable.

func (*Client) GetSobject

func (c *Client) GetSobject(ctx context.Context, queryParameters *GetSobjectParams, body SobjectDescriptor) (*Sobject, error)

Lookup a security object.

func (*Client) GetSobjectStats added in v0.2.6

func (c *Client) GetSobjectStats(ctx context.Context, id string, queryParameters *StatsParams) (*EsStatsCountQueryResponse, error)

Get transaction statistics for a specific security object.

func (*Client) GetUser

func (c *Client) GetUser(ctx context.Context, id string) (*User, error)

Lookup a user.

func (*Client) GetUserAccounts

func (c *Client) GetUserAccounts(ctx context.Context) (map[UUID]UserAccountFlags, error)

Get user's accounts.

func (*Client) GetUserPermissions added in v0.2.6

func (c *Client) GetUserPermissions(ctx context.Context, queryParameters *GetUserPermissionsParams) (*GetUserPermissionsResponse, error)

Returns the caller's permissions.

func (*Client) GetVaults added in v0.2.6

func (c *Client) GetVaults(ctx context.Context, body HmgConfig) ([]KeyVault, error)

Given an Azure configuration, fetch a list of available Azure key vaults which can be used to back a group.

func (*Client) ImportSobject

func (c *Client) ImportSobject(ctx context.Context, body SobjectRequest) (*Sobject, error)

Import a security object.

By default, all key operations that are implemented for that type of key will be enabled. These may be overridden by requesting specific operations in the key import request.

For symmetric and asymmetric keys, value is base64-encoding of the key material in DER format.

For AWS KMS keys, this imports the key material provided into the external KMS and a corresponding virtual key is created in DSM. Only AES 256 is supported for now.

func (*Client) ImportSobjectByComponents added in v0.2.6

func (c *Client) ImportSobjectByComponents(ctx context.Context, body ImportSobjectComponentsRequest) (*Sobject, error)

Import a security object by components.

Import a security object by components. This API can only be called through an approval request and won't work if called directly. A key custodian and quorum policy needs to be set at the group level. After an import by components request has been made, key custodians will need to add their respective component via `POST /sys/v1/approval_requests/:id/approve`.

Only AES, DES, DES3 & HMAC objects are importable by components.

This is described in detail in the following article: https://support.fortanix.com/hc/en-us/articles/360043559332-User-s-Guide-Key-Components

func (*Client) InviteUser

func (c *Client) InviteUser(ctx context.Context, body UserRequest) (*User, error)

Invite an existing user or new user to join an existing account.

func (*Client) InvokePlugin

func (c *Client) InvokePlugin(ctx context.Context, id string, body interface{}) (*PluginOutput, error)

Invokes a plugin execution with the provided request body as input to the plugin.

func (*Client) LdapSearch added in v0.2.6

func (c *Client) LdapSearch(ctx context.Context, id string, body LdapSearchRequest) ([]LdapSearchResultEntry, error)

Searches for LDAP objects in the specified LDAP directory.

func (*Client) ListAccounts

func (c *Client) ListAccounts(ctx context.Context, queryParameters *GetAccountParams) ([]Account, error)

Get info about all accounts.

A user can have access to multiple accounts and this API gets all accounts the calling user has access to.

func (*Client) ListApprovalRequests

func (c *Client) ListApprovalRequests(ctx context.Context, queryParameters *ListApprovalRequestsParams) ([]ApprovalRequest, error)

Get all approval requests.

func (*Client) ListApps

func (c *Client) ListApps(ctx context.Context, queryParameters *ListAppsParams) ([]App, error)

Get details of all apps accessible to requester.

func (*Client) ListExternalRoles

func (c *Client) ListExternalRoles(ctx context.Context, queryParameters *ListExternalRolesParams) ([]ExternalRole, error)

Get all external roles.

func (*Client) ListGroups

func (c *Client) ListGroups(ctx context.Context, queryParameters *GetGroupsParams) ([]Group, error)

Get all groups accessible to the requester.

func (*Client) ListPlugins

func (c *Client) ListPlugins(ctx context.Context, queryParameters *ListPluginsParams) ([]Plugin, error)

Get details of all plugins accessible to the requester.

func (*Client) ListRoles added in v0.2.6

func (c *Client) ListRoles(ctx context.Context, queryParameters *ListRolesParams) (*ListRolesResponse, error)

Get all roles.

func (*Client) ListSobjects

func (c *Client) ListSobjects(ctx context.Context, queryParameters *ListSobjectsParams) (*ListSobjectsResponse, error)

Get all security objects accessible to the requester.

func (*Client) ListUsers

func (c *Client) ListUsers(ctx context.Context, queryParameters *ListUsersParams) ([]User, error)

Get all users accessible to the requester.

func (*Client) Mac

func (c *Client) Mac(ctx context.Context, body MacRequest) (*MacResponse, error)

Compute a message authentication code (HMAC or CMAC). The key being used should have the `MACGENERATE` key operation.

A key of type `HMAC` needs to be used for computing an HMAC, and the hash algorithm should be present in the request.

AES, ARIA, DES3, and SEED keys can be used for computing a CMAC. No hash algorithm should be specified for CMAC computation. The digest algorithm shouldn't be specified in case of CMAC.

func (*Client) MacVerify

func (c *Client) MacVerify(ctx context.Context, body VerifyMacRequest) (*VerifyResponse, error)

Verify the input MAC. The key used must have the `MACVERIFY` key operation.

func (*Client) MfaChallenge added in v0.2.6

func (c *Client) MfaChallenge(ctx context.Context, id string, queryParameters *MfaChallengeParams) (*MfaChallengeResponse, error)

Creates a challenge for the FIDO2/U2F device to sign.

If the quorum policy is configured to require 2FA, then a call to this API produces a challenge that needs to be signed by the respective FIDO2/U2F device. The signed data that U2F device provides can be then used with `POST /sys/v1/approval_requests/:id/approve` to successfully approve the request.

func (*Client) MfaNewChallenge added in v0.2.6

func (c *Client) MfaNewChallenge(ctx context.Context, queryParameters *MfaChallengeParams) (*MfaChallengeResponse, error)

Get credential creation options as per the given request.

The response of this API needs to be used with relevant API for the protocol. For U2F, it is `u2f.register()`. For FIDO2, it is `navigator.credentials.create()`.

func (*Client) PersistTransientKey

func (c *Client) PersistTransientKey(ctx context.Context, body PersistTransientKeyRequest) (*Sobject, error)

Persist a transient key.

This API copies a transient key as a persisted security object. If the transient key's origin is "FortanixHSM", the origin of the persisted key will be "Transient". If the transient key's origin is "External", the origin of the persisted key will be "External".

func (*Client) ProcessInvite

func (c *Client) ProcessInvite(ctx context.Context, body ProcessInviteRequest) error

Accept or reject pending account invitations.

func (*Client) Reauthenticate added in v0.2.6

func (c *Client) Reauthenticate(ctx context.Context) (*AuthResponse, error)

Create a new session for an App using an existing session bearer token.

func (*Client) RecoveryCodeAuth

func (c *Client) RecoveryCodeAuth(ctx context.Context, body RecoveryCodeAuthRequest) error

Use a backup recovery code to complete authentication.

Complete two factor authentication with a backup recovery code. Each recovery code may only be used once, so users should update their two factor configuration after using this API.

func (*Client) Refresh

func (c *Client) Refresh(ctx context.Context) error

Perform a no-op to keep session from expiring.

func (*Client) RemovePrivate

func (c *Client) RemovePrivate(ctx context.Context, id string) error

Destroy private half of an asymmetric key.

Removes the private portion of an asymmetric key. After this operation is performed, operations that require the private key, such as encryption and generating signatures, can no longer be performed.

func (*Client) ReplaceSobject added in v0.2.6

func (c *Client) ReplaceSobject(ctx context.Context, body SobjectReplaceRequest) error

Rotate a security object to an existing security object.

For two keys R and S, where R is the key to be replaced, and S is the intended replacement, this operation will

  • Rename R to the name provided in the request
  • Establish a replaced-replacement relationship between R and S
  • Assign R's old name to S

The metadata of S should be mostly the same as that of R, and it is not possible to update any fields of S while performing this operation. If S does not have any custom metadata or a rotation policy, any corresponding values from R will be copied over to S. For now, this operation is not supported if R, S, or both are externally-backed keys.

func (*Client) RequestApprovalToAgree

func (c *Client) RequestApprovalToAgree(
	ctx context.Context,
	body AgreeKeyRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToBatch added in v0.3.4

func (c *Client) RequestApprovalToBatch(
	ctx context.Context,
	body BatchRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToBatchSign

func (c *Client) RequestApprovalToBatchSign(
	ctx context.Context,
	body []SignRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToCopySobject added in v0.2.6

func (c *Client) RequestApprovalToCopySobject(
	ctx context.Context,
	body CopySobjectRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToCreateAccount

func (c *Client) RequestApprovalToCreateAccount(
	ctx context.Context,
	body AccountRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToCreateGroup added in v0.2.6

func (c *Client) RequestApprovalToCreateGroup(
	ctx context.Context,
	body GroupRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToCreatePlugin

func (c *Client) RequestApprovalToCreatePlugin(
	ctx context.Context,
	body PluginRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToDecrypt

func (c *Client) RequestApprovalToDecrypt(
	ctx context.Context,
	body DecryptRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToDeleteSobject

func (c *Client) RequestApprovalToDeleteSobject(
	ctx context.Context,
	id string,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToDerive

func (c *Client) RequestApprovalToDerive(
	ctx context.Context,
	body DeriveKeyRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToDestroySobject added in v0.2.6

func (c *Client) RequestApprovalToDestroySobject(
	ctx context.Context,
	id string,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToEncrypt

func (c *Client) RequestApprovalToEncrypt(
	ctx context.Context,
	body EncryptRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToExportSobject

func (c *Client) RequestApprovalToExportSobject(
	ctx context.Context,
	body SobjectDescriptor,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToExportSobjectComponents added in v0.2.6

func (c *Client) RequestApprovalToExportSobjectComponents(
	ctx context.Context,
	body ExportSobjectComponentsRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToGetAppCredential

func (c *Client) RequestApprovalToGetAppCredential(
	ctx context.Context,
	id string,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToImportSobjectByComponents added in v0.2.6

func (c *Client) RequestApprovalToImportSobjectByComponents(
	ctx context.Context,
	body ImportSobjectComponentsRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToInvokePlugin

func (c *Client) RequestApprovalToInvokePlugin(
	ctx context.Context,
	id string,
	body interface{},
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToMac

func (c *Client) RequestApprovalToMac(
	ctx context.Context,
	body MacRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToRemovePrivate added in v0.2.6

func (c *Client) RequestApprovalToRemovePrivate(
	ctx context.Context,
	id string,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToReplaceSobject added in v0.2.6

func (c *Client) RequestApprovalToReplaceSobject(
	ctx context.Context,
	body SobjectReplaceRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToResetAppSecret added in v0.2.6

func (c *Client) RequestApprovalToResetAppSecret(
	ctx context.Context,
	id string,
	queryParameters *GetAppParams,
	body AppResetSecretRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToRevertPrevKeyOp added in v0.2.6

func (c *Client) RequestApprovalToRevertPrevKeyOp(
	ctx context.Context,
	id string,
	body RevertRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToRevokeSobject added in v0.2.6

func (c *Client) RequestApprovalToRevokeSobject(
	ctx context.Context,
	id string,
	body RevocationReason,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToRotateSobject added in v0.2.6

func (c *Client) RequestApprovalToRotateSobject(
	ctx context.Context,
	body SobjectRekeyRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToSign

func (c *Client) RequestApprovalToSign(
	ctx context.Context,
	body SignRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToTransform added in v0.2.6

func (c *Client) RequestApprovalToTransform(
	ctx context.Context,
	body TransformKeyRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToUnwrap

func (c *Client) RequestApprovalToUnwrap(
	ctx context.Context,
	body UnwrapKeyRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToUpdateAccount

func (c *Client) RequestApprovalToUpdateAccount(
	ctx context.Context,
	id string,
	body AccountRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToUpdateApp added in v0.2.6

func (c *Client) RequestApprovalToUpdateApp(
	ctx context.Context,
	id string,
	queryParameters *GetAppParams,
	body AppRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToUpdateGroup

func (c *Client) RequestApprovalToUpdateGroup(
	ctx context.Context,
	id string,
	body GroupRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToUpdatePlugin

func (c *Client) RequestApprovalToUpdatePlugin(
	ctx context.Context,
	id string,
	body PluginRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToUpdateRole added in v0.2.6

func (c *Client) RequestApprovalToUpdateRole(
	ctx context.Context,
	id string,
	body RoleRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToUpdateSobject

func (c *Client) RequestApprovalToUpdateSobject(
	ctx context.Context,
	id string,
	body SobjectRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) RequestApprovalToWrap

func (c *Client) RequestApprovalToWrap(
	ctx context.Context,
	body WrapKeyRequest,
	description *string) (*ApprovalRequest, error)

func (*Client) ResendConfirmEmail added in v0.2.6

func (c *Client) ResendConfirmEmail(ctx context.Context) error

Resend email with link to confirm user's email address.

func (*Client) ResendInvite

func (c *Client) ResendInvite(ctx context.Context, id string) error

Resend invite to the user to join a specific account.

func (*Client) ResetAppSecret

func (c *Client) ResetAppSecret(ctx context.Context, id string, queryParameters *GetAppParams, body AppResetSecretRequest) (*App, error)

Regenerate API key.

This will invalidate all existing sessions of this app. However, if `credential_migration_period` is set in the request, the previous credentials (and their sessions) won't be invalidated until the given time.

func (*Client) ResetPassword

func (c *Client) ResetPassword(ctx context.Context, id string, body PasswordResetRequest) error

Reset a user's password. Requires a valid password reset token.

func (*Client) RevertPrevKeyOp added in v0.2.6

func (c *Client) RevertPrevKeyOp(ctx context.Context, id string, body RevertRequest) error

Reverts a security object to a previous state.

When a Key Undo Policy is in place, security objects maintain a list of history states. Using this API endpoint, clients may revert the security object to a previous (non-expired) history state.

func (*Client) RevokeSobject

func (c *Client) RevokeSobject(ctx context.Context, id string, body RevocationReason) error

Transition a security object to Deactivated or Compromised state.

func (*Client) RotateSobject

func (c *Client) RotateSobject(ctx context.Context, body SobjectRekeyRequest) (*Sobject, error)

Rotate a security object.

Renames the current key to "<current_name> (rotated at <timestamp>)" and generates a new key with the original name of the source key. The metadata of the newly generated key is mostly the same as that of the original key, and it is possible to update the following fields while performing rotation: `activation_date`, `deactivation_date`, `state`, `rsa`, `aes`, `aria`, `des`, `des3`, `seed`, `dsa`, `kcdsa`, `eckcdsa`, `pub_exponent`, `elliptic_curve`, `key_size`, `key_ops`, `description`, `enabled`, `custom_metadata`, `publish_public_key`, `rotation_policy`.

If the key is an external key, additional changes might happen (like changes to aws-alias custom_metadata, etc). (yet to be documented)

For AWS KMS keys, a new key is generated in the external KMS. After the rotation, the new key will have the original aliases, and the old key's aliases will be prefixed with "(rotated at <timestamp>)".

func (*Client) SamlSpMetadata added in v0.2.6

func (c *Client) SamlSpMetadata(ctx context.Context) ([]uint8, error)

Get the SP metadata file for SAML configuration

Returns the Service Provider metadata file of this cluster, for SAML configuration. If this cluster has a SAML signing key, the public key is included in the SPSSODescriptor.

func (*Client) ScanHmg added in v0.2.6

func (c *Client) ScanHmg(ctx context.Context, id string, body ScanHmgRequest) ([]Sobject, error)

Scan external objects.

Scan external objects synchronously and create corresponding virtual sobjects in the group as needed. If there is already a virtual sobject corresponding to a scanned object, no sobject is created.

func (*Client) SelectAccount

func (c *Client) SelectAccount(ctx context.Context, body SelectAccountRequest) (*SelectAccountResponse, error)

Select one of the user's accounts to proceed. Even if the user has only one account, this needs to be called.

func (*Client) SetAwsTemporaryCredentials added in v0.2.6

func (c *Client) SetAwsTemporaryCredentials(ctx context.Context, body AwsTemporaryCredentials) error

This sets AWS temporary credentials in the session so that calls to AWS-backed groups use these credentials. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html

func (*Client) Sign

func (c *Client) Sign(ctx context.Context, body SignRequest) (*SignResponse, error)

Sign with a private key. The key must be asymmetric and have the `SIGN` key operation enabled.

func (*Client) SignupUser

func (c *Client) SignupUser(ctx context.Context, body SignupRequest) (*User, error)

Create a new user with the given properties.

func (*Client) SyncExternalRole

func (c *Client) SyncExternalRole(ctx context.Context, id string) (*ExternalRole, error)

Synchronize information about the external role by retrieving it from external source.

func (*Client) Terminate added in v0.2.6

func (c *Client) Terminate(ctx context.Context) error

Terminate the current session.

Terminate an authenticated session. After this call, the provided bearer authentication token will be invalidated and cannot be used to make any further API calls.

func (*Client) TerminateSession

func (c *Client) TerminateSession(ctx context.Context) error

TerminateSession terminates the current session

func (*Client) TestLdapConfig added in v0.2.6

func (c *Client) TestLdapConfig(ctx context.Context, body LdapTestRequest) error

Test connection using the ldap SSO configuration saved in the account.

func (*Client) Transform added in v0.2.6

func (c *Client) Transform(ctx context.Context, body TransformKeyRequest) (*Sobject, error)

Transform an existing key into a new one.

Some protocols (such as BIP32) require weak forms of key derivation, where the resulting key can be used to recompute the original key.

func (*Client) U2fAuth

func (c *Client) U2fAuth(ctx context.Context, body U2fAuthRequest) error

Use a U2F key to complete pending authentication.

This API should be called with the bearer token received from the auth API call above if the user has any U2F devices. On calling `POST /sys/v1/session/auth`, if the response contains `challenge`, it needs to be signed by the `u2f.sign()` API and the signed assertion needs to be sent back via this API.

func (*Client) Unwrap

func (c *Client) Unwrap(ctx context.Context, body UnwrapKeyRequest) (*Sobject, error)

Unwrap a security object with another security object.

Unwrap (decrypt) a wrapped key and import it into DSM. This allows one to securely import security objects into DSM that were previously wrapped by DSM or another key management system. A new security object will be created in DSM with the unwrapped data. The wrapping key must have the `UNWRAPKEY` operation enabled. The `obj_type` parameter specifies the object type of the security object being unwrapped.

func (*Client) UpdateAccount

func (c *Client) UpdateAccount(ctx context.Context, id string, body AccountRequest) (*Account, error)

Update account settings such as authentication, logging, etc.

func (*Client) UpdateApp

func (c *Client) UpdateApp(ctx context.Context, id string, queryParameters *GetAppParams, body AppRequest) (*App, error)

Update app settings like groups, client config, etc.

func (*Client) UpdateExternalRole

func (c *Client) UpdateExternalRole(ctx context.Context, id string, body ExternalRoleRequest) (*ExternalRole, error)

Update an external role.

func (*Client) UpdateGroup

func (c *Client) UpdateGroup(ctx context.Context, id string, body GroupRequest) (*Group, error)

Change a group's properties.

func (*Client) UpdatePlugin

func (c *Client) UpdatePlugin(ctx context.Context, id string, body PluginRequest) (*Plugin, error)

Change a plugin's properties, such as name, description, code, group membership, etc.

func (*Client) UpdateRole added in v0.2.6

func (c *Client) UpdateRole(ctx context.Context, id string, body RoleRequest) (*Role, error)

Update a role given by the input ID.

func (*Client) UpdateSobject

func (c *Client) UpdateSobject(ctx context.Context, id string, body SobjectRequest) (*Sobject, error)

Update the properties of a security object like name, description, etc.

func (*Client) UpdateUser

func (c *Client) UpdateUser(ctx context.Context, id string, body UserRequest) (*User, error)

Change a user's properties like first_name, last_name, description, etc.

func (*Client) ValidateToken added in v0.2.6

func (c *Client) ValidateToken(ctx context.Context, id string, body ValidateTokenRequest) (*ValidateTokenResponse, error)

Validates password reset token for the user.

func (*Client) Verify

func (c *Client) Verify(ctx context.Context, body VerifyRequest) (*VerifyResponse, error)

Verify a signature with a public key. The verifying key must be an asymmetric key with the `VERIFY` key operation enabled.

func (*Client) VerifyKcv added in v0.2.6

func (c *Client) VerifyKcv(ctx context.Context, body VerifyKcvRequest) (*VerifyKcvResponse, error)

Computes the KCV of the input blob and checks if it matches the input KCV.

func (*Client) Version

func (c *Client) Version(ctx context.Context) (*VersionResponse, error)

Returns information about the DSM server version and the client API version that it supports.

func (*Client) Wrap

func (c *Client) Wrap(ctx context.Context, body WrapKeyRequest) (*WrapKeyResponse, error)

Wrap a security object with another security object.

Wrap (encrypt) an existing security object with a key. This allows keys to be securely exported from DSM so they can be later imported into DSM or another key management system. The key being wrapped must have the `EXPORT` operation enabled. The wrapping key must have the `WRAPKEY` operation enabled.

The following wrapping operations are supported:

  • Symmetric keys, HMAC keys, opaque objects, and secret objects may be wrapped with symmetric or asymmetric keys.
  • Asymmetric keys may be wrapped with symmetric keys. Wrapping an asymmetric key with an asymmetric key is not supported.

When wrapping with an asymmetric key, the wrapped object size must fit as plaintext for the wrapping key size and algorithm.

type ClientConfigurations added in v0.2.6

// ClientConfigurations groups the per-protocol client configuration blocks
// that can be attached to an account. Every block is optional and is omitted
// from the JSON form when nil.
type ClientConfigurations struct {
	// NOTE: not all clients use `common` configurations.
	Common *CommonClientConfig `json:"common,omitempty"`
	Pkcs11 *Pkcs11ClientConfig `json:"pkcs11,omitempty"`
	Kmip   *KmipClientConfig   `json:"kmip,omitempty"`
	Tep    *TepClientConfig    `json:"tep,omitempty"`
}

type ClientConfigurationsRequest added in v0.2.6

// ClientConfigurationsRequest is the request-side counterpart of
// ClientConfigurations. Each block is wrapped in Removable, presumably so a
// request can express "remove this block" as well as "set it"; the exact
// Removable semantics are defined elsewhere in this package — confirm before
// relying on them. A nil field is omitted from the JSON form.
type ClientConfigurationsRequest struct {
	Common *Removable[CommonClientConfig] `json:"common,omitempty"`
	Pkcs11 *Removable[Pkcs11ClientConfig] `json:"pkcs11,omitempty"`
	Kmip   *Removable[KmipClientConfig]   `json:"kmip,omitempty"`
	Tep    *Removable[TepClientConfig]    `json:"tep,omitempty"`
}

type ClientFileLogging added in v0.2.6

// ClientFileLogging is a tagged union: client file logging is either Enabled
// (carrying its configuration) or Disabled. The on-the-wire form is produced
// by the custom MarshalJSON/UnmarshalJSON methods; presumably exactly one of
// the two fields should be non-nil — confirm against those methods.
type ClientFileLogging struct {
	// Configuration used when file logging is enabled.
	Enabled  *ClientFileLoggingConfig
	// Non-nil (pointing at an empty struct) when file logging is disabled.
	Disabled *struct{}
}

func (ClientFileLogging) MarshalJSON added in v0.2.6

func (x ClientFileLogging) MarshalJSON() ([]byte, error)

func (*ClientFileLogging) UnmarshalJSON added in v0.2.6

func (x *ClientFileLogging) UnmarshalJSON(data []byte) error

type ClientFileLoggingConfig added in v0.2.6

// ClientFileLoggingConfig controls the log files written by a client. All
// fields are optional and are omitted from the JSON form when nil.
type ClientFileLoggingConfig struct {
	// Path of the log file on the client host. Nothing in this struct
	// validates the path; any restriction is applied elsewhere — TODO confirm where.
	Path       *string `json:"path,omitempty"`
	// Maximum size of a single log file, in kilobytes (per the field name).
	FileSizeKb *uint64 `json:"file_size_kb,omitempty"`
	// Maximum number of log files to retain (per the field name).
	MaxFiles   *uint32 `json:"max_files,omitempty"`
}

type ClientLogConfig added in v0.2.6

// ClientLogConfig is the logging section of a client configuration. All
// fields are optional.
type ClientLogConfig struct {
	// Whether to log to the system logger (interpreted from the field name; confirm).
	System *bool              `json:"system,omitempty"`
	// File logging, either enabled with a configuration or disabled.
	File   *ClientFileLogging `json:"file,omitempty"`
	// Log level as a free-form string; the accepted values are not enumerated here.
	Level  *string            `json:"level,omitempty"`
}

type CommonClientConfig added in v0.2.6

// CommonClientConfig holds settings shared by the client integrations. It is
// referenced from ClientConfigurations.Common; note that not all clients use
// it. All fields are optional.
type CommonClientConfig struct {
	// Retry timeout in milliseconds (per the field name).
	RetryTimeoutMillis *uint64          `json:"retry_timeout_millis,omitempty"`
	// Cache time-to-live; the unit is not stated here — TODO confirm.
	CacheTtl           *uint64          `json:"cache_ttl,omitempty"`
	// Logging configuration.
	Log                *ClientLogConfig `json:"log,omitempty"`
	// Number of HTTP/2 connections the client keeps open (per the field name).
	H2NumConnections   *uint            `json:"h2_num_connections,omitempty"`
}

type Config2faAuthRequest

// Config2faAuthRequest is the request to start configuring U2F. It carries
// the user's password, presumably so the server can re-authenticate the user
// before two-factor settings are changed — confirm against the endpoint.
type Config2faAuthRequest struct {
	// The user's current password. This is a secret: keep it out of logs
	// and error messages.
	Password string `json:"password"`
}

Request to start configuring U2F.

type Config2faAuthResponse

// Config2faAuthResponse is the response to a Config2faAuthRequest. It
// currently carries no fields.
type Config2faAuthResponse struct {
}

type ConfirmEmailRequest added in v0.2.6

// ConfirmEmailRequest carries the token from an email-confirmation link
// (see ResendConfirmEmail for how such a link is (re)sent).
type ConfirmEmailRequest struct {
	// Confirmation token delivered out of band; treat it as a credential
	// and do not log it.
	ConfirmToken string `json:"confirm_token"`
}

type ConfirmEmailResponse added in v0.2.6

// ConfirmEmailResponse reports the email address that was confirmed.
type ConfirmEmailResponse struct {
	// The confirmed user email address.
	UserEmail string `json:"user_email"`
}

type CopySobjectRequest added in v0.2.6

// CopySobjectRequest is the body of a request to copy a security object
// (see RequestApprovalToCopySobject). Its JSON form is produced by custom
// MarshalJSON/UnmarshalJSON methods.
type CopySobjectRequest struct {
	// Unique identifier of the security object to be copied.
	Key SobjectDescriptor `json:"key"`
	// Properties for the new security object.
	Dest SobjectRequest `json:"dest"`
}

Request to copy a security object.

func (CopySobjectRequest) MarshalJSON added in v0.2.6

func (x CopySobjectRequest) MarshalJSON() ([]byte, error)

func (*CopySobjectRequest) UnmarshalJSON added in v0.2.6

func (x *CopySobjectRequest) UnmarshalJSON(data []byte) error

type CountParams

// CountParams are the query parameters of a count request (the method that
// takes them is defined elsewhere in this package). All fields are optional.
type CountParams struct {
	// Start of the range to count over. The unit is not stated here —
	// TODO confirm (likely a timestamp).
	RangeFrom     *uint64 `json:"range_from,omitempty"`
	// End of the range to count over, in the same unit as RangeFrom.
	RangeTo       *uint64 `json:"range_to,omitempty"`
	// Request a detailed usage breakdown (per the field name).
	DetailedUsage *bool   `json:"detailed_usage,omitempty"`
	// Request full SaaS usage figures (per the field name).
	SaasFullUsage *bool   `json:"saas_full_usage,omitempty"`
}

type CryptMode

// CryptMode selects the mode of an encryption or decryption request: a
// CipherMode for symmetric algorithms, or an RsaEncryptionPadding for RSA,
// depending on the key's algorithm. Build one with CryptModeSymmetric or
// CryptModeRSA; the custom JSON methods encode whichever field is set.
// Presumably only one field should be non-nil — confirm against MarshalJSON.
type CryptMode struct {
	// Block cipher mode of operation
	Symmetric *CipherMode
	// RSA padding scheme
	Rsa *RsaEncryptionPadding
}

`CipherMode` or `RsaEncryptionPadding`, depending on the encryption algorithm.

func CryptModeRSA

func CryptModeRSA(mode RsaEncryptionPadding) *CryptMode

CryptModeRSA returns CryptMode set to the specified RSA encryption padding

func CryptModeSymmetric

func CryptModeSymmetric(mode CipherMode) *CryptMode

CryptModeSymmetric returns CryptMode set to the specified symmetric cipher mode

func (CryptMode) MarshalJSON

func (x CryptMode) MarshalJSON() ([]byte, error)

func (*CryptMode) UnmarshalJSON

func (x *CryptMode) UnmarshalJSON(data []byte) error

type CryptographicPolicy added in v0.2.6

// CryptographicPolicy restricts which algorithms, key sizes, modes and key
// operations may be used. It is attached at account level, and each
// algorithm family has its own options block. Every field is optional;
// a nil block presumably leaves that family unrestricted by this policy —
// confirm the server-side semantics before relying on that.
type CryptographicPolicy struct {
	Aes          *AesOptions         `json:"aes,omitempty"`
	Aria         *AriaOptions        `json:"aria,omitempty"`
	Des          *DesOptions         `json:"des,omitempty"`
	Des3         *Des3Options        `json:"des3,omitempty"`
	Seed         *SeedOptions        `json:"seed,omitempty"`
	Rsa          *RsaOptions         `json:"rsa,omitempty"`
	Dsa          *DsaOptions         `json:"dsa,omitempty"`
	Kcdsa        *KcdsaOptions       `json:"kcdsa,omitempty"`
	Ec           *EcOptions          `json:"ec,omitempty"`
	Eckcdsa      *EcKcdsaOptions     `json:"eckcdsa,omitempty"`
	Bip32        *Bip32Options       `json:"bip32,omitempty"`
	Bls          *BlsOptionsPolicy   `json:"bls,omitempty"`
	Opaque       *OpaqueOptions      `json:"opaque,omitempty"`
	Hmac         *HmacOptions        `json:"hmac,omitempty"`
	Secret       *SecretOptions      `json:"secret,omitempty"`
	Certificate  *CertificateOptions `json:"certificate,omitempty"`
	// Key operations permitted by the policy.
	KeyOps       *KeyOperations      `json:"key_ops,omitempty"`
	// Legacy key handling; see LegacyKeyPolicy for the accepted values.
	LegacyPolicy *LegacyKeyPolicy    `json:"legacy_policy,omitempty"`
}

type CustomAttributeSearchMetadata added in v0.2.6

// CustomAttributeSearchMetadata describes how a custom metadata attribute
// takes part in search. It is keyed by attribute name in the account's
// custom_metadata_attributes map.
type CustomAttributeSearchMetadata struct {
	// Whether values of this attribute are offered as search suggestions
	// (interpreted from the field name; confirm).
	Suggest *bool `json:"suggest,omitempty"`
}

type CustomMetadata added in v0.3.4

// CustomMetadata is a set of user-defined key/value pairs attached to an
// object; it has the same shape as the custom_metadata map fields used on
// request and response types elsewhere in this package.
type CustomMetadata map[string]string

type CustomSubscriptionType added in v0.2.6

// CustomSubscriptionType describes the limits and features of a custom
// subscription. All fields are optional. The Max* fields are quotas (per
// their names); Features and AddOns carry the enabled feature set.
type CustomSubscriptionType struct {
	MaxPlugin                *uint32               `json:"max_plugin,omitempty"`
	MaxApp                   *uint32               `json:"max_app,omitempty"`
	MaxHsmg                  *uint32               `json:"max_hsmg,omitempty"`
	MaxOperation             *uint64               `json:"max_operation,omitempty"`
	MaxTokenizationOperation *uint64               `json:"max_tokenization_operation,omitempty"`
	// Whether operations on transient keys count against the operation quota
	// (interpreted from the field name; confirm).
	CountTransientOps        *bool                 `json:"count_transient_ops,omitempty"`
	PackageName              *string               `json:"package_name,omitempty"`
	Features                 *SubscriptionFeatures `json:"features,omitempty"`
	// Add-on name to value map; the value format is not stated here.
	AddOns                   *map[string]string    `json:"add_ons,omitempty"`
	// Soft rate limit in operations per second (per the field name).
	SoftOpsPerSecondLimit    *uint32               `json:"soft_ops_per_second_limit,omitempty"`
}

Custom subscription type

type DecryptFinalRequest

// DecryptFinalRequest is the body that finalises a multi-part decryption
// started with DecryptInitRequest and continued with DecryptUpdateRequest.
// State must be the opaque value returned by the previous step. Tag is only
// meaningful in GCM mode; callers should expect an error rather than
// plaintext if it does not verify — confirm against the API.
type DecryptFinalRequest struct {
	// Identifier of the sobject used for finalizing multi-part decryption
	Key *SobjectDescriptor `json:"key,omitempty"`
	// Current state of the encrypted cipher
	State Blob `json:"state"`
	// Tag value of the encrypted cipher. Only applicable when using GCM mode.
	Tag *Blob `json:"tag,omitempty"`
}

Request body to finalise a multi-part decryption.

type DecryptFinalResponse

// DecryptFinalResponse is the final response of a multi-part decryption,
// carrying the last chunk of plaintext.
type DecryptFinalResponse struct {
	// Decrypted bytes
	Plain Blob `json:"plain"`
}

Final response body of a multi-part decryption.

type DecryptInitRequest

// DecryptInitRequest is the body that starts a multi-part decryption. Mode
// and Iv are required for symmetric algorithms; Ad applies only to GCM mode.
// The response (DecryptInitResponse) returns an opaque State that must be
// threaded through the update and final requests.
type DecryptInitRequest struct {
	// Identifier of the sobject used for initializing multi-part decryption
	Key *SobjectDescriptor `json:"key,omitempty"`
	// Algorithm used for multi-part decryption
	Alg *Algorithm `json:"alg,omitempty"`
	// Mode of multi-part decryption. Required for symmetric algorithms.
	Mode *CipherMode `json:"mode,omitempty"`
	// Initialization vector. Required for symmetric algorithms.
	Iv *Blob `json:"iv,omitempty"`
	// Authenticated data. Only applicable when using GCM mode.
	Ad *Blob `json:"ad,omitempty"`
}

Request body to initialize multi-part decryption.

type DecryptInitResponse

// DecryptInitResponse is the response to DecryptInitRequest. State is opaque
// to the client and must be passed unchanged to the next request.
type DecryptInitResponse struct {
	// The key id is returned for non-transient keys.
	Kid *UUID `json:"kid,omitempty"`
	// Opaque data, not to be interpreted or modified by the client and must be provided with next request.
	State Blob `json:"state"`
}

Response body for initializing multi-part decryption.

type DecryptRequest

// DecryptRequest is the body of a single-shot decryption request (see
// Client.Decrypt and RequestApprovalToDecrypt). Mode is required for
// symmetric decryption; Iv, Ad and Tag are only relevant to the modes
// described on each field.
type DecryptRequest struct {
	// Reference to the sobject to use for decryption. This can be a key
	// ID, key name, or a transient key blob.
	Key *SobjectDescriptor `json:"key,omitempty"`
	// Decryption algorithm to use. If specified, this must be compatible
	// with the key type; for example, an RSA key cannot be used with AES.
	Alg *Algorithm `json:"alg,omitempty"`
	// Ciphertext bytes to be decrypted.
	//
	// Note that when performing format-preserving decryption (i.e.,
	// detokenization), the ciphertext should be encoded as UTF-8 bytes.
	Cipher Blob `json:"cipher"`
	// Decryption mode to use. This is required for symmetric decryption.
	// For RSA decryption, the mode can be used to optionally specify the
	// padding to use. For all other algorithms, this field should not be
	// specified.
	Mode *CryptMode `json:"mode,omitempty"`
	// The initialization vector to use, required for modes that take IVs
	// (and irrelevant otherwise).
	Iv *Blob `json:"iv,omitempty"`
	// The authenticated data to use. This is only applicable when using
	// authenticated decryption modes (like GCM or CCM).
	Ad *Blob `json:"ad,omitempty"`
	// The authentication tag, relevant for authenticated encryption modes
	// (i.e., GCM or CCM), and otherwise irrelevant.
	Tag *Blob `json:"tag,omitempty"`
	// Whether to return a masked result when detokenizing (i.e., when
	// decrypting using the FF1/FPE mode). Defaults to false.
	//
	// This field is only useful if the app has the `DECRYPT` permission.
	// In such situations, when this field is `true`, decryption returns
	// masked output. However, with the `MASKDECRYPT` permission, this field
	// is ignored and detokenization will always return the masked output.
	Masked *bool `json:"masked,omitempty"`
}

Request to decrypt data.

type DecryptResponse

// DecryptResponse is the response to a DecryptRequest.
type DecryptResponse struct {
	// The ID of the key used for decryption. Returned for non-transient keys.
	Kid *UUID `json:"kid,omitempty"`
	// Decrypted plaintext bytes.
	//
	// Note that when performing format-preserving decryption (i.e.,
	// detokenization), the plaintext is encoded as UTF-8 bytes.
	Plain Blob `json:"plain"`
}

Response of a decryption request.

type DecryptUpdateRequest

// DecryptUpdateRequest is the body of one intermediate step of a multi-part
// decryption. State must be the opaque value returned by the previous
// init or update response.
type DecryptUpdateRequest struct {
	// Identifier of the sobject used for multi-part decryption
	Key *SobjectDescriptor `json:"key,omitempty"`
	// Encrypted bytes
	Cipher Blob `json:"cipher"`
	// Current state of the encrypted cipher
	State Blob `json:"state"`
}

Request body for multi-part decryption.

type DecryptUpdateResponse

// DecryptUpdateResponse is the response to a DecryptUpdateRequest. Plain
// holds the plaintext recovered so far for this chunk; State must be passed
// unchanged to the next update or final request.
type DecryptUpdateResponse struct {
	// Decrypted bytes
	Plain Blob `json:"plain"`
	// Current state of the multi part decrypted object.
	// Opaque data, not to be interpreted or modified by the client and must be provided with next request.
	State Blob `json:"state"`
}

Response body of multi-part decryption.

type DenyRequest added in v0.2.6

// DenyRequest is the body of a deny operation, presumably for denying an
// approval request (the method that takes it is defined elsewhere in this
// package). Reason is optional free text.
type DenyRequest struct {
	// Optional human-readable reason for the denial.
	Reason *string `json:"reason,omitempty"`
}

type DeriveKeyMechanism

// DeriveKeyMechanism is a tagged union selecting how a new key is derived
// from an existing one: by encrypting data with the source key, as a BIP32
// master key, as a BIP32 hardened child, or via HKDF. The JSON form is
// produced by the custom MarshalJSON/UnmarshalJSON methods; presumably
// exactly one field should be non-nil — confirm against those methods.
type DeriveKeyMechanism struct {
	// Derive by encrypting the given request's plaintext with the source key.
	EncryptData        *EncryptRequest
	// Derive a BIP32 master key for the given network.
	Bip32MasterKey     *DeriveKeyMechanismBip32MasterKey
	// Derive a BIP32 hardened child at the given index.
	Bip32HardenedChild *DeriveKeyMechanismBip32HardenedChild
	// Derive with HKDF using the given hash, info and salt.
	Hkdf               *DeriveKeyMechanismHkdf
}

Mechanism to be used when deriving a new key from an existing key.

func (DeriveKeyMechanism) MarshalJSON

func (x DeriveKeyMechanism) MarshalJSON() ([]byte, error)

func (*DeriveKeyMechanism) UnmarshalJSON

func (x *DeriveKeyMechanism) UnmarshalJSON(data []byte) error

type DeriveKeyMechanismBip32HardenedChild added in v0.2.6

// DeriveKeyMechanismBip32HardenedChild selects BIP32 hardened-child
// derivation. Whether Index is taken as-is or has the hardened offset
// applied by the server is not stated here — TODO confirm.
type DeriveKeyMechanismBip32HardenedChild struct {
	// Child index to derive.
	Index uint32 `json:"index"`
}

type DeriveKeyMechanismBip32MasterKey added in v0.2.6

// DeriveKeyMechanismBip32MasterKey selects BIP32 master-key derivation for
// the given network.
type DeriveKeyMechanismBip32MasterKey struct {
	// Target network; see Bip32Network for the accepted values.
	Network Bip32Network `json:"network"`
}

type DeriveKeyMechanismHkdf added in v0.2.3

// DeriveKeyMechanismHkdf selects HKDF derivation. HashAlg is required; Info
// and Salt are optional. In HKDF an absent salt is conventionally treated as
// a zero-filled string of the hash length — confirm that the server applies
// that default rather than rejecting the request.
type DeriveKeyMechanismHkdf struct {
	// Hash algorithm used for HKDF extract/expand.
	HashAlg DigestAlgorithm `json:"hash_alg"`
	// Optional context/application-specific info input.
	Info    *Blob           `json:"info,omitempty"`
	// Optional salt input.
	Salt    *Blob           `json:"salt,omitempty"`
}

type DeriveKeyRequest

// DeriveKeyRequest is the body of a key-derivation request (see
// RequestApprovalToDerive). KeyType, KeySize and Mechanism are required
// (they have no omitempty tag); every other field is optional. Note the
// KeyOps caveat below: an empty array disables all key operations.
type DeriveKeyRequest struct {
	// Activation date of the derived key
	ActivationDate *Time `json:"activation_date,omitempty"`
	// Deactivation date of the derived key
	DeactivationDate *Time `json:"deactivation_date,omitempty"`
	// Identifier of the sobject from which new key will be derived
	Key *SobjectDescriptor `json:"key,omitempty"`
	// Name of the derived key. Key names must be unique within an account.
	Name *string `json:"name,omitempty"`
	// Group ID of the security group that this security object should belong to. The user or
	// application creating this security object must be a member of this group. If no group is
	// specified, the default group for the requesting application will be used.
	GroupID *UUID `json:"group_id,omitempty"`
	// Type of key to be derived.
	KeyType ObjectType `json:"key_type"`
	// Key size of the derived key in bits.
	KeySize uint32 `json:"key_size"`
	// Mechanism to use for key derivation.
	Mechanism DeriveKeyMechanism `json:"mechanism"`
	// Whether the derived key should have cryptographic operations enabled.
	Enabled *bool `json:"enabled,omitempty"`
	// Description for derived key
	Description *string `json:"description,omitempty"`
	// User-defined metadata for this key stored as key-value pairs.
	CustomMetadata *map[string]string `json:"custom_metadata,omitempty"`
	// Optional array of key operations to be enabled for this security object. If not
	// provided the service will provide a default set of key operations. Note that if you
	// provide an empty array, all key operations will be disabled.
	KeyOps *KeyOperations `json:"key_ops,omitempty"`
	// State of the derived key
	State *SobjectState `json:"state,omitempty"`
	// If set to true, the derived key will be transient.
	Transient *bool `json:"transient,omitempty"`
}

Request body to derive a key.

type Des3Options added in v0.2.6

// Des3Options holds the triple-DES specific settings of a cryptographic
// policy (presumably referenced from CryptographicPolicy — confirm).
// NOTE(review): 3DES has a 64-bit block; the amount of data encrypted under a
// single key should be kept small, and the algorithm is legacy-only.
type Des3Options struct {
	// Permitted key sizes, in bits.
	KeySizes   *[]uint32   `json:"key_sizes,omitempty"`
	// Permitted cipher mode.
	CipherMode *CipherMode `json:"cipher_mode,omitempty"`
	// Whether the IV must be randomly generated by the service.
	RandomIv   *bool       `json:"random_iv,omitempty"`
	// IV length; units are not stated here (bytes presumably) — confirm.
	IvLength   *int32      `json:"iv_length,omitempty"`
}

type DesOptions added in v0.2.6

// DesOptions holds the single-DES specific settings of a cryptographic
// policy (presumably referenced from CryptographicPolicy — confirm).
// NOTE(review): single DES has a 56-bit effective key and offers no
// meaningful protection; it should only be enabled for legacy interop.
type DesOptions struct {
	// Permitted cipher mode.
	CipherMode *CipherMode `json:"cipher_mode,omitempty"`
	// Whether the IV must be randomly generated by the service.
	RandomIv   *bool       `json:"random_iv,omitempty"`
}

type DigestAlgorithm

// DigestAlgorithm identifies a hash algorithm; see the DigestAlgorithm*
// constants for the supported values.
type DigestAlgorithm string

A hash algorithm.

// Supported DigestAlgorithm values.
//
// NOTE(review): SHA1 and SSL3 (presumably the MD5+SHA-1 construction used by
// SSL 3.0/TLS 1.0-era signatures) are legacy values kept for
// interoperability; SHA-1 is not collision resistant, so prefer the SHA-2 or
// SHA-3 family for new uses.
const (
	DigestAlgorithmBlake2b256  DigestAlgorithm = "BLAKE2B256"
	DigestAlgorithmBlake2b384  DigestAlgorithm = "BLAKE2B384"
	DigestAlgorithmBlake2b512  DigestAlgorithm = "BLAKE2B512"
	DigestAlgorithmBlake2s256  DigestAlgorithm = "BLAKE2S256"
	DigestAlgorithmRipemd160   DigestAlgorithm = "RIPEMD160"
	DigestAlgorithmSsl3        DigestAlgorithm = "SSL3"
	DigestAlgorithmSha1        DigestAlgorithm = "SHA1"
	DigestAlgorithmSha224      DigestAlgorithm = "SHA224"
	DigestAlgorithmSha256      DigestAlgorithm = "SHA256"
	DigestAlgorithmSha384      DigestAlgorithm = "SHA384"
	DigestAlgorithmSha512      DigestAlgorithm = "SHA512"
	DigestAlgorithmStreebog256 DigestAlgorithm = "STREEBOG256"
	DigestAlgorithmStreebog512 DigestAlgorithm = "STREEBOG512"
	DigestAlgorithmSha3_224    DigestAlgorithm = "SHA3_224"
	DigestAlgorithmSha3_256    DigestAlgorithm = "SHA3_256"
	DigestAlgorithmSha3_384    DigestAlgorithm = "SHA3_384"
	DigestAlgorithmSha3_512    DigestAlgorithm = "SHA3_512"
)

List of supported DigestAlgorithm values

type DigestRequest

// DigestRequest is the request to compute the hash of arbitrary data.
type DigestRequest struct {
	// Hash Algorithm to compute digest
	Alg DigestAlgorithm `json:"alg"`
	// Raw binary data
	Data Blob `json:"data"`
}

Request to compute the hash of arbitrary data.

type DigestResponse

// DigestResponse is the response body of a hash operation.
type DigestResponse struct {
	// Hashed binary output
	Digest Blob `json:"digest"`
}

Response body of a hash operation.

type DsaOptions added in v0.2.6

// DsaOptions holds the DSA specific settings of a cryptographic policy
// (presumably referenced from CryptographicPolicy — confirm).
type DsaOptions struct {
	// Subgroup size; presumably the bit length of the DSA q parameter — confirm.
	SubgroupSize *uint32 `json:"subgroup_size,omitempty"`
}

type Duration added in v0.2.6

// Duration is a span of time split into whole seconds and a sub-second
// nanosecond remainder, as serialized by the service.
type Duration struct {
	// Whole seconds.
	Secs  uint64 `json:"secs,omitempty"`
	Nanos uint32 `json:"nanos,omitempty"` // Always 0 <= nanos < NANOS_PER_SEC
}

type EcKcdsaOptions added in v0.2.6

// EcKcdsaOptions holds the EC-KCDSA specific settings of a cryptographic
// policy (presumably referenced from CryptographicPolicy — confirm).
type EcKcdsaOptions struct {
	// Hash algorithm used with EC-KCDSA.
	HashAlg *DigestAlgorithm `json:"hash_alg,omitempty"`
}

type EcOptions added in v0.2.6

// EcOptions holds the elliptic-curve specific settings of a cryptographic
// policy (presumably referenced from CryptographicPolicy — confirm).
type EcOptions struct {
	// Curves that may be used; see the EllipticCurve constants.
	EllipticCurves *[]EllipticCurve `json:"elliptic_curves,omitempty"`
}

type EffectiveKeyPolicy added in v0.2.6

// EffectiveKeyPolicy is an aggregation of policies and permissions of the
// session creator for a security object.
type EffectiveKeyPolicy struct {
	// Indicates allowed key operations for the security key.
	KeyOps KeyOperations `json:"key_ops"`
}

An aggregation of policies and permissions of the session creator for a security object.

type EllipticCurve

// EllipticCurve identifies a standardized elliptic curve; see the
// EllipticCurve* constants for the supported values.
type EllipticCurve string

Identifies a standardized elliptic curve.

// Supported EllipticCurve values.
//
// NOTE(review): the 192-bit curves (SecP192K1, NistP192) offer well under
// 128-bit security and are generally considered legacy.
const (
	EllipticCurveX25519    EllipticCurve = "X25519"
	EllipticCurveEd25519   EllipticCurve = "Ed25519"
	EllipticCurveX448      EllipticCurve = "X448"
	EllipticCurveSecP192K1 EllipticCurve = "SecP192K1"
	EllipticCurveSecP224K1 EllipticCurve = "SecP224K1"
	EllipticCurveSecP256K1 EllipticCurve = "SecP256K1"
	EllipticCurveNistP192  EllipticCurve = "NistP192"
	EllipticCurveNistP224  EllipticCurve = "NistP224"
	EllipticCurveNistP256  EllipticCurve = "NistP256"
	EllipticCurveNistP384  EllipticCurve = "NistP384"
	EllipticCurveNistP521  EllipticCurve = "NistP521"
	EllipticCurveGost256A  EllipticCurve = "Gost256A"
)

List of supported EllipticCurve values

type EncryptFinalRequest

// EncryptFinalRequest is the request body to finalize a multi-part encryption.
type EncryptFinalRequest struct {
	// Reference to the sobject used for finalizing multi-part encryption
	Key *SobjectDescriptor `json:"key,omitempty"`
	// Last state of the encrypted cipher
	// (the opaque State from the preceding init/update response, passed back unmodified).
	State Blob `json:"state"`
	// Size of authentication tag.
	// Tag length is only applicable when using GCM mode.
	TagLen *uint `json:"tag_len,omitempty"`
}

Request body to finalize a multi-part encryption.

type EncryptFinalResponse

// EncryptFinalResponse is the final response body of a multi-part encryption.
type EncryptFinalResponse struct {
	// Final encrypted bytes
	Cipher Blob `json:"cipher"`
	// Tag is only returned for symmetric encryption with GCM mode.
	Tag *Blob `json:"tag,omitempty"`
}

Final response body of a multi-part encryption.

type EncryptInitRequest

// EncryptInitRequest is the request body to initialize multi-part encryption.
type EncryptInitRequest struct {
	// Reference to the sobject used for initializing multi-part encryption
	Key *SobjectDescriptor `json:"key,omitempty"`
	// Algorithm to be used for multipart encryption
	Alg Algorithm `json:"alg"`
	// Cipher mode of operation for symmetric multi-part encryption
	Mode *CipherMode `json:"mode,omitempty"`
	// Initialization vector
	// NOTE(review): if supplied by the caller it must be unique per key; the
	// service returns the IV it used in EncryptInitResponse.
	Iv *Blob `json:"iv,omitempty"`
	// Authenticated data, required for AEAD algorithms
	Ad *Blob `json:"ad,omitempty"`
}

Request body to initialize multi-part encryption.

type EncryptInitResponse

// EncryptInitResponse is the response body of initializing multi-part
// encryption.
type EncryptInitResponse struct {
	// Key id is returned for non-transient keys.
	Kid *UUID `json:"kid,omitempty"`
	// Initialization vector. Only returned for symmetric encryption.
	Iv *Blob `json:"iv,omitempty"`
	// Current state of the encrypted cipher.
	// Opaque data, not to be interpreted or modified by the client and must be provided with next request.
	State Blob `json:"state"`
}

Response body of initializing multi-part encryption.

type EncryptRequest

// EncryptRequest is the request to encrypt data in a single call.
type EncryptRequest struct {
	// Reference to the sobject to use for encryption. This can be a key
	// ID, key name, or a transient key blob.
	Key *SobjectDescriptor `json:"key,omitempty"`
	// Encryption algorithm to use. The algorithm must be compatible with
	// the key type; for example, an RSA key cannot be used with AES.
	Alg Algorithm `json:"alg"`
	// Plaintext bytes to be encrypted.
	//
	// Note that when performing format-preserving encryption (i.e.,
	// tokenization), the plaintext should be encoded as UTF-8 bytes.
	Plain Blob `json:"plain"`
	// Encryption mode to use. This is required for symmetric encryption.
	// For RSA encryption, the mode can be used to optionally specify the
	// padding to use. For all other algorithms, this field should not be
	// specified.
	Mode *CryptMode `json:"mode,omitempty"`
	// The initialization vector to use. This is only applicable to modes
	// that take IVs, and will be randomly generated if not specified.
	//
	// NOTE(review): a caller-supplied IV must never be reused with the same
	// key under GCM/CCM; leaving it unset and using the IV the service
	// returns in EncryptResponse is the safer default.
	Iv *Blob `json:"iv,omitempty"`
	// The authenticated data to use. This is only applicable when using
	// authenticated encryption modes (like GCM or CCM).
	Ad *Blob `json:"ad,omitempty"`
	// The length of the authentication tag, in bits, for authenticated
	// encryption modes (i.e., GCM or CCM). For other modes, this field
	// is irrelevant.
	TagLen *uint `json:"tag_len,omitempty"`
}

Request to encrypt data.

type EncryptResponse

// EncryptResponse is the response of an encryption request.
type EncryptResponse struct {
	// The ID of the key used for encryption. Returned for non-transient keys.
	Kid *UUID `json:"kid,omitempty"`
	// Encrypted ciphertext bytes.
	//
	// Note that when performing format-preserving encryption (i.e.,
	// tokenization), the ciphertext is encoded as UTF-8 bytes.
	Cipher Blob `json:"cipher"`
	// The initialization vector used during encryption. This is only
	// applicable for certain symmetric encryption modes. Callers must keep
	// it alongside the ciphertext in order to decrypt later.
	Iv *Blob `json:"iv,omitempty"`
	// When using the GCM or CCM modes, the tag is returned from
	// authenticated encryption.
	Tag *Blob `json:"tag,omitempty"`
}

Response of an encryption request.

type EncryptUpdateRequest

// EncryptUpdateRequest is the request body for continuing a multi-part
// encryption.
type EncryptUpdateRequest struct {
	// Reference to the sobject used for continuing multi part encryption
	Key *SobjectDescriptor `json:"key,omitempty"`
	// Data bytes to be encrypted
	Plain Blob `json:"plain"`
	// Last state of the encrypted cipher
	// (the opaque State from the preceding init/update response, passed back unmodified).
	State Blob `json:"state"`
}

Request body for continuing multi-part encryption.

type EncryptUpdateResponse

// EncryptUpdateResponse is the response body of one update step of a
// multi-part encryption.
type EncryptUpdateResponse struct {
	// Encrypted bytes object from multi-part flow
	Cipher Blob `json:"cipher"`
	// Current state of the encrypted cipher
	// Opaque data, not to be interpreted or modified by the client and must be provided with next request.
	State Blob `json:"state"`
}

Response body of multi-part encryption.

type EsAuditLog added in v0.2.6

// EsAuditLog is a single audit-log entry as returned by an audit log query
// (the _source of an EsAuditLogOuter hit).
type EsAuditLog struct {
	// Action Type
	ActionType ActionType `json:"action_type"`
	// Actor Type
	// Available values are: User, App & Plugin.
	ActorType string `json:"actor_type"`
	// Audit log message
	Message string `json:"message"`
	// Severity of event
	Severity SeverityLevel `json:"severity"`
	// Time of Event
	Time AuditLogTime `json:"time"`
	// UUID of account
	AcctID UUID `json:"acct_id"`
	// UUID of Actor (User, App or Plugin)
	ActorID UUID `json:"actor_id"`
	// UUIDs of groups involved/used in event
	GroupIds []UUID `json:"group_ids"`
	// UUID of entity affected by event. For instance, if a group is created object_id will be UUID of group.
	ObjectID UUID `json:"object_id"`
	// IP Address of client
	// (optional; useful for attributing an action to its network origin when present)
	ClientIp *IpAddr `json:"client_ip,omitempty"`
	// Time taken for event/operation completion
	ResponseTime *Duration `json:"response_time,omitempty"`
}

Response parameters to show Audit log details.

type EsAuditLogOuter added in v0.2.6

// EsAuditLogOuter is the response structure of a single audit log hit,
// wrapping the entry with its identifier.
type EsAuditLogOuter struct {
	// UUID of audit log
	ID string `json:"_id"`
	// Source of audit log
	Source EsAuditLog `json:"_source"`
}

Response structure of a single log.

type EsAuditQueryResponse added in v0.2.6

// EsAuditQueryResponse is the response for an audit log query.
type EsAuditQueryResponse struct {
	// List of audit logs.
	Hits []EsAuditLogOuter `json:"hits"`
}

Response for Audit log Query.

type EsCountStatsLog added in v0.2.6

// EsCountStatsLog is the bucketed count statistics carried in an
// EsStatsCountQueryResponse.
type EsCountStatsLog struct {
	// Outer aggregation buckets; bucket semantics are defined by OuterEsBucket.
	Buckets []OuterEsBucket `json:"buckets"`
}

type EsStatsCountQueryResponse added in v0.2.6

// EsStatsCountQueryResponse is the response of a statistics count query,
// with results bucketed by time.
type EsStatsCountQueryResponse struct {
	// Time-bucketed counts.
	Time EsCountStatsLog `json:"time"`
}

type EsTotalTxn added in v0.2.6

// EsTotalTxn holds the inner aggregation buckets of a transaction-count
// statistic (presumably nested inside OuterEsBucket — confirm).
type EsTotalTxn struct {
	// Inner aggregation buckets; bucket semantics are defined by InnerEsBucket.
	Buckets []InnerEsBucket `json:"buckets"`
}

type ExportComponentsResponse added in v0.2.6

// ExportComponentsResponse is the response of exporting a security object by
// components (see ExportSobjectComponentsRequest).
type ExportComponentsResponse struct {
	// Key components
	// (presumably one per custodian named in the request — confirm)
	Components []SobjectComponent `json:"components"`
	// Initialization vector
	Iv *Blob `json:"iv,omitempty"`
	// Tag, if required by the encryption mode.
	Tag *Blob `json:"tag,omitempty"`
	// KCV for the exported key
	// (key check value, lets custodians verify reassembly without revealing the key)
	KeyKcv *string `json:"key_kcv,omitempty"`
	// Description of the exported key
	Description *string `json:"description,omitempty"`
}

Export security object by components response.

type ExportSobjectComponentsRequest added in v0.2.6

// ExportSobjectComponentsRequest is the request to export a security object
// split into components held by separate custodians.
type ExportSobjectComponentsRequest struct {
	// Unique identifier of the security object
	Key SobjectDescriptor `json:"key"`
	// Details of wrapping key
	WrapKeyParams *WrapKeyParams `json:"wrap_key_params,omitempty"`
	// Key holder identifier
	// (the principals that will each receive a component)
	Custodians []Principal `json:"custodians"`
	// Splitting method
	Method *SplittingMethod `json:"method,omitempty"`
	// Description of the exported security object
	Description *string `json:"description,omitempty"`
}

Request to export a security object by components.

type ExternalKeyId added in v0.2.6

// ExternalKeyId identifies a key held in an external HSM or KMS. It is a
// tagged union: presumably exactly one field is non-nil at a time — confirm.
// The fields carry no json tags because the wire encoding is defined by the
// type's custom MarshalJSON/UnmarshalJSON methods.
type ExternalKeyId struct {
	Pkcs11        *ExternalKeyIdPkcs11
	Fortanix      *ExternalKeyIdFortanix
	AwsKms        *ExternalKeyIdAwsKms
	AzureKeyVault *ExternalKeyIdAzureKeyVault
	GcpKeyRing    *ExternalKeyIdGcpKeyRing
	// Variant without a payload.
	Wrapped       *struct{}
}

func (ExternalKeyId) MarshalJSON added in v0.2.6

func (x ExternalKeyId) MarshalJSON() ([]byte, error)

func (*ExternalKeyId) UnmarshalJSON added in v0.2.6

func (x *ExternalKeyId) UnmarshalJSON(data []byte) error

type ExternalKeyIdAwsKms added in v0.2.6

// ExternalKeyIdAwsKms identifies a key in AWS KMS.
type ExternalKeyIdAwsKms struct {
	// Full ARN of the KMS key.
	KeyArn string `json:"key_arn"`
	// KMS key id.
	KeyID  string `json:"key_id"`
}

type ExternalKeyIdAzureKeyVault added in v0.2.6

// ExternalKeyIdAzureKeyVault identifies a key version in Azure Key Vault.
type ExternalKeyIdAzureKeyVault struct {
	// Key version identifier.
	Version UUID   `json:"version"`
	// Key name/label in the vault.
	Label   string `json:"label"`
}

type ExternalKeyIdFortanix added in v0.2.6

// ExternalKeyIdFortanix identifies a key in another Fortanix deployment.
type ExternalKeyIdFortanix struct {
	// Security object id in the remote deployment.
	ID UUID `json:"id"`
}

type ExternalKeyIdGcpKeyRing added in v0.2.6

// ExternalKeyIdGcpKeyRing identifies a key version in a Google Cloud KMS key
// ring.
type ExternalKeyIdGcpKeyRing struct {
	// Numeric key version.
	Version uint32 `json:"version"`
	// Key name/label in the key ring.
	Label   string `json:"label"`
}

type ExternalKeyIdPkcs11 added in v0.2.6

// ExternalKeyIdPkcs11 identifies a key on a PKCS#11 token by its CKA_ID and
// CKA_LABEL attributes, both carried as raw bytes.
type ExternalKeyIdPkcs11 struct {
	ID    Blob `json:"id"`
	Label Blob `json:"label"`
}

type ExternalKmsInfo added in v0.2.6

// ExternalKmsInfo is information specific to an external KMS. Currently it
// only carries AWS related information. The field has no json tag because the
// wire encoding is defined by the type's custom MarshalJSON/UnmarshalJSON.
type ExternalKmsInfo struct {
	AWS *AwsKmsInfo
}

Information specific to an external KMS. Currently, it only has AWS related information.

func (ExternalKmsInfo) MarshalJSON added in v0.2.6

func (x ExternalKmsInfo) MarshalJSON() ([]byte, error)

func (*ExternalKmsInfo) UnmarshalJSON added in v0.2.6

func (x *ExternalKmsInfo) UnmarshalJSON(data []byte) error

type ExternalRole

// ExternalRole is a role sourced from an external identity provider (see
// ExternalRoleKind) and its mapping onto groups in this account.
type ExternalRole struct {
	ExternalRoleID UUID                         `json:"external_role_id"`
	// Per-group permissions granted to members of this role.
	Groups         map[UUID]ExternalRoleMapping `json:"groups"`
	Kind           ExternalRoleKind             `json:"kind"`
	// Time of the last synchronization with the external source.
	LastSynced     Time                         `json:"last_synced"`
	Name           string                       `json:"name"`
	// Identifier of the external source the role comes from.
	SourceID       UUID                         `json:"source_id"`
	AcctID         UUID                         `json:"acct_id"`
}

type ExternalRoleKind

// ExternalRoleKind is the type of an external role; see the ExternalRoleKind*
// constants.
type ExternalRoleKind string

Type of an external role.

// Supported ExternalRoleKind values.
const (
	// Role backed by an LDAP group.
	ExternalRoleKindLdapGroup ExternalRoleKind = "ldap-group"
)

List of supported ExternalRoleKind values

type ExternalRoleMapping added in v0.2.6

// ExternalRoleMapping describes what an external role grants within one
// group, separately for users and for apps.
type ExternalRoleMapping struct {
	Users *UserGroupRole  `json:"users,omitempty"`
	Apps  *AppPermissions `json:"apps,omitempty"`
}

type ExternalRoleRequest

// ExternalRoleRequest is the request body to create or update an
// ExternalRole; group mappings are added, modified and removed via separate
// fields.
type ExternalRoleRequest struct {
	// Group mappings to add.
	AddGroups *map[UUID]ExternalRoleMapping `json:"add_groups,omitempty"`
	// Group ids whose mapping is to be removed.
	DelGroups *[]UUID                       `json:"del_groups,omitempty"`
	Kind      *ExternalRoleKind             `json:"kind,omitempty"`
	// Existing group mappings to replace.
	ModGroups *map[UUID]ExternalRoleMapping `json:"mod_groups,omitempty"`
	Name      *string                       `json:"name,omitempty"`
	SourceID  *UUID                         `json:"source_id,omitempty"`
}

type ExternalSobjectInfo added in v0.2.6

// ExternalSobjectInfo describes an external object -- specifically,
// information about its source object in the external HSM/KMS.
type ExternalSobjectInfo struct {
	// The ID of the external object in the external HSM.
	ID ExternalKeyId `json:"id"`
	// The group which corresponds to the external HSM.
	HsmGroupID      UUID             `json:"hsm_group_id"`
	// KMS-specific details, when the external store is a cloud KMS.
	ExternalKmsInfo *ExternalKmsInfo `json:"external_kms_info,omitempty"`
}

This describes an external object -- specifically, information about its source object.

type Fido2MfaChallengeResponse added in v0.2.6

// Fido2MfaChallengeResponse carries the FIDO2 options when requesting an
// attestation (registration) or an assertion (authentication) from a device.
// Presumably only one of the two fields is set — confirm. The fields have no
// json tags because the wire encoding is defined by the type's custom
// MarshalJSON/UnmarshalJSON methods.
type Fido2MfaChallengeResponse struct {
	// Attestation options
	Registration *PublicKeyCredentialCreationOptions
	// Assertion options
	Authentication *PublicKeyCredentialRequestOptions
}

Fido2 options when requesting assertion or attestation to a device

func (Fido2MfaChallengeResponse) MarshalJSON added in v0.2.6

func (x Fido2MfaChallengeResponse) MarshalJSON() ([]byte, error)

func (*Fido2MfaChallengeResponse) UnmarshalJSON added in v0.2.6

func (x *Fido2MfaChallengeResponse) UnmarshalJSON(data []byte) error

type FidoAddDeviceRequest added in v0.2.6

// FidoAddDeviceRequest is the request for adding a FIDO device to a user's
// data, carrying the attestation produced by the browser in response to a
// `new_challenge` with protocol `fido2`.
type FidoAddDeviceRequest struct {
	// A user friendly name for the device.
	Name string `json:"name"`
	// Result of calling `navigator.credentials.create()` with the
	// data obtained from `new_challenge` API.
	//
	// NOTE(review): the json tag is camelCase, unlike the snake_case used
	// elsewhere in this API; presumably dictated by the server, so keep as is.
	AttestationResult PublicKeyCredentialAuthenticatorAttestationResponse `json:"attestationResult"`
}

This contains the request for adding a FIDO device to a user's data. Initially, `POST /sys/v1/session/config_2fa/new_challenge` needs to be called with protocol set to `fido2`, and using that data, `navigator.credentials.create()` is called in the frontend. The data returned by `create` is sent in this request. The data sent back here creates a new FIDO2 device for the user after the payload is verified as per the rules stated in the WebAuthn specification.

type ForgotPasswordRequest

// ForgotPasswordRequest initiates the password reset sequence for the given
// user email.
type ForgotPasswordRequest struct {
	UserEmail string `json:"user_email"`
}

Initiate password reset sequence.

type FpeCharSet added in v0.2.6

// FpeCharSet is the alphabet to use for an encrypted portion of a complex
// tokenization data type: a list of inclusive code-point ranges [a, b]; a
// single code point is written [c, c]. Range order determines the numeric
// value each character gets for FF1, ranges must not overlap, and must not
// contain surrogate code points.
type FpeCharSet = [][2]Char

The alphabet to use for an encrypted portion of a complex tokenization data type. Characters should be specified as a list of pairs, where each pair [a, b] represents the range of Unicode code points from a to b, with both bounds being inclusive. A single code point can be specified as [c, c].

Normally, each character is assigned a numeric value for FF1. The first character is assigned a value of 0, and subsequent characters are assigned values of 1, 2, and so on, up to the size of the alphabet. Note that the order of the ranges matters; characters appearing in later ranges are assigned higher numerical values compared to earlier characters. For instance, in the FpeCharSet [['a', 'z'], ['0', '9']], the digits '0' to '9' are assigned values from 26 to 35, since they are listed after the 'a' to 'z' range.

In any case, ranges should not overlap with each other, and should not contain surrogate code points.

type FpeCompoundPart added in v0.2.6

// FpeCompoundPart is the structure of a compound portion of a complex
// tokenization data type, itself composed of smaller parts. Presumably exactly
// one field is set — confirm. The fields have no json tags because the wire
// encoding is defined by the type's custom MarshalJSON/UnmarshalJSON methods.
type FpeCompoundPart struct {
	// Represents an OR of multiple structures.
	//
	// Implementation note: an OR is _not_ a union of `FpeDataPart`s. Rather, when parsing
	// the input, the backend will simply choose the first subpart that matches the current
	// portion of the input, and tokenize/detokenize accordingly. If that choice results in
	// an invalid parse of the rest of the input, the backend ***will not backtrack*** and
	// will simply return with an error.
	Or *FpeCompoundPartOr
	// Represents a concatenation of multiple structures (in a particular order).
	Concat *FpeCompoundPartConcat
	// Indicates a part that is possibly repeated multiple times.
	//
	// Implementation note: the backend parser is locally "greedy" and will attempt to match
	// as many repetitions as possible. If this later results in an invalid parse of the rest
	// of the input, the backend ***will not backtrack*** and will simply return with an error.
	Multiple *FpeCompoundPartMultiple
}

Structure of a compound portion of a complex tokenization data type, itself composed of smaller parts.

func (FpeCompoundPart) MarshalJSON added in v0.2.6

func (x FpeCompoundPart) MarshalJSON() ([]byte, error)

func (*FpeCompoundPart) UnmarshalJSON added in v0.2.6

func (x *FpeCompoundPart) UnmarshalJSON(data []byte) error

type FpeCompoundPartConcat added in v0.2.6

// FpeCompoundPartConcat represents a concatenation of multiple structures (in
// a particular order).
type FpeCompoundPartConcat struct {
	// The actual subparts that make up this compound part, in order.
	Concat []FpeDataPart `json:"concat"`
	// Additional constraints that the token type must satisfy.
	Constraints *FpeConstraints `json:"constraints,omitempty"`
	// Whether the entire concat should be preserved as-is (i.e., not tokenized). If this is
	// set, any descendant subparts cannot contain any preserve-related fields set.
	Preserve *bool `json:"preserve,omitempty"`
	// Whether the entire concat should be masked when doing masked decryption. If this is
	// set, any descendant subparts cannot contain any mask-related fields set.
	Mask *bool `json:"mask,omitempty"`
	// The minimum allowed length for this part (in chars).
	MinLength *uint32 `json:"min_length,omitempty"`
	// The maximum allowed length for this part (in chars).
	MaxLength *uint32 `json:"max_length,omitempty"`
}

Represents a concatenation of multiple structures (in a particular order).

type FpeCompoundPartMultiple added in v0.2.6

// FpeCompoundPartMultiple indicates a part that is possibly repeated multiple
// times. The backend parser is locally greedy and does not backtrack; see the
// type documentation.
type FpeCompoundPartMultiple struct {
	// The subpart that may be repeated.
	Multiple *FpeDataPart `json:"multiple"`
	// The minimum number of times the subpart may occur. (A value of 1 marks a single
	// occurrence.)
	MinRepetitions *uint `json:"min_repetitions,omitempty"`
	// The maximum number of times the subpart may occur. (A value of 1 marks a single
	// occurrence.)
	MaxRepetitions *uint `json:"max_repetitions,omitempty"`
	// Additional constraints that the token type must satisfy.
	Constraints *FpeConstraints `json:"constraints,omitempty"`
	// Whether the entire Multiple should be preserved as-is (i.e., not tokenized). If this
	// is set, the `multiple` subpart and its descendants cannot contain any preserve-related
	// fields set.
	Preserve *bool `json:"preserve,omitempty"`
	// Whether the entire Multiple should be masked when doing masked decryption. If this is
	// set, the `multiple` subpart and its descendants cannot contain any mask-related fields
	// set.
	Mask *bool `json:"mask,omitempty"`
	// The minimum allowed length for this part (in chars).
	MinLength *uint32 `json:"min_length,omitempty"`
	// The maximum allowed length for this part (in chars).
	MaxLength *uint32 `json:"max_length,omitempty"`
}

Indicates a part that is possibly repeated multiple times.

Implementation note: the backend parser is locally "greedy" and will attempt to match as many repetitions as possible. If this later results in an invalid parse of the rest of the input, the backend ***will not backtrack*** and will simply return with an error.

type FpeCompoundPartOr added in v0.2.6

// FpeCompoundPartOr represents an OR of multiple structures. The backend picks
// the first matching subpart and does not backtrack; see the type
// documentation.
type FpeCompoundPartOr struct {
	// The actual subparts that make up this compound part.
	Or []FpeDataPart `json:"or"`
	// Additional constraints that the token type must satisfy.
	Constraints *FpeConstraints `json:"constraints,omitempty"`
	// Whether the entire OR should be preserved as-is (i.e., not tokenized). If this is
	// set, any descendant subparts cannot contain any preserve-related fields set.
	Preserve *bool `json:"preserve,omitempty"`
	// Whether the entire OR should be masked when doing masked decryption. If this is set,
	// any descendant subparts cannot contain any mask-related fields set.
	Mask *bool `json:"mask,omitempty"`
	// The minimum allowed length for this part (in chars).
	MinLength *uint32 `json:"min_length,omitempty"`
	// The maximum allowed length for this part (in chars).
	MaxLength *uint32 `json:"max_length,omitempty"`
}

Represents an OR of multiple structures.

Implementation note: an OR is _not_ a union of `FpeDataPart`s. Rather, when parsing the input, the backend will simply choose the first subpart that matches the current portion of the input, and tokenize/detokenize accordingly. If that choice results in an invalid parse of the rest of the input, the backend ***will not backtrack*** and will simply return with an error.

type FpeConstraints added in v0.2.6

// FpeConstraints are constraints on a portion of a complex tokenization data
// type.
type FpeConstraints struct {
	// Whether the token part contains a checksum that satisfies the Luhn formula. It is an
	// error to apply this constraint to non-numeric parts, or to have an encrypted part be
	// under more than one Luhn check constraint. Also, if an encrypted part has a Luhn check
	// constraint applied to it and may contain at least one digit that is not preserved, it
	// must not specify any other constraints.
	LuhnCheck *bool `json:"luhn_check,omitempty"`
	// Number that the token part should be greater than.
	//
	// This constraint can only be specified on (non-compound) numeric encrypted parts
	// guaranteed to preserve either everything or nothing at all. (For example, if an
	// encrypted part consists of 5 to 10 digits, a `preserve` list that covers only the
	// first five digits is not guaranteed to preserve everything, because if the input
	// happens to be six or more digits long, there will be at least one digit that
	// remains unpreserved.)
	NumGt *uint `json:"num_gt,omitempty"`
	// Number that the token part should be smaller than.
	//
	// This constraint can only be specified on (non-compound) numeric encrypted parts
	// guaranteed to preserve either everything or nothing at all. (For example, if an
	// encrypted part consists of 5 to 10 digits, a `preserve` list that covers only the
	// first five digits is not guaranteed to preserve everything, because if the input
	// happens to be six or more digits long, there will be at least one digit that
	// remains unpreserved.)
	NumLt *uint `json:"num_lt,omitempty"`
	// Numbers that the token part should not be equal to. It is an error to apply this
	// constraint to non-numeric parts.
	NumNe *[]uint `json:"num_ne,omitempty"`
	// Specifies that this portion is supposed to represent a date, or part of one. If used,
	// no other constraints can be specified on this part.
	Date *FpeDateConstraint `json:"date,omitempty"`
	// The subparts to apply the constraints to. If not specified, the constraints will be
	// applied to all subparts (recursively).
	AppliesTo *FpeConstraintsApplicability `json:"applies_to,omitempty"`
}

Constraints on a portion of a complex tokenization data type.

type FpeConstraintsApplicability added in v0.2.6

// FpeConstraintsApplicability indicates the subparts to which a set of
// constraints applies. Presumably exactly one field is set — confirm. The
// fields have no json tags because the wire encoding is defined by the type's
// custom MarshalJSON/UnmarshalJSON methods.
type FpeConstraintsApplicability struct {
	// Indicates that the constraints apply to the entire part (i.e., all of its subparts),
	// including any descendants. This is the default value for this enum and the only option
	// available for FpeEncryptedPart, literal, and OR subparts.
	Simple *All
	// An object representing the individual subparts that the constraints should apply to. This
	// is a BTreeMap where for each key-value pair, the key represents the "index" of the subpart
	// (with the first subpart having index 0), and the value is an FpeConstraintsApplicability
	// instance. Note that a Multiple part only allows for one possible key-value pair, since it
	// only contains one subpart.
	//
	// This cannot be used with OR parts; instead, specify constraints individually on each
	// relevant subpart.
	BySubparts *map[FpeSubpartIndex]FpeConstraintsApplicability
}

A structure indicating the subparts to which a set of constraints applies.

func (FpeConstraintsApplicability) MarshalJSON added in v0.2.6

func (x FpeConstraintsApplicability) MarshalJSON() ([]byte, error)

func (*FpeConstraintsApplicability) UnmarshalJSON added in v0.2.6

func (x *FpeConstraintsApplicability) UnmarshalJSON(data []byte) error

type FpeDataPart added in v0.2.6

// FpeDataPart is the structure for specifying (part of) a complex tokenization
// data type. Presumably exactly one field is set — confirm. The fields have no
// json tags because the wire encoding is defined by the type's custom
// MarshalJSON/UnmarshalJSON methods.
type FpeDataPart struct {
	// A portion of a data type consisting of characters that belong to a particular
	// alphabet (e.g., letters, numbers, etc.).
	Encrypted *FpeEncryptedPart
	// A section of the data type that is not to be tokenized (e.g., a delimiter).
	//
	// Unlike preserved characters, literal characters are not used for FF1 tweaks.
	Literal *FpeDataPartLiteral
	// A portion of a data type that consists of several smaller portions (e.g., an
	// `Encrypted` part followed by a `Literal`).
	Compound *FpeCompoundPart
}

Structure for specifying (part of) a complex tokenization data type.

func (FpeDataPart) MarshalJSON added in v0.2.6

func (x FpeDataPart) MarshalJSON() ([]byte, error)

func (*FpeDataPart) UnmarshalJSON added in v0.2.6

func (x *FpeDataPart) UnmarshalJSON(data []byte) error

type FpeDataPartLiteral added in v0.2.6

// FpeDataPartLiteral is a section of the data type that is not to be tokenized
// (e.g., a delimiter). Unlike preserved characters, literal characters are not
// used for FF1 tweaks.
type FpeDataPartLiteral struct {
	// The list of possible strings that make up this literal portion of the token.
	// For example, if a delimiter can either be a space or a dash, the list would
	// be `[" ", "-"]`.
	//
	// Implementation note: the backend will pick the first choice that matches
	// when parsing the input. If this results in an invalid parse of the rest of the
	// input, the backend ***will not backtrack*** and will simply return with an error.
	Literal []string `json:"literal"`
}

A section of the data type that is not to be tokenized (e.g., a delimiter).

Unlike preserved characters, literal characters are not used for FF1 tweaks.

type FpeDate added in v0.2.6

// FpeDate specifies a token part representing a date that occurs after and/or
// before a specified date; one of the three variants is used depending on
// which subparts make up the date. Presumably exactly one field is set —
// confirm. The fields have no json tags because the wire encoding is defined
// by the type's custom MarshalJSON/UnmarshalJSON methods.
type FpeDate struct {
	// Represents a date that consists of a Month subpart, a Day subpart, and a Year subpart. The
	// Year part is allowed to be preserved, and the Day and Month parts are allowed to be
	// preserved together. (The Day part cannot be preserved if the Month part is not, and vice
	// versa.)
	DayMonthYear *FpeDateDayMonthYear
	// Represents a date that consists of a Month subpart and a Day subpart. It is an error to
	// preserve only the Month part or the Day part.
	MonthDay *FpeDateMonthDay
	// Represents a date that consists of a Month subpart and a Year subpart. The Year part is
	// allowed to be preserved; however, the Month part cannot be preserved by itself.
	MonthYear *FpeDateMonthYear
}

A structure for specifying a token part representing a date that occurs after a specified date and/or occurs before a specified date. Depending on the subparts that make up the date, one of the three options is used.

func (FpeDate) MarshalJSON added in v0.2.6

func (x FpeDate) MarshalJSON() ([]byte, error)

func (*FpeDate) UnmarshalJSON added in v0.2.6

func (x *FpeDate) UnmarshalJSON(data []byte) error

type FpeDateConstraint added in v0.2.6

// FpeDateConstraint enumerates the possible date-related constraint types for
// a portion of a complex tokenization data type. Presumably exactly one field
// is set — confirm. The fields have no json tags because the wire encoding is
// defined by the type's custom MarshalJSON/UnmarshalJSON methods.
type FpeDateConstraint struct {
	// Used to indicate that a token part represents a date, which should occur before and/or
	// after any specified bounds. The part should be a concatenation that contains either
	// - a Day part and a Month part
	// - a Month part and a Year part
	// - a Day part, a Month part, and a Year part
	// (with this constraint applying to those subparts). Each of the three choices above
	// corresponds to a particular FpeDate variant; using the wrong variant is an error.
	//
	// Furthermore, the individual Month, Day, and/or Year parts that comprise the date cannot
	// appear under Or or Multiple compound part descendants of the overall Date part (i.e.,
	// when applying the Date constraint, the "paths" from the Date part to the Month, Day,
	// and/or Year parts can only "go through" concatenations, and not "through" Or or Multiple
	// parts). Those parts also have additional restrictions on how they may be preserved; the
	// exact rules depend on the FpeDate variant.
	//
	// It is an error to "share" Day, Month, or Year parts across multiple dates.
	Date *FpeDate
	// Used to indicate that a token part represents a month, day, or year (either as part of a
	// date, or independently).
	//
	// The token part must be a (non-compound) numeric encrypted part guaranteed to preserve either
	// everything or nothing at all. (For example, if an encrypted part consists of 5 to 10 digits,
	// a `preserve` list that covers only the first five digits is not guaranteed to preserve
	// everything, because if the input happens to be six or more digits long, there will be at
	// least one digit that remains unpreserved.)
	//
	// Additionally, the token part cannot be involved in any Luhn-check constraints.
	DatePart *FpeDatePart
}

Possible date-related constraint types for a portion of a complex tokenization data type.

func (FpeDateConstraint) MarshalJSON added in v0.2.6

func (x FpeDateConstraint) MarshalJSON() ([]byte, error)

func (*FpeDateConstraint) UnmarshalJSON added in v0.2.6

func (x *FpeDateConstraint) UnmarshalJSON(data []byte) error

type FpeDateDayMonthYear added in v0.2.6

// FpeDateDayMonthYear represents a date that consists of a Month, a Day and a
// Year subpart, optionally bounded on either side. The Year part is allowed to
// be preserved, and the Day and Month parts are allowed to be preserved
// together only.
type FpeDateDayMonthYear struct {
	// Upper bound (exclusive or inclusive is not stated here — confirm).
	Before *FpeDayMonthYearDate `json:"before,omitempty"`
	// Lower bound (exclusive or inclusive is not stated here — confirm).
	After  *FpeDayMonthYearDate `json:"after,omitempty"`
}

Represents a date that consists of a Month subpart, a Day subpart, and a Year subpart. The Year part is allowed to be preserved, and the Day and Month parts are allowed to be preserved together. (The Day part cannot be preserved if the Month part is not, and vice versa.)

type FpeDateMonthDay added in v0.2.6

// FpeDateMonthDay represents a date that consists of a Month subpart and a Day
// subpart, optionally bounded on either side. It is an error to preserve only
// the Month part or the Day part.
type FpeDateMonthDay struct {
	// Upper bound (exclusive or inclusive is not stated here — confirm).
	Before *FpeDayMonthDate `json:"before,omitempty"`
	// Lower bound (exclusive or inclusive is not stated here — confirm).
	After  *FpeDayMonthDate `json:"after,omitempty"`
}

Represents a date that consists of a Month subpart and a Day subpart. It is an error to preserve only the Month part or the Day part.

type FpeDateMonthYear added in v0.2.6

// FpeDateMonthYear represents a date that consists of a Month subpart and a
// Year subpart, optionally bounded on either side. The Year part is allowed to
// be preserved; the Month part cannot be preserved by itself.
type FpeDateMonthYear struct {
	// Upper bound (exclusive or inclusive is not stated here — confirm).
	Before *FpeMonthYearDate `json:"before,omitempty"`
	// Lower bound (exclusive or inclusive is not stated here — confirm).
	After  *FpeMonthYearDate `json:"after,omitempty"`
}

Represents a date that consists of a Month subpart and a Year subpart. The Year part is allowed to be preserved; however, the Month part cannot be preserved by itself.

type FpeDatePart added in v0.2.6

// FpeDatePart enumerates the date-related constraint types that do not form a
// complete date by themselves (month, day, year); see the FpeDatePart*
// constants.
type FpeDatePart string

Possible date-related constraint types that do not form a complete date (by themselves) for a complex tokenization data type.

// Supported FpeDatePart values. The string on the right of each constant is
// the wire representation sent to and received from the server.
const (
	// Used to indicate that a token part represents a month. The part should be an integer from 1
	// to 12, have its min_length field be at least 1, and have its max_length field be 2. Any
	// leading zero should be removed (unless the part is always 2 digits long, in which case a
	// leading zero may be needed).
	FpeDatePartMonth FpeDatePart = "month"
	// Used to indicate that a token part represents a day. The part should be an integer from 1 to
	// 31, have its min_length field be at least 1, and have its max_length field be 2. Any
	// leading zero should be removed (unless the part is always 2 digits long, in which case a
	// leading zero may be needed). Further restrictions apply when the Day part occurs within a
	// date; for instance, a date of 2/29/2000 is fine, but 4/31 is not.
	FpeDatePartDay FpeDatePart = "day"
	// Used to indicate that a token part represents a year, with any zero value being treated as
	// a leap year. The part should be a two to five digit number.
	FpeDatePartYear FpeDatePart = "year"
)

List of supported FpeDatePart values

type FpeDayMonthDate added in v0.2.6

// FpeDayMonthDate is a concrete day-and-month date (no year) used as a bound in
// FpeDateMonthDay. Because there is no year, the validity of a day cannot be
// decided for February, which is therefore treated as having 29 days.
type FpeDayMonthDate struct {
	// The month, which should be an integer from 1 to 12.
	Month uint8 `json:"month"`
	// The day, which should be an integer from 1 to either 29, 30, or 31, depending on the month
	// and year. Here, February is treated as having 29 days.
	Day uint8 `json:"day"`
}

A structure for specifying a particular date consisting of a day and a month, for use in an FpeDate structure.

type FpeDayMonthYearDate added in v0.2.6

// FpeDayMonthYearDate is a concrete day, month and year date used as a bound in
// FpeDateDayMonthYear. The ranges below are documented expectations of the
// server; this client performs no validation of them.
type FpeDayMonthYearDate struct {
	// The year, which should be an integer less than 100000. Zero is treated as a leap year.
	Year uint32 `json:"year"`
	// The month, which should be an integer from 1 to 12.
	Month uint8 `json:"month"`
	// The day, which should be an integer from 1 to either 28, 29, 30, or 31, depending on the
	// month and year.
	Day uint8 `json:"day"`
}

A structure for specifying a particular date consisting of a day, month, and year, for use in an FpeDate structure.

type FpeEncryptedPart added in v0.2.6

// FpeEncryptedPart describes one tokenized (encrypted) portion of a complex
// tokenization data type: its length bounds, input and output alphabets,
// extra constraints, and which characters are preserved or masked.
//
// The backend parser matches each part greedily and does not backtrack, so a
// part whose MinLength/MaxLength overlap with the following part can make an
// otherwise valid input fail to parse.
type FpeEncryptedPart struct {
	// The minimum allowed length for this part (in chars).
	MinLength uint32 `json:"min_length"`
	// The maximum allowed length for this part (in chars).
	MaxLength uint32 `json:"max_length"`
	// The alphabet to use for this part.
	CharSet FpeCharSet `json:"char_set"`
	// The output alphabet to use for this part. Defaults to `char_set` if not specified.
	// When specified, the cardinality of `cipher_char_set` must be the same as `char_set`.
	CipherCharSet *FpeCharSet `json:"cipher_char_set,omitempty"`
	// Additional constraints that the token type must satisfy.
	Constraints *FpeConstraints `json:"constraints,omitempty"`
	// The characters to be preserved while encrypting or decrypting.
	//
	// Any preserved characters will be concatenated together, and their UTF-8 bytes will be used
	// as an FF1 tweak. For example, if the input data is "abcd", and the first and last characters
	// are to be preserved, the FF1 tweak will be the bytes of the string "ad".
	//
	// Preserved characters are carried through to the output unchanged, i.e. they remain
	// readable in the token; choose them so that no sensitive portion of the input is preserved.
	Preserve *FpePreserveMask `json:"preserve,omitempty"`
	// The characters to be masked while performing masked decryption.
	Mask *FpePreserveMask `json:"mask,omitempty"`
}

Structure of a tokenized portion of a complex tokenization data type.

Implementation note: the backend parser is locally "greedy" and attempts to match as many characters as possible. If this later results in an invalid parse of the rest of the input, the backend will not backtrack; it simply returns an error.

type FpeMonthYearDate added in v0.2.6

// FpeMonthYearDate is a concrete month-and-year date (no day) used as a bound
// in FpeDateMonthYear. The ranges below are documented expectations of the
// server; this client performs no validation of them.
type FpeMonthYearDate struct {
	// The year, which should be an integer less than 100000. Zero is treated as a leap year.
	Year uint32 `json:"year"`
	// The month, which should be an integer from 1 to 12.
	Month uint8 `json:"month"`
}

A structure for specifying a particular date consisting of a month and a year, for use in an FpeDate structure.

type FpeOptions

// FpeOptions carries the FPE-specific options describing the format of the
// data to be encrypted. The fields have no json tags on purpose: the JSON
// representation is produced and consumed by the type's MarshalJSON and
// UnmarshalJSON methods. Presumably exactly one of Basic or Advanced is set
// at a time — confirm against MarshalJSON before relying on that.
type FpeOptions struct {
	// Basic FPE options, suitable for simple datatypes. See the
	// description of FpeOptionsBasic for more details.
	Basic *FpeOptionsBasic
	// Advanced FPE options. It is recommended to use this for
	// specifying any FPE options, as it is more expressive than
	// FpeOptionsBasic.
	Advanced *FpeOptionsAdvanced
}

FPE-specific options (for specifying the format of the data to be encrypted)

func (FpeOptions) MarshalJSON added in v0.2.6

func (x FpeOptions) MarshalJSON() ([]byte, error)

func (*FpeOptions) UnmarshalJSON added in v0.2.6

func (x *FpeOptions) UnmarshalJSON(data []byte) error

type FpeOptionsAdvanced added in v0.2.6

// FpeOptionsAdvanced describes a data type's structure as a tree of
// FpeDataPart values. It is the recommended way to specify FPE options,
// being more expressive than FpeOptionsBasic.
type FpeOptionsAdvanced struct {
	// The structure of the data type.
	Format FpeDataPart `json:"format"`
	// The user-provided name for the data type.
	Description *string `json:"description,omitempty"`
}

Advanced FPE options. It is recommended to use this for specifying any FPE options, as it is more expressive than FpeOptionsBasic.

type FpeOptionsBasic added in v0.2.6

// FpeOptionsBasic holds the basic FPE options, suitable for simple datatypes
// made of ASCII digits, or ASCII digits and uppercase letters. For anything
// richer, use FpeOptionsAdvanced.
type FpeOptionsBasic struct {
	// The FPE base for the input data (i.e., the size of the character
	// set of the datatype). This must be an integer from 2 to 36.
	//
	// This also implicitly defines the alphabet of the datatype. A base
	// from 2 to 10 implies ASCII digits (e.g., a radix of 3 can be used
	// to represent a ternary string), and a base from 11 to 36 implies
	// ASCII digits and uppercase letters (e.g., a radix of 16 can be
	// used to represent a hexadecimal string).
	Radix uint32 `json:"radix"`
	// The minimum allowed length for the input data.
	MinLength uint32 `json:"min_length"`
	// The maximum allowed length for the input data.
	MaxLength uint32 `json:"max_length"`
	// The list of indices of characters to be preserved while performing encryption/decryption.
	// Indices are Python-like; i.e., nonnegative indices index from the beginning of the input
	// (where 0 is the first character), and negative indices index from the end of the input.
	// (where -1 is the last character, -2 is second to last, and so on).
	//
	// Any preserved characters will be concatenated together and used as an FF1 tweak. For example,
	// if the input data is "abcd", and the first and last characters are to be preserved, the FF1
	// tweak will be the ASCII bytes of the string "ad".
	//
	// Preserved characters appear unchanged in the output. This field has no omitempty, so a
	// nil slice is encoded as JSON null while an empty slice is encoded as []; use an empty
	// slice when nothing is to be preserved.
	Preserve []int `json:"preserve"`
	// The list of indices of characters to be masked while performing masked decryption.
	// Indices are Python-like; i.e., nonnegative indices index from the beginning of the input
	// (where 0 is the first character), and negative indices index from the end of the input.
	// (where -1 is the last character, -2 is second to last, and so on).
	Mask *[]int `json:"mask,omitempty"`
	// Whether the encrypted/decrypted data contains a checksum digit that satisfies the Luhn
	// formula. (The output ciphertext/plaintext will also contain a Luhn checksum digit.)
	LuhnCheck *bool `json:"luhn_check,omitempty"`
	// The user-provided name for the data type that represents the input data.
	Name *string `json:"name,omitempty"`
}

Basic FPE-specific options. This is suitable for simple datatypes that consist of ASCII digits, or ASCII digits and uppercase letters.

type FpePreserveMask added in v0.2.6

// FpePreserveMask selects which characters of an encrypted part are preserved
// (kept in clear) or masked. It models a two-variant enum: either Entire or
// ByChars is set. The fields carry no json tags because the JSON form is
// produced and consumed by the type's MarshalJSON and UnmarshalJSON methods.
type FpePreserveMask struct {
	// Indicates that the entire encrypted part is to be preserved or masked.
	Entire *All
	// Indicates that only certain characters are to be preserved or masked. Indices are
	// Python-like; i.e., negative indices index from the end of the token portion, with
	// index -1 denoting the last character. (Indicating that nothing should be preserved
	// or masked can be done via an empty list, which is the default value for this enum.)
	ByChars *[]int
}

A structure indicating which indices in an encrypted part to mask or preserve.

func (FpePreserveMask) MarshalJSON added in v0.2.6

func (x FpePreserveMask) MarshalJSON() ([]byte, error)

func (*FpePreserveMask) UnmarshalJSON added in v0.2.6

func (x *FpePreserveMask) UnmarshalJSON(data []byte) error

type FpeSubpartIndex added in v0.2.6

// FpeSubpartIndex identifies the subpart of a compound part that a constraint
// applies to: the zero-based position in a Concat part's `concat` list, or
// always 0 for a Multiple part (which has a single subpart). It is a type
// alias, so plain uint values can be used wherever it is expected.
type FpeSubpartIndex = uint

An index identifying the subpart of a compound part to which a constraint applies. For Concat parts, this is the zero-based index of the subpart in the `concat` field; for Multiple parts, it is always 0, because a Multiple has only one subpart.

type FreemiumSubscriptionType added in v0.2.6

// FreemiumSubscriptionType carries the per-resource caps of a freemium
// subscription (apps, HSM gateways, operations, tokenization operations and
// plugins). Every field is optional and omitted from the JSON when nil.
type FreemiumSubscriptionType struct {
	MaxApp                   *uint32 `json:"max_app,omitempty"`
	MaxHsmg                  *uint32 `json:"max_hsmg,omitempty"`
	MaxOperation             *uint64 `json:"max_operation,omitempty"`
	MaxTokenizationOperation *uint64 `json:"max_tokenization_operation,omitempty"`
	MaxPlugin                *uint32 `json:"max_plugin,omitempty"`
}

type GcpAppPermissions added in v0.4.0

// GcpAppPermissions is a bit set of permissions granted to a GCP app. Each
// constant below is a single bit (1 << iota), so values are combined with |
// and tested with &. On the wire the set is an array of strings; see
// MarshalJSON and UnmarshalJSON.
type GcpAppPermissions uint64

// Supported GcpAppPermissions values.
const (
	GcpAppPermissionsCryptoSpaceGetInfo GcpAppPermissions = 1 << iota
	GcpAppPermissionsCryptoSpaceGetPublicKey
)

List of supported GcpAppPermissions values

func (GcpAppPermissions) MarshalJSON added in v0.4.0

func (x GcpAppPermissions) MarshalJSON() ([]byte, error)

MarshalJSON converts GcpAppPermissions to an array of strings

func (*GcpAppPermissions) UnmarshalJSON added in v0.4.0

func (x *GcpAppPermissions) UnmarshalJSON(data []byte) error

UnmarshalJSON converts array of strings to GcpAppPermissions

type GcpKeyRingConfig added in v0.2.6

// GcpKeyRingConfig describes the connection to a Google Cloud KMS key ring:
// the service account used to reach it, the project and location it lives
// in, and optionally the key ring name and the service account's private key.
type GcpKeyRingConfig struct {
	ServiceAccountEmail string  `json:"service_account_email"`
	ProjectID           string  `json:"project_id"`
	Location            string  `json:"location"`
	KeyRing             *string `json:"key_ring,omitempty"`
	// Private key of the service account. This is secret material: avoid logging or
	// persisting a GcpKeyRingConfig with this field set. Omitted from the JSON when nil.
	PrivateKey *Blob `json:"private_key,omitempty"`
}

type GetAccountParams

// GetAccountParams are the query parameters for retrieving accounts. The
// three pointer fields are optional and omitted when nil; SortBy has no
// omitempty and is always serialized, including its zero value.
type GetAccountParams struct {
	WithTotals *bool       `json:"with_totals,omitempty"`
	PreviousID *UUID       `json:"previous_id,omitempty"`
	Limit      *uint       `json:"limit,omitempty"`
	SortBy     AccountSort `json:"sort_by"`
}

type GetAllHmgScansResponse added in v0.2.6

// GetAllHmgScansResponse reports a group's recent HSM/KMS scans.
type GetAllHmgScansResponse struct {
	// List of all tracked scans, from newest to oldest.
	Items []Scan `json:"items"`
}

Information about a group's recent scans.

type GetAppParams

// GetAppParams are the query parameters for the individual App APIs. Both
// fields are optional and omitted from the JSON when nil.
type GetAppParams struct {
	// Flag specifying if group permissions should be returned with the app group.
	GroupPermissions *bool `json:"group_permissions,omitempty"`
	// The App's role.
	Role *string `json:"role,omitempty"`
}

Query params for individual App APIs

type GetGroupsParams added in v0.2.6

// GetGroupsParams are the query parameters for listing groups: an optional
// page size, sort order and filter expression. All are omitted when nil.
type GetGroupsParams struct {
	Limit  *uint      `json:"limit,omitempty"`
	SortBy *GroupSort `json:"sort_by,omitempty"`
	Filter *string    `json:"filter,omitempty"`
}

type GetMarketplaceParams added in v0.2.6

// GetMarketplaceParams are the query parameters for the marketplace API;
// RepoURL is the URL of the plugin repository to read and is required.
type GetMarketplaceParams struct {
	RepoURL string `json:"repo_url"`
}

type GetSobjectParams

// GetSobjectParams control what is returned when showing security object
// details. All fields are optional and omitted from the JSON when nil.
type GetSobjectParams struct {
	// Response data encoding
	View *SobjectEncoding `json:"view,omitempty"`
	// Show destroyed security object(s).
	ShowDestroyed *bool `json:"show_destroyed,omitempty"`
	// Show deleted security object(s).
	ShowDeleted *bool `json:"show_deleted,omitempty"`
	// Show value of security object(s). When set, the response may carry the object's
	// value (key material); treat such responses as sensitive and avoid logging them.
	ShowValue *bool `json:"show_value,omitempty"`
	// Show public key of security objects(s) if present.
	ShowPubKey *bool `json:"show_pub_key,omitempty"`
}

Parameters to show sobject details.

type GetUsageResponse

// GetUsageResponse is the usage report returned by the usage API: a total
// operation count, optional per-kind operation counts, optional object
// counts, and optional per-app / per-sobject operation breakdowns. Only
// NumOperations is always present; every other field is omitted when nil.
type GetUsageResponse struct {
	NumOperations            uint64             `json:"num_operations"`
	EncryptionOperations     *uint64            `json:"encryption_operations,omitempty"`
	DecryptionOperations     *uint64            `json:"decryption_operations,omitempty"`
	SignOperations           *uint64            `json:"sign_operations,omitempty"`
	VerifyOperations         *uint64            `json:"verify_operations,omitempty"`
	TokenizationOperations   *uint64            `json:"tokenization_operations,omitempty"`
	DetokenizationOperations *uint64            `json:"detokenization_operations,omitempty"`
	SecretsOperations        *uint64            `json:"secrets_operations,omitempty"`
	PluginInvokeOperations   *uint64            `json:"plugin_invoke_operations,omitempty"`
	Apps                     *AppCreditsUsage   `json:"apps,omitempty"`
	Plugin                   *uint32            `json:"plugin,omitempty"`
	Sobjects                 *uint64            `json:"sobjects,omitempty"`
	HsmGateway               *uint32            `json:"hsm_gateway,omitempty"`
	// Operation counts keyed by app and by sobject; the map key format (presumably an ID)
	// is not stated here — confirm against the server's response.
	OperationTopApp     *map[string]uint64 `json:"operation_top_app,omitempty"`
	OperationTopSobject *map[string]uint64 `json:"operation_top_sobject,omitempty"`
}

type GetUserPermissionsParams added in v0.2.6

// GetUserPermissionsParams are the query parameters for fetching a user's
// permissions.
type GetUserPermissionsParams struct {
	// If `true`, implied permissions are added in the output. For example, if
	// permission A implies permission B, and the user has permission A, the
	// output will include both A and B if this is set to `true`. If this is
	// set to `false`, B will only be returned if it was assigned to the user
	// directly. Omitted from the JSON when nil.
	WithImplied *bool `json:"with_implied,omitempty"`
}

type GetUserPermissionsResponse added in v0.2.6

// GetUserPermissionsResponse lists a user's effective permissions at account
// level, across all groups (when applicable) and per group.
type GetUserPermissionsResponse struct {
	// User's permissions in the account.
	Account AccountPermissions `json:"account"`
	// User's permissions in all groups. Note that this will only be returned
	// if the user has one or more all-groups roles.
	AllGroups *GroupPermissions `json:"all_groups,omitempty"`
	// User's permissions in groups, keyed by UUID (presumably the group ID — confirm).
	Groups map[UUID]GroupPermissions `json:"groups"`
}

type GoogleAccessReason added in v0.2.6

// GoogleAccessReason is the access justification Google attaches to EKMS API
// calls. It encodes as its plain string value; the supported values are the
// GoogleAccessReason* constants. Which reasons are accepted is configured in
// GoogleAccessReasonPolicy.
type GoogleAccessReason string

An access reason provided by Google when making EKMS API calls.

// Supported GoogleAccessReason values. The strings are Google's reason codes
// as they appear on the wire.
const (
	// No reason is available for the access.
	GoogleAccessReasonReasonUnspecified GoogleAccessReason = "REASON_UNSPECIFIED"
	// Access Transparency Types, public documentation can be found at:
	// https://cloud.google.com/logging/docs/audit/reading-access-transparency-logs#justification-reason-codes
	GoogleAccessReasonCustomerInitiatedSupport GoogleAccessReason = "CUSTOMER_INITIATED_SUPPORT"
	GoogleAccessReasonGoogleInitiatedService   GoogleAccessReason = "GOOGLE_INITIATED_SERVICE"
	GoogleAccessReasonThirdPartyDataRequest    GoogleAccessReason = "THIRD_PARTY_DATA_REQUEST"
	GoogleAccessReasonGoogleInitiatedReview    GoogleAccessReason = "GOOGLE_INITIATED_REVIEW"
	// Customer uses their own account or grants IAM permission to some
	// partner of theirs to perform any access to their own data which is
	// authorized by their own IAM policy.
	GoogleAccessReasonCustomerInitiatedAccess GoogleAccessReason = "CUSTOMER_INITIATED_ACCESS"
	// Google access to data to help optimize the data's structure or quality
	// for future uses by the customer. This includes but is not limited to
	// accesses for the purposes of indexing, structuring, precomputation,
	// hashing, sharding and caching. This also includes backing up data for disaster
	// recovery or data integrity reasons, and detecting errors that can be
	// remedied from that backup data.
	// Note that where the customer has delegated a managed control plane
	// operation to Google, such as the creation of a managed instance group,
	// all managed operations will show as system operations. Services such as
	// the managed instance group manager that trigger downstream decryption
	// operations do not have access to clear-text customer data.
	GoogleAccessReasonGoogleInitiatedSystemOperation GoogleAccessReason = "GOOGLE_INITIATED_SYSTEM_OPERATION"
	// No reason is expected for this key request as the service in
	// question has never integrated with Key Access Justifications, or is still
	// in Pre GA state and therefore may still have residual methods that call
	// the External Key Manager but still do not provide a justification.
	GoogleAccessReasonReasonNotExpected GoogleAccessReason = "REASON_NOT_EXPECTED"
	// A Customer uses their account to perform any access to their own data
	// which is authorized by their own IAM policy, however a Google
	// administrator has reset the superuser account associated with the user's
	// Organization within the last 7 days.
	GoogleAccessReasonModifiedCustomerInitiatedAccess GoogleAccessReason = "MODIFIED_CUSTOMER_INITIATED_ACCESS"
	// Google accesses customer data to help optimize the structure of the data or quality for future uses by the customer.
	// These accesses can be for indexing, structuring, precomputation, hashing, sharding and caching customer data.
	// This also includes backing up data for disaster recovery or data integrity reasons,
	// and detecting errors that the backup data could remedy. At the same time,
	// a Google-initiated breakglass operation has affected the accessed resource.
	GoogleAccessReasonModifiedGoogleInitiatedSystemOperation GoogleAccessReason = "MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION"
	// Refers to Google-initiated access to maintain system reliability.
	// Google personnel can make this type of access for the following reasons:
	// - To investigate and confirm that a suspected service outage doesn't affect the customer.
	// - To ensure backup and recovery from outages and system failures.
	GoogleAccessReasonGoogleResponseToProductionAlert GoogleAccessReason = "GOOGLE_RESPONSE_TO_PRODUCTION_ALERT"
	// Not documented upstream; the name suggests servicing of a workflow the customer has
	// authorized — check Google's justification reason codes (link above) before relying on it.
	GoogleAccessReasonCustomerAuthorizedWorkflowServicing GoogleAccessReason = "CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING"
)

List of supported GoogleAccessReason values

type GoogleAccessReasonPolicy added in v0.2.6

// GoogleAccessReasonPolicy states which Google access reasons are acceptable
// on a request, at App or Sobject level. Neither field has omitempty: an
// empty Allow list is sent as JSON null when nil (or [] when empty), and
// AllowMissingReason is always sent.
type GoogleAccessReasonPolicy struct {
	// Set of allowed Google Access reasons.
	Allow []GoogleAccessReason `json:"allow"`
	// Accept incoming requests which do not specify any access reasons. When true,
	// requests carrying no justification bypass the Allow list entirely, so the
	// policy no longer records why a key was used; keep it false unless the calling
	// service is known not to send justifications (see REASON_NOT_EXPECTED).
	AllowMissingReason bool `json:"allow_missing_reason"`
}

Policy specifying which access reasons a Google service account may present, applied at the App or Sobject level.

type GoogleServiceAccountKey

// GoogleServiceAccountKey mirrors the fields of a Google service account key
// object (type, project, key ID, private key and client e-mail).
type GoogleServiceAccountKey struct {
	Type         string  `json:"type"`
	ProjectID    string  `json:"project_id"`
	PrivateKeyID string  `json:"private_key_id"`
	// PEM private key of the service account, if included. This is secret material:
	// do not log or persist a GoogleServiceAccountKey with this field set. Omitted
	// from the JSON when nil.
	PrivateKey  *string `json:"private_key,omitempty"`
	ClientEmail string  `json:"client_email"`
}

A Google service account key object. See https://cloud.google.com/video-intelligence/docs/common/auth.

type Group

// Group is the representation of a group as returned by the API: the account
// it belongs to, its policies (approval, cryptographic, custodian, key history
// and key metadata), its external HSM/KMS links (Hmg*) and its metadata.
// Optional fields are pointers and omitted from the JSON when nil.
type Group struct {
	AcctID         UUID                 `json:"acct_id"`
	ApprovalPolicy *GroupApprovalPolicy `json:"approval_policy,omitempty"`
	// Settings for automatic key scanning. For now, this is only available for DSM-backed groups.
	AutoScan             *HmgAutoScan         `json:"auto_scan,omitempty"`
	ClientConfigurations ClientConfigurations `json:"client_configurations"`
	CreatedAt            Time                 `json:"created_at"`
	Creator              Principal            `json:"creator"`
	CryptographicPolicy  *CryptographicPolicy `json:"cryptographic_policy,omitempty"`
	CustodianPolicy      *QuorumPolicy        `json:"custodian_policy,omitempty"`
	CustomMetadata       *map[string]string   `json:"custom_metadata,omitempty"`
	Description          *string              `json:"description,omitempty"`
	// Key Access Justifications for GCP EKM.
	// For more details: https://cloud.google.com/cloud-provider-access-management/key-access-justifications/docs/overview
	GoogleAccessReasonPolicy *GoogleAccessReasonPolicy `json:"google_access_reason_policy,omitempty"`
	GroupID                  UUID                      `json:"group_id"`
	// External HSM/KMS configurations, keyed by UUID (presumably the HMG ID — confirm).
	Hmg               *map[UUID]HmgConfig  `json:"hmg,omitempty"`
	HmgRedundancy     *HmgRedundancyScheme `json:"hmg_redundancy,omitempty"`
	HmgSegregation    *bool                `json:"hmg_segregation,omitempty"`
	HmgSync           *bool                `json:"hmg_sync,omitempty"`
	KeyHistoryPolicy  *KeyHistoryPolicy    `json:"key_history_policy,omitempty"`
	KeyMetadataPolicy *KeyMetadataPolicy   `json:"key_metadata_policy,omitempty"`
	Name              string               `json:"name"`
	// Name of an AES key from another group. The key will be used to encrypt the key material of all keys in this group.
	WrappingKeyName *WrappingKeyName `json:"wrapping_key_name,omitempty"`
}

type GroupApprovalPolicy added in v0.2.6

// GroupApprovalPolicy is a group's approval policy: the quorum that must
// approve, and which kinds of operations are gated by it. The JSON form is
// produced and consumed by the type's MarshalJSON and UnmarshalJSON methods.
type GroupApprovalPolicy struct {
	Policy QuorumPolicy `json:"policy"`
	// When this is true, manage operations on security objects require approval.
	//
	// Deprecated: kept only for backward compatibility. Prefer ProtectPermissions,
	// which expresses the operations that require approval.
	ProtectManageOperations *bool `json:"protect_manage_operations,omitempty"`
	// Use QuorumGroupPermissions to represent operations that require approval.
	ProtectPermissions *QuorumGroupPermissions `json:"protect_permissions,omitempty"`
	// When this is true, cryptographic operations on security objects require approval.
	ProtectCryptoOperations *bool `json:"protect_crypto_operations,omitempty"`
}

Group approval policy.

func (GroupApprovalPolicy) MarshalJSON added in v0.2.6

func (x GroupApprovalPolicy) MarshalJSON() ([]byte, error)

func (*GroupApprovalPolicy) UnmarshalJSON added in v0.2.6

func (x *GroupApprovalPolicy) UnmarshalJSON(data []byte) error

type GroupPermissions added in v0.2.6

// GroupPermissions is a bit set of group-level permissions. Each constant
// below is a single bit (1 << iota), so values are combined with | and tested
// with &. On the wire the set is an array of strings (the SCREAMING_CASE names
// quoted in the comments); see MarshalJSON and UnmarshalJSON. 61 of the 64
// bits are in use; the compiler rejects a typed constant that would overflow,
// so running out of bits shows up as a build error rather than a wrap-around.
type GroupPermissions uint64

// Supported GroupPermissions values.
const (
	//  Permission to create group-level approval policy. Note that
	//  updating/deleting the approval policy is protected by the approval
	//  policy itself. Implies `GET_GROUP`.
	GroupPermissionsCreateGroupApprovalPolicy GroupPermissions = 1 << iota
	//  Permission to update external HSM/KMS configurations. Note that this
	//  is only useful for groups backed by external HSM/KMS. Implies
	//  `GET_GROUP`.
	GroupPermissionsUpdateGroupExternalLinks
	//  Permission to manage group-level client configurations. Implies
	//  `GET_GROUP`.
	GroupPermissionsManageGroupClientConfigs
	//  Permission to update name, description and custom metadata of the
	//  group. Implies `GET_GROUP`.
	GroupPermissionsUpdateGroupProfile
	//  Permission to delete the group. Implies `GET_GROUP`.
	GroupPermissionsDeleteGroup
	//  Permission to map external roles to DSM groups for apps authorized
	//  through LDAP. Implies `GET_GROUP`.
	GroupPermissionsMapExternalRolesForApps
	//  Permission to map external roles to DSM groups for users authorized
	//  through LDAP. Implies `GET_GROUP`.
	GroupPermissionsMapExternalRolesForUsers
	//  Currently implies `MAP_EXTERNAL_ROLES_FOR_APPS`,
	//  `MAP_EXTERNAL_ROLES_FOR_USERS`, and `GET_GROUP` permissions.
	GroupPermissionsMapExternalRoles
	//  Permission to add users to the group.
	GroupPermissionsAddUsersToGroup
	//  Permission to remove users from the group.
	GroupPermissionsDeleteUsersFromGroup
	//  Permission to change users' role in the group.
	GroupPermissionsUpdateUsersGroupRole
	//  Currently implies `ADD_USERS_TO_GROUP`, `DELETE_USERS_FROM_GROUP`,
	//  and `UPDATE_USERS_GROUP_ROLE` permissions.
	GroupPermissionsManageGroupUsers
	//  Permission to create various group-level security object policies
	//  including cryptographic policy, key metadata policy and key history
	//  policy. Implies `GET_GROUP`.
	GroupPermissionsCreateGroupSobjectPolicies
	//  Permission to update various group-level security object policies
	//  including cryptographic policy, key metadata policy and key history
	//  policy. Implies `GET_GROUP`.
	GroupPermissionsUpdateGroupSobjectPolicies
	//  Permission to delete various group-level security object policies
	//  including cryptographic policy, key metadata policy and key history
	//  policy. Implies `GET_GROUP`.
	GroupPermissionsDeleteGroupSobjectPolicies
	//  Currently implies `CREATE_GROUP_SOBJECT_POLICIES`,
	//  `UPDATE_GROUP_SOBJECT_POLICIES`, `DELETE_GROUP_SOBJECT_POLICIES`,
	//  and `GET_GROUP` permissions.
	GroupPermissionsManageGroupSobjectPolicies
	//  Permission to create key custodian policy for the group. Implies
	//  `GET_GROUP`.
	GroupPermissionsCreateGroupCustodianPolicy
	//  Permission to update group's key custodian policy. Implies
	//  `GET_GROUP`.
	GroupPermissionsUpdateGroupCustodianPolicy
	//  Permission to delete group's key custodian policy. Implies
	//  `GET_GROUP`.
	GroupPermissionsDeleteGroupCustodianPolicy
	//  Currently implies `CREATE_GROUP_CUSTODIAN_POLICY`,
	//  `UPDATE_GROUP_CUSTODIAN_POLICY`, `DELETE_GROUP_CUSTODIAN_POLICY`,
	//  and `GET_GROUP` permissions.
	GroupPermissionsManageGroupCustodianPolicy
	//  Permission to create cryptographic apps. Implies `GET_APPS`.
	GroupPermissionsCreateApps
	//  Permission to update cryptographic apps. Implies `GET_APPS`.
	GroupPermissionsUpdateApps
	//  Permission to retrieve cryptographic apps' secrets. Note that not
	//  all cryptographic app credentials contain secrets. If a
	//  cryptographic app's credential does not contain any secrets,
	//  `GET_APPS` permission is sufficient to call the `GetAppCredential`
	//  API. Implies `GET_APPS`.
	GroupPermissionsRetrieveAppSecrets
	//  Permission to delete cryptographic apps. Implies `GET_APPS`.
	GroupPermissionsDeleteApps
	//  Currently implies `CREATE_APPS`, `UPDATE_APPS`,
	//  `RETRIEVE_APP_SECRETS`, `DELETE_APPS`, and `GET_APPS` permissions.
	GroupPermissionsManageApps
	//  Permission to create plugins. Implies `GET_PLUGINS`.
	//  For creating a plugin, following group permissions are also required
	//  in each group plugin is being added, to prevent privilege escalation:
	//  `CREATE_SOBJECTS`, `EXPORT_SOBJECTS`, `COPY_SOBJECTS`, `WRAP_SOBJECTS`, `UNWRAP_SOBJECTS`,
	//  `DERIVE_SOBJECTS`, `TRANSFORM_SOBJECTS`, `UPDATE_SOBJECTS_ENABLED_STATE`, `ROTATE_SOBJECTS`,
	//  `DELETE_SOBJECTS`, `REVOKE_SOBJECTS`, `ACTIVATE_SOBJECTS`, `MOVE_SOBJECTS`, `UPDATE_KEY_OPS`,
	//  `UPDATE_SOBJECT_POLICIES`, `UPDATE_SOBJECTS_PROFILE`, `GET_GROUP`, `GET_SOBJECTS`, `GET_APPS`,
	//  `GET_PLUGINS`, `GET_AUDIT_LOGS`
	//  Following account permissions are required as well:
	//  `GET_ALL_USERS`
	GroupPermissionsCreatePlugins
	//  Permission to update plugins. Implies `GET_PLUGINS`.
	//  For updating a plugin, following group permissions are also required
	//  in each group plugin is being added, to prevent privilege escalation:
	//  `CREATE_SOBJECTS`, `EXPORT_SOBJECTS`, `COPY_SOBJECTS`, `WRAP_SOBJECTS`, `UNWRAP_SOBJECTS`,
	//  `UPDATE_SOBJECTS_ENABLED_STATE`, `ROTATE_SOBJECTS`, `DELETE_SOBJECTS`, `REVOKE_SOBJECTS`,
	//  `ACTIVATE_SOBJECTS`, `MOVE_SOBJECTS`, `UPDATE_KEY_OPS`, `UPDATE_SOBJECT_POLICIES`,
	//  `UPDATE_SOBJECTS_PROFILE`, `GET_GROUP`, `GET_SOBJECTS`, `GET_APPS`, `GET_PLUGINS`,
	//  `GET_AUDIT_LOGS`
	//  Following account permissions are required as well while adding
	//  new groups:
	//  `GET_ALL_USERS`
	GroupPermissionsUpdatePlugins
	//  Permission to invoke plugins. Implies `GET_PLUGINS`.
	GroupPermissionsInvokePlugins
	//  Permission to delete plugins. Implies `GET_PLUGINS`.
	GroupPermissionsDeletePlugins
	//  Currently implies `CREATE_PLUGINS`, `UPDATE_PLUGINS`,
	//  `INVOKE_PLUGINS`, `DELETE_PLUGINS`, and `GET_PLUGINS` permissions.
	GroupPermissionsManagePlugins
	//  Permission to create security objects. This permission is required
	//  for APIs that result in creation of a new security object including:
	//  Generate, Import, Unwrap. Also required in destination group when
	//  moving a key to a different group or when copying a key. Implies
	//  `GET_SOBJECTS`.
	GroupPermissionsCreateSobjects
	//  Permission to export security objects. This permission is required
	//  for Export, ExportByComponents, Copy (depending on destination
	//  group), Restore, and Wrap (for wrapped security object) APIs.
	//  Implies `GET_SOBJECTS`.
	GroupPermissionsExportSobjects
	//  Permission to copy security objects. This permission is required in
	//  the source group when calling the Copy API. Implies `GET_SOBJECTS`.
	GroupPermissionsCopySobjects
	//  Permission to wrap security objects. This permission is required in
	//  the wrapping security object's group. Implies `GET_SOBJECTS`.
	GroupPermissionsWrapSobjects
	//  Permission to unwrap security objects. This permission is required
	//  in the unwrapping security object's group. Implies `GET_SOBJECTS`.
	GroupPermissionsUnwrapSobjects
	//  Permission to derive other security objects. Implies `GET_SOBJECTS`.
	GroupPermissionsDeriveSobjects
	//  Permission to transform security objects. Implies `GET_SOBJECTS`.
	GroupPermissionsTransformSobjects
	//  Permission to enable/disable security objects. Implies
	//  `GET_SOBJECTS`.
	GroupPermissionsUpdateSobjectsEnabledState
	//  Permission to rotate (a.k.a. "rekey") security objects. Implies
	//  `GET_SOBJECTS`.
	GroupPermissionsRotateSobjects
	//  Permission to delete security objects. Implies `GET_SOBJECTS`.
	GroupPermissionsDeleteSobjects
	//  Permission to destroy security objects. Implies `GET_SOBJECTS`.
	GroupPermissionsDestroySobjects
	//  Permission to revoke security objects, i.e. mark security objects as
	//  deactivated or compromised. Implies `GET_SOBJECTS`.
	GroupPermissionsRevokeSobjects
	//  Permission to activate security objects. Implies `GET_SOBJECTS`.
	GroupPermissionsActivateSobjects
	//  Permission to revert changes to security objects. Implies
	//  `GET_SOBJECTS`.
	GroupPermissionsRevertSobjects
	//  Permission to delete key material including removing the private key
	//  part of an asymmetric key pair and removing key material of security
	//  objects backed by external HSM/KMS. Implies `GET_SOBJECTS`.
	GroupPermissionsDeleteKeyMaterial
	//  Permission to move security objects. This permission is required for
	//  changing the group of a security object in the source group. Note
	//  that changing the group of a security object also requires
	//  `CREATE_SOBJECTS` permission in the destination group. Implies
	//  `GET_SOBJECTS`.
	GroupPermissionsMoveSobjects
	//  Permission to update key operations of security objects. Implies
	//  `GET_SOBJECTS`.
	GroupPermissionsUpdateKeyOps
	//  Permission to update individual security objects' policies. This
	//  permission allows updating RSA options, as well as Google access
	//  reason policy (for use with Google EKM APIs) defined on the security
	//  object itself. Implies `GET_SOBJECTS`.
	GroupPermissionsUpdateSobjectPolicies
	//  Permission to update name, description, custom metadata, key links
	//  (currently only create parent link), and publish public key settings
	//  of security objects. Implies `GET_SOBJECTS`.
	GroupPermissionsUpdateSobjectsProfile
	//  Permission to scan for security objects in external HSM/KMS. Implies
	//  `GET_SOBJECTS`.
	GroupPermissionsScanExternalSobjects
	//  Permission to restore key material of security objects backed by
	//  external HSM/KMS. Note that calling the Restore API needs this
	//  permission in the destination group as well as `EXPORT_SOBJECTS`
	//  permission in the source group (where the object was copied from
	//  originally). Implies `GET_SOBJECTS`.
	GroupPermissionsRestoreExternalSobjects
	//  Permission to call Workspace CSE Wrap API.
	GroupPermissionsWrapWorkspaceCse
	//  Permission to call Workspace CSE Unwrap API.
	GroupPermissionsUnwrapWorkspaceCse
	//  Not documented upstream. By analogy with the other Manage*/composite
	//  values above it presumably implies `WRAP_WORKSPACE_CSE` and
	//  `UNWRAP_WORKSPACE_CSE` — confirm against the server before relying on it.
	GroupPermissionsWorkspaceCse
	//  Permission to get information about the group.
	GroupPermissionsGetGroup
	//  Permission to get security objects stored in the group.
	GroupPermissionsGetSobjects
	//  Permission to get cryptographic apps in the group.
	GroupPermissionsGetApps
	//  Permission to get plugin in the group.
	GroupPermissionsGetPlugins
	//  Permission to get approval requests related to the group.
	GroupPermissionsGetGroupApprovalRequests
	//  Permission to get audit logs related to the group.
	GroupPermissionsGetAuditLogs
	//  Permission to update or remove the wrapping key of the group.
	GroupPermissionsManageGroupWrappingKey
)

List of supported GroupPermissions values

func (GroupPermissions) MarshalJSON added in v0.2.6

func (x GroupPermissions) MarshalJSON() ([]byte, error)

MarshalJSON converts GroupPermissions to an array of strings

func (*GroupPermissions) UnmarshalJSON added in v0.2.6

func (x *GroupPermissions) UnmarshalJSON(data []byte) error

UnmarshalJSON converts array of strings to GroupPermissions

type GroupRequest

// GroupRequest carries the settings of a group. Every field is a pointer
// with omitempty (see the package conventions), so only the fields that are
// explicitly set are sent; presumably the same struct serves both group
// creation and update — confirm against the Client methods.
//
// AddHmg, ModHmg and DelHmg attach, change and detach external HSM/KMS
// backends. The HmgConfig variants can carry credentials (PIN, secret key),
// so avoid dumping a GroupRequest into logs with %v/%+v.
type GroupRequest struct {
	AddHmg         *[]HmgConfig         `json:"add_hmg,omitempty"`
	ApprovalPolicy *GroupApprovalPolicy `json:"approval_policy,omitempty"`
	// Settings for automatic key scanning. For now, this is only available for DSM-backed groups.
	AutoScan             *Removable[HmgAutoScan]         `json:"auto_scan,omitempty"`
	ClientConfigurations *ClientConfigurationsRequest    `json:"client_configurations,omitempty"`
	CryptographicPolicy  *Removable[CryptographicPolicy] `json:"cryptographic_policy,omitempty"`
	CustodianPolicy      *QuorumPolicy                   `json:"custodian_policy,omitempty"`
	CustomMetadata       *map[string]string              `json:"custom_metadata,omitempty"`
	DelHmg               *[]UUID                         `json:"del_hmg,omitempty"`
	Description          *string                         `json:"description,omitempty"`
	// Key Access Justifications for GCP EKM.
	// For more details: https://cloud.google.com/cloud-provider-access-management/key-access-justifications/docs/overview
	GoogleAccessReasonPolicy *Removable[GoogleAccessReasonPolicy] `json:"google_access_reason_policy,omitempty"`
	HmgRedundancy            *HmgRedundancyScheme                 `json:"hmg_redundancy,omitempty"`
	HmgSegregation           *bool                                `json:"hmg_segregation,omitempty"`
	HmgSync                  *bool                                `json:"hmg_sync,omitempty"`
	KeyHistoryPolicy         *Removable[KeyHistoryPolicy]         `json:"key_history_policy,omitempty"`
	KeyMetadataPolicy        *Removable[KeyMetadataPolicy]        `json:"key_metadata_policy,omitempty"`
	ModHmg                   *map[UUID]HmgConfig                  `json:"mod_hmg,omitempty"`
	Name                     *string                              `json:"name,omitempty"`
	// Name of an AES key from another group. The key will be used to encrypt the key material of all keys in this group.
	// Removing or rotating that key therefore affects every object in this group; see also GroupPermissionsManageGroupWrappingKey.
	WrappingKeyName *WrappingKeyName `json:"wrapping_key_name,omitempty"`
}

type GroupRole added in v0.2.6

// GroupRole pairs a set of GroupPermissions with an optional exclusivity
// flag. Exclusive is a pointer so that "not specified" is distinguishable
// from false. A role marked exclusive cannot be combined with other roles in
// the same group (see the LdapRoleConflictResolution discussion below).
type GroupRole struct {
	Permissions GroupPermissions `json:"permissions"`
	Exclusive   *bool            `json:"exclusive,omitempty"`
}

type GroupSort added in v0.2.6

// GroupSort selects the ordering of a group listing; ByGroupID is the only
// key available here. The field has no json tag, so its wire encoding
// presumably comes from code outside this view — confirm.
type GroupSort struct {
	ByGroupID *GroupSortByGroupId
}

type GroupSortByGroupId added in v0.2.6

// GroupSortByGroupId sorts groups by id in the given Order. Start is
// optional; presumably it is the id at which the listing begins (a paging
// cursor) — confirm with the server API.
type GroupSortByGroupId struct {
	Order Order `json:"order"`
	Start *UUID `json:"start,omitempty"`
}

type HealthParams added in v0.2.6

// HealthParams holds the optional parameters of a health check. Both fields
// are omitted from the request when nil. What Consistency accepts and what
// CheckQueues inspects is not visible here — see the server API reference.
type HealthParams struct {
	Consistency *string `json:"consistency,omitempty"`
	CheckQueues *bool   `json:"check_queues,omitempty"`
}

type HistoryItem added in v0.2.6

// HistoryItem is one entry of a security object's state history: the
// recorded State, when it was created and when it expires.
type HistoryItem struct {
	ID        UUID             `json:"id"`
	State     HistoryItemState `json:"state"`
	CreatedAt Time             `json:"created_at"`
	Expiry    Time             `json:"expiry"`
}

type HistoryItemState added in v0.2.6

// HistoryItemState is a snapshot of a security object's lifecycle at one
// point in its history: the lifecycle dates (activation, compromise,
// deactivation, destruction, deletion), the SobjectState, the KeyOperations
// that were allowed, and whether key material was present. The undo-window
// fields presumably give how long the corresponding transition could still
// be reverted — confirm against KeyHistoryPolicy.UndoTimeWindow.
type HistoryItemState struct {
	ActivationDate         *Time             `json:"activation_date,omitempty"`
	ActivationUndoWindow   *Secs             `json:"activation_undo_window,omitempty"`
	RevocationReason       *RevocationReason `json:"revocation_reason,omitempty"`
	CompromiseDate         *Time             `json:"compromise_date,omitempty"`
	DeactivationDate       *Time             `json:"deactivation_date,omitempty"`
	DeactivationUndoWindow *Secs             `json:"deactivation_undo_window,omitempty"`
	DestructionDate        *Time             `json:"destruction_date,omitempty"`
	DeletionDate           *Time             `json:"deletion_date,omitempty"`
	State                  SobjectState      `json:"state"`
	KeyOps                 KeyOperations     `json:"key_ops"`
	PublicOnly             bool              `json:"public_only"`
	HasKey                 bool              `json:"has_key"`
	RotationPolicy         *RotationPolicy   `json:"rotation_policy,omitempty"`
	GroupID                *UUID             `json:"group_id,omitempty"`
}

type HmacOptions added in v0.2.6

// HmacOptions holds HMAC-specific key options. MinimumKeyLength is
// optional; its unit (bits or bytes) is not stated here — confirm before
// relying on it in a policy.
type HmacOptions struct {
	MinimumKeyLength *uint32 `json:"minimum_key_length,omitempty"`
}

type HmgAutoScan added in v0.2.6

// HmgAutoScan configures periodic automatic scanning of an externally-backed
// group (today only DSM-backed groups, per the package docs).
type HmgAutoScan struct {
	// The number of hours between successive automatic scans. Must be greater than 0.
	// The field is a uint8, so JSON values above 255 fail to decode rather than wrap.
	ScanIntervalHours uint8 `json:"scan_interval_hours"`
}

Settings for automatic scanning in externally-backed groups. Today, this is only applicable for DSM-backed groups.

type HmgConfig added in v0.2.6

// HmgConfig describes one external HSM/KMS backend of a group. It is a
// variant type: exactly one of the pointers is expected to be set, and the
// custom MarshalJSON/UnmarshalJSON below handle the encoding (inferred from
// the absence of json tags — confirm). Several variants hold credentials
// (PIN, access/secret keys), so treat a populated HmgConfig as sensitive.
type HmgConfig struct {
	Ncipher             *HmgConfigNcipher
	Safenet             *HmgConfigSafenet
	AwsCloudHsm         *HmgConfigAwsCloudHsm
	AwsKms              *HmgConfigAwsKms
	Fortanix            *HmgConfigFortanix
	FortanixFipsCluster *HmgConfigFortanixFipsCluster
	AzureKeyVault       *HmgConfigAzureKeyVault
	GcpKeyRing          *GcpKeyRingConfig
}

func (HmgConfig) MarshalJSON added in v0.2.6

func (x HmgConfig) MarshalJSON() ([]byte, error)

func (*HmgConfig) UnmarshalJSON added in v0.2.6

func (x *HmgConfig) UnmarshalJSON(data []byte) error

type HmgConfigAwsCloudHsm added in v0.2.6

// HmgConfigAwsCloudHsm connects a group to an AWS CloudHSM cluster: the
// endpoint URL, its TLS settings, the PKCS#11 slot and an optional PIN.
// Pin is credential material; keep it out of logs and error messages.
// HsmOrder presumably ranks this HSM within an HmgRedundancyScheme — confirm.
type HmgConfigAwsCloudHsm struct {
	URL      string    `json:"url"`
	TLS      TlsConfig `json:"tls"`
	Slot     uint      `json:"slot"`
	Pin      *string   `json:"pin,omitempty"`
	HsmOrder *int32    `json:"hsm_order,omitempty"`
}

type HmgConfigAwsKms added in v0.2.6

// HmgConfigAwsKms connects a group to AWS KMS. AccessKey and SecretKey are
// credentials for the service: never log them or commit them with
// configuration, and rotate them if a request body containing them is
// exposed. Region and Service are optional selectors for the endpoint.
type HmgConfigAwsKms struct {
	URL       string         `json:"url"`
	TLS       TlsConfig      `json:"tls"`
	AccessKey *string        `json:"access_key,omitempty"`
	SecretKey *string        `json:"secret_key,omitempty"`
	Region    *AwskmsRegion  `json:"region,omitempty"`
	Service   *AwskmsService `json:"service,omitempty"`
}

type HmgConfigAzureKeyVault added in v0.2.6

// HmgConfigAzureKeyVault connects a group to an Azure Key Vault. TenantID,
// ClientID and SubscriptionID identify the Azure principal and scope;
// SecretKey is presumably that principal's client secret — confirm — and in
// any case is credential material to keep out of logs. KeyVaultType selects
// between vault flavours (see AzureKeyVaultType).
type HmgConfigAzureKeyVault struct {
	URL            string             `json:"url"`
	TLS            TlsConfig          `json:"tls"`
	SecretKey      *string            `json:"secret_key,omitempty"`
	TenantID       UUID               `json:"tenant_id"`
	ClientID       UUID               `json:"client_id"`
	SubscriptionID UUID               `json:"subscription_id"`
	KeyVaultType   *AzureKeyVaultType `json:"key_vault_type,omitempty"`
	// Which Azure endpoints to use. If not specified upon group creation or
	// update, endpoints for (ordinary) Azure global cloud will be used.
	Endpoints *AzureServiceEndpoints `json:"endpoints,omitempty"`
}

type HmgConfigFortanix added in v0.2.6

// HmgConfigFortanix connects a group to another Fortanix DSM instance.
// Pin is an optional credential; do not log it.
type HmgConfigFortanix struct {
	URL string    `json:"url"`
	TLS TlsConfig `json:"tls"`
	Pin *string   `json:"pin,omitempty"`
}

type HmgConfigFortanixFipsCluster added in v0.2.6

// HmgConfigFortanixFipsCluster connects a group to a Fortanix FIPS cluster.
// Both Pin and Credentials are secrets; the format of the Credentials
// strings is not visible here — see the server API reference.
type HmgConfigFortanixFipsCluster struct {
	URL         string    `json:"url"`
	TLS         TlsConfig `json:"tls"`
	Pin         *string   `json:"pin,omitempty"`
	Credentials *[]string `json:"credentials,omitempty"`
}

type HmgConfigNcipher added in v0.2.6

// HmgConfigNcipher connects a group to an nCipher HSM: endpoint URL, TLS
// settings, PKCS#11 slot and an optional PIN (a secret — do not log it).
// HsmOrder presumably ranks this HSM for failover — confirm.
type HmgConfigNcipher struct {
	URL      string    `json:"url"`
	TLS      TlsConfig `json:"tls"`
	Slot     uint      `json:"slot"`
	Pin      *string   `json:"pin,omitempty"`
	HsmOrder *int32    `json:"hsm_order,omitempty"`
}

type HmgConfigSafenet added in v0.2.6

// HmgConfigSafenet connects a group to a SafeNet HSM; the layout mirrors
// HmgConfigNcipher and HmgConfigAwsCloudHsm. Pin is a secret — do not log it.
type HmgConfigSafenet struct {
	URL      string    `json:"url"`
	TLS      TlsConfig `json:"tls"`
	Slot     uint      `json:"slot"`
	Pin      *string   `json:"pin,omitempty"`
	HsmOrder *int32    `json:"hsm_order,omitempty"`
}

type HmgRedundancyScheme added in v0.2.6

// HmgRedundancyScheme selects how a group with several external HSMs uses
// them. Only priority failover is defined in this version.
type HmgRedundancyScheme string
const (
	// HmgRedundancySchemePriorityFailover uses the HSMs in priority order
	// (presumably the per-HSM HsmOrder), falling over to the next on failure — confirm.
	HmgRedundancySchemePriorityFailover HmgRedundancyScheme = "PriorityFailover"
)

List of supported HmgRedundancyScheme values

type HyperHttpMethod added in v0.2.6

// HyperHttpMethod names an HTTP request method as a string. The constants
// below mirror net/http's method names; unless otherwise noted, they are
// defined in RFC 7231 section 4.3.
type HyperHttpMethod string
const (
	MethodGet     HyperHttpMethod = "GET"
	MethodHead    HyperHttpMethod = "HEAD"
	MethodPost    HyperHttpMethod = "POST"
	MethodPut     HyperHttpMethod = "PUT"
	MethodPatch   HyperHttpMethod = "PATCH" // RFC 5789
	MethodDelete  HyperHttpMethod = "DELETE"
	MethodConnect HyperHttpMethod = "CONNECT"
	MethodOptions HyperHttpMethod = "OPTIONS"
	MethodTrace   HyperHttpMethod = "TRACE"
)

Common HTTP methods.

Unless otherwise noted, these are defined in RFC 7231 section 4.3.

type ImportSobjectComponentsRequest added in v0.2.6

// ImportSobjectComponentsRequest imports a security object whose key
// material is supplied in parts held by several custodians and joined with
// the given SplittingMethod. Components carry (possibly wrapped) key
// material and must be handled as secrets; when they are wrapped,
// UnwrapKeyParams names the unwrapping key.
type ImportSobjectComponentsRequest struct {
	// Properties of the imported security object
	Key SobjectRequest `json:"key"`
	// Details of unwrapping key, if components are wrapped.
	UnwrapKeyParams *UnwrapKeyParams `json:"unwrap_key_params,omitempty"`
	// Key holder identifier
	Custodians []Principal `json:"custodians"`
	// Key material by parts
	Components *[]SobjectComponent `json:"components,omitempty"`
	// Description of the imported security object
	Description *string `json:"description,omitempty"`
	// Splitting method used to join the key components
	Method *SplittingMethod `json:"method,omitempty"`
	// Authentication requirements for approval requests
	AuthConfig *ApprovalAuthConfig `json:"auth_config,omitempty"`
}

Request to import a security object by components.

type InnerEsBucket added in v0.2.6

// InnerEsBucket is one bucket of an aggregated statistics result, keyed by
// a UUID with its document count and optional per-bucket unique counts.
// "Es" presumably refers to an Elasticsearch-style aggregation — confirm.
type InnerEsBucket struct {
	DocCount              uint64                 `json:"doc_count"`
	Key                   UUID                   `json:"key"`
	UniqueOperationsCount *UniqueOperationsCount `json:"unique_operations_count,omitempty"`
	UniqueActiveSobjCount *UniqueOperationsCount `json:"unique_active_sobj_count,omitempty"`
	UniqueActiveAppCount  *UniqueOperationsCount `json:"unique_active_app_count,omitempty"`
}

type IpAddr added in v0.2.6

// IpAddr wraps a net.IP so it can carry the custom JSON encoding provided by
// the MarshalJSON/UnmarshalJSON methods below. Note both methods have
// pointer receivers, so a non-addressable IpAddr value will fall back to the
// default struct encoding when marshalled.
type IpAddr struct {
	Address net.IP
}

func (*IpAddr) MarshalJSON added in v0.2.6

func (x *IpAddr) MarshalJSON() ([]byte, error)

func (*IpAddr) UnmarshalJSON added in v0.2.6

func (x *IpAddr) UnmarshalJSON(data []byte) error

type IpAddressPolicy added in v0.2.6

// IpAddressPolicy restricts the source addresses an application may call
// from. It is a variant: set AllowAll to disable the restriction entirely, or
// Whitelist to allow only the listed addresses. Whether Whitelist entries may
// be CIDR ranges or must be single addresses is not visible here — confirm.
// Prefer Whitelist for production apps; AllowAll removes a network-level
// control on the app's credential.
type IpAddressPolicy struct {
	AllowAll  *struct{}
	Whitelist *[]string
}

The IP addresses that are allowed for an application. Both IPv4 and IPv6 addresses are accepted.

func (IpAddressPolicy) MarshalJSON added in v0.2.6

func (x IpAddressPolicy) MarshalJSON() ([]byte, error)

func (*IpAddressPolicy) UnmarshalJSON added in v0.2.6

func (x *IpAddressPolicy) UnmarshalJSON(data []byte) error

type JwtSigningKeys

// JwtSigningKeys is a variant describing where the public keys used to
// validate JWTs come from: either stored inline (Stored) or fetched from a
// URL (Fetched). Exactly one pointer is expected to be set; the custom
// MarshalJSON/UnmarshalJSON below encode the choice.
type JwtSigningKeys struct {
	Stored  *JwtSigningKeysStored
	Fetched *JwtSigningKeysFetched
}

Signing keys used to validate signed JWT tokens.

func (JwtSigningKeys) MarshalJSON

func (x JwtSigningKeys) MarshalJSON() ([]byte, error)

func (*JwtSigningKeys) UnmarshalJSON

func (x *JwtSigningKeys) UnmarshalJSON(data []byte) error

type JwtSigningKeysFetched

// JwtSigningKeysFetched tells the service to fetch the JWT validation keys
// from URL. Whatever that URL serves becomes trusted to validate tokens, so
// it must be the issuer's own key set served over TLS; a long CacheDuration
// delays pick-up of key rotation or removal at the issuer.
type JwtSigningKeysFetched struct {
	URL string `json:"url"`
	// Number of seconds that the service is allowed to cache the fetched keys.
	CacheDuration uint64 `json:"cache_duration"`
}

type JwtSigningKeysStored

// JwtSigningKeysStored supplies the JWT validation keys inline, as a map
// from key id (the token's kid, presumably — confirm) to DER-encoded public
// key. Only public keys belong here.
type JwtSigningKeysStored struct {
	// Mapping key ids to DER-encoded public key.
	Keys map[string]Blob `json:"keys"`
}

type KcdsaOptions added in v0.2.6

// KcdsaOptions holds KCDSA-specific key parameters: the subgroup size and
// the hash algorithm. Both are optional.
type KcdsaOptions struct {
	SubgroupSize *uint32          `json:"subgroup_size,omitempty"`
	HashAlg      *DigestAlgorithm `json:"hash_alg,omitempty"`
}

type KeyCheckValueResponse added in v0.2.6

// KeyCheckValueResponse is the response of a key check value (KCV) request.
// A KCV is a short fingerprint used to confirm two parties hold the same key;
// its encoding is not stated here — confirm before comparing it to a value
// computed elsewhere.
type KeyCheckValueResponse struct {
	// UUID, only for persistent keys.
	Kid *UUID `json:"kid,omitempty"`
	// Key Checksum Value
	Kcv string `json:"kcv"`
}

KCV of a key

type KeyFormat added in v0.2.6

// KeyFormat selects the encoding of exported or imported key material.
type KeyFormat string

Key Format

// Supported KeyFormat values.
const (
	KeyFormatDefault KeyFormat = "Default"
	// KeyFormatPkcs8 requests PKCS#8 encoding.
	KeyFormatPkcs8 KeyFormat = "Pkcs8"
)

List of supported KeyFormat values

type KeyHistoryPolicy added in v0.2.6

// KeyHistoryPolicy configures how long a key state change can be undone.
// UndoTimeWindow is in seconds (Secs).
type KeyHistoryPolicy struct {
	UndoTimeWindow Secs `json:"undo_time_window"`
}
// KeyLinks lists the security objects linked to a given one: rotation
// predecessor/successor, copy relationships, subkeys, parent and the key that
// wraps it. Note the json names here are camelCase, unlike the snake_case
// used by most other types in this package.
type KeyLinks struct {
	Replacement *UUID   `json:"replacement,omitempty"`
	Replaced    *UUID   `json:"replaced,omitempty"`
	CopiedFrom  *UUID   `json:"copiedFrom,omitempty"`
	CopiedTo    *[]UUID `json:"copiedTo,omitempty"`
	Subkeys     *[]UUID `json:"subkeys,omitempty"`
	Parent      *UUID   `json:"parent,omitempty"`
	// Wrapping key used to wrap this security object
	WrappingKey *UUID `json:"wrappingKey,omitempty"`
}

Linked security objects.

type KeyMetadataPolicy added in v0.2.6

// KeyMetadataPolicy defines the metadata that security objects in a group
// must carry: a base rule, optional per-object-type overrides, and how
// pre-existing non-compliant objects are treated (LegacyKeyPolicy).
type KeyMetadataPolicy struct {
	// Applies to all objects.
	Base MetadataPolicyItem `json:"base"`
	// Each entry in this map fully overrides `base` for a particular object type.
	ForObjType map[ObjectType]MetadataPolicyItem `json:"for_obj_type"`
	// What to do with legacy objects that are not compliant with this policy.
	// Note that objects are not allowed to be created/updated if the result is
	// not compliant with the policy. Non-compliant legacy objects can only be
	// updated to comply with the policy (e.g. by adding missing required metadata).
	LegacyObjects LegacyKeyPolicy `json:"legacy_objects"`
}

type KeyOperations

// KeyOperations is a bit set of the operations a key may perform; each
// KeyOperationsXxx constant is a single bit and values are combined with |.
// It is encoded on the wire as an array of operation names (see MarshalJSON).
type KeyOperations uint64

Operations allowed to be performed on a given key.

// Supported KeyOperations values. Each constant is one bit (1 << iota), so
// a key's allowed operations are the bitwise OR of these.
const (
	//  If this is set, the key can be used for signing.
	KeyOperationsSign KeyOperations = 1 << iota
	//  If this is set, the key can be used for verifying a signature.
	KeyOperationsVerify
	//  If this is set, the key can be used for encryption.
	KeyOperationsEncrypt
	//  If this is set, the key can be used for decryption.
	KeyOperationsDecrypt
	//  If this is set, the key can be used for wrapping other keys.
	//  The key being wrapped must have the EXPORT operation enabled.
	KeyOperationsWrapkey
	//  If this is set, the key can be used to unwrap a wrapped key.
	KeyOperationsUnwrapkey
	//  If this is set, the key can be used to derive another key.
	KeyOperationsDerivekey
	//  If this is set, the key can be transformed.
	KeyOperationsTransform
	//  If this is set, the key can be used to compute a cryptographic
	//  Message Authentication Code (MAC) on a message.
	KeyOperationsMacgenerate
	//  If this is set, the key can be used to verify a MAC.
	KeyOperationsMacverify
	//  If this is set, the value of the key can be retrieved
	//  with an authenticated request. This shouldn't be set unless
	//  required. It is more secure to keep the key's value inside DSM only.
	//  Note that WRAPKEY on another key also requires EXPORT on this one.
	KeyOperationsExport
	//  Without this operation, management operations like delete, destroy,
	//  rotate, activate, restore, revoke, revert, update, remove_private, etc.
	//  cannot be performed by a crypto App.
	//  A user with access or admin app can still perform these operations.
	//  This option is only relevant for crypto apps.
	KeyOperationsAppmanageable
	//  If this is set, audit logs will not be recorded for the key.
	//   High volume here tries to signify a key that is being used a lot
	//   and will produce lots of logs. Setting this operation disables
	//   audit logs for the key, so its use becomes invisible to log-based
	//   monitoring; enable it deliberately and per key.
	KeyOperationsHighvolume
	//  If this is set, the key can be used for key agreement.
	//  Both the private and public key should have this option enabled
	//  to perform an agree operation.
	KeyOperationsAgreekey
)

List of supported KeyOperations values

func (KeyOperations) MarshalJSON

func (x KeyOperations) MarshalJSON() ([]byte, error)

MarshalJSON converts KeyOperations to an array of strings

func (*KeyOperations) UnmarshalJSON

func (x *KeyOperations) UnmarshalJSON(data []byte) error

UnmarshalJSON converts array of strings to KeyOperations

type KeyVault added in v0.2.6

// KeyVault describes an Azure Key Vault as seen by the service (VaultType is
// an AzureKeyVaultType): its Azure resource id, name, location, tags, the
// optional soft-delete retention and the vault URI.
type KeyVault struct {
	ID        string             `json:"id"`
	Name      string             `json:"name"`
	VaultType AzureKeyVaultType  `json:"vault_type"`
	Location  string             `json:"location"`
	Tags      *map[string]string `json:"tags,omitempty"`
	Retention *uint32            `json:"retention,omitempty"`
	URI       string             `json:"uri"`
}

type KmipClientConfig added in v0.2.6

// KmipClientConfig holds KMIP client behaviour settings. When
// IgnoreUnknownKeyOpsForSecrets is set, key operations the server does not
// recognise on secret objects are presumably skipped rather than rejected —
// confirm; the default when nil is not visible here.
type KmipClientConfig struct {
	IgnoreUnknownKeyOpsForSecrets *bool `json:"ignore_unknown_key_ops_for_secrets,omitempty"`
}

type Language

// Language is the programming language of plugin code.
type Language string

Language of plugin code.

// Supported Language values; Lua is the only plugin language in this version.
const (
	LanguageLua Language = "LUA"
)

List of supported Language values

type LastAppOperationTimestamp added in v0.2.6

// LastAppOperationTimestamp records when an app last performed an operation
// in each service category. Fields are nil when the app has never used that
// category. The values are presumably epoch seconds, as for LogsParams'
// range fields — confirm.
type LastAppOperationTimestamp struct {
	Generic           *uint64 `json:"generic,omitempty"`
	Tokenization      *uint64 `json:"tokenization,omitempty"`
	Tep               *uint64 `json:"tep,omitempty"`
	Accelerator       *uint64 `json:"accelerator,omitempty"`
	SecretsManagement *uint64 `json:"secrets_management,omitempty"`
}

type LdapAccountRole added in v0.2.6

// LdapAccountRole is the account role of a user or app for LDAP
// configuration purposes: either a built-in LegacyLdapAccountRole or the id
// of a custom role. It is a variant — set exactly one pointer; the custom
// MarshalJSON/UnmarshalJSON below encode it.
//
// NOTE(review): only MarshalJSON/UnmarshalJSON are listed for this type, yet
// it is used as a map key in LdapAuthorizationConfig.RequireRole;
// encoding/json requires map keys to be strings, integers or
// encoding.TextMarshaler/TextUnmarshaler, so the default encoder is expected
// to reject that map unless MarshalText/UnmarshalText exist elsewhere — confirm.
type LdapAccountRole struct {
	Legacy *LegacyLdapAccountRole
	Custom *UUID
}

Role of a user or app in an account for the purpose of LDAP configurations.

func (LdapAccountRole) MarshalJSON added in v0.2.6

func (x LdapAccountRole) MarshalJSON() ([]byte, error)

func (*LdapAccountRole) UnmarshalJSON added in v0.2.6

func (x *LdapAccountRole) UnmarshalJSON(data []byte) error

type LdapAuthorizationConfig

// LdapAuthorizationConfig controls how LDAP group membership is turned into
// DSM authorization: how often it is re-checked, which LDAP groups each
// account role requires, self-provisioning of new users, and conflict
// resolution for group roles.
//
// NOTE(review): RequireRole is keyed by LdapAccountRole, a struct that only
// exposes MarshalJSON/UnmarshalJSON on this page; encoding/json needs map
// keys to be string, integer or encoding.TextMarshaler/TextUnmarshaler, so
// (de)serialising this field with the default encoder is expected to fail
// unless a text marshaller is defined elsewhere — confirm.
type LdapAuthorizationConfig struct {
	// Number of seconds after which the authorization should be checked again.
	// A large value means revocations in the directory take that long to take effect.
	ValidFor uint64 `json:"valid_for"`
	// A map from account roles to distinguished names of LDAP groups.
	// If a DN is specified for an account role, entities with that role
	// must be a member of the specified LDAP group.
	RequireRole *map[LdapAccountRole]string `json:"require_role,omitempty"`
	// User self-provisioning settings for the LDAP integration.
	UserSelfProvisioning *LdapUserSelfProvisioningConfig `json:"user_self_provisioning,omitempty"`
	// How to resolve group role assignment conflicts for users authorized
	// through LDAP.
	RoleConflictResolution *LdapRoleConflictResolution `json:"role_conflict_resolution,omitempty"`
}

LDAP authorization settings.

type LdapDnResolution

// LdapDnResolution chooses how a user's email address is turned into a
// distinguished name in the directory. It is a variant: set exactly one of
// the three fields; the custom MarshalJSON/UnmarshalJSON below encode it.
type LdapDnResolution struct {
	// Transform the user email through a pattern to derive the DN.
	Construct *LdapDnResolutionConstruct
	// Search the directory using the LDAP `mail` attribute matching user's email.
	SearchByMail *struct{}
	// Use email in place of DN. This method works with Active Directory if the userPrincipalName
	// attribute is set for the user. https://docs.microsoft.com/en-us/windows/desktop/ad/naming-properties
	UserPrincipalName *struct{}
}

Distinguished Name (DN) resolution method. Given a user's email address, a DN resolution method is used to find the user's DN in an LDAP directory.

func (LdapDnResolution) MarshalJSON

func (x LdapDnResolution) MarshalJSON() ([]byte, error)

func (*LdapDnResolution) UnmarshalJSON

func (x *LdapDnResolution) UnmarshalJSON(data []byte) error

type LdapDnResolutionConstruct

// LdapDnResolutionConstruct derives a DN from the user's email by pattern.
// DomainFormat maps an email domain to a DN template; judging by the
// example, `{}` is the placeholder for the part of the email before the `@`
// — confirm. Because the substituted text comes from the user-supplied
// address, the service is expected to escape it per RFC 4514; verify that
// rather than assume it.
type LdapDnResolutionConstruct struct {
	// For example: "example.com" => "uid={},ou=users,dc=example,dc=com".
	DomainFormat map[string]string `json:"domain_format"`
}

Transform the user email through a pattern to derive the DN.

type LdapPrincipal added in v0.2.6

// LdapPrincipal identifies a directory entity either by email (Unresolved,
// still to be mapped to a DN via LdapDnResolution) or by its DN (Resolved).
// Variant type: set exactly one pointer; custom JSON methods below.
type LdapPrincipal struct {
	Unresolved *LdapPrincipalUnresolved
	Resolved   *LdapPrincipalResolved
}

func (LdapPrincipal) MarshalJSON added in v0.2.6

func (x LdapPrincipal) MarshalJSON() ([]byte, error)

func (*LdapPrincipal) UnmarshalJSON added in v0.2.6

func (x *LdapPrincipal) UnmarshalJSON(data []byte) error

type LdapPrincipalResolved added in v0.2.6

// LdapPrincipalResolved is a principal already identified by its
// distinguished name.
type LdapPrincipalResolved struct {
	Dn string `json:"dn"`
}

type LdapPrincipalUnresolved added in v0.2.6

// LdapPrincipalUnresolved is a principal identified only by email address;
// its DN is found with the configured LdapDnResolution.
type LdapPrincipalUnresolved struct {
	Email string `json:"email"`
}

type LdapRoleConflictResolution added in v0.2.6

// LdapRoleConflictResolution selects how conflicting group role assignments
// derived from a user's LDAP groups are resolved; see the discussion below.
type LdapRoleConflictResolution string

Controls how we resolve conflicting role assignments with LDAP authorization.

When users are authorized through LDAP, their DSM group memberships are determined by their LDAP groups and the external role mappings created in DSM. For example, if the user belongs to 3 LDAP groups A, B and C, and these LDAP groups are mapped to DSM groups G1 and G2 in the following way:
- A -> G1 as "group auditor"
- B -> G1 as "group administrator"
- C -> G2 as "group administrator"
Then which role should be assigned to this user in G1?

The answer to this question used to be simple before the introduction of custom user roles in DSM: we took the maximum of the roles. Note that the legacy roles (group admin/auditor) formed a strict "more powerful than" relation, i.e. group administrator is strictly more powerful than group auditor (and same is true for legacy account roles). However, custom user roles do not have that relationship anymore. Moreover, the legacy behavior is not quite square with the role exclusivity rules either since the legacy behavior can also be regarded as assigning multiple exclusive roles in the same group.

After the introduction of custom user roles, we allow a user to have multiple roles in one group as long as none of the roles are marked as exclusive. That rule is easily enforceable in the user Invite API. With LDAP authorization, the group memberships are computed dynamically when the Select Account API is called and it is possible that we run into conflicting role assignments due to user's LDAP group membership and current mappings between external roles (i.e. LDAP groups) and DSM groups.

// Supported LdapRoleConflictResolution values.
const (
	// In this mode (which cannot be selected for new LDAP integrations and is
	// only meant for LDAP integrations that existed before custom roles), DSM
	// rejects any external role mapping involving custom roles and in case of
	// conflicting role assignments it takes the maximal legacy role.
	LdapRoleConflictResolutionBackcompatLegacyRolesOnly LdapRoleConflictResolution = "backcompat_legacy_roles_only"
	// In case of a role conflict, all role assignments where the role is
	// marked as exclusive are ignored and the rest are assigned to the user.
	// Note that legacy roles are all marked as exclusive. For example:
	// - LDAP group A is mapped to DSM group G1 with role R1
	// - LDAP group B is mapped to DSM group G1 with role R2
	// - LDAP group C is mapped to DSM group G1 with role R3
	// - Role R2 is marked exclusive
	// A user that belongs to LDAP groups A, B and C will become a member of
	// DSM group G1 with role R1 + R3. Because dropped roles are silent, review
	// the resulting memberships after changing external role mappings.
	LdapRoleConflictResolutionDisregardExclusiveRoles LdapRoleConflictResolution = "disregard_exclusive_roles"
)

List of supported LdapRoleConflictResolution values

type LdapSearchFilter added in v0.2.6

// LdapSearchFilter is one attribute/value equality condition of an
// LdapSearchRequest. NOTE(review): if the server interpolates Value into an
// LDAP filter string, it must escape it per RFC 4515; that cannot be verified
// from this client, so do not pass unvalidated user input here.
type LdapSearchFilter struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

type LdapSearchRequest added in v0.2.6

// LdapSearchRequest asks the service to search the directory: optionally
// below BaseDn, restricted to ObjectClass, matching all Filters, with the
// given LdapSearchScope. Filters is required (no omitempty) but may be empty.
type LdapSearchRequest struct {
	BaseDn      *string            `json:"base_dn,omitempty"`
	Filters     []LdapSearchFilter `json:"filters"`
	ObjectClass *string            `json:"object_class,omitempty"`
	Scope       LdapSearchScope    `json:"scope"`
}

type LdapSearchResultEntry added in v0.2.6

// LdapSearchResultEntry is one directory entry returned by an LDAP search:
// its DN, the id DSM assigned to it, multi-valued cn/description/objectClass
// attributes and the optional mail and userPrincipalName attributes.
type LdapSearchResultEntry struct {
	DistinguishedName string   `json:"distinguished_name"`
	LdapObjectID      UUID     `json:"ldap_object_id"`
	CommonName        []string `json:"common_name"`
	Description       []string `json:"description"`
	ObjectClass       []string `json:"object_class"`
	Mail              *string  `json:"mail,omitempty"`
	UserPrincipalName *string  `json:"user_principal_name,omitempty"`
}

type LdapSearchScope added in v0.2.6

// LdapSearchScope is the LDAP search scope relative to the base DN. Only the
// one-level and subtree scopes are exposed; a base-object scope is not.
type LdapSearchScope string
const (
	LdapSearchScopeSingleLevel  LdapSearchScope = "single-level"
	LdapSearchScopeWholeSubtree LdapSearchScope = "whole-subtree"
)

List of supported LdapSearchScope values

type LdapServiceAccount

// LdapServiceAccount is the bind identity the service uses to authenticate
// itself to the LDAP server. Password is a plaintext secret with no omitempty:
// it is always serialised, so never log or persist this struct in the clear,
// and give the bind account only the directory read rights it needs.
type LdapServiceAccount struct {
	Dn       string `json:"dn"`
	Password string `json:"password"`
}

Credentials used by the service to authenticate itself to an LDAP server.

type LdapTestCredentials added in v0.2.6

// LdapTestCredentials are the user credentials used by LdapTestRequest to
// exercise an LDAP configuration end to end. Password is a plaintext secret —
// keep it out of logs. Encoding goes through the custom MarshalJSON below.
type LdapTestCredentials struct {
	ID          LdapPrincipal    `json:"id"`
	Password    string           `json:"password"`
	AccountRole *LdapAccountRole `json:"account_role,omitempty"`
}

func (LdapTestCredentials) MarshalJSON added in v0.2.6

func (x LdapTestCredentials) MarshalJSON() ([]byte, error)

func (*LdapTestCredentials) UnmarshalJSON added in v0.2.6

func (x *LdapTestCredentials) UnmarshalJSON(data []byte) error

type LdapTestRequest added in v0.2.6

// LdapTestRequest validates an LDAP configuration (AuthConfigLdap), optionally
// also attempting a login with TestCredentials. Both parts may contain secrets
// (the bind password and the test user's password).
type LdapTestRequest struct {
	Ldap            AuthConfigLdap       `json:"ldap"`
	TestCredentials *LdapTestCredentials `json:"test_credentials,omitempty"`
}

type LdapUserSelfProvisioningConfig added in v0.2.6

// LdapUserSelfProvisioningConfig enables users to be created in DSM on their
// first LDAP login. The only setting is the role such users start with;
// anyone the directory authenticates then gains that role, so keep it minimal.
type LdapUserSelfProvisioningConfig struct {
	// The mapping that determines which roles will be assigned
	// to self-provisioned users.
	RoleAssignment LdapUserSelfProvisioningRole `json:"role_assignment"`
}

LDAP user self-provisioning settings. Currently, the only setting available for configuration is the mapping from LDAP users to DSM account roles.

type LdapUserSelfProvisioningRole added in v0.2.6

// LdapUserSelfProvisioningRole says how self-provisioned LDAP users get
// their account role. Only the Fixed variant exists in this version; the
// custom MarshalJSON/UnmarshalJSON below encode it.
type LdapUserSelfProvisioningRole struct {
	// Map all self-provisioned users to a single specified account role.
	// (Note that this setting only determines the role that a self-
	// provisioned user starts with; an account admin can change any user's
	// role at a later time.) A "state enabled" flag will be implicitly added,
	// and any specified "pending invite" flag will be removed.
	Fixed *LdapUserSelfProvisioningRoleFixed
}

A structure indicating how self-provisioned LDAP users will be assigned account roles.

func (LdapUserSelfProvisioningRole) MarshalJSON added in v0.2.6

func (x LdapUserSelfProvisioningRole) MarshalJSON() ([]byte, error)

func (*LdapUserSelfProvisioningRole) UnmarshalJSON added in v0.2.6

func (x *LdapUserSelfProvisioningRole) UnmarshalJSON(data []byte) error

type LdapUserSelfProvisioningRoleFixed added in v0.2.6

// LdapUserSelfProvisioningRoleFixed assigns one fixed account role (a
// UserAccountFlags value) to every self-provisioned user.
type LdapUserSelfProvisioningRoleFixed struct {
	Role UserAccountFlags `json:"role"`
}

Map all self-provisioned users to a single specified account role. (Note that this setting only determines the role that a self-provisioned user starts with; an account admin can change any user's role at a later time.) A "state enabled" flag will be implicitly added, and any specified "pending invite" flag will be removed.

type LegacyKeyPolicy added in v0.2.6

// LegacyKeyPolicy says what pre-existing objects that do not satisfy a
// KeyMetadataPolicy may still be used for.
type LegacyKeyPolicy string
const (
	// The key can be used for all purposes.
	LegacyKeyPolicyAllowed LegacyKeyPolicy = "allowed"
	// The key cannot be used for any crypto operations until it becomes compliant.
	LegacyKeyPolicyProhibited LegacyKeyPolicy = "prohibited"
	// The key can only be used for these crypto operations:
	// - DECRYPT
	// - VERIFY
	// - MACVERIFY
	// - UNWRAPKEY
	// i.e. existing data can still be read and checked, but no new protection
	// can be produced with a non-compliant key.
	LegacyKeyPolicyUnprotectOnly LegacyKeyPolicy = "unprotect_only"
)

List of supported LegacyKeyPolicy values

type LegacyLdapAccountRole added in v0.2.6

// LegacyLdapAccountRole is a built-in account role of a user or app, as used
// in LDAP configurations (the alternative being a custom role id; see
// LdapAccountRole).
type LegacyLdapAccountRole string

Role of a user or app in an account for the purpose of LDAP configurations.

// Supported LegacyLdapAccountRole values: three user roles and two app roles.
const (
	LegacyLdapAccountRoleAdminUser   LegacyLdapAccountRole = "ADMIN_USER"
	LegacyLdapAccountRoleMemberUser  LegacyLdapAccountRole = "MEMBER_USER"
	LegacyLdapAccountRoleAuditorUser LegacyLdapAccountRole = "AUDITOR_USER"
	LegacyLdapAccountRoleAdminApp    LegacyLdapAccountRole = "ADMIN_APP"
	LegacyLdapAccountRoleCryptoApp   LegacyLdapAccountRole = "CRYPTO_APP"
)

List of supported LegacyLdapAccountRole values

type LegacyUserAccountRole added in v0.2.6

// LegacyUserAccountRole is a built-in (pre custom roles) account role of a user.
type LegacyUserAccountRole string

Legacy user account role

// Supported LegacyUserAccountRole values. Note the wire strings differ in
// form from LegacyLdapAccountRole's ("ACCOUNTADMINISTRATOR" vs "ADMIN_USER").
const (
	LegacyUserAccountRoleAccountAdministrator LegacyUserAccountRole = "ACCOUNTADMINISTRATOR"
	LegacyUserAccountRoleAccountMember        LegacyUserAccountRole = "ACCOUNTMEMBER"
	LegacyUserAccountRoleAccountAuditor       LegacyUserAccountRole = "ACCOUNTAUDITOR"
)

List of supported LegacyUserAccountRole values

type LegacyUserGroupRole added in v0.2.6

// LegacyUserGroupRole is a built-in (pre custom roles) role of a user within
// a group. Group administrator is strictly more powerful than group auditor
// (see the LdapRoleConflictResolution discussion).
type LegacyUserGroupRole string

Legacy user group role

// Supported LegacyUserGroupRole values.
const (
	LegacyUserGroupRoleGroupAuditor       LegacyUserGroupRole = "GROUPAUDITOR"
	LegacyUserGroupRoleGroupAdministrator LegacyUserGroupRole = "GROUPADMINISTRATOR"
)

List of supported LegacyUserGroupRole values

type LegacyUserGroupRoleOrRoleId added in v0.2.6

// LegacyUserGroupRoleOrRoleId names a group role either by its legacy name
// or by the id of a custom role. Variant type: set exactly one pointer; the
// custom MarshalJSON/UnmarshalJSON below encode it.
type LegacyUserGroupRoleOrRoleId struct {
	LegacyRole *LegacyUserGroupRole
	RoleID     *UUID
}

Legacy user group role name or custom role id

func (LegacyUserGroupRoleOrRoleId) MarshalJSON added in v0.2.6

func (x LegacyUserGroupRoleOrRoleId) MarshalJSON() ([]byte, error)

func (*LegacyUserGroupRoleOrRoleId) UnmarshalJSON added in v0.2.6

func (x *LegacyUserGroupRoleOrRoleId) UnmarshalJSON(data []byte) error

type ListApprovalRequestsParams

// ListApprovalRequestsParams filters an approval request listing by the
// requesting principal, the reviewer, the subject object and/or status. All
// filters are optional.
type ListApprovalRequestsParams struct {
	Requester *UUID           `json:"requester,omitempty"`
	Reviewer  *UUID           `json:"reviewer,omitempty"`
	Subject   *UUID           `json:"subject,omitempty"`
	Status    *ApprovalStatus `json:"status,omitempty"`
}

type ListAppsParams

// ListAppsParams holds the query parameters of the "get all apps" API:
// group and role filters, paging (Limit/Offset), sort order and whether to
// include each app's group permissions in the response.
type ListAppsParams struct {
	// Group for which the associated apps should be retrieved.
	GroupID *UUID `json:"group_id,omitempty"`
	// Maximum number of apps to return. Default limit is 1001.
	Limit *uint `json:"limit,omitempty"`
	// Number of apps to skip from the beginning/start.
	Offset *uint `json:"offset,omitempty"`
	// Sort apps by app_id in ascending or descending order.
	Sort AppSort `json:"sort"`
	// Flag specifying if group permissions should be returned with the apps.
	GroupPermissions *bool `json:"group_permissions,omitempty"`
	// Specify role of the apps.
	Role *AppRole `json:"role,omitempty"`
}

Query params for Get all apps API

type ListExternalRolesParams

// ListExternalRolesParams optionally restricts an external role listing to
// the mappings of one group.
type ListExternalRolesParams struct {
	GroupID *UUID `json:"group_id,omitempty"`
}

type ListPluginsParams

// ListPluginsParams holds the query parameters for listing plugins: an
// optional group filter, paging (Limit/Offset) and the sort order.
type ListPluginsParams struct {
	// Group for which the associated plugins should be retrieved.
	GroupID *UUID `json:"group_id,omitempty"`
	// Maximum number of entries to return.
	Limit *uint `json:"limit,omitempty"`
	// Starting offset.
	Offset *uint `json:"offset,omitempty"`
	// Sort plugins in ascending or descending order by Plugin Id.
	Sort PluginSort `json:"sort"`
}

Query parameters to get Plugins.

type ListRolesParams added in v0.2.6

// ListRolesParams holds the query parameters for listing custom roles: an
// optional filter expression, a page size and the sort order. The filter
// syntax is not visible here — see the server API reference.
type ListRolesParams struct {
	Filter *string  `json:"filter,omitempty"`
	Limit  *uint    `json:"limit,omitempty"`
	Sort   RoleSort `json:"sort"`
}

type ListRolesResponse added in v0.2.6

// ListRolesResponse is a page of custom roles together with listing Metadata.
type ListRolesResponse struct {
	Metadata Metadata `json:"metadata"`
	Items    []Role   `json:"items"`
}

type ListSobjectsParams

// ListSobjectsParams holds the filters, paging, sorting and display options
// of the list security objects API. The ShowValue/ShowPubKey/ShowKcv flags
// enlarge the response with key-related material; only request them when
// the caller needs that data.
type ListSobjectsParams struct {
	// Filter security object(s) by group ID.
	GroupID *UUID `json:"group_id,omitempty"`
	// Filter security object(s) by a particular creator.
	Creator *UUID `json:"creator,omitempty"`
	// Filter security object(s) by name.
	Name *string `json:"name,omitempty"`
	// Filter security object(s) by PKCS11 label.
	Pkcs11Label *string `json:"pkcs11_label,omitempty"`
	// Filter security object(s) by PKCS11 unique identifier.
	Pkcs11ID *Blob `json:"pkcs11_id,omitempty"`
	// Filter security object(s) by object type.
	ObjType *ObjectType `json:"obj_type,omitempty"`
	// Maximum number of security objects returned in the response (default: 1000).
	Limit *uint `json:"limit,omitempty"`
	// Skip first n (offset) matches.
	Offset *uint `json:"offset,omitempty"`
	// Sorting method for listed security objects.
	Sort *SobjectSort `json:"sort,omitempty"`
	// Only show security objects complying with group and account policies.
	CompliantWithPolicies *bool `json:"compliant_with_policies,omitempty"`
	// Filter security object(s) by custom_metadata fields.
	CustomMetadata *CustomMetadata `json:"custom_metadata,omitempty"`
	// Display query metadata in response, containing information on total objects
	// and number of objects skipped.
	WithMetadata *bool `json:"with_metadata,omitempty"`
	// Show destroyed security object(s).
	ShowDestroyed *bool `json:"show_destroyed,omitempty"`
	// Show deleted security object(s).
	ShowDeleted *bool `json:"show_deleted,omitempty"`
	// Show non-sensitive key material of security object(s).
	ShowValue *bool `json:"show_value,omitempty"`
	// Show public key of security objects(s) if present.
	ShowPubKey *bool `json:"show_pub_key,omitempty"`
	// Show key check value for security object(s).
	ShowKcv *bool `json:"show_kcv,omitempty"`
	// Provide custom filtering query.
	Filter *string `json:"filter,omitempty"`
}

Request parameters for filtering and listing security objects.

type ListSobjectsResponse added in v0.2.6

// ListSobjectsResponse is the result of a list security objects query.
// Decoding goes through the custom UnmarshalJSON below (presumably because
// the server may return either a bare array or this object — confirm).
// Note that omitempty on Md has no effect for a struct-typed field.
type ListSobjectsResponse struct {
	// Metadata indicating filtered and total count.
	Md Metadata `json:"metadata,omitempty"`
	// List of security objects matching the filtering parameters.
	Items []Sobject `json:"items,omitempty"`
}

Response structure from list security objects query

func (*ListSobjectsResponse) UnmarshalJSON added in v0.2.6

func (r *ListSobjectsResponse) UnmarshalJSON(data []byte) error

type ListUsersParams

// ListUsersParams holds the query parameters for listing users.
type ListUsersParams struct {
	// Optional; presumably restricts the listing to members of this group — confirm against the API.
	GroupID *UUID    `json:"group_id,omitempty"`
	// Optional; presumably restricts the listing to this account — confirm against the API.
	AcctID  *UUID    `json:"acct_id,omitempty"`
	// Optional maximum number of users to return (cf. ListSobjectsParams.Limit).
	Limit   *uint    `json:"limit,omitempty"`
	// Optional number of leading matches to skip (cf. ListSobjectsParams.Offset).
	Offset  *uint    `json:"offset,omitempty"`
	// Sorting method; not a pointer and not omitempty, so it is always serialized.
	Sort    UserSort `json:"sort"`
}

type LmsOptions added in v0.2.6

// LmsOptions holds LMS (hash-based signature) specific key options.
type LmsOptions struct {
	// The height of the top level tree
	L1Height uint32 `json:"l1_height"`
	// The height of the secondary tree
	L2Height uint32 `json:"l2_height"`
	// The hash function to use (optional)
	Digest *DigestAlgorithm `json:"digest,omitempty"`
}

LMS specific options

type LoggingConfig

// LoggingConfig selects a logging backend, one variant pointer per supported backend.
// There are no json tags: encoding is handled by the MarshalJSON/UnmarshalJSON methods
// declared on this type. Presumably only one variant is set at a time — confirm in MarshalJSON.
type LoggingConfig struct {
	Splunk      *SplunkLoggingConfig
	Stackdriver *StackdriverLoggingConfig
	Syslog      *SyslogLoggingConfig
}

func (LoggingConfig) MarshalJSON

func (x LoggingConfig) MarshalJSON() ([]byte, error)

func (*LoggingConfig) UnmarshalJSON

func (x *LoggingConfig) UnmarshalJSON(data []byte) error

type LoggingConfigRequest

// LoggingConfigRequest is the request-side counterpart of LoggingConfig, one variant
// pointer per supported backend. No json tags: encoding is handled by the
// MarshalJSON/UnmarshalJSON methods declared on this type.
type LoggingConfigRequest struct {
	Splunk      *SplunkLoggingConfigRequest
	Stackdriver *StackdriverLoggingConfigRequest
	Syslog      *SyslogLoggingConfigRequest
}

func (LoggingConfigRequest) MarshalJSON

func (x LoggingConfigRequest) MarshalJSON() ([]byte, error)

func (*LoggingConfigRequest) UnmarshalJSON

func (x *LoggingConfigRequest) UnmarshalJSON(data []byte) error

type LogsParams added in v0.2.6

// LogsParams holds the query parameters used to fetch audit logs.
type LogsParams struct {
	// Maximum number of entries to return. Upper limit for max entries is 1000.
	Size *uint32 `json:"size,omitempty"`
	// Starting offset
	From *uint32 `json:"from,omitempty"`
	// Starting time for search. This is EPOCH time.
	// NOTE(review): the unit (seconds vs. milliseconds) is not stated here — confirm against the API.
	RangeFrom *uint64 `json:"range_from,omitempty"`
	// Ending time for search. This is EPOCH time (same unit caveat as RangeFrom).
	RangeTo *uint64 `json:"range_to,omitempty"`
	// Action Type
	ActionType *[]ActionType `json:"action_type,omitempty"`
	// Actor Type
	// Available values are: User, App & Plugin.
	ActorType *[]string `json:"actor_type,omitempty"`
	// UUID of Actor (User, App or Plugin)
	ActorID *UUID `json:"actor_id,omitempty"`
	// UUID of entity affected by event. For instance, if a group is created object_id will be UUID of group.
	ObjectID *UUID `json:"object_id,omitempty"`
	// UUID of log after which further logs are required (presumably a paging cursor).
	PreviousID *UUID `json:"previous_id,omitempty"`
	// Severity of event
	Severity *[]SeverityLevel `json:"severity,omitempty"`
}

Query parameters to get audit logs.

type MacRequest

// MacRequest is a request to compute a MAC over Data with the referenced key.
type MacRequest struct {
	// Reference to the sobject with which to compute a MAC.
	// This can be a key ID, key name, or a transient key blob.
	Key *SobjectDescriptor `json:"key,omitempty"`
	// The hash algorithm to use when computing an HMAC. Irrelevant
	// if computing a CMAC.
	Alg *DigestAlgorithm `json:"alg,omitempty"`
	// The data for which to generate a MAC
	Data Blob `json:"data"`
}

Request to compute a MAC.

type MacResponse

// MacResponse is the response to a MacRequest; it carries the MAC generated for the input data.
type MacResponse struct {
	// The ID of the key used to compute the MAC. Returned for
	// non-transient keys
	Kid *UUID `json:"kid,omitempty"`
	// MAC generated for the input data
	Mac Blob `json:"mac"`
}

Response of a MAC verification request.

type MarketplacePlugin added in v0.2.6

// MarketplacePlugin describes a plugin offered by a marketplace repository.
//
// NOTE(review): encoding/json only accepts map keys that are strings, integers, or
// types implementing encoding.TextMarshaler/TextUnmarshaler. PluginVersion is listed
// with MarshalJSON/UnmarshalJSON only, so (de)serializing Versions may fail unless a
// TextMarshaler is defined elsewhere — confirm.
type MarketplacePlugin struct {
	// Plugin name.
	Name     string                    `json:"name"`
	// Available versions; the meaning of the optional string value is not documented here.
	Versions map[PluginVersion]*string `json:"versions"`
}

type Metadata added in v0.2.6

// Metadata carries the counts returned alongside a listing (see ListSobjectsResponse.Md).
type Metadata struct {
	// Total number of objects.
	TotalCount    *uint `json:"total_count,omitempty"`
	// Number of objects matching the filter.
	FilteredCount *uint `json:"filtered_count,omitempty"`
}

type MetadataDurationConstraint added in v0.2.6

// MetadataDurationConstraint is a policy constraint on a date-valued metadata field:
// the field is either forbidden or required within an allowed duration range.
// No json tags: encoding is handled by the MarshalJSON/UnmarshalJSON methods declared
// on this type. Presumably exactly one variant is set — confirm in MarshalJSON.
type MetadataDurationConstraint struct {
	// Set when the field must not be specified.
	Forbidden *struct{}
	// Set when the field must be specified; carries the allowed range.
	Required  *MetadataDurationConstraintRequired
}

func (MetadataDurationConstraint) MarshalJSON added in v0.2.6

func (x MetadataDurationConstraint) MarshalJSON() ([]byte, error)

func (*MetadataDurationConstraint) UnmarshalJSON added in v0.2.6

func (x *MetadataDurationConstraint) UnmarshalJSON(data []byte) error

type MetadataDurationConstraintRequired added in v0.2.6

// MetadataDurationConstraintRequired is the "required" variant of MetadataDurationConstraint.
type MetadataDurationConstraintRequired struct {
	// If specified, the value (typically a date) is restricted to be in a
	// range expressed in terms of duration with respect to some known point
	// in time. For example, if we specify min = 30 days and max = 180 days
	// for `deactivation_date`, then the user must specify a deactivation date
	// that is within 30 and 180 days of security object's creation time.
	AllowedValues *RestrictedDuration `json:"allowed_values,omitempty"`
}

type MetadataPolicyItem added in v0.2.6

// MetadataPolicyItem groups the constraints a policy imposes on security object metadata fields.
type MetadataPolicyItem struct {
	// Constraints on custom metadata, keyed by metadata field name.
	CustomMetadata map[string]MetadataStringConstraint `json:"custom_metadata"`
	// Optional constraint on the description field.
	Description    *MetadataStringConstraint           `json:"description,omitempty"`
	// If a restricted duration is specified, it is enforced w.r.t object creation time.
	DeactivationDate *MetadataDurationConstraint `json:"deactivation_date,omitempty"`
	// If a restricted duration is specified, it is enforced w.r.t object creation time.
	// NOTE: Specifying a minimum duration for this field may not be a good
	// idea since it would not be possible to create a key and start using it
	// immediately in the affected group(s).
	ActivationDate *MetadataDurationConstraint `json:"activation_date,omitempty"`
}

type MetadataStringConstraint added in v0.2.6

// MetadataStringConstraint is a policy constraint on a string-valued metadata field:
// the field is either forbidden or required subject to MetadataStringConstraintRequired.
// No json tags: encoding is handled by the MarshalJSON/UnmarshalJSON methods declared
// on this type. Presumably exactly one variant is set — confirm in MarshalJSON.
type MetadataStringConstraint struct {
	// Set when the field must not be specified.
	Forbidden *struct{}
	// Set when the field must be specified; carries the value restrictions.
	Required  *MetadataStringConstraintRequired
}

func (MetadataStringConstraint) MarshalJSON added in v0.2.6

func (x MetadataStringConstraint) MarshalJSON() ([]byte, error)

func (*MetadataStringConstraint) UnmarshalJSON added in v0.2.6

func (x *MetadataStringConstraint) UnmarshalJSON(data []byte) error

type MetadataStringConstraintRequired added in v0.2.6

// MetadataStringConstraintRequired is the "required" variant of MetadataStringConstraint.
type MetadataStringConstraintRequired struct {
	// If set to `true`, the value must have a length > 0 after trimming
	// leading and trailing whitespace characters.
	NonEmptyAfterTrim *bool `json:"non_empty_after_trim,omitempty"`
	// If not specified or empty, it will not impose any restrictions on the value.
	AllowedValues *[]string `json:"allowed_values,omitempty"`
}

type MfaAuthMethod added in v0.4.0

// MfaAuthMethod selects a second-factor authentication method; only FIDO2 is
// represented here. No json tags: encoding is handled by the MarshalJSON/UnmarshalJSON
// methods declared on this type.
type MfaAuthMethod struct {
	// FIDO2 challenge data.
	Fido2 *MfaAuthMethodFido2
}

func (MfaAuthMethod) MarshalJSON added in v0.4.0

func (x MfaAuthMethod) MarshalJSON() ([]byte, error)

func (*MfaAuthMethod) UnmarshalJSON added in v0.4.0

func (x *MfaAuthMethod) UnmarshalJSON(data []byte) error

type MfaAuthMethodFido2 added in v0.4.0

// MfaAuthMethodFido2 carries what a client needs to complete a FIDO2 second-factor step.
type MfaAuthMethodFido2 struct {
	// Options to be used as inputs to navigator.credentials.get() (see PublicKeyCredentialRequestOptions).
	Challenge      PublicKeyCredentialRequestOptions `json:"challenge"`
	// Opaque token associated with this challenge; presumably echoed back with the
	// assertion — confirm. Treat as a secret: do not log or persist it.
	ChallengeToken Blob                              `json:"challenge_token"`
	// Devices registered for the user that may satisfy the challenge.
	MfaDevices     []MfaDevice                       `json:"mfa_devices"`
}

type MfaChallengeParams added in v0.2.6

// MfaChallengeParams holds the parameters for requesting an MFA challenge.
type MfaChallengeParams struct {
	// Protocol for the Mfa request. U2f is default
	// for backcompat.
	Protocol MfaProtocol `json:"protocol"`
}

Params for Mfa challenge.

type MfaChallengeResponse

// MfaChallengeResponse is the server's challenge, in the form selected by
// MfaChallengeParams.Protocol. No json tags: encoding is handled by the
// MarshalJSON/UnmarshalJSON methods declared on this type.
type MfaChallengeResponse struct {
	// Legacy U2F challenge.
	LegacyU2f *U2fMfaChallengeResponse
	// FIDO2 challenge.
	Fido2     *Fido2MfaChallengeResponse
}

func (MfaChallengeResponse) MarshalJSON added in v0.2.6

func (x MfaChallengeResponse) MarshalJSON() ([]byte, error)

func (*MfaChallengeResponse) UnmarshalJSON added in v0.2.6

func (x *MfaChallengeResponse) UnmarshalJSON(data []byte) error

type MfaDelDeviceRequest added in v0.2.6

// MfaDelDeviceRequest is a request to delete a registered FIDO device by name.
type MfaDelDeviceRequest struct {
	// Name of the FIDO device to delete.
	Name string `json:"name"`
}

Request to delete a FIDO device.

type MfaDevice added in v0.2.6

// MfaDevice is a FIDO device that may be used for second factor authentication.
type MfaDevice struct {
	// Name given to the FIDO device.
	Name string `json:"name"`
	// Type of the device, should be either fido2 or u2f (see the MfaDeviceType constants).
	Type MfaDeviceType `json:"type"`
	// Origin of the FIDO device.
	Origin *string `json:"origin,omitempty"`
}

A FIDO device that may be used for second factor authentication.

type MfaDeviceType added in v0.4.0

// MfaDeviceType is the type of an MFA device; see the MfaDeviceType* constants.
type MfaDeviceType string

Type of MFA device

// List of supported MfaDeviceType values. Note the wire values are capitalized,
// unlike the lowercase MfaProtocol values.
const (
	// U2F device.
	MfaDeviceTypeU2f   MfaDeviceType = "U2f"
	// FIDO2 device.
	MfaDeviceTypeFido2 MfaDeviceType = "Fido2"
)

List of supported MfaDeviceType values

type MfaProtocol added in v0.2.6

// MfaProtocol identifies the protocol used for an MFA challenge; see the MfaProtocol* constants.
type MfaProtocol string

Protocols for MFA.

// List of supported MfaProtocol values.
const (
	// U2f protocol. (deprecated — prefer MfaProtocolFido2 for new integrations)
	MfaProtocolU2f MfaProtocol = "u2f"
	// FIDO2 protocol.
	MfaProtocolFido2 MfaProtocol = "fido2"
)

List of supported MfaProtocol values

type MfaRenameDeviceRequest added in v0.2.6

// MfaRenameDeviceRequest is a request to rename a registered FIDO device.
type MfaRenameDeviceRequest struct {
	// Old name of FIDO device.
	OldName string `json:"old_name"`
	// New name of FIDO device.
	NewName string `json:"new_name"`
}

Request to rename a FIDO device.

type Mgf

// Mgf specifies the Mask Generating Function (MGF) to use. No json tags: encoding is
// handled by the MarshalJSON/UnmarshalJSON methods declared on this type.
type Mgf struct {
	// MGF1 algorithm
	Mgf1 *Mgf1
}

Specifies the Mask Generating Function (MGF) to use.

func (Mgf) MarshalJSON

func (x Mgf) MarshalJSON() ([]byte, error)

func (*Mgf) UnmarshalJSON

func (x *Mgf) UnmarshalJSON(data []byte) error

type Mgf1

// Mgf1 parameterizes the MGF1 mask generating function.
type Mgf1 struct {
	// Hash algorithm underlying MGF1.
	Hash DigestAlgorithm `json:"hash"`
}

MGF1 algorithm

type MgfPolicy

// MgfPolicy is the policy counterpart of Mgf, restricting which MGF may be used.
// No json tags: encoding is handled by the MarshalJSON/UnmarshalJSON methods declared on this type.
type MgfPolicy struct {
	// MGF1 policy.
	Mgf1 *MgfPolicyMgf1
}

MGF policy.

func (MgfPolicy) MarshalJSON

func (x MgfPolicy) MarshalJSON() ([]byte, error)

func (*MgfPolicy) UnmarshalJSON

func (x *MgfPolicy) UnmarshalJSON(data []byte) error

type MgfPolicyMgf1

// MgfPolicyMgf1 restricts the hash used with MGF1; Hash is optional here, unlike in Mgf1.
type MgfPolicyMgf1 struct {
	// Hash algorithm permitted for MGF1, if restricted.
	Hash *DigestAlgorithm `json:"hash,omitempty"`
}

type NotificationPref

// NotificationPref is a user's notification preference; see the NotificationPref* constants.
type NotificationPref string

Notification preferences.

// List of supported NotificationPref values.
const (
	NotificationPrefNone  NotificationPref = "None"
	NotificationPrefEmail NotificationPref = "Email"
	NotificationPrefPhone NotificationPref = "Phone"
	// Both email and phone.
	NotificationPrefBoth  NotificationPref = "Both"
)

List of supported NotificationPref values

type OauthAuthParamDisplay added in v0.4.0

// OauthAuthParamDisplay corresponds to the OpenID Connect `display` authentication request
// parameter; see the OauthAuthParamDisplay* constants.
type OauthAuthParamDisplay string

Corresponds to the `display` parameter in https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

// List of supported OauthAuthParamDisplay values.
const (
	// The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view
	OauthAuthParamDisplayPage OauthAuthParamDisplay = "page"
	// The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window.
	// The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.
	OauthAuthParamDisplayPopup OauthAuthParamDisplay = "popup"
	// The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.
	OauthAuthParamDisplayTouch OauthAuthParamDisplay = "touch"
	// The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display.
	// NOTE(review): OpenID Connect Core spells this value "wap"; the "wrap" here looks like
	// a typo — confirm which wire value the server accepts before relying on this constant.
	OauthAuthParamDisplayWap OauthAuthParamDisplay = "wrap"
)

List of supported OauthAuthParamDisplay values

type OauthAuthParamPrompt added in v0.4.0

// OauthAuthParamPrompt corresponds to the OpenID Connect `prompt` authentication request
// parameter; see the OauthAuthParamPrompt* constants.
type OauthAuthParamPrompt string

Corresponds to the `prompt` parameter in https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

// List of supported OauthAuthParamPrompt values.
const (
	// The Authorization Server SHOULD prompt the End-User for reauthentication.
	// If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.
	OauthAuthParamPromptLogin OauthAuthParamPrompt = "login"
	// The Authorization Server MUST NOT display any authentication or consent user interface pages.
	// An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request.
	// The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6.
	// This can be used as a method to check for existing authentication and/or consent.
	OauthAuthParamPromptNone OauthAuthParamPrompt = "none"
	// The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client.
	// If it cannot obtain consent, it MUST return an error, typically consent_required.
	OauthAuthParamPromptConsent OauthAuthParamPrompt = "consent"
	// The Authorization Server SHOULD prompt the End-User to select a user account.
	// This enables an End-User who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current sessions for.
	// If it cannot obtain an account selection choice made by the End-User, it MUST return an error, typically account_selection_required.
	OauthAuthParamPromptSelectAccount OauthAuthParamPrompt = "select_account"
)

List of supported OauthAuthParamPrompt values

type OauthAuthenticationParameters added in v0.4.0

// OauthAuthenticationParameters holds the optional parameters for an OpenID Connect
// Authentication Request (prompt, display, max_age).
type OauthAuthenticationParameters struct {
	// Specifies whether the Authorization Server prompts the End-User for reauthentication and consent
	Prompt *[]OauthAuthParamPrompt `json:"prompt,omitempty"`
	// Specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User
	Display *OauthAuthParamDisplay `json:"display,omitempty"`
	// Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP.
	// If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User
	MaxAge *uint64 `json:"max_age,omitempty"`
}

Parameters for the OpenID Connect Authentication Request https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

type OauthCodeData added in v0.2.6

// OauthCodeData carries an OAuth authorization code back to DSM together with the
// identity provider it came from. Code is a short-lived credential: do not log it.
type OauthCodeData struct {
	// Identifier of the identity provider that issued the code.
	IdpID Blob   `json:"idp_id"`
	// The authorization code.
	Code  string `json:"code"`
	// Email of the authenticating user.
	Email string `json:"email"`
}

type OauthScope

// OauthScope is an OAuth scope; see the OauthScope* constants.
type OauthScope string

OAuth scope.

// List of supported OauthScope values.
const (
	// DSM-specific scope allowing the app to act on the user's behalf (see PrincipalUserViaApp).
	OauthScopeApp     OauthScope = "app"
	// Standard OpenID Connect scopes.
	OauthScopeOpenID  OauthScope = "openid"
	OauthScopeEmail   OauthScope = "email"
	OauthScopeProfile OauthScope = "profile"
)

List of supported OauthScope values

type ObjectCounts

// ObjectCounts reports the number of objects of each kind in an account.
type ObjectCounts struct {
	Groups        uint64 `json:"groups"`
	Apps          uint64 `json:"apps"`
	Users         uint64 `json:"users"`
	Plugins       uint64 `json:"plugins"`
	// Security objects.
	Sobjects      uint64 `json:"sobjects"`
	ChildAccounts uint64 `json:"child_accounts"`
}

Counts of objects of various types in an account.

type ObjectDigestRequest

// ObjectDigestRequest is a request to compute the digest of a key.
type ObjectDigestRequest struct {
	// Uniquely identifies a security object.
	Key SobjectDescriptor `json:"key"`
	// Digest algorithm
	Alg DigestAlgorithm `json:"alg"`
}

Request to compute digest of a key.

type ObjectDigestResponse

// ObjectDigestResponse is the digest of a key, as returned for an ObjectDigestRequest.
type ObjectDigestResponse struct {
	// UUID, only displayed for persistent keys.
	Kid *UUID `json:"kid,omitempty"`
	// Digest value
	Digest Blob `json:"digest"`
}

Digest of a key.

type ObjectOrigin

// ObjectOrigin records where a security object was created or generated; see the ObjectOrigin* constants.
type ObjectOrigin string

The origin of a security object - where it was created / generated.

// List of supported ObjectOrigin values.
const (
	// Generated inside the Fortanix HSM.
	ObjectOriginFortanixHSM ObjectOrigin = "FortanixHSM"
	// Transient (not persisted) object.
	ObjectOriginTransient   ObjectOrigin = "Transient"
	// Imported from outside the HSM.
	ObjectOriginExternal    ObjectOrigin = "External"
)

List of supported ObjectOrigin values

type ObjectType

// ObjectType is the type of a security object; see the ObjectType* constants.
type ObjectType string

Type of security object.

// List of supported ObjectType values. Wire values are upper-case strings.
const (
	ObjectTypeAes         ObjectType = "AES"
	ObjectTypeAria        ObjectType = "ARIA"
	ObjectTypeDes         ObjectType = "DES"
	ObjectTypeDes3        ObjectType = "DES3"
	ObjectTypeSeed        ObjectType = "SEED"
	ObjectTypeRsa         ObjectType = "RSA"
	ObjectTypeDsa         ObjectType = "DSA"
	ObjectTypeEc          ObjectType = "EC"
	ObjectTypeKcdsa       ObjectType = "KCDSA"
	ObjectTypeEcKcdsa     ObjectType = "ECKCDSA"
	ObjectTypeBip32       ObjectType = "BIP32"
	ObjectTypeBls         ObjectType = "BLS"
	// Opaque object; see OpaqueOptions.
	ObjectTypeOpaque      ObjectType = "OPAQUE"
	ObjectTypeHmac        ObjectType = "HMAC"
	// Beta (non-final) algorithm variants.
	ObjectTypeLedaBeta    ObjectType = "LEDABETA"
	ObjectTypeRound5Beta  ObjectType = "ROUND5BETA"
	ObjectTypeSecret      ObjectType = "SECRET"
	// Hash-based signature key; see LmsOptions.
	ObjectTypeLms         ObjectType = "LMS"
	ObjectTypeCertificate ObjectType = "CERTIFICATE"
	ObjectTypePbe         ObjectType = "PBE"
)

List of supported ObjectType values

type OpaqueOptions added in v0.2.6

// OpaqueOptions holds the (currently empty) options for opaque security objects.
type OpaqueOptions struct {
}

type Order

// Order specifies the sort order of returned objects; see OrderAscending and OrderDescending.
type Order string

Order specifies sort order of objects returned

// List of values for Order. Note the leading colon in the wire values; presumably they
// are appended to a sort key by the caller — confirm against the API.
const (
	OrderAscending  Order = ":asc"
	OrderDescending Order = ":desc"
)

List of values for Order

type OuterEsBucket added in v0.2.6

// OuterEsBucket is one bucket of an aggregation result ("Es" presumably refers to
// Elasticsearch — confirm against the API that produces it).
type OuterEsBucket struct {
	// Number of documents in the bucket.
	DocCount    uint64     `json:"doc_count"`
	// Bucket key as a number, and the same key rendered as a string.
	Key         uint64     `json:"key"`
	KeyAsString string     `json:"key_as_string"`
	// Transaction totals for the bucket.
	TotalTxn    EsTotalTxn `json:"total_txn"`
}

type PasswordChangeRequest

// PasswordChangeRequest is a request to change the calling user's password.
// Both fields are secrets: do not log, trace or persist instances of this struct.
type PasswordChangeRequest struct {
	// The user's current password, used to authorize the change.
	CurrentPassword string `json:"current_password"`
	// The password to set.
	NewPassword     string `json:"new_password"`
}

Request to change user's password.

type PasswordResetRequest

// PasswordResetRequest is a request to perform a password reset using a reset token.
// Both fields are secrets: do not log, trace or persist instances of this struct.
type PasswordResetRequest struct {
	// Token issued for the reset; presumably single-use and time-limited — confirm.
	ResetToken  string `json:"reset_token"`
	// The password to set.
	NewPassword string `json:"new_password"`
}

Request to perform a password reset.

type PersistTransientKeyRequest

// PersistTransientKeyRequest is a request to persist a transient key as a named security object.
type PersistTransientKeyRequest struct {
	// Intended activation date of the security object.
	ActivationDate *Time `json:"activation_date,omitempty"`
	// Intended deactivation date of the security object.
	DeactivationDate *Time `json:"deactivation_date,omitempty"`
	// Name of the persisted security object. Security object names must be unique within an account.
	Name string `json:"name"`
	// User-defined readable description
	Description *string `json:"description,omitempty"`
	// User-defined metadata for the persisted key stored as key-value pairs.
	CustomMetadata *map[string]string `json:"custom_metadata,omitempty"`
	// Whether the new security object should be enabled. Disabled security objects may not perform cryptographic operations.
	Enabled *bool `json:"enabled,omitempty"`
	// Group ID of the security group that the persisted key should belong to. The user or
	// application creating this security object must be a member of this group. If no group is
	// specified, the default group for the requesting application will be used.
	GroupID *UUID `json:"group_id,omitempty"`
	// Intended initial state of the key
	State *SobjectState `json:"state,omitempty"`
	// Transient key to persist (the blob previously returned for a transient key).
	TransientKey Blob `json:"transient_key"`
}

Request to persist a transient key.

type Pkcs11ClientConfig added in v0.2.6

// Pkcs11ClientConfig holds compatibility and limit settings for PKCS#11 clients.
// The individual flags are not documented here; their semantics should be confirmed
// against the DSM API reference before changing them.
type Pkcs11ClientConfig struct {
	FakeRsaX931KeygenSupport        *bool `json:"fake_rsa_x9_31_keygen_support,omitempty"`
	SigningAesKeyAsHmac             *bool `json:"signing_aes_key_as_hmac,omitempty"`
	ExactKeyOps                     *bool `json:"exact_key_ops,omitempty"`
	PreventDuplicateOpaqueObjects   *bool `json:"prevent_duplicate_opaque_objects,omitempty"`
	OpaqueObjectsAreNotCertificates *bool `json:"opaque_objects_are_not_certificates,omitempty"`
	// Concurrency limit per PKCS#11 slot.
	MaxConcurrentRequestsPerSlot    *uint `json:"max_concurrent_requests_per_slot,omitempty"`
}

type Plugin

// Plugin describes a plugin as stored in DSM. Source contains the plugin's code, which
// runs server-side; treat it as privileged configuration.
type Plugin struct {
	// The id of the Account that the plugin belongs to.
	AcctID UUID `json:"acct_id"`
	// Timestamp when the plugin was created.
	CreatedAt Time `json:"created_at"`
	// Creator of the plugin.
	Creator Principal `json:"creator"`
	// The default group a plugin belongs to.
	DefaultGroup UUID `json:"default_group"`
	// Description of the plugin.
	Description *string `json:"description,omitempty"`
	// Is plugin enabled.
	Enabled bool `json:"enabled"`
	// Timestamp when the plugin was most recently used.
	LastrunAt *Time `json:"lastrun_at,omitempty"`
	// Timestamp when the plugin was most recently updated.
	LastupdatedAt Time `json:"lastupdated_at"`
	// If a requester is updating/using a Plugin they must have the relevant
	// permissions in all Groups that Plugin has access to. But for legacy Plugins,
	// the requester is required to have relevant permissions in any one of the groups
	// that Plugin has access to.
	LegacyAccess bool `json:"legacy_access"`
	// Name of the plugin, which must be unique within an account.
	Name string `json:"name"`
	// Unique id to identify a plugin.
	PluginID UUID `json:"plugin_id"`
	// Type of plugin.
	PluginType PluginType `json:"plugin_type"`
	// Source of plugin. It contains language & source code of plugin. In case of marketplace plugin repo_url & version as well
	Source PluginSource `json:"source"`
	// Set of all the groups that plugin is part of.
	Groups []UUID `json:"groups"`
}

type PluginOutput

// PluginOutput is the raw output returned by the InvokePlugin operation; use HasValue
// to test for a result and Parse to decode it into a typed value.
type PluginOutput []byte

PluginOutput is returned by the InvokePlugin operation

func (PluginOutput) HasValue

func (po PluginOutput) HasValue() bool

HasValue returns true if plugin returned any value

func (PluginOutput) Parse

func (po PluginOutput) Parse(output interface{}) error

Parse the plugin output as the desired type

type PluginRequest

// PluginRequest is the request body for creating or updating a plugin; every field is optional.
type PluginRequest struct {
	// The default group a plugin belongs to.
	DefaultGroup *UUID `json:"default_group,omitempty"`
	// Description of the plugin.
	Description *string `json:"description,omitempty"`
	// Is plugin enabled.
	Enabled *bool `json:"enabled,omitempty"`
	// Name of the plugin, which must be unique within an account.
	Name *string `json:"name,omitempty"`
	// Type of plugin.
	PluginType *PluginType `json:"plugin_type,omitempty"`
	// Request to get source of plugin.
	SourceReq *PluginSourceRequest `json:"source,omitempty"`
	// Groups to add the plugin to (inferred from the name and json tag — confirm).
	AddGroups *[]UUID `json:"add_groups,omitempty"`
	// Groups to remove the plugin from (inferred from the name and json tag — confirm).
	DelGroups *[]UUID `json:"del_groups,omitempty"`
	// Groups whose membership settings are modified (inferred from the name and json tag — confirm).
	ModGroups *[]UUID `json:"mod_groups,omitempty"`
}

type PluginSort

// PluginSort selects the sorting order for listed plugins. No json tag on the field;
// how it is encoded is not shown here.
type PluginSort struct {
	// Sort plugins by Plugin Id.
	ByPluginID *PluginSortByPluginId
}

Sorting order on listed Plugins.

type PluginSortByPluginId

// PluginSortByPluginId sorts plugins by plugin ID, optionally starting after a given ID.
type PluginSortByPluginId struct {
	// Order of sorting(Ascending/Descending).
	Order Order `json:"order"`
	// Starting offset(UUID of plugin).
	Start *UUID `json:"start,omitempty"`
}

Sort plugins by Plugin Id.

type PluginSource

// PluginSource is the plugin code that will be executed inside an SGX enclave, either
// fetched from a repository or given inline. No json tags: encoding is handled by the
// MarshalJSON/UnmarshalJSON methods declared on this type.
type PluginSource struct {
	// Code obtained from a marketplace repository.
	FromRepo *PluginSourceFromRepo
	// Code supplied directly.
	Inline   *PluginSourceInline
}

Plugin code that will be executed inside an SGX enclave.

func (PluginSource) MarshalJSON

func (x PluginSource) MarshalJSON() ([]byte, error)

func (*PluginSource) UnmarshalJSON

func (x *PluginSource) UnmarshalJSON(data []byte) error

type PluginSourceFromRepo

// PluginSourceFromRepo is plugin code that was obtained from a marketplace repository.
type PluginSourceFromRepo struct {
	// Repository the plugin was fetched from.
	RepoURL  string        `json:"repo_url"`
	// Plugin name within the repository.
	Name     string        `json:"name"`
	// Plugin version within the repository.
	Version  PluginVersion `json:"version"`
	// Language of Code.
	Language Language      `json:"language"`
	// The plugin source code itself.
	Code     string        `json:"code"`
}

type PluginSourceInline

// PluginSourceInline is plugin code supplied directly rather than from a repository.
type PluginSourceInline struct {
	// Language of Code.
	Language Language `json:"language"`
	// The plugin source code itself.
	Code     string   `json:"code"`
}

type PluginSourceRequest

// PluginSourceRequest is the request-side counterpart of PluginSource: either a reference
// to a repository plugin or inline code. No json tags: encoding is handled by the
// MarshalJSON/UnmarshalJSON methods declared on this type.
type PluginSourceRequest struct {
	// Fetch the code from a marketplace repository.
	FromRepo *PluginSourceRequestFromRepo
	// Supply the code directly.
	Inline   *PluginSourceRequestInline
}

func (PluginSourceRequest) MarshalJSON

func (x PluginSourceRequest) MarshalJSON() ([]byte, error)

func (*PluginSourceRequest) UnmarshalJSON

func (x *PluginSourceRequest) UnmarshalJSON(data []byte) error

type PluginSourceRequestFromRepo

// PluginSourceRequestFromRepo asks DSM to fetch a plugin from a marketplace repository.
// Note the json tag is "plugin_name" here, whereas PluginSourceFromRepo uses "name".
type PluginSourceRequestFromRepo struct {
	// Repository to fetch from.
	RepoURL    string        `json:"repo_url"`
	// Plugin name within the repository.
	PluginName string        `json:"plugin_name"`
	// Plugin version to fetch.
	Version    PluginVersion `json:"version"`
}

type PluginSourceRequestInline

// PluginSourceRequestInline supplies plugin code directly in the request.
type PluginSourceRequestInline struct {
	// Language of Code.
	Language Language `json:"language"`
	// The plugin source code to install.
	Code     string   `json:"code"`
}

type PluginType

// PluginType is the type of a plugin; see the PluginType* constants.
type PluginType string

Type of a plugin.

// List of supported PluginType values.
const (
	PluginTypeStandard        PluginType = "STANDARD"
	// Impersonating plugins act on behalf of the caller; the exact privilege model is
	// not documented here — confirm against the DSM reference.
	PluginTypeImpersonating   PluginType = "IMPERSONATING"
	PluginTypeCustomAlgorithm PluginType = "CUSTOMALGORITHM"
)

List of supported PluginType values

type PluginVersion

// PluginVersion is a major.minor plugin version. No json tags: encoding is handled by the
// MarshalJSON/UnmarshalJSON methods declared on *PluginVersion.
//
// NOTE(review): because MarshalJSON has a pointer receiver, encoding/json only uses it
// when the value is addressable. A PluginVersion reached through a non-pointer struct
// value (e.g. json.Marshal(PluginSourceFromRepo{...})) is encoded as {"Major":..,"Minor":..}
// instead — marshal such structs by pointer.
type PluginVersion struct {
	Major uint64
	Minor uint64
}

func (*PluginVersion) MarshalJSON added in v0.2.6

func (x *PluginVersion) MarshalJSON() ([]byte, error)

func (*PluginVersion) UnmarshalJSON added in v0.2.6

func (x *PluginVersion) UnmarshalJSON(data []byte) error

type PreviousCredential added in v0.2.6

// PreviousCredential is an expired app credential that remains valid for a transitional
// period, allowing clients to roll credentials without an outage. Credential is secret
// material: do not log or persist it.
type PreviousCredential struct {
	// App authentication mechanisms.
	Credential AppCredential `json:"credential"`
	// Validity period of the App credentials.
	ValidUntil Time `json:"valid_until"`
}

Expired app-credentials that are still valid for a transitional period.

type Principal

// Principal is a security principal: the actor an action is attributed to. One variant
// is expected to be set; no json tags, encoding is handled by the MarshalJSON/UnmarshalJSON
// methods declared on this type.
type Principal struct {
	// An application, by its UUID.
	App    *UUID
	// A user, by their UUID.
	User   *UUID
	// A plugin, by its UUID.
	Plugin *UUID
	// UserViaApp signifies a user authorizing some app to act on its behalf through OAuth.
	UserViaApp *PrincipalUserViaApp
	// System signifies DSM itself performing certain actions, like automatic key scans.
	// This cannot be used for things like approval requests or session creation.
	System *struct{}
	// An unregistered user.
	UnregisteredUser *struct{}
}

A security principal.

func (Principal) MarshalJSON

func (x Principal) MarshalJSON() ([]byte, error)

func (*Principal) UnmarshalJSON

func (x *Principal) UnmarshalJSON(data []byte) error

type PrincipalUserViaApp

// PrincipalUserViaApp signifies a user authorizing some app to act on its behalf through
// OAuth; Scopes bounds what the app may do as that user.
type PrincipalUserViaApp struct {
	// The authorizing user.
	UserID UUID         `json:"user_id"`
	// OAuth scopes granted to the app.
	Scopes []OauthScope `json:"scopes"`
}

UserViaApp signifies a user authorizing some app to act on its behalf through OAuth.

type ProcessInviteRequest

// ProcessInviteRequest accepts and/or rejects pending invitations to join accounts.
type ProcessInviteRequest struct {
	// Optional list of account IDs to accept.
	Accepts *[]UUID `json:"accepts,omitempty"`
	// Optional list of account IDs to reject.
	Rejects *[]UUID `json:"rejects,omitempty"`
}

Accept/reject invitations to join account.

type PublicKeyCredentialAuthenticatorAssertionResponse added in v0.2.6

// PublicKeyCredentialAuthenticatorAssertionResponse is the client's answer to a FIDO2
// authentication (assertion) challenge.
//
// NOTE(review): the pointer fields below lack omitempty, unlike most optional fields in
// this package, so a nil pointer is sent as JSON null — confirm the server accepts that.
type PublicKeyCredentialAuthenticatorAssertionResponse struct {
	// Identifier of Credential
	// (Go convention would spell this ID, as in PublicKeyCredentialDescriptor; kept for compatibility.)
	Id string `json:"id"`
	// Type of credential
	Type     *PublicKeyCredentialType        `json:"type"`
	// The authenticator's assertion output.
	Response *AuthenticatorAssertionResponse `json:"response"`
	// This field contains client extension output entries produced by the extension’s client extension processing.
	ExtensionResults *AuthenticationExtensionsClientOutputs `json:"get_client_extension_results"`
}

type PublicKeyCredentialAuthenticatorAttestationResponse added in v0.2.6

// PublicKeyCredentialAuthenticatorAttestationResponse is the client's answer to a FIDO2
// registration (attestation) challenge.
//
// NOTE(review): Response is typed AuthenticatorAssertionResponse — the assertion type —
// although this is the attestation flow; confirm this matches the server's schema.
// Also, omitempty has no effect on non-pointer struct fields, so Response and
// ExtensionResults are always emitted.
type PublicKeyCredentialAuthenticatorAttestationResponse struct {
	// Identifier of the new credential.
	Id               Base64UrlSafe                         `json:"id,omitempty"`
	// Type of credential.
	Type             PublicKeyCredentialType               `json:"type,omitempty"`
	Response         AuthenticatorAssertionResponse        `json:"response,omitempty"`
	// Client extension outputs.
	ExtensionResults AuthenticationExtensionsClientOutputs `json:"get_client_extension_results,omitempty"`
}

type PublicKeyCredentialCreationOptions added in v0.2.6

// PublicKeyCredentialCreationOptions are the options DSM returns for credential
// registration, to be passed to navigator.credentials.create().
// <https://www.w3.org/TR/webauthn-2/#dictionary-makecredentialoptions>
type PublicKeyCredentialCreationOptions struct {
	// Additional relying party's attributes. See type level
	// doc for more info.
	Rp PublicKeyCredentialEntityForRp `json:"rp"`
	// Additional user's attributes. See type level doc for
	// more info.
	User PublicKeyCredentialEntityForUser `json:"user"`
	// A random base64url encoded string. This can be min 16 bytes
	// and max 64 bytes.
	Challenge Base64UrlSafe `json:"challenge"`
	// This member contains information about the desired properties of the
	// credential to be created. The sequence is ordered from most preferred
	// to least preferred.
	PubKeyCredParams []PublicKeyCredentialParameters `json:"pubKeyCredParams"`
	// The time for which response from the authenticator
	// would be awaited. This should only be a hint as per the spec.
	// This is in milliseconds.
	Timeout *uint64 `json:"timeout,omitempty"`
	// The existing creds mapped to the current user. This tells
	// the authenticator to not create multiple creds for the same
	// user.
	// NOTE: This isn't for U2F authenticators. For that, `appidExclude`
	// needs to be set instead.
	ExcludeCredentials []PublicKeyCredentialDescriptor `json:"excludeCredentials"`
	// The selection criteria that should be used for selecting
	// an authenticator.
	AuthenticatorSelection *AuthenticatorSelectionCriteria `json:"authenticatorSelection,omitempty"`
	// The way attestation should be conveyed to RP.
	// See type level doc for more info.
	Attestation AttestationConveyancePreference `json:"attestation"`
	// Registration extensions returned by DSM and should
	// be used as inputs to `navigator.credentials.create()`.
	//
	// Extensions are optional and can be ignored by clients
	// or authenticator. But as per the spec, if the extensions
	// are ignored, response of extensions must be empty and
	// if not ignored, then, response must not be empty.
	Extensions *AuthenticationExtensionsClientInputs `json:"extensions,omitempty"`
}

<https://www.w3.org/TR/webauthn-2/#dictionary-makecredentialoptions>

type PublicKeyCredentialDescriptor added in v0.2.6

// PublicKeyCredentialDescriptor identifies an existing credential. It is used in the
// registration options (to prevent duplicate credentials on the same authenticator)
// and in the authentication options (as the allowed credentials).
type PublicKeyCredentialDescriptor struct {
	// Type of credential.
	Type PublicKeyCredentialType `json:"type"`
	// Credential ID of the public key credential the
	// caller is referring to.
	ID Base64UrlSafe `json:"id"`
	// Hints by relying party on what transport client should
	// use to communicate with authenticator.
	Transports *[]AuthenticatorTransport `json:"transports,omitempty"`
}

Used in the registration response (to describe existing credentials) to prevent creation of duplicate credentials on the same authenticator. Used in authentication as the allowed credentials.

type PublicKeyCredentialEntityForRp added in v0.2.6

// PublicKeyCredentialEntityForRp describes the Relying Party in credential creation options.
type PublicKeyCredentialEntityForRp struct {
	// Name of the entity
	Name string `json:"name"`
	// <https://www.w3.org/TR/webauthn-2/#dictionary-rp-credential-params>
	// Optional RP attributes; note the json tag has no omitempty, so nil is sent as null.
	Entity *PublicKeyCredentialRpEntity `json:"entity"`
}

type PublicKeyCredentialEntityForUser added in v0.2.6

// PublicKeyCredentialEntityForUser describes the user in credential creation options.
type PublicKeyCredentialEntityForUser struct {
	// Name of the entity
	Name string `json:"name"`
	// User attributes; see PublicKeyCredentialUserEntity.
	Entity PublicKeyCredentialUserEntity `json:"entity"`
}

type PublicKeyCredentialParameters added in v0.2.6

// PublicKeyCredentialParameters names an acceptable credential type and signature algorithm.
// https://www.w3.org/TR/webauthn-2/#dictionary-credential-params
type PublicKeyCredentialParameters struct {
	// Type of credential.
	Type PublicKeyCredentialType `json:"type"`
	// An algorithm from IANA COSE Algorithms registry supported
	// by DSM as well.
	Alg COSEAlgorithmIdentifier `json:"alg"`
}

https://www.w3.org/TR/webauthn-2/#dictionary-credential-params

type PublicKeyCredentialRequestOptions added in v0.2.6

// PublicKeyCredentialRequestOptions are the options DSM returns for authentication,
// to be passed to navigator.credentials.get().
// <https://www.w3.org/TR/webauthn-2/#dictionary-assertion-options>
type PublicKeyCredentialRequestOptions struct {
	// This member contains the base64url encoding of the challenge
	// provided by the Relying Party
	Challenge Base64UrlSafe `json:"challenge"`
	// The time for which response from the authenticator
	// would be awaited. This should only be a hint as per the spec.
	// This is in milliseconds.
	Timeout *uint64 `json:"timeout,omitempty"`
	// This optional member specifies the relying party identifier
	// claimed by the caller. If omitted, its value will be the
	// CredentialsContainer object’s relevant settings object's
	// origin's effective domain.
	RpID *string `json:"rpId,omitempty"`
	// This OPTIONAL member contains a list of [PublicKeyCredentialDescriptor]
	// objects representing public key credentials acceptable to the caller,
	// in descending order of the caller’s preference (the first item in the
	// list is the most preferred credential, and so on down the list).
	AllowCredentials *[]PublicKeyCredentialDescriptor `json:"allowCredentials,omitempty"`
	// Authenticator should support user verification by
	// ways like pin code, biometrics, etc.
	UserVerification *UserVerificationRequirement `json:"userVerification,omitempty"`
	// Authentication extensions returned by DSM and should
	// be used as inputs to `navigator.credentials.get()`.
	//
	// Extensions are optional and can be ignored by clients
	// or authenticator. But as per the spec, if the extensions
	// are ignored, response of extensions must be empty and
	// if not ignored, then, response must not be empty.
	Extensions *AuthenticationExtensionsClientInputs `json:"extensions,omitempty"`
}

<https://www.w3.org/TR/webauthn-2/#dictionary-assertion-options>

type PublicKeyCredentialRpEntity added in v0.2.6

// PublicKeyCredentialRpEntity holds the Relying Party attributes used at credential creation.
// <https://www.w3.org/TR/webauthn-2/#dictionary-rp-credential-params>
type PublicKeyCredentialRpEntity struct {
	// A unique identifier for the Relying Party entity, which sets the RP ID.
	//
	// <https://www.w3.org/TR/webauthn-2/#CreateCred-DetermineRpId>
	ID *string `json:"id,omitempty"`
}

<https://www.w3.org/TR/webauthn-2/#dictionary-rp-credential-params>

type PublicKeyCredentialType added in v0.2.6

// PublicKeyCredentialType is a WebAuthn credential type; see PublicKeyCredentialTypePublicKey.
// https://www.w3.org/TR/webauthn-2/#enum-credentialType
type PublicKeyCredentialType string

https://www.w3.org/TR/webauthn-2/#enum-credentialType

This enum defines valid cred types.

const (
	// Public key credential. The only credential type defined by
	// WebAuthn Level 2 and the only one this package knows about.
	PublicKeyCredentialTypePublicKey PublicKeyCredentialType = "public-key"
)

List of supported PublicKeyCredentialType values

type PublicKeyCredentialUserEntity added in v0.2.6

// PublicKeyCredentialUserEntity describes the DSM user a WebAuthn
// credential is being registered for.
type PublicKeyCredentialUserEntity struct {
	// This is uuid of the user in DSM. But here, it is
	// in base64url format as required by fido server conformance
	// spec. This is the stable user handle; it is what links a
	// credential back to the DSM user.
	ID Base64UrlSafe `json:"id"`
	// Human friendly name intended only for display. Per the WebAuthn
	// spec it must not be used to identify the user for authentication
	// decisions; use ID for that.
	DisplayName string `json:"displayName"`
}

type PublishPublicKeyConfig

// PublishPublicKeyConfig is a tagged union (exactly one field is expected
// to be non-nil; MarshalJSON/UnmarshalJSON produce the wire form).
//
// Security note: when Enabled is set, the public key is served through the
// GetPublicKey API without any authentication, i.e. it becomes world
// readable. That is harmless for the key itself but does disclose the
// object's existence and, with ListPreviousVersion, its rotation history.
type PublishPublicKeyConfig struct {
	// Publish the public key; settings in PublishPublicKeyConfigEnabled.
	Enabled  *PublishPublicKeyConfigEnabled
	// Do not publish (the conservative default).
	Disabled *struct{}
}

If enabled, the public key will be available publicly (without authentication) through the GetPublicKey API.

func (PublishPublicKeyConfig) MarshalJSON

func (x PublishPublicKeyConfig) MarshalJSON() ([]byte, error)

func (*PublishPublicKeyConfig) UnmarshalJSON

func (x *PublishPublicKeyConfig) UnmarshalJSON(data []byte) error

type PublishPublicKeyConfigEnabled

// PublishPublicKeyConfigEnabled holds the options that apply when a public
// key is published (served without authentication).
type PublishPublicKeyConfigEnabled struct {
	// Additionally list the previous version of the key if not compromised.
	// Useful for verifiers that must still accept signatures made before a
	// rotation; the compromised-version exclusion is enforced server-side.
	ListPreviousVersion bool `json:"list_previous_version"`
}

type Quorum added in v0.2.6

// Quorum is an N-of-M approval policy: at least N of Members must approve.
// Because a QuorumPolicy member may itself be a Quorum, policies nest and
// can express arbitrary AND/OR approval trees.
type Quorum struct {
	// N is the number of Members whose approval is required. Presumably
	// the server rejects N == 0 or N > len(Members); not validated here.
	N       uint               `json:"n"`
	// Members are the principals (users, apps or nested quorums) whose
	// approval counts towards N.
	Members []QuorumPolicy     `json:"members"`
	// Config carries the authentication requirements placed on approvers
	// (ApprovalAuthConfig is declared elsewhere in this package).
	Config  ApprovalAuthConfig `json:"config"`
}

Quorum approval policy.

func (Quorum) MarshalJSON added in v0.2.6

func (x Quorum) MarshalJSON() ([]byte, error)

func (*Quorum) UnmarshalJSON added in v0.2.6

func (x *Quorum) UnmarshalJSON(data []byte) error

type QuorumGroupPermissions added in v0.2.6

type QuorumGroupPermissions uint64

Subset of GroupPermissions to represent GroupPermissions flags in use

// Each constant is a single bit (1 << iota). Because the values derive from
// declaration order, new flags must be appended at the end; inserting one in
// the middle silently renumbers everything below it. The wire encoding is
// string names, so only in-process code is affected by such a change.
const (
	QuorumGroupPermissionsGetSobjects QuorumGroupPermissions = 1 << iota
	QuorumGroupPermissionsRotateSobjects
	QuorumGroupPermissionsRevokeSobjects
	QuorumGroupPermissionsRevertSobjects
	QuorumGroupPermissionsDeleteKeyMaterial
	QuorumGroupPermissionsDeleteSobjects
	QuorumGroupPermissionsDestroySobjects
	QuorumGroupPermissionsMoveSobjects
	QuorumGroupPermissionsCreateSobjects
	QuorumGroupPermissionsUpdateSobjectsProfile
	QuorumGroupPermissionsUpdateSobjectsEnabledState
	QuorumGroupPermissionsUpdateSobjectPolicies
	QuorumGroupPermissionsActivateSobjects
	QuorumGroupPermissionsUpdateKeyOps
)

List of supported QuorumGroupPermissions values

func (QuorumGroupPermissions) MarshalJSON added in v0.2.6

func (x QuorumGroupPermissions) MarshalJSON() ([]byte, error)

MarshalJSON converts QuorumGroupPermissions to an array of strings

func (*QuorumGroupPermissions) UnmarshalJSON added in v0.2.6

func (x *QuorumGroupPermissions) UnmarshalJSON(data []byte) error

UnmarshalJSON converts array of strings to QuorumGroupPermissions

type QuorumPolicy added in v0.2.6

// QuorumPolicy is one node of an approval policy tree: either a nested
// Quorum or a single approving principal (user or app). Presumably exactly
// one of the three fields is set — confirm against the server's validation.
type QuorumPolicy struct {
	// Nested N-of-M sub-policy.
	Quorum *Quorum `json:"quorum,omitempty"`
	// A single user who may approve.
	User   *UUID   `json:"user,omitempty"`
	// A single app who may approve.
	App    *UUID   `json:"app,omitempty"`
}

Approval policy.

type RecoveryCodeAuthRequest

// RecoveryCodeAuthRequest completes second-factor authentication with one
// of the U2F recovery codes issued in RecoveryCodes.
type RecoveryCodeAuthRequest struct {
	// RecoveryCode is an authentication credential: treat it like a
	// password (do not log it, keep it out of error messages).
	RecoveryCode string `json:"recovery_code"`
}

Request to authenticate using U2F recovery code.

type RecoveryCodes

// RecoveryCodes carries the U2F recovery codes returned by the server.
// Each code is a standalone second-factor credential and must be stored as
// carefully as a password; anyone holding one can bypass the U2F device.
type RecoveryCodes struct {
	RecoveryCodes []string `json:"recovery_codes"`
}

U2F recovery codes.

type Removable added in v0.2.6

type Removable[T any] struct {
	// contains filtered or unexported fields
}

func (*Removable[T]) BuildStruct added in v0.2.6

func (r *Removable[T]) BuildStruct(value T) Removable[T]

func (Removable[T]) Get added in v0.2.6

func (r Removable[T]) Get() *T

func (*Removable[T]) MarshalJSON added in v0.2.6

func (r *Removable[T]) MarshalJSON() ([]byte, error)

func (*Removable[T]) RemoveVal added in v0.2.6

func (r *Removable[T]) RemoveVal() Removable[T]

func (*Removable[T]) UnmarshalJSON added in v0.2.6

func (r *Removable[T]) UnmarshalJSON(data []byte) error

type ResellerSubscriptionType added in v0.2.6

// ResellerSubscriptionType describes the limits and features of a reseller
// subscription. All fields are optional; a nil pointer means "not specified"
// (whether that implies "unlimited" is decided server-side — confirm).
type ResellerSubscriptionType struct {
	MaxPlugin          *uint32               `json:"max_plugin,omitempty"`
	MaxOperation       *uint64               `json:"max_operation,omitempty"`
	MaxTenant          *uint32               `json:"max_tenant,omitempty"`
	// Per-tenant limits, as opposed to the reseller-wide ones above.
	MaxTenantPlugin    *uint32               `json:"max_tenant_plugin,omitempty"`
	MaxTenantOperation *uint64               `json:"max_tenant_operation,omitempty"`
	PackageName        *string               `json:"package_name,omitempty"`
	Features           *SubscriptionFeatures `json:"features,omitempty"`
	AddOns             *map[string]string    `json:"add_ons,omitempty"`
	TenantFeatures     *SubscriptionFeatures `json:"tenant_features,omitempty"`
}

Reseller subscription type

type ResidentKeyRequirement added in v0.2.6

type ResidentKeyRequirement string

<https://www.w3.org/TR/webauthn-2/#enum-residentKeyRequirement>

Tells the Relying Party's requirement regarding client-side discoverable credentials (formerly known as resident keys). If client-side discoverable credentials are present, the authenticator is self-sufficient in identifying the user. If not, the user needs to log in first so that the server can identify the user and send `allowCredentials` to the authenticator.

This is mostly meant for [username-less] authentication (which we don't support in DSM). We support 2FA where we already know about the logged in user.

[username-less]: <https://groups.google.com/a/fidoalliance.org/g/fido-dev/c/ALQj3JXuyhs>

const (
	// Indicates that the relying party "prefers"
	// that client-side discoverable creds aren't
	// created. The natural choice for DSM's 2FA use.
	ResidentKeyRequirementDiscouraged ResidentKeyRequirement = "discouraged"
	// Indicates that relying party prefers resident
	// keys, but will accept a credential without one.
	ResidentKeyRequirementPreferred ResidentKeyRequirement = "preferred"
	// Indicates that relying party requires resident
	// keys; registration fails on an authenticator that cannot store one.
	ResidentKeyRequirementRequired ResidentKeyRequirement = "required"
)

List of supported ResidentKeyRequirement values

type RestrictedDuration added in v0.2.6

// RestrictedDuration bounds a duration to an optional [Min, Max] range.
// A nil bound means that side is unconstrained.
type RestrictedDuration struct {
	Min *TimeSpan `json:"min,omitempty"`
	Max *TimeSpan `json:"max,omitempty"`
}

type RevertRequest added in v0.2.6

// RevertRequest asks the server to revert security objects to an earlier
// state. Ids presumably refer to the items to revert (see Sobject.History
// for the states that can be reverted to) — confirm against the API docs.
type RevertRequest struct {
	Ids []UUID `json:"ids"`
}

type Reviewer

// Reviewer names a principal allowed to approve or deny an approval
// request, together with the step-up authentication it must perform.
type Reviewer struct {
	// Entity is the approving user or app.
	Entity           ReviewerPrincipal `json:"entity"`
	// RequiresPassword: the reviewer presumably has to re-enter their
	// password when acting on the request (step-up auth) — confirm.
	RequiresPassword *bool             `json:"requires_password,omitempty"`
	// Requires2fa: likewise for a second factor. Both default to nil
	// (server default) when omitted.
	Requires2fa      *bool             `json:"requires_2fa,omitempty"`
}

Reviewer of an approval request.

func (Reviewer) MarshalJSON

func (x Reviewer) MarshalJSON() ([]byte, error)

func (*Reviewer) UnmarshalJSON

func (x *Reviewer) UnmarshalJSON(data []byte) error

type ReviewerPrincipal

// ReviewerPrincipal is a tagged union of the principal kinds that may
// review an approval request; exactly one field is expected to be set.
// The custom MarshalJSON/UnmarshalJSON produce the wire form.
type ReviewerPrincipal struct {
	App  *UUID
	User *UUID
}

A Principal who can approve or deny an approval request.

func (ReviewerPrincipal) MarshalJSON

func (x ReviewerPrincipal) MarshalJSON() ([]byte, error)

func (*ReviewerPrincipal) UnmarshalJSON

func (x *ReviewerPrincipal) UnmarshalJSON(data []byte) error

type RevocationReason

// RevocationReason records why a security object was revoked. It is
// retained with the object (see Sobject.RevocationReason) for audit.
type RevocationReason struct {
	Code RevocationReasonCode `json:"code"`
	// Message is used exclusively for audit trail/logging purposes and MAY contain additional
	// information about why the object was revoked. Do not place secrets in it.
	Message                 *string `json:"message,omitempty"`
	// When the compromise is believed to have happened (only meaningful for
	// the compromise reason codes). NOTE: the wire name is misspelled
	// ("occurance"); it is the server's contract, so do not "fix" the tag.
	CompromiseOccuranceDate *Time   `json:"compromise_occurance_date,omitempty"`
}

Reason for revoking a key.

type RevocationReasonCode

type RevocationReasonCode string

Reasons to revoke a security object.

const (
	RevocationReasonCodeUnspecified          RevocationReasonCode = "Unspecified"
	// The private key material is (suspected to be) compromised.
	RevocationReasonCodeKeyCompromise        RevocationReasonCode = "KeyCompromise"
	// The issuing CA's key is (suspected to be) compromised.
	RevocationReasonCodeCACompromise         RevocationReasonCode = "CACompromise"
	RevocationReasonCodeAffiliationChanged   RevocationReasonCode = "AffiliationChanged"
	// Replaced by a newer object; not a security incident.
	RevocationReasonCodeSuperseded           RevocationReasonCode = "Superseded"
	RevocationReasonCodeCessationOfOperation RevocationReasonCode = "CessationOfOperation"
	RevocationReasonCodePrivilegeWithdrawn   RevocationReasonCode = "PrivilegeWithdrawn"
)

List of supported RevocationReasonCode values

type Role added in v0.2.6

// Role is a named bundle of permissions scoped to either an account or a
// group (see Details / Kind).
type Role struct {
	CreatedAt     Time        `json:"created_at"`
	// Principal that created the role; useful for audit.
	Creator       Principal   `json:"creator"`
	Description   string      `json:"description"`
	// Permissions carried by the role (account- or group-level).
	Details       RoleDetails `json:"details"`
	// Kind duplicates which arm of Details is populated; optional on the wire.
	Kind          *RoleKind   `json:"kind,omitempty"`
	LastUpdatedAt Time        `json:"last_updated_at"`
	Name          string      `json:"name"`
	RoleID        UUID        `json:"role_id"`
	// Account the role belongs to.
	AcctID        UUID        `json:"acct_id"`
}

type RoleDetails added in v0.2.6

// RoleDetails is a tagged union of the permission sets a role can carry;
// exactly one arm is expected to be set. The custom JSON methods handle the
// wire encoding.
type RoleDetails struct {
	Account *AccountRole
	Group   *GroupRole
}

func (RoleDetails) MarshalJSON added in v0.2.6

func (x RoleDetails) MarshalJSON() ([]byte, error)

func (*RoleDetails) UnmarshalJSON added in v0.2.6

func (x *RoleDetails) UnmarshalJSON(data []byte) error

type RoleKind added in v0.2.6

// RoleKind says whether a role applies at account or at group scope.
type RoleKind string
const (
	RoleKindAccount RoleKind = "account"
	RoleKindGroup   RoleKind = "group"
)

List of supported RoleKind values

type RoleRequest added in v0.2.6

// RoleRequest creates or updates a role. Every field is optional so the
// same type can serve as a partial update; omitted fields are presumably
// left unchanged by the server on update — confirm.
type RoleRequest struct {
	Description *string      `json:"description,omitempty"`
	Details     *RoleDetails `json:"details,omitempty"`
	Name        *string      `json:"name,omitempty"`
}

type RoleSort added in v0.2.6

// RoleSort selects the ordering used when listing roles. Only sorting by
// role ID is available.
type RoleSort struct {
	ByRoleID *RoleSortByRoleId
}

type RoleSortByRoleId added in v0.2.6

// RoleSortByRoleId orders a role listing by role ID, optionally starting
// from a given ID (cursor-style paging).
type RoleSortByRoleId struct {
	Order Order `json:"order"`
	// First role ID to return; nil starts from the beginning.
	Start *UUID `json:"start,omitempty"`
}

type RotateCopiedKeys added in v0.2.6

// RotateCopiedKeys says which copies of a key are rotated together with the
// original: every external copy, or an explicit selection. Tagged union;
// exactly one field is expected to be set.
type RotateCopiedKeys struct {
	AllExternal *struct{}
	Select      *[]UUID
}

func (RotateCopiedKeys) MarshalJSON added in v0.2.6

func (x RotateCopiedKeys) MarshalJSON() ([]byte, error)

func (*RotateCopiedKeys) UnmarshalJSON added in v0.2.6

func (x *RotateCopiedKeys) UnmarshalJSON(data []byte) error

type RotationInterval added in v0.2.6

// RotationInterval is the period between automatic rotations, expressed in
// either days or months (tagged union; one field set).
type RotationInterval struct {
	IntervalDays   *uint32
	IntervalMonths *uint32
}

func (RotationInterval) MarshalJSON added in v0.2.6

func (x RotationInterval) MarshalJSON() ([]byte, error)

func (*RotationInterval) UnmarshalJSON added in v0.2.6

func (x *RotationInterval) UnmarshalJSON(data []byte) error

type RotationPolicy added in v0.2.6

// RotationPolicy configures automatic key rotation for a security object.
type RotationPolicy struct {
	// How often to rotate.
	Interval             *RotationInterval `json:"interval,omitempty"`
	// When the policy takes effect / the first rotation is scheduled.
	EffectiveAt          *Time             `json:"effective_at,omitempty"`
	// Deactivate the old key after rotation so it can no longer apply
	// protection (it can still be used to process existing data; see
	// SobjectStateDeactivated). Leaving this unset keeps the old key active.
	DeactivateRotatedKey *bool             `json:"deactivate_rotated_key,omitempty"`
	// Which copies of the key (e.g. in external KMSs) rotate along with it.
	RotateCopiedKeys     *RotateCopiedKeys `json:"rotate_copied_keys,omitempty"`
}

func (RotationPolicy) MarshalJSON added in v0.2.6

func (x RotationPolicy) MarshalJSON() ([]byte, error)

func (*RotationPolicy) UnmarshalJSON added in v0.2.6

func (x *RotationPolicy) UnmarshalJSON(data []byte) error

type RsaEncryptionPadding

// RsaEncryptionPadding selects the padding for an RSA encrypt/decrypt or
// key wrap/unwrap operation. Tagged union: exactly one field is expected to
// be set; MarshalJSON/UnmarshalJSON handle the wire form. Use the
// RsaEncryptionPaddingOAEPMGF1 / RsaEncryptionPaddingPKCS1V15 constructors.
type RsaEncryptionPadding struct {
	// Optimal Asymmetric Encryption Padding (PKCS#1 v2.1). The default
	// policy for new keys and the recommended choice.
	Oaep *RsaEncryptionPaddingOaep
	// PKCS#1 v1.5 padding. Strongly discouraged: susceptible to
	// Bleichenbacher's padding-oracle attack (see the type documentation).
	Pkcs1V15 *struct{}
	// RSA encryption without padding ("textbook" RSA). The raw operation is
	// deterministic and malleable, so this is only appropriate when the
	// caller applies and verifies a padding scheme itself. The name suggests
	// it is intended for the decrypt direction — confirm with the server docs.
	RawDecrypt *struct{}
}

Type of padding to use for RSA encryption. The use of PKCS#1 v1.5 padding is strongly discouraged, because of its susceptibility to Bleichenbacher's attack. The padding specified must adhere to the key's encryption policy. If not specified, the default based on the key's policy will be used.

func RsaEncryptionPaddingOAEPMGF1

func RsaEncryptionPaddingOAEPMGF1(hash DigestAlgorithm) RsaEncryptionPadding

RsaEncryptionPaddingOAEPMGF1 returns RSA encryption padding set to OAEP with MGF1 using the specified hash algorithm

func RsaEncryptionPaddingPKCS1V15

func RsaEncryptionPaddingPKCS1V15() RsaEncryptionPadding

RsaEncryptionPaddingPKCS1V15 returns RSA encryption padding set to PKCS#1 v1.5. This padding is strongly discouraged (see RsaEncryptionPadding: it is susceptible to Bleichenbacher's attack); prefer RsaEncryptionPaddingOAEPMGF1 unless interoperability forces v1.5.

func (RsaEncryptionPadding) MarshalJSON

func (x RsaEncryptionPadding) MarshalJSON() ([]byte, error)

func (*RsaEncryptionPadding) UnmarshalJSON

func (x *RsaEncryptionPadding) UnmarshalJSON(data []byte) error

type RsaEncryptionPaddingOaep

// RsaEncryptionPaddingOaep carries the OAEP parameters: the mask generation
// function (and through it the hash) to use.
type RsaEncryptionPaddingOaep struct {
	Mgf Mgf `json:"mgf"`
}

Optimal Asymmetric Encryption Padding (PKCS#1 v2.1).

type RsaEncryptionPaddingPolicy

// RsaEncryptionPaddingPolicy constrains which padding a key may be used
// with. Tagged union mirroring RsaEncryptionPadding; an empty Oaep policy
// allows any OAEP parameters, while listing Pkcs1V15 or RawDecrypt here
// explicitly opens the key up to those (weaker) modes.
type RsaEncryptionPaddingPolicy struct {
	Oaep       *RsaEncryptionPaddingPolicyOaep
	Pkcs1V15   *struct{}
	RawDecrypt *struct{}
}

RSA encryption padding policy.

func (RsaEncryptionPaddingPolicy) MarshalJSON

func (x RsaEncryptionPaddingPolicy) MarshalJSON() ([]byte, error)

func (*RsaEncryptionPaddingPolicy) UnmarshalJSON

func (x *RsaEncryptionPaddingPolicy) UnmarshalJSON(data []byte) error

type RsaEncryptionPaddingPolicyOaep

// RsaEncryptionPaddingPolicyOaep optionally restricts the MGF allowed with
// OAEP; nil allows any.
type RsaEncryptionPaddingPolicyOaep struct {
	Mgf *MgfPolicy `json:"mgf,omitempty"`
}

type RsaEncryptionPolicy

// RsaEncryptionPolicy is one entry of RsaOptions.EncryptionPolicy. A nil
// Padding (i.e. `{}`) matches any padding, including PKCS#1 v1.5 and raw.
type RsaEncryptionPolicy struct {
	Padding *RsaEncryptionPaddingPolicy `json:"padding,omitempty"`
}

Constraints on RSA encryption parameters. In general, if a constraint is not specified, anything is allowed.

type RsaOptions

// RsaOptions holds RSA-specific key parameters and the per-key usage
// policies that constrain which padding modes may be used with it.
type RsaOptions struct {
	// Size in bits (not bytes) of the RSA key. Specify on Create only. Returned on Get.
	KeySize *uint32 `json:"key_size,omitempty"`
	// Public exponent to use for generating the RSA key. Specify on Create only.
	PublicExponent *uint32 `json:"public_exponent,omitempty"`
	// Encryption policy for an RSA key. When doing an encryption or key wrapping operation, the
	// policies are evaluated against the specified parameters one by one. If one matches, the
	// operation is allowed. If none match, including if the policy list is empty, the operation
	// is disallowed. Missing optional parameters will have their defaults specified according to
	// the matched policy. The default for new keys is `[{"padding":{"OAEP":{}}]`.
	// If (part of) a constraint is not specified, anything is allowed for that constraint.
	// To impose no constraints, specify `[{}]`.
	//
	// Security note: `[{}]` also permits PKCS#1 v1.5 and raw (unpadded) RSA,
	// which the default OAEP-only policy deliberately excludes. Widen the
	// policy only for a documented interoperability need.
	EncryptionPolicy *[]RsaEncryptionPolicy `json:"encryption_policy,omitempty"`
	// Signature policy for an RSA key. When doing a signature operation, the policies are
	// evaluated against the specified parameters one by one. If one matches, the operation is
	// allowed. If none match, including if the policy list is empty, the operation is disallowed.
	// Missing optional parameters will have their defaults specified according to the matched
	// policy. The default for new keys is `[{}]` (no constraints).
	// If (part of) a constraint is not specified, anything is allowed for that constraint.
	SignaturePolicy  *[]RsaSignaturePolicy `json:"signature_policy,omitempty"`
	// Minimum key length in bits, presumably enforced as a policy floor
	// (e.g. by an account/group cryptographic policy) — confirm semantics.
	MinimumKeyLength *uint32               `json:"minimum_key_length,omitempty"`
}

RSA-specific options.

type RsaSignaturePadding

// RsaSignaturePadding selects the padding for an RSA signature. Tagged
// union: exactly one field is expected to be set; use the
// RsaSignaturePaddingPSSMGF1 / RsaSignaturePaddingPKCS1V15 constructors.
type RsaSignaturePadding struct {
	// Probabilistic Signature Scheme (PKCS#1 v2.1). The modern choice; note
	// PSS signatures are randomized and therefore not deterministic.
	Pss *RsaSignaturePaddingPss
	// PKCS#1 v1.5 padding. Deterministic; commonly kept only for
	// interoperability with verifiers that do not support PSS.
	Pkcs1V15 *struct{}
}

Type of padding to use for RSA signatures. The padding specified must adhere to the key's signature policy. If not specified, the default based on the key's policy will be used.

func RsaSignaturePaddingPKCS1V15

func RsaSignaturePaddingPKCS1V15() RsaSignaturePadding

RsaSignaturePaddingPKCS1V15 returns RSA signature padding set to PKCS#1 V1.5

func RsaSignaturePaddingPSSMGF1

func RsaSignaturePaddingPSSMGF1(hash DigestAlgorithm) RsaSignaturePadding

RsaSignaturePaddingPSSMGF1 returns RSA signature padding set to PSS with MGF1 using the specified hash algorithm

func (RsaSignaturePadding) MarshalJSON

func (x RsaSignaturePadding) MarshalJSON() ([]byte, error)

func (*RsaSignaturePadding) UnmarshalJSON

func (x *RsaSignaturePadding) UnmarshalJSON(data []byte) error

type RsaSignaturePaddingPolicy

// RsaSignaturePaddingPolicy constrains which signature padding a key may be
// used with. Tagged union mirroring RsaSignaturePadding.
type RsaSignaturePaddingPolicy struct {
	Pss      *RsaSignaturePaddingPolicyPss
	Pkcs1V15 *struct{}
}

RSA signature padding policy.

func (RsaSignaturePaddingPolicy) MarshalJSON

func (x RsaSignaturePaddingPolicy) MarshalJSON() ([]byte, error)

func (*RsaSignaturePaddingPolicy) UnmarshalJSON

func (x *RsaSignaturePaddingPolicy) UnmarshalJSON(data []byte) error

type RsaSignaturePaddingPolicyPss

// RsaSignaturePaddingPolicyPss optionally restricts the MGF allowed with
// PSS; nil allows any.
type RsaSignaturePaddingPolicyPss struct {
	Mgf *MgfPolicy `json:"mgf,omitempty"`
}

type RsaSignaturePaddingPss

// RsaSignaturePaddingPss carries the PSS parameters: the mask generation
// function (and through it the hash) to use.
type RsaSignaturePaddingPss struct {
	Mgf Mgf `json:"mgf"`
}

Probabilistic Signature Scheme (PKCS#1 v2.1).

type RsaSignaturePolicy

// RsaSignaturePolicy is one entry of RsaOptions.SignaturePolicy. A nil
// Padding (i.e. `{}`) matches any signature padding.
type RsaSignaturePolicy struct {
	Padding *RsaSignaturePaddingPolicy `json:"padding,omitempty"`
}

Constraints on RSA signature parameters. In general, if a constraint is not specified, anything is allowed.

type Scan added in v0.2.6

// Scan records one scan of objects held in a source HSM, DSM cluster or
// cloud KMS. A scan that is still running has no FinishedAt / ScanResult.
type Scan struct {
	// The ID of the scan.
	ScanID UUID `json:"scan_id"`
	// Whether the scan is async or not.
	IsAsync bool `json:"is_async"`
	// The time the scan began.
	StartedAt Time `json:"started_at"`
	// The time the scan finished. Nil while the scan is in progress.
	FinishedAt *Time `json:"finished_at,omitempty"`
	// The "return status" of the scan. Nil while the scan is in progress.
	ScanResult *ScanResult `json:"scan_result,omitempty"`
	// Any warnings thrown during the scan. Warnings do not by themselves
	// make the scan Failed; check ScanResult as well.
	Warnings *[]ScanWarning `json:"warnings,omitempty"`
}

An object for representing a scan of objects from a source HSM, DSM cluster, or cloud KMS.

type ScanHmgRequest added in v0.2.6

// ScanHmgRequest starts a scan of an HSM/KMS group. It currently carries no
// parameters; it exists so the request body is an explicit JSON object.
type ScanHmgRequest struct {
}

type ScanResult added in v0.2.6

// ScanResult is a tagged union: exactly one of Success / Failed is set.
// The custom JSON methods handle the wire encoding.
type ScanResult struct {
	// Indicates that a scan completed successfully.
	Success *struct{}
	// Indicates that a scan has failed. The most recent error is included
	// (taken from the last retry).
	Failed *ScanResultFailed
}

The result of a scan.

func (ScanResult) MarshalJSON added in v0.2.6

func (x ScanResult) MarshalJSON() ([]byte, error)

func (*ScanResult) UnmarshalJSON added in v0.2.6

func (x *ScanResult) UnmarshalJSON(data []byte) error

type ScanResultFailed added in v0.2.6

// ScanResultFailed carries the error text of the last failed attempt. The
// message is server-generated free text; do not parse it programmatically.
type ScanResultFailed struct {
	Message string `json:"message"`
}

Indicates that a scan has failed. The most recent error is included (taken from the last retry).

type ScanWarning added in v0.2.6

// ScanWarning is a non-fatal problem found while scanning. It may relate
// to the source key, the virtual key mapped to it, or (both nil) the scan
// as a whole.
type ScanWarning struct {
	// The ID of the source key for which the warning applies to.
	SourceKeyID *UUID `json:"source_key_id,omitempty"`
	// The ID of the virtual key for which the warning applies to.
	VirtualKeyID *UUID `json:"virtual_key_id,omitempty"`
	// The warning message associated with the warning.
	Message string `json:"message"`
}

A warning "thrown" by a scan.

type SecretOptions added in v0.2.6

// SecretOptions is reserved for options of ObjectType "Secret" objects;
// it currently has no fields.
type SecretOptions struct {
}

type Secs added in v0.2.6

type Secs = uint64

type SeedOptions added in v0.2.6

// SeedOptions holds options for seed-type security objects.
type SeedOptions struct {
	CipherMode *CipherMode `json:"cipher_mode,omitempty"`
	// Presumably whether the server generates a fresh random IV per
	// operation rather than taking a caller-supplied one — confirm.
	RandomIv   *bool       `json:"random_iv,omitempty"`
}

type SelectAccountRequest

// SelectAccountRequest binds the current session to one of the accounts the
// authenticated user belongs to.
type SelectAccountRequest struct {
	AcctID UUID `json:"acct_id"`
}

Request to select an account.

type SelectAccountResponse

// SelectAccountResponse is the server's reply to SelectAccountRequest.
type SelectAccountResponse struct {
	// Cookie is presumably the session cookie to present on subsequent
	// requests. It is a bearer credential: do not log it.
	Cookie *string `json:"cookie,omitempty"`
}

Response to select account request.

type ServerMode

type ServerMode string

Server execution mode.

const (
	// Software-only execution; no hardware isolation of key material.
	ServerModeSoftware ServerMode = "Software"
	// Presumably the server runs inside an Intel SGX enclave — confirm.
	ServerModeSgx      ServerMode = "Sgx"
)

List of supported ServerMode values

type SeverityLevel added in v0.2.6

// SeverityLevel is the severity of a server-reported message, in ascending
// order of seriousness.
type SeverityLevel string
const (
	SeverityLevelInfo     SeverityLevel = "INFO"
	SeverityLevelWarning  SeverityLevel = "WARNING"
	SeverityLevelError    SeverityLevel = "ERROR"
	SeverityLevelCritical SeverityLevel = "CRITICAL"
)

List of supported SeverityLevel values

type SignRequest

// SignRequest asks the server to sign data (or an already-computed hash)
// with an asymmetric key. The Hash/Data exclusivity is enforced by the
// server, not by this client.
type SignRequest struct {
	// Reference to the sobject to use for signing. This can be a key ID,
	// key name, or a transient key blob.
	Key *SobjectDescriptor `json:"key,omitempty"`
	// Hashing algorithm to use for signing. Required even when `hash` is
	// supplied, so the server knows how to encode the digest.
	HashAlg DigestAlgorithm `json:"hash_alg"`
	// Hashed data to be signed. Either `hash` or `data` should be specified;
	// it is an error to specify both or none. Signing a caller-supplied
	// hash means the server never sees the message; the key's
	// AllowSignHash setting governs whether this is permitted.
	Hash *Blob `json:"hash,omitempty"`
	// Data to be signed. Either `hash` or `data` should be specified; it is
	// an error to specify both or none.
	Data *Blob `json:"data,omitempty"`
	// Signature mechanism to use. Nil lets the key's policy pick the default.
	Mode *SignatureMode `json:"mode,omitempty"`
	// Whether signatures should be deterministic. Defaults to false. If
	// specified, the value must be compatible with the key's settings.
	DeterministicSignature *bool `json:"deterministic_signature,omitempty"`
}

Request to sign data (or hashed data) using an asymmetric key.

type SignResponse

// SignResponse is the result of a SignRequest.
type SignResponse struct {
	// The ID of the key used for signing. Returned for non-transient keys
	Kid *UUID `json:"kid,omitempty"`
	// Signed data (the raw signature bytes; encoding depends on the
	// key type and SignatureMode).
	Signature Blob `json:"signature"`
}

Response of a signing request.

type SignatureMode

// SignatureMode selects the signature mechanism. Currently only RSA padding
// selection is expressible; other key types take no mode.
type SignatureMode struct {
	// RSA Signature mechanism with padding
	Rsa *RsaSignaturePadding
}

Signature mechanism

func SignatureModeRSA

func SignatureModeRSA(mode RsaSignaturePadding) *SignatureMode

SignatureModeRSA returns SignatureMode set to the specified RSA signature padding

func (SignatureMode) MarshalJSON

func (x SignatureMode) MarshalJSON() ([]byte, error)

func (*SignatureMode) UnmarshalJSON

func (x *SignatureMode) UnmarshalJSON(data []byte) error

type SignupRequest

// SignupRequest registers a new user.
type SignupRequest struct {
	UserEmail         string  `json:"user_email"`
	// Sent in clear text inside the request body; confidentiality relies on
	// the TLS transport. Never log the marshalled request.
	UserPassword      string  `json:"user_password"`
	// reCAPTCHA token, if the deployment requires one for signup.
	RecaptchaResponse *string `json:"recaptcha_response,omitempty"`
	FirstName         *string `json:"first_name,omitempty"`
	LastName          *string `json:"last_name,omitempty"`
}

Request to signup a new user.

type Sobject

// Sobject is a security object (key, secret, certificate, ...) as returned
// by the server. Most fields are informational; the ones that can carry
// secret material (Value, TransientKey) are called out below.
type Sobject struct {
	// UUID of the account which the security object belongs to.
	AcctID UUID `json:"acct_id"`
	// Activation date of security object in seconds since EPOCH.
	ActivationDate *Time `json:"activation_date,omitempty"`
	// AES specific options.
	Aes *AesOptions `json:"aes,omitempty"`
	// Whether the sign operation response contains hash or data as output.
	// NOTE(review): the name suggests this controls whether a caller may
	// submit a pre-computed `hash` to sign (see SignRequest.Hash) rather
	// than describing the response — confirm against the server docs.
	AllowSignHash *bool `json:"allow_sign_hash,omitempty"`
	// ARIA specific options.
	Aria *AriaOptions `json:"aria,omitempty"`
	// BIP32 specific options.
	Bip32 *Bip32Options `json:"bip32,omitempty"`
	// BLS specific options.
	Bls *BlsOptions `json:"bls,omitempty"`
	// Whether this security object is compliant with cryptographic policies or not.
	CompliantWithPolicies *bool `json:"compliant_with_policies,omitempty"`
	// Compromise date of security object in seconds since EPOCH.
	CompromiseDate *Time `json:"compromise_date,omitempty"`
	// Timestamp at which the security object was created.
	CreatedAt Time `json:"created_at"`
	// DSM entity which created the security object.
	Creator Principal `json:"creator"`
	// User managed field for adding custom metadata to the security object.
	CustomMetadata *map[string]string `json:"custom_metadata,omitempty"`
	// Deactivation date of security object in seconds since EPOCH.
	DeactivationDate *Time `json:"deactivation_date,omitempty"`
	// Deletion date of security object in seconds since EPOCH.
	DeletionDate *Time `json:"deletion_date,omitempty"`
	// DES specific options.
	Des *DesOptions `json:"des,omitempty"`
	// DES3 specific options.
	Des3 *Des3Options `json:"des3,omitempty"`
	// Description of the security object.
	Description *string `json:"description,omitempty"`
	// Destruction date of security object in seconds since EPOCH.
	DestructionDate *Time `json:"destruction_date,omitempty"`
	// Optionally get deterministic signatures, if algorithm is EC or RSA.
	DeterministicSignatures *bool `json:"deterministic_signatures,omitempty"`
	// DSA specific options.
	Dsa *DsaOptions `json:"dsa,omitempty"`
	// ECKCDSA specific options.
	Eckcdsa *EcKcdsaOptions `json:"eckcdsa,omitempty"`
	// An aggregation of policies and permissions of the session creator for a security object.
	EffectiveKeyPolicy *EffectiveKeyPolicy `json:"effective_key_policy,omitempty"`
	// Identifies a standard elliptic curve.
	EllipticCurve *EllipticCurve `json:"elliptic_curve,omitempty"`
	// Whether this security object has cryptographic operations enabled.
	Enabled bool `json:"enabled"`
	// Information specific to an external KMS. Currently, it only has AWS related information.
	External *ExternalSobjectInfo `json:"external,omitempty"`
	// FPE specific options.
	Fpe *FpeOptions `json:"fpe,omitempty"`
	// Key Access Justifications for GCP EKM.
	// For more details: https://cloud.google.com/cloud-provider-access-management/key-access-justifications/docs/overview
	GoogleAccessReasonPolicy *GoogleAccessReasonPolicy `json:"google_access_reason_policy,omitempty"`
	// When a Key Undo Policy is in place, a list of (non-expired) history items is returned.
	// Each history item represents a past key state that can be reverted to.
	History *[]HistoryItem `json:"history,omitempty"`
	// KCDSA specific options.
	Kcdsa *KcdsaOptions `json:"kcdsa,omitempty"`
	// Key Checksum Value of the security object.
	Kcv *string `json:"kcv,omitempty"`
	// Operations allowed to be performed by a given key. This is the
	// per-object least-privilege control; keep it to what callers need.
	KeyOps KeyOperations `json:"key_ops"`
	// Key size of the security object in bits.
	KeySize *uint32 `json:"key_size,omitempty"`
	// Unique identifier of the security object.
	Kid *UUID `json:"kid,omitempty"`
	// Linked security objects.
	Links *KeyLinks `json:"links,omitempty"`
	// LMS specific options.
	Lms *LmsOptions `json:"lms,omitempty"`
	// Name of the security object.
	Name *string `json:"name,omitempty"`
	// Whether the security object was exportable at some point in its lifetime.
	// NOTE(review): the field name reads as "true == the object was NEVER
	// exportable", i.e. the opposite of the sentence above (which is the
	// upstream wording). Verify the polarity against the server before
	// using this flag in any policy decision.
	NeverExportable *bool `json:"never_exportable,omitempty"`
	// Type of security object.
	ObjType ObjectType `json:"obj_type"`
	// The origin of the security object.
	Origin ObjectOrigin `json:"origin"`
	// Public key material of the security object, if it exists.
	PubKey *Blob `json:"pub_key,omitempty"`
	// Whether the security object only consists of public material.
	PublicOnly bool `json:"public_only"`
	// If enabled, the public key will be available publicly (without authentication)
	// through the GetPublicKey API.
	PublishPublicKey *PublishPublicKeyConfig `json:"publish_public_key,omitempty"`
	// Revocation reason for compromised security object.
	RevocationReason *RevocationReason `json:"revocation_reason,omitempty"`
	// Rotation policy of security objects.
	RotationPolicy *RotationPolicy `json:"rotation_policy,omitempty"`
	// RSA specific options.
	Rsa *RsaOptions `json:"rsa,omitempty"`
	// Timestamp at which security object will be rotated, if rotation policy exists.
	ScheduledRotation *Time `json:"scheduled_rotation,omitempty"`
	// Seed options.
	Seed *SeedOptions `json:"seed,omitempty"`
	// Security object operational state.
	State *SobjectState `json:"state,omitempty"`
	// Transient key material. SENSITIVE: when present this is the key
	// itself; do not log or persist the struct as a whole.
	TransientKey *Blob `json:"transient_key,omitempty"`
	// Security object stored as byte array. SENSITIVE: when the server
	// includes it (e.g. on export) this is the raw key/secret material.
	Value *Blob `json:"value,omitempty"`
	// Metadata specific to the virtual key.
	VirtualKeyInfo *VirtualSobjectInfo `json:"virtual_key_info,omitempty"`
	// Group ids of groups that use this security object to encrypt the key material of their security objects
	WrappingKeyGroupIds *[]UUID `json:"wrapping_key_group_ids,omitempty"`
	// UUID of the group which the security object belongs to.
	GroupID *UUID `json:"group_id,omitempty"`
}

type SobjectComponent added in v0.2.6

// SobjectComponent is one share of a key that has been split among several
// custodians (see SplittingMethod). Each component on its own reveals
// nothing about the key only if the splitting method guarantees that; the
// component bytes are nevertheless secret material and must be handled as
// such by the custodian.
type SobjectComponent struct {
	// Key component. SENSITIVE.
	Component Blob `json:"component"`
	// Key component KCV, for the custodian to verify their share was
	// entered correctly.
	ComponentKcv *string `json:"component_kcv,omitempty"`
	// Component custodian
	Custodian Principal `json:"custodian"`
}

Component of security object, held by a custodian.

type SobjectDescriptor

// SobjectDescriptor is a tagged union naming the key an operation should
// use: a persisted object by ID or name, or key material supplied inline
// with the request. Exactly one field is expected to be set; use the
// SobjectByID / SobjectByName / TransientKey constructors.
type SobjectDescriptor struct {
	Kid          *UUID
	Name         *string
	// Transient key blob previously returned by the server.
	TransientKey *Blob
	// Raw key material carried in the request body (SENSITIVE).
	Inline       *SobjectDescriptorInline
}

Uniquely identifies a persisted or transient sobject.

func SobjectByID

func SobjectByID(id string) *SobjectDescriptor

SobjectByID returns a SobjectDescriptor that identifies a security object by id

func SobjectByName

func SobjectByName(name string) *SobjectDescriptor

SobjectByName returns a SobjectDescriptor that identifies a security object by name

func TransientKey

func TransientKey(key Blob) *SobjectDescriptor

TransientKey returns a SobjectDescriptor that identifies a transient key

func (SobjectDescriptor) MarshalJSON

func (x SobjectDescriptor) MarshalJSON() ([]byte, error)

func (*SobjectDescriptor) UnmarshalJSON

func (x *SobjectDescriptor) UnmarshalJSON(data []byte) error

type SobjectDescriptorInline added in v0.2.6

// SobjectDescriptorInline supplies raw key bytes and their type directly in
// a request, bypassing DSM key storage. The Value is secret material and
// travels in the request body; do not log marshalled requests.
type SobjectDescriptorInline struct {
	Value   Blob       `json:"value"`
	ObjType ObjectType `json:"obj_type"`
}

type SobjectDescriptorPersisted added in v0.2.6

// SobjectDescriptorPersisted names a stored security object by ID or by
// name (tagged union; one field set). Unlike SobjectDescriptor it cannot
// carry transient or inline material.
type SobjectDescriptorPersisted struct {
	Kid  *UUID
	Name *string
}

Uniquely identifies a persisted sobject.

func (SobjectDescriptorPersisted) MarshalJSON added in v0.2.6

func (x SobjectDescriptorPersisted) MarshalJSON() ([]byte, error)

func (*SobjectDescriptorPersisted) UnmarshalJSON added in v0.2.6

func (x *SobjectDescriptorPersisted) UnmarshalJSON(data []byte) error

type SobjectEncoding

type SobjectEncoding string

Response data encoding.

const (
	// JSON format (the full Sobject document).
	SobjectEncodingJson SobjectEncoding = "json"
	// Value format (only the object's value; for exportable keys that is the
	// raw material).
	SobjectEncodingValue SobjectEncoding = "value"
)

List of supported SobjectEncoding values

type SobjectRekeyRequest added in v0.2.6

// SobjectRekeyRequest rotates a security object by creating a new one
// described by Dest and linking it as the successor.
type SobjectRekeyRequest struct {
	// If set to true, the old key is deactivated on rekey. Deactivated keys
	// can still process existing data but no longer apply protection
	// (see SobjectStateDeactivated).
	DeactivateRotatedKey *bool `json:"deactivate_rotated_key,omitempty"`
	// Parameters for the new security object.
	Dest SobjectRequest `json:"dest"`
}

Request to rekey a security object.

func (SobjectRekeyRequest) MarshalJSON added in v0.2.6

func (x SobjectRekeyRequest) MarshalJSON() ([]byte, error)

func (*SobjectRekeyRequest) UnmarshalJSON added in v0.2.6

func (x *SobjectRekeyRequest) UnmarshalJSON(data []byte) error

type SobjectReplaceRequest added in v0.2.6

// SobjectReplaceRequest rotates a security object to an already existing
// object instead of generating a new one. Presumably the replaced object
// is renamed so the replacement can take over its name — confirm.
type SobjectReplaceRequest struct {
	// Security object that will be replaced as part of this operation.
	Replaced SobjectDescriptorPersisted `json:"replaced"`
	// New name for the replaced security object.
	ReplacedNewName string `json:"replaced_new_name"`
	// Security object that will become the replacement of the security object
	// that has to be replaced.
	Replacement SobjectDescriptorPersisted `json:"replacement"`
}

Request to rotate a security object to an existing security object.

type SobjectRequest

// SobjectRequest creates, imports or updates a security object. Every field
// is optional so the same type serves both creation and partial update.
// Value carries raw key material on import and is the field to keep out of
// logs.
type SobjectRequest struct {
	// Activation date of security object in seconds since EPOCH.
	ActivationDate *Time `json:"activation_date,omitempty"`
	// AES specific options.
	Aes *AesOptions `json:"aes,omitempty"`
	// Whether the sign operation response contains hash or data as output.
	// NOTE(review): likely governs whether a pre-computed hash may be
	// submitted for signing (see SignRequest.Hash) — confirm.
	AllowSignHash *bool `json:"allow_sign_hash,omitempty"`
	// ARIA specific options.
	Aria *AriaOptions `json:"aria,omitempty"`
	// BIP32 specific options.
	Bip32 *Bip32Options `json:"bip32,omitempty"`
	// BLS specific options.
	Bls *BlsOptions `json:"bls,omitempty"`
	// User managed field for adding custom metadata to the security object.
	CustomMetadata *map[string]string `json:"custom_metadata,omitempty"`
	// Deactivation date of security object in seconds since EPOCH.
	DeactivationDate *Time `json:"deactivation_date,omitempty"`
	// DES specific options.
	Des *DesOptions `json:"des,omitempty"`
	// DES3 specific options.
	Des3 *Des3Options `json:"des3,omitempty"`
	// Description of the security object.
	Description *string `json:"description,omitempty"`
	// Optionally get deterministic signatures, if algorithm is EC or RSA.
	DeterministicSignatures *bool `json:"deterministic_signatures,omitempty"`
	// DSA specific options.
	Dsa *DsaOptions `json:"dsa,omitempty"`
	// ECKCDSA specific options.
	Eckcdsa *EcKcdsaOptions `json:"eckcdsa,omitempty"`
	// Identifies a standard elliptic curve.
	EllipticCurve *EllipticCurve `json:"elliptic_curve,omitempty"`
	// Whether this security object has cryptographic operations enabled.
	Enabled *bool `json:"enabled,omitempty"`
	// Information specific to an external KMS. Currently, it only has AWS related information.
	External *ExternalKmsInfo `json:"external,omitempty"`
	// FPE specific options.
	Fpe *FpeOptions `json:"fpe,omitempty"`
	// Key Access Justifications for GCP EKM.
	// For more details: https://cloud.google.com/cloud-provider-access-management/key-access-justifications/docs/overview
	// Wrapped in Removable so an update can explicitly clear the policy
	// (as opposed to leaving it untouched by omitting the field).
	GoogleAccessReasonPolicy *Removable[GoogleAccessReasonPolicy] `json:"google_access_reason_policy,omitempty"`
	// KCDSA specific options.
	Kcdsa *KcdsaOptions `json:"kcdsa,omitempty"`
	// Key Checksum Value of the security object.
	Kcv *string `json:"kcv,omitempty"`
	// Operations allowed to be performed by a given key. Set this to the
	// minimum the key's consumers need (least privilege); it is the main
	// per-object usage control.
	KeyOps *KeyOperations `json:"key_ops,omitempty"`
	// Key size of the security object in bits.
	KeySize *uint32 `json:"key_size,omitempty"`
	// Linked security objects.
	Links *KeyLinks `json:"links,omitempty"`
	// LMS specific options.
	Lms *LmsOptions `json:"lms,omitempty"`
	// Name of the security object.
	Name *string `json:"name,omitempty"`
	// Type of security object.
	ObjType *ObjectType `json:"obj_type,omitempty"`
	// Public exponent
	PubExponent *uint32 `json:"pub_exponent,omitempty"`
	// If enabled, the public key will be available publicly (without authentication)
	// through the GetPublicKey API.
	PublishPublicKey *PublishPublicKeyConfig `json:"publish_public_key,omitempty"`
	// Rotation policy of security objects.
	RotationPolicy *RotationPolicy `json:"rotation_policy,omitempty"`
	// RSA specific options.
	Rsa *RsaOptions `json:"rsa,omitempty"`
	// Seed options.
	Seed *SeedOptions `json:"seed,omitempty"`
	// Security object operational state.
	State *SobjectState `json:"state,omitempty"`
	// If set to true, the security object will cease to exist after session ends.
	Transient *bool `json:"transient,omitempty"`
	// Security object stored as byte array. On import this is the raw
	// key/secret material (SENSITIVE); it travels in the request body.
	Value *Blob `json:"value,omitempty"`
	// UUID of the group which the security object belongs to.
	GroupID *UUID `json:"group_id,omitempty"`
}

type SobjectSort

// SobjectSort selects the ordering of a security object listing: by
// UUID (ByKid) or by name (ByName). The two variants are plain pointer
// fields without json tags; how a request encodes the chosen variant is
// not shown here — confirm against the listing API before relying on it.
type SobjectSort struct {
	// Security object UUID
	ByKid *SobjectSortByKid
	// Security object name
	ByName *SobjectSortByName
}

Sorting order on listed security objects.

type SobjectSortByKid

// SobjectSortByKid orders a security object listing by key UUID.
type SobjectSortByKid struct {
	// Order of listing
	Order Order `json:"order"`
	// Initial security object UUID
	// (presumably the pagination cursor: listing resumes from this UUID — confirm)
	Start *UUID `json:"start,omitempty"`
}

Security object UUID

type SobjectSortByName

// SobjectSortByName orders a security object listing by object name.
type SobjectSortByName struct {
	// Order of listing
	Order Order `json:"order"`
	// Initial security object Name
	// (presumably the pagination cursor: listing resumes from this name — confirm)
	Start *string `json:"start,omitempty"`
}

Security object name

type SobjectState

// SobjectState is the operational (lifecycle) state of a security object.
// It is a plain string on the wire; the supported values are the
// SobjectState* constants declared below.
type SobjectState string

Security object operational state.

// Supported SobjectState values, in lifecycle order.
//
// Note that the capability descriptions for Deactivated and Compromised are
// identical (process-only, no new cryptographic protection); the difference
// is the recorded compromise status, which per the Deleted comment is retained
// even after the object is gone.
const (
	// The security object exists but can not be used for any cryptographic purpose
	// until it's activated.
	SobjectStatePreActive SobjectState = "PreActive"
	// The security object can be used for any cryptographic purpose.
	SobjectStateActive SobjectState = "Active"
	// The security object can not be used for applying cryptographic protection,
	// but can be used for processing cryptographically protected information.
	// Key must be in the activated state in order to transition to the deactivated state.
	SobjectStateDeactivated SobjectState = "Deactivated"
	// The security object can not be used for applying cryptographic protection
	// but can be used for processing cryptographically protected information.
	SobjectStateCompromised SobjectState = "Compromised"
	// The security object can not perform any cryptographic operations, as the
	// key material gets deleted.
	SobjectStateDestroyed SobjectState = "Destroyed"
	// The security object does not exist in DSM. However, its compromised status
	// is retained for audit and security purposes.
	SobjectStateDeleted SobjectState = "Deleted"
)

List of supported SobjectState values

type SplittingMethod added in v0.2.6

// SplittingMethod names the method used to split a key into multiple
// components. Supported values are the SplittingMethod* constants below.
type SplittingMethod string

Method used to split the key into multiple components.

// Supported SplittingMethod values.
const (
	// Logical XOR operation
	SplittingMethodXOR SplittingMethod = "XOR"
)

List of supported SplittingMethod values

type SplunkLoggingConfig

// SplunkLoggingConfig is the Splunk logging configuration as represented by
// the service. Unlike SplunkLoggingConfigRequest it has no Token field, so the
// authentication token is presumably write-only and never echoed back
// — confirm against the service before assuming it is redacted.
type SplunkLoggingConfig struct {
	// Whether log export to Splunk is enabled.
	Enabled bool      `json:"enabled"`
	// Splunk host and port to deliver log items to.
	Host    string    `json:"host"`
	Port    uint16    `json:"port"`
	// The Splunk index that receives log items.
	Index   string    `json:"index"`
	// TLS settings for the connection (see TlsConfig).
	TLS     TlsConfig `json:"tls"`
}

Splunk logging configuration.

type SplunkLoggingConfigRequest

// SplunkLoggingConfigRequest creates or updates the Splunk logging
// configuration. All fields are optional (pointer + omitempty), per the
// package convention.
type SplunkLoggingConfigRequest struct {
	Enabled *bool   `json:"enabled,omitempty"`
	Host    *string `json:"host,omitempty"`
	Port    *uint16 `json:"port,omitempty"`
	// The Splunk index that will receive log items.
	Index *string `json:"index,omitempty"`
	// The Splunk authentication token. This is a credential: callers should
	// avoid logging or persisting request bodies that carry it.
	Token *string    `json:"token,omitempty"`
	// TLS settings for the connection (see TlsConfig).
	TLS   *TlsConfig `json:"tls,omitempty"`
}

type StackdriverLoggingConfig

// StackdriverLoggingConfig is the Google Cloud (Stackdriver) logging
// configuration as represented by the service. Note that, unlike the Splunk
// variant, this type does carry the ServiceAccountKey field; whether the
// service redacts the key when returning it is not shown here.
type StackdriverLoggingConfig struct {
	Enabled bool `json:"enabled"`
	// The log ID that will receive the log items (see https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry).
	LogID             string                  `json:"log_id"`
	// Credential used to write to Cloud Logging — treat as a secret.
	ServiceAccountKey GoogleServiceAccountKey `json:"service_account_key"`
}

Stackdriver logging configuration.

type StackdriverLoggingConfigRequest

// StackdriverLoggingConfigRequest creates or updates the Google Cloud
// (Stackdriver) logging configuration. All fields are optional.
type StackdriverLoggingConfigRequest struct {
	Enabled *bool `json:"enabled,omitempty"`
	// The log ID that will receive the log items (see https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry).
	LogID             *string                  `json:"log_id,omitempty"`
	// Credential used to write to Cloud Logging — treat as a secret and avoid
	// logging request bodies that carry it.
	ServiceAccountKey *GoogleServiceAccountKey `json:"service_account_key,omitempty"`
}

type StatsParams added in v0.2.6

// StatsParams are query parameters for a statistics request. The units of
// RangeFrom/RangeTo (presumably timestamps) and the exact meaning of
// NumPoints/TopCount are not shown here — confirm against the stats API.
type StatsParams struct {
	NumPoints *uint64 `json:"num_points,omitempty"`
	TopCount  *uint32 `json:"top_count,omitempty"`
	RangeFrom *uint64 `json:"range_from,omitempty"`
	RangeTo   *uint64 `json:"range_to,omitempty"`
}

type SubjectGeneral added in v0.2.6

// SubjectGeneral is a general-name form of a certificate subject: a
// directory name (as attribute/value pairs), a DNS name, or an IP address.
// The fields have no json tags; encoding is handled by the type's
// MarshalJSON/UnmarshalJSON methods.
type SubjectGeneral struct {
	// Attribute/value pairs of a distinguished name.
	DirectoryName *[][2]string
	DnsName       *string
	IpAddress     *IpAddr
}

func (SubjectGeneral) MarshalJSON added in v0.2.6

func (x SubjectGeneral) MarshalJSON() ([]byte, error)

func (*SubjectGeneral) UnmarshalJSON added in v0.2.6

func (x *SubjectGeneral) UnmarshalJSON(data []byte) error

type Subscription added in v0.2.6

// Subscription describes an account's subscription. Encoding is handled by
// the type's MarshalJSON/UnmarshalJSON methods.
type Subscription struct {
	// Free-form note attached to the subscription.
	Memo                 *string                           `json:"memo,omitempty"`
	ExperimentalFeatures *SubscriptionExperimentalFeatures `json:"experimental_features,omitempty"`
	// The kind of subscription (trial, standard, enterprise, ...); see SubscriptionType.
	SubscriptionType     SubscriptionType                  `json:"subscription_type"`
}

func (Subscription) MarshalJSON added in v0.2.6

func (x Subscription) MarshalJSON() ([]byte, error)

func (*Subscription) UnmarshalJSON added in v0.2.6

func (x *Subscription) UnmarshalJSON(data []byte) error

type SubscriptionChangeRequest

// SubscriptionChangeRequest is a request to update an account's
// subscription type.
type SubscriptionChangeRequest struct {
	// The requested subscription.
	Subscription Subscription `json:"subscription"`
	// Optional contact details and free-form comment accompanying the request.
	Contact      *string      `json:"contact,omitempty"`
	Comment      *string      `json:"comment,omitempty"`
}

A request to update subscription type.

type SubscriptionExperimentalFeatures added in v0.2.6

// SubscriptionExperimentalFeatures currently has no fields; it is a
// placeholder for per-subscription experimental feature toggles.
type SubscriptionExperimentalFeatures struct {
}

type SubscriptionFeatures added in v0.2.6

// SubscriptionFeatures is a bit set of features enabled in a subscription;
// the SubscriptionFeatures* constants are the individual bits. On the wire
// it is encoded as an array of feature names (see MarshalJSON/UnmarshalJSON).
type SubscriptionFeatures uint64

Features in subscription

// Supported SubscriptionFeatures values. Each constant is a distinct bit
// (1 << iota), so values can be combined with bitwise OR.
const (
	SubscriptionFeaturesTokenization SubscriptionFeatures = 1 << iota
	SubscriptionFeaturesHmg
	SubscriptionFeaturesAwsbyok
	SubscriptionFeaturesAzurebyok
	SubscriptionFeaturesGcpbyok
	SubscriptionFeaturesGcpekmcontrolplane
)

List of supported SubscriptionFeatures values

func (SubscriptionFeatures) MarshalJSON added in v0.2.6

func (x SubscriptionFeatures) MarshalJSON() ([]byte, error)

MarshalJSON converts SubscriptionFeatures to an array of strings

func (*SubscriptionFeatures) UnmarshalJSON added in v0.2.6

func (x *SubscriptionFeatures) UnmarshalJSON(data []byte) error

UnmarshalJSON converts array of strings to SubscriptionFeatures

type SubscriptionType

// SubscriptionType is the kind of subscription. It is a one-of: exactly one
// field is expected to be non-nil. The fields have no json tags; encoding is
// handled by MarshalJSON/UnmarshalJSON. The double-pointer fields presumably
// distinguish a present-but-null payload from an absent one — confirm
// against the marshalling code.
type SubscriptionType struct {
	Trial      *SubscriptionTypeTrial
	Standard   *struct{}
	Enterprise *struct{}
	Custom     **CustomSubscriptionType
	Freemium   **FreemiumSubscriptionType
	OnPrem     *struct{}
	Reseller   **ResellerSubscriptionType
}

Type of subscription.

func (SubscriptionType) MarshalJSON

func (x SubscriptionType) MarshalJSON() ([]byte, error)

func (*SubscriptionType) UnmarshalJSON

func (x *SubscriptionType) UnmarshalJSON(data []byte) error

type SubscriptionTypeTrial

// SubscriptionTypeTrial is the payload of a trial subscription.
type SubscriptionTypeTrial struct {
	// When the trial expires, if known.
	ExpiresAt *Time `json:"expires_at,omitempty"`
}

type SyslogFacility

// SyslogFacility is the syslog facility under which exported log items are
// sent. Supported values are the SyslogFacility* constants.
type SyslogFacility string
const (
	SyslogFacilityUser   SyslogFacility = "User"
	SyslogFacilityLocal0 SyslogFacility = "Local0"
	SyslogFacilityLocal1 SyslogFacility = "Local1"
	SyslogFacilityLocal2 SyslogFacility = "Local2"
	SyslogFacilityLocal3 SyslogFacility = "Local3"
	SyslogFacilityLocal4 SyslogFacility = "Local4"
	SyslogFacilityLocal5 SyslogFacility = "Local5"
	SyslogFacilityLocal6 SyslogFacility = "Local6"
	SyslogFacilityLocal7 SyslogFacility = "Local7"
)

List of supported SyslogFacility values

type SyslogLoggingConfig

// SyslogLoggingConfig is the syslog log-export configuration as represented
// by the service.
type SyslogLoggingConfig struct {
	Enabled  bool           `json:"enabled"`
	// Syslog host and port to deliver log items to.
	Host     string         `json:"host"`
	Port     uint16         `json:"port"`
	// TLS settings for the connection; TlsConfig allows Disabled and
	// Opportunistic variants, under which exported log data may travel in
	// cleartext.
	TLS      TlsConfig      `json:"tls"`
	Facility SyslogFacility `json:"facility"`
}

type SyslogLoggingConfigRequest

// SyslogLoggingConfigRequest creates or updates the syslog log-export
// configuration. All fields are optional.
type SyslogLoggingConfigRequest struct {
	Enabled  *bool           `json:"enabled,omitempty"`
	Host     *string         `json:"host,omitempty"`
	Port     *uint16         `json:"port,omitempty"`
	// TLS settings for the connection (see TlsConfig).
	TLS      *TlsConfig      `json:"tls,omitempty"`
	Facility *SyslogFacility `json:"facility,omitempty"`
}

type TepClientConfig added in v0.2.6

// TepClientConfig configures a TEP client: an API schema plus a mapping from
// API paths to the keys (and cipher modes) used for them.
type TepClientConfig struct {
	Schema TepSchema     `json:"schema"`
	KeyMap TepKeyMapList `json:"key_map"`
}

type TepKeyContext added in v0.2.6

// TepKeyContext says whether a TEP key applies to the request or the
// response side of an API call.
type TepKeyContext string
const (
	TepKeyContextRequest  TepKeyContext = "request"
	TepKeyContextResponse TepKeyContext = "response"
)

List of supported TepKeyContext values

type TepKeyMap added in v0.2.6

// TepKeyMap binds one API path to the key and cipher mode used for it.
type TepKeyMap struct {
	Path ApiPath    `json:"path"`
	// UUID of the key to use for this path.
	Kid  UUID       `json:"kid"`
	Mode CipherMode `json:"mode"`
}

type TepKeyMapList added in v0.2.6

// TepKeyMapList is a list of path-to-key bindings (a type alias, so a plain
// []TepKeyMap can be used directly).
type TepKeyMapList = []TepKeyMap

type TepSchema added in v0.2.6

// TepSchema describes the API schema of a TEP client. Encoding is handled by
// MarshalJSON/UnmarshalJSON; the double pointer presumably distinguishes a
// present-but-null schema from an absent one — confirm.
type TepSchema struct {
	OpenAPI **string
}

func (TepSchema) MarshalJSON added in v0.2.6

func (x TepSchema) MarshalJSON() ([]byte, error)

func (*TepSchema) UnmarshalJSON added in v0.2.6

func (x *TepSchema) UnmarshalJSON(data []byte) error

type Time

// Time is a timestamp in ISO 8601 format, kept as the raw string received
// from the service. Use Std to parse it into a time.Time.
type Time string

Time in ISO 8601 format

func (Time) Std

func (t Time) Std() (time.Time, error)

Std returns a time.Time value representing t

type TimeSpan added in v0.2.6

// TimeSpan is a duration expressed in a single unit. The fields have no json
// tags and encoding is handled by MarshalJSON/UnmarshalJSON; presumably
// exactly one field is set — confirm against the marshalling code.
type TimeSpan struct {
	Seconds *uint32
	Minutes *uint32
	Hours   *uint32
	Days    *uint32
}

func (TimeSpan) MarshalJSON added in v0.2.6

func (x TimeSpan) MarshalJSON() ([]byte, error)

func (*TimeSpan) UnmarshalJSON added in v0.2.6

func (x *TimeSpan) UnmarshalJSON(data []byte) error

type TlsConfig

// TlsConfig holds TLS settings for an outbound connection. It is a one-of:
// exactly one field is expected to be non-nil. Encoding is handled by
// MarshalJSON/UnmarshalJSON. TLSConfigGlobalRootCAs and TLSConfigPinned are
// convenience constructors for the Required variant.
type TlsConfig struct {
	// No TLS.
	Disabled      *struct{}
	// Use TLS if available, otherwise fall back (presumably to cleartext — confirm).
	Opportunistic *struct{}
	// TLS is mandatory; see TlsConfigRequired for CA and client-cert settings.
	Required      *TlsConfigRequired
}

TLS settings.

func TLSConfigGlobalRootCAs

func TLSConfigGlobalRootCAs(validateHostname bool) TlsConfig

TLSConfigGlobalRootCAs returns a TlsConfig set to global root CAs

func TLSConfigPinned

func TLSConfigPinned(certs []Blob, validateHostname bool) TlsConfig

TLSConfigPinned returns a TlsConfig set to the given CA certificates

func (TlsConfig) MarshalJSON

func (x TlsConfig) MarshalJSON() ([]byte, error)

func (*TlsConfig) UnmarshalJSON

func (x *TlsConfig) UnmarshalJSON(data []byte) error

type TlsConfigRequired

// TlsConfigRequired are the settings of a mandatory-TLS connection.
type TlsConfigRequired struct {
	// Whether to verify that the server certificate matches the host being
	// connected to. Setting this to false presumably leaves only chain
	// validation against Ca — confirm against the service documentation.
	ValidateHostname bool     `json:"validate_hostname"`
	// Which CAs to trust (global roots or pinned certificates).
	Ca               CaConfig `json:"ca"`
	// Optional client key and certificate, presumably for mutual TLS.
	// ClientKey is private key material — treat as a secret.
	ClientKey        *Blob    `json:"client_key,omitempty"`
	ClientCert       *Blob    `json:"client_cert,omitempty"`
}

type TransformKeyMechanism added in v0.2.6

// TransformKeyMechanism selects the mechanism used when transforming a key.
// The field has no json tag; encoding is handled by MarshalJSON/UnmarshalJSON.
type TransformKeyMechanism struct {
	// Derive a BIP32 "weak" (non-hardened) child key.
	Bip32WeakChild *TransformKeyMechanismBip32WeakChild
}

Options for mechanism to be used when transforming a key

func (TransformKeyMechanism) MarshalJSON added in v0.2.6

func (x TransformKeyMechanism) MarshalJSON() ([]byte, error)

func (*TransformKeyMechanism) UnmarshalJSON added in v0.2.6

func (x *TransformKeyMechanism) UnmarshalJSON(data []byte) error

type TransformKeyMechanismBip32WeakChild added in v0.2.6

// TransformKeyMechanismBip32WeakChild are the parameters for deriving a
// BIP32 weak child key.
type TransformKeyMechanismBip32WeakChild struct {
	// The index of a weak child is an integer between 0 and 2**31 - 1.
	// uint32 admits larger values, so the upper bound is presumably enforced
	// by the service rather than by this type.
	Index uint32 `json:"index"`
}

type TransformKeyRequest added in v0.2.6

// TransformKeyRequest is the request body to transform a key into a new
// security object using the given Mechanism.
type TransformKeyRequest struct {
	// Activation date of the transformed key
	ActivationDate *Time `json:"activation_date,omitempty"`
	// Deactivation date of the transformed key
	DeactivationDate *Time `json:"deactivation_date,omitempty"`
	// Identifier of the sobject which will be transformed
	Key *SobjectDescriptor `json:"key,omitempty"`
	// Name of the transformed key. Key names must be unique within an account.
	Name *string `json:"name,omitempty"`
	// Group ID of the group that this security object should belong to. The user or
	// application creating this security object must be a member of this group. If no group is
	// specified, the default group for the requesting application will be used.
	GroupID *UUID `json:"group_id,omitempty"`
	// Type of the transformed key.
	KeyType ObjectType `json:"key_type"`
	// Mechanism to use for key transformation.
	Mechanism TransformKeyMechanism `json:"mechanism"`
	// Whether the transformed key should have cryptographic operations enabled.
	Enabled *bool `json:"enabled,omitempty"`
	// Description of the transformed key
	Description *string `json:"description,omitempty"`
	// User-defined metadata for this key stored as key-value pairs.
	CustomMetadata *map[string]string `json:"custom_metadata,omitempty"`
	// Optional array of key operations to be enabled for this security object. If not
	// provided the service will provide a default set of key operations. Note that if you
	// provide an empty array, all key operations will be disabled.
	// (Callers restricting a key should therefore set this explicitly rather than
	// rely on the service default.)
	KeyOps *KeyOperations `json:"key_ops,omitempty"`
	// State of the transformed key
	State *SobjectState `json:"state,omitempty"`
	// If set to true, the transformed key will be transient.
	Transient *bool `json:"transient,omitempty"`
}

Request body to transform a key.

type TrustAnchor

// TrustAnchor is a trusted CA for app (client-certificate) authentication.
// Encoding is handled by MarshalJSON/UnmarshalJSON.
type TrustAnchor struct {
	// Expected subject of the CA certificate.
	Subject       TrustAnchorSubject `json:"subject"`
	// The CA certificate itself.
	CaCertificate Blob               `json:"ca_certificate"`
}

A trusted CA for app authentication.

func (TrustAnchor) MarshalJSON added in v0.2.6

func (x TrustAnchor) MarshalJSON() ([]byte, error)

func (*TrustAnchor) UnmarshalJSON added in v0.2.6

func (x *TrustAnchor) UnmarshalJSON(data []byte) error

type TrustAnchorSubject added in v0.2.6

// TrustAnchorSubject is the subject of a trust anchor, either as a plain
// attribute/value pair list or in the general-name form. Encoding is handled
// by MarshalJSON/UnmarshalJSON; presumably only one field is set — confirm.
type TrustAnchorSubject struct {
	Subject        *[][2]string
	SubjectGeneral *SubjectGeneral
}

func (TrustAnchorSubject) MarshalJSON added in v0.2.6

func (x TrustAnchorSubject) MarshalJSON() ([]byte, error)

func (*TrustAnchorSubject) UnmarshalJSON added in v0.2.6

func (x *TrustAnchorSubject) UnmarshalJSON(data []byte) error

type U2fAddDeviceRequest

// U2fAddDeviceRequest describes a U2F device to register for two factor
// authentication. Note the json tags are camelCase here, unlike the
// snake_case used by most other types in this package.
type U2fAddDeviceRequest struct {
	// Human-readable device name.
	Name             string `json:"name"`
	// Registration data and client data produced by the authenticator during
	// registration.
	RegistrationData Blob   `json:"registrationData"`
	ClientData       Blob   `json:"clientData"`
	// U2F protocol version string.
	Version          string `json:"version"`
}

Description of a U2F device to add for two factor authentication.

type U2fAuthRequest

// U2fAuthRequest completes second-factor authentication with a U2F device.
// Note the camelCase json tags.
type U2fAuthRequest struct {
	// Handle of the registered key being used.
	KeyHandle     Blob `json:"keyHandle"`
	// Signature and client data produced by the authenticator for the challenge.
	SignatureData Blob `json:"signatureData"`
	ClientData    Blob `json:"clientData"`
}

Request for second factor authentication with a U2f device.

type U2fMfaChallengeResponse added in v0.2.6

// U2fMfaChallengeResponse is a challenge issued for multi-factor
// authentication, together with the keys registered for the user.
type U2fMfaChallengeResponse struct {
	U2fChallenge string             `json:"u2f_challenge"`
	U2fKeys      []U2fRegisteredKey `json:"u2f_keys"`
}

A challenge used for multi-factor authentication.

type U2fRegisteredKey

// U2fRegisteredKey describes a registered U2F device. Note the camelCase
// json tag on KeyHandle.
type U2fRegisteredKey struct {
	KeyHandle string `json:"keyHandle"`
	Version   string `json:"version"`
}

Description of a registered U2F device.

type UUID

// UUID is a universally-unique identifier in hyphenated format. It is a type
// alias of string, so it carries no compile-time distinction from any other
// string and no format validation.
type UUID = string

UUID is a universally-unique identifier in hyphenated format

type UniqueOperationsCount added in v0.2.6

// UniqueOperationsCount wraps a count of unique operations.
type UniqueOperationsCount struct {
	Value uint64 `json:"value"`
}

type UnwrapKeyParams added in v0.2.6

// UnwrapKeyParams are the unwrapping-key parameters of a request to unwrap a
// security object.
type UnwrapKeyParams struct {
	// Unique identifier of the security object.
	Key SobjectDescriptor `json:"key"`
	// Cryptographic algorithm used for unwrapping.
	Alg Algorithm `json:"alg"`
	// Block cipher mode of operation, required for symmetric algorithms.
	Mode *CryptMode `json:"mode,omitempty"`
	// Initialization vector is required for symmetric algorithms.
	Iv *Blob `json:"iv,omitempty"`
	// Authenticated data is only applicable if mode is GCM.
	Ad *Blob `json:"ad,omitempty"`
	// Tag is required if mode is GCM.
	Tag *Blob `json:"tag,omitempty"`
}

Request to unwrap a security object

type UnwrapKeyRequest

// UnwrapKeyRequest is a request to unwrap a security object with another
// security object, producing a new (optionally persisted) security object.
type UnwrapKeyRequest struct {
	// Reference to the unwrapping key. This can be a key ID, key name,
	// or a transient key blob. It may also be a password (if unwrapping
	// PKCS #8 blobs).
	Key *SobjectDescriptor `json:"key,omitempty"`
	// Algorithm to use for key unwrapping. The algorithm must be
	// compatible with the key type; for example, an RSA key cannot
	// be used with AES.
	Alg Algorithm `json:"alg"`
	// Object type of the key being unwrapped
	ObjType ObjectType `json:"obj_type"`
	// RSA-specific options for the key being unwrapped
	Rsa *RsaOptions `json:"rsa,omitempty"`
	// A security object previously wrapped with another key
	WrappedKey Blob `json:"wrapped_key"`
	// Decryption mode to use. This is required for unwrapping via
	// symmetric decryption. For RSA-based wrapping, the mode can be used
	// to optionally specify the padding to use. For all other algorithms,
	// this field should not be specified.
	Mode *CryptMode `json:"mode,omitempty"`
	// The initialization vector to use, required for modes that take IVs
	// (and irrelevant otherwise).
	Iv *Blob `json:"iv,omitempty"`
	// The authenticated data to use. This is only applicable when using
	// authenticated decryption modes (i.e., GCM or CCM).
	Ad *Blob `json:"ad,omitempty"`
	// The authentication tag, relevant for authenticated encryption modes
	// (i.e., GCM or CCM), and otherwise irrelevant.
	// Both Ad and Tag must match the values used at wrap time for the
	// unwrap to succeed.
	Tag *Blob `json:"tag,omitempty"`
	// Name to be given to the resulting security object, if persisted
	Name *string `json:"name,omitempty"`
	// ID of the group that the unwrapped security object should belong to
	// (if persisted). The user or application creating this security object
	// must be a member of this group. If no group is specified, and the
	// requester is an app, the app's default group will be used.
	GroupID *UUID `json:"group_id,omitempty"`
	// Whether the unwrapped key should have cryptographic operations enabled.
	// Defaults to true.
	Enabled *bool `json:"enabled,omitempty"`
	// User-defined description of the unwrapped key
	Description *string `json:"description,omitempty"`
	// User-defined metadata for the resulting key, stored as key-value pairs.
	CustomMetadata *map[string]string `json:"custom_metadata,omitempty"`
	// Optional array of key operations to be enabled for the resulting security
	// object. If not provided, DSM will provide a default set of key operations.
	// Note that an empty array will result in all key operations being disabled.
	KeyOps *KeyOperations `json:"key_ops,omitempty"`
	// Whether the unwrapped key should be a transient key
	Transient *bool `json:"transient,omitempty"`
	// Checksum value of the wrapped key
	Kcv *string `json:"kcv,omitempty"`
}

Request to unwrap an sobject with another sobject.

type User

// User is a user of the service as returned by the user APIs, including its
// account role, group memberships and registered MFA devices.
type User struct {
	// The user's role(s) and state in the account.
	AccountRole   UserAccountFlags `json:"account_role"`
	CreatedAt     *Time            `json:"created_at,omitempty"`
	Description   *string          `json:"description,omitempty"`
	EmailVerified *bool            `json:"email_verified,omitempty"`
	// Explicit group assignments.
	//
	// This is similar to `groups` field except that it does not include groups due to
	// all-groups roles. Use this field to find out which group assignments can be
	// changed using `mod_groups` and `del_groups` fields in user update API.
	ExplicitGroups map[UUID]UserGroupRole `json:"explicit_groups"`
	FirstName      *string                `json:"first_name,omitempty"`
	// Effective group memberships, including those implied by all-groups roles.
	Groups         map[UUID]UserGroupRole `json:"groups"`
	HasAccount     *bool                  `json:"has_account,omitempty"`
	HasPassword    *bool                  `json:"has_password,omitempty"`
	LastLoggedInAt *Time                  `json:"last_logged_in_at,omitempty"`
	LastName       *string                `json:"last_name,omitempty"`
	// Mfa devices registered with the user
	MfaDevices      []MfaDevice `json:"mfa_devices"`
	// Pending new email address, if an email change is in progress (presumably — confirm).
	NewEmail        *string     `json:"new_email,omitempty"`
	SelfProvisioned *bool       `json:"self_provisioned,omitempty"`
	// Legacy U2F devices; uses the same MfaDevice element type as MfaDevices.
	U2fDevices      []MfaDevice `json:"u2f_devices"`
	UserEmail       string      `json:"user_email"`
	UserID          UUID        `json:"user_id"`
}

type UserAccountFlag added in v0.2.6

// UserAccountFlag is a state flag on a user's account membership. Supported
// values are the UserAccountFlag* constants below.
type UserAccountFlag string

User account flag

// Supported UserAccountFlag values.
const (
	// The user's membership in the account is enabled.
	UserAccountFlagStateEnabled  UserAccountFlag = "STATEENABLED"
	// The user has been invited to the account but has not yet accepted.
	UserAccountFlagPendingInvite UserAccountFlag = "PENDINGINVITE"
)

List of supported UserAccountFlag values

type UserAccountFlagOrRole added in v0.2.6

// UserAccountFlagOrRole is one of: a user account flag, a legacy user
// account role name, or a custom role ID. Encoding is handled by
// MarshalJSON/UnmarshalJSON; presumably exactly one field is set — confirm.
type UserAccountFlagOrRole struct {
	Flag       *UserAccountFlag
	LegacyRole *LegacyUserAccountRole
	RoleID     *UUID
}

User account flag or legacy user account role name or custom role id

func (UserAccountFlagOrRole) MarshalJSON added in v0.2.6

func (x UserAccountFlagOrRole) MarshalJSON() ([]byte, error)

func (*UserAccountFlagOrRole) UnmarshalJSON added in v0.2.6

func (x *UserAccountFlagOrRole) UnmarshalJSON(data []byte) error

type UserAccountFlags

// UserAccountFlags is a user's role(s) and state in an account: a list of
// flags, legacy roles and custom role IDs (type alias, so a plain slice can
// be used directly).
type UserAccountFlags = []UserAccountFlagOrRole

User's role(s) and state in an account.

type UserGroupRole

// UserGroupRole is a user's role(s) in a group, as a list of legacy group
// roles and custom role IDs (type alias).
type UserGroupRole = []LegacyUserGroupRoleOrRoleId

User's role(s) in a group.

type UserRequest

// UserRequest creates or updates a user. All fields are optional; group
// changes are expressed as add/mod/del maps keyed by group UUID.
type UserRequest struct {
	AccountRole *UserAccountFlags       `json:"account_role,omitempty"`
	AddGroups   *map[UUID]UserGroupRole `json:"add_groups,omitempty"`
	// FIDO devices to add. Only one device can be added at present.
	AddMfaDevices *[]FidoAddDeviceRequest `json:"add_mfa_devices,omitempty"`
	AddU2fDevices *[]U2fAddDeviceRequest  `json:"add_u2f_devices,omitempty"`
	DelGroups     *map[UUID]UserGroupRole `json:"del_groups,omitempty"`
	// Mfa devices to delete
	DelMfaDevices *[]MfaDelDeviceRequest  `json:"del_mfa_devices,omitempty"`
	DelU2fDevices *[]MfaDelDeviceRequest  `json:"del_u2f_devices,omitempty"`
	Description   *string                 `json:"description,omitempty"`
	Enable        *bool                   `json:"enable,omitempty"`
	FirstName     *string                 `json:"first_name,omitempty"`
	LastName      *string                 `json:"last_name,omitempty"`
	ModGroups     *map[UUID]UserGroupRole `json:"mod_groups,omitempty"`
	// Mfa devices to rename
	RenameMfaDevices *[]MfaRenameDeviceRequest `json:"rename_mfa_devices,omitempty"`
	RenameU2fDevices *[]MfaRenameDeviceRequest `json:"rename_u2f_devices,omitempty"`
	UserEmail        *string                   `json:"user_email,omitempty"`
	// Password credential — callers should avoid logging or persisting
	// request bodies that carry it.
	UserPassword     *string                   `json:"user_password,omitempty"`
}

type UserSort

// UserSort selects the ordering of a user listing. The field has no json
// tag; how the choice is encoded is not shown here.
type UserSort struct {
	ByUserID *UserSortByUserId
}

type UserSortByUserId

// UserSortByUserId orders a user listing by user UUID.
type UserSortByUserId struct {
	// Order of listing.
	Order Order `json:"order"`
	// Initial user UUID (presumably the pagination cursor — confirm).
	Start *UUID `json:"start,omitempty"`
}

type UserVerificationRequirement added in v0.2.6

// UserVerificationRequirement is the WebAuthn user-verification requirement
// (whether the authenticator must verify the user, e.g. by PIN or
// biometric). See the constants below and the linked WebAuthn spec.
type UserVerificationRequirement string

See https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement and https://www.w3.org/TR/webauthn-2/#user-verification

// Supported UserVerificationRequirement values, matching the WebAuthn
// enum (lowercase on the wire). Only Required guarantees the second factor
// includes user verification; Preferred and Discouraged may accept a
// presence-only assertion.
const (
	// Indicates the requirement of UV by RP and op
	// fails if this wasn't satisfied.
	UserVerificationRequirementRequired UserVerificationRequirement = "required"
	// UV is preferred by the RP but op won't fail
	// if it isn't satisfied.
	UserVerificationRequirementPreferred UserVerificationRequirement = "preferred"
	// UV isn't "preferred" by RP.
	UserVerificationRequirementDiscouraged UserVerificationRequirement = "discouraged"
)

List of supported UserVerificationRequirement values

type ValidateTokenRequest added in v0.2.6

// ValidateTokenRequest checks a (presumably password) reset token.
type ValidateTokenRequest struct {
	// The reset token — a credential; avoid logging it.
	ResetToken string `json:"reset_token"`
}

type ValidateTokenResponse added in v0.2.6

// ValidateTokenResponse is returned for a valid reset token and identifies
// the user the token belongs to.
type ValidateTokenResponse struct {
	UserEmail string `json:"user_email"`
}

type VerifyKcvRequest added in v0.2.6

// VerifyKcvRequest asks the service to verify the Key Checksum Value of
// the supplied key material.
type VerifyKcvRequest struct {
	// Key Checksum Value
	Kcv string `json:"kcv"`
	// Key material — a secret; avoid logging request bodies carrying it.
	Value Blob `json:"value"`
	// Type of Security object
	ObjType ObjectType `json:"obj_type"`
}

Verify KCV of a key

type VerifyKcvResponse added in v0.2.6

// VerifyKcvResponse is the result of a Key Checksum Value verification.
// A successful HTTP response does not imply a match: callers must check
// Verified.
type VerifyKcvResponse struct {
	// Verification status
	Verified bool `json:"verified"`
}

Key Checksum Value verification status.

type VerifyMacRequest

// VerifyMacRequest is a request to verify an HMAC or CMAC over Data.
type VerifyMacRequest struct {
	// Reference to the sobject with which to verify a MAC.
	// This can be a key ID, key name, or a transient key blob.
	Key *SobjectDescriptor `json:"key,omitempty"`
	// The hash algorithm used when computing the HMAC. Irrelevant
	// if verifying a CMAC.
	Alg *DigestAlgorithm `json:"alg,omitempty"`
	// The data over which the MAC needs to be verified
	Data Blob `json:"data"`
	// The MAC to verify. Note that the previously available
	// field `digest` is deprecated; this field should be used
	// instead.
	// (The field is optional only for compatibility with the deprecated
	// `digest`; new callers should always set it.)
	Mac *Blob `json:"mac,omitempty"`
}

Request to verify a MAC.

type VerifyRequest

// VerifyRequest is a request to verify a signature using an asymmetric key.
// Exactly one of Hash or Data must be supplied.
type VerifyRequest struct {
	// Reference to the sobject to use for verification. This can be a key
	// ID, key name, or a transient key blob.
	Key *SobjectDescriptor `json:"key,omitempty"`
	// Hash algorithm used for signature verification
	HashAlg DigestAlgorithm `json:"hash_alg"`
	// The hash of the data on which the signature is being verified. Either
	// `hash` or `data` should be specified; it is an error to specify both
	// or none.
	Hash *Blob `json:"hash,omitempty"`
	// The data on which the signature is being verified. Either `hash` or
	// `data` should be specified; it is an error to specify both or none.
	Data *Blob `json:"data,omitempty"`
	// Signature mechanism used for verification
	Mode *SignatureMode `json:"mode,omitempty"`
	// The signature to verify
	Signature Blob `json:"signature"`
}

Request to verify a signature using an asymmetric key.

type VerifyResponse

// VerifyResponse is the result of verifying a signature or MAC. A
// successful HTTP response does not mean the signature is valid: callers
// must check Result.
type VerifyResponse struct {
	// The ID of the key used for verification. Returned for non-transient keys.
	Kid *UUID `json:"kid,omitempty"`
	// True if the signature verified and false if it did not.
	Result bool `json:"result"`
}

Result of verifying a signature or MAC.

type VersionResponse

// VersionResponse carries information about the service version and mode.
type VersionResponse struct {
	// Server version. This is encoded as "major.minor.build".
	Version string `json:"version"`
	// The API version implemented by the server.
	APIVersion string     `json:"api_version"`
	ServerMode ServerMode `json:"server_mode"`
	// FIPS level at which the service is running. If this field is absent, then the service is
	// not running in FIPS compliant mode.
	FipsLevel *uint8 `json:"fips_level,omitempty"`
}

Information about the service version.

type VirtualSobjectInfo added in v0.2.6

// VirtualSobjectInfo is information specific to a virtual key. Currently
// this is only relevant for virtual keys backed by DSM.
type VirtualSobjectInfo struct {
	// Whether or not the source key material is cached within the key.
	CachedKeyMaterial bool `json:"cached_key_material"`
}

Information specific to a virtual key. Currently, this is only relevant for virtual keys backed by DSM.

type WorkspaceCseAuthMethod added in v0.4.0

// WorkspaceCseAuthMethod is the authentication method for Google Workspace
// CSE: each CSE user is either a registered DSM user (User, the default) or
// is represented by a DSM app (App). See the constants below.
type WorkspaceCseAuthMethod string

Authentication method for Google Workspace CSE. `User` (the default) requires each CSE user to be registered as a DSM user, while `App` requires each CSE user to be represented by a DSM app.

Note: For large organizations where many users use Google Workspace CSE but are not otherwise expected to access DSM, the `App` authentication method may be easier to implement.

// Supported WorkspaceCseAuthMethod values.
const (
	// Each CSE user must be registered as a DSM user
	WorkspaceCseAuthMethodUser WorkspaceCseAuthMethod = "User"
	// Each CSE user is represented by a DSM app and only needs access to cse specific endpoints.
	WorkspaceCseAuthMethodApp WorkspaceCseAuthMethod = "App"
)

List of supported WorkspaceCseAuthMethod values

type WorkspaceCseAuthorizationProvider added in v0.2.6

// WorkspaceCseAuthorizationProvider lets the service validate the
// Google-issued authorization tokens used in Workspace CSE APIs. The
// behaviour for an empty ValidIssuers or ValidAudiences list (reject all
// versus accept any) is not shown here — confirm before leaving either
// empty.
type WorkspaceCseAuthorizationProvider struct {
	// Authorization provider's name
	Name string `json:"name"`
	// A URL pointing to the JWKS endpoint
	JwksURL string `json:"jwks_url"`
	// Number of seconds that the service is allowed to cache the fetched keys
	CacheDuration uint64 `json:"cache_duration"`
	// Acceptable values for the `iss` (issuer) field used in Google's
	// authorization tokens
	ValidIssuers []string `json:"valid_issuers"`
	// Acceptable values for the `aud` (audience) field used in Google's
	// authorization tokens
	ValidAudiences []string `json:"valid_audiences"`
}

These settings will allow the service to validate the Google-issued authorization tokens used in Workspace CSE APIs.

For example, the specific settings for CSE Docs & Drive are:

- JWKS URL: https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-drive@system.gserviceaccount.com
- Issuer: gsuitecse-tokenissuer-drive@system.gserviceaccount.com
- Audience: cse-authorization

type WorkspaceCseConfig added in v0.2.6

// WorkspaceCseConfig holds the Workspace CSE API settings; specifying them
// enables the CSE APIs for the account.
type WorkspaceCseConfig struct {
	// One or more Identity Providers (IdP) trusted to authenticate users.
	// Note that we don't check if Single Sign-On (SSO) settings exist for
	// each IdP listed here, but it is recommended to add these IdPs in SSO
	// settings as well (usually as OAuth/OIDC providers).
	IdentityProviders []WorkspaceCseIdentityProvider `json:"identity_providers"`
	// One or more authorization providers used to validate authorization
	// tokens. Different Workspace applications might require different
	// authorization settings.
	AuthorizationProviders []WorkspaceCseAuthorizationProvider `json:"authorization_providers"`
	// An account's method of authenticating users via the CSE integration.
	AuthMethod *WorkspaceCseAuthMethod `json:"auth_method,omitempty"`
}

Workspace CSE API settings. Specifying these settings enables the CSE APIs for the account.

type WorkspaceCseIdentityProvider added in v0.2.6

// WorkspaceCseIdentityProvider is an identity provider trusted to
// authenticate users for Workspace CSE APIs. Authentication tokens are
// validated against SigningKeys and must carry an acceptable issuer and
// audience.
type WorkspaceCseIdentityProvider struct {
	// Identity provider's name
	Name string `json:"name"`
	// The public key(s) used to validate the authentication tokens
	SigningKeys JwtSigningKeys `json:"signing_keys"`
	// Acceptable values for the `iss` (issuer) field used in authentication
	// tokens
	ValidIssuers []string `json:"valid_issuers"`
	// Acceptable values for the `aud` (audience) field used in authentication
	// tokens
	ValidAudiences []string `json:"valid_audiences"`
}

An identity provider trusted to authenticate users for Workspace CSE APIs

type WrapKeyParams added in v0.2.6

// WrapKeyParams are the wrapping-key parameters of a key wrap operation.
type WrapKeyParams struct {
	// Wrapping key
	Key SobjectDescriptor `json:"key"`
	// Cryptographic algorithm of security object
	Alg Algorithm `json:"alg"`
	// Block cipher mode of operation, required for symmetric algorithms.
	Mode *CryptMode `json:"mode,omitempty"`
	// Initialization vector is required for symmetric algorithms.
	Iv *Blob `json:"iv,omitempty"`
	// Authenticated data is only applicable if mode is GCM.
	Ad *Blob `json:"ad,omitempty"`
	// Tag length is required when mode is GCM.
	// Units (bits vs bytes) are not stated here; WrapKeyRequest.TagLen is in bits.
	TagLen *uint `json:"tag_len,omitempty"`
}

Wrapping key parameters

type WrapKeyRequest

// WrapKeyRequest is a request to wrap one security object with another.
// The object to wrap is identified by Subject or by the legacy Kid field,
// never both.
type WrapKeyRequest struct {
	// Reference to the wrapping key. This can be a key ID, key name,
	// or a transient key blob.
	Key *SobjectDescriptor `json:"key,omitempty"`
	// Reference to the sobject being wrapped. This can be an sobject
	// ID, sobject name, or a transient sobject blob.
	//
	// If specified, the `kid` field should not be present.
	Subject *SobjectDescriptor `json:"subject,omitempty"`
	// ID of the sobject to be wrapped. (This is a legacy field,
	// mutually exclusive with `subject`).
	Kid *UUID `json:"kid,omitempty"`
	// Algorithm to use for key wrapping. The algorithm must be
	// compatible with the key type; for example, an RSA key cannot
	// be used with AES.
	Alg Algorithm `json:"alg"`
	// Encryption mode to use. This is required for wrapping via symmetric
	// encryption. For RSA-based wrapping, the mode can be used to
	// optionally specify the padding to use. For all other algorithms,
	// this field should not be specified.
	Mode *CryptMode `json:"mode,omitempty"`
	// The initialization vector to use. This is only applicable to modes
	// that take IVs, and will be randomly generated if not specified.
	// Leaving this unset is the safer choice: a caller-supplied IV that is
	// ever reused with the same key undermines authenticated modes such
	// as GCM. The generated value is returned in WrapKeyResponse.Iv.
	Iv *Blob `json:"iv,omitempty"`
	// The authenticated data to use. This is only applicable when using
	// authenticated encryption modes (i.e., GCM or CCM).
	Ad *Blob `json:"ad,omitempty"`
	// The length of the authentication tag, in bits, for authenticated
	// encryption modes (i.e., GCM or CCM). For other modes, this field
	// is irrelevant.
	TagLen *uint `json:"tag_len,omitempty"`
	// Format of the wrapped key
	KeyFormat *KeyFormat `json:"key_format,omitempty"`
}

Request to wrap an sobject with another sobject.

type WrapKeyResponse

// WrapKeyResponse is the result of a key wrapping request. Iv and Tag, when
// present, must be retained alongside WrappedKey: they are needed to unwrap
// (see UnwrapKeyRequest.Iv / UnwrapKeyRequest.Tag).
type WrapKeyResponse struct {
	// The wrapped key blob
	WrappedKey Blob `json:"wrapped_key"`
	// The initialization vector used during encryption. This is only
	// applicable for certain symmetric encryption modes.
	Iv *Blob `json:"iv,omitempty"`
	// The authenticated tag returned from authenticated encryption
	// (i.e., using GCM or CCM mode). For other modes, this field is
	// not applicable.
	Tag *Blob `json:"tag,omitempty"`
}

Result of a key wrapping request.

type WrappingKeyName added in v0.2.6

// WrappingKeyName is either an explicit null or a key name string.
// Encoding is handled by MarshalJSON/UnmarshalJSON; presumably exactly one
// field is set — confirm against the marshalling code.
type WrappingKeyName struct {
	Null  *struct{}
	Value *string
}

func (WrappingKeyName) MarshalJSON added in v0.2.6

func (x WrappingKeyName) MarshalJSON() ([]byte, error)

func (*WrappingKeyName) UnmarshalJSON added in v0.2.6

func (x *WrappingKeyName) UnmarshalJSON(data []byte) error
