diff --git a/specs/authorization/authorization.openapi.yaml b/specs/authorization/authorization.openapi.yaml
index 5a112b61..cb0927c7 100644
--- a/specs/authorization/authorization.openapi.yaml
+++ b/specs/authorization/authorization.openapi.yaml
@@ -143,6 +143,8 @@ components:
 - ALGORITHM_HPQT_XWING
 - ALGORITHM_HPQT_SECP256R1_MLKEM768
 - ALGORITHM_HPQT_SECP384R1_MLKEM1024
+ - ALGORITHM_MLKEM_768
+ - ALGORITHM_MLKEM_1024
 description: Supported key algorithms.
 policy.KasPublicKeyAlgEnum:
 type: string
@@ -157,6 +159,8 @@ components:
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_768
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_1024
 policy.SourceType:
 type: string
 title: SourceType
diff --git a/specs/authorization/v2/authorization.openapi.yaml b/specs/authorization/v2/authorization.openapi.yaml
index 0e03a9e1..e6914f49 100644
--- a/specs/authorization/v2/authorization.openapi.yaml
+++ b/specs/authorization/v2/authorization.openapi.yaml
@@ -178,6 +178,8 @@ components:
 - ALGORITHM_HPQT_XWING
 - ALGORITHM_HPQT_SECP256R1_MLKEM768
 - ALGORITHM_HPQT_SECP384R1_MLKEM1024
+ - ALGORITHM_MLKEM_768
+ - ALGORITHM_MLKEM_1024
 description: Supported key algorithms.
 policy.KasPublicKeyAlgEnum:
 type: string
@@ -192,6 +194,8 @@ components:
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_768
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_1024
 policy.SourceType:
 type: string
 title: SourceType
diff --git a/specs/policy/actions/actions.openapi.yaml b/specs/policy/actions/actions.openapi.yaml
index 3f16ddef..69a29f35 100644
--- a/specs/policy/actions/actions.openapi.yaml
+++ b/specs/policy/actions/actions.openapi.yaml
@@ -206,6 +206,8 @@ components:
 - ALGORITHM_HPQT_XWING
 - ALGORITHM_HPQT_SECP256R1_MLKEM768
 - ALGORITHM_HPQT_SECP384R1_MLKEM1024
+ - ALGORITHM_MLKEM_768
+ - ALGORITHM_MLKEM_1024
 description: Supported key algorithms.
 policy.AttributeRuleTypeEnum:
 type: string
@@ -222,28 +224,6 @@ components:
 - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED
 - CONDITION_BOOLEAN_TYPE_ENUM_AND
 - CONDITION_BOOLEAN_TYPE_ENUM_OR
- policy.ConditionComparisonOperatorEnum:
- type: string
- title: ConditionComparisonOperatorEnum
- enum:
- - CONDITION_COMPARISON_OPERATOR_ENUM_UNSPECIFIED
- - CONDITION_COMPARISON_OPERATOR_ENUM_EQUALS
- - CONDITION_COMPARISON_OPERATOR_ENUM_CONTAINS
- - CONDITION_COMPARISON_OPERATOR_ENUM_STARTS_WITH
- - CONDITION_COMPARISON_OPERATOR_ENUM_ENDS_WITH
- description: |-
- How a selector result is compared against a comparison value. Replaces the all-in-one
- SubjectMappingOperatorEnum by separating the comparison from the quantifier (see
- ConditionQuantifierEnum) and case sensitivity.
- policy.ConditionQuantifierEnum:
- type: string
- title: ConditionQuantifierEnum
- enum:
- - CONDITION_QUANTIFIER_ENUM_UNSPECIFIED
- - CONDITION_QUANTIFIER_ENUM_ANY
- - CONDITION_QUANTIFIER_ENUM_ALL
- - CONDITION_QUANTIFIER_ENUM_NONE
- description: How matches are aggregated across the comparison set (subject_external_values).
 policy.KasPublicKeyAlgEnum:
 type: string
 title: KasPublicKeyAlgEnum
@@ -257,6 +237,8 @@ components:
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_768
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_1024
 policy.SourceType:
 type: string
 title: SourceType
@@ -540,10 +522,7 @@ components:
 from idP/LDAP)
 operator:
 title: operator
- description: |-
- Deprecated: use comparison + quantifier (+ case_insensitive) instead. Normalized to the
- decomposed fields in the service layer for backward compatibility.
- deprecated: true
+ description: the evaluation operator of relation
 $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum'
 subjectExternalValues:
 type: array
@@ -556,23 +535,10 @@ components:
 list of comparison values for the result of applying the subject_external_selector_value on a flattened Entity Representation (Subject), evaluated by the operator
- comparison:
- title: comparison
- description: how each selector result is compared to subject_external_values entries
- $ref: '#/components/schemas/policy.ConditionComparisonOperatorEnum'
- quantifier:
- title: quantifier
- description: how matches are aggregated across subject_external_values
- $ref: '#/components/schemas/policy.ConditionQuantifierEnum'
- caseInsensitive:
- title: case_insensitive
- description: |-
- when set true, comparison is case-insensitive; unset is treated as case-sensitive. Modeled as
- BoolValue so an explicit false is distinguishable from unset, leaving room to change the default.
- $ref: '#/components/schemas/google.protobuf.BoolValue'
 title: Condition
 required:
 - subjectExternalSelectorValue
+ - operator
 additionalProperties: false
 description: |-
 *
diff --git a/specs/policy/attributes/attributes.openapi.yaml b/specs/policy/attributes/attributes.openapi.yaml
index b5270ccd..cc533e2c 100644
--- a/specs/policy/attributes/attributes.openapi.yaml
+++ b/specs/policy/attributes/attributes.openapi.yaml
@@ -150,6 +150,83 @@ paths:
 application/json:
 schema:
 $ref: '#/components/schemas/policy.attributes.GetAttributeValuesByFqnsResponse'
+ /policy.attributes.AttributesService/GetKeyMappingsByFqns:
+ post:
+ tags:
+ - policy.attributes.AttributesService
+ summary: GetKeyMappingsByFqns
+ description: |-
+ Returns only key-mapping information (rule and effective KAS keys) for the
+ requested attribute value FQNs, for client-side key split construction.
+ operationId: policy.attributes.AttributesService.GetKeyMappingsByFqns
+ parameters:
+ - name: Connect-Protocol-Version
+ in: header
+ required: true
+ schema:
+ $ref: '#/components/schemas/connect-protocol-version'
+ - name: Connect-Timeout-Ms
+ in: header
+ schema:
+ $ref: '#/components/schemas/connect-timeout-header'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.attributes.GetKeyMappingsByFqnsRequest'
+ required: true
+ responses:
+ default:
+ description: Error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/connect.error'
+ "200":
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.attributes.GetKeyMappingsByFqnsResponse'
+ /policy.attributes.AttributesService/GetEntitleableAttributesByFqns:
+ post:
+ tags:
+ - policy.attributes.AttributesService
+ summary: GetEntitleableAttributesByFqns
+ description: |-
+ Returns only entitlement-relevant information (rule, value identity, ordered
+ definition values, and subject mappings) for the requested attribute value
+ FQNs, for server-side decisioning / entitlement resolution.
+ operationId: policy.attributes.AttributesService.GetEntitleableAttributesByFqns
+ parameters:
+ - name: Connect-Protocol-Version
+ in: header
+ required: true
+ schema:
+ $ref: '#/components/schemas/connect-protocol-version'
+ - name: Connect-Timeout-Ms
+ in: header
+ schema:
+ $ref: '#/components/schemas/connect-timeout-header'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.attributes.GetEntitleableAttributesByFqnsRequest'
+ required: true
+ responses:
+ default:
+ description: Error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/connect.error'
+ "200":
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.attributes.GetEntitleableAttributesByFqnsResponse'
 /policy.attributes.AttributesService/CreateAttribute:
 post:
 tags:
@@ -725,6 +802,8 @@ components:
 - ALGORITHM_HPQT_XWING
 - ALGORITHM_HPQT_SECP256R1_MLKEM768
 - ALGORITHM_HPQT_SECP384R1_MLKEM1024
+ - ALGORITHM_MLKEM_768
+ - ALGORITHM_MLKEM_1024
 description: Supported key algorithms.
 policy.AttributeRuleTypeEnum:
 type: string
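Review bot: The new GetEntitleableAttributesByFqns operation hands back the subject mappings for any requested attribute value FQNs, i.e. the policy inputs that decide who is entitled, but nothing in this hunk says which callers may invoke it, and its description names "Auth Service / Access PDP" as the intended consumer; the route's authorization policy is not visible in this spec, so it should be confirmed that the two new RPCs are gated at least as strictly as the GetAttributeValuesByFqns read they narrow, rather than registered as open to any authenticated client. Structurally the two operation entries mirror the existing GetAttributeValuesByFqns entry (same Connect headers, same error/success shape), so the only thing missing is the contract statement. If the gating lives outside this file, a sentence in each description such as `Requires the same read authorization as GetAttributeValuesByFqns.` would make it visible to integrators.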
@@ -741,28 +820,6 @@ components:
 - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED
 - CONDITION_BOOLEAN_TYPE_ENUM_AND
 - CONDITION_BOOLEAN_TYPE_ENUM_OR
- policy.ConditionComparisonOperatorEnum:
- type: string
- title: ConditionComparisonOperatorEnum
- enum:
- - CONDITION_COMPARISON_OPERATOR_ENUM_UNSPECIFIED
- - CONDITION_COMPARISON_OPERATOR_ENUM_EQUALS
- - CONDITION_COMPARISON_OPERATOR_ENUM_CONTAINS
- - CONDITION_COMPARISON_OPERATOR_ENUM_STARTS_WITH
- - CONDITION_COMPARISON_OPERATOR_ENUM_ENDS_WITH
- description: |-
- How a selector result is compared against a comparison value. Replaces the all-in-one
- SubjectMappingOperatorEnum by separating the comparison from the quantifier (see
- ConditionQuantifierEnum) and case sensitivity.
- policy.ConditionQuantifierEnum:
- type: string
- title: ConditionQuantifierEnum
- enum:
- - CONDITION_QUANTIFIER_ENUM_UNSPECIFIED
- - CONDITION_QUANTIFIER_ENUM_ANY
- - CONDITION_QUANTIFIER_ENUM_ALL
- - CONDITION_QUANTIFIER_ENUM_NONE
- description: How matches are aggregated across the comparison set (subject_external_values).
 policy.KasPublicKeyAlgEnum:
 type: string
 title: KasPublicKeyAlgEnum
@@ -776,6 +833,8 @@ components:
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_768
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_1024
 policy.SortDirection:
 type: string
 title: SortDirection
@@ -1113,10 +1172,7 @@ components:
 from idP/LDAP)
 operator:
 title: operator
- description: |-
- Deprecated: use comparison + quantifier (+ case_insensitive) instead. Normalized to the
- decomposed fields in the service layer for backward compatibility.
- deprecated: true
+ description: the evaluation operator of relation
 $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum'
 subjectExternalValues:
 type: array
@@ -1129,23 +1185,10 @@ components:
 list of comparison values for the result of applying the subject_external_selector_value on a flattened Entity Representation (Subject), evaluated by the operator
- comparison:
- title: comparison
- description: how each selector result is compared to subject_external_values entries
- $ref: '#/components/schemas/policy.ConditionComparisonOperatorEnum'
- quantifier:
- title: quantifier
- description: how matches are aggregated across subject_external_values
- $ref: '#/components/schemas/policy.ConditionQuantifierEnum'
- caseInsensitive:
- title: case_insensitive
- description: |-
- when set true, comparison is case-insensitive; unset is treated as case-sensitive. Modeled as
- BoolValue so an explicit false is distinguishable from unset, leaving room to change the default.
- $ref: '#/components/schemas/google.protobuf.BoolValue'
 title: Condition
 required:
 - subjectExternalSelectorValue
+ - operator
 additionalProperties: false
 description: |-
 *
@@ -2140,6 +2183,194 @@ components:
 $ref: '#/components/schemas/policy.attributes.GetAttributeValuesByFqnsResponse.AttributeAndValue'
 title: FqnAttributeValuesEntry
 additionalProperties: false
+ policy.attributes.GetEntitleableAttributesByFqnsRequest:
+ type: object
+ properties:
+ fqns:
+ type: array
+ items:
+ type: string
+ maxItems: 250
+ minItems: 1
+ title: fqns
+ maxItems: 250
+ minItems: 1
+ description: |-
+ Required
+ Fully Qualified Names of attribute values (i.e. https:///attr//value/), normalized to lower case.
+ title: GetEntitleableAttributesByFqnsRequest
+ additionalProperties: false
+ description: |-
+ Entitleable Attributes By FQNs (server-side decisioning path)
+
+ Narrow read API for Auth Service / Access PDP entitlement resolution. Given
+ attribute value FQNs, returns the parent definitions (deduped, each with its
+ rule) and, per requested value, the value identity and the subject mappings
+ needed to resolve entitlements. Hierarchy definitions additionally carry their
+ ordered values with subject mappings, for hierarchy rule propagation. It does
+ not return KAS keys, grants, resource mappings, obligations, or metadata.
+ policy.attributes.GetEntitleableAttributesByFqnsResponse:
+ type: object
+ properties:
+ definitions:
+ type: object
+ title: definitions
+ additionalProperties:
+ title: value
+ $ref: '#/components/schemas/policy.attributes.GetEntitleableAttributesByFqnsResponse.EntitleableDefinition'
+ description: map of definition FQN to its definition, returned once each (deduped)
+ fqnEntitleableAttributes:
+ type: object
+ title: fqn_entitleable_attributes
+ additionalProperties:
+ title: value
+ $ref: '#/components/schemas/policy.attributes.GetEntitleableAttributesByFqnsResponse.EntitleableAttribute'
+ description: map of requested value FQN to its value and parent definition reference, for O(1) lookup
+ title: GetEntitleableAttributesByFqnsResponse
+ additionalProperties: false
+ policy.attributes.GetEntitleableAttributesByFqnsResponse.DefinitionsEntry:
+ type: object
+ properties:
+ key:
+ type: string
+ title: key
+ value:
+ title: value
+ $ref: '#/components/schemas/policy.attributes.GetEntitleableAttributesByFqnsResponse.EntitleableDefinition'
+ title: DefinitionsEntry
+ additionalProperties: false
+ policy.attributes.GetEntitleableAttributesByFqnsResponse.EntitleableAttribute:
+ type: object
+ properties:
+ definitionFqn:
+ type: string
+ title: definition_fqn
+ description: the FQN of the parent definition, a key into `definitions`
+ value:
+ title: value
+ description: the requested attribute value plus its subject mappings
+ $ref: '#/components/schemas/policy.attributes.GetEntitleableAttributesByFqnsResponse.EntitleableValue'
+ title: EntitleableAttribute
+ additionalProperties: false
+ policy.attributes.GetEntitleableAttributesByFqnsResponse.EntitleableDefinition:
+ type: object
+ properties:
+ rule:
+ title: rule
+ description: the attribute rule, which drives rule logic during decisioning
+ $ref: '#/components/schemas/policy.AttributeRuleTypeEnum'
+ values:
+ type: array
+ items:
+ $ref: 
'#/components/schemas/policy.attributes.GetEntitleableAttributesByFqnsResponse.EntitleableValue'
+ title: values
+ description: |-
+ the definition's values in order, each with its subject mappings. Populated
+ ONLY for hierarchy definitions (whose decisioning needs sibling values and
+ their mappings to propagate entitlement up the chain). Empty for any_of /
+ all_of, where the requested per-value entries below carry what's needed.
+ title: EntitleableDefinition
+ additionalProperties: false
+ description: |-
+ An attribute definition referenced by one or more requested value FQNs,
+ returned once regardless of how many of its values were requested.
+ policy.attributes.GetEntitleableAttributesByFqnsResponse.EntitleableValue:
+ type: object
+ properties:
+ fqn:
+ type: string
+ title: fqn
+ description: the attribute value FQN
+ valueId:
+ type: string
+ title: value_id
+ description: identity of the attribute value
+ subjectMappings:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.SubjectMapping'
+ title: subject_mappings
+ description: subject mappings used to resolve entitlements for this value
+ title: EntitleableValue
+ additionalProperties: false
+ description: An attribute value plus the subject mappings that entitle it.
+ policy.attributes.GetEntitleableAttributesByFqnsResponse.FqnEntitleableAttributesEntry:
+ type: object
+ properties:
+ key:
+ type: string
+ title: key
+ value:
+ title: value
+ $ref: '#/components/schemas/policy.attributes.GetEntitleableAttributesByFqnsResponse.EntitleableAttribute'
+ title: FqnEntitleableAttributesEntry
+ additionalProperties: false
+ policy.attributes.GetKeyMappingsByFqnsRequest:
+ type: object
+ properties:
+ fqns:
+ type: array
+ items:
+ type: string
+ maxItems: 250
+ minItems: 1
+ title: fqns
+ maxItems: 250
+ minItems: 1
+ description: |-
+ Required
+ Fully Qualified Names of attribute values (i.e. https:///attr//value/), normalized to lower case.
+ title: GetKeyMappingsByFqnsRequest
+ additionalProperties: false
+ description: |-
+ Key Mappings By FQNs (client-side key split path)
+
+ Narrow read API for the client-side encrypt flow. Given attribute value FQNs,
+ returns only the information needed to build key splits: the governing
+ attribute rule and the effective KAS keys resolved server-side. It does not
+ return subject mappings, resource mappings, obligations, sibling values, or
+ metadata. Prefer this over GetAttributeValuesByFqns when building splits.
+ policy.attributes.GetKeyMappingsByFqnsResponse:
+ type: object
+ properties:
+ fqnKeyMappings:
+ type: object
+ title: fqn_key_mappings
+ additionalProperties:
+ title: value
+ $ref: '#/components/schemas/policy.attributes.GetKeyMappingsByFqnsResponse.AttributeKeyMapping'
+ description: map of value FQN to its key mapping information, for O(1) lookup
+ title: GetKeyMappingsByFqnsResponse
+ additionalProperties: false
+ policy.attributes.GetKeyMappingsByFqnsResponse.AttributeKeyMapping:
+ type: object
+ properties:
+ rule:
+ title: rule
+ description: the attribute rule, which governs how splits combine (any_of / all_of / hierarchy)
+ $ref: '#/components/schemas/policy.AttributeRuleTypeEnum'
+ keys:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.SimpleKasKey'
+ title: keys
+ description: |-
+ effective KAS keys resolved for this value (value > definition > namespace
+ precedence). Legacy grants are not used by this API; values configured only
+ with grants and no kas_keys return an empty key set.
+ title: AttributeKeyMapping
+ additionalProperties: false
+ policy.attributes.GetKeyMappingsByFqnsResponse.FqnKeyMappingsEntry:
+ type: object
+ properties:
+ key:
+ type: string
+ title: key
+ value:
+ title: value
+ $ref: '#/components/schemas/policy.attributes.GetKeyMappingsByFqnsResponse.AttributeKeyMapping'
+ title: FqnKeyMappingsEntry
+ additionalProperties: false
 policy.attributes.ListAttributeValuesRequest:
 type: object
 properties:
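Review bot: AttributeKeyMapping.keys documents that a value configured only with legacy grants comes back with an empty key set, but the spec never says what a client must do with an empty `keys` entry, and a split builder that reads it as "no KAS binding needed for this attribute" would produce a TDF that is not bound to any KAS for that value, which is fail-open by omission; the description should state the expected client behavior, e.g. `An empty keys list means no key mapping could be resolved for this FQN; clients must not silently skip the split for it and should apply their configured fallback (default KAS) or fail.` The same gap exists for a requested FQN that does not exist: neither GetKeyMappingsByFqnsResponse nor GetEntitleableAttributesByFqnsResponse says whether such an FQN is omitted from the map or fails the request, and a client doing the O(1) lookup these maps advertise cannot tell "unknown attribute" from "no keys" or "no mappings" unless that is pinned down (GetAttributeValuesByFqns may already define it, but that text is not in this hunk). The request-side constraints (minItems 1, maxItems 250, lower-case normalization) look right; only the response contract is under-specified.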
diff --git a/specs/policy/dynamicvaluemapping/dynamic_value_mapping.openapi.yaml b/specs/policy/dynamicvaluemapping/dynamic_value_mapping.openapi.yaml
index c05551ba..ddda4372 100644
--- a/specs/policy/dynamicvaluemapping/dynamic_value_mapping.openapi.yaml
+++ b/specs/policy/dynamicvaluemapping/dynamic_value_mapping.openapi.yaml
@@ -206,6 +206,8 @@ components:
 - ALGORITHM_HPQT_XWING
 - ALGORITHM_HPQT_SECP256R1_MLKEM768
 - ALGORITHM_HPQT_SECP384R1_MLKEM1024
+ - ALGORITHM_MLKEM_768
+ - ALGORITHM_MLKEM_1024
 description: Supported key algorithms.
 policy.AttributeRuleTypeEnum:
 type: string
@@ -222,28 +224,6 @@ components:
 - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED
 - CONDITION_BOOLEAN_TYPE_ENUM_AND
 - CONDITION_BOOLEAN_TYPE_ENUM_OR
- policy.ConditionComparisonOperatorEnum:
- type: string
- title: ConditionComparisonOperatorEnum
- enum:
- - CONDITION_COMPARISON_OPERATOR_ENUM_UNSPECIFIED
- - CONDITION_COMPARISON_OPERATOR_ENUM_EQUALS
- - CONDITION_COMPARISON_OPERATOR_ENUM_CONTAINS
- - CONDITION_COMPARISON_OPERATOR_ENUM_STARTS_WITH
- - CONDITION_COMPARISON_OPERATOR_ENUM_ENDS_WITH
- description: |-
- How a selector result is compared against a comparison value. Replaces the all-in-one
- SubjectMappingOperatorEnum by separating the comparison from the quantifier (see
- ConditionQuantifierEnum) and case sensitivity.
- policy.ConditionQuantifierEnum:
- type: string
- title: ConditionQuantifierEnum
- enum:
- - CONDITION_QUANTIFIER_ENUM_UNSPECIFIED
- - CONDITION_QUANTIFIER_ENUM_ANY
- - CONDITION_QUANTIFIER_ENUM_ALL
- - CONDITION_QUANTIFIER_ENUM_NONE
- description: How matches are aggregated across the comparison set (subject_external_values).
 policy.KasPublicKeyAlgEnum:
 type: string
 title: KasPublicKeyAlgEnum
@@ -257,6 +237,8 @@ components:
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_768
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_1024
 policy.SortDirection:
 type: string
 title: SortDirection
@@ -559,10 +541,7 @@ components:
 from idP/LDAP)
 operator:
 title: operator
- description: |-
- Deprecated: use comparison + quantifier (+ case_insensitive) instead. Normalized to the
- decomposed fields in the service layer for backward compatibility.
- deprecated: true
+ description: the evaluation operator of relation
 $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum'
 subjectExternalValues:
 type: array
@@ -575,23 +554,10 @@ components:
 list of comparison values for the result of applying the subject_external_selector_value on a flattened Entity Representation (Subject), evaluated by the operator
- comparison:
- title: comparison
- description: how each selector result is compared to subject_external_values entries
- $ref: '#/components/schemas/policy.ConditionComparisonOperatorEnum'
- quantifier:
- title: quantifier
- description: how matches are aggregated across subject_external_values
- $ref: '#/components/schemas/policy.ConditionQuantifierEnum'
- caseInsensitive:
- title: case_insensitive
- description: |-
- when set true, comparison is case-insensitive; unset is treated as case-sensitive. Modeled as
- BoolValue so an explicit false is distinguishable from unset, leaving room to change the default.
- $ref: '#/components/schemas/google.protobuf.BoolValue'
 title: Condition
 required:
 - subjectExternalSelectorValue
+ - operator
 additionalProperties: false
 description: |-
 *
@@ -666,28 +632,26 @@ components:
 description: |-
 a selector for a field value on a flattened Entity Representation (such as
 from idP/LDAP), e.g. ".patientAssignments[]"
- comparison:
- title: comparison
+ operator:
+ not:
+ enum:
+ - 2
+ title: operator
 description: |-
 how the requested resource value segment is compared against each value the selector
- resolves from the entity representation
- $ref: '#/components/schemas/policy.ConditionComparisonOperatorEnum'
- caseInsensitive:
- title: case_insensitive
- description: |-
- when set true, comparison is case-insensitive; unset is treated as case-sensitive. Modeled as
- BoolValue so an explicit false is distinguishable from unset, leaving room to change the default.
- $ref: '#/components/schemas/google.protobuf.BoolValue'
+ resolves from the entity representation. NOT_IN is unsupported because dynamic resolution
+ is existential over the resolved entity values.
+ $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum'
 title: DynamicValueResolver
 required:
 - subjectExternalSelectorValue
- - comparison
+ - operator
 additionalProperties: false
 description: |-
 Dynamic Value Resolver: the dynamic half of a DynamicValueMapping. It resolves a selector
 against the entity representation, then tests whether any resolved entity value matches the
- requested resource value segment under comparison. The match is inherently existential over
- the resolved entity values, so no quantifier is carried here.
+ requested resource value segment under the operator. The match is inherently existential over
+ the resolved entity values.
 policy.KasPublicKey:
 type: object
 properties:
diff --git a/specs/policy/kasregistry/key_access_server_registry.openapi.yaml b/specs/policy/kasregistry/key_access_server_registry.openapi.yaml
index 2d803524..b8c7b84c 100644
--- a/specs/policy/kasregistry/key_access_server_registry.openapi.yaml
+++ b/specs/policy/kasregistry/key_access_server_registry.openapi.yaml
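Review bot: The `not: enum: [2]` constraint added on DynamicValueResolver.operator is expressed against the integer enum number, while the field `$ref`s `policy.SubjectMappingOperatorEnum`, which like every other enum schema in these specs (e.g. `policy.KasPublicKeyAlgEnum: type: string`) is presumably emitted as a string enum of `SUBJECT_MAPPING_OPERATOR_ENUM_*` names; an OpenAPI/JSON validator will therefore never match the string NOT_IN value against `2`, so this schema does not reject NOT_IN as its description promises, and the exclusion only holds if the proto-level validation that generated this line runs on every create/update path. That matters here because the surrounding description says the match is existential over the resolved entity values, so a NOT_IN resolver would match whenever any resolved value differs from the requested segment, i.e. nearly always, which is a grant-widening failure mode rather than a harmless one. If the generator cannot emit the string form, I would add to the operator description `Enforced server-side; JSON clients cannot rely on this schema to reject NOT_IN.` and, since nothing excludes the UNSPECIFIED value either, state or validate what an unspecified operator does. The identical hunk appears in objects.openapi.yaml later in this diff.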
@@ -526,6 +526,8 @@ components:
 - ALGORITHM_HPQT_XWING
 - ALGORITHM_HPQT_SECP256R1_MLKEM768
 - ALGORITHM_HPQT_SECP384R1_MLKEM1024
+ - ALGORITHM_MLKEM_768
+ - ALGORITHM_MLKEM_1024
 description: Supported key algorithms.
 policy.KasPublicKeyAlgEnum:
 type: string
@@ -540,6 +542,8 @@ components:
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_768
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_1024
 policy.KeyMode:
 type: string
 title: KeyMode
@@ -1181,7 +1185,7 @@ components:
 Required The algorithm to be used for the key
 The key_algorithm must be one of the defined values.:
 ```
- this in [1, 2, 3, 4, 5, 6, 7, 8]
+ this in [1, 2, 3, 4, 5, 6, 7, 8, 20, 21]
 ```
 $ref: '#/components/schemas/policy.Algorithm'
@@ -1742,7 +1746,7 @@ components:
 Filter keys by algorithm
 The key_algorithm must be one of the defined values.:
 ```
- this in [0, 1, 2, 3, 4, 5, 6, 7, 8]
+ this in [0, 1, 2, 3, 4, 5, 6, 7, 8, 20, 21]
 ```
 $ref: '#/components/schemas/policy.Algorithm'
@@ -2020,7 +2024,7 @@ components:
 Required
 The key_algorithm must be one of the defined values.:
 ```
- this in [1, 2, 3, 4, 5, 6, 7, 8]
+ this in [1, 2, 3, 4, 5, 6, 7, 8, 20, 21]
 ```
 $ref: '#/components/schemas/policy.Algorithm'
diff --git a/specs/policy/namespaces/namespaces.openapi.yaml b/specs/policy/namespaces/namespaces.openapi.yaml
index d6f72e3e..c813ecd9 100644
--- a/specs/policy/namespaces/namespaces.openapi.yaml
+++ b/specs/policy/namespaces/namespaces.openapi.yaml
@@ -356,6 +356,8 @@ components:
 - ALGORITHM_HPQT_XWING
 - ALGORITHM_HPQT_SECP256R1_MLKEM768
 - ALGORITHM_HPQT_SECP384R1_MLKEM1024
+ - ALGORITHM_MLKEM_768
+ - ALGORITHM_MLKEM_1024
 description: Supported key algorithms.
 policy.KasPublicKeyAlgEnum:
 type: string
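Review bot: The three `this in [...]` allow-lists for key_algorithm now admit 20 and 21 (ALGORITHM_MLKEM_768 / ALGORITHM_MLKEM_1024), and unlike the HPQT_* entries already in the list these are standalone ML-KEM keys with no classical component, so a KAS key registered with them has no fallback if the ML-KEM implementation or parameter set turns out to be flawed; that is a defensible posture choice, but it is a posture choice, and the spec should say so instead of presenting pure PQ as interchangeable with the hybrids. I would add to the key_algorithm description a line such as `ALGORITHM_MLKEM_768 / ALGORITHM_MLKEM_1024 are pure post-quantum KEMs with no classical component; prefer the HPQT_* hybrids unless a pure-PQ key is explicitly required.` It is also worth confirming outside this spec that the rewrap path and the SDK key-split code reject or handle these algorithms, since after this change an administrator can create such a key through the registry API before every client can encapsulate to it. The hunk headers give only the CEL lists, so the surrounding field definitions are outside this view.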
@@ -370,6 +372,8 @@ components:
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_768
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_1024
 policy.SortDirection:
 type: string
 title: SortDirection
diff --git a/specs/policy/objects.openapi.yaml b/specs/policy/objects.openapi.yaml
index 7ec3b464..eb040231 100644
--- a/specs/policy/objects.openapi.yaml
+++ b/specs/policy/objects.openapi.yaml
@@ -24,6 +24,8 @@ components:
 - ALGORITHM_HPQT_XWING
 - ALGORITHM_HPQT_SECP256R1_MLKEM768
 - ALGORITHM_HPQT_SECP384R1_MLKEM1024
+ - ALGORITHM_MLKEM_768
+ - ALGORITHM_MLKEM_1024
 description: Supported key algorithms.
 policy.AttributeRuleTypeEnum:
 type: string
@@ -40,28 +42,6 @@ components:
 - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED
 - CONDITION_BOOLEAN_TYPE_ENUM_AND
 - CONDITION_BOOLEAN_TYPE_ENUM_OR
- policy.ConditionComparisonOperatorEnum:
- type: string
- title: ConditionComparisonOperatorEnum
- enum:
- - CONDITION_COMPARISON_OPERATOR_ENUM_UNSPECIFIED
- - CONDITION_COMPARISON_OPERATOR_ENUM_EQUALS
- - CONDITION_COMPARISON_OPERATOR_ENUM_CONTAINS
- - CONDITION_COMPARISON_OPERATOR_ENUM_STARTS_WITH
- - CONDITION_COMPARISON_OPERATOR_ENUM_ENDS_WITH
- description: |-
- How a selector result is compared against a comparison value. Replaces the all-in-one
- SubjectMappingOperatorEnum by separating the comparison from the quantifier (see
- ConditionQuantifierEnum) and case sensitivity.
- policy.ConditionQuantifierEnum:
- type: string
- title: ConditionQuantifierEnum
- enum:
- - CONDITION_QUANTIFIER_ENUM_UNSPECIFIED
- - CONDITION_QUANTIFIER_ENUM_ANY
- - CONDITION_QUANTIFIER_ENUM_ALL
- - CONDITION_QUANTIFIER_ENUM_NONE
- description: How matches are aggregated across the comparison set (subject_external_values).
 policy.KasPublicKeyAlgEnum:
 type: string
 title: KasPublicKeyAlgEnum
@@ -75,6 +55,8 @@ components:
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_768
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_1024
 policy.KeyMode:
 type: string
 title: KeyMode
@@ -411,23 +393,10 @@ components:
 list of comparison values for the result of applying the subject_external_selector_value on a flattened Entity Representation (Subject), evaluated by the operator
- comparison:
- title: comparison
- description: how each selector result is compared to subject_external_values entries
- $ref: '#/components/schemas/policy.ConditionComparisonOperatorEnum'
- quantifier:
- title: quantifier
- description: how matches are aggregated across subject_external_values
- $ref: '#/components/schemas/policy.ConditionQuantifierEnum'
- caseInsensitive:
- title: case_insensitive
- description: |-
- when set true, comparison is case-insensitive; unset is treated as case-sensitive. Modeled as
- BoolValue so an explicit false is distinguishable from unset, leaving room to change the default.
- $ref: '#/components/schemas/google.protobuf.BoolValue'
 title: Condition
 required:
 - subjectExternalSelectorValue
+ - operator
 additionalProperties: false
 description: |-
 *
@@ -502,28 +471,26 @@ components:
 description: |-
 a selector for a field value on a flattened Entity Representation (such as
 from idP/LDAP), e.g. ".patientAssignments[]"
- comparison:
- title: comparison
+ operator:
+ not:
+ enum:
+ - 2
+ title: operator
 description: |-
 how the requested resource value segment is compared against each value the selector
- resolves from the entity representation
- $ref: '#/components/schemas/policy.ConditionComparisonOperatorEnum'
- caseInsensitive:
- title: case_insensitive
- description: |-
- when set true, comparison is case-insensitive; unset is treated as case-sensitive. Modeled as
- BoolValue so an explicit false is distinguishable from unset, leaving room to change the default.
- $ref: '#/components/schemas/google.protobuf.BoolValue'
+ resolves from the entity representation. NOT_IN is unsupported because dynamic resolution
+ is existential over the resolved entity values.
+ $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum'
 title: DynamicValueResolver
 required:
 - subjectExternalSelectorValue
- - comparison
+ - operator
 additionalProperties: false
 description: |-
 Dynamic Value Resolver: the dynamic half of a DynamicValueMapping. It resolves a selector
 against the entity representation, then tests whether any resolved entity value matches the
- requested resource value segment under comparison. The match is inherently existential over
- the resolved entity values, so no quantifier is carried here.
+ requested resource value segment under the operator. The match is inherently existential over
+ the resolved entity values.
 policy.KasKey:
 type: object
 properties:
diff --git a/specs/policy/obligations/obligations.openapi.yaml b/specs/policy/obligations/obligations.openapi.yaml
index 01fcb57b..fe4758bf 100644
--- a/specs/policy/obligations/obligations.openapi.yaml
+++ b/specs/policy/obligations/obligations.openapi.yaml
@@ -556,6 +556,8 @@ components:
 - ALGORITHM_HPQT_XWING
 - ALGORITHM_HPQT_SECP256R1_MLKEM768
 - ALGORITHM_HPQT_SECP384R1_MLKEM1024
+ - ALGORITHM_MLKEM_768
+ - ALGORITHM_MLKEM_1024
 description: Supported key algorithms.
 policy.AttributeRuleTypeEnum:
 type: string
@@ -572,28 +574,6 @@ components:
 - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED
 - CONDITION_BOOLEAN_TYPE_ENUM_AND
 - CONDITION_BOOLEAN_TYPE_ENUM_OR
- policy.ConditionComparisonOperatorEnum:
- type: string
- title: ConditionComparisonOperatorEnum
- enum:
- - CONDITION_COMPARISON_OPERATOR_ENUM_UNSPECIFIED
- - CONDITION_COMPARISON_OPERATOR_ENUM_EQUALS
- - CONDITION_COMPARISON_OPERATOR_ENUM_CONTAINS
- - CONDITION_COMPARISON_OPERATOR_ENUM_STARTS_WITH
- - CONDITION_COMPARISON_OPERATOR_ENUM_ENDS_WITH
- description: |-
- How a selector result is compared against a comparison value. Replaces the all-in-one
- SubjectMappingOperatorEnum by separating the comparison from the quantifier (see
- ConditionQuantifierEnum) and case sensitivity.
- policy.ConditionQuantifierEnum:
- type: string
- title: ConditionQuantifierEnum
- enum:
- - CONDITION_QUANTIFIER_ENUM_UNSPECIFIED
- - CONDITION_QUANTIFIER_ENUM_ANY
- - CONDITION_QUANTIFIER_ENUM_ALL
- - CONDITION_QUANTIFIER_ENUM_NONE
- description: How matches are aggregated across the comparison set (subject_external_values).
 policy.KasPublicKeyAlgEnum:
 type: string
 title: KasPublicKeyAlgEnum
@@ -607,6 +587,8 @@ components:
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768
 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_768
+ - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_1024
 policy.SortDirection:
 type: string
 title: SortDirection
@@ -945,10 +927,7 @@ components:
 from idP/LDAP)
 operator:
 title: operator
- description: |-
- Deprecated: use comparison + quantifier (+ case_insensitive) instead. Normalized to the
- decomposed fields in the service layer for backward compatibility.
- deprecated: true
+ description: the evaluation operator of relation
 $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum'
 subjectExternalValues:
 type: array
@@ -961,23 +940,10 @@ components:
 list of comparison values for the result of applying the subject_external_selector_value on a flattened Entity Representation (Subject), evaluated by the operator
- comparison:
- title: comparison
- description: how each selector result is compared to subject_external_values entries
- $ref: '#/components/schemas/policy.ConditionComparisonOperatorEnum'
- quantifier:
- title: quantifier
- description: how matches are aggregated across subject_external_values
- $ref: '#/components/schemas/policy.ConditionQuantifierEnum'
- caseInsensitive:
- title: case_insensitive
- description: |-
- when set true, comparison is case-insensitive; unset is treated as case-sensitive. Modeled as
- BoolValue so an explicit false is distinguishable from unset, leaving room to change the default.
- $ref: '#/components/schemas/google.protobuf.BoolValue'
 title: Condition
 required:
 - subjectExternalSelectorValue
+ - operator
 additionalProperties: false
 description: |-
 *
diff --git a/specs/policy/registeredresources/registered_resources.openapi.yaml b/specs/policy/registeredresources/registered_resources.openapi.yaml
index cf6f5268..84ae4a90 100644
--- a/specs/policy/registeredresources/registered_resources.openapi.yaml
+++ b/specs/policy/registeredresources/registered_resources.openapi.yaml
@@ -416,6 +416,8 @@ components:
 - ALGORITHM_HPQT_XWING
 - ALGORITHM_HPQT_SECP256R1_MLKEM768
 - ALGORITHM_HPQT_SECP384R1_MLKEM1024
+ - ALGORITHM_MLKEM_768
+ - ALGORITHM_MLKEM_1024
 description: Supported key algorithms.
 policy.AttributeRuleTypeEnum:
 type: string
@@ -432,28 +434,6 @@ components: - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - CONDITION_BOOLEAN_TYPE_ENUM_AND - CONDITION_BOOLEAN_TYPE_ENUM_OR - policy.ConditionComparisonOperatorEnum: - type: string - title: ConditionComparisonOperatorEnum - enum: - - CONDITION_COMPARISON_OPERATOR_ENUM_UNSPECIFIED - - CONDITION_COMPARISON_OPERATOR_ENUM_EQUALS - - CONDITION_COMPARISON_OPERATOR_ENUM_CONTAINS - - CONDITION_COMPARISON_OPERATOR_ENUM_STARTS_WITH - - CONDITION_COMPARISON_OPERATOR_ENUM_ENDS_WITH - description: |- - How a selector result is compared against a comparison value. Replaces the all-in-one - SubjectMappingOperatorEnum by separating the comparison from the quantifier (see - ConditionQuantifierEnum) and case sensitivity. - policy.ConditionQuantifierEnum: - type: string - title: ConditionQuantifierEnum - enum: - - CONDITION_QUANTIFIER_ENUM_UNSPECIFIED - - CONDITION_QUANTIFIER_ENUM_ANY - - CONDITION_QUANTIFIER_ENUM_ALL - - CONDITION_QUANTIFIER_ENUM_NONE - description: How matches are aggregated across the comparison set (subject_external_values). policy.KasPublicKeyAlgEnum: type: string title: KasPublicKeyAlgEnum @@ -467,6 +447,8 @@ components: - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_768 + - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_1024 policy.SortDirection: type: string title: SortDirection @@ -770,10 +752,7 @@ components: from idP/LDAP) operator: title: operator - description: |- - Deprecated: use comparison + quantifier (+ case_insensitive) instead. Normalized to the - decomposed fields in the service layer for backward compatibility. - deprecated: true + description: the evaluation operator of relation $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum' subjectExternalValues: type: array 
@@ -786,23 +765,10 @@ components: list of comparison values for the result of applying the subject_external_selector_value on a flattened Entity Representation (Subject), evaluated by the operator - comparison: - title: comparison - description: how each selector result is compared to subject_external_values entries - $ref: '#/components/schemas/policy.ConditionComparisonOperatorEnum' - quantifier: - title: quantifier - description: how matches are aggregated across subject_external_values - $ref: '#/components/schemas/policy.ConditionQuantifierEnum' - caseInsensitive: - title: case_insensitive - description: |- - when set true, comparison is case-insensitive; unset is treated as case-sensitive. Modeled as - BoolValue so an explicit false is distinguishable from unset, leaving room to change the default. - $ref: '#/components/schemas/google.protobuf.BoolValue' title: Condition required: - subjectExternalSelectorValue + - operator additionalProperties: false description: |- * diff --git a/specs/policy/resourcemapping/resource_mapping.openapi.yaml b/specs/policy/resourcemapping/resource_mapping.openapi.yaml index c17e5461..f393b216 100644 --- a/specs/policy/resourcemapping/resource_mapping.openapi.yaml +++ b/specs/policy/resourcemapping/resource_mapping.openapi.yaml @@ -416,6 +416,8 @@ components: - ALGORITHM_HPQT_XWING - ALGORITHM_HPQT_SECP256R1_MLKEM768 - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + - ALGORITHM_MLKEM_768 + - ALGORITHM_MLKEM_1024 description: Supported key algorithms. policy.AttributeRuleTypeEnum: type: string 
@@ -432,28 +434,6 @@ components: - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - CONDITION_BOOLEAN_TYPE_ENUM_AND - CONDITION_BOOLEAN_TYPE_ENUM_OR - policy.ConditionComparisonOperatorEnum: - type: string - title: ConditionComparisonOperatorEnum - enum: - - CONDITION_COMPARISON_OPERATOR_ENUM_UNSPECIFIED - - CONDITION_COMPARISON_OPERATOR_ENUM_EQUALS - - CONDITION_COMPARISON_OPERATOR_ENUM_CONTAINS - - CONDITION_COMPARISON_OPERATOR_ENUM_STARTS_WITH - - CONDITION_COMPARISON_OPERATOR_ENUM_ENDS_WITH - description: |- - How a selector result is compared against a comparison value. Replaces the all-in-one - SubjectMappingOperatorEnum by separating the comparison from the quantifier (see - ConditionQuantifierEnum) and case sensitivity. - policy.ConditionQuantifierEnum: - type: string - title: ConditionQuantifierEnum - enum: - - CONDITION_QUANTIFIER_ENUM_UNSPECIFIED - - CONDITION_QUANTIFIER_ENUM_ANY - - CONDITION_QUANTIFIER_ENUM_ALL - - CONDITION_QUANTIFIER_ENUM_NONE - description: How matches are aggregated across the comparison set (subject_external_values). policy.KasPublicKeyAlgEnum: type: string title: KasPublicKeyAlgEnum @@ -467,6 +447,8 @@ components: - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_768 + - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_1024 policy.SourceType: type: string title: SourceType @@ -750,10 +732,7 @@ components: from idP/LDAP) operator: title: operator - description: |- - Deprecated: use comparison + quantifier (+ case_insensitive) instead. Normalized to the - decomposed fields in the service layer for backward compatibility. - deprecated: true + description: the evaluation operator of relation $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum' subjectExternalValues: type: array 
@@ -766,23 +745,10 @@ components: list of comparison values for the result of applying the subject_external_selector_value on a flattened Entity Representation (Subject), evaluated by the operator - comparison: - title: comparison - description: how each selector result is compared to subject_external_values entries - $ref: '#/components/schemas/policy.ConditionComparisonOperatorEnum' - quantifier: - title: quantifier - description: how matches are aggregated across subject_external_values - $ref: '#/components/schemas/policy.ConditionQuantifierEnum' - caseInsensitive: - title: case_insensitive - description: |- - when set true, comparison is case-insensitive; unset is treated as case-sensitive. Modeled as - BoolValue so an explicit false is distinguishable from unset, leaving room to change the default. - $ref: '#/components/schemas/google.protobuf.BoolValue' title: Condition required: - subjectExternalSelectorValue + - operator additionalProperties: false description: |- * diff --git a/specs/policy/subjectmapping/subject_mapping.openapi.yaml b/specs/policy/subjectmapping/subject_mapping.openapi.yaml index 11135683..2762d4cf 100644 --- a/specs/policy/subjectmapping/subject_mapping.openapi.yaml +++ b/specs/policy/subjectmapping/subject_mapping.openapi.yaml @@ -452,6 +452,8 @@ components: - ALGORITHM_HPQT_XWING - ALGORITHM_HPQT_SECP256R1_MLKEM768 - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + - ALGORITHM_MLKEM_768 + - ALGORITHM_MLKEM_1024 description: Supported key algorithms. policy.AttributeRuleTypeEnum: type: string 
@@ -468,28 +470,6 @@ components: - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - CONDITION_BOOLEAN_TYPE_ENUM_AND - CONDITION_BOOLEAN_TYPE_ENUM_OR - policy.ConditionComparisonOperatorEnum: - type: string - title: ConditionComparisonOperatorEnum - enum: - - CONDITION_COMPARISON_OPERATOR_ENUM_UNSPECIFIED - - CONDITION_COMPARISON_OPERATOR_ENUM_EQUALS - - CONDITION_COMPARISON_OPERATOR_ENUM_CONTAINS - - CONDITION_COMPARISON_OPERATOR_ENUM_STARTS_WITH - - CONDITION_COMPARISON_OPERATOR_ENUM_ENDS_WITH - description: |- - How a selector result is compared against a comparison value. Replaces the all-in-one - SubjectMappingOperatorEnum by separating the comparison from the quantifier (see - ConditionQuantifierEnum) and case sensitivity. - policy.ConditionQuantifierEnum: - type: string - title: ConditionQuantifierEnum - enum: - - CONDITION_QUANTIFIER_ENUM_UNSPECIFIED - - CONDITION_QUANTIFIER_ENUM_ANY - - CONDITION_QUANTIFIER_ENUM_ALL - - CONDITION_QUANTIFIER_ENUM_NONE - description: How matches are aggregated across the comparison set (subject_external_values). policy.KasPublicKeyAlgEnum: type: string title: KasPublicKeyAlgEnum @@ -503,6 +483,8 @@ components: - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_768 + - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_1024 policy.SortDirection: type: string title: SortDirection @@ -812,10 +794,7 @@ components: from idP/LDAP) operator: title: operator - description: |- - Deprecated: use comparison + quantifier (+ case_insensitive) instead. Normalized to the - decomposed fields in the service layer for backward compatibility. - deprecated: true + description: the evaluation operator of relation $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum' subjectExternalValues: type: array 
@@ -828,23 +807,10 @@ components: list of comparison values for the result of applying the subject_external_selector_value on a flattened Entity Representation (Subject), evaluated by the operator - comparison: - title: comparison - description: how each selector result is compared to subject_external_values entries - $ref: '#/components/schemas/policy.ConditionComparisonOperatorEnum' - quantifier: - title: quantifier - description: how matches are aggregated across subject_external_values - $ref: '#/components/schemas/policy.ConditionQuantifierEnum' - caseInsensitive: - title: case_insensitive - description: |- - when set true, comparison is case-insensitive; unset is treated as case-sensitive. Modeled as - BoolValue so an explicit false is distinguishable from unset, leaving room to change the default. - $ref: '#/components/schemas/google.protobuf.BoolValue' title: Condition required: - subjectExternalSelectorValue + - operator additionalProperties: false description: |- * diff --git a/specs/policy/unsafe/unsafe.openapi.yaml b/specs/policy/unsafe/unsafe.openapi.yaml index eff9dbd4..0fd9822b 100644 --- a/specs/policy/unsafe/unsafe.openapi.yaml +++ b/specs/policy/unsafe/unsafe.openapi.yaml @@ -390,6 +390,8 @@ components: - ALGORITHM_HPQT_XWING - ALGORITHM_HPQT_SECP256R1_MLKEM768 - ALGORITHM_HPQT_SECP384R1_MLKEM1024 + - ALGORITHM_MLKEM_768 + - ALGORITHM_MLKEM_1024 description: Supported key algorithms. policy.AttributeRuleTypeEnum: type: string 
@@ -406,28 +408,6 @@ components: - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED - CONDITION_BOOLEAN_TYPE_ENUM_AND - CONDITION_BOOLEAN_TYPE_ENUM_OR - policy.ConditionComparisonOperatorEnum: - type: string - title: ConditionComparisonOperatorEnum - enum: - - CONDITION_COMPARISON_OPERATOR_ENUM_UNSPECIFIED - - CONDITION_COMPARISON_OPERATOR_ENUM_EQUALS - - CONDITION_COMPARISON_OPERATOR_ENUM_CONTAINS - - CONDITION_COMPARISON_OPERATOR_ENUM_STARTS_WITH - - CONDITION_COMPARISON_OPERATOR_ENUM_ENDS_WITH - description: |- - How a selector result is compared against a comparison value. Replaces the all-in-one - SubjectMappingOperatorEnum by separating the comparison from the quantifier (see - ConditionQuantifierEnum) and case sensitivity. - policy.ConditionQuantifierEnum: - type: string - title: ConditionQuantifierEnum - enum: - - CONDITION_QUANTIFIER_ENUM_UNSPECIFIED - - CONDITION_QUANTIFIER_ENUM_ANY - - CONDITION_QUANTIFIER_ENUM_ALL - - CONDITION_QUANTIFIER_ENUM_NONE - description: How matches are aggregated across the comparison set (subject_external_values). policy.KasPublicKeyAlgEnum: type: string title: KasPublicKeyAlgEnum @@ -441,6 +421,8 @@ components: - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768 - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024 + - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_768 + - KAS_PUBLIC_KEY_ALG_ENUM_MLKEM_1024 policy.KeyMode: type: string title: KeyMode @@ -764,10 +746,7 @@ components: from idP/LDAP) operator: title: operator - description: |- - Deprecated: use comparison + quantifier (+ case_insensitive) instead. Normalized to the - decomposed fields in the service layer for backward compatibility. - deprecated: true + description: the evaluation operator of relation $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum' subjectExternalValues: type: array 
@@ -780,23 +759,10 @@ components: list of comparison values for the result of applying the subject_external_selector_value on a flattened Entity Representation (Subject), evaluated by the operator - comparison: - title: comparison - description: how each selector result is compared to subject_external_values entries - $ref: '#/components/schemas/policy.ConditionComparisonOperatorEnum' - quantifier: - title: quantifier - description: how matches are aggregated across subject_external_values - $ref: '#/components/schemas/policy.ConditionQuantifierEnum' - caseInsensitive: - title: case_insensitive - description: |- - when set true, comparison is case-insensitive; unset is treated as case-sensitive. Modeled as - BoolValue so an explicit false is distinguishable from unset, leaving room to change the default. - $ref: '#/components/schemas/google.protobuf.BoolValue' title: Condition required: - subjectExternalSelectorValue + - operator additionalProperties: false description: |- *