package com.yahoo.athenz.zts;

import com.yahoo.rdl.Schema;
import com.yahoo.rdl.SchemaBuilder;

/* loaded from: input_file:com/yahoo/athenz/zts/ZTSSchema.class */
public class ZTSSchema {
    /** The single ZTS RDL schema, built once by {@link #build()} when this class is initialized. */
    private static final Schema INSTANCE = build();

    /**
     * Returns the process-wide ZTS RDL {@link Schema}.
     *
     * <p>The schema is assembled once by {@code build()} when this class is
     * initialized (see the {@code INSTANCE} field); every call hands back that
     * same object.
     *
     * @return the singleton ZTS schema
     */
    public static Schema instance() {
        final Schema schema = INSTANCE;
        return schema;
    }

    private static Schema build() {
        SchemaBuilder schemaBuilder = new SchemaBuilder("ZTS");
        schemaBuilder.version(1);
        schemaBuilder.namespace("com.yahoo.athenz.zts");
        schemaBuilder.comment("Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache version 2.0 license. See LICENSE file for terms. The Authorization Token Service (ZTS) API");
        schemaBuilder.stringType("SimpleName").comment("Copyright 2016 Yahoo Inc. Licensed under the terms of the Apache version 2.0 license. See LICENSE file for terms. Common name types used by several API definitions A simple identifier, an element of compound name.").pattern("[a-zA-Z0-9_][a-zA-Z0-9_-]*");
        schemaBuilder.stringType("CompoundName").comment("A compound name. Most names in this API are compound names.").pattern("([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*");
        schemaBuilder.stringType("DomainName").comment("A domain name is the general qualifier prefix, as its uniqueness is managed.").pattern("([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*");
        schemaBuilder.stringType("EntityName").comment("An entity name is a short form of a resource name, including only the domain and entity.").pattern("([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*");
        schemaBuilder.stringType("EntityList").comment("An Entity list is comma separated compound Names").pattern("(([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*,)*([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*");
        schemaBuilder.stringType("ServiceName").comment("A service name will generally be a unique subdomain.").pattern("([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*");
        schemaBuilder.stringType("ActionName").comment("An action (operation) name.").pattern("([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*");
        schemaBuilder.stringType("ResourceName").comment("A resource name Note that the EntityName part is optional, that is, a domain name followed by a colon is valid resource name.").pattern("([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*(:([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*)?");
        schemaBuilder.stringType("YBase64").comment("The Y-specific URL-safe Base64 variant.").pattern("[a-zA-Z0-9\\._-]+");
        schemaBuilder.stringType("YEncoded").comment("YEncoded includes ybase64 chars, as well as = and %. This can represent a user cookie and URL-encoded values.").pattern("[a-zA-Z0-9\\._%=-]*");
        schemaBuilder.stringType("AuthorityName").comment("Used as the prefix in a signed assertion. This uniquely identifies a signing authority.").pattern("([a-zA-Z0-9_][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9_][a-zA-Z0-9_-]*");
        schemaBuilder.stringType("SignedToken").comment("A signed assertion if identity. i.e. the user cookie value. This token will only make sense to the authority that generated it, so it is beneficial to have something in the value that is cheaply recognized to quickly reject if it belongs to another authority. In addition to the YEncoded set our token includes ; to separate components and , to separate roles").pattern("[a-zA-Z0-9\\._%=;,-]*");
        schemaBuilder.stringType("PathElement").comment("A uri-safe path element").pattern("[a-zA-Z0-9-\\._~=+@$,:]*");
        schemaBuilder.enumType("CertType").comment("CertType denotes various types of certs issued by Athenz").element("X509").element("SSH_HOST").element("SSH_USER");
        schemaBuilder.structType("ResourceAccess").comment("ResourceAccess can be checked and returned as this resource. (same as ZMS.Access)").field("granted", "Bool", false, "true (allowed) or false (denied)");
        schemaBuilder.structType("PublicKeyEntry").comment("The representation of the public key in a service identity object.").field("key", "String", false, "the public key for the service").field("id", "String", false, "the key identifier (version or zone name)");
        schemaBuilder.structType("ServiceIdentity").comment("The representation of the service identity object.").field("name", "ServiceName", false, "the full name of the service, i.e. \"sports.storage\"").arrayField("publicKeys", "PublicKeyEntry", true, "array of public keys for key rotation").field("providerEndpoint", "String", true, "if present, then this service can provision tenants via this endpoint.").field("modified", "Timestamp", true, "the timestamp when this entry was last modified").field("executable", "String", true, "the path of the executable that runs the service").arrayField("hosts", "String", true, "list of host names that this service can run on").field("user", "String", true, "local (unix) user name this service can run as").field("group", "String", true, "local (unix) group name this service can run as");
        schemaBuilder.structType("ServiceIdentityList").comment("The representation for an enumeration of services in the namespace.").arrayField("names", "EntityName", false, "list of service names");
        schemaBuilder.structType("HostServices").comment("The representation for an enumeration of services authorized to run on a specific host.").field("host", "String", false, "name of the host").arrayField("names", "EntityName", false, "list of service names authorized to run on this host");
        schemaBuilder.enumType("AssertionEffect").comment("Every assertion can have the effect of ALLOW or DENY.").element("ALLOW").element("DENY");
        schemaBuilder.structType("Assertion").comment("A representation for the encapsulation of an action to be performed on a resource by a principal.").field("role", "String", false, "the subject of the assertion, a role").field("resource", "String", false, "the object of the assertion. Must be in the local namespace. Can contain wildcards").field("action", "String", false, "the predicate of the assertion. Can contain wildcards").field("effect", "AssertionEffect", true, "the effect of the assertion in the policy language", AssertionEffect.ALLOW).field("id", "Int64", true, "assertion id - auto generated by server").field("caseSensitive", "Bool", true, "If true, we should store action and resource in their original case");
        schemaBuilder.structType("Policy").comment("The representation for a Policy with set of assertions.").field("name", "ResourceName", false, "name of the policy").field("modified", "Timestamp", true, "last modification timestamp of this policy").arrayField("assertions", "Assertion", false, "list of defined assertions for this policy").field("caseSensitive", "Bool", true, "If true, we should store action and resource in their original case").field("version", "SimpleName", true, "optional version string, defaults to 0").field("active", "Bool", true, "if multi-version policy then indicates active version");
        schemaBuilder.structType("PolicyData").field("domain", "DomainName", false, "name of the domain").arrayField("policies", "Policy", false, "list of policies defined in this server");
        schemaBuilder.structType("SignedPolicyData").comment("A representation of policies object defined in a given server.").field("policyData", "PolicyData", false, "list of policies defined in a domain").field("zmsSignature", "String", true, "zms signature generated based on the domain policies object").field("zmsKeyId", "String", true, "the identifier of the zms key used to generate the signature").field("modified", "Timestamp", false, "when the domain itself was last modified").field("expires", "Timestamp", false, "timestamp specifying the expiration time for using this set of policies");
        schemaBuilder.structType("DomainSignedPolicyData").comment("A signed bulk transfer of policies. The data is signed with server's private key.").field("signedPolicyData", "SignedPolicyData", false, "policy data signed by ZMS").field("signature", "String", false, "signature generated based on the domain policies object").field("keyId", "String", false, "the identifier of the key used to generate the signature");
        schemaBuilder.structType("JWSPolicyData").comment("SignedPolicyData using flattened JWS JSON Serialization syntax. https://tools.ietf.org/html/rfc7515#section-7.2.2").field("payload", "String", false, "").field("protected", "String", false, "").mapField("header", "String", "String", false, "").field("signature", "String", false, "");
        schemaBuilder.structType("SignedPolicyRequest").mapField("policyVersions", "String", "String", false, "").field("signatureP1363Format", "Bool", false, "true if signature must be in P1363 format instead of ASN.1 DER");
        schemaBuilder.structType("RoleCertificate").comment("Copyright Athenz Authors Licensed under the terms of the Apache version 2.0 license. See LICENSE file for terms. RoleCertificate - a role certificate").field("x509Certificate", "String", false, "");
        schemaBuilder.structType("RoleCertificateRequest").comment("RoleCertificateRequest - a certificate signing request. By including the optional previous Certificate NotBefore and NotAfter dates would all the server to correctly prioritize this request in case the certificate signer is under heavy load and it can't sign all submitted requests from the Athenz Server.").field("csr", "String", false, "role certificate singing request").field("proxyForPrincipal", "EntityName", true, "this request is proxy for this principal").field("expiryTime", "Int64", false, "request an expiry time for the role certificate").field("prevCertNotBefore", "Timestamp", true, "previous role certificate not before date").field("prevCertNotAfter", "Timestamp", true, "previous role certificate not after date");
        schemaBuilder.structType("RoleAccess").arrayField("roles", "EntityName", false, "");
        schemaBuilder.structType("RoleToken").comment("A representation of a signed RoleToken").field("token", "String", false, "").field("expiryTime", "Int64", false, "");
        schemaBuilder.structType("Access").comment("Access can be checked and returned as this resource.").field("granted", "Bool", false, "true (allowed) or false (denied)");
        schemaBuilder.structType("TenantDomains").arrayField("tenantDomainNames", "DomainName", false, "");
        schemaBuilder.structType("Identity").comment("Identity - a signed assertion of service or human identity, the response could be either a client certificate or just a regular NToken (depending if the request contained a csr or not).").field("name", "CompoundName", false, "name of the identity, fully qualified, i.e. my.domain.service1, or aws.1232321321312.myusername").field("certificate", "String", true, "a certificate usable for both client and server in TLS connections").field("caCertBundle", "String", true, "the CA certificate chain to use with all IMS-generated certs").field("sshCertificate", "String", true, "the SSH certificate, signed by the CA (user or host)").field("sshCertificateSigner", "String", true, "the SSH CA's public key for the sshCertificate (user or host)").field("serviceToken", "SignedToken", true, "service token instead of TLS certificate").mapField("attributes", "String", "String", true, "other config-like attributes determined at boot time");
        schemaBuilder.structType("InstanceRefreshRequest").comment("InstanceRefreshRequest - a certificate refresh request").field("csr", "String", false, "Cert CSR signed by the service's private key (public key registered in ZMS)").field("expiryTime", "Int32", true, "in minutes how long token should be valid for").field("keyId", "String", true, "public key identifier");
        schemaBuilder.stringType("AWSRoleName").comment("AWS role name without the path").pattern("[a-zA-Z0-9-\\._=+@,]*");
        schemaBuilder.stringType("AWSRolePathElement").comment("AWS role path single element").pattern("[a-zA-Z0-9][a-zA-Z0-9-\\._]*");
        schemaBuilder.stringType("AWSRolePath").comment("AWS role path").pattern("([a-zA-Z0-9][a-zA-Z0-9-\\._]*/)+");
        schemaBuilder.stringType("AWSArnRoleName").comment("AWS full role name with path").pattern("(([a-zA-Z0-9][a-zA-Z0-9-\\._]*/)+)*[a-zA-Z0-9-\\._=+@,]*");
        schemaBuilder.structType("AWSTemporaryCredentials").field("accessKeyId", "String", false, "").field("secretAccessKey", "String", false, "").field("sessionToken", "String", false, "").field("expiration", "Timestamp", false, "");
        schemaBuilder.structType("SSHCertRequestData").arrayField("principals", "String", false, "principals in the ssh certificate (usually only one)").arrayField("sources", "String", true, "source FQDNs or ip addresses").arrayField("destinations", "String", true, "destination FQDNs or ip addresses").field("publicKey", "String", true, "public key for ssh certificate").field("touchPublicKey", "String", true, "yubikey/touch public key for ssh certificate").field("caPubKeyAlgo", "Int32", true, "CA public key algorithm: 0: Unknown, 1: RSA, 3: ECDSA").field("command", "String", true, "optional force command option for certificate");
        schemaBuilder.structType("SSHCertRequestMeta").field("requestor", "String", false, "requesting user").field("origin", "String", false, "origin FQDN or ip").field("clientInfo", "String", true, "client info").field("sshClientVersion", "String", true, "ssh client version").field("certType", "String", false, "cert type - user or host").arrayField("keyIdPrincipals", "String", true, "principals included in the keyId field in the certificate").field("athenzService", "EntityName", true, "ssh host cert request is for this athenz service").field("instanceId", "PathElement", true, "ssh host cert request is for this instance id").field("prevCertValidFrom", "Timestamp", true, "previous ssh certificate validity from date").field("prevCertValidTo", "Timestamp", true, "previous ssh certificate validity to date").field("transId", "String", true, "ssh request transaction id");
        schemaBuilder.structType("SSHCertRequest").field("certRequestData", "SSHCertRequestData", false, "ssh certificate request data").field("certRequestMeta", "SSHCertRequestMeta", false, "ssh certificate request meta").field("csr", "String", true, "free-form csr if not using data/meta fields.");
        schemaBuilder.structType("SSHCertificate").field("certificate", "String", false, "the SSH certificate, signed by the CA").field("publicKey", "String", true, "certificate public key if generated by SSH RA").field("privateKey", "String", true, "certificate private key if generated by SSH Agent");
        schemaBuilder.structType("SSHCertificates").arrayField("certificates", "SSHCertificate", false, "set of user ssh certificates").field("certificateSigner", "String", true, "the SSH CA's public key for the sshCertificate (user or host)");
        schemaBuilder.structType("InstanceRegisterInformation").field("provider", "ServiceName", false, "the provider service name (i.e. \"aws.us-west-2\", \"sys.openstack.cluster1\")").field("domain", "DomainName", false, "the domain of the instance").field("service", "SimpleName", false, "the service this instance is supposed to run").field("attestationData", "String", false, "identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.").field("csr", "String", false, "the Certificate Signing Request for the expected X.509 certificate in the response").field("ssh", "String", true, "deprecated - use sshCertRequest, if present, return an SSH host certificate. Format is JSON.").field("sshCertRequest", "SSHCertRequest", true, "if present, return an SSH host certificate").field("token", "Bool", true, "if true, return a service token signed by ZTS for this service").field("expiryTime", "Int32", true, "expiry time in minutes for the certificate (server enforces max expiry)").field("hostname", "DomainName", true, "optional hostname in case included in the csr SAN dnsName attribute").arrayField("hostCnames", "DomainName", true, "optional host CNAMEs included in the csr SAN dnsName attribute");
        schemaBuilder.structType("InstanceRefreshInformation").field("attestationData", "String", true, "identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.").field("csr", "String", true, "the Certificate Signing Request for the expected X.509 certificate in the response").field("ssh", "String", true, "deprecated - use sshCertRequest, if present, return an SSH host certificate. Format is JSON.").field("sshCertRequest", "SSHCertRequest", true, "if present, return an SSH host certificate").field("token", "Bool", true, "if true, return a service token signed by ZTS for this service").field("expiryTime", "Int32", true, "expiry time in minutes for the certificate (server enforces max expiry)").field("hostname", "DomainName", true, "optional hostname in case included in the csr SAN dnsName attribute").arrayField("hostCnames", "DomainName", true, "optional host CNAMEs included in the csr SAN dnsName attribute");
        schemaBuilder.structType("InstanceRegisterToken").field("provider", "ServiceName", false, "provider service name").field("domain", "DomainName", false, "the domain of the instance").field("service", "SimpleName", false, "the service this instance is supposed to run").field("attestationData", "String", false, "identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.").mapField("attributes", "String", "String", true, "additional non-signed attributes that assist in attestation. I.e. \"keyId\", \"accessKey\", etc");
        schemaBuilder.structType("InstanceIdentity").field("provider", "ServiceName", false, "the provider service name (i.e. \"aws.us-west-2\", \"sys.openstack.cluster1\")").field("name", "ServiceName", false, "name of the identity, fully qualified, i.e. my.domain.service1").field("instanceId", "PathElement", false, "unique instance id within provider's namespace").field("x509Certificate", "String", true, "an X.509 certificate usable for both client and server in TLS connections").field("x509CertificateSigner", "String", true, "the CA certificate chain to verify all generated X.509 certs").field("sshCertificate", "String", true, "the SSH certificate, signed by the CA (user or host)").field("sshCertificateSigner", "String", true, "the SSH CA's public key for the sshCertificate (user or host)").field("serviceToken", "SignedToken", true, "service token instead of TLS certificate").mapField("attributes", "String", "String", true, "other config-like attributes determined at boot time");
        schemaBuilder.structType("CertificateAuthorityBundle").field("name", "SimpleName", false, "name of the bundle").field("certs", "String", false, "set of certificates included in the bundle");
        schemaBuilder.enumType("DomainMetricType").comment("zpe metric attributes").element("ACCESS_ALLOWED").element("ACCESS_ALLOWED_DENY").element("ACCESS_ALLOWED_DENY_NO_MATCH").element("ACCESS_ALLOWED_ALLOW").element("ACCESS_ALLOWED_ERROR").element("ACCESS_ALLOWED_TOKEN_INVALID").element("ACCESS_Allowed_TOKEN_EXPIRED").element("ACCESS_ALLOWED_DOMAIN_NOT_FOUND").element("ACCESS_ALLOWED_DOMAIN_MISMATCH").element("ACCESS_ALLOWED_DOMAIN_EXPIRED").element("ACCESS_ALLOWED_DOMAIN_EMPTY").element("ACCESS_ALLOWED_TOKEN_CACHE_FAILURE").element("ACCESS_ALLOWED_TOKEN_CACHE_NOT_FOUND").element("ACCESS_ALLOWED_TOKEN_CACHE_SUCCESS").element("ACCESS_ALLOWED_TOKEN_VALIDATE").element("LOAD_FILE_FAIL").element("LOAD_FILE_GOOD").element("LOAD_DOMAIN_GOOD");
        schemaBuilder.structType("DomainMetric").field("metricType", "DomainMetricType", false, "").field("metricVal", "Int32", false, "");
        schemaBuilder.structType("DomainMetrics").field("domainName", "DomainName", false, "name of the domain the metrics pertain to").arrayField("metricList", "DomainMetric", false, "list of the domains metrics");
        schemaBuilder.structType("Status").comment("The representation for a status object").field("code", "Int32", false, "status message code").field("message", "String", false, "status message of the server");
        schemaBuilder.structType("AccessTokenResponse").field("access_token", "String", false, "access token").field("token_type", "String", false, "token type e.g. Bearer").field("expires_in", "Int32", true, "expiration in seconds").field("scope", "String", true, "scope of the access token e.g. openid").field("refresh_token", "String", true, "refresh token").field("id_token", "String", true, "id token");
        schemaBuilder.structType("JWK").field("kty", "String", false, "key type: EC or RSA").field("kid", "String", false, "identifier").field("alg", "String", true, "key algorithm").field("use", "String", true, "usage: sig or enc").field("crv", "String", true, "ec curve name").field("x", "String", true, "ec x value").field("y", "String", true, "ec y value").field("n", "String", true, "rsa modulus value").field("e", "String", true, "rsa public exponent value");
        schemaBuilder.structType("OpenIDConfig").field("issuer", "String", false, "url using the https scheme").field("authorization_endpoint", "String", false, "oauth 2.0 authorization endpoint url").field("jwks_uri", "String", false, "public server jwk set url").arrayField("response_types_supported", "String", false, "list of supported response types").arrayField("subject_types_supported", "String", false, "list of supported subject identifier types").arrayField("id_token_signing_alg_values_supported", "String", false, "list of supported algorithms for issued id tokens").arrayField("claims_supported", "String", true, "list of supported id claims");
        schemaBuilder.structType("OAuthConfig").field("issuer", "String", false, "url using the https scheme").field("authorization_endpoint", "String", false, "oauth 2.0 authorization endpoint url").field("token_endpoint", "String", false, "authorization server token endpoint").field("jwks_uri", "String", false, "public server jwk set url").arrayField("response_types_supported", "String", false, "list of supported response types").arrayField("grant_types_supported", "String", false, "supported grant types").arrayField("token_endpoint_auth_signing_alg_values_supported", "String", false, "list of supported algorithms for issued access tokens");
        schemaBuilder.structType("JWKList").comment("JSON Web Key (JWK) List").arrayField("keys", "JWK", false, "array of JWKs");
        schemaBuilder.structType("OIDCResponse").field("location", "String", false, "");
        schemaBuilder.structType("Workload").field("domainName", "DomainName", false, "name of the domain, optional for getWorkloadsByService API call").field("serviceName", "EntityName", false, "name of the service, , optional for getWorkloadsByService API call").field("uuid", "String", false, "unique identifier for the workload, usually defined by provider").arrayField("ipAddresses", "String", false, "list of IP addresses associated with the workload, optional for getWorkloadsByIP API call").field("hostname", "String", false, "hostname associated with the workload").field("provider", "String", false, "infrastructure provider e.g. k8s, AWS, Azure, openstack etc.").field("updateTime", "Timestamp", false, "most recent update timestamp in the backend").field("certExpiryTime", "Timestamp", false, "certificate expiry time (ex: getNotAfter)");
        schemaBuilder.structType("Workloads").arrayField("workloadList", "Workload", false, "list of workloads");
        schemaBuilder.enumType("TransportDirection").comment("Copyright The Athenz Authors Licensed under the terms of the Apache version 2.0 license. See LICENSE file for terms.").element("IN").element("OUT");
        schemaBuilder.structType("TransportRule").field("endPoint", "String", false, "source or destination endpoints defined in terms of CIDR notation").field("sourcePortRange", "String", false, "range of port numbers for incoming connections").field("port", "Int32", false, "destination / listener port of the service").field("protocol", "String", false, "protocol of the connection").field("direction", "TransportDirection", false, "transport direction");
        schemaBuilder.structType("TransportRules").arrayField("ingressRules", "TransportRule", false, "").arrayField("egressRules", "TransportRule", false, "");
        schemaBuilder.resource("ResourceAccess", "GET", "/access/{action}/{resource}").comment("Check access for the specified operation on the specified resource for the currently authenticated user. This is the slow centralized access for control-plane purposes. Use distributed mechanisms for decentralized (data-plane) access by fetching signed policies and role tokens for users. With this endpoint the resource is part of the uri and restricted to its strict definition of resource name. If needed, you can use the GetAccessExt api that allows resource name to be less restrictive.").pathParam("action", "ActionName", "action as specified in the policy assertion, i.e. update or read").pathParam("resource", "ResourceName", "the resource to check access against, i.e. \"media.news:articles\"").queryParam("domain", "domain", "DomainName", (Object) null, "usually null. If present, it specifies an alternate domain for cross-domain trust relation").queryParam("principal", "checkPrincipal", "EntityName", (Object) null, "usually null. If present, carry out the access check for this principal").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("ResourceAccess", "GET", "/access/{action}").comment("Check access for the specified operation on the specified resource for the currently authenticated user. This is the slow centralized access for control-plane purposes.").name("GetResourceAccessExt").pathParam("action", "ActionName", "action as specified in the policy assertion, i.e. update or read").queryParam("resource", "resource", "String", (Object) null, "the resource to check access against, i.e. \"media.news:articles\"").queryParam("domain", "domain", "DomainName", (Object) null, "usually null. If present, it specifies an alternate domain for cross-domain trust relation").queryParam("principal", "checkPrincipal", "EntityName", (Object) null, "usually null. If present, carry out the access check for this principal").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("ServiceIdentity", "GET", "/domain/{domainName}/service/{serviceName}").comment("Get info for the specified ServiceIdentity.").pathParam("domainName", "DomainName", "name of the domain").pathParam("serviceName", "ServiceName", "name of the service to be retrieved").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("ServiceIdentityList", "GET", "/domain/{domainName}/service").comment("Enumerate services provisioned in this domain.").pathParam("domainName", "DomainName", "name of the domain").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("PublicKeyEntry", "GET", "/domain/{domainName}/service/{serviceName}/publickey/{keyId}").comment("Retrieve the specified public key from the service.").pathParam("domainName", "DomainName", "name of the domain").pathParam("serviceName", "SimpleName", "name of the service").pathParam("keyId", "String", "the identifier of the public key to be retrieved").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "");
        schemaBuilder.resource("HostServices", "GET", "/host/{host}/services").comment("Enumerate services provisioned on a specific host").pathParam("host", "String", "name of the host").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "");
        schemaBuilder.resource("DomainSignedPolicyData", "GET", "/domain/{domainName}/signed_policy_data").comment("Get a signed policy enumeration from the service, to transfer to a local store. An ETag is generated for the PolicyList that changes when any item in the list changes. If the If-None-Match header is provided, and it matches the ETag that would be returned, then a NOT_MODIFIED response is returned instead of the list.").pathParam("domainName", "DomainName", "name of the domain").headerParam("If-None-Match", "matchingTag", "String", (Object) null, "Retrieved from the previous request, this timestamp specifies to the server to return any policies modified since this time").output("ETag", "tag", "String", "The current latest modification timestamp is returned in this header").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "");
        schemaBuilder.resource("SignedPolicyRequest", "POST", "/domain/{domainName}/policy/signed").comment("Get a signed policy enumeration from the service, to transfer to a local store. An ETag is generated for the PolicyList that changes when any item in the list changes. If the If-None-Match header is provided, and it matches the ETag that would be returned, then a NOT_MODIFIED response is returned instead of the list.").pathParam("domainName", "DomainName", "name of the domain").input("request", "SignedPolicyRequest", "policy version request details").headerParam("If-None-Match", "matchingTag", "String", (Object) null, "Retrieved from the previous request, this timestamp specifies to the server to return any policies modified since this time").output("ETag", "tag", "String", "The current latest modification timestamp is returned in this header").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "");
        schemaBuilder.resource("RoleToken", "GET", "/domain/{domainName}/token").comment("Return a security token for the specific role in the namespace that the principal can assume. If the role is omitted, then all roles in the namespace that the authenticated user can assume are returned. the caller can specify how long the RoleToken should be valid for by specifying the minExpiryTime and maxExpiryTime parameters. The minExpiryTime specifies that the returned RoleToken must be at least valid (min/lower bound) for specified number of seconds, while maxExpiryTime specifies that the RoleToken must be at most valid (max/upper bound) for specified number of seconds. If both values are the same, the server must return a RoleToken for that many seconds. If no values are specified, the server's default RoleToken Timeout value is used.").pathParam("domainName", "DomainName", "name of the domain").queryParam("role", "role", "EntityList", (Object) null, "only interested for a token for these comma separated roles").queryParam("minExpiryTime", "minExpiryTime", "Int32", (Object) null, "in seconds min expiry time").queryParam("maxExpiryTime", "maxExpiryTime", "Int32", (Object) null, "in seconds max expiry time").queryParam("proxyForPrincipal", "proxyForPrincipal", "EntityName", (Object) null, "optional this request is proxy for this principal").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("RoleCertificateRequest", "POST", "/domain/{domainName}/role/{roleName}/token").comment("Return a TLS certificate for the specific role in the namespace that the principal can assume. Role certificates are valid for 30 days by default. This is deprecated and \"POST /rolecert\" api should be used instead.").pathParam("domainName", "DomainName", "name of the domain").pathParam("roleName", "EntityName", "name of role").input("req", "RoleCertificateRequest", "csr request").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("Access", "GET", "/access/domain/{domainName}/role/{roleName}/principal/{principal}").pathParam("domainName", "DomainName", "name of the domain").pathParam("roleName", "EntityName", "name of the role to check access for").pathParam("principal", "EntityName", "carry out the access check for this principal").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("RoleAccess", "GET", "/access/domain/{domainName}/principal/{principal}").pathParam("domainName", "DomainName", "name of the domain").pathParam("principal", "EntityName", "carry out the role access lookup for this principal").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("TenantDomains", "GET", "/providerdomain/{providerDomainName}/user/{userName}").comment("Get list of tenant domains user has access to for specified provider domain and service").pathParam("providerDomainName", "DomainName", "name of the provider domain").pathParam("userName", "EntityName", "name of the user to retrieve tenant domain access for").queryParam("roleName", "roleName", "EntityName", (Object) null, "role name to filter on when looking for the tenants in provider").queryParam("serviceName", "serviceName", "ServiceName", (Object) null, "service name to filter on when looking for the tenants in provider").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("InstanceRefreshRequest", "POST", "/instance/{domain}/{service}/refresh").comment("Refresh Service tokens into TLS Certificate").pathParam("domain", "CompoundName", "name of the domain requesting the refresh").pathParam("service", "SimpleName", "name of the service requesting the refresh").input("req", "InstanceRefreshRequest", "the refresh request").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("INTERNAL_SERVER_ERROR", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("AWSTemporaryCredentials", "GET", "/domain/{domainName}/role/{role}/creds").comment("perform an AWS AssumeRole of the target role and return the credentials. ZTS must have been granted the ability to assume the role in IAM, and granted the ability to assume_aws_role in Athenz for this to succeed.").pathParam("domainName", "DomainName", "name of the domain containing the role, which implies the target account").pathParam("role", "AWSArnRoleName", "the target AWS role name in the domain account, in Athenz terms, i.e. \"the.role\"").queryParam("durationSeconds", "durationSeconds", "Int32", (Object) null, "how long the aws temp creds should be issued for").queryParam("externalId", "externalId", "String", (Object) null, "aws assume role external id").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("InstanceRegisterInformation", "POST", "/instance").comment("Register a new service instance and issue an x.509 service identity certificate once the provider validates the attestation data along with the request attributes. We have an authenticate enabled for this endpoint but in most cases the service owner might need to make it optional by setting the zts servers no_auth_uri list to include this endpoint. We need the authenticate in case the request comes with a client certificate and the provider needs to know who that principal was in the client certificate").input("info", "InstanceRegisterInformation", "").output("Location", "location", "String", "return location for subsequent patch requests").auth("", "", true).expected("CREATED").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("INTERNAL_SERVER_ERROR", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("InstanceRefreshInformation", "POST", "/instance/{provider}/{domain}/{service}/{instanceId}").comment("Refresh the given service instance and issue a new x.509 service identity certificate once the provider validates the attestation data along with the request attributes. only TLS Certificate authentication is allowed").pathParam("provider", "ServiceName", "the provider service name (i.e. \"aws.us-west-2\", \"paas.manhattan.corp-gq1\")").pathParam("domain", "DomainName", "the domain of the instance").pathParam("service", "SimpleName", "the service this instance is supposed to run").pathParam("instanceId", "PathElement", "unique instance id within provider's namespace").input("info", "InstanceRefreshInformation", "the refresh request").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("INTERNAL_SERVER_ERROR", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("InstanceRegisterToken", "GET", "/instance/{provider}/{domain}/{service}/{instanceId}/token").comment("Request a token for the given service to be bootstrapped for the given provider. The caller must have authorization to manage the service in the given domain. The token will be valid for 30 mins for one time use only for the initial registration. The token must be sent back in the register request as the value of the attestationData field in the InstanceRegisterInformation object").pathParam("provider", "ServiceName", "the provider service name (i.e. \"aws.us-west-2\")").pathParam("domain", "DomainName", "the domain of the instance").pathParam("service", "SimpleName", "the service this instance is supposed to run").pathParam("instanceId", "PathElement", "unique instance id within provider's namespace").auth("update", "{domain}:service.{service}").expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("INTERNAL_SERVER_ERROR", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("InstanceIdentity", "DELETE", "/instance/{provider}/{domain}/{service}/{instanceId}").comment("Delete the given service instance certificate record thus blocking any future refresh requests from the given instance for this service There are two possible authorization checks for this endpoint: 1) domain admin: authorize(\"delete\", \"{domain}:instance.{instanceId}\") the authorized user can remove the instance record from the datastore 2) provider itself: if the identity of the caller is the provider itself then the provider is notifying ZTS that the instance was deleted").pathParam("provider", "ServiceName", "the provider service name (i.e. \"aws.us-west-2\", \"paas.manhattan.corp-gq1\")").pathParam("domain", "DomainName", "the domain of the instance").pathParam("service", "SimpleName", "the service this instance is supposed to run").pathParam("instanceId", "PathElement", "unique instance id within provider's namespace").auth("", "", true).expected("NO_CONTENT").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("INTERNAL_SERVER_ERROR", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("CertificateAuthorityBundle", "GET", "/cacerts/{name}").comment("Return the request CA X.509 Certificate bundle").pathParam("name", "SimpleName", "name of the CA cert bundle").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("Status", "GET", "/status").comment("Retrieve the server status").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("SSHCertRequest", "POST", "/sshcert").input("certRequest", "SSHCertRequest", "ssh certificate request").auth("", "", true).expected("CREATED").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("INTERNAL_SERVER_ERROR", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("OpenIDConfig", "GET", "/.well-known/openid-configuration").expected("OK").exception("BAD_REQUEST", "ResourceError", "");
        schemaBuilder.resource("OAuthConfig", "GET", "/.well-known/oauth-authorization-server").expected("OK").exception("BAD_REQUEST", "ResourceError", "");
        schemaBuilder.resource("JWKList", "GET", "/oauth2/keys").queryParam("rfc", "rfc", "Bool", false, "flag to indicate ec curve names are restricted to RFC values").expected("OK").exception("BAD_REQUEST", "ResourceError", "");
        schemaBuilder.resource("AccessTokenRequest", "POST", "/oauth2/token").comment("Fetch OAuth2 Access Token").input("request", "AccessTokenRequest", "token request details include scope").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("OIDCResponse", "GET", "/oauth2/auth").comment("Fetch OAuth OpenID Connect ID Token").queryParam("response_type", "responseType", "String", (Object) null, "response type - currently only supporting id tokens - id_token").queryParam("client_id", "clientId", "ServiceName", (Object) null, "client id - must be valid athenz service identity name").queryParam("redirect_uri", "redirectUri", "String", (Object) null, "redirect uri for the response").queryParam("scope", "scope", "String", (Object) null, "id token scope").queryParam("state", "state", "EntityName", (Object) null, "optional state claim included in the response location header").queryParam("nonce", "nonce", "EntityName", (Object) null, "nonce claim included in the id token").queryParam("keyType", "keyType", "SimpleName", (Object) null, "optional signing key type - RSA or EC. Might be ignored if server doesn't have the requested type configured").output("Location", "location", "String", "return location header with id token").auth("", "", true).expected("FOUND").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("RoleCertificateRequest", "POST", "/rolecert").comment("Return a TLS certificate for a role that the principal can assume. The role arn is in the CN field of the Subject and the principal is in the SAN URI field.").name("PostRoleCertificateRequestExt").input("req", "RoleCertificateRequest", "csr request").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("RoleAccess", "GET", "/role/cert").comment("Fetch all roles that are tagged as requiring role certificates for principal").name("getRolesRequireRoleCert").queryParam("principal", "principal", "EntityName", (Object) null, "If not present, will return roles for the user making the call").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("TOO_MANY_REQUESTS", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("Workloads", "GET", "/domain/{domainName}/service/{serviceName}/workloads").name("getWorkloadsByService").pathParam("domainName", "DomainName", "name of the domain").pathParam("serviceName", "EntityName", "name of the service").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("TOO_MANY_REQUESTS", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("Workloads", "GET", "/workloads/{ip}").name("getWorkloadsByIP").pathParam("ip", "String", "ip address to query").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("TOO_MANY_REQUESTS", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        schemaBuilder.resource("TransportRules", "GET", "/domain/{domainName}/service/{serviceName}/transportRules").pathParam("domainName", "DomainName", "name of the domain").pathParam("serviceName", "EntityName", "name of the service").auth("", "", true).expected("OK").exception("BAD_REQUEST", "ResourceError", "").exception("FORBIDDEN", "ResourceError", "").exception("NOT_FOUND", "ResourceError", "").exception("TOO_MANY_REQUESTS", "ResourceError", "").exception("UNAUTHORIZED", "ResourceError", "");
        return schemaBuilder.build();
    }
}
