// Package v20230301 provides primitives to interact with the openapi HTTP API.
//
// Code generated by github.com/deepmap/oapi-codegen version v1.12.3 DO NOT EDIT.
package v20230301

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"

	"github.com/deepmap/oapi-codegen/pkg/runtime"
	openapi_types "github.com/deepmap/oapi-codegen/pkg/types"
)

// Names of the two security schemes the OpenAPI spec declares ("JWT" and
// "mtls"), suffixed with ".Scopes". oapi-codegen conventionally uses these as
// context keys carrying the scopes an operation requires; nothing in this
// excerpt shows them being read, so treat that as the presumed use.
const (
	JWTScopes  = "JWT.Scopes"
	MtlsScopes = "mtls.Scopes"
)

// Defines values for AcmeAttestationProvisionerAttestationFormats.
//
// Per the AcmeAttestationProvisioner field docs: "apple" adds trust for
// Apple's CAs, "step" adds trust for Yubico's root CA (YubiKey PIV and other
// non-TPM devices that issue attestation certificates), and "tpm" trusts no
// CA by default and therefore requires an explicit attestationRoots bundle.
const (
	Apple AcmeAttestationProvisionerAttestationFormats = "apple"
	Step  AcmeAttestationProvisionerAttestationFormats = "step"
	Tpm   AcmeAttestationProvisionerAttestationFormats = "tpm"
)

// Defines values for AcmeProvisionerChallenges.
//
// The ACME challenge types an AcmeProvisioner may allow. The list configured
// on a provisioner restricts which proofs of control the CA will accept, so
// keep it to the challenge types the deployment actually needs.
const (
	Dns01     AcmeProvisionerChallenges = "dns-01"
	Http01    AcmeProvisionerChallenges = "http-01"
	TlsAlpn01 AcmeProvisionerChallenges = "tls-alpn-01"
)

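// Defines values for AuthorityType.
//
// "managed" does not appear in NewAuthorityType, so it is presumably a type
// that can only be read back from an existing Authority rather than requested
// at creation time — confirm against the server before relying on that.
const (
	AuthorityTypeAdvanced AuthorityType = "advanced"
	AuthorityTypeDevops   AuthorityType = "devops"
	AuthorityTypeManaged  AuthorityType = "managed"
)
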
// Defines values for EndpointCertificateInfoType.
//
// Selects the kind of certificate an EndpointCertificateInfo manages: an SSH
// host certificate, an SSH user certificate, or an X.509 certificate. The
// ManagedEndpoint docs require the certificate data supplied for an endpoint
// to match this type.
const (
	EndpointCertificateInfoTypeSSHHOST EndpointCertificateInfoType = "SSH_HOST"
	EndpointCertificateInfoTypeSSHUSER EndpointCertificateInfoType = "SSH_USER"
	EndpointCertificateInfoTypeX509    EndpointCertificateInfoType = "X509"
)

// Defines values for EndpointConfigurationKind.
//
// The kind of endpoint an EndpointConfiguration applies to. This excerpt does
// not show any behaviour keyed on the kind beyond labelling.
const (
	DEVICE   EndpointConfigurationKind = "DEVICE"
	PEOPLE   EndpointConfigurationKind = "PEOPLE"
	WORKLOAD EndpointConfigurationKind = "WORKLOAD"
)

// Defines values for EndpointKeyInfoFormat.
//
// On-disk encoding of the endpoint's private key. Per the EndpointKeyInfo
// docs, DEFAULT resolves to SEC 1 for ECDSA keys, PKCS#1 for RSA keys and
// PKCS#8 for ED25519 keys when the certificate is X509, and always to OPENSSH
// for SSH keys.
const (
	EndpointKeyInfoFormatDEFAULT EndpointKeyInfoFormat = "DEFAULT"
	EndpointKeyInfoFormatDER     EndpointKeyInfoFormat = "DER"
	EndpointKeyInfoFormatOPENSSH EndpointKeyInfoFormat = "OPENSSH"
	EndpointKeyInfoFormatPKCS8   EndpointKeyInfoFormat = "PKCS8"
)

// Defines values for EndpointKeyInfoType.
//
// Key algorithm and size generated for a managed endpoint. Per the
// EndpointKeyInfo docs the current DEFAULT is ECDSA_P256. RSA_2048 is the
// smallest key on offer; prefer the ECDSA or ED25519 types unless a relying
// party specifically requires RSA.
const (
	EndpointKeyInfoTypeDEFAULT   EndpointKeyInfoType = "DEFAULT"
	EndpointKeyInfoTypeECDSAP256 EndpointKeyInfoType = "ECDSA_P256"
	EndpointKeyInfoTypeECDSAP384 EndpointKeyInfoType = "ECDSA_P384"
	EndpointKeyInfoTypeECDSAP521 EndpointKeyInfoType = "ECDSA_P521"
	EndpointKeyInfoTypeED25519   EndpointKeyInfoType = "ED25519"
	EndpointKeyInfoTypeRSA2048   EndpointKeyInfoType = "RSA_2048"
	EndpointKeyInfoTypeRSA3072   EndpointKeyInfoType = "RSA_3072"
	EndpointKeyInfoTypeRSA4096   EndpointKeyInfoType = "RSA_4096"
)

// Defines values for EndpointReloadInfoMethod.
//
// How the agent makes a workload pick up a renewed certificate; see
// EndpointReloadInfo for the meaning of each value and the fields SIGNAL
// requires.
const (
	AUTOMATIC EndpointReloadInfoMethod = "AUTOMATIC"
	CUSTOM    EndpointReloadInfoMethod = "CUSTOM"
	SIGNAL    EndpointReloadInfoMethod = "SIGNAL"
)

// Defines values for NewAuthorityType.
//
// Only "advanced" and "devops" authorities can be requested through
// NewAuthority; the "managed" value of AuthorityType has no counterpart here.
const (
	NewAuthorityTypeAdvanced NewAuthorityType = "advanced"
	NewAuthorityTypeDevops   NewAuthorityType = "devops"
)

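// Defines values for ProvisionerType.
//
// Each value selects which of the provisioner payloads in this package
// (AcmeProvisioner, AcmeAttestationProvisioner, AwsProvisioner, ...) a
// Provisioner carries. The cloud types (AWS, AZURE, GCP) authenticate with
// instance identity documents or managed-identity tokens; JWK and X5C with
// key material; OIDC with an identity provider's ID tokens.
const (
	ACME            ProvisionerType = "ACME"
	ACMEATTESTATION ProvisionerType = "ACME_ATTESTATION"
	AWS             ProvisionerType = "AWS"
	AZURE           ProvisionerType = "AZURE"
	GCP             ProvisionerType = "GCP"
	JWK             ProvisionerType = "JWK"
	OIDC            ProvisionerType = "OIDC"
	X5C             ProvisionerType = "X5C"
)
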
// Defines values for ProvisionerWebhookCertType.
//
// Which certificate types a provisioner webhook is invoked for: SSH only,
// X.509 only, or both (ALL).
const (
	ProvisionerWebhookCertTypeALL  ProvisionerWebhookCertType = "ALL"
	ProvisionerWebhookCertTypeSSH  ProvisionerWebhookCertType = "SSH"
	ProvisionerWebhookCertTypeX509 ProvisionerWebhookCertType = "X509"
)

// Defines values for ProvisionerWebhookKind.
//
// ENRICHING is the only webhook kind this API version defines.
const (
	ENRICHING ProvisionerWebhookKind = "ENRICHING"
)

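// Defines values for ProvisionerWebhookServerType.
//
// EXTERNAL webhook servers are operated outside Smallstep and may carry
// BasicAuth credentials; hosted servers may not (see BasicAuth).
const (
	EXTERNAL          ProvisionerWebhookServerType = "EXTERNAL"
	HOSTEDATTESTATION ProvisionerWebhookServerType = "HOSTED_ATTESTATION"
)
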
// Defines values for X509IssuerKeyVersion.
//
// Each value names the issuer key type, key size or curve, and signature hash
// (EC_SIGN_<curve>_<hash>, RSA_SIGN_<padding>_<bits>_<hash>). Two RSA padding
// schemes are offered: PKCS1 (PKCS#1 v1.5) and PSS. The PSS variants are the
// generally preferred choice where every relying party supports them; this
// excerpt does not say which value applies when none is given.
const (
	ECSIGNP256SHA256       X509IssuerKeyVersion = "EC_SIGN_P256_SHA256"
	ECSIGNP384SHA384       X509IssuerKeyVersion = "EC_SIGN_P384_SHA384"
	RSASIGNPKCS12048SHA256 X509IssuerKeyVersion = "RSA_SIGN_PKCS1_2048_SHA256"
	RSASIGNPKCS13072SHA256 X509IssuerKeyVersion = "RSA_SIGN_PKCS1_3072_SHA256"
	RSASIGNPKCS14096SHA256 X509IssuerKeyVersion = "RSA_SIGN_PKCS1_4096_SHA256"
	RSASIGNPKCS14096SHA512 X509IssuerKeyVersion = "RSA_SIGN_PKCS1_4096_SHA512"
	RSASIGNPSS2048SHA256   X509IssuerKeyVersion = "RSA_SIGN_PSS_2048_SHA256"
	RSASIGNPSS3072SHA256   X509IssuerKeyVersion = "RSA_SIGN_PSS_3072_SHA256"
	RSASIGNPSS4096SHA256   X509IssuerKeyVersion = "RSA_SIGN_PSS_4096_SHA256"
	RSASIGNPSS4096SHA512   X509IssuerKeyVersion = "RSA_SIGN_PSS_4096_SHA512"
)

// Defines values for PostAuthJSONBodyAudience.
//
// The only audience value the auth endpoint's JSON body accepts in this API
// version; the token it yields is presumably scoped to the step agent.
const (
	StepAgent PostAuthJSONBodyAudience = "step-agent"
)

// AcmeAttestationProvisioner A [provisioner](https://smallstep.com/docs/step-ca/provisioners/#acme) that enables automation with the [device-attest-01 challenge of the ACME protocol](https://smallstep.com/blog/acme-managed-device-attestation-explained/).
type AcmeAttestationProvisioner struct {
	// AttestationFormats The allowed attestation formats for the device-attest-01 challenge. Valid values are `apple`, `step`, and `tpm`. The apple format is for Apple devices, and adds trust for Apple's CAs. The step format is for non-TPM devices that can issue attestation certificates, such as YubiKey PIV. It adds trust for Yubico's root CA. The tpm format is for TPMs and does not trust any CAs by default.
	AttestationFormats []AcmeAttestationProvisionerAttestationFormats `json:"attestationFormats"`

	// AttestationRoots A trust bundle of root certificates in PEM format that will be used to verify attestation certificates. The default value depends on the value of attestationFormats. If provided, this PEM bundle will override the CA trust established by setting attestationFormats to apple or step. At least one root certificate is required when using the tpm attestationFormat.
	// Note that a supplied bundle replaces, rather than extends, the built-in
	// apple/step trust, so a bundle intended for tpm devices must also include
	// the vendor roots if apple or step devices are still expected to enrol.
	AttestationRoots *[]string `json:"attestationRoots,omitempty"`

	// ForceCN Force one of the SANs to become the Common Name, if a Common Name is not provided.
	ForceCN *bool `json:"forceCN,omitempty"`

	// RequireEAB Only ACME clients that have been preconfigured with valid EAB credentials will be able to create an account with this provisioner.
	// NOTE(review): this is optional here, whereas AcmeProvisioner.RequireEAB
	// is a required field that must be true; the server default when this is
	// left nil is not visible in this file — confirm before assuming EAB is on.
	RequireEAB *bool `json:"requireEAB,omitempty"`
}

// AcmeAttestationProvisionerAttestationFormats defines model for AcmeAttestationProvisioner.AttestationFormats.
// Known values are the Apple, Step and Tpm constants declared above.
type AcmeAttestationProvisionerAttestationFormats string

// AcmeProvisioner A [provisioner](https://smallstep.com/docs/step-ca/provisioners/#acme) that enables automation with the [ACME protocol](https://smallstep.com/docs/step-ca/acme-basics/#acme-challenges).
type AcmeProvisioner struct {
	// Challenges Which ACME challenge types are allowed.
	// Restricting this list limits the ways a client may prove control of an
	// identifier; see the AcmeProvisionerChallenges constants.
	Challenges []AcmeProvisionerChallenges `json:"challenges"`

	// ForceCN Force one of the SANs to become the Common Name, if a Common Name is not provided.
	ForceCN *bool `json:"forceCN,omitempty"`

	// RequireEAB Only ACME clients that have been preconfigured with valid EAB credentials will be able to create an account with this provisioner. Must be `true` for all new provisioners.
	// Unlike AcmeAttestationProvisioner.RequireEAB this field is not optional,
	// so a zero-value struct serializes as `"requireEAB":false` and would be
	// rejected for a new provisioner per the rule above.
	RequireEAB bool `json:"requireEAB"`
}

// AcmeProvisionerChallenges defines model for AcmeProvisioner.Challenges.
// Known values are the Dns01, Http01 and TlsAlpn01 constants declared above.
type AcmeProvisionerChallenges string

// AgentConfiguration The agent configuration describes the attestation authority used by the agent to grant workload certificates. This object is experimental and subject to change.
//
// Together the AuthorityID and Provisioner fields name where the agent's own
// certificates come from; AttestationSlug names the attestation authority it
// proves its hardware identity to.
type AgentConfiguration struct {
	// AttestationSlug The slug of the attestation authority the agent connects to to get a certificate.
	AttestationSlug *string `json:"attestationSlug,omitempty"`

	// AuthorityID UUID identifying the authority the agent uses to generate endpoint certificates.
	AuthorityID string `json:"authorityID"`

	// Id A UUID identifying this agent configuration. Read only.
	Id *string `json:"id,omitempty"`

	// Name The name of this agent configuration.
	Name string `json:"name"`

	// Provisioner The name of the provisioner on the authority the agent uses to generate endpoint certificates.
	Provisioner string `json:"provisioner"`
}

// AttestationAuthority An attestation authority used with the device-attest-01 ACME challenge to verify a device's hardware identity. This object is experimental and subject to change.
//
// AttestorRoots/AttestorIntermediates describe the trust the authority places
// in device-issued attestation certificates; Root is the authority's own
// server-generated root and is what an ACME_ATTESTATION provisioner should
// pin. Where the authority's private key lives is not visible in this file.
type AttestationAuthority struct {
	// AttestorIntermediates The pem-encoded list of intermediate certificates used to build a chain of trust to verify the attestation certificates submitted by devices.
	AttestorIntermediates *string `json:"attestorIntermediates,omitempty"`

	// AttestorRoots The pem-encoded list of certificates used to verify the attestation certificates submitted by devices.
	// Required: every device attestation is ultimately checked against this bundle.
	AttestorRoots string `json:"attestorRoots"`

	// Catalog The slug of a collection that holds the list of devices belonging to the team.
	Catalog string `json:"catalog"`

	// CreatedAt Timestamp in RFC3339 format when the attestation authority was created.
	CreatedAt *time.Time `json:"createdAt,omitempty"`

	// Id A UUID identifying this attestation authority. Read only.
	Id *string `json:"id,omitempty"`

	// Name The name of the attestation authority.
	Name string `json:"name"`

	// Root The pem-encoded root certificate of this attestation authority. This is generated server-side when the attestation authority is created. This certificate should be used in the `attestationRoots` field of an ACME_ATTESTATION provisioner with the `tpm` format.
	Root *string `json:"root,omitempty"`

	// Slug A short name for this attestation authority. Read only.
	Slug *string `json:"slug,omitempty"`
}

// Authority An X509 authority hosted by Smallstep.
//
// NOTE(review): this listing carries an "Id" doc comment but no Id field; the
// field appears to have been lost in the copy shown here — confirm against the
// generated source.
type Authority struct {
	// ActiveRevocation Whether CRL and OCSP are enabled (advanced authorities only).
	ActiveRevocation *bool `json:"activeRevocation,omitempty"`

	// AdminEmails Users that have admin access to manage the authority.
	AdminEmails *[]string `json:"adminEmails,omitempty"`

	// CreatedAt Timestamp when the authority was created.
	CreatedAt time.Time `json:"createdAt"`

	// Domain The domain where the authority can be reached.
	Domain string `json:"domain"`

	// Fingerprint The SHA-256 digest of the authority's root certificate in hex format.
	// Suitable for pinning or bootstrapping trust in the root out of band.
	Fingerprint *string `json:"fingerprint,omitempty"`

	// Name The name of the authority.
	Name string `json:"name"`

	// Type One of the available authority types
	Type AuthorityType `json:"type"`
}

// AuthorityCsr A certificate signing request for an X509 advanced authority with an external root.
//
// The CSR is for the authority's intermediate issuer; the operator signs it
// with a root held outside Smallstep and returns the resulting certificate
// (that step is not part of this excerpt).
type AuthorityCsr struct {
	// AuthorityID A UUID identifying the authority.
	AuthorityID string `json:"authorityID"`

	// Csr A certificate signing request for the authority's intermediate issuer in pem format.
	Csr string `json:"csr"`

	// Id A UUID identifying this CSR record.
	Id string `json:"id"`
}

// AuthorityType One of the available authority types.
// Known values are the AuthorityType* constants declared above.
type AuthorityType string

// AwsProvisioner The [AWS provisioner](https://smallstep.com/docs/step-ca/provisioners/#aws) grants a certificate to an Amazon EC2 instance using the Instance Identity Document.
//
// The defaults lean permissive: custom SANs are accepted unless
// DisableCustomSANs is set, and the one-certificate-per-instance limit is in
// force unless DisableTrustOnFirstUse is set. InstanceAge is the main lever
// for limiting how long a leaked identity document stays useful.
type AwsProvisioner struct {
	// Accounts The list of AWS account IDs that are allowed to use this provisioner.
	Accounts []string `json:"accounts"`

	// DisableCustomSANs By default custom SANs are valid, but if this option is set to `true` only the SANs available in the instance identity document will be valid. These are the private IP and the DNS ip-<private-ip>.<region>.compute.internal.
	DisableCustomSANs *bool `json:"disableCustomSANs,omitempty"`

	// DisableTrustOnFirstUse By default only one certificate will be granted per instance, but if the option is set to `true` this limit is not set and different tokens can be used to get different certificates.
	// Setting this to true removes the replay protection the default provides.
	DisableTrustOnFirstUse *bool `json:"disableTrustOnFirstUse,omitempty"`

	// InstanceAge The maximum age of an instance that should be allowed to obtain a certificate. Limits certificate issuance to new instances to mitigate the risk of credential-misuse from instances that don't need a certificate. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	InstanceAge *string `json:"instanceAge,omitempty"`
}

// AzureProvisioner The [Azure provisioner](https://smallstep.com/docs/step-ca/provisioners/#azure) grants certificates to Microsoft Azure instances using the managed identities tokens.
//
// TenantID and ResourceGroups are the allowlist; Audience is the expected
// token audience. As with the AWS provisioner the defaults accept custom SANs
// and enforce one certificate per instance.
type AzureProvisioner struct {
	// Audience Defaults to https://management.azure.com/ but it can be changed if necessary.
	Audience *string `json:"audience,omitempty"`

	// DisableCustomSANs By default custom SANs are valid, but if this option is set to `true` only the SANs available in the token will be valid, in Azure only the virtual machine name is available.
	DisableCustomSANs *bool `json:"disableCustomSANs,omitempty"`

	// DisableTrustOnFirstUse By default only one certificate will be granted per instance, but if the option is set to true this limit is not set and different tokens can be used to get different certificates.
	// Setting this to true removes the replay protection the default provides.
	DisableTrustOnFirstUse *bool `json:"disableTrustOnFirstUse,omitempty"`

	// ResourceGroups The list of resource group names that are allowed to use this provisioner.
	ResourceGroups []string `json:"resourceGroups"`

	// TenantID The Azure account tenant ID for this provisioner. This ID is the Directory ID available in the Azure Active Directory properties.
	TenantID string `json:"tenantID"`
}

// BasicAuth Configures provisioner webhook requests to include an Authorization header with these credentials. Optional for `EXTERNAL` webhook servers; not allowed with hosted webhook servers. At most one of `bearerToken` and `basicAuth` may be set.
//
// Both fields are required and travel in plain text in the JSON body, so the
// password is only as protected as the channel and storage this struct passes
// through; avoid logging serialized webhook configurations. The `bearerToken`
// alternative belongs to the enclosing webhook model, which is not shown here.
type BasicAuth struct {
	// Password The password sent in the Authorization header.
	Password string `json:"password"`
	// Username The username sent in the Authorization header.
	Username string `json:"username"`
}

// Collection A collection of instances.
//
// A collection is addressed by Slug; SchemaURI, when set, is the schema every
// CollectionInstance.Data in it is expected to conform to (how strictly that
// is enforced is not visible in this file).
type Collection struct {
	// CreatedAt Timestamp in RFC3339 format when the collection was created.
	CreatedAt time.Time `json:"createdAt"`

	// DisplayName A user-friendly name for the collection.
	DisplayName string `json:"displayName"`

	// InstanceCount The number of instances in the collection.
	InstanceCount int `json:"instanceCount"`

	// SchemaURI Reference to a schema that all instances in the collection must conform to.
	SchemaURI *string `json:"schemaURI,omitempty"`

	// Slug A lowercase name identifying the collection.
	Slug string `json:"slug"`

	// UpdatedAt Timestamp in RFC3339 format when the collection was last updated.
	UpdatedAt time.Time `json:"updatedAt"`
}

// CollectionInstance An instance in a collection.
type CollectionInstance struct {
	// CreatedAt Timestamp in RFC3339 format when the instance was added to the collection.
	CreatedAt time.Time `json:"createdAt"`

	// Data Arbitrary JSON payload of the instance (decoded into interface{}).
	// Presumably constrained by the owning Collection's SchemaURI; callers
	// should still validate it before use.
	Data interface{} `json:"data"`
	// Id Identifier of the instance within the collection.
	Id   string      `json:"id"`

	// UpdatedAt Timestamp in RFC3339 format when the instance was last changed.
	UpdatedAt time.Time `json:"updatedAt"`
}

// DistinguishedName Name used in x509 certificates.
//
// Every attribute is optional; unset attributes are omitted from the JSON.
// SerialNumber is presumably the subject's serialNumber attribute rather than
// the certificate serial — confirm before using it for anything security
// relevant.
type DistinguishedName struct {
	CommonName         *string `json:"commonName,omitempty"`
	Country            *string `json:"country,omitempty"`
	EmailAddress       *string `json:"emailAddress,omitempty"`
	Locality           *string `json:"locality,omitempty"`
	Organization       *string `json:"organization,omitempty"`
	OrganizationalUnit *string `json:"organizationalUnit,omitempty"`
	PostalCode         *string `json:"postalCode,omitempty"`
	Province           *string `json:"province,omitempty"`
	SerialNumber       *string `json:"serialNumber,omitempty"`
	StreetAddress      *string `json:"streetAddress,omitempty"`
}

// Email Email is a subresource of an SSH User.
//
// Primary marks the address used as the user's main identity; which of a
// user's addresses end up as certificate principals is documented on Group.
type Email struct {
	Email   *string `json:"email,omitempty"`
	Primary *bool   `json:"primary,omitempty"`
}

// EndpointCertificateInfo Details on a managed certificate.
//
// CrtFile, KeyFile and RootFile are written on the managed host; Mode, Uid
// and Gid control their ownership and permissions.
type EndpointCertificateInfo struct {
	// CrtFile The filepath where the certificate is to be stored.
	CrtFile *string `json:"crtFile,omitempty"`

	// Duration The certificate lifetime. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	Duration *string `json:"duration,omitempty"`

	// Gid GID of the files where the certificate is stored.
	Gid *int `json:"gid,omitempty"`

	// KeyFile The filepath where the key is to be stored.
	// This holds the private key; it deserves the most restrictive permissions.
	KeyFile *string `json:"keyFile,omitempty"`

	// Mode Permission bits of the files where the certificate is stored.
	// NOTE(review): the description names the certificate files only; whether
	// the same mode is applied to KeyFile, or the key gets its own tighter
	// default, is not stated here — confirm before relying on it.
	Mode *int `json:"mode,omitempty"`

	// RootFile The filepath where the root certificate is to be stored.
	RootFile *string `json:"rootFile,omitempty"`

	// Type The kind of certificate (SSH host, SSH user or X509); see EndpointCertificateInfoType.
	Type EndpointCertificateInfoType `json:"type"`

	// Uid UID of the files where the certificate is stored.
	Uid *int `json:"uid,omitempty"`
}

// EndpointCertificateInfoType The type of certificate.
// Known values are the EndpointCertificateInfoType* constants declared above.
type EndpointCertificateInfoType string

// EndpointConfiguration Configuration for a managed endpoint. This object is experimental and subject to change.
//
// Hooks are commands executed on the managed host, so the ability to write an
// EndpointConfiguration is effectively the ability to run commands there;
// treat it as privileged configuration.
type EndpointConfiguration struct {
	// AuthorityID UUID identifying the authority that will issue certificates for the endpoint.
	AuthorityID string `json:"authorityID"`

	// CertificateInfo Details on a managed certificate.
	CertificateInfo EndpointCertificateInfo `json:"certificateInfo"`

	// Hooks The collection of commands to run when a certificate for a managed endpoint is signed or renewed.
	Hooks *EndpointHooks `json:"hooks,omitempty"`

	// Id A UUID identifying this endpoint configuration. Read only.
	Id *string `json:"id,omitempty"`

	// KeyInfo The attributes of the cryptographic key.
	KeyInfo *EndpointKeyInfo `json:"keyInfo,omitempty"`

	// Kind The kind of endpoint this configuration applies to.
	Kind EndpointConfigurationKind `json:"kind"`

	// Name The name of the endpoint configuration.
	Name string `json:"name"`

	// Provisioner Name of the provisioner on the authority that will authorize certificates for the endpoint.
	Provisioner string `json:"provisioner"`

	// ReloadInfo The properties used to reload a service.
	ReloadInfo *EndpointReloadInfo `json:"reloadInfo,omitempty"`
}

// EndpointConfigurationKind The kind of endpoint this configuration applies to.
// Known values are DEVICE, PEOPLE and WORKLOAD, declared above.
type EndpointConfigurationKind string

// EndpointHook A list of commands to run before and after a certificate is granted.
//
// The command strings are executed by Shell on the managed host (what runs
// them when Shell is unset is not stated here). Nothing in this file escapes
// or validates them, so they must only ever come from trusted configuration.
type EndpointHook struct {
	// After List of commands to run after the operation.
	After *[]string `json:"after,omitempty"`

	// Before List of commands to run before the operation.
	Before *[]string `json:"before,omitempty"`

	// OnError List of commands to run when the operation fails.
	OnError *[]string `json:"onError,omitempty"`

	// Shell The shell to use to execute the commands.
	Shell *string `json:"shell,omitempty"`
}

// EndpointHooks The collection of commands to run when a certificate for a managed endpoint is signed or renewed.
//
// Sign applies to the initial issuance and Renew to each renewal; both carry
// the same EndpointHook shape and the same command-execution caveats.
type EndpointHooks struct {
	// Renew A list of commands to run before and after a certificate is renewed.
	Renew *EndpointHook `json:"renew,omitempty"`

	// Sign A list of commands to run before and after a certificate is first granted.
	Sign *EndpointHook `json:"sign,omitempty"`
}

// EndpointKeyInfo The attributes of the cryptographic key.
//
// When PubFile is set the agent does not generate a key pair; it uses the
// supplied CSR or SSH public key instead, so the matching private key is
// managed entirely outside this configuration.
type EndpointKeyInfo struct {
	// Format The format used to encode the private key. For X509 keys the default format is SEC 1 for ECDSA keys, PKCS#1 for RSA keys and PKCS#8 for ED25519 keys. For SSH keys the default format is always the OPENSSH format.
	Format *EndpointKeyInfoFormat `json:"format,omitempty"`

	// PubFile A CSR or SSH public key to use instead of generating one.
	PubFile *string `json:"pubFile,omitempty"`

	// Type The key type used. The current DEFAULT type is ECDSA_P256.
	Type *EndpointKeyInfoType `json:"type,omitempty"`
}

// EndpointKeyInfoFormat The format used to encode the private key. For X509 keys the default format is SEC 1 for ECDSA keys, PKCS#1 for RSA keys and PKCS#8 for ED25519 keys. For SSH keys the default format is always the OPENSSH format.
// Known values are the EndpointKeyInfoFormat* constants declared above.
type EndpointKeyInfoFormat string

// EndpointKeyInfoType The key type used. The current DEFAULT type is ECDSA_P256.
// Known values are the EndpointKeyInfoType* constants declared above.
type EndpointKeyInfoType string

// EndpointReloadInfo The properties used to reload a service.
//
// With SIGNAL the agent reads a pid from PidFile and sends Signal to it, so
// the pid file must be writable only by the workload it describes; a
// writable pid file would let another local process redirect the signal.
type EndpointReloadInfo struct {
	// Method Ways an endpoint can reload a certificate. `AUTOMATIC` means the process is able to detect and reload new certificates automatically. `CUSTOM` means a custom command must be run to trigger the workload to reload the certificates. `SIGNAL` will configure the agent to send a signal to the process in pidFile.
	Method EndpointReloadInfoMethod `json:"method"`

	// PidFile File that holds the pid of the process to signal. Required when method is SIGNAL.
	PidFile *string `json:"pidFile,omitempty"`

	// Signal The signal to send to a process when a certificate should be reloaded. Required when method is SIGNAL.
	Signal *int `json:"signal,omitempty"`
}

// EndpointReloadInfoMethod Ways an endpoint can reload a certificate. `AUTOMATIC` means the process is able to detect and reload new certificates automatically. `CUSTOM` means a custom command must be run to trigger the workload to reload the certificates. `SIGNAL` will configure the agent to send a signal to the process in pidFile.
// Known values are AUTOMATIC, CUSTOM and SIGNAL, declared above.
type EndpointReloadInfoMethod string

// EndpointSSHCertificateData Contains the information to include when granting an SSH certificate to a managed endpoint.
//
// Principals is the authorization-bearing part of the certificate: for a user
// certificate it is the set of accounts the holder may log in as, for a host
// certificate the names the host may claim. KeyID is an identifier for the
// certificate and is the field sshd typically reports in its auth logs.
type EndpointSSHCertificateData struct {
	// KeyID The key ID to include in the endpoint certificate.
	KeyID string `json:"keyID"`

	// Principals The principals to include in the endpoint certificate.
	Principals []string `json:"principals"`
}

// EndpointX509CertificateData Contains the information to include when granting an x509 certificate to a managed endpoint.
//
// Sans are the identities relying parties will match on; CommonName only
// populates the subject. Whether the named provisioner accepts arbitrary SANs
// is governed by the provisioner configuration, not by this struct.
type EndpointX509CertificateData struct {
	// CommonName The Common Name to be used in the subject of the endpoint certificate.
	CommonName string `json:"commonName"`

	// Sans The list of SANs to include in the endpoint certificate.
	Sans []string `json:"sans"`
}

// Error defines model for error.
//
// The API's error response body; Message is free text intended for humans
// and should not be parsed for control flow.
type Error struct {
	// Message A description of the error.
	Message string `json:"message"`
}

// GcpProvisioner The [GCP provisioner](https://smallstep.com/docs/step-ca/provisioners/#gcp) grants a certificate to a Google Compute Engine instance using its identity token.
//
// ProjectIDs and ServiceAccounts are both required allowlists. As with the
// AWS and Azure provisioners the defaults accept custom SANs and enforce one
// certificate per instance; InstanceAge bounds how long an identity token
// remains usable for enrolment.
type GcpProvisioner struct {
	// DisableCustomSANs By default custom SANs are valid, but if this option is set to `true` only the SANs available in the instance identity document will be valid, these are the DNS `<instance-name>.c.<project-id>.internal` and `<instance-name>.<zone>.c.<project-id>.internal`.
	DisableCustomSANs *bool `json:"disableCustomSANs,omitempty"`

	// DisableTrustOnFirstUse By default only one certificate will be granted per instance, but if the option is set to `true` this limit is not set and different tokens can be used to get different certificates.
	// Setting this to true removes the replay protection the default provides.
	DisableTrustOnFirstUse *bool `json:"disableTrustOnFirstUse,omitempty"`

	// InstanceAge The maximum age of an instance that should be allowed to obtain a certificate. Limits certificate issuance to new instances to mitigate the risk of credential-misuse from instances that don't need a certificate. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	InstanceAge *string `json:"instanceAge,omitempty"`

	// ProjectIDs The list of project identifiers that are allowed to use this provisioner.
	ProjectIDs []string `json:"projectIDs"`

	// ServiceAccounts The list of service accounts that are allowed to use this provisioner.
	ServiceAccounts []string `json:"serviceAccounts"`
}

// Grant A grant gives permission to all users in a group to access a host with a matching tag.
//
// Access is tag-driven: a host matches when its tag name equals Name and
// (presumably, when Value is set) its tag value equals Value. Sudo extends the
// grant from login to root-equivalent access, so it warrants the same review
// as any sudoers change.
type Grant struct {
	// GroupID A UUID identifying the group this grant is attached to.
	GroupID *string `json:"groupID,omitempty"`

	// Id A UUID identifying the grant.
	Id *string `json:"id,omitempty"`

	// Name Matched against host tag names.
	Name *string `json:"name,omitempty"`

	// Sudo Whether users in the group will have sudo permission on matching hosts.
	Sudo *bool `json:"sudo,omitempty"`

	// Value Matched against host tag values.
	Value *string `json:"value,omitempty"`
}

// Group A group is a set of users that have been synced from an identity provider.
//
// HostGrants decide which hosts members may reach, PosixGroups which OS groups
// they join there, and Principals adds extra SSH principals on top of each
// member's email and POSIX username.
type Group struct {
	// HostGrants The grants giving this group access to tagged hosts.
	HostGrants *[]Grant `json:"hostGrants,omitempty"`

	// Id A UUID identifying the group.
	Id *string `json:"id,omitempty"`

	Name        *string       `json:"name,omitempty"`
	PosixGroups *[]PosixGroup `json:"posixGroups,omitempty"`

	// Principals Additional principals that will be appended to users' certificates, in addition to the user's email and POSIX username.
	// Every principal listed here becomes an identity every member can
	// authenticate as, so review additions as you would group membership.
	Principals *[]string `json:"principals,omitempty"`
}

// Host A host where Smallstep has been installed to manage SSH access.
//
// Tags are what Grant.Name/Grant.Value match against, so whoever can edit a
// host's tags can change who may log in to it.
type Host struct {
	// Active A host is active until it is unregistered.
	Active *bool `json:"active,omitempty"`

	// Bastion Whether or not this host is a bastion.
	Bastion *bool `json:"bastion,omitempty"`

	// BastionHostname The hostname of the bastion server required to access this host, if any.
	BastionHostname *string `json:"bastionHostname,omitempty"`

	// CreatedAt Timestamp in RFC3339 format when the host was registered.
	CreatedAt *time.Time `json:"createdAt,omitempty"`

	// Hostname The hostname detected during installation.
	// Self-reported by the host at install time, so not by itself a proof of identity.
	Hostname *string `json:"hostname,omitempty"`

	Id   *string `json:"id,omitempty"`
	Tags *[]Tag  `json:"tags,omitempty"`

	// UpdatedAt Timestamp in RFC3339 format when the host was last updated.
	UpdatedAt *time.Time `json:"updatedAt,omitempty"`
}

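// JwkProvisioner A [provisioner](https://smallstep.com/docs/step-ca/provisioners/#jwk) that uses public-key cryptography to sign and validate a JSON Web Token (JWT).
//
// Key is decoded as arbitrary JSON (presumably the public JWK; this file does
// not say). EncryptedKey is the matching private key wrapped as a JWE — it is
// still key material, so avoid logging serialized provisioners.
type JwkProvisioner struct {
	// EncryptedKey The JWE encrypted private key.
	EncryptedKey *string `json:"encryptedKey,omitempty"`

	// Key The JWK used to validate tokens signed for this provisioner (schema not
	// fixed in this file).
	Key interface{} `json:"key"`
}
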
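// ManagedConfiguration The agent and managed endpoints used in one host. This object is experimental and subject to change.
//
// Binds one AgentConfiguration (how the agent itself authenticates) to the
// set of ManagedEndpoints it will obtain certificates for on a single host.
type ManagedConfiguration struct {
	// AgentConfigurationID UUID identifying the agent configuration.
	AgentConfigurationID string `json:"agentConfigurationID"`

	// HostID UUID identifying the host this managed configuration is for. Will be generated on server-side if not provided.
	HostID *string `json:"hostID,omitempty"`

	// Id UUID identifying this managed configuration. Read only.
	Id *string `json:"id,omitempty"`

	// ManagedEndpoints The list of endpoints managed by this configuration.
	ManagedEndpoints []ManagedEndpoint `json:"managedEndpoints"`

	// Name The name of this managed configuration.
	Name string `json:"name"`
}
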
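// ManagedEndpoint All the information used by an agent to grant a certificate to an endpoint. Exactly one of `x509CertificateData` or `sshCertificateData` must be set and must match the endpoint configuration certificate info type. This object is experimental and subject to change.
//
// The "exactly one" rule is a server-side contract; nothing in this struct
// enforces it, so callers building requests should check it themselves.
type ManagedEndpoint struct {
	// EndpointConfigurationID UUID identifying the endpoint configuration.
	EndpointConfigurationID string `json:"endpointConfigurationID"`

	// Id UUID identifying this managed endpoint. Read only.
	Id *string `json:"id,omitempty"`

	// SshCertificateData Contains the information to include when granting an SSH certificate to a managed endpoint.
	SshCertificateData *EndpointSSHCertificateData `json:"sshCertificateData,omitempty"`

	// X509CertificateData Contains the information to include when granting an x509 certificate to a managed endpoint.
	X509CertificateData *EndpointX509CertificateData `json:"x509CertificateData,omitempty"`
}
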
// NameConstraints X509 certificate name constraints.
//
// Lists are split into permitted and excluded subtrees per name type (DNS,
// email, IP range, URI). RFC 5280 §4.2.1.10 requires conforming CAs to mark
// this extension critical; what the server does when Critical is left unset
// is not visible in this file — NOTE(review): confirm the default.
type NameConstraints struct {
	// Critical Whether or not name constraints are marked critical.
	Critical                *bool     `json:"critical,omitempty"`
	ExcludedDNSDomains      *[]string `json:"excludedDNSDomains,omitempty"`
	ExcludedEmailAddresses  *[]string `json:"excludedEmailAddresses,omitempty"`
	ExcludedIPRanges        *[]string `json:"excludedIPRanges,omitempty"`
	ExcludedURIDomains      *[]string `json:"excludedURIDomains,omitempty"`
	PermittedDNSDomains     *[]string `json:"permittedDNSDomains,omitempty"`
	PermittedEmailAddresses *[]string `json:"permittedEmailAddresses,omitempty"`
	PermittedIPRanges       *[]string `json:"permittedIPRanges,omitempty"`
	PermittedURIDomains     *[]string `json:"permittedURIDomains,omitempty"`
}

// NewAuthority The body of a request to create a new authority.
//
// AdminEmails is required and names the people who will be able to manage the
// authority afterwards; keep it short. RootIssuer/IntermediateIssuer customize
// the issuer certificates (X509Issuer is defined elsewhere in this package).
type NewAuthority struct {
	// ActiveRevocation Whether to enable CRL and OCSP on an advanced authority.
	ActiveRevocation *bool `json:"activeRevocation,omitempty"`

	// AdminEmails Users that will have admin access to manage the authority.
	AdminEmails []string `json:"adminEmails"`

	// IntermediateIssuer A Customized X509 issuer for an authority.
	IntermediateIssuer *X509Issuer `json:"intermediateIssuer,omitempty"`

	// Name The name of the new authority.
	Name string `json:"name"`

	// RootIssuer A Customized X509 issuer for an authority.
	RootIssuer *X509Issuer `json:"rootIssuer,omitempty"`

	// Subdomain The new authority will be available at <subdomain>.<team slug>.ca.smallstep.com.
	Subdomain string `json:"subdomain"`

	// Type Create either a devops or advanced authority.
	Type NewAuthorityType `json:"type"`
}

// NewAuthorityType Create either a devops or advanced authority.
// Known values are NewAuthorityTypeAdvanced and NewAuthorityTypeDevops.
type NewAuthorityType string

// NewAuthorityCsr Body of a request to create a new X509 advanced authority with an external root.
//
// Unlike NewAuthority there is no RootIssuer here: the root is held outside
// Smallstep and the server responds with an AuthorityCsr for the intermediate
// to be signed by it. IntermediateIssuer is therefore required.
type NewAuthorityCsr struct {
	// ActiveRevocation Whether to enable CRL and OCSP on the authority.
	ActiveRevocation *bool `json:"activeRevocation,omitempty"`

	// IntermediateIssuer A Customized X509 issuer for an authority.
	IntermediateIssuer X509Issuer `json:"intermediateIssuer"`

	// Name The name of the new authority.
	Name string `json:"name"`

	// Subdomain The new authority will be available at <subdomain>.<team slug>.ca.smallstep.com.
	Subdomain string `json:"subdomain"`
}

// NewCollection Body of a request to create a new collection.
//
// Slug is the only required field and becomes the collection's identifier.
type NewCollection struct {
	// DisplayName A user-friendly name for the collection.
	DisplayName *string `json:"displayName,omitempty"`

	// SchemaURI Reference to a schema that all instances in the collection must conform to.
	SchemaURI *string `json:"schemaURI,omitempty"`

	// Slug A lowercase name identifying the collection.
	Slug string `json:"slug"`
}

// NewGrant The body of a request to add a grant to a group.
//
// GroupID and Name are required; Value is optional, so a grant with only a
// Name presumably matches every host carrying that tag name regardless of
// value — confirm before relying on a tag name alone as an access boundary.
// Sudo defaults to unset; the server default is not visible here.
type NewGrant struct {
	// GroupID A UUID identifying the group this grant is attached to.
	GroupID string `json:"groupID"`

	// Name Matched against host tag names.
	Name string `json:"name"`

	// Sudo Whether users in the group will have sudo permission on matching hosts.
	Sudo *bool `json:"sudo,omitempty"`

	// Value Matched against host tag values.
	Value *string `json:"value,omitempty"`
}

// NewTag The body of a request to add a tag to a host.
//
// Tags feed Grant matching, so adding a tag can widen who may log in to the
// host.
type NewTag struct {
	// Name The tag name, matched against Grant.Name.
	Name *string `json:"name,omitempty"`

	// Value The tag value, matched against Grant.Value.
	Value *string `json:"value,omitempty"`
}

// OidcProvisioner A [provisioner](https://smallstep.com/docs/step-ca/provisioners/#oauthoidc-single-sign-on) that is configured to trust and accept an OAuth provider's ID tokens for authentication. By default, the issued certificate will use the subject (sub) claim from the identity token as its subject. The value of the token's email claim is also included as an email SAN in the certificate.
type OidcProvisioner struct {
	// Admins The emails of admin users in an OpenID Connect provisioner. These users will not have restrictions in the certificates to sign.
	// An admin can therefore obtain a certificate for any subject or SAN this
	// provisioner can issue; keep this list minimal.
	Admins *[]string `json:"admins,omitempty"`

	// ClientID The id used to validate the audience in an OpenID Connect token.
	ClientID string `json:"clientID"`

	// ClientSecret The secret used to obtain the OpenID Connect tokens.
	// This is a credential carried in plain text in the JSON body; avoid
	// logging serialized provisioners.
	ClientSecret string `json:"clientSecret"`

	// ConfigurationEndpoint OpenID Connect configuration URL.
	// The discovery document fetched from here determines which issuer and
	// signing keys are trusted, so it should only ever point at the intended IdP.
	ConfigurationEndpoint string `json:"configurationEndpoint"`

	// Domains The domains used to validate the email claim in an OpenID Connect provisioner.
	// What happens when this is unset is not stated here; presumably the
	// domain check is skipped — confirm before relying on it as an allowlist.
	Domains *[]string `json:"domains,omitempty"`

	// Groups The group list used to validate the groups extension in an OpenID Connect token.
	Groups *[]string `json:"groups,omitempty"`

	// ListenAddress The callback address used in the OpenID Connect flow.
	ListenAddress *string `json:"listenAddress,omitempty"`

	// TenantID The tenant-id used to replace the templatized tenantid value in the OpenID Configuration.
	TenantID *string `json:"tenantID,omitempty"`
}

// PosixGroup A POSIX group represents a group that exists on a host with the given group name and gid.
// A managed group will be created or deleted on the host by Smallstep.
// Unmanaged groups must already exist on the host.
//
// An SSH Group may have multiple POSIX groups.
// An SSH User belonging to the group will be a member of the POSIX group when they access the host.
type PosixGroup struct {
	// Gid The numeric group ID of the POSIX group on the host.
	Gid *int `json:"gid,omitempty"`

	// Id A UUID identifying the POSIX group.
	Id *string `json:"id,omitempty"`

	// Managed Whether Smallstep should create and delete the group.
	Managed *bool `json:"managed,omitempty"`

	// Name The POSIX group name on the host.
	Name *string `json:"name,omitempty"`
}

// PosixUser A POSIX user is the login user on the SSH Host. It will be generated automatically if not supplied by the team's Identity Provider.
//
// Every field is optional in the JSON (pointer + omitempty).
type PosixUser struct {
	// Gid The numeric group ID of the user.
	Gid *int `json:"gid,omitempty"`

	// HomeDir The user's home directory path on the host (inferred from the name — confirm).
	HomeDir *string `json:"homeDir,omitempty"`

	// Shell The user's login shell on the host (inferred from the name — confirm).
	Shell *string `json:"shell,omitempty"`

	// Uid The numeric user ID of the user.
	Uid *int `json:"uid,omitempty"`

	// Username The login name of the user.
	Username *string `json:"username,omitempty"`
}

// Provisioner defines model for provisioner.
//
// The exported fields are the attributes shared by every provisioner type;
// the unexported union field holds the rest of the JSON object as raw bytes.
// NOTE(review): union is presumably populated and read by generated
// (Un)MarshalJSON and As*/From* helpers elsewhere in this file — confirm.
type Provisioner struct {
	// Claims A set of constraints configuring how this provisioner can be used to issue certificates.
	Claims *ProvisionerClaims `json:"claims,omitempty"`

	// CreatedAt Timestamp of when the provisioner was created in RFC 3339 format. Generated server-side.
	CreatedAt *time.Time `json:"createdAt,omitempty"`

	// Id A UUID identifying this provisioner. Generated server-side when the provisioner is created.
	Id *string `json:"id,omitempty"`

	// Name The name of the provisioner.
	Name string `json:"name"`

	// Options Options that apply when issuing certificates with this provisioner.
	Options *ProvisionerOptions `json:"options,omitempty"`

	// Type The type of provisioner.
	Type  ProvisionerType `json:"type"`
	// union Raw JSON carrying the type-specific provisioner fields; not
	// accessible outside this package.
	union json.RawMessage
}

// ProvisionerType The type of provisioner.
//
// Carried in Provisioner.Type. The accepted string values are presumably
// declared as constants of this type elsewhere in this file — confirm.
type ProvisionerType string

// ProvisionerClaims A set of constraints configuring how this provisioner can be used to issue certificates.
//
// All duration fields are plain strings in this type; nothing here checks
// that they parse or that Min <= Default <= Max holds for each certificate
// kind. NOTE(review): presumably validated server-side — confirm before
// relying on the values client-side.
type ProvisionerClaims struct {
	// AllowRenewalAfterExpiry Allow renewals for expired certificates generated by this provisioner.
	AllowRenewalAfterExpiry *bool `json:"allowRenewalAfterExpiry,omitempty"`

	// DefaultHostSSHCertDuration The default duration for an SSH host certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	DefaultHostSSHCertDuration *string `json:"defaultHostSSHCertDuration,omitempty"`

	// DefaultTLSCertDuration The default duration for an x509 certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	DefaultTLSCertDuration *string `json:"defaultTLSCertDuration,omitempty"`

	// DefaultUserSSHCertDuration The default duration for an SSH user certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	DefaultUserSSHCertDuration *string `json:"defaultUserSSHCertDuration,omitempty"`

	// DisableRenewal Disable renewal for all certificates generated by this provisioner.
	DisableRenewal *bool `json:"disableRenewal,omitempty"`

	// EnableSSHCA Allow this provisioner to be used to generate SSH certificates.
	EnableSSHCA *bool `json:"enableSSHCA,omitempty"`

	// MaxHostSSHCertDuration The maximum duration for an SSH host certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	MaxHostSSHCertDuration *string `json:"maxHostSSHCertDuration,omitempty"`

	// MaxTLSCertDuration The maximum duration for an x509 certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	MaxTLSCertDuration *string `json:"maxTLSCertDuration,omitempty"`

	// MaxUserSSHCertDuration The maximum duration for an SSH user certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	MaxUserSSHCertDuration *string `json:"maxUserSSHCertDuration,omitempty"`

	// MinHostSSHCertDuration The minimum duration for an SSH host certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	MinHostSSHCertDuration *string `json:"minHostSSHCertDuration,omitempty"`

	// MinTLSCertDuration The minimum duration for an x509 certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	MinTLSCertDuration *string `json:"minTLSCertDuration,omitempty"`

	// MinUserSSHCertDuration The minimum duration for an SSH user certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	MinUserSSHCertDuration *string `json:"minUserSSHCertDuration,omitempty"`
}

// ProvisionerOptions Options that apply when issuing certificates with this provisioner.
type ProvisionerOptions struct {
	// Ssh Options that apply when issuing SSH certificates
	Ssh      *SshOptions           `json:"ssh,omitempty"`
	// Webhooks Webhooks the CA calls while a certificate request made through this provisioner is being processed.
	Webhooks *[]ProvisionerWebhook `json:"webhooks,omitempty"`

	// X509 Options that apply when issuing x509 certificates.
	X509 *X509Options `json:"x509,omitempty"`
}

// ProvisionerWebhook A [webhook](https://smallstep.com/docs/step-ca/webhooks/) to call when a certificate request is being processed.
//
// NOTE(review): BasicAuth, BearerToken and Secret all carry credential
// material. Nothing in this type redacts them, so take care when logging or
// printing a value of this struct.
type ProvisionerWebhook struct {
	// BasicAuth Configures provisioner webhook requests to include an Authorization header with these credentials. Optional for `EXTERNAL` webhook servers; not allowed with hosted webhook servers. At most one of `bearerToken` and `basicAuth` may be set.
	BasicAuth *BasicAuth `json:"basicAuth,omitempty"`

	// BearerToken Webhook requests will include an Authorization header with the token. Optional for `EXTERNAL` webhook servers; not allowed with hosted webhook servers. At most one of `bearerToken` and `basicAuth` may be set.
	BearerToken *string                    `json:"bearerToken,omitempty"`
	// CertType Which certificate kind this webhook applies to. Presumably
	// distinguishes X509 from SSH requests, mirroring the payload split
	// described under Kind; the allowed values are ProvisionerWebhookCertType constants — confirm.
	CertType    ProvisionerWebhookCertType `json:"certType"`

	// CollectionSlug For HOSTED_ATTESTATION webhooks, the collectionSlug is a reference to the collection that holds the devices that may be issued certificates. This collection must already exist. Required for `HOSTED_ATTESTATION` webhook servers; not allowed for `EXTERNAL`.
	CollectionSlug *string `json:"collectionSlug,omitempty"`

	// DisableTLSClientAuth The CA will not send a client certificate when requested by the webhook server. Optional for `EXTERNAL` webhook servers; not allowed with hosted webhook servers.
	// NOTE(review): setting this removes the webhook server's ability to
	// authenticate the CA via mTLS; the shared Secret then remains the only
	// request authentication.
	DisableTLSClientAuth *bool `json:"disableTLSClientAuth,omitempty"`

	// Id UUID identifying this webhook. Generated server-side when the webhook is created. Will be sent to the webhook server in every request in the `X-Smallstep-Webhook-ID` header.
	Id *string `json:"id,omitempty"`

	// Kind The webhook kind indicates how and when it is called.
	//
	// ENRICHING webhooks are called before rendering the certificate template. They have two functions. First, they must allow the certificate request or it will be aborted. Second, they can return additional data to be referenced in the certificate template. The payload sent to the webhook server varies based on whether an X509 or SSH certificate is to be signed and based on the type of provisioner.
	Kind ProvisionerWebhookKind `json:"kind"`

	// Name The name of the webhook. For `ENRICHING` webhooks, the returned data can be referenced in the certificate under the path `.Webhooks.<name>`. Must be unique to the provisioner.
	Name string `json:"name"`

	// Secret The shared secret used to authenticate the payload sent to the webhook server. Generated server-side. This is returned only for `EXTERNAL` webhook servers and only once, at the time of creation.
	// Because it is returned only once, the caller must capture and store it
	// from the creation response; it is nil on every later read.
	Secret *string `json:"secret,omitempty"`

	// ServerType An EXTERNAL webhook server is not operated by Smallstep. The caller must use the returned ID and secret to configure the server.
	//
	// A HOSTED_ATTESTATION webhook server is hosted by Smallstep and must be used with an `ENRICHING` webhook type and an ACME Attestation provisioner. The webhook server will verify the attested permanent identifier exists as the ID of an instance in the configured collection. The data of the instance in the collection will be added to the template data.
	ServerType ProvisionerWebhookServerType `json:"serverType"`

	// Url The URL of the webhook server. Required for `EXTERNAL` webhook servers; read-only for hosted webhook servers.
	Url *string `json:"url,omitempty"`
}

// ProvisionerWebhookCertType defines model for ProvisionerWebhook.CertType.
//
// The accepted string values are presumably declared as constants of this
// type elsewhere in this file — confirm.
type ProvisionerWebhookCertType string

// ProvisionerWebhookKind The webhook kind indicates how and when it is called.
//
// ENRICHING webhooks are called before rendering the certificate template. They have two functions. First, they must allow the certificate request or it will be aborted. Second, they can return additional data to be referenced in the certificate template. The payload sent to the webhook server varies based on whether an X509 or SSH certificate is to be signed and based on the type of provisioner.
//
// Carried in ProvisionerWebhook.Kind; the accepted string values are
// presumably declared as constants of this type elsewhere in this file — confirm.
type ProvisionerWebhookKind string

// ProvisionerWebhookServerType An EXTERNAL webhook server is not operated by Smallstep. The caller must use the returned ID and secret to configure the server.
//
// A HOSTED_ATTESTATION webhook server is hosted by Smallstep and must be used with an `ENRICHING` webhook type and an ACME Attestation provisioner. The webhook server will verify the attested permanent identifier exists as the ID of an instance in the configured collection. The data of the instance in the collection will be added to the template data.
//
// Carried in ProvisionerWebhook.ServerType; the accepted string values are
// presumably declared as constants of this type elsewhere in this file — confirm.
type ProvisionerWebhookServerType string

// SshOptions Options that apply when issuing SSH certificates
type SshOptions struct {
	// Template A JSON representation of the SSH certificate to be created. [More info](https://smallstep.com/docs/step-ca/templates/#ssh-templates).
	Template *string `json:"template,omitempty"`

	// TemplateData A map of data that can be used by the certificate template.
	// Typed as *interface{}, so any JSON value is accepted here; the "map"
	// shape is not enforced by this type.
	TemplateData *interface{} `json:"templateData,omitempty"`
}

// Tag A key-value pair attached to a host.
// Smallstep determines access by comparing host tags to group grants when a user attempts to SSH to a host.
type Tag struct {
	// Id A UUID identifying this host tag.
	Id *string `json:"id,omitempty"`

	// Name The tag name; group grants are matched against it.
	Name *string `json:"name,omitempty"`

	// Value The tag value; group grants are matched against it.
	Value *string `json:"value,omitempty"`
}

// User SSH Users are synced from the team's Identity Provider, or from the default Smallstep directory if no external Identity Provider has been configured.
//
// Every field is optional in the JSON (pointer + omitempty).
type User struct {
	// Active Whether the user has been deactivated in the team's Identity Provider.
	Active *bool `json:"active,omitempty"`

	// DisplayName The user's display name.
	DisplayName *string  `json:"displayName,omitempty"`
	// Emails The user's email addresses (see the Email type).
	Emails      *[]Email `json:"emails,omitempty"`

	// FamilyName The user's family (last) name.
	FamilyName *string `json:"familyName,omitempty"`

	// GivenName The user's given (first) name.
	GivenName *string  `json:"givenName,omitempty"`
	// Groups The groups the user belongs to (see the Group type) — presumably
	// the SSH groups whose grants apply to this user; confirm.
	Groups    *[]Group `json:"groups,omitempty"`

	// Id An identifier for the user; presumably a UUID like the other Id fields in this file — confirm.
	Id         *string      `json:"id,omitempty"`
	// PosixUsers The login users on SSH hosts associated with this user.
	PosixUsers *[]PosixUser `json:"posixUsers,omitempty"`
}

// X509Issuer A Customized X509 issuer for an authority.
type X509Issuer struct {
	// Duration The certificate lifetime. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	Duration *string `json:"duration,omitempty"`

	// KeyVersion The signature algorithm.
	KeyVersion    X509IssuerKeyVersion `json:"keyVersion"`
	// MaxPathLength Presumably the X.509 basic-constraints path length limit
	// for this issuer (how many CA levels may sit below it) — inferred from
	// the name, confirm.
	MaxPathLength *int                 `json:"maxPathLength,omitempty"`

	// Name The name of the issuer.
	Name string `json:"name"`

	// NameConstraints X509 certificate name constraints.
	NameConstraints *NameConstraints `json:"nameConstraints,omitempty"`

	// Subject Name used in x509 certificates
	Subject *DistinguishedName `json:"subject,omitempty"`
}

// X509IssuerKeyVersion The signature algorithm.
//
// Carried in X509Issuer.KeyVersion; the accepted string values are presumably
// declared as constants of this type elsewhere in this file — confirm.
type X509IssuerKeyVersion string

// X509Options Options that apply when issuing x509 certificates.
type X509Options struct {
	// Template A JSON representation of the x509 certificate to be created. [More info](https://smallstep.com/docs/step-ca/templates/#x509-templates).
	Template *string `json:"template,omitempty"`

	// TemplateData A map of data that can be used by the certificate template.
	// Typed as *interface{}, so any JSON value is accepted here; the "map"
	// shape is not enforced by this type.
	TemplateData *interface{} `json:"templateData,omitempty"`
}

// X5cProvisioner A [provisioner](https://smallstep.com/docs/step-ca/provisioners/#x5c---x509-certificate) that authenticates a certificate request with an existing x509 certificate.
type X5cProvisioner struct {
	// Roots A list of pem-encoded x509 certificates. Any certificate bundle that chains up to any of these roots can be used in a certificate request.
	//
	// These are the provisioner's trust anchors: adding a root widens the set
	// of clients that can obtain certificates, so changes to this list are
	// worth reviewing. No omitempty, so the field is always serialized.
	Roots []string `json:"roots"`
}

// Accept defines model for accept.
//
// A plain string alias (not a distinct type); presumably the type of an
// operation parameter named accept — confirm against the generated client.
type Accept = string

// AgentConfigurationID defines model for agentConfigurationID.
//
// A plain string alias (not a distinct type); presumably the type of an
// operation parameter named agentConfigurationID — confirm against the generated client.
type AgentConfigurationID = string

// AttestationAuthorityID defines model for attestationAuthorityID.
//
// A plain string alias (not a distinct type); presumably the type of an
// operation parameter named attestationAuthorityID — confirm against the generated client.
type AttestationAuthorityID = string

// AuthorityID defines model for authorityID.
//
// A plain string alias (not a distinct type); presumably the type of an
// operation parameter named authorityID — confirm against the generated client.
type AuthorityID = string

// CollectionSlug defines model for collectionSlug.
//
// A plain string alias (not a distinct type); presumably the type of an
// operation parameter named collectionSlug — confirm against the generated client.
type CollectionSlug = string

// EndpointConfigurationID defines model for endpointConfigurationID.
//
// A plain string alias (not a distinct type); presumably the type of an
// operation parameter named endpointConfigurationID — confirm against the generated client.
type EndpointConfigurationID = string

// GrantID defines model for grantID.
//
// A plain string alias (not a distinct type); presumably the type of an
// operation parameter named grantID — confirm against the generated client.
type GrantID = string