// Package v20230301 provides primitives to interact with the openapi HTTP API.
//
// Code generated by github.com/deepmap/oapi-codegen version v1.12.3 DO NOT EDIT.
package v20230301
import (
"bytes"
"context"
"encoding/json"
"fmt"
"io"
"net/http"
"net/url"
"strings"
"time"
"github.com/deepmap/oapi-codegen/pkg/runtime"
openapi_types "github.com/deepmap/oapi-codegen/pkg/types"
)
// Names of the security schemes declared in the OpenAPI spec.
// NOTE(review): presumably used as context keys carrying the scopes
// required for the JWT and mTLS security schemes — confirm against the
// generated client/server code, which is not part of this listing.
const (
	JWTScopes  = "JWT.Scopes"
	MtlsScopes = "mtls.Scopes"
)
// Defines values for AcmeAttestationProvisionerAttestationFormats.
// See AcmeAttestationProvisioner.AttestationFormats for which CAs each
// format trusts by default.
const (
	Apple AcmeAttestationProvisionerAttestationFormats = "apple"
	Step  AcmeAttestationProvisionerAttestationFormats = "step"
	Tpm   AcmeAttestationProvisionerAttestationFormats = "tpm"
)
// Defines values for AcmeProvisionerChallenges.
// These are the ACME challenge types an AcmeProvisioner may allow; see
// AcmeProvisioner.Challenges.
const (
	Dns01     AcmeProvisionerChallenges = "dns-01"
	Http01    AcmeProvisionerChallenges = "http-01"
	TlsAlpn01 AcmeProvisionerChallenges = "tls-alpn-01"
)
// Defines values for AuthorityType.
const (
AuthorityTypeAdvanced AuthorityType = "advanced"
AuthorityTypeDevops AuthorityType = "devops"
AuthorityTypeManaged AuthorityType = "managed"
// Defines values for EndpointCertificateInfoType.
// The type selects whether a managed endpoint receives an SSH host, an SSH
// user or an X509 certificate; see EndpointCertificateInfo.Type.
const (
	EndpointCertificateInfoTypeSSHHOST EndpointCertificateInfoType = "SSH_HOST"
	EndpointCertificateInfoTypeSSHUSER EndpointCertificateInfoType = "SSH_USER"
	EndpointCertificateInfoTypeX509    EndpointCertificateInfoType = "X509"
)
// Defines values for EndpointConfigurationKind.
// See EndpointConfiguration.Kind.
const (
	DEVICE   EndpointConfigurationKind = "DEVICE"
	PEOPLE   EndpointConfigurationKind = "PEOPLE"
	WORKLOAD EndpointConfigurationKind = "WORKLOAD"
)
// Defines values for EndpointKeyInfoFormat.
// DEFAULT resolves per key type as described on EndpointKeyInfo.Format.
const (
	EndpointKeyInfoFormatDEFAULT EndpointKeyInfoFormat = "DEFAULT"
	EndpointKeyInfoFormatDER     EndpointKeyInfoFormat = "DER"
	EndpointKeyInfoFormatOPENSSH EndpointKeyInfoFormat = "OPENSSH"
	EndpointKeyInfoFormatPKCS8   EndpointKeyInfoFormat = "PKCS8"
)
// Defines values for EndpointKeyInfoType.
// Per EndpointKeyInfo.Type, DEFAULT currently resolves to ECDSA_P256.
const (
	EndpointKeyInfoTypeDEFAULT   EndpointKeyInfoType = "DEFAULT"
	EndpointKeyInfoTypeECDSAP256 EndpointKeyInfoType = "ECDSA_P256"
	EndpointKeyInfoTypeECDSAP384 EndpointKeyInfoType = "ECDSA_P384"
	EndpointKeyInfoTypeECDSAP521 EndpointKeyInfoType = "ECDSA_P521"
	EndpointKeyInfoTypeED25519   EndpointKeyInfoType = "ED25519"
	EndpointKeyInfoTypeRSA2048   EndpointKeyInfoType = "RSA_2048"
	EndpointKeyInfoTypeRSA3072   EndpointKeyInfoType = "RSA_3072"
	EndpointKeyInfoTypeRSA4096   EndpointKeyInfoType = "RSA_4096"
)
// Defines values for EndpointReloadInfoMethod.
// The meaning of each method is described on EndpointReloadInfo.Method;
// SIGNAL additionally requires PidFile and Signal to be set.
const (
	AUTOMATIC EndpointReloadInfoMethod = "AUTOMATIC"
	CUSTOM    EndpointReloadInfoMethod = "CUSTOM"
	SIGNAL    EndpointReloadInfoMethod = "SIGNAL"
)
// Defines values for NewAuthorityType.
// Only devops and advanced authorities can be created through NewAuthority;
// compare with the AuthorityType values, which also include managed.
const (
	NewAuthorityTypeAdvanced NewAuthorityType = "advanced"
	NewAuthorityTypeDevops   NewAuthorityType = "devops"
)
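// Defines values for ProvisionerType.
// The enclosing const block was lost in this listing; the values are
// restored here unchanged.
const (
	ACME            ProvisionerType = "ACME"
	ACMEATTESTATION ProvisionerType = "ACME_ATTESTATION"
	AWS             ProvisionerType = "AWS"
	AZURE           ProvisionerType = "AZURE"
	GCP             ProvisionerType = "GCP"
	JWK             ProvisionerType = "JWK"
	OIDC            ProvisionerType = "OIDC"
	X5C             ProvisionerType = "X5C"
)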
// Defines values for ProvisionerWebhookCertType.
// Selects which certificate kinds a provisioner webhook is invoked for.
const (
	ProvisionerWebhookCertTypeALL  ProvisionerWebhookCertType = "ALL"
	ProvisionerWebhookCertTypeSSH  ProvisionerWebhookCertType = "SSH"
	ProvisionerWebhookCertTypeX509 ProvisionerWebhookCertType = "X509"
)
// Defines values for ProvisionerWebhookKind.
// ENRICHING is currently the only kind defined by the spec.
const (
	ENRICHING ProvisionerWebhookKind = "ENRICHING"
)
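// Defines values for ProvisionerWebhookServerType.
// The enclosing const block was lost in this listing; the values are
// restored here unchanged. BasicAuth documents that credentials are only
// allowed for EXTERNAL servers.
const (
	EXTERNAL          ProvisionerWebhookServerType = "EXTERNAL"
	HOSTEDATTESTATION ProvisionerWebhookServerType = "HOSTED_ATTESTATION"
)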
// Defines values for X509IssuerKeyVersion.
// Each value names the key algorithm, key size or curve, and the hash
// used for signing, as encoded in the string itself.
const (
	ECSIGNP256SHA256       X509IssuerKeyVersion = "EC_SIGN_P256_SHA256"
	ECSIGNP384SHA384       X509IssuerKeyVersion = "EC_SIGN_P384_SHA384"
	RSASIGNPKCS12048SHA256 X509IssuerKeyVersion = "RSA_SIGN_PKCS1_2048_SHA256"
	RSASIGNPKCS13072SHA256 X509IssuerKeyVersion = "RSA_SIGN_PKCS1_3072_SHA256"
	RSASIGNPKCS14096SHA256 X509IssuerKeyVersion = "RSA_SIGN_PKCS1_4096_SHA256"
	RSASIGNPKCS14096SHA512 X509IssuerKeyVersion = "RSA_SIGN_PKCS1_4096_SHA512"
	RSASIGNPSS2048SHA256   X509IssuerKeyVersion = "RSA_SIGN_PSS_2048_SHA256"
	RSASIGNPSS3072SHA256   X509IssuerKeyVersion = "RSA_SIGN_PSS_3072_SHA256"
	RSASIGNPSS4096SHA256   X509IssuerKeyVersion = "RSA_SIGN_PSS_4096_SHA256"
	RSASIGNPSS4096SHA512   X509IssuerKeyVersion = "RSA_SIGN_PSS_4096_SHA512"
)
// Defines values for PostAuthJSONBodyAudience.
// The audience requested in the auth endpoint's JSON body.
const (
	StepAgent PostAuthJSONBodyAudience = "step-agent"
)
// AcmeAttestationProvisioner A [provisioner](https://smallstep.com/docs/step-ca/provisioners/#acme) that enables automation with the [device-attest-01 challenge of the ACME protocol](https://smallstep.com/blog/acme-managed-device-attestation-explained/).
type AcmeAttestationProvisioner struct {
	// AttestationFormats The allowed attestation formats for the device-attest-01 challenge. Valid values are `apple`, `step`, and `tpm`. The apple format is for Apple devices, and adds trust for Apple's CAs. The step format is for non-TPM devices that can issue attestation certificates, such as YubiKey PIV. It adds trust for Yubico's root CA. The tpm format is for TPMs and does not trust any CAs by default.
	AttestationFormats []AcmeAttestationProvisionerAttestationFormats `json:"attestationFormats"`
	// AttestationRoots A trust bundle of root certificates in PEM format that will be used to verify attestation certificates. The default value depends on the value of attestationFormats. If provided, this PEM bundle will override the CA trust established by setting attestationFormats to apple or step. At least one root certificate is required when using the tpm attestationFormat.
	// Because the bundle replaces rather than extends the built-in trust, review its contents carefully: it decides which attestation certificates the provisioner accepts.
	AttestationRoots *[]string `json:"attestationRoots,omitempty"`
	// ForceCN Force one of the SANs to become the Common Name, if a Common Name is not provided.
	ForceCN *bool `json:"forceCN,omitempty"`
	// RequireEAB Only ACME clients that have been preconfigured with valid EAB credentials will be able to create an account with this provisioner.
	RequireEAB *bool `json:"requireEAB,omitempty"`
}
// AcmeAttestationProvisionerAttestationFormats defines model for AcmeAttestationProvisioner.AttestationFormats.
// Known values are Apple, Step and Tpm.
type AcmeAttestationProvisionerAttestationFormats string
// AcmeProvisioner A [provisioner](https://smallstep.com/docs/step-ca/provisioners/#acme) that enables automation with the [ACME protocol](https://smallstep.com/docs/step-ca/acme-basics/#acme-challenges).
type AcmeProvisioner struct {
	// Challenges Which ACME challenge types are allowed. See the AcmeProvisionerChallenges values.
	Challenges []AcmeProvisionerChallenges `json:"challenges"`
	// ForceCN Force one of the SANs to become the Common Name, if a Common Name is not provided.
	ForceCN *bool `json:"forceCN,omitempty"`
	// RequireEAB Only ACME clients that have been preconfigured with valid EAB credentials will be able to create an account with this provisioner. Must be `true` for all new provisioners.
	// Unlike AcmeAttestationProvisioner.RequireEAB this field is not optional, so the zero value (false) is sent explicitly.
	RequireEAB bool `json:"requireEAB"`
}
// AcmeProvisionerChallenges defines model for AcmeProvisioner.Challenges.
// Known values are Dns01, Http01 and TlsAlpn01.
type AcmeProvisionerChallenges string
// AgentConfiguration The agent configuration describes the attestation authority used by the agent to grant workload certificates. This object is experimental and subject to change.
type AgentConfiguration struct {
	// AttestationSlug The slug of the attestation authority the agent connects to in order to get a certificate.
	AttestationSlug *string `json:"attestationSlug,omitempty"`
	// AuthorityID UUID identifying the authority the agent uses to generate endpoint certificates.
	AuthorityID string `json:"authorityID"`
	// Id A UUID identifying this agent configuration. Read only.
	Id *string `json:"id,omitempty"`
	// Name The name of this agent configuration.
	Name string `json:"name"`
	// Provisioner The name of the provisioner on the authority the agent uses to generate endpoint certificates.
	Provisioner string `json:"provisioner"`
}
// AttestationAuthority An attestation authority used with the device-attest-01 ACME challenge to verify a device's hardware identity. This object is experimental and subject to change.
type AttestationAuthority struct {
	// AttestorIntermediates The pem-encoded list of intermediate certificates used to build a chain of trust to verify the attestation certificates submitted by devices.
	AttestorIntermediates *string `json:"attestorIntermediates,omitempty"`
	// AttestorRoots The pem-encoded list of certificates used to verify the attestation certificates submitted by devices.
	// These roots define which device attestations are accepted; changing them changes the trust boundary.
	AttestorRoots string `json:"attestorRoots"`
	// Catalog The slug of a collection that holds the list of devices belonging to the team.
	Catalog string `json:"catalog"`
	// CreatedAt Timestamp in RFC3339 format when the attestation authority was created.
	CreatedAt *time.Time `json:"createdAt,omitempty"`
	// Id A UUID identifying this attestation authority. Read only.
	Id *string `json:"id,omitempty"`
	// Name The name of the attestation authority.
	Name string `json:"name"`
	// Root The pem-encoded root certificate of this attestation authority. This is generated server-side when the attestation authority is created. This certificate should be used in the `attestationRoots` field of an ACME_ATTESTATION provisioner with the `tpm` format.
	Root *string `json:"root,omitempty"`
	// Slug A short name for this attestation authority. Read only.
	Slug *string `json:"slug,omitempty"`
}
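// Authority An X509 authority hosted by Smallstep.
// The type header was lost in this listing and is restored here; the
// fields are unchanged.
type Authority struct {
	// ActiveRevocation Whether CRL and OCSP are enabled (advanced authorities only).
	ActiveRevocation *bool `json:"activeRevocation,omitempty"`
	// AdminEmails Users that have admin access to manage the authority.
	AdminEmails *[]string `json:"adminEmails,omitempty"`
	// CreatedAt Timestamp when the authority was created.
	CreatedAt time.Time `json:"createdAt"`
	// Domain The domain where the authority can be reached.
	Domain string `json:"domain"`
	// Fingerprint The SHA-256 digest of the authority's root certificate in hex format.
	// Useful for verifying a downloaded root against an out-of-band reference.
	Fingerprint *string `json:"fingerprint,omitempty"`
	// Id A UUID identifying this authority.
	// NOTE(review): the Id field declaration is missing from this listing; restore it from the generated source.
	// Name The name of the authority.
	Name string `json:"name"`
	// Type One of the available authority types
	Type AuthorityType `json:"type"`
}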
// AuthorityCsr A certificate signing request for an X509 advanced authority with an external root.
type AuthorityCsr struct {
	// AuthorityID A UUID identifying the authority.
	AuthorityID string `json:"authorityID"`
	// Csr A certificate signing request for the authority's intermediate issuer in pem format.
	Csr string `json:"csr"`
	// Id A UUID identifying this CSR.
	Id string `json:"id"`
}
// AuthorityType One of the available authority types
// Known values are AuthorityTypeAdvanced, AuthorityTypeDevops and AuthorityTypeManaged.
type AuthorityType string
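// AwsProvisioner The [AWS provisioner](https://smallstep.com/docs/step-ca/provisioners/#aws) grants a certificate to an Amazon EC2 instance using the Instance Identity Document.
// The type header was lost in this listing and is restored here; the
// fields are unchanged.
type AwsProvisioner struct {
	// Accounts The list of AWS account IDs that are allowed to use this provisioner.
	Accounts []string `json:"accounts"`
	// DisableCustomSANs By default custom SANs are valid, but if this option is set to `true` only the SANs available in the instance identity document will be valid. These are the private IP and the DNS ip-<private-ip>.<region>.compute.internal.
	DisableCustomSANs *bool `json:"disableCustomSANs,omitempty"`
	// DisableTrustOnFirstUse By default only one certificate will be granted per instance, but if the option is set to `true` this limit is not set and different tokens can be used to get different certificates.
	DisableTrustOnFirstUse *bool `json:"disableTrustOnFirstUse,omitempty"`
	// InstanceAge The maximum age of an instance that should be allowed to obtain a certificate. Limits certificate issuance to new instances to mitigate the risk of credential-misuse from instances that don't need a certificate. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	InstanceAge *string `json:"instanceAge,omitempty"`
}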
// AzureProvisioner The [Azure provisioner](https://smallstep.com/docs/step-ca/provisioners/#azure) grants certificates to Microsoft Azure instances using the managed identities tokens.
type AzureProvisioner struct {
	// Audience Defaults to https://management.azure.com/ but it can be changed if necessary.
	Audience *string `json:"audience,omitempty"`
	// DisableCustomSANs By default custom SANs are valid, but if this option is set to `true` only the SANs available in the token will be valid, in Azure only the virtual machine name is available.
	DisableCustomSANs *bool `json:"disableCustomSANs,omitempty"`
	// DisableTrustOnFirstUse By default only one certificate will be granted per instance, but if the option is set to true this limit is not set and different tokens can be used to get different certificates.
	DisableTrustOnFirstUse *bool `json:"disableTrustOnFirstUse,omitempty"`
	// ResourceGroups The list of resource group names that are allowed to use this provisioner.
	ResourceGroups []string `json:"resourceGroups"`
	// TenantID The Azure account tenant ID for this provisioner. This ID is the Directory ID available in the Azure Active Directory properties.
	TenantID string `json:"tenantID"`
}
// BasicAuth Configures provisioner webhook requests to include an Authorization header with these credentials. Optional for `EXTERNAL` webhook servers; not allowed with hosted webhook servers. At most one of `bearerToken` and `basicAuth` may be set.
type BasicAuth struct {
	// Password The password half of the credentials placed in the Authorization header.
	// Secret material: keep it out of logs and error messages.
	Password string `json:"password"`
	// Username The username half of the credentials placed in the Authorization header.
	Username string `json:"username"`
}
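// Collection A collection of instances.
// The type header was lost in this listing and is restored here; the
// fields are unchanged.
type Collection struct {
	// CreatedAt Timestamp in RFC3339 format when the collection was created
	CreatedAt time.Time `json:"createdAt"`
	// DisplayName A user-friendly name for the collection.
	DisplayName string `json:"displayName"`
	// InstanceCount The number of instances in the collection.
	InstanceCount int `json:"instanceCount"`
	// SchemaURI Reference to a schema that all instances in the collection must conform to.
	SchemaURI *string `json:"schemaURI,omitempty"`
	// Slug A lowercase name identifying the collection.
	Slug string `json:"slug"`
	// UpdatedAt Timestamp in RFC3339 format when the collection was last updated
	UpdatedAt time.Time `json:"updatedAt"`
}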
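// CollectionInstance An instance in a collection.
// The type header was lost in this listing and is restored here; the
// fields are unchanged.
type CollectionInstance struct {
	// CreatedAt Timestamp in RFC3339 format when the instance was added to the collection.
	CreatedAt time.Time `json:"createdAt"`
	// Data The instance data. Its shape is not fixed by this model; see Collection.SchemaURI.
	Data interface{} `json:"data"`
	// Id The identifier of the instance.
	Id string `json:"id"`
	// UpdatedAt Timestamp in RFC3339 format when the instance was last changed.
	UpdatedAt time.Time `json:"updatedAt"`
}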
// DistinguishedName Name used in x509 certificates
// Each field corresponds to the subject attribute of the same name; all are optional.
type DistinguishedName struct {
	CommonName         *string `json:"commonName,omitempty"`
	Country            *string `json:"country,omitempty"`
	EmailAddress       *string `json:"emailAddress,omitempty"`
	Locality           *string `json:"locality,omitempty"`
	Organization       *string `json:"organization,omitempty"`
	OrganizationalUnit *string `json:"organizationalUnit,omitempty"`
	PostalCode         *string `json:"postalCode,omitempty"`
	Province           *string `json:"province,omitempty"`
	SerialNumber       *string `json:"serialNumber,omitempty"`
	StreetAddress      *string `json:"streetAddress,omitempty"`
}
// Email Email is a subresource of an SSH User.
type Email struct {
	// Email The email address.
	Email *string `json:"email,omitempty"`
	// Primary NOTE(review): presumably marks the user's primary address — confirm against the API spec.
	Primary *bool `json:"primary,omitempty"`
}
// EndpointCertificateInfo Details on a managed certificate.
type EndpointCertificateInfo struct {
	// CrtFile The filepath where the certificate is to be stored.
	CrtFile *string `json:"crtFile,omitempty"`
	// Duration The certificate lifetime. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	Duration *string `json:"duration,omitempty"`
	// Gid GID of the files where the certificate is stored.
	Gid *int `json:"gid,omitempty"`
	// KeyFile The filepath where the key is to be stored.
	// NOTE(review): whether Mode, Uid and Gid also govern this file is not stated here — confirm, since it holds the private key.
	KeyFile *string `json:"keyFile,omitempty"`
	// Mode Permission bits of the files where the certificate is stored.
	Mode *int `json:"mode,omitempty"`
	// RootFile The filepath where the root certificate is to be stored.
	RootFile *string `json:"rootFile,omitempty"`
	// Type The type of certificate.
	Type EndpointCertificateInfoType `json:"type"`
	// Uid UID of the files where the certificate is stored.
	Uid *int `json:"uid,omitempty"`
}
// EndpointCertificateInfoType The type of certificate.
// Known values are EndpointCertificateInfoTypeSSHHOST, EndpointCertificateInfoTypeSSHUSER and EndpointCertificateInfoTypeX509.
type EndpointCertificateInfoType string
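// EndpointConfiguration Configuration for a managed endpoint. This object is experimental and subject to change.
// This listing had page gutter numbers interleaved in the struct body; they
// are dropped here and the fields are unchanged.
type EndpointConfiguration struct {
	// AuthorityID UUID identifying the authority that will issue certificates for the endpoint.
	AuthorityID string `json:"authorityID"`
	// CertificateInfo Details on a managed certificate.
	CertificateInfo EndpointCertificateInfo `json:"certificateInfo"`
	// Hooks The collection of commands to run when a certificate for a managed endpoint is signed or renewed.
	Hooks *EndpointHooks `json:"hooks,omitempty"`
	// Id A UUID identifying this endpoint configuration. Read only.
	Id *string `json:"id,omitempty"`
	// KeyInfo The attributes of the cryptographic key.
	KeyInfo *EndpointKeyInfo `json:"keyInfo,omitempty"`
	// Kind The kind of endpoint this configuration applies to.
	Kind EndpointConfigurationKind `json:"kind"`
	// Name The name of the endpoint configuration.
	Name string `json:"name"`
	// Provisioner Name of the provisioner on the authority that will authorize certificates for the endpoint.
	Provisioner string `json:"provisioner"`
	// ReloadInfo The properties used to reload a service.
	ReloadInfo *EndpointReloadInfo `json:"reloadInfo,omitempty"`
}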
// EndpointConfigurationKind The kind of endpoint this configuration applies to.
// Known values are DEVICE, PEOPLE and WORKLOAD.
type EndpointConfigurationKind string
// EndpointHook A list of commands to run before and after a certificate is granted.
// The commands are presumably executed on the managed host by the agent, so
// whoever can write an endpoint configuration controls what runs there;
// restrict write access accordingly.
type EndpointHook struct {
	// After List of commands to run after the operation.
	After *[]string `json:"after,omitempty"`
	// Before List of commands to run before the operation.
	Before *[]string `json:"before,omitempty"`
	// OnError List of commands to run when the operation fails.
	OnError *[]string `json:"onError,omitempty"`
	// Shell The shell to use to execute the commands.
	Shell *string `json:"shell,omitempty"`
}
// EndpointHooks The collection of commands to run when a certificate for a managed endpoint is signed or renewed.
type EndpointHooks struct {
	// Renew Commands to run around a certificate renewal; see EndpointHook.
	Renew *EndpointHook `json:"renew,omitempty"`
	// Sign Commands to run around the initial certificate signing; see EndpointHook.
	Sign *EndpointHook `json:"sign,omitempty"`
}
// EndpointKeyInfo The attributes of the cryptographic key.
type EndpointKeyInfo struct {
	// Format The format used to encode the private key. For X509 keys the default format is SEC 1 for ECDSA keys, PKCS#1 for RSA keys and PKCS#8 for ED25519 keys. For SSH keys the default format is always the OPENSSH format.
	Format *EndpointKeyInfoFormat `json:"format,omitempty"`
	// PubFile A CSR or SSH public key to use instead of generating one.
	// When set, the private key is not generated by the agent and stays wherever the caller keeps it.
	PubFile *string `json:"pubFile,omitempty"`
	// Type The key type used. The current DEFAULT type is ECDSA_P256.
	Type *EndpointKeyInfoType `json:"type,omitempty"`
}
// EndpointKeyInfoFormat The format used to encode the private key. For X509 keys the default format is SEC 1 for ECDSA keys, PKCS#1 for RSA keys and PKCS#8 for ED25519 keys. For SSH keys the default format is always the OPENSSH format.
// Known values are the EndpointKeyInfoFormat* constants.
type EndpointKeyInfoFormat string
// EndpointKeyInfoType The key type used. The current DEFAULT type is ECDSA_P256.
// Known values are the EndpointKeyInfoType* constants.
type EndpointKeyInfoType string
// EndpointReloadInfo The properties used to reload a service.
type EndpointReloadInfo struct {
	// Method Ways an endpoint can reload a certificate. `AUTOMATIC` means the process is able to detect and reload new certificates automatically. `CUSTOM` means a custom command must be run to trigger the workload to reload the certificates. `SIGNAL` will configure the agent to send a signal to the process in pidFile.
	Method EndpointReloadInfoMethod `json:"method"`
	// PidFile File that holds the pid of the process to signal. Required when method is SIGNAL.
	// The agent signals whatever pid this file contains, so the file should only be writable by the service owner.
	PidFile *string `json:"pidFile,omitempty"`
	// Signal The signal to send to a process when a certificate should be reloaded. Required when method is SIGNAL.
	Signal *int `json:"signal,omitempty"`
}
// EndpointReloadInfoMethod Ways an endpoint can reload a certificate. `AUTOMATIC` means the process is able to detect and reload new certificates automatically. `CUSTOM` means a custom command must be run to trigger the workload to reload the certificates. `SIGNAL` will configure the agent to send a signal to the process in pidFile.
// Known values are AUTOMATIC, CUSTOM and SIGNAL.
type EndpointReloadInfoMethod string
// EndpointSSHCertificateData Contains the information to include when granting an SSH certificate to a managed endpoint.
type EndpointSSHCertificateData struct {
	// KeyID The key ID to include in the endpoint certificate.
	KeyID string `json:"keyID"`
	// Principals The principals to include in the endpoint certificate.
	// These determine which hosts or users the certificate is valid for, so keep the list minimal.
	Principals []string `json:"principals"`
}
// EndpointX509CertificateData Contains the information to include when granting an x509 certificate to a managed endpoint.
type EndpointX509CertificateData struct {
	// CommonName The Common Name to be used in the subject of the endpoint certificate.
	CommonName string `json:"commonName"`
	// Sans The list of SANs to include in the endpoint certificate.
	Sans []string `json:"sans"`
}
// Error defines model for error.
// It is the body returned by the API on failure responses.
type Error struct {
	// Message A description of the error.
	Message string `json:"message"`
}
// GcpProvisioner The [GCP provisioner](https://smallstep.com/docs/step-ca/provisioners/#gcp) grants a certificate to a Google Compute Engine instance using its identity token.
type GcpProvisioner struct {
	// DisableCustomSANs By default custom SANs are valid, but if this option is set to `true` only the SANs available in the instance identity document will be valid, these are the DNS `<instance-name>.c.<project-id>.internal` and `<instance-name>.<zone>.c.<project-id>.internal`.
	DisableCustomSANs *bool `json:"disableCustomSANs,omitempty"`
	// DisableTrustOnFirstUse By default only one certificate will be granted per instance, but if the option is set to `true` this limit is not set and different tokens can be used to get different certificates.
	DisableTrustOnFirstUse *bool `json:"disableTrustOnFirstUse,omitempty"`
	// InstanceAge The maximum age of an instance that should be allowed to obtain a certificate. Limits certificate issuance to new instances to mitigate the risk of credential-misuse from instances that don't need a certificate. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	InstanceAge *string `json:"instanceAge,omitempty"`
	// ProjectIDs The list of project identifiers that are allowed to use this provisioner.
	ProjectIDs []string `json:"projectIDs"`
	// ServiceAccounts The list of service accounts that are allowed to use this provisioner.
	ServiceAccounts []string `json:"serviceAccounts"`
}
// Grant A grant gives permission to all users in a group to access a host with a matching tag.
type Grant struct {
	// GroupID A UUID identifying the group this grant is attached to.
	GroupID *string `json:"groupID,omitempty"`
	// Id A UUID identifying this grant.
	Id *string `json:"id,omitempty"`
	// Name Matched against host tag names.
	Name *string `json:"name,omitempty"`
	// Sudo Whether users in the group will have sudo permission on matching hosts.
	Sudo *bool `json:"sudo,omitempty"`
	// Value Matched against host tag values.
	// Together with Name this selects the hosts the grant applies to; a broad match widens access.
	Value *string `json:"value,omitempty"`
}
// Group A group is a set of users that have been synced from an identity provider.
type Group struct {
	// HostGrants The grants attached to this group; see Grant.
	HostGrants *[]Grant `json:"hostGrants,omitempty"`
	// Id A UUID identifying the group.
	Id *string `json:"id,omitempty"`
	// Name The name of the group.
	Name *string `json:"name,omitempty"`
	// PosixGroups The POSIX groups members of this group join on a host; see PosixGroup.
	PosixGroups *[]PosixGroup `json:"posixGroups,omitempty"`
	// Principals Additional principals that will be appended to users' certificates, in addition to the user's email and POSIX username.
	Principals *[]string `json:"principals,omitempty"`
}
// Host A host where Smallstep has been installed to manage SSH access.
type Host struct {
	// Active A host is active until it is unregistered.
	Active *bool `json:"active,omitempty"`
	// Bastion Whether or not this host is a bastion.
	Bastion *bool `json:"bastion,omitempty"`
	// BastionHostname The hostname of the bastion server required to access this host, if any.
	BastionHostname *string `json:"bastionHostname,omitempty"`
	// CreatedAt Timestamp in RFC3339 format when the host was registered.
	CreatedAt *time.Time `json:"createdAt,omitempty"`
	// Hostname The hostname detected during installation.
	Hostname *string `json:"hostname,omitempty"`
	// Id A UUID identifying this host.
	Id *string `json:"id,omitempty"`
	// Tags The tags attached to the host; grants match against them (see Grant).
	Tags *[]Tag `json:"tags,omitempty"`
	// UpdatedAt Timestamp in RFC3339 format when the host was last updated.
	UpdatedAt *time.Time `json:"updatedAt,omitempty"`
}
// JwkProvisioner A [provisioner](https://smallstep.com/docs/step-ca/provisioners/#jwk) that uses public-key cryptography to sign and validate a JSON Web Token (JWT).
// EncryptedKey The JWE encrypted private key.
EncryptedKey *string `json:"encryptedKey,omitempty"`
// Key The public JSON web key.
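// ManagedConfiguration The agent and managed endpoints used in one host. This object is experimental and subject to change.
// The closing brace was lost in this listing and is restored here; the
// fields are unchanged.
type ManagedConfiguration struct {
	// AgentConfigurationID UUID identifying the agent configuration.
	AgentConfigurationID string `json:"agentConfigurationID"`
	// HostID UUID identifying the host this managed configuration is for. Will be generated on server-side if not provided.
	HostID *string `json:"hostID,omitempty"`
	// Id UUID identifying this managed configuration. Read only.
	Id *string `json:"id,omitempty"`
	// ManagedEndpoints The list of endpoints managed by this configuration.
	ManagedEndpoints []ManagedEndpoint `json:"managedEndpoints"`
	// Name The name of this managed configuration.
	Name string `json:"name"`
}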
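// ManagedEndpoint All the information used by an agent to grant a certificate to an endpoint. Exactly one of `x509CertificateData` or `sshCertificateData` must be set and must match the endpoint configuration certificate info type. This object is experimental and subject to change.
// The closing brace was lost in this listing and is restored here; the
// fields are unchanged.
type ManagedEndpoint struct {
	// EndpointConfigurationID UUID identifying the endpoint configuration.
	EndpointConfigurationID string `json:"endpointConfigurationID"`
	// Id UUID identifying this managed endpoint. Read only.
	// NOTE(review): the Id field declaration is missing from this listing; restore it from the generated source.
	// SshCertificateData Contains the information to include when granting an SSH certificate to a managed endpoint.
	SshCertificateData *EndpointSSHCertificateData `json:"sshCertificateData,omitempty"`
	// X509CertificateData Contains the information to include when granting an x509 certificate to a managed endpoint.
	X509CertificateData *EndpointX509CertificateData `json:"x509CertificateData,omitempty"`
}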
// NameConstraints X509 certificate name constraints.
// The Permitted* and Excluded* lists mirror the X.509 name constraints
// extension for DNS, email, IP range and URI names; each is optional.
type NameConstraints struct {
	// Critical Whether or not name constraints are marked critical.
	Critical               *bool     `json:"critical,omitempty"`
	ExcludedDNSDomains      *[]string `json:"excludedDNSDomains,omitempty"`
	ExcludedEmailAddresses  *[]string `json:"excludedEmailAddresses,omitempty"`
	ExcludedIPRanges        *[]string `json:"excludedIPRanges,omitempty"`
	ExcludedURIDomains      *[]string `json:"excludedURIDomains,omitempty"`
	PermittedDNSDomains     *[]string `json:"permittedDNSDomains,omitempty"`
	PermittedEmailAddresses *[]string `json:"permittedEmailAddresses,omitempty"`
	PermittedIPRanges       *[]string `json:"permittedIPRanges,omitempty"`
	PermittedURIDomains     *[]string `json:"permittedURIDomains,omitempty"`
}
// NewAuthority The body of a request to create a new authority.
type NewAuthority struct {
	// ActiveRevocation Whether to enable CRL and OCSP on an advanced authority.
	ActiveRevocation *bool `json:"activeRevocation,omitempty"`
	// AdminEmails Users that will have admin access to manage the authority.
	AdminEmails []string `json:"adminEmails"`
	// IntermediateIssuer A Customized X509 issuer for an authority.
	IntermediateIssuer *X509Issuer `json:"intermediateIssuer,omitempty"`
	// Name The name of the authority.
	Name string `json:"name"`
	// RootIssuer A Customized X509 issuer for an authority.
	RootIssuer *X509Issuer `json:"rootIssuer,omitempty"`
	// Subdomain The new authority will be available at <subdomain>.<team slug>.ca.smallstep.com.
	Subdomain string `json:"subdomain"`
	// Type Create either a devops or advanced authority.
	Type NewAuthorityType `json:"type"`
}
// NewAuthorityType Create either a devops or advanced authority.
// Known values are NewAuthorityTypeAdvanced and NewAuthorityTypeDevops.
type NewAuthorityType string
// NewAuthorityCsr Body of a request to create a new X509 advanced authority with an external root.
type NewAuthorityCsr struct {
	// ActiveRevocation Whether to enable CRL and OCSP on the authority.
	ActiveRevocation *bool `json:"activeRevocation,omitempty"`
	// IntermediateIssuer A Customized X509 issuer for an authority.
	// Required here (unlike NewAuthority) because the intermediate is what the external root will sign.
	IntermediateIssuer X509Issuer `json:"intermediateIssuer"`
	// Name The name of the authority.
	Name string `json:"name"`
	// Subdomain The new authority will be available at <subdomain>.<team slug>.ca.smallstep.com.
	Subdomain string `json:"subdomain"`
}
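// NewCollection Body of a request to create a new collection.
// The type header was lost in this listing and is restored here; the
// fields are unchanged.
type NewCollection struct {
	// DisplayName A user-friendly name for the collection.
	DisplayName *string `json:"displayName,omitempty"`
	// SchemaURI Reference to a schema that all instances in the collection must conform to.
	SchemaURI *string `json:"schemaURI,omitempty"`
	// Slug A lowercase name identifying the collection.
	Slug string `json:"slug"`
}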
// NewGrant The body of a request to add a grant to a group.
type NewGrant struct {
	// GroupID A UUID identifying the group this grant is attached to.
	GroupID string `json:"groupID"`
	// Name Matched against host tag names
	Name string `json:"name"`
	// Sudo Whether users in the group will have sudo permission on matching hosts
	Sudo *bool `json:"sudo,omitempty"`
	// Value Matched against host tag values
	// Optional; when unset the grant presumably matches on Name alone — confirm against the API spec before relying on it.
	Value *string `json:"value,omitempty"`
}
// NewTag The body of a request to add a tag to a host.
// Tags are what Grant.Name and Grant.Value are matched against.
type NewTag struct {
	// Name The key for the host tag.
	Name *string `json:"name,omitempty"`
	// Value The value for the host tag.
	Value *string `json:"value,omitempty"`
}
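// OidcProvisioner A [provisioner](https://smallstep.com/docs/step-ca/provisioners/#oauthoidc-single-sign-on) that is configured to trust and accept an OAuth provider's ID tokens for authentication. By default, the issued certificate will use the subject (sub) claim from the identity token as its subject. The value of the token's email claim is also included as an email SAN in the certificate.
// This listing had page gutter numbers between the comment and the type;
// they are dropped here and the fields are unchanged.
type OidcProvisioner struct {
	// Admins The emails of admin users in an OpenID Connect provisioner. These users will not have restrictions in the certificates to sign.
	Admins *[]string `json:"admins,omitempty"`
	// ClientID The id used to validate the audience in an OpenID Connect token.
	ClientID string `json:"clientID"`
	// ClientSecret The secret used to obtain the OpenID Connect tokens.
	// Secret material: keep it out of logs and error messages.
	ClientSecret string `json:"clientSecret"`
	// ConfigurationEndpoint OpenID Connect configuration URL.
	ConfigurationEndpoint string `json:"configurationEndpoint"`
	// Domains The domains used to validate the email claim in an OpenID Connect provisioner.
	Domains *[]string `json:"domains,omitempty"`
	// Groups The group list used to validate the groups extension in an OpenID Connect token.
	Groups *[]string `json:"groups,omitempty"`
	// ListenAddress The callback address used in the OpenID Connect flow.
	ListenAddress *string `json:"listenAddress,omitempty"`
	// TenantID The tenant-id used to replace the templatized tenantid value in the OpenID Configuration.
	TenantID *string `json:"tenantID,omitempty"`
}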
// PosixGroup A POSIX group represents a group that exists on a host with the given group name and gid.
// A managed group will be created or deleted on the host by Smallstep.
// Unmanaged groups must already exist on the host.
//
// An SSH Group may have multiple POSIX groups.
// An SSH User belonging to the group will be a member of the POSIX group when they access the host.
//
// All fields are optional on the wire; which of them are required when
// creating a group is decided server-side and is not expressed by this type.
type PosixGroup struct {
	// Gid The numeric group ID.
	// NOTE(review): membership in a privileged group (gid 0, or a group referenced
	// from sudoers) grants elevated rights on the host; whether the service refuses
	// such values is not visible here — review grants that map users onto low gids.
	Gid *int `json:"gid,omitempty"`
	// Id A UUID identifying the POSIX group.
	Id *string `json:"id,omitempty"`
	// Managed Whether Smallstep should create and delete the group.
	// When false the group is expected to already exist on the host.
	Managed *bool `json:"managed,omitempty"`
	// Name The name of the group.
	Name *string `json:"name,omitempty"`
}
// PosixUser A POSIX user is the login user on the SSH Host. It will be generated automatically if not supplied by the team's Identity Provider.
//
// All fields are pointers with omitempty, so an absent field can be told apart
// from a zero value on the wire. NOTE(review): Uid/Gid 0 would map the SSH user
// to root, and Shell/HomeDir control what runs at login; whether the service
// refuses privileged IDs or reserved usernames is not visible here — confirm,
// and treat writes to these fields as privileged.
type PosixUser struct {
	// Gid The numeric group ID of the user.
	Gid *int `json:"gid,omitempty"`
	// HomeDir The user's home directory.
	HomeDir *string `json:"homeDir,omitempty"`
	// Shell The user's shell.
	Shell *string `json:"shell,omitempty"`
	// Uid The numeric ID of the user.
	Uid *int `json:"uid,omitempty"`
	// Username The login name of the user.
	Username *string `json:"username,omitempty"`
}
// Provisioner The generic envelope shared by every provisioner type, i.e. every
// mechanism through which the CA authenticates certificate requests. Type
// selects the concrete kind; the type-specific fields are carried opaquely in
// the unexported union field.
//
// NOTE(review): Claims and Options together bound what a request through this
// provisioner can obtain (lifetimes, SSH enablement, templates, webhooks).
// Changing either is a change to issuance policy and deserves the same review
// as any other CA configuration change.
type Provisioner struct {
	// Claims A set of constraints configuring how this provisioner can be used to issue certificates.
	Claims *ProvisionerClaims `json:"claims,omitempty"`
	// CreatedAt Timestamp of when the provisioner was created in RFC 3339 format. Generated server-side.
	CreatedAt *time.Time `json:"createdAt,omitempty"`
	// Id A UUID identifying this provisioner. Generated server-side when the provisioner is created.
	Id *string `json:"id,omitempty"`
	// Name The name of the provisioner.
	Name string `json:"name"`
	// Options Options that apply when issuing certificates with this provisioner.
	Options *ProvisionerOptions `json:"options,omitempty"`
	// Type The type of provisioner.
	Type ProvisionerType `json:"type"`
	// union holds the raw JSON of the type-specific part of the document so its
	// decoding can be deferred until Type is known. Being unexported, it is
	// ignored by encoding/json's default reflection; presumably the generator's
	// custom (Un)MarshalJSON and As*/From* helpers for Provisioner (elsewhere in
	// this file, not shown here) read and write it.
	union json.RawMessage
}
// ProvisionerType The type of provisioner. A string enum; the permitted values
// are declared as constants in this file's "Defines values for" blocks (not
// shown here). Unknown strings are not rejected by the type itself.
type ProvisionerType string
// ProvisionerClaims A set of constraints configuring how this provisioner can be used to issue certificates.
//
// These claims are the lifetime and renewal policy for everything issued
// through the provisioner. From a security standpoint the Max* durations matter
// most: they cap how long a stolen key or certificate stays usable. A requested
// duration outside the Min*/Max* bounds is presumably rejected or clamped
// server-side; this type performs no validation and every field is optional.
// Each duration is a string parsed with Go's time.ParseDuration, whose largest
// unit is hours — write "720h", not "30d".
type ProvisionerClaims struct {
	// AllowRenewalAfterExpiry Allow renewals for expired certificates generated by this provisioner.
	// NOTE(review): this relaxes the usual guarantee that an expired certificate
	// is dead; enable only where the operational need outweighs that risk.
	AllowRenewalAfterExpiry *bool `json:"allowRenewalAfterExpiry,omitempty"`
	// DefaultHostSSHCertDuration The default duration for an SSH host certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	DefaultHostSSHCertDuration *string `json:"defaultHostSSHCertDuration,omitempty"`
	// DefaultTLSCertDuration The default duration for an x509 certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	DefaultTLSCertDuration *string `json:"defaultTLSCertDuration,omitempty"`
	// DefaultUserSSHCertDuration The default duration for an SSH user certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	DefaultUserSSHCertDuration *string `json:"defaultUserSSHCertDuration,omitempty"`
	// DisableRenewal Disable renewal for all certificates generated by this provisioner.
	// With renewal off, a fresh certificate presumably requires going through the
	// provisioner's authentication again rather than presenting the old one — confirm.
	DisableRenewal *bool `json:"disableRenewal,omitempty"`
	// EnableSSHCA Allow this provisioner to be used to generate SSH certificates.
	// NOTE(review): leave unset for provisioners that only need X.509, so a
	// compromised credential for them cannot also mint SSH certificates.
	EnableSSHCA *bool `json:"enableSSHCA,omitempty"`
	// MaxHostSSHCertDuration The maximum duration for an SSH host certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	MaxHostSSHCertDuration *string `json:"maxHostSSHCertDuration,omitempty"`
	// MaxTLSCertDuration The maximum duration for an x509 certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	MaxTLSCertDuration *string `json:"maxTLSCertDuration,omitempty"`
	// MaxUserSSHCertDuration The maximum duration for an SSH user certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	MaxUserSSHCertDuration *string `json:"maxUserSSHCertDuration,omitempty"`
	// MinHostSSHCertDuration The minimum duration for an SSH host certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	MinHostSSHCertDuration *string `json:"minHostSSHCertDuration,omitempty"`
	// MinTLSCertDuration The minimum duration for an x509 certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	MinTLSCertDuration *string `json:"minTLSCertDuration,omitempty"`
	// MinUserSSHCertDuration The minimum duration for an SSH user certificate generated by this provisioner. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	MinUserSSHCertDuration *string `json:"minUserSSHCertDuration,omitempty"`
}
// ProvisionerOptions Options that apply when issuing certificates with this provisioner.
type ProvisionerOptions struct {
// Ssh Options that apply when issuing SSH certificates
Ssh *SshOptions `json:"ssh,omitempty"`
Webhooks *[]ProvisionerWebhook `json:"webhooks,omitempty"`
// X509 Options that apply when issuing x509 certificates.
// ProvisionerWebhook A [webhook](https://smallstep.com/docs/step-ca/webhooks/) to call when a certificate request is being processed.
//
// A webhook sits inline in issuance: for `ENRICHING` webhooks the request is
// aborted unless the server allows it (see Kind), so the webhook server is a
// policy decision point and must be operated as trusted infrastructure.
// Authentication runs in both directions: the CA proves itself to the server
// with the shared Secret (and, unless DisableTLSClientAuth is set, a TLS client
// certificate), and the server may additionally demand credentials from the CA
// via BasicAuth or BearerToken. NOTE(review): BasicAuth, BearerToken and Secret
// are credentials carried by this struct's JSON tags; never log marshalled
// webhook objects.
type ProvisionerWebhook struct {
	// BasicAuth Configures provisioner webhook requests to include an Authorization header with these credentials. Optional for `EXTERNAL` webhook servers; not allowed with hosted webhook servers. At most one of `bearerToken` and `basicAuth` may be set.
	// The "at most one of" rule is stated here but enforced server-side; this
	// type does not check it.
	BasicAuth *BasicAuth `json:"basicAuth,omitempty"`
	// BearerToken Webhook requests will include an Authorization header with the token. Optional for `EXTERNAL` webhook servers; not allowed with hosted webhook servers. At most one of `bearerToken` and `basicAuth` may be set.
	BearerToken *string `json:"bearerToken,omitempty"`
	// CertType Presumably which certificate type (X.509 or SSH) the webhook is
	// invoked for; allowed values are the ProvisionerWebhookCertType constants
	// declared elsewhere in this file.
	CertType ProvisionerWebhookCertType `json:"certType"`
	// CollectionSlug For HOSTED_ATTESTATION webhooks, the collectionSlug is a reference to the collection that holds the devices that may be issued certificates. This collection must already exist. Required for `HOSTED_ATTESTATION` webhook servers; not allowed for `EXTERNAL`.
	// The collection is therefore the allow-list of attested devices; write access
	// to it is equivalent to enrollment authority.
	CollectionSlug *string `json:"collectionSlug,omitempty"`
	// DisableTLSClientAuth The CA will not send a client certificate when requested by the webhook server. Optional for `EXTERNAL` webhook servers; not allowed with hosted webhook servers.
	// NOTE(review): with this set the webhook server can no longer authenticate
	// the CA at the TLS layer; verification of incoming requests then rests on
	// the shared Secret alone. Leave unset unless the server cannot do mTLS.
	DisableTLSClientAuth *bool `json:"disableTLSClientAuth,omitempty"`
	// Id UUID identifying this webhook. Generated server-side when the webhook is created. Will be sent to the webhook server in every request in the `X-Smallstep-Webhook-ID` header.
	// The ID is an identifier, not a credential: a server hosting several
	// webhooks uses it to select which Secret to verify the payload with.
	Id *string `json:"id,omitempty"`
	// Kind The webhook kind indicates how and when it is called.
	//
	// ENRICHING webhooks are called before rendering the certificate template. They have two functions. First, they must allow the certificate request or it will be aborted. Second, they can return additional data to be referenced in the certificate template. The payload sent to the webhook server varies based on whether an X509 or SSH certificate is to be signed and based on the type of provisioner.
	// Note the fail-closed semantics: an unreachable or rejecting server aborts issuance.
	Kind ProvisionerWebhookKind `json:"kind"`
	// Name The name of the webhook. For `ENRICHING` webhooks, the returned data can be referenced in the certificate under the path `.Webhooks.<name>`. Must be unique to the provisioner.
	Name string `json:"name"`
	// Secret The shared secret used to authenticate the payload sent to the webhook server. Generated server-side. This is returned only for `EXTERNAL` webhook servers and only once, at the time of creation.
	// It is not retrievable afterwards; if lost, the webhook presumably has to be
	// recreated. Store it only where the webhook server needs it.
	Secret *string `json:"secret,omitempty"`
	// ServerType An EXTERNAL webhook server is not operated by Smallstep. The caller must use the returned ID and secret to configure the server.
	//
	// A HOSTED_ATTESTATION webhook server is hosted by Smallstep and must be used with an `ENRICHING` webhook type and an ACME Attestation provisioner. The webhook server will verify the attested permanent identifier exists as the ID of an instance in the configured collection. The data of the instance in the collection will be added to the template data.
	ServerType ProvisionerWebhookServerType `json:"serverType"`
	// Url The URL of the webhook server. Required for `EXTERNAL` webhook servers; read-only for hosted webhook servers.
	// NOTE(review): BasicAuth/BearerToken travel in the Authorization header of
	// every call, so this should be an https URL; whether the API rejects http
	// URLs is not visible here — confirm.
	Url *string `json:"url,omitempty"`
}
// ProvisionerWebhookCertType The value type of ProvisionerWebhook.CertType, a
// string enum whose permitted values are declared as constants elsewhere in this
// file (not shown here). The type itself accepts any string.
type ProvisionerWebhookCertType string
// ProvisionerWebhookKind The webhook kind indicates how and when it is called.
//
// ENRICHING webhooks are called before rendering the certificate template. They have two functions. First, they must allow the certificate request or it will be aborted. Second, they can return additional data to be referenced in the certificate template. The payload sent to the webhook server varies based on whether an X509 or SSH certificate is to be signed and based on the type of provisioner.
//
// Only the ENRICHING kind is described by the spec text above; the full list of
// permitted values is the set of constants declared elsewhere in this file.
type ProvisionerWebhookKind string
// ProvisionerWebhookServerType An EXTERNAL webhook server is not operated by Smallstep. The caller must use the returned ID and secret to configure the server.
//
// A HOSTED_ATTESTATION webhook server is hosted by Smallstep and must be used with an `ENRICHING` webhook type and an ACME Attestation provisioner. The webhook server will verify the attested permanent identifier exists as the ID of an instance in the configured collection. The data of the instance in the collection will be added to the template data.
//
// The server type decides which ProvisionerWebhook fields are allowed
// (credentials and Url for EXTERNAL, CollectionSlug for HOSTED_ATTESTATION);
// that cross-field validation happens server-side, not in this type.
type ProvisionerWebhookServerType string
// SshOptions Options that apply when issuing SSH certificates
//
// NOTE(review): the template decides what ends up in every SSH certificate the
// provisioner signs (principals, extensions, critical options), so a change to
// Template or TemplateData is a change to issuance policy and should be
// reviewed as such.
type SshOptions struct {
	// Template A JSON representation of the SSH certificate to be created. [More info](https://smallstep.com/docs/step-ca/templates/#ssh-templates).
	Template *string `json:"template,omitempty"`
	// TemplateData A map of data that can be used by the certificate template.
	// Typed as a pointer to an empty interface, so any JSON value is accepted
	// here; the template determines how it is interpreted.
	TemplateData *interface{} `json:"templateData,omitempty"`
}
// Tag A key-value pair attached to a host.
// Smallstep determines access by comparing host tags to group grants when a user attempts to SSH to a host.
//
// NOTE(review): because tags are the host-side half of the access decision,
// the ability to create, change or delete them is equivalent to editing the
// host's access policy; audit tag mutations accordingly.
type Tag struct {
	// Id A UUID identifying this host tag.
	Id *string `json:"id,omitempty"`
	// Name The key for the host tag.
	Name *string `json:"name,omitempty"`
	// Value The value for the host tag.
	Value *string `json:"value,omitempty"`
}
// User SSH Users are synced from the team's Identity Provider, or from the default Smallstep directory if no external Identity Provider has been configured.
//
// The record is read from the IdP sync, so the source of truth for whether a
// person still has access is the IdP; Groups and PosixUsers describe what that
// access translates to on hosts.
type User struct {
	// Active Whether the user is active in the team's Identity Provider.
	// NOTE(review): the generated description read "whether the user has been
	// deactivated", which contradicts the field name; assumed here that true
	// means active and false means deactivated — confirm against the API spec
	// before using this field in any access decision.
	Active *bool `json:"active,omitempty"`
	// DisplayName The user's display name.
	DisplayName *string `json:"displayName,omitempty"`
	// Emails The user's email addresses as synced from the Identity Provider.
	Emails *[]Email `json:"emails,omitempty"`
	// FamilyName The user's family name.
	FamilyName *string `json:"familyName,omitempty"`
	// GivenName The user's given name.
	GivenName *string `json:"givenName,omitempty"`
	// Groups The SSH groups the user belongs to; group grants decide host access.
	Groups *[]Group `json:"groups,omitempty"`
	// Id A UUID identifying the user.
	Id *string `json:"id,omitempty"`
	// PosixUsers The POSIX login identities this user maps to on SSH hosts.
	PosixUsers *[]PosixUser `json:"posixUsers,omitempty"`
}
// X509Issuer A Customized X509 issuer for an authority.
//
// The issuer is a CA certificate, so every field here shapes a trust anchor:
// Duration bounds how long the issuer itself is valid, MaxPathLength bounds how
// many subordinate CAs may hang below it, and NameConstraints bounds the names
// it may certify. Changing any of them after deployment presumably means
// re-issuing the issuer certificate — confirm.
type X509Issuer struct {
	// Duration The certificate lifetime. Parsed as a [Golang duration](https://pkg.go.dev/time#ParseDuration).
	// Presumably the issuer certificate's own lifetime (leaf lifetimes are bounded
	// by ProvisionerClaims). time.ParseDuration's largest unit is hours, so a
	// multi-year lifetime is written e.g. "87600h".
	Duration *string `json:"duration,omitempty"`
	// KeyVersion The signature algorithm.
	// NOTE(review): despite the field name the spec describes this as the
	// signature algorithm; allowed values are the X509IssuerKeyVersion constants
	// declared elsewhere in this file.
	KeyVersion X509IssuerKeyVersion `json:"keyVersion"`
	// MaxPathLength Presumably the pathLenConstraint of the issuer's basic
	// constraints extension (RFC 5280 §4.2.1.9): how many further CA certificates
	// may follow it in a chain, with 0 allowing end-entity certificates only.
	// Optional; the server-side default when absent is not visible here.
	MaxPathLength *int `json:"maxPathLength,omitempty"`
	// Name The name of the issuer.
	Name string `json:"name"`
	// NameConstraints X509 certificate name constraints (RFC 5280 §4.2.1.10),
	// restricting the subject names and SANs this issuer may certify.
	NameConstraints *NameConstraints `json:"nameConstraints,omitempty"`
	// Subject Name used in x509 certificates
	Subject *DistinguishedName `json:"subject,omitempty"`
}
// X509IssuerKeyVersion The signature algorithm of an X509Issuer, as a string
// enum; the permitted values are declared as constants elsewhere in this file.
// The type itself accepts any string.
type X509IssuerKeyVersion string
// X509Options Options that apply when issuing x509 certificates.
//
// NOTE(review): the template decides what ends up in every X.509 certificate
// the provisioner signs (subject, SANs, key usages, extensions), so a change to
// Template or TemplateData is a change to issuance policy and should be
// reviewed as such.
type X509Options struct {
	// Template A JSON representation of the x509 certificate to be created. [More info](https://smallstep.com/docs/step-ca/templates/#x509-templates).
	Template *string `json:"template,omitempty"`
	// TemplateData A map of data that can be used by the certificate template.
	// Typed as a pointer to an empty interface, so any JSON value is accepted
	// here; the template determines how it is interpreted.
	TemplateData *interface{} `json:"templateData,omitempty"`
}
// X5cProvisioner A [provisioner](https://smallstep.com/docs/step-ca/provisioners/#x5c---x509-certificate) that authenticates a certificate request with an existing x509 certificate.
//
// NOTE(review): Roots are trust anchors for this provisioner. Every certificate
// that chains to any of them — through any intermediate — can be used to obtain
// new certificates, so prefer a dedicated root (or one whose issuance is tightly
// controlled) over a broad public or corporate root. How the issued
// certificate's contents are constrained by the presented one is not described here.
type X5cProvisioner struct {
	// Roots A list of pem-encoded x509 certificates. Any certificate bundle that chains up to any of these roots can be used in a certificate request.
	// Required (not a pointer). An empty list would leave the provisioner with
	// nothing to trust and is presumably rejected server-side.
	Roots []string `json:"roots"`
}
// Accept The string type generated for the API's `accept` parameter (the
// requested response media type). A plain alias of string.
type Accept = string
// AgentConfigurationID The string type generated for the `agentConfigurationID`
// API parameter. A plain alias of string; no format check is applied here.
type AgentConfigurationID = string
// AttestationAuthorityID The string type generated for the
// `attestationAuthorityID` API parameter. A plain alias of string; no format
// check is applied here.
type AttestationAuthorityID = string
// AuthorityID The string type generated for the `authorityID` API parameter.
// A plain alias of string; no format check is applied here.
type AuthorityID = string
// CollectionSlug The string type generated for the `collectionSlug` API
// parameter, naming a device collection (see ProvisionerWebhook.CollectionSlug).
// A plain alias of string; no format check is applied here.
type CollectionSlug = string
// EndpointConfigurationID The string type generated for the
// `endpointConfigurationID` API parameter. A plain alias of string; no format
// check is applied here.
type EndpointConfigurationID = string
// GrantID The string type generated for the `grantID` API parameter. A plain
// alias of string; no format check is applied here.
type GrantID = string