Implement canonical schema foundation
Some checks failed
CI / Build and Test (push) Has been cancelled
CI / Lint (push) Has been cancelled

2026-05-17 04:59:18 +02:00
parent dd0b9663c4
commit 7fdf6d63d5
29 changed files with 1905 additions and 15 deletions


@@ -3,9 +3,13 @@
JSON Schema definitions for flex-auth's canonical artefacts:
- `resource_manifest.schema.json` (pinned in `FLEX-WP-0005 P5.3`)
- `protected_system_manifest.schema.json`
- `subject_manifest.schema.json`
- `relationship_fact.schema.json`
- `policy_package_frontmatter.schema.json`
- `caring_profile.schema.json`
- `caring_access_descriptor.schema.json`
- `policy_package.schema.json`
- `policy_fixture.schema.json`
- `check_request.schema.json`
- `decision_envelope.schema.json`
- `audit_event.schema.json`


@@ -0,0 +1,20 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://flex-auth.netkingdom/schemas/audit_event.schema.json",
"title": "AuditEvent",
"type": "object",
"additionalProperties": false,
"required": ["id", "type", "subject"],
"properties": {
"id": {"type": "string", "minLength": 1},
"type": {"type": "string", "minLength": 1},
"decision_id": {"type": "string", "minLength": 1},
"subject": {"$ref": "https://flex-auth.netkingdom/schemas/check_request.schema.json#/$defs/subject_ref"},
"resource": {"$ref": "https://flex-auth.netkingdom/schemas/check_request.schema.json#/$defs/resource_ref"},
"action": {"type": "string", "minLength": 1},
"effect": {"enum": ["allow", "deny", "redact", "audit_only", "not_applicable"]},
"timestamp": {"type": "string", "minLength": 1},
"exposure_event": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/exposure_event"},
"metadata": {"type": "object", "additionalProperties": true}
}
}
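Review bot: `timestamp` is only `{"type": "string", "minLength": 1}` and is missing from `required`, so an audit event with no time, or with an unparseable one, still validates; `effect` and `action` are optional as well. For a record meant to support later investigation I would use `"timestamp": {"type": "string", "format": "date-time"}` and `"required": ["id", "type", "subject", "timestamp"]`, keeping in mind that `format` is only asserted when the validator enables it. The same free-form time strings appear as `start_time`/`end_time` in `caring_access_descriptor.schema.json#/$defs/exposure_event` and as `decision_time` in `decision_envelope.schema.json#/$defs/provenance`. Separately, the `effect` enum is repeated verbatim in `decision_envelope.schema.json` and `policy_fixture.schema.json`; a single shared `$defs/effect` referenced from all three would stop the lists drifting apart.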


@@ -0,0 +1,358 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json",
"title": "CaringAccessDescriptor",
"description": "Executable flex-auth representation of a CARING access descriptor pinned to CARING 0.4.0-RC2.",
"type": "object",
"additionalProperties": false,
"required": [
"profile",
"subject_type",
"organization_relation",
"canonical_role",
"scope",
"planes",
"capabilities"
],
"properties": {
"id": {"type": "string", "minLength": 1},
"profile": {"const": "caring-0.4.0-rc2"},
"subject_type": {"$ref": "#/$defs/subject_type"},
"organization_relation": {"$ref": "#/$defs/organization_relation"},
"canonical_role": {"$ref": "#/$defs/canonical_role"},
"scope": {"$ref": "#/$defs/scope"},
"planes": {
"type": "array",
"items": {"$ref": "#/$defs/plane"},
"minItems": 1,
"uniqueItems": true
},
"capabilities": {
"type": "array",
"items": {"$ref": "#/$defs/capability"},
"minItems": 1,
"uniqueItems": true
},
"exposure_modes": {
"type": "array",
"items": {"$ref": "#/$defs/exposure_mode"},
"uniqueItems": true
},
"conditions": {
"type": "array",
"items": {"$ref": "#/$defs/condition"},
"uniqueItems": true
},
"lifecycle_state": {"$ref": "#/$defs/lifecycle_state"},
"restrictions": {
"type": "array",
"items": {"$ref": "#/$defs/restriction"},
"uniqueItems": true
},
"exposure_event": {"$ref": "#/$defs/exposure_event_type"},
"derived_capabilities": {
"type": "array",
"items": {"$ref": "#/$defs/derived_capability"}
},
"access_path": {"enum": ["direct", "delegated", "mediated", "induced"]},
"metadata": {"type": "object", "additionalProperties": true}
},
"$defs": {
"subject_type": {
"enum": [
"Human",
"Group",
"Organization",
"Service",
"Automation",
"Agent",
"System",
"Device",
"Process",
"Anonymous",
"Unknown"
]
},
"organization_relation": {
"enum": [
"Vendor",
"ServiceProvider",
"Distributor",
"Consultant",
"Customer",
"Community",
"Authority",
"Unknown"
]
},
"canonical_role": {
"enum": [
"Creator",
"Builder",
"Verifier",
"Maintainer",
"Integrator",
"Operator",
"Manager",
"Coach",
"Doer"
]
},
"scope_level": {
"enum": [
"Ecosystem",
"Product",
"Platform",
"Cluster",
"Environment",
"Tenant",
"Namespace",
"Domain",
"Workspace",
"Project",
"Process",
"Dataset",
"Resource",
"Subresource",
"Record",
"Field",
"Action"
]
},
"scope": {
"type": "object",
"additionalProperties": false,
"required": ["level", "id"],
"properties": {
"level": {"$ref": "#/$defs/scope_level"},
"id": {"type": "string", "minLength": 1},
"parent": {"type": "string", "minLength": 1},
"tenant": {"type": "string", "minLength": 1},
"resource": {"type": "string", "minLength": 1},
"attributes": {"type": "object", "additionalProperties": true}
}
},
"plane": {
"enum": [
"Intent",
"Build",
"Runtime",
"Execution",
"Configuration",
"Data",
"Identity",
"Policy",
"Secret",
"Audit",
"Commercial",
"Community"
]
},
"capability": {
"enum": [
"View",
"ViewCollection",
"Observe",
"Create",
"EditOwn",
"EditAssigned",
"EditAny",
"DeleteOwn",
"DeleteAny",
"BulkDelete",
"Submit",
"Comment",
"Review",
"Approve",
"Reject",
"Publish",
"Archive",
"Restore",
"Execute",
"Configure",
"Operate",
"Deploy",
"Integrate",
"Grant",
"Revoke",
"Delegate",
"Impersonate",
"Export",
"Import",
"Replicate",
"Encrypt",
"Decrypt",
"Mask",
"Inspect",
"Audit",
"Override",
"Escalate",
"Bind",
"Use"
]
},
"exposure_mode": {
"enum": [
"None",
"Metadata",
"Masked",
"Aggregated",
"Synthetic",
"Pseudonymous",
"Encrypted",
"Plaintext",
"SecretMaterial",
"Exportable",
"CrossTenantAggregate"
]
},
"condition": {
"enum": [
"MFARequired",
"DeviceTrusted",
"NetworkTrusted",
"TicketRequired",
"TenantConsentRequired",
"CustomerApprovalRequired",
"DualApprovalRequired",
"TimeLimited",
"BusinessHoursOnly",
"EmergencyOnly",
"TrainingRequired",
"ContractRequired",
"NDARequired",
"PurposeBound",
"CaseBound",
"EnvironmentBound",
"NamespaceBound",
"PipelineBound",
"ChangeWindowBound",
"Logged",
"Recorded",
"NotificationRequired",
"PostReviewRequired",
"HumanReviewRequired",
"PolicyReviewRequired",
"WorkloadIdentityRequired"
]
},
"lifecycle_state": {
"enum": [
"Design",
"Build",
"Test",
"Review",
"Release",
"Onboard",
"Integrate",
"Migrate",
"Operate",
"Support",
"Improve",
"Deprecate",
"Archive",
"Incident",
"Legal",
"Terminate"
]
},
"restriction": {
"enum": [
"NoAccess",
"Suspended",
"Terminated",
"Quarantined",
"ScopeExcluded",
"DataClassRestricted",
"LegalHold",
"ExportBlocked",
"ImpersonationBlocked",
"CrossTenantBlocked",
"SecretAccessBlocked",
"PolicyFrozen",
"EmergencyLocked",
"RiskDenied",
"ExecutionBlocked",
"WorkloadCreationBlocked",
"PrivilegeEscalationBlocked"
]
},
"exposure_event_type": {
"enum": [
"X-Support",
"X-BreakGlass",
"X-SecurityTest",
"X-Incident",
"X-LegalDemand",
"X-ComplianceAudit",
"X-Migration",
"X-Recovery",
"X-Adversarial",
"X-Misconfiguration",
"X-InducedAccess",
"X-PrivilegeEscalation"
]
},
"derived_capability": {
"type": "object",
"additionalProperties": false,
"required": ["capability", "reason"],
"properties": {
"capability": {"$ref": "#/$defs/capability"},
"reason": {"type": "string", "minLength": 1},
"source": {"type": "string", "minLength": 1},
"planes": {
"type": "array",
"items": {"$ref": "#/$defs/plane"},
"uniqueItems": true
},
"exposure_modes": {
"type": "array",
"items": {"$ref": "#/$defs/exposure_mode"},
"uniqueItems": true
}
}
},
"conformance_finding": {
"type": "object",
"additionalProperties": false,
"required": ["code", "severity", "message"],
"properties": {
"code": {"type": "string", "minLength": 1},
"severity": {"enum": ["info", "warning", "violation", "blocked"]},
"message": {"type": "string", "minLength": 1},
"fields": {"type": "array", "items": {"type": "string", "minLength": 1}},
"descriptor": {"type": "string", "minLength": 1},
"metadata": {"type": "object", "additionalProperties": true}
}
},
"exposure_event": {
"type": "object",
"additionalProperties": false,
"required": ["id", "type", "actor", "subject", "reason"],
"properties": {
"id": {"type": "string", "minLength": 1},
"type": {"$ref": "#/$defs/exposure_event_type"},
"actor": {"type": "string", "minLength": 1},
"subject": {"type": "string", "minLength": 1},
"descriptor": {"$ref": "#"},
"scope": {"$ref": "#/$defs/scope"},
"planes": {"type": "array", "items": {"$ref": "#/$defs/plane"}},
"capabilities_used": {"type": "array", "items": {"$ref": "#/$defs/capability"}},
"derived_capabilities": {"type": "array", "items": {"$ref": "#/$defs/derived_capability"}},
"exposure_modes": {"type": "array", "items": {"$ref": "#/$defs/exposure_mode"}},
"reason": {"type": "string", "minLength": 1},
"authority_source": {"type": "string", "minLength": 1},
"approval": {"type": "string", "minLength": 1},
"start_time": {"type": "string", "minLength": 1},
"end_time": {"type": "string", "minLength": 1},
"resources_accessed": {"type": "array", "items": {"type": "string", "minLength": 1}},
"evidence": {"type": "array", "items": {"type": "string", "minLength": 1}},
"notification_status": {"type": "string", "minLength": 1},
"post_review": {"type": "string", "minLength": 1},
"conformance_findings": {"type": "array", "items": {"$ref": "#/$defs/conformance_finding"}},
"metadata": {"type": "object", "additionalProperties": true}
}
}
}
}
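Review bot: The top-level `exposure_event` property points at `#/$defs/exposure_event_type` (a string enum), while `#/$defs/exposure_event` is the full object that `audit_event.schema.json` and `decision_envelope.schema.json` expose under the same property name, so the same key has two shapes depending on where it is read. Renaming the descriptor property to `exposure_event_type`, or at least adding a `description` that says it carries only the type, would remove the ambiguity. Inside `$defs/exposure_event`, `approval` and `authority_source` are optional for every type, including `X-BreakGlass` and `X-LegalDemand`; if CARING expects those events to carry an approval, an `if`/`then` on `type` can require it. The literal `"const": "caring-0.4.0-rc2"` is also repeated in five other schemas in this commit, so a profile bump means editing six files; one shared definition referenced by `$ref` would keep them in step.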


@@ -0,0 +1,16 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://flex-auth.netkingdom/schemas/caring_profile.schema.json",
"title": "CaringProfile",
"description": "Machine-readable pin for a CARING profile supported by flex-auth.",
"type": "object",
"additionalProperties": false,
"required": ["id", "standard", "version"],
"properties": {
"id": {"const": "caring-0.4.0-rc2"},
"standard": {"const": "CARING"},
"version": {"const": "0.4.0-RC2"},
"source": {"type": "string", "minLength": 1},
"metadata": {"type": "object", "additionalProperties": true}
}
}


@@ -0,0 +1,42 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://flex-auth.netkingdom/schemas/check_request.schema.json",
"title": "CheckRequest",
"type": "object",
"additionalProperties": false,
"required": ["subject", "action", "resource"],
"properties": {
"id": {"type": "string", "minLength": 1},
"subject": {"$ref": "#/$defs/subject_ref"},
"action": {"type": "string", "minLength": 1},
"resource": {"$ref": "#/$defs/resource_ref"},
"context": {"type": "object", "additionalProperties": true},
"caring_context": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json"},
"policy_version": {"type": "string", "minLength": 1}
},
"$defs": {
"subject_ref": {
"type": "object",
"additionalProperties": false,
"required": ["id"],
"properties": {
"id": {"type": "string", "minLength": 1},
"type": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/subject_type"},
"tenant": {"type": "string", "minLength": 1},
"attributes": {"type": "object", "additionalProperties": true}
}
},
"resource_ref": {
"type": "object",
"additionalProperties": false,
"required": ["id"],
"properties": {
"id": {"type": "string", "minLength": 1},
"type": {"type": "string", "minLength": 1},
"system": {"type": "string", "minLength": 1},
"tenant": {"type": "string", "minLength": 1},
"attributes": {"type": "object", "additionalProperties": true}
}
}
}
}
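Review bot: Nothing in this schema says which parts of a request the evaluator treats as caller assertions: `caring_context` accepts a complete CARING descriptor (role, capabilities, restrictions), and `subject_ref` accepts `tenant` and free-form `attributes`. If the evaluator reads these from the request instead of resolving them from the subject manifest, the caller is describing its own privileges. I would add a `description` to each field stating whether it is advisory or authoritative, and drop `caring_context` from the request if it is never meant to be trusted. `tenant` is also optional on both refs (and on `relationship_fact.schema.json` and the `subject` definition in `subject_manifest.schema.json`); what an absent tenant means for cross-tenant checks should be written down in the field's `description`.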


@@ -0,0 +1,74 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://flex-auth.netkingdom/schemas/decision_envelope.schema.json",
"title": "DecisionEnvelope",
"type": "object",
"additionalProperties": false,
"required": ["id", "effect", "resource", "subject", "provenance"],
"properties": {
"id": {"type": "string", "minLength": 1},
"request_id": {"type": "string", "minLength": 1},
"effect": {"enum": ["allow", "deny", "redact", "audit_only", "not_applicable"]},
"reason": {"type": "string"},
"matched_policy_version": {"type": "string", "minLength": 1},
"matched_rule": {"type": "string", "minLength": 1},
"resource": {"$ref": "https://flex-auth.netkingdom/schemas/check_request.schema.json#/$defs/resource_ref"},
"subject": {"$ref": "https://flex-auth.netkingdom/schemas/check_request.schema.json#/$defs/subject_ref"},
"obligations": {"type": "array", "items": {"$ref": "#/$defs/obligation"}},
"diagnostics": {"type": "object", "additionalProperties": true},
"provenance": {"$ref": "#/$defs/provenance"},
"caring": {"$ref": "#/$defs/caring_decision_metadata"}
},
"$defs": {
"obligation": {
"type": "object",
"additionalProperties": false,
"required": ["type"],
"properties": {
"type": {"type": "string", "minLength": 1},
"parameters": {"type": "object", "additionalProperties": true}
}
},
"provenance": {
"type": "object",
"additionalProperties": false,
"required": ["evaluator", "mode"],
"properties": {
"evaluator": {"type": "string", "minLength": 1},
"mode": {"type": "string", "minLength": 1},
"policy_package": {"type": "string", "minLength": 1},
"policy_version": {"type": "string", "minLength": 1},
"directory_etag": {"type": "string", "minLength": 1},
"decision_time": {"type": "string", "minLength": 1}
}
},
"caring_decision_metadata": {
"type": "object",
"additionalProperties": false,
"required": ["profile"],
"properties": {
"profile": {"const": "caring-0.4.0-rc2"},
"descriptor": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json"},
"restrictions_evaluated": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/restriction"},
"uniqueItems": true
},
"exposure_modes": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/exposure_mode"},
"uniqueItems": true
},
"derived_capabilities": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/derived_capability"}
},
"conformance_findings": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/conformance_finding"}
},
"exposure_event": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/exposure_event"}
}
}
}
}
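Review bot: `$defs/provenance` requires only `evaluator` and `mode`, and `matched_policy_version` is optional at the top level, so a decision can validate without naming the policy version that produced it; a stored `allow` then cannot be tied back to a specific policy. If every evaluator mode knows its policy version, I would make it mandatory with `"required": ["evaluator", "mode", "policy_version"]`. `reason` is `{"type": "string"}` with no `minLength`, while `policy_fixture.schema.json` requires `minLength: 1` for the reason it expects, so an empty reason is valid in an envelope but cannot be expressed as a fixture expectation; pick one rule for both. `diagnostics` is fully free-form, and a `description` saying whether it is returned to the caller or kept server-side would help reviewers judge what may be placed in it.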


@@ -0,0 +1,33 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://flex-auth.netkingdom/schemas/policy_fixture.schema.json",
"title": "PolicyFixture",
"type": "object",
"additionalProperties": false,
"required": ["id", "request", "expect"],
"properties": {
"id": {"type": "string", "minLength": 1},
"request": {"$ref": "https://flex-auth.netkingdom/schemas/check_request.schema.json"},
"expect": {"$ref": "#/$defs/decision_expectation"},
"metadata": {"type": "object", "additionalProperties": true}
},
"$defs": {
"decision_expectation": {
"type": "object",
"additionalProperties": false,
"required": ["effect"],
"properties": {
"effect": {"enum": ["allow", "deny", "redact", "audit_only", "not_applicable"]},
"reason": {"type": "string", "minLength": 1},
"obligations": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/decision_envelope.schema.json#/$defs/obligation"}
},
"conformance_findings": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/conformance_finding"}
}
}
}
}
}


@@ -0,0 +1,68 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://flex-auth.netkingdom/schemas/policy_package.schema.json",
"title": "PolicyPackageMetadata",
"type": "object",
"additionalProperties": false,
"required": ["id", "version", "package", "caring"],
"properties": {
"id": {"type": "string", "minLength": 1},
"name": {"type": "string", "minLength": 1},
"version": {"type": "string", "minLength": 1},
"status": {"type": "string", "minLength": 1},
"package": {"type": "string", "minLength": 1},
"caring": {"$ref": "#/$defs/caring_policy_metadata"},
"activation": {"type": "object", "additionalProperties": true},
"metadata": {"type": "object", "additionalProperties": true}
},
"$defs": {
"caring_policy_metadata": {
"type": "object",
"additionalProperties": false,
"required": ["profile"],
"properties": {
"profile": {"const": "caring-0.4.0-rc2"},
"canonical_roles": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/canonical_role"},
"uniqueItems": true
},
"organization_relations": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/organization_relation"},
"uniqueItems": true
},
"scopes": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/scope"}
},
"planes": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/plane"},
"uniqueItems": true
},
"capabilities": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/capability"},
"uniqueItems": true
},
"exposure_modes": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/exposure_mode"},
"uniqueItems": true
},
"conditions": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/condition"},
"uniqueItems": true
},
"restrictions": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/restriction"},
"uniqueItems": true
},
"metadata": {"type": "object", "additionalProperties": true}
}
}
}
}
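Review bot: `status` and `activation` are unconstrained (`status` is any non-empty string, `activation` any object), yet they look like the fields that decide whether a package is live; I am inferring that from the names. If so, a misspelt status validates and its handling is left entirely to the loader. An `enum` of the states the loader recognises, plus a `description` on `activation` listing the keys it reads, would let the schema reject such a package instead. `version` has the same shape; a `pattern` would help if versions are ever compared or ordered.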


@@ -0,0 +1,69 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://flex-auth.netkingdom/schemas/protected_system_manifest.schema.json",
"title": "ProtectedSystemManifest",
"type": "object",
"additionalProperties": false,
"required": ["id"],
"properties": {
"id": {"type": "string", "minLength": 1},
"name": {"type": "string", "minLength": 1},
"description": {"type": "string"},
"resource_types": {
"type": "array",
"items": {"$ref": "#/$defs/resource_type"}
},
"actions": {
"type": "array",
"items": {"$ref": "#/$defs/action"}
},
"caring_profiles": {
"type": "array",
"items": {"const": "caring-0.4.0-rc2"},
"uniqueItems": true
},
"metadata": {"type": "object", "additionalProperties": true}
},
"$defs": {
"resource_type": {
"type": "object",
"additionalProperties": false,
"required": ["name"],
"properties": {
"name": {"type": "string", "minLength": 1},
"parent_types": {"type": "array", "items": {"type": "string", "minLength": 1}},
"scope_level": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/scope_level"},
"planes": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/plane"},
"uniqueItems": true
},
"metadata": {"type": "object", "additionalProperties": true}
}
},
"action": {
"type": "object",
"additionalProperties": false,
"required": ["name"],
"properties": {
"name": {"type": "string", "minLength": 1},
"capabilities": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/capability"},
"uniqueItems": true
},
"planes": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/plane"},
"uniqueItems": true
},
"exposure_modes": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/exposure_mode"},
"uniqueItems": true
},
"metadata": {"type": "object", "additionalProperties": true}
}
}
}
}
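Review bot: `resource_types` and `actions` are arrays of objects identified by `name`, and nothing stops two entries sharing a name while listing different `capabilities` or `planes`; `uniqueItems` would not catch that because the objects differ. Which entry an action resolves to is then decided by the loader rather than by the manifest. Either key them by name (an object map whose `additionalProperties` points at `#/$defs/action` or `#/$defs/resource_type`) or add a `description` on `name` stating that the loader rejects duplicates. `parent_types` entries are plain strings, so a reference to an undeclared type also validates and needs the same loader-side check.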


@@ -0,0 +1,24 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://flex-auth.netkingdom/schemas/relationship_fact.schema.json",
"title": "RelationshipFact",
"type": "object",
"additionalProperties": false,
"required": ["id", "subject", "relation", "object"],
"properties": {
"id": {"type": "string", "minLength": 1},
"system": {"type": "string", "minLength": 1},
"subject": {"type": "string", "minLength": 1},
"relation": {"type": "string", "minLength": 1},
"object": {"type": "string", "minLength": 1},
"tenant": {"type": "string", "minLength": 1},
"conditions": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/condition"},
"uniqueItems": true
},
"caring": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json"},
"provenance": {"type": "object", "additionalProperties": true},
"metadata": {"type": "object", "additionalProperties": true}
}
}


@@ -28,6 +28,11 @@
"items": {"type": "string", "minLength": 1},
"uniqueItems": true
},
"caring_profile": {
"type": "string",
"description": "Optional CARING profile identifier used by resource-level descriptors.",
"const": "caring-0.4.0-rc2"
},
"metadata": {
"type": "object",
"description": "Free-form provenance and contract metadata. Conventions: 'source' (origin description), 'flex_auth_contract' (contract version string, currently 'resource-registration-v0').",
@@ -76,6 +81,10 @@
"description": "Owner identifier, conventionally 'team:<slug>' or 'user:<slug>'.",
"minLength": 1
},
"caring": {
"description": "Optional CARING descriptor for this resource. Policy packages may require this field for conformance checks.",
"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json"
},
"attributes": {
"type": "object",
"description": "Free-form attributes that policy packages may consult. Reserved keys may be defined by individual policy packages.",


@@ -0,0 +1,68 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://flex-auth.netkingdom/schemas/subject_manifest.schema.json",
"title": "SubjectManifest",
"type": "object",
"additionalProperties": false,
"required": ["id"],
"properties": {
"id": {"type": "string", "minLength": 1},
"subjects": {"type": "array", "items": {"$ref": "#/$defs/subject"}},
"groups": {"type": "array", "items": {"$ref": "#/$defs/group"}},
"teams": {"type": "array", "items": {"$ref": "#/$defs/group"}},
"tenants": {"type": "array", "items": {"$ref": "#/$defs/tenant"}},
"metadata": {"type": "object", "additionalProperties": true}
},
"$defs": {
"subject": {
"type": "object",
"additionalProperties": false,
"required": ["id", "type"],
"properties": {
"id": {"type": "string", "minLength": 1},
"type": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/subject_type"},
"display_name": {"type": "string", "minLength": 1},
"organization_relation": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/organization_relation"},
"roles": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/canonical_role"},
"uniqueItems": true
},
"groups": {"type": "array", "items": {"type": "string", "minLength": 1}},
"tenant": {"type": "string", "minLength": 1},
"claims": {"type": "object", "additionalProperties": true},
"caring_descriptors": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json"}
},
"metadata": {"type": "object", "additionalProperties": true}
}
},
"group": {
"type": "object",
"additionalProperties": false,
"required": ["id"],
"properties": {
"id": {"type": "string", "minLength": 1},
"display_name": {"type": "string", "minLength": 1},
"members": {"type": "array", "items": {"type": "string", "minLength": 1}},
"tenant": {"type": "string", "minLength": 1},
"caring_descriptors": {
"type": "array",
"items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json"}
},
"metadata": {"type": "object", "additionalProperties": true}
}
},
"tenant": {
"type": "object",
"additionalProperties": false,
"required": ["id"],
"properties": {
"id": {"type": "string", "minLength": 1},
"name": {"type": "string", "minLength": 1},
"metadata": {"type": "object", "additionalProperties": true}
}
}
}
}
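Review bot: Group membership can be declared in two directions here, `groups` on `$defs/subject` and `members` on `$defs/group`, and the schema does not say which is authoritative or what happens when they disagree. For an authorization directory that matters: a subject listing a group that does not list it back is either a member or not, depending on which side the evaluator reads. I would add a `description` to both fields naming the authoritative side, for example `"description": "Informational; membership is taken from group.members."` if that is the intended rule, and have the loader reject mismatches. `groups` and `teams` at the top level both use `#/$defs/group`, so a one-line `description` on each explaining the difference would also help.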