generated from coulomb/repo-seed
336 lines
17 KiB
Go
336 lines
17 KiB
Go
package api
|
|
|
|
// CaringProfileCaring040RC2 is the executable profile identifier for the
|
|
// CARING 0.4.0-RC2 standard pinned by flex-auth.
|
|
const CaringProfileCaring040RC2 = "caring-0.4.0-rc2"
|
|
|
|
// SubjectType is the CARING subject dimension.
|
|
type SubjectType string
|
|
|
|
const (
|
|
SubjectTypeHuman SubjectType = "Human"
|
|
SubjectTypeGroup SubjectType = "Group"
|
|
SubjectTypeOrganization SubjectType = "Organization"
|
|
SubjectTypeService SubjectType = "Service"
|
|
SubjectTypeAutomation SubjectType = "Automation"
|
|
SubjectTypeAgent SubjectType = "Agent"
|
|
SubjectTypeSystem SubjectType = "System"
|
|
SubjectTypeDevice SubjectType = "Device"
|
|
SubjectTypeProcess SubjectType = "Process"
|
|
SubjectTypeAnonymous SubjectType = "Anonymous"
|
|
SubjectTypeUnknown SubjectType = "Unknown"
|
|
)
|
|
|
|
// OrganizationRelation is the CARING organization-relation dimension.
|
|
type OrganizationRelation string
|
|
|
|
const (
|
|
OrganizationRelationVendor OrganizationRelation = "Vendor"
|
|
OrganizationRelationServiceProvider OrganizationRelation = "ServiceProvider"
|
|
OrganizationRelationDistributor OrganizationRelation = "Distributor"
|
|
OrganizationRelationConsultant OrganizationRelation = "Consultant"
|
|
OrganizationRelationCustomer OrganizationRelation = "Customer"
|
|
OrganizationRelationCommunity OrganizationRelation = "Community"
|
|
OrganizationRelationAuthority OrganizationRelation = "Authority"
|
|
OrganizationRelationUnknown OrganizationRelation = "Unknown"
|
|
)
|
|
|
|
// CanonicalRole is the CARING lifecycle responsibility posture.
|
|
type CanonicalRole string
|
|
|
|
const (
|
|
CanonicalRoleCreator CanonicalRole = "Creator"
|
|
CanonicalRoleBuilder CanonicalRole = "Builder"
|
|
CanonicalRoleVerifier CanonicalRole = "Verifier"
|
|
CanonicalRoleMaintainer CanonicalRole = "Maintainer"
|
|
CanonicalRoleIntegrator CanonicalRole = "Integrator"
|
|
CanonicalRoleOperator CanonicalRole = "Operator"
|
|
CanonicalRoleManager CanonicalRole = "Manager"
|
|
CanonicalRoleCoach CanonicalRole = "Coach"
|
|
CanonicalRoleDoer CanonicalRole = "Doer"
|
|
)
|
|
|
|
// ScopeLevel is the CARING scope ladder.
|
|
type ScopeLevel string
|
|
|
|
const (
|
|
ScopeLevelEcosystem ScopeLevel = "Ecosystem"
|
|
ScopeLevelProduct ScopeLevel = "Product"
|
|
ScopeLevelPlatform ScopeLevel = "Platform"
|
|
ScopeLevelCluster ScopeLevel = "Cluster"
|
|
ScopeLevelEnvironment ScopeLevel = "Environment"
|
|
ScopeLevelTenant ScopeLevel = "Tenant"
|
|
ScopeLevelNamespace ScopeLevel = "Namespace"
|
|
ScopeLevelDomain ScopeLevel = "Domain"
|
|
ScopeLevelWorkspace ScopeLevel = "Workspace"
|
|
ScopeLevelProject ScopeLevel = "Project"
|
|
ScopeLevelProcess ScopeLevel = "Process"
|
|
ScopeLevelDataset ScopeLevel = "Dataset"
|
|
ScopeLevelResource ScopeLevel = "Resource"
|
|
ScopeLevelSubresource ScopeLevel = "Subresource"
|
|
ScopeLevelRecord ScopeLevel = "Record"
|
|
ScopeLevelField ScopeLevel = "Field"
|
|
ScopeLevelAction ScopeLevel = "Action"
|
|
)
|
|
|
|
// Plane is the CARING access-surface dimension.
|
|
type Plane string
|
|
|
|
const (
|
|
PlaneIntent Plane = "Intent"
|
|
PlaneBuild Plane = "Build"
|
|
PlaneRuntime Plane = "Runtime"
|
|
PlaneExecution Plane = "Execution"
|
|
PlaneConfiguration Plane = "Configuration"
|
|
PlaneData Plane = "Data"
|
|
PlaneIdentity Plane = "Identity"
|
|
PlanePolicy Plane = "Policy"
|
|
PlaneSecret Plane = "Secret"
|
|
PlaneAudit Plane = "Audit"
|
|
PlaneCommercial Plane = "Commercial"
|
|
PlaneCommunity Plane = "Community"
|
|
)
|
|
|
|
// Capability is a CARING capability verb.
|
|
type Capability string
|
|
|
|
const (
|
|
CapabilityView Capability = "View"
|
|
CapabilityViewCollection Capability = "ViewCollection"
|
|
CapabilityObserve Capability = "Observe"
|
|
CapabilityCreate Capability = "Create"
|
|
CapabilityEditOwn Capability = "EditOwn"
|
|
CapabilityEditAssigned Capability = "EditAssigned"
|
|
CapabilityEditAny Capability = "EditAny"
|
|
CapabilityDeleteOwn Capability = "DeleteOwn"
|
|
CapabilityDeleteAny Capability = "DeleteAny"
|
|
CapabilityBulkDelete Capability = "BulkDelete"
|
|
CapabilitySubmit Capability = "Submit"
|
|
CapabilityComment Capability = "Comment"
|
|
CapabilityReview Capability = "Review"
|
|
CapabilityApprove Capability = "Approve"
|
|
CapabilityReject Capability = "Reject"
|
|
CapabilityPublish Capability = "Publish"
|
|
CapabilityArchive Capability = "Archive"
|
|
CapabilityRestore Capability = "Restore"
|
|
CapabilityExecute Capability = "Execute"
|
|
CapabilityConfigure Capability = "Configure"
|
|
CapabilityOperate Capability = "Operate"
|
|
CapabilityDeploy Capability = "Deploy"
|
|
CapabilityIntegrate Capability = "Integrate"
|
|
CapabilityGrant Capability = "Grant"
|
|
CapabilityRevoke Capability = "Revoke"
|
|
CapabilityDelegate Capability = "Delegate"
|
|
CapabilityImpersonate Capability = "Impersonate"
|
|
CapabilityExport Capability = "Export"
|
|
CapabilityImport Capability = "Import"
|
|
CapabilityReplicate Capability = "Replicate"
|
|
CapabilityEncrypt Capability = "Encrypt"
|
|
CapabilityDecrypt Capability = "Decrypt"
|
|
CapabilityMask Capability = "Mask"
|
|
CapabilityInspect Capability = "Inspect"
|
|
CapabilityAudit Capability = "Audit"
|
|
CapabilityOverride Capability = "Override"
|
|
CapabilityEscalate Capability = "Escalate"
|
|
CapabilityBind Capability = "Bind"
|
|
CapabilityUse Capability = "Use"
|
|
)
|
|
|
|
// ExposureMode describes how much information becomes visible or extractable.
|
|
type ExposureMode string
|
|
|
|
const (
|
|
ExposureModeNone ExposureMode = "None"
|
|
ExposureModeMetadata ExposureMode = "Metadata"
|
|
ExposureModeMasked ExposureMode = "Masked"
|
|
ExposureModeAggregated ExposureMode = "Aggregated"
|
|
ExposureModeSynthetic ExposureMode = "Synthetic"
|
|
ExposureModePseudonymous ExposureMode = "Pseudonymous"
|
|
ExposureModeEncrypted ExposureMode = "Encrypted"
|
|
ExposureModePlaintext ExposureMode = "Plaintext"
|
|
ExposureModeSecretMaterial ExposureMode = "SecretMaterial"
|
|
ExposureModeExportable ExposureMode = "Exportable"
|
|
ExposureModeCrossTenantAggregate ExposureMode = "CrossTenantAggregate"
|
|
)
|
|
|
|
// Condition is a CARING runtime or governance condition.
|
|
type Condition string
|
|
|
|
const (
|
|
ConditionMFARequired Condition = "MFARequired"
|
|
ConditionDeviceTrusted Condition = "DeviceTrusted"
|
|
ConditionNetworkTrusted Condition = "NetworkTrusted"
|
|
ConditionTicketRequired Condition = "TicketRequired"
|
|
ConditionTenantConsentRequired Condition = "TenantConsentRequired"
|
|
ConditionCustomerApprovalRequired Condition = "CustomerApprovalRequired"
|
|
ConditionDualApprovalRequired Condition = "DualApprovalRequired"
|
|
ConditionTimeLimited Condition = "TimeLimited"
|
|
ConditionBusinessHoursOnly Condition = "BusinessHoursOnly"
|
|
ConditionEmergencyOnly Condition = "EmergencyOnly"
|
|
ConditionTrainingRequired Condition = "TrainingRequired"
|
|
ConditionContractRequired Condition = "ContractRequired"
|
|
ConditionNDARequired Condition = "NDARequired"
|
|
ConditionPurposeBound Condition = "PurposeBound"
|
|
ConditionCaseBound Condition = "CaseBound"
|
|
ConditionEnvironmentBound Condition = "EnvironmentBound"
|
|
ConditionNamespaceBound Condition = "NamespaceBound"
|
|
ConditionPipelineBound Condition = "PipelineBound"
|
|
ConditionChangeWindowBound Condition = "ChangeWindowBound"
|
|
ConditionLogged Condition = "Logged"
|
|
ConditionRecorded Condition = "Recorded"
|
|
ConditionNotificationRequired Condition = "NotificationRequired"
|
|
ConditionPostReviewRequired Condition = "PostReviewRequired"
|
|
ConditionHumanReviewRequired Condition = "HumanReviewRequired"
|
|
ConditionPolicyReviewRequired Condition = "PolicyReviewRequired"
|
|
ConditionWorkloadIdentityRequired Condition = "WorkloadIdentityRequired"
|
|
)
|
|
|
|
// LifecycleState describes why access exists now.
|
|
type LifecycleState string
|
|
|
|
const (
|
|
LifecycleStateDesign LifecycleState = "Design"
|
|
LifecycleStateBuild LifecycleState = "Build"
|
|
LifecycleStateTest LifecycleState = "Test"
|
|
LifecycleStateReview LifecycleState = "Review"
|
|
LifecycleStateRelease LifecycleState = "Release"
|
|
LifecycleStateOnboard LifecycleState = "Onboard"
|
|
LifecycleStateIntegrate LifecycleState = "Integrate"
|
|
LifecycleStateMigrate LifecycleState = "Migrate"
|
|
LifecycleStateOperate LifecycleState = "Operate"
|
|
LifecycleStateSupport LifecycleState = "Support"
|
|
LifecycleStateImprove LifecycleState = "Improve"
|
|
LifecycleStateDeprecate LifecycleState = "Deprecate"
|
|
LifecycleStateArchive LifecycleState = "Archive"
|
|
LifecycleStateIncident LifecycleState = "Incident"
|
|
LifecycleStateLegal LifecycleState = "Legal"
|
|
LifecycleStateTerminate LifecycleState = "Terminate"
|
|
)
|
|
|
|
// Restriction is an overriding CARING deny or limiting policy effect.
|
|
type Restriction string
|
|
|
|
const (
|
|
RestrictionNoAccess Restriction = "NoAccess"
|
|
RestrictionSuspended Restriction = "Suspended"
|
|
RestrictionTerminated Restriction = "Terminated"
|
|
RestrictionQuarantined Restriction = "Quarantined"
|
|
RestrictionScopeExcluded Restriction = "ScopeExcluded"
|
|
RestrictionDataClassRestricted Restriction = "DataClassRestricted"
|
|
RestrictionLegalHold Restriction = "LegalHold"
|
|
RestrictionExportBlocked Restriction = "ExportBlocked"
|
|
RestrictionImpersonationBlocked Restriction = "ImpersonationBlocked"
|
|
RestrictionCrossTenantBlocked Restriction = "CrossTenantBlocked"
|
|
RestrictionSecretAccessBlocked Restriction = "SecretAccessBlocked"
|
|
RestrictionPolicyFrozen Restriction = "PolicyFrozen"
|
|
RestrictionEmergencyLocked Restriction = "EmergencyLocked"
|
|
RestrictionRiskDenied Restriction = "RiskDenied"
|
|
RestrictionExecutionBlocked Restriction = "ExecutionBlocked"
|
|
RestrictionWorkloadCreationBlocked Restriction = "WorkloadCreationBlocked"
|
|
RestrictionPrivilegeEscalationBlocked Restriction = "PrivilegeEscalationBlocked"
|
|
)
|
|
|
|
// ExposureEventType is a CARING exceptional or irregular access class.
|
|
type ExposureEventType string
|
|
|
|
const (
|
|
ExposureEventSupport ExposureEventType = "X-Support"
|
|
ExposureEventBreakGlass ExposureEventType = "X-BreakGlass"
|
|
ExposureEventSecurityTest ExposureEventType = "X-SecurityTest"
|
|
ExposureEventIncident ExposureEventType = "X-Incident"
|
|
ExposureEventLegalDemand ExposureEventType = "X-LegalDemand"
|
|
ExposureEventComplianceAudit ExposureEventType = "X-ComplianceAudit"
|
|
ExposureEventMigration ExposureEventType = "X-Migration"
|
|
ExposureEventRecovery ExposureEventType = "X-Recovery"
|
|
ExposureEventAdversarial ExposureEventType = "X-Adversarial"
|
|
ExposureEventMisconfiguration ExposureEventType = "X-Misconfiguration"
|
|
ExposureEventInducedAccess ExposureEventType = "X-InducedAccess"
|
|
ExposureEventPrivilegeEscalation ExposureEventType = "X-PrivilegeEscalation"
|
|
)
|
|
|
|
// AccessPath describes how access is exercised.
|
|
type AccessPath string
|
|
|
|
const (
|
|
AccessPathDirect AccessPath = "direct"
|
|
AccessPathDelegated AccessPath = "delegated"
|
|
AccessPathMediated AccessPath = "mediated"
|
|
AccessPathInduced AccessPath = "induced"
|
|
)
|
|
|
|
// CaringScope identifies where a CARING descriptor applies.
|
|
type CaringScope struct {
|
|
Level ScopeLevel `json:"level" yaml:"level"`
|
|
ID string `json:"id" yaml:"id"`
|
|
Parent string `json:"parent,omitempty" yaml:"parent,omitempty"`
|
|
Tenant string `json:"tenant,omitempty" yaml:"tenant,omitempty"`
|
|
Resource string `json:"resource,omitempty" yaml:"resource,omitempty"`
|
|
Attributes map[string]any `json:"attributes,omitempty" yaml:"attributes,omitempty"`
|
|
}
|
|
|
|
// CaringAccessDescriptor is the executable flex-auth representation of a
|
|
// CARING access assignment.
|
|
type CaringAccessDescriptor struct {
|
|
ID string `json:"id,omitempty" yaml:"id,omitempty"`
|
|
Profile string `json:"profile" yaml:"profile"`
|
|
SubjectType SubjectType `json:"subject_type" yaml:"subject_type"`
|
|
OrganizationRelation OrganizationRelation `json:"organization_relation" yaml:"organization_relation"`
|
|
CanonicalRole CanonicalRole `json:"canonical_role" yaml:"canonical_role"`
|
|
Scope CaringScope `json:"scope" yaml:"scope"`
|
|
Planes []Plane `json:"planes" yaml:"planes"`
|
|
Capabilities []Capability `json:"capabilities" yaml:"capabilities"`
|
|
ExposureModes []ExposureMode `json:"exposure_modes,omitempty" yaml:"exposure_modes,omitempty"`
|
|
Conditions []Condition `json:"conditions,omitempty" yaml:"conditions,omitempty"`
|
|
LifecycleState LifecycleState `json:"lifecycle_state,omitempty" yaml:"lifecycle_state,omitempty"`
|
|
Restrictions []Restriction `json:"restrictions,omitempty" yaml:"restrictions,omitempty"`
|
|
ExposureEvent ExposureEventType `json:"exposure_event,omitempty" yaml:"exposure_event,omitempty"`
|
|
DerivedCapabilities []CaringDerivedCapability `json:"derived_capabilities,omitempty" yaml:"derived_capabilities,omitempty"`
|
|
AccessPath AccessPath `json:"access_path,omitempty" yaml:"access_path,omitempty"`
|
|
Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
|
|
}
|
|
|
|
// CaringDerivedCapability records effective authority created by another grant.
|
|
type CaringDerivedCapability struct {
|
|
Capability Capability `json:"capability" yaml:"capability"`
|
|
Reason string `json:"reason" yaml:"reason"`
|
|
Source string `json:"source,omitempty" yaml:"source,omitempty"`
|
|
Planes []Plane `json:"planes,omitempty" yaml:"planes,omitempty"`
|
|
ExposureModes []ExposureMode `json:"exposure_modes,omitempty" yaml:"exposure_modes,omitempty"`
|
|
}
|
|
|
|
// CaringConformanceFinding is a diagnostic emitted by descriptive or
|
|
// prescriptive CARING validation.
|
|
type CaringConformanceFinding struct {
|
|
Code string `json:"code" yaml:"code"`
|
|
Severity string `json:"severity" yaml:"severity"`
|
|
Message string `json:"message" yaml:"message"`
|
|
Fields []string `json:"fields,omitempty" yaml:"fields,omitempty"`
|
|
Descriptor string `json:"descriptor,omitempty" yaml:"descriptor,omitempty"`
|
|
Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
|
|
}
|
|
|
|
// CaringExposureEvent records exceptional or irregular information exposure.
|
|
type CaringExposureEvent struct {
|
|
ID string `json:"id" yaml:"id"`
|
|
Type ExposureEventType `json:"type" yaml:"type"`
|
|
Actor string `json:"actor" yaml:"actor"`
|
|
Subject string `json:"subject" yaml:"subject"`
|
|
Descriptor *CaringAccessDescriptor `json:"descriptor,omitempty" yaml:"descriptor,omitempty"`
|
|
Scope *CaringScope `json:"scope,omitempty" yaml:"scope,omitempty"`
|
|
Planes []Plane `json:"planes,omitempty" yaml:"planes,omitempty"`
|
|
CapabilitiesUsed []Capability `json:"capabilities_used,omitempty" yaml:"capabilities_used,omitempty"`
|
|
DerivedCapabilities []CaringDerivedCapability `json:"derived_capabilities,omitempty" yaml:"derived_capabilities,omitempty"`
|
|
ExposureModes []ExposureMode `json:"exposure_modes,omitempty" yaml:"exposure_modes,omitempty"`
|
|
Reason string `json:"reason" yaml:"reason"`
|
|
AuthoritySource string `json:"authority_source,omitempty" yaml:"authority_source,omitempty"`
|
|
Approval string `json:"approval,omitempty" yaml:"approval,omitempty"`
|
|
StartTime string `json:"start_time,omitempty" yaml:"start_time,omitempty"`
|
|
EndTime string `json:"end_time,omitempty" yaml:"end_time,omitempty"`
|
|
ResourcesAccessed []string `json:"resources_accessed,omitempty" yaml:"resources_accessed,omitempty"`
|
|
Evidence []string `json:"evidence,omitempty" yaml:"evidence,omitempty"`
|
|
NotificationStatus string `json:"notification_status,omitempty" yaml:"notification_status,omitempty"`
|
|
PostReview string `json:"post_review,omitempty" yaml:"post_review,omitempty"`
|
|
ConformanceFindings []CaringConformanceFinding `json:"conformance_findings,omitempty" yaml:"conformance_findings,omitempty"`
|
|
Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
|
|
}
|