diff --git a/pkg/domain/cloudproviders.go b/pkg/domain/cloudproviders.go index 178668c6..1a129962 100644 --- a/pkg/domain/cloudproviders.go +++ b/pkg/domain/cloudproviders.go @@ -1,5 +1,7 @@ package domain +import "github.com/google/uuid" + type CloudProvider struct { ID string Name string @@ -27,3 +29,133 @@ type GetCloudKeystoreRequest struct { CloudKeystoreID *string CloudKeystoreName *string } + +type MachineIdentityStatus int + +const ( + MachineIdentityStatusUnknown MachineIdentityStatus = iota + MachineIdentityStatusNew + MachineIdentityStatusPending + MachineIdentityStatusInstalled + MachineIdentityStatusDiscovered + MachineIdentityStatusValidated + MachineIdentityStatusMissing + MachineIdentityStatusFailed + + MachineIdentityStatusUnknownStr = "UNKNOWN" + MachineIdentityStatusNewStr = "NEW" + MachineIdentityStatusPendingStr = "PENDING" + MachineIdentityStatusInstalledStr = "INSTALLED" + MachineIdentityStatusDiscoveredStr = "DISCOVERED" + MachineIdentityStatusValidatedStr = "VALIDATED" + MachineIdentityStatusMissingStr = "MISSING" + MachineIdentityStatusFailedStr = "FAILED" + + CloudMetadataACM = "AWS" + CloudMetadataGCM = "GCM" + CloudMetadataAKV = "AKV" + CloudMetadataUnknown = "UNKNOWN" +) + +func (mis MachineIdentityStatus) String() string { + switch mis { + case MachineIdentityStatusNew: + return MachineIdentityStatusNewStr + case MachineIdentityStatusPending: + return MachineIdentityStatusPendingStr + case MachineIdentityStatusInstalled: + return MachineIdentityStatusInstalledStr + case MachineIdentityStatusDiscovered: + return MachineIdentityStatusDiscoveredStr + case MachineIdentityStatusValidated: + return MachineIdentityStatusValidatedStr + case MachineIdentityStatusMissing: + return MachineIdentityStatusMissingStr + case MachineIdentityStatusFailed: + return MachineIdentityStatusFailedStr + default: + return MachineIdentityStatusUnknownStr + } +} + +func GetMachineIdentityStatus(status string) MachineIdentityStatus { + switch status { + case MachineIdentityStatusNewStr: + return MachineIdentityStatusNew + case MachineIdentityStatusPendingStr: + return MachineIdentityStatusPending + case MachineIdentityStatusInstalledStr: + return MachineIdentityStatusInstalled + case MachineIdentityStatusDiscoveredStr: + return MachineIdentityStatusDiscovered + case MachineIdentityStatusValidatedStr: + return MachineIdentityStatusValidated + case MachineIdentityStatusMissingStr: + return MachineIdentityStatusMissing + case MachineIdentityStatusFailedStr: + return MachineIdentityStatusFailed + default: + return MachineIdentityStatusUnknown + } +} + +type CertificateCloudMetadata struct { + values map[string]interface{} +} + +func NewCertificateCloudMetadata(values map[string]interface{}) CertificateCloudMetadata { + return CertificateCloudMetadata{ + values: values, + } +} + +func (ccm *CertificateCloudMetadata) GetType() string { + typ := ccm.GetValue("__typename") + if typ == nil { + return CloudMetadataUnknown + } + switch typ { + case "AWSCertificateMetadata": + return CloudMetadataACM + case "AzureCertificateMetadata": + return CloudMetadataGCM + case "GCPCertificateMetadata": + return CloudMetadataAKV + default: + return CloudMetadataUnknown + } +} + +func (ccm *CertificateCloudMetadata) GetMetadata() map[string]interface{} { + return ccm.values +} + +func (ccm *CertificateCloudMetadata) GetValue(key string) interface{} { + if key == "" { + return nil + } + if ccm.values == nil { + return nil + } + return ccm.values[key] +} + +type CloudMachineIdentity struct { + ID uuid.UUID + CloudKeystoreID uuid.UUID + CloudKeystoreName string + CloudProviderID uuid.UUID + CloudProviderName string + CertificateID uuid.UUID + Metadata *CertificateCloudMetadata + Status MachineIdentityStatus + StatusDetails string +} + +type GetCloudMachineIdentityRequest struct { + KeystoreID *string + MachineIdentityID *string + Fingerprints []string + NewlyDiscovered *bool + Metadata *string +} diff --git a/pkg/venafi/cloud/cloudproviders.go b/pkg/venafi/cloud/cloudproviders.go index 0df3dcb2..7e4dfe45 100644 --- a/pkg/venafi/cloud/cloudproviders.go +++ b/pkg/venafi/cloud/cloudproviders.go @@ -225,8 +225,6 @@ func (c *Connector) GetCloudKeystoreByName(cloudProviderID string, cloudKeystore request := domain.GetCloudKeystoreRequest{ CloudProviderID: &cloudProviderID, - CloudProviderName: nil, - CloudKeystoreID: nil, CloudKeystoreName: &cloudKeystoreName, } @@ -240,6 +238,23 @@ func (c *Connector) GetCloudKeystoreByName(cloudProviderID string, cloudKeystore return cloudKeystore, nil } +func (c *Connector) GetMachineIdentityByID(machineIdentityID string) (*domain.CloudMachineIdentity, error) { + if machineIdentityID == "" { + return nil, fmt.Errorf("machine identity ID cannot be empty") + } + request := domain.GetCloudMachineIdentityRequest{ + MachineIdentityID: &machineIdentityID, + } + machineIdentity, err := c.cloudProvidersClient.GetMachineIdentity(context.Background(), request) + if err != nil { + return nil, fmt.Errorf("failed to retrieve Cloud Machine Identity with ID %s: %w", machineIdentityID, err) + } + if machineIdentity == nil { + return nil, fmt.Errorf("could not find Cloud Machine Identity with ID %s", machineIdentityID) + } + return machineIdentity, nil +} + func getCloudMetadataFromWebsocketResponse(respMap interface{}, keystoreType string, keystoreId string) (*CloudProvisioningMetadata, error) { val := CloudKeystoreProvisioningResult{} diff --git a/pkg/webclient/cloudproviders/cloudproviders.gen.go b/pkg/webclient/cloudproviders/cloudproviders.gen.go index 31dd6ed3..badf28e2 100644 --- a/pkg/webclient/cloudproviders/cloudproviders.gen.go +++ b/pkg/webclient/cloudproviders/cloudproviders.gen.go @@ -4,6 +4,8 @@ package cloudproviders import ( "context" + "encoding/json" + "fmt" "github.com/Khan/genqlient/graphql" ) @@ -294,6 +296,357 @@ func (v *GetCloudProviderByNameResponse) GetCloudProviders() *GetCloudProviderBy return v.CloudProviders } +// GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnection includes the requested fields of the GraphQL type MachineIdentityConnection. +// The GraphQL type's documentation follows. +// +// A page of MachineIdentity results +type GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnection struct { + // MachineIdentity in the current page, without cursor + Nodes []*GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity `json:"nodes"` +} + +// GetNodes returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnection.Nodes, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnection) GetNodes() []*GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity { + return v.Nodes +} + +// GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity includes the requested fields of the GraphQL type MachineIdentity. +type GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity struct { + Id string `json:"id"` + CloudKeystoreId string `json:"cloudKeystoreId"` + CloudKeystoreName *string `json:"cloudKeystoreName"` + CloudProviderId *string `json:"cloudProviderId"` + CloudProviderName *string `json:"cloudProviderName"` + Metadata *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata `json:"-"` + Status MachineIdentityStatus `json:"status"` + StatusDetails *string `json:"statusDetails"` + CertificateId string `json:"certificateId"` +} + +// GetId returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity.Id, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity) GetId() string { + return v.Id +} + +// GetCloudKeystoreId returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity.CloudKeystoreId, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity) GetCloudKeystoreId() string { + return v.CloudKeystoreId +} + +// GetCloudKeystoreName returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity.CloudKeystoreName, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity) GetCloudKeystoreName() *string { + return v.CloudKeystoreName +} + +// GetCloudProviderId returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity.CloudProviderId, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity) GetCloudProviderId() *string { + return v.CloudProviderId +} + +// GetCloudProviderName returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity.CloudProviderName, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity) GetCloudProviderName() *string { + return v.CloudProviderName +} + +// GetMetadata returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity.Metadata, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity) GetMetadata() *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata { + return v.Metadata +} + +// GetStatus returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity.Status, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity) GetStatus() MachineIdentityStatus { + return v.Status +} + +// GetStatusDetails returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity.StatusDetails, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity) GetStatusDetails() *string { + return v.StatusDetails +} + +// GetCertificateId returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity.CertificateId, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity) GetCertificateId() string { + return v.CertificateId +} + +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity) UnmarshalJSON(b []byte) error { + + if string(b) == "null" { + return nil + } + + var firstPass struct { + *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity + Metadata json.RawMessage `json:"metadata"` + graphql.NoUnmarshalJSON + } + firstPass.GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity = v + + err := json.Unmarshal(b, &firstPass) + if err != nil { + return err + } + + { + dst := &v.Metadata + src := firstPass.Metadata + if len(src) != 0 && string(src) != "null" { + *dst = new(GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata) + err = __unmarshalGetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata( + src, *dst) + if err != nil { + return fmt.Errorf( + "unable to unmarshal GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity.Metadata: %w", err) + } + } + } + return nil +} + +type __premarshalGetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity struct { + Id string `json:"id"` + + CloudKeystoreId string `json:"cloudKeystoreId"` + + CloudKeystoreName *string `json:"cloudKeystoreName"` + + CloudProviderId *string `json:"cloudProviderId"` + + CloudProviderName *string `json:"cloudProviderName"` + + Metadata json.RawMessage `json:"metadata"` + + Status MachineIdentityStatus `json:"status"` + + StatusDetails *string `json:"statusDetails"` + + CertificateId string `json:"certificateId"` +} + +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity) MarshalJSON() ([]byte, error) { + premarshaled, err := v.__premarshalJSON() + if err != nil { + return nil, err + } + return json.Marshal(premarshaled) +} + +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity) __premarshalJSON() (*__premarshalGetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity, error) { + var retval __premarshalGetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity + + retval.Id = v.Id + retval.CloudKeystoreId = v.CloudKeystoreId + retval.CloudKeystoreName = v.CloudKeystoreName + retval.CloudProviderId = v.CloudProviderId + retval.CloudProviderName = v.CloudProviderName + { + + dst := &retval.Metadata + src := v.Metadata + if src != nil { + var err error + *dst, err = __marshalGetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata( + src) + if err != nil { + return nil, fmt.Errorf( + "unable to marshal GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity.Metadata: %w", err) + } + } + } + retval.Status = v.Status + retval.StatusDetails = v.StatusDetails + retval.CertificateId = v.CertificateId + return &retval, nil +} + +// GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAWSCertificateMetadata includes the requested fields of the GraphQL type AWSCertificateMetadata. +type GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAWSCertificateMetadata struct { + Typename *string `json:"__typename"` + Arn string `json:"arn"` +} + +// GetTypename returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAWSCertificateMetadata.Typename, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAWSCertificateMetadata) GetTypename() *string { + return v.Typename +} + +// GetArn returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAWSCertificateMetadata.Arn, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAWSCertificateMetadata) GetArn() string { + return v.Arn +} + +// GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAzureCertificateMetadata includes the requested fields of the GraphQL type AzureCertificateMetadata. +type GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAzureCertificateMetadata struct { + Typename *string `json:"__typename"` + AzureId string `json:"azureId"` + Name string `json:"name"` + Version string `json:"version"` +} + +// GetTypename returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAzureCertificateMetadata.Typename, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAzureCertificateMetadata) GetTypename() *string { + return v.Typename +} + +// GetAzureId returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAzureCertificateMetadata.AzureId, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAzureCertificateMetadata) GetAzureId() string { + return v.AzureId +} + +// GetName returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAzureCertificateMetadata.Name, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAzureCertificateMetadata) GetName() string { + return v.Name +} + +// GetVersion returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAzureCertificateMetadata.Version, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAzureCertificateMetadata) GetVersion() string { + return v.Version +} + +// GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata includes the requested fields of the GraphQL interface CertificateCloudMetadata. +// +// GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata is implemented by the following types: +// GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAWSCertificateMetadata +// GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAzureCertificateMetadata +// GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataGCPCertificateMetadata +type GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata interface { + implementsGraphQLInterfaceGetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata() + // GetTypename returns the receiver's concrete GraphQL type-name (see interface doc for possible values). + GetTypename() *string +} + +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAWSCertificateMetadata) implementsGraphQLInterfaceGetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata() { +} +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAzureCertificateMetadata) implementsGraphQLInterfaceGetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata() { +} +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataGCPCertificateMetadata) implementsGraphQLInterfaceGetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata() { +} + +func __unmarshalGetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata(b []byte, v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata) error { + if string(b) == "null" { + return nil + } + + var tn struct { + TypeName string `json:"__typename"` + } + err := json.Unmarshal(b, &tn) + if err != nil { + return err + } + + switch tn.TypeName { + case "AWSCertificateMetadata": + *v = new(GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAWSCertificateMetadata) + return json.Unmarshal(b, *v) + case "AzureCertificateMetadata": + *v = new(GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAzureCertificateMetadata) + return json.Unmarshal(b, *v) + case "GCPCertificateMetadata": + *v = new(GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataGCPCertificateMetadata) + return json.Unmarshal(b, *v) + case "": + return fmt.Errorf( + "response was missing CertificateCloudMetadata.__typename") + default: + return fmt.Errorf( + `unexpected concrete type for GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata: "%v"`, tn.TypeName) + } +} + +func __marshalGetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata(v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata) ([]byte, error) { + + var typename string + switch v := (*v).(type) { + case *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAWSCertificateMetadata: + typename = "AWSCertificateMetadata" + + result := struct { + TypeName string `json:"__typename"` + *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAWSCertificateMetadata + }{typename, v} + return json.Marshal(result) + case *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAzureCertificateMetadata: + typename = "AzureCertificateMetadata" + + result := struct { + TypeName string `json:"__typename"` + *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataAzureCertificateMetadata + }{typename, v} + return json.Marshal(result) + case *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataGCPCertificateMetadata: + typename = "GCPCertificateMetadata" + + result := struct { + TypeName string `json:"__typename"` + *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataGCPCertificateMetadata + }{typename, v} + return json.Marshal(result) + case nil: + return []byte("null"), nil + default: + return nil, fmt.Errorf( + `unexpected concrete type for GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataCertificateCloudMetadata: "%T"`, v) + } +} + +// GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataGCPCertificateMetadata includes the requested fields of the GraphQL type GCPCertificateMetadata. +type GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataGCPCertificateMetadata struct { + Typename *string `json:"__typename"` + GcpId string `json:"gcpId"` + Name string `json:"name"` +} + +// GetTypename returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataGCPCertificateMetadata.Typename, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataGCPCertificateMetadata) GetTypename() *string { + return v.Typename +} + +// GetGcpId returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataGCPCertificateMetadata.GcpId, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataGCPCertificateMetadata) GetGcpId() string { + return v.GcpId +} + +// GetName returns GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataGCPCertificateMetadata.Name, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentityMetadataGCPCertificateMetadata) GetName() string { + return v.Name +} + +// GetMachineIdentitiesResponse is returned by GetMachineIdentities on success. +type GetMachineIdentitiesResponse struct { + // Retrieves machine identities for a Cloud Keystore. + // The pagination can be either forward or backward. To enable forward pagination, two arguments + // are used: `after` and `first`. To enable backward pagination, two arguments are used: `before` and `last`. + // If arguments for both forward and backward pagination are supplied, forward pagination wil be used. If no arguments + // are supplied, it returns the first page of 10 machine identities (i.e. defaults `first` to 10). The result is sorted by + // the added on date in descending order. + // - after: returns the elements in the list that come after the specified cursor. Defaults to empty string, meaning + // that we return the first page of certificates, if `first` value is supplied + // - first: non-negative integer, denoting the first `n` number of records to return after the `after` cursor value. + // Max value is 1000 + // - before: returns the elements in the list that come before the specified cursor. By default is the empty string, + // meaning that the results will be the last page, if `last` value is supplied + // - last: non-negative integer, denoting the last `n` number of records to return before the `before` cursor value. + // Max value is 1000 + CloudMachineIdentities *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnection `json:"cloudMachineIdentities"` +} + +// GetCloudMachineIdentities returns GetMachineIdentitiesResponse.CloudMachineIdentities, and is useful for accessing the field via an interface. +func (v *GetMachineIdentitiesResponse) GetCloudMachineIdentities() *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnection { + return v.CloudMachineIdentities +} + +type MachineIdentityStatus string + +const ( + MachineIdentityStatusNew MachineIdentityStatus = "NEW" + MachineIdentityStatusPending MachineIdentityStatus = "PENDING" + MachineIdentityStatusInstalled MachineIdentityStatus = "INSTALLED" + MachineIdentityStatusDiscovered MachineIdentityStatus = "DISCOVERED" + MachineIdentityStatusValidated MachineIdentityStatus = "VALIDATED" + MachineIdentityStatusMissing MachineIdentityStatus = "MISSING" + MachineIdentityStatusFailed MachineIdentityStatus = "FAILED" +) + // ProvisionCertificateProvisionToCloudKeystoreWorkflowResult includes the requested fields of the GraphQL type WorkflowResult. type ProvisionCertificateProvisionToCloudKeystoreWorkflowResult struct { WorkflowId string `json:"workflowId"` @@ -349,6 +702,30 @@ type __GetCloudProviderByNameInput struct { // GetName returns __GetCloudProviderByNameInput.Name, and is useful for accessing the field via an interface. func (v *__GetCloudProviderByNameInput) GetName() string { return v.Name } +// __GetMachineIdentitiesInput is used internally by genqlient +type __GetMachineIdentitiesInput struct { + CloudKeystoreId *string `json:"cloudKeystoreId"` + MachineIdentityId *string `json:"machineIdentityId"` + Fingerprints []string `json:"fingerprints"` + NewlyDiscovered *bool `json:"newlyDiscovered"` + Metadata *string `json:"metadata"` +} + +// GetCloudKeystoreId returns __GetMachineIdentitiesInput.CloudKeystoreId, and is useful for accessing the field via an interface. +func (v *__GetMachineIdentitiesInput) GetCloudKeystoreId() *string { return v.CloudKeystoreId } + +// GetMachineIdentityId returns __GetMachineIdentitiesInput.MachineIdentityId, and is useful for accessing the field via an interface. +func (v *__GetMachineIdentitiesInput) GetMachineIdentityId() *string { return v.MachineIdentityId } + +// GetFingerprints returns __GetMachineIdentitiesInput.Fingerprints, and is useful for accessing the field via an interface. +func (v *__GetMachineIdentitiesInput) GetFingerprints() []string { return v.Fingerprints } + +// GetNewlyDiscovered returns __GetMachineIdentitiesInput.NewlyDiscovered, and is useful for accessing the field via an interface. +func (v *__GetMachineIdentitiesInput) GetNewlyDiscovered() *bool { return v.NewlyDiscovered } + +// GetMetadata returns __GetMachineIdentitiesInput.Metadata, and is useful for accessing the field via an interface. +func (v *__GetMachineIdentitiesInput) GetMetadata() *string { return v.Metadata } + // __ProvisionCertificateInput is used internally by genqlient type __ProvisionCertificateInput struct { CertificateId string `json:"certificateId"` @@ -459,6 +836,73 @@ func GetCloudProviderByName( return &data_, err_ } +// The query or mutation executed by GetMachineIdentities. +const GetMachineIdentities_Operation = ` +query GetMachineIdentities ($cloudKeystoreId: UUID, $machineIdentityId: UUID, $fingerprints: [String!], $newlyDiscovered: Boolean, $metadata: String) { + cloudMachineIdentities(filter: {cloudKeystoreId:$cloudKeystoreId,machineIdentityId:$machineIdentityId,fingerprints:$fingerprints,newlyDiscovered:$newlyDiscovered,metadata:$metadata}) { + nodes { + id + cloudKeystoreId + cloudKeystoreName + cloudProviderId + cloudProviderName + metadata { + __typename + ... on AWSCertificateMetadata { + arn + } + ... on AzureCertificateMetadata { + azureId + name + version + } + ... on GCPCertificateMetadata { + gcpId + name + } + } + status + statusDetails + certificateId + } + } +} +` + +func GetMachineIdentities( + ctx_ context.Context, + client_ graphql.Client, + cloudKeystoreId *string, + machineIdentityId *string, + fingerprints []string, + newlyDiscovered *bool, + metadata *string, +) (*GetMachineIdentitiesResponse, error) { + req_ := &graphql.Request{ + OpName: "GetMachineIdentities", + Query: GetMachineIdentities_Operation, + Variables: &__GetMachineIdentitiesInput{ + CloudKeystoreId: cloudKeystoreId, + MachineIdentityId: machineIdentityId, + Fingerprints: fingerprints, + NewlyDiscovered: newlyDiscovered, + Metadata: metadata, + }, + } + var err_ error + + var data_ GetMachineIdentitiesResponse + resp_ := &graphql.Response{Data: &data_} + + err_ = client_.MakeRequest( + ctx_, + req_, + resp_, + ) + + return &data_, err_ +} + // The query or mutation executed by ProvisionCertificate. const ProvisionCertificate_Operation = ` mutation ProvisionCertificate ($certificateId: UUID!, $cloudKeystoreId: UUID!, $wsClientId: UUID!, $options: CertificateProvisioningOptionsInput) { diff --git a/pkg/webclient/cloudproviders/cloudproviders.go b/pkg/webclient/cloudproviders/cloudproviders.go index 07a499e4..f69788f0 100644 --- a/pkg/webclient/cloudproviders/cloudproviders.go +++ b/pkg/webclient/cloudproviders/cloudproviders.go @@ -2,10 +2,12 @@ package cloudproviders import ( "context" + "encoding/json" "fmt" "net/http" "github.com/Khan/genqlient/graphql" + "github.com/google/uuid" "github.com/Venafi/vcert/v5/pkg/domain" ) @@ -83,6 +85,24 @@ func (c *CloudProvidersClient) GetCloudKeystore(ctx context.Context, request dom }, nil } +func (c *CloudProvidersClient) GetMachineIdentity(ctx context.Context, request domain.GetCloudMachineIdentityRequest) (*domain.CloudMachineIdentity, error) { + if request.MachineIdentityID == nil { + return nil, fmt.Errorf("machine identity ID missing") + } + + resp, err := GetMachineIdentities(ctx, c.graphqlClient, request.KeystoreID, request.MachineIdentityID, request.Fingerprints, request.NewlyDiscovered, request.Metadata) + if err != nil { + return nil, fmt.Errorf("failed to retrieve cloud machine identity with id %s: %w", *request.MachineIdentityID, err) + } + if len(resp.CloudMachineIdentities.Nodes) != 1 { + return nil, fmt.Errorf("could not find cloud machine identity with with ID %s", *request.MachineIdentityID) + } + + mi := resp.CloudMachineIdentities.Nodes[0] + + return mi.toDomain() +} + func getKeystoreOptionsString(cloudProviderID *string, cloudKeystoreID *string, cloudProviderName *string, cloudKeystoreName *string) string { msg := "" if cloudProviderID != nil { @@ -125,3 +145,97 @@ func (c *CloudProvidersClient) ProvisionCertificate(ctx context.Context, certifi WorkflowName: resp.GetProvisionToCloudKeystore().GetWorkflowName(), }, nil } + +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity) toDomain() (*domain.CloudMachineIdentity, error) { + id, err := uuid.Parse(v.Id) + if err != nil { + return nil, fmt.Errorf("failed to parse cloud machine identity id %s: %w", v.Id, err) + } + keystoreID, err := uuid.Parse(v.CloudKeystoreId) + if err != nil { + return nil, fmt.Errorf("failed to parse cloud key store id %s: %w", v.CloudKeystoreId, err) + } + certificateID, err := uuid.Parse(v.CertificateId) + if err != nil { + return nil, fmt.Errorf("failed to parse cloud certificate id %s: %w", v.CertificateId, err) + } + providerIDStr := "" + if v.CloudProviderId != nil { + providerIDStr = *v.CloudProviderId + } + providerID, err := uuid.Parse(providerIDStr) + if err != nil { + return nil, fmt.Errorf("failed to parse cloud provider id %s: %w", providerIDStr, err) + } + + keystoreName := "" + if v.CloudKeystoreName != nil { + keystoreName = *v.CloudKeystoreName + } + providerName := "" + if v.CloudProviderName != nil { + providerName = *v.CloudProviderName + } + statusDetails := "" + if v.StatusDetails != nil { + statusDetails = *v.StatusDetails + } + metadata, err := v.metadataToDomain() + if err != nil { + return nil, fmt.Errorf("failed to parse cloud certificate metadata: %w", err) + } + + return &domain.CloudMachineIdentity{ + ID: id, + CloudKeystoreID: keystoreID, + CloudKeystoreName: keystoreName, + CloudProviderID: providerID, + CloudProviderName: providerName, + CertificateID: certificateID, + Metadata: metadata, + Status: v.Status.toDomain(), + StatusDetails: statusDetails, + }, nil +} + +func (mis MachineIdentityStatus) toDomain() domain.MachineIdentityStatus { + switch mis { + case MachineIdentityStatusNew: + return domain.MachineIdentityStatusNew + case MachineIdentityStatusPending: + return domain.MachineIdentityStatusPending + case MachineIdentityStatusInstalled: + return domain.MachineIdentityStatusInstalled + case MachineIdentityStatusDiscovered: + return domain.MachineIdentityStatusDiscovered + case MachineIdentityStatusValidated: + return domain.MachineIdentityStatusValidated + case MachineIdentityStatusMissing: + return domain.MachineIdentityStatusMissing + case MachineIdentityStatusFailed: + return domain.MachineIdentityStatusFailed + default: + return domain.MachineIdentityStatusUnknown + } +} + +func (v *GetMachineIdentitiesCloudMachineIdentitiesMachineIdentityConnectionNodesMachineIdentity) metadataToDomain() (*domain.CertificateCloudMetadata, error) { + if v.Metadata == nil { + return nil, nil + } + m := *v.Metadata + + data, err := json.Marshal(m) + if err != nil { + return nil, fmt.Errorf("failed to marshal cloud certificate metadata: %w", err) + } + + values := make(map[string]interface{}) + err = json.Unmarshal(data, &values) + if err != nil { + return nil, fmt.Errorf("failed to unmarshal cloud certificate metadata: %w", err) + } + + certMetadata := domain.NewCertificateCloudMetadata(values) + return &certMetadata, nil +} diff --git a/pkg/webclient/cloudproviders/genqlient.graphql b/pkg/webclient/cloudproviders/genqlient.graphql index 13aff8eb..3bdf6122 100644 --- a/pkg/webclient/cloudproviders/genqlient.graphql +++ b/pkg/webclient/cloudproviders/genqlient.graphql @@ -33,3 +33,32 @@ query GetCloudProviderByName($name: String!){ } } } + +query GetMachineIdentities($cloudKeystoreId: UUID, $machineIdentityId: UUID, $fingerprints: [String!], $newlyDiscovered: Boolean, $metadata: String){ + cloudMachineIdentities(filter: {cloudKeystoreId: $cloudKeystoreId, machineIdentityId: $machineIdentityId, fingerprints: $fingerprints, newlyDiscovered: $newlyDiscovered, metadata: $metadata}){ + nodes { + id + cloudKeystoreId + cloudKeystoreName + cloudProviderId + cloudProviderName + metadata { + ... on AWSCertificateMetadata { + arn + } + ... on AzureCertificateMetadata { + azureId + name + version + } + ... on GCPCertificateMetadata { + gcpId + name + } + } + status + statusDetails + certificateId + } + } +} \ No newline at end of file diff --git a/pkg/webclient/cloudproviders/genqlient.yaml b/pkg/webclient/cloudproviders/genqlient.yaml index 05150a0e..ff824f0a 100644 --- a/pkg/webclient/cloudproviders/genqlient.yaml +++ b/pkg/webclient/cloudproviders/genqlient.yaml @@ -1,6 +1,6 @@ # For full documentation see: # https://github.com/Khan/genqlient/blob/main/docs/genqlient.yaml -schema: ../../../api/graphql/schema.graphql +schema: schema.graphql operations: - genqlient.graphql generated: cloudproviders.gen.go diff --git a/api/graphql/schema.graphql b/pkg/webclient/cloudproviders/schema.graphql similarity index 87% rename from api/graphql/schema.graphql rename to pkg/webclient/cloudproviders/schema.graphql index e706324b..b234d9bb 100644 --- a/api/graphql/schema.graphql +++ b/pkg/webclient/cloudproviders/schema.graphql @@ -68,21 +68,6 @@ type ApplicationMatchingRule included: Boolean } -""" -ApplicationMatchingRuleResourceConfig provides a configuration structure for applications that should be included in matching -""" -input ApplicationMatchingRuleResourceConfig -@join__type(graph: COMPLIANCE_POLICY) -{ - """ApplicationID is the ID of the application to be used in matching""" - applicationID: String! - - """ - Included states if this application is included or excluded in matching - """ - included: Boolean -} - enum AttributeEnumOperator @join__type(graph: TLSPK) { @@ -224,12 +209,12 @@ type Certificate All other versions of the current certificate. This will return null for nested certificates. The pagination can be either forward or backward. To enable forward pagination, two arguments are used: `after` and `first`. To enable backward pagination, two arguments are used: `before` and `last`. - However, 'after' and 'before' arguments are only valid for 'certificate' queries. + However, 'after' and 'before' arguments are only valid for 'certificate' queries (i.e. single certificate result) If arguments for both forward and backward pagination are supplied, forward pagination will be used. If no arguments - are supplied, it returns the first page of 10 certificates (i.e. defaults `first` to 10). The result is sorted by - fingerprints in ascending order. + are supplied, it returns the first page of 10 certificates (i.e. defaults `first` to 10). If orderBy is not + specified, the result will be sorted by fingerprints in ascending order. """ - relatedCertificates(after: String, before: String, first: Int, last: Int): CertificateConnection @join__field(graph: CERTIFICATE_INVENTORY) + relatedCertificates(after: String, before: String, first: Int, last: Int, orderBy: [RelatedCertificateOrderInput!]): CertificateConnection @join__field(graph: CERTIFICATE_INVENTORY) certificateValidationErrors: [ValidationError!] @join__field(graph: CERTIFICATE_INVENTORY) certificateErrorCount: ValidationErrorCount! @join__field(graph: CERTIFICATE_INVENTORY) @join__field(graph: COMPUTED_FIELDS, external: true) origins: [String!]! @join__field(graph: CERTIFICATE_INVENTORY, override: "computed-fields") @@ -413,6 +398,24 @@ type CertificateEdge cursor: String! } +""" +CertificateEvaluationRuleAttributesInput provides information on which attributes are used for evaluation +""" +input CertificateEvaluationRuleAttributesInput +@join__type(graph: COMPLIANCE_POLICY) +{ + """ + CertificateAuthorityFingerprints allows to filter by certificate authority for Issuing CA evaluation type + """ + certificateAuthorityFingerprints: CompliancePolicyFieldStringFilter + + """And allows for chaining AND logic""" + and: [CertificateEvaluationRuleAttributesInput!] + + """Or allows for chaining OR logic""" + or: [CertificateEvaluationRuleAttributesInput!] +} + """ Identifies the intended usage for which the public-key certificate has been issued """ @@ -471,14 +474,33 @@ input CertificateListFilter hasValue: Boolean } +""" +CertificateMatchingRuleAttributesInput provides information on which attributes are used for matching for certificate resources +""" +input CertificateMatchingRuleAttributesInput +@join__type(graph: COMPLIANCE_POLICY) +{ + """ApplicationIDs allows to filter by application""" + applicationIDs: CompliancePolicyFieldStringFilter + + """Tags allows to filter by application""" + tags: CompliancePolicyFieldStringFilter + + """And allows for chaining AND logic""" + and: [CertificateMatchingRuleAttributesInput!] + + """Or allows for chaining OR logic""" + or: [CertificateMatchingRuleAttributesInput!] +} + input CertificateNumberFilter @join__type(graph: SEARCH) { """The generic number value for certificate we want to match""" - eq: Int + eq: Int64 """The generic number value for certificate we don't want to match""" - neq: Int + neq: Int64 """ The generic number range value for certificate that we want to assert whether the number value is within the specified range @@ -495,10 +517,10 @@ input CertificateNumberRange @join__type(graph: SEARCH) { """The minimum number value we want to match on""" - gte: Int + gte: Int64 """The maximum number value we want to match on""" - lte: Int + lte: Int64 } """CertificateOrderField defines the fields that can be used for ordering""" @@ -525,6 +547,9 @@ enum CertificateOrderField """Order by field lastModifiedTime""" LAST_MODIFIED_TIME @join__enumValue(graph: SEARCH) + + """Order by field revocation.status""" + REVOCATION_STATUS @join__enumValue(graph: SEARCH) } """ @@ -738,6 +763,9 @@ input CertificateSearchAttributesInput """Filter by field 'origins'""" origins: CertificateOriginFilter + """Filter by field 'revocation.status'""" + revocationStatus: RevocationStatusFilter + """Filter by field 'dekHash'""" dekHash: CertificateStringFilter @@ -760,7 +788,7 @@ input CertificateSearchAttributesInput publicKeyInformationOID: CertificateStringFilter """Filter by field 'subjectHashAlgorithm'""" - signatureHashAlgorithm: CertificateStringFilter + signatureHashAlgorithm: SignatureHashAlgorithmFilter """Filter by field 'status'""" status: CertificateStatusFilter @@ -835,6 +863,9 @@ input CertificateSearchAttributesInput """Filter by field 'validity.to'""" validityTo: CertificateDateFilter + """Filter by field 'validity.period'""" + validityPeriod: CertificateNumberFilter + """Filter by field 'clusterCertificateInstallations.nodes.__typename'""" clusterCertificateInstallationTypeName: CertificateStringFilter @@ -855,11 +886,8 @@ input CertificateSearchAttributesInput """ clusterCertificateInstallationClusterSecretUsedBy: CertificateStringFilter - """Filter by field 'cloudInstallations.nodes.metadata.arn'""" - cloudInstallationsMetadataArn: CertificateStringFilter - - """Filter by field 'cloudInstallations.nodes.metadata.name'""" - cloudInstallationsMetadataName: CertificateStringFilter + """Filter by field 'cloudInstallations.nodes.metadata.cloudId'""" + cloudInstallationsCloudId: CertificateStringFilter """Filter by field 'cloudInstallations.nodes.cloudKeystoreId'""" cloudInstallationsCloudKeystoreId: CertificateStringFilter @@ -970,6 +998,20 @@ input CertificateStringFilter hasValue: Boolean } +""" +CertificateType defines what type of certificate the trusted CA cert is +""" +enum CertificateType +@join__type(graph: CERTIFICATE) +{ + ROOT_CA @join__enumValue(graph: CERTIFICATE) + SELF_ISSUED_CA @join__enumValue(graph: CERTIFICATE) + CA @join__enumValue(graph: CERTIFICATE) + CROSS_CA @join__enumValue(graph: CERTIFICATE) + END_ENTITY @join__enumValue(graph: CERTIFICATE) + END_ENTITY_AC @join__enumValue(graph: CERTIFICATE) +} + type CertificateValidationError implements ValidationError @join__implements(graph: CERTIFICATE_INVENTORY, interface: "ValidationError") @join__type(graph: CERTIFICATE_INVENTORY) @@ -998,6 +1040,9 @@ type CertificateValidity { from: DateTime to: DateTime + + """ certificate validity period in seconds""" + period: Int64 } type ChainValidationError implements ValidationError @@ -1071,6 +1116,17 @@ type CloudDiscoveryConfiguration includeRevokedCertificates: Boolean! } +input CloudDiscoveryConfigurationInput +@join__type(graph: CLOUD_PROVIDERS) +{ + """ + A crontab expression representing when the scheduled discovery will run, eg: '00 03 * * *' -> 3 AM every day + """ + scheduleSpecification: String + includeExpiredCertificates: Boolean + includeRevokedCertificates: Boolean +} + """Indicates the status of a cloud discovery""" enum CloudDiscoveryStatus @join__type(graph: CLOUD_PROVIDERS) @@ -1239,6 +1295,7 @@ input CloudKeystoreInput acmConfiguration: CloudKeystoreACMConfigurationInput akvConfiguration: CloudKeystoreAKVConfigurationInput gcmConfiguration: CloudKeystoreGCMConfigurationInput + discoveryConfiguration: CloudDiscoveryConfigurationInput } """ @@ -1321,12 +1378,14 @@ input CloudKeystoreUpdateInput name: String teamId: UUID authorizedTeams: [UUID!] + discoveryConfiguration: CloudDiscoveryConfigurationInput } input CloudMachineIdentitiesFilterInput @join__type(graph: CLOUD_PROVIDERS) { cloudKeystoreId: UUID + machineIdentityId: UUID fingerprints: [String!] newlyDiscovered: Boolean metadata: String @@ -1641,9 +1700,14 @@ type Cluster serviceAccount: ServiceAccount """ - CertificateConnection is the connection to list of certificates per cluster + Certificates is the connection to list of certificates per cluster that were sent to cert-inventory """ certificates: CertificateConnection + + """ + UniqueCertificates is the total number of unique certificates currently in the cluster + """ + uniqueCertificates: Int! } type ClusterCertificateBinding @@ -1847,8 +1911,16 @@ type CompliancePolicy """Findings is a list of findings found per policy""" findings: CompliancePolicyFindingConnection - """CreatedOn shows the time the compliance policy was created""" - createdOn: String + """UpdatedOn shows the time the compliance policy was last updated""" + updatedOn: String + + """Active states whether this policy is active for evaluation""" + active: Boolean + + """ + RemediationText is text used to inform a user of what steps can be taken to fix issues + """ + remediationText: String } """ @@ -1882,15 +1954,20 @@ input CompliancePolicyCreateInput """Description is the description to create for the compliance policy""" description: String + """ + RemediationText is the input to provide feedback on how to resolve policy issues + """ + remediationText: String + """ MatchingRules is the configured matching rules to attach to the compliance policy """ - matchingRules: [CompliancePolicyMatchingRuleInput!] + matchingRules: CompliancePolicyMatchingRuleInput """ EvaluationRules is the configured evaluation rules to attach to the compliance policy """ - evaluationRules: [CompliancePolicyEvaluationRuleInput!] + evaluationRules: CompliancePolicyEvaluationRuleInput } """CompliancePolicyEdge is used for the CompliancePolicyConnection""" @@ -1914,7 +1991,7 @@ type CompliancePolicyEvaluationRule type: CompliancePolicyEvaluationRuleType """Severity shows the level of importance for the policy in its findings""" - severity: CompliancePolicyEvaluationRuleSeverity + severity: CompliancePolicySeverity """ EvaluationValue is used to display information about the configuration of the evaluation rule @@ -1928,38 +2005,23 @@ CompliancePolicyEvaluationRuleInput provides details about an evaluation rule to input CompliancePolicyEvaluationRuleInput @join__type(graph: COMPLIANCE_POLICY) { - """Type is used to determine which grouping this evaluation rule targets""" - type: CompliancePolicyEvaluationRuleType - - """EvaluationValues stores a list of values related to the configuration""" - evaluationValues: [EvaluationRuleValueInput!] - """ - Severity allows the client to set a severity level for the evaluation rule + CertificateEvaluationValues stores a list of values related to the configuration """ - severity: CompliancePolicyEvaluationRuleSeverity + certificateEvaluationValues: CompliancePolicyEvaluationRuleRootInput } """ -CompliancePolicyEvalutionRuleSeverity denotes how severe the finding is in its evaluation result for a policy +CompliancePolicyEvaluationRuleRootInput provides the root level matching operators for evaluation rules """ -enum CompliancePolicyEvaluationRuleSeverity +input CompliancePolicyEvaluationRuleRootInput @join__type(graph: COMPLIANCE_POLICY) { - """Critical determines critical severity""" - CRITICAL @join__enumValue(graph: COMPLIANCE_POLICY) - - """High determines high severity""" - HIGH @join__enumValue(graph: COMPLIANCE_POLICY) + """And allows for chaining AND logic at the root level""" + and: [CertificateEvaluationRuleAttributesInput!] - """Medium determines medium severity""" - MEDIUM @join__enumValue(graph: COMPLIANCE_POLICY) - - """Low determines low severity""" - LOW @join__enumValue(graph: COMPLIANCE_POLICY) - - """Info determines info severity""" - INFO @join__enumValue(graph: COMPLIANCE_POLICY) + """Or allows for chaining OR logic at the root level""" + or: [CertificateEvaluationRuleAttributesInput!] } """ @@ -1968,8 +2030,26 @@ CompliancePolicyEvaluationRuleType denotes what group of rules an evaluation rul enum CompliancePolicyEvaluationRuleType @join__type(graph: COMPLIANCE_POLICY) { - """Certificate_Authorities is for the group of rules related to CAs""" - CERTIFICATE_AUTHORITIES @join__enumValue(graph: COMPLIANCE_POLICY) + """IssuingCA is for the group of rules related to issuing CAs""" + ISSUING_CA @join__enumValue(graph: COMPLIANCE_POLICY) +} + +""" +CompliancePolicyFieldStringFilter provides a list of options for fields in matching and evaluation rules +""" +input CompliancePolicyFieldStringFilter +@join__type(graph: COMPLIANCE_POLICY) +{ + """Includes is used for checking if elements are in list""" + includes: [String!] + + """Excludes is used for checking if elements are not in list""" + excludes: [String!] + + """ + HasValue is used to include/exclude all of a resource (all applications, etc.) + """ + hasValue: Boolean } """ @@ -1981,11 +2061,17 @@ type CompliancePolicyFinding """ Type is used to differentiate which type of finding resource is in the finding """ - type: CompliancePolicyFindingType + type: CompliancePolicyResourceType """CompliancePolicy is the policy that evaluated and created this finding""" compliancePolicy: CompliancePolicy + """Status is used to show the status of the finding""" + status: CompliancePolicyFindingStatus + + """Severity shows the level of importance for the policy for this finding""" + severity: CompliancePolicySeverity + """FindingResource is the parent resource that this finding came from""" findingResource: FindingResource } @@ -2027,18 +2113,47 @@ type CompliancePolicyFindingEdge } """ -CompliancePolicyFindingType denotes which resource was evaluated against for the finding +CompliancePolicyFindingResource is the resource generated for a finding and is used to store the CompliancePolicyFinding """ -enum CompliancePolicyFindingType +type CompliancePolicyFindingResource @join__type(graph: COMPLIANCE_POLICY) { + """ID is the ID of the compliance policy finding evaluation""" + id: UUID! + """ - Certificate is used to show the evaluation found a finding on a certificate + EvaluationRuleID is the ID of the evaluation rule that the compliance policy finding evaluation is associated with """ - CERTIFICATE @join__enumValue(graph: COMPLIANCE_POLICY) + evaluationRuleId: UUID! - """Ingress is used to show the evaluation found a finding on an ingress""" - INGRESS @join__enumValue(graph: COMPLIANCE_POLICY) + """ + ResourceType is the type of resource that the compliance policy finding evaluation is associated with + """ + resourceType: String! + + """ + ResourceId is the ID of the resource that the compliance policy finding evaluation is associated with + """ + resourceId: String! + + """Status is the status of the compliance policy finding evaluation""" + status: CompliancePolicyFindingStatus + + """ + CreatedAt is the time the compliance policy finding evaluation was created + """ + createdAt: String +} + +"""CompliancePolicyFindingStatus denotes the status of the policy finding""" +enum CompliancePolicyFindingStatus +@join__type(graph: COMPLIANCE_POLICY) +{ + """Passed states that the finding passed evaluation""" + PASSED @join__enumValue(graph: COMPLIANCE_POLICY) + + """Failed states that the finding failed evaluation""" + FAILED @join__enumValue(graph: COMPLIANCE_POLICY) } """ @@ -2048,50 +2163,46 @@ type CompliancePolicyMatchingRule @join__type(graph: COMPLIANCE_POLICY) { """Type is used to differentiate which type of matching rule is stored""" - type: CompliancePolicyMatchingRuleType + type: CompliancePolicyResourceType + + """AllApplications is the flag to determine if all applications are set""" + allApplications: Boolean """ Applications is the list of all applications that have been set for this matching rule """ applications: [ApplicationMatchingRule!] + """AllTags is the flag to determine if all tags are set""" + allTags: Boolean + """Tags is the list of all tags that have been set for this matching rule""" tags: [TagMatchingRule!] } """ -CompliancePolicyMatchingRuleInput provides information on a matching rule +CompliancePolicyMatchingRuleInput provides details about a matching rule to be processed """ input CompliancePolicyMatchingRuleInput @join__type(graph: COMPLIANCE_POLICY) { """ - Type determines what type of resource is being looked for in matching resources - """ - type: CompliancePolicyMatchingRuleType - - """ - Applications stores all the config for applications that should be checked in matching + CertificateMatchingValues stores a list of values related to the configuration """ - applications: [ApplicationMatchingRuleResourceConfig!] - - """Tags stores all the config for tags that should be checked in matching""" - tags: [TagMatchingRuleResourceConfig!] + certificateMatchingValues: CompliancePolicyMatchingRuleRootInput } """ -CompliancePolicyMatchingRuleType denotes which resource type the matching rule will target +CompliancePolicyMatchingRuleRootInput provides the root level matching operators for matching rules """ -enum CompliancePolicyMatchingRuleType +input CompliancePolicyMatchingRuleRootInput @join__type(graph: COMPLIANCE_POLICY) { - """ - Certificate is used to show the matching is evaluating certificate resources - """ - CERTIFICATE @join__enumValue(graph: COMPLIANCE_POLICY) + """And allows for chaining AND logic at the root level""" + and: [CertificateMatchingRuleAttributesInput!] - """Ingress is used to show the matching is evaluating ingress resources""" - INGRESS @join__enumValue(graph: COMPLIANCE_POLICY) + """Or allows for chaining OR logic at the root level""" + or: [CertificateMatchingRuleAttributesInput!] } """CompliancePolicyOrderDirection denotes the different ordering types""" @@ -2124,6 +2235,21 @@ input CompliancePolicyOrderInput direction: CompliancePolicyOrderDirection } +""" +CompliancePolicyResourceType denotes which resource type the matching rule will target +""" +enum CompliancePolicyResourceType +@join__type(graph: COMPLIANCE_POLICY) +{ + """ + Certificate is used to show the matching is evaluating certificate resources + """ + CERTIFICATE @join__enumValue(graph: COMPLIANCE_POLICY) + + """Ingress is used to show the matching is evaluating ingress resources""" + INGRESS @join__enumValue(graph: COMPLIANCE_POLICY) +} + """ CompliancePolicySearchAttributesInput provides information on which filter attributes are used for filtering """ @@ -2156,6 +2282,28 @@ input CompliancePolicySearchFilterInput or: [CompliancePolicySearchAttributesInput!] } +""" +CompliancePolicySeverity denotes how severe the finding is in its evaluation result for a policy +""" +enum CompliancePolicySeverity +@join__type(graph: COMPLIANCE_POLICY) +{ + """Critical determines critical severity""" + CRITICAL @join__enumValue(graph: COMPLIANCE_POLICY) + + """High determines high severity""" + HIGH @join__enumValue(graph: COMPLIANCE_POLICY) + + """Medium determines medium severity""" + MEDIUM @join__enumValue(graph: COMPLIANCE_POLICY) + + """Low determines low severity""" + LOW @join__enumValue(graph: COMPLIANCE_POLICY) + + """Info determines info severity""" + INFO @join__enumValue(graph: COMPLIANCE_POLICY) +} + """ CompliancePolicyStatus denotes the status for a compliance policy in terms of activity """ @@ -2165,13 +2313,23 @@ enum CompliancePolicyStatus """Created refers to a policy that has been created but not activated""" CREATED @join__enumValue(graph: COMPLIANCE_POLICY) - """Active refers to a policy that has been created and activated""" + """ + Running refers to a policy when it is currently evaluating (will switch to ACTIVE or INACTIVE) + """ + RUNNING @join__enumValue(graph: COMPLIANCE_POLICY) + + """ + Active refers to a policy that has finished running and is actively listening to resources for evaluation + """ ACTIVE @join__enumValue(graph: COMPLIANCE_POLICY) """ - Inactive refers to a policy that has been created, activated, and then inactivated + Inactive refers to a policy that has finished running and is set to an inactive status to not actively listen to resources for evaluation """ INACTIVE @join__enumValue(graph: COMPLIANCE_POLICY) + + """Error refers to a policy that has run into an error during evaluation""" + ERROR @join__enumValue(graph: COMPLIANCE_POLICY) } """ @@ -2211,15 +2369,20 @@ input CompliancePolicyUpdateInput """Description is the description to update for the compliance policy""" description: String + """ + RemediationText is the input to provide feedback on how to resolve policy issues + """ + remediationText: String + """ MatchingRules is the configured matching rules to attach to the compliance policy """ - matchingRules: [CompliancePolicyMatchingRuleInput!] + matchingRules: CompliancePolicyMatchingRuleInput """ EvaluationRules is the configured evaluation rules to attach to the compliance policy """ - evaluationRules: [CompliancePolicyEvaluationRuleInput!] + evaluationRules: CompliancePolicyEvaluationRuleInput } input ConditionInputForEnum @@ -2289,6 +2452,7 @@ of the RFC 3339 profile of the ISO 8601 standard for representation of dates and """ scalar DateTime @join__type(graph: CAOPERATIONS) +@join__type(graph: CERTIFICATE) @join__type(graph: CERTIFICATE_INVENTORY) @join__type(graph: CLOUD_PROVIDERS) @join__type(graph: ENTITLEMENTS) @@ -2296,6 +2460,36 @@ scalar DateTime @join__type(graph: OUTAGEDETECTION) @join__type(graph: SEARCH) +""" +DeleteCertificateInput defines the input required for deleting a retired certificates +""" +input DeleteCertificateInput +@join__type(graph: CERTIFICATE_INVENTORY) +{ + """The fingerprint for the certificate to delete""" + fingerprint: ID! +} + +""" +DeleteCertificatePayload holds the result of deleting a retired certificate +""" +type DeleteCertificatePayload +@join__type(graph: CERTIFICATE_INVENTORY) +{ + """The fingerprint for the certificate that was deleted""" + fingerprint: ID! +} + +""" +DeleteCertificatesInput defines the input required for deleting one or more retired certificates +""" +input DeleteCertificatesInput +@join__type(graph: CERTIFICATE_INVENTORY) +{ + """List of certificates to delete""" + certificates: [DeleteCertificateInput!]! +} + """Represents the payload for deleting an integration.""" type DeleteIntegrationPayload @join__type(graph: MESSAGING) @@ -2398,42 +2592,13 @@ type ErrorInformation } """ -EvaluationCertificateAuthorities provides a configuration on which CAs of a certificate are evaluated against and how they should be treated +EvaluationIssuingCAs provides a configuration on which CAs of a certificate are evaluated against and how they should be treated """ -type EvaluationCertificateAuthorities +type EvaluationIssuingCAs @join__type(graph: COMPLIANCE_POLICY) { """Approved stores a list of IDs approved for evaluation""" - approved: [String!] - - """ - Unapproved stores a list of IDs that should result in a finding in evaluation - """ - unapproved: [String!] - - """ - UnknownAsUnapproved stores whether unknown CAs should be counted as unapproved - """ - unknownAsUnapproved: Boolean -} - -""" -EvaluationRuleValueInput provides options for a specific value to be used for a evaluation rule key -""" -input EvaluationRuleValueInput -@join__type(graph: COMPLIANCE_POLICY) -{ - """Key defines what element is being stored in the evaluation rule""" - key: String - - """StringValue stores string values for a particular key""" - stringValue: String - - """ListValue stores list values for a particular key""" - listValue: [String!] - - """BooleanValue stores boolean values for a particular key""" - booleanValue: Boolean + trustedCAs: [TrustedCAEvaluationRule!] } """ @@ -2441,8 +2606,8 @@ EvaluationRuleValueType is a collection of types that will provide a structure f """ union EvaluationRuleValueType @join__type(graph: COMPLIANCE_POLICY) -@join__unionMember(graph: COMPLIANCE_POLICY, member: "EvaluationCertificateAuthorities") -= EvaluationCertificateAuthorities +@join__unionMember(graph: COMPLIANCE_POLICY, member: "EvaluationIssuingCAs") += EvaluationIssuingCAs """Represents an individual feature.""" type Feature @@ -2573,6 +2738,11 @@ type IdentityEdge node: Identity! } +"""A data type that represents a 64 bit signed integer""" +scalar Int64 +@join__type(graph: CERTIFICATE_INVENTORY) +@join__type(graph: SEARCH) + """Represents a configured integration details.""" type Integration @join__type(graph: MESSAGING) @@ -2677,6 +2847,7 @@ scalar join__FieldSet enum join__Graph { CAOPERATIONS @join__graph(name: "caoperations", url: "http://caoperations-service:2522/system/graphql") + CERTIFICATE @join__graph(name: "certificate", url: "http://certificate-service:2322/system/graphql") CERTIFICATE_INVENTORY @join__graph(name: "certificate-inventory", url: "http://certificate-query-service:80/graphql") CLOUD_PROVIDERS @join__graph(name: "cloud-providers", url: "http://cloudproviders-service:4488/graphql") COMPLIANCE_POLICY @join__graph(name: "compliance-policy", url: "http://compliance-policy-service:8080/graphql") @@ -2896,6 +3067,7 @@ enum MachineInstallationStatus type Mutation @join__type(graph: CAOPERATIONS) +@join__type(graph: CERTIFICATE_INVENTORY) @join__type(graph: CLOUD_PROVIDERS) @join__type(graph: COMPLIANCE_POLICY) @join__type(graph: MESSAGING) @@ -2904,6 +3076,18 @@ type Mutation """Revoke a certificate by SHA1 fingerprint""" revokeCertificate(fingerprint: ID!, certificateAuthorityAccountId: UUID, revocationReason: RevocationReason!, revocationComment: String): Certificate @join__field(graph: CAOPERATIONS) + """ + Retire one or more certificates. If a current certificate (i.e. latest version of a certificate) is retired, all + previous versions of the certificate will be retired as well. + """ + retireCertificates(input: RetireCertificatesInput!): [RetireCertificatePayload]! @join__field(graph: CERTIFICATE_INVENTORY) + + """Recover one or more retired certificates.""" + recoverCertificates(input: RecoverCertificatesInput!): [RecoverCertificatePayload]! @join__field(graph: CERTIFICATE_INVENTORY) + + """Delete one or more retired certificates.""" + deleteCertificates(input: DeleteCertificatesInput!): [DeleteCertificatePayload]! @join__field(graph: CERTIFICATE_INVENTORY) + """Creates a Cloud Provider""" createCloudProvider(input: CloudProviderInput!): CloudProvider @join__field(graph: CLOUD_PROVIDERS) @@ -3002,6 +3186,7 @@ PageInfo provides pagination information as defined by [https://relay.dev/graphq """ type PageInfo @join__type(graph: CAOPERATIONS) +@join__type(graph: CERTIFICATE) @join__type(graph: CERTIFICATE_INVENTORY) @join__type(graph: CLOUD_PROVIDERS) @join__type(graph: COMPLIANCE_POLICY) @@ -3118,6 +3303,7 @@ input PublicKeyInformationTypeFilter """The query root of Venafi Control Plane GraphQL interface.""" type Query @join__type(graph: CAOPERATIONS) +@join__type(graph: CERTIFICATE) @join__type(graph: CERTIFICATE_INVENTORY) @join__type(graph: CLOUD_PROVIDERS) @join__type(graph: COMPLIANCE_POLICY) @@ -3144,6 +3330,15 @@ type Query """ certificateAuthorityAccounts(after: String, before: String, first: Int, last: Int): CertificateAuthorityAccountConnection @join__field(graph: CAOPERATIONS) + """ + Returns a list of trusted CA certificates. + - after: returns the trusted CA certificates in the list that come after the specified cursor + - before: returns the trusted CA certificates in the list that come before the specified cursor + - first: returns the first _n_ trusted CA certificates from the list + - last: returns the last _n_ trusted CA certificates from the list + """ + trustedCaCertificates(after: String, before: String, first: Int, last: Int): TrustedCaCertificatesConnection @join__field(graph: CERTIFICATE) + """Deprecated, use `certificate` instead""" getCertificate(fingerprint: ID!): Certificate @join__field(graph: CERTIFICATE_INVENTORY) @deprecated(reason: "Deprecated, use `certificate` instead") @@ -3399,6 +3594,110 @@ type Query clustersSummary: TlspkClustersSummary @join__field(graph: TLSPK) } +""" +RecoverCertificateInput defines the input required for recovering a retired certificate +""" +input RecoverCertificateInput +@join__type(graph: CERTIFICATE_INVENTORY) +{ + """The fingerprint for the certificate to recover""" + fingerprint: ID! +} + +""" +RecoverCertificatePayload holds the result of recovering a retired certificate +""" +type RecoverCertificatePayload +@join__type(graph: CERTIFICATE_INVENTORY) +{ + """The fingerprint for the certificate that was recovered""" + fingerprint: ID! +} + +""" +RecoverCertificateInput defines the input required for recovering one or more retired certificates +""" +input RecoverCertificatesInput +@join__type(graph: CERTIFICATE_INVENTORY) +{ + """List of certificates to recover""" + certificates: [RecoverCertificateInput!]! + + """ + An optional list of application IDs to associate with the recovered certificates + """ + applicationIds: [ID!] +} + +""" +RelatedCertificateOrderDirection represents the ordering direction for related certificates. +""" +enum RelatedCertificateOrderDirection +@join__type(graph: CERTIFICATE_INVENTORY) +{ + """ASC is the ascending order""" + ASC @join__enumValue(graph: CERTIFICATE_INVENTORY) + + """DESC is the descending order""" + DESC @join__enumValue(graph: CERTIFICATE_INVENTORY) +} + +""" +RelatedCertificateOrderField defines the fields that can be used for ordering the related certificates. +""" +enum RelatedCertificateOrderField +@join__type(graph: CERTIFICATE_INVENTORY) +{ + """Order by field 'fingerprint'""" + FINGERPRINT @join__enumValue(graph: CERTIFICATE_INVENTORY) + + """Order by field 'archivedTime'""" + ARCHIVED_TIME @join__enumValue(graph: CERTIFICATE_INVENTORY) +} + +""" +RelatedCertificateOrderInput contains the ordering information for the related certificates. +""" +input RelatedCertificateOrderInput +@join__type(graph: CERTIFICATE_INVENTORY) +{ + field: RelatedCertificateOrderField! + direction: RelatedCertificateOrderDirection! +} + +""" +RetireCertificateInput defines the input required for retiring a certificate +""" +input RetireCertificateInput +@join__type(graph: CERTIFICATE_INVENTORY) +{ + """The fingerprint for the certificate to retire""" + fingerprint: ID! +} + +"""RetireCertificatePayload holds the result of retiring a certificate""" +type RetireCertificatePayload +@join__type(graph: CERTIFICATE_INVENTORY) +{ + """The fingerprint for the certificate that was retired""" + fingerprint: ID! +} + +""" +RetireCertificatesInput defines the input required for retiring one or more certificates +""" +input RetireCertificatesInput +@join__type(graph: CERTIFICATE_INVENTORY) +{ + """List of certificates to retire""" + certificates: [RetireCertificateInput!]! + + """ + Indicate whether to add the certificates to the blocklist as well. If missing, defaults to false + """ + addToBlocklist: Boolean +} + type Revocation @join__type(graph: CAOPERATIONS) { @@ -3420,11 +3719,25 @@ enum RevocationReason CESSATION_OF_OPERATION @join__enumValue(graph: CAOPERATIONS) } +"""Indicates the revocation status of a certificate""" enum RevocationStatus @join__type(graph: CAOPERATIONS) +@join__type(graph: SEARCH) { - SUBMITTED @join__enumValue(graph: CAOPERATIONS) - FAILED @join__enumValue(graph: CAOPERATIONS) + SUBMITTED @join__enumValue(graph: CAOPERATIONS) @join__enumValue(graph: SEARCH) + FAILED @join__enumValue(graph: CAOPERATIONS) @join__enumValue(graph: SEARCH) +} + +input RevocationStatusFilter +@join__type(graph: SEARCH) +{ + """The string value we want to match""" + eq: RevocationStatus + + """ + The boolean value that we want to assert whether the boolean field is null or not + """ + hasValue: Boolean } type RFC822Name @@ -3513,6 +3826,39 @@ type ServiceAccountEdge node: ServiceAccount! } +"""Indicates the signature hash algorithm of a certificate""" +enum SignatureHashAlgorithm +@join__type(graph: SEARCH) +{ + GOST_R3410_2001 @join__enumValue(graph: SEARCH) + GOST_R3410_94 @join__enumValue(graph: SEARCH) + GOST_R3411_2012 @join__enumValue(graph: SEARCH) + MD2 @join__enumValue(graph: SEARCH) + MD5 @join__enumValue(graph: SEARCH) + SHA1 @join__enumValue(graph: SEARCH) + SHA224 @join__enumValue(graph: SEARCH) + SHA256 @join__enumValue(graph: SEARCH) + SHA384 @join__enumValue(graph: SEARCH) + SHA512 @join__enumValue(graph: SEARCH) + SHA3_256 @join__enumValue(graph: SEARCH) + SHA3_512 @join__enumValue(graph: SEARCH) + SM3 @join__enumValue(graph: SEARCH) + RIPEMD160 @join__enumValue(graph: SEARCH) + UNKNOWN @join__enumValue(graph: SEARCH) +} + +input SignatureHashAlgorithmFilter +@join__type(graph: SEARCH) +{ + """The string value we want to match""" + eq: SignatureHashAlgorithm + + """ + The list of strings that we want to assert whether the string value is included in the provided list + """ + in: [SignatureHashAlgorithm!] +} + """Identifies certificate's subject alternative name type""" enum SubjectAlternativeNameType @join__type(graph: SEARCH) @@ -3591,19 +3937,6 @@ type TagMatchingRule included: Boolean } -""" -TagMatchingRuleResourceConfig provides a configuration structure for tags that should be included in matching -""" -input TagMatchingRuleResourceConfig -@join__type(graph: COMPLIANCE_POLICY) -{ - """Tags is the tag to be used in matching""" - tag: String! - - """Included states if this tag is included or excluded in matching""" - included: Boolean -} - """A team of users""" type Team @join__type(graph: CLOUD_PROVIDERS) @@ -3760,6 +4093,13 @@ type TlspkClustersIngressesWidget categories: [TlspkClustersIngressesCategory] } +type TlspkClustersLLCertsNotManagedByCertManagerCategory +@join__type(graph: TLSPK) +{ + id: String + count: Int +} + type TlspkClustersLLCertsNotManagedByCertManagerWidget @join__type(graph: TLSPK) { @@ -3770,6 +4110,11 @@ type TlspkClustersLLCertsNotManagedByCertManagerWidget notManagedByCertManager is the number of long lived certfiicates found in clusters that are not managed by Cert-Manager """ notManagedByCertManager: Int + + """ + categories is the list of long lived certificates found in clusters that are either managed by Cert-Manager or not managed by Cert-Manager + """ + categories: [TlspkClustersLLCertsNotManagedByCertManagerCategory] } type TlspkClustersLongLivedCertificatesCategory @@ -3932,6 +4277,85 @@ input TLSValidationErrorTypeFilter hasValue: Boolean } +""" +TrustedCaCertificate is the trusted CA certificate that is trusted by the user for use in issuing certificates +""" +type TrustedCaCertificate +@join__type(graph: CERTIFICATE, key: "fingerprint") +@join__type(graph: COMPLIANCE_POLICY, key: "fingerprint", resolvable: false) +{ + """Fingerprint of the trusted CA certificate""" + fingerprint: ID! + + """ + CertificateType defines what type of certificate the trusted CA cert is + """ + certificateType: CertificateType! @join__field(graph: CERTIFICATE) + + """Source defines how the certificate was loaded into the system""" + source: TrustedCACertificateSource! @join__field(graph: CERTIFICATE) + + """SubjectCN of the trusted CA certificate""" + subjectCN: [String]! @join__field(graph: CERTIFICATE) +} + +""" +TrustedCaCertificatesConnection is used to provide pagination to trusted CA certificates +""" +type TrustedCaCertificatesConnection +@join__type(graph: CERTIFICATE) +{ + """PageInfo is information for pagination""" + pageInfo: PageInfo! + + """TotalCount of trusted CA certificates""" + totalCount: Int! + + """Nodes of the trusted CA certificate connection for paginated results""" + nodes: [TrustedCaCertificate!] + + """Edges of the trusted CA certificate connection for linking""" + edges: [TrustedCaCertificatesEdge] +} + +""" +TrustedCaCertificatesEdge is used for the TrustedCaCertificatesConnection edges +""" +type TrustedCaCertificatesEdge +@join__type(graph: CERTIFICATE) +{ + """Node of the trusted CA certificate connection""" + node: TrustedCaCertificate! + + """Cursor is the link to the next edge""" + cursor: String! +} + +""" +TrustedCACertificateSource defines how the certificate was loaded into the system +""" +enum TrustedCACertificateSource +@join__type(graph: CERTIFICATE) +{ + GLOBALLY_TRUSTED @join__enumValue(graph: CERTIFICATE) + USER_PROVIDED @join__enumValue(graph: CERTIFICATE) +} + +""" +TrustedCAEvaluationRule wraps the Trusted CA type to add included to it +""" +type TrustedCAEvaluationRule +@join__type(graph: COMPLIANCE_POLICY) +{ + """TrustedCA is the reference to the Trusted CA to include or exclude""" + trustedCA: TrustedCaCertificate + + """ + Included states whether this Trusted CA should be included in matching for resources + """ + included: Boolean +} + type UniformResourceIdentifier @join__type(graph: CERTIFICATE_INVENTORY) { @@ -4020,6 +4444,7 @@ enum UserStatus """A field whose value is a generic Universally Unique Identifier.""" scalar UUID @join__type(graph: CAOPERATIONS) +@join__type(graph: CERTIFICATE) @join__type(graph: CLOUD_PROVIDERS) @join__type(graph: COMPLIANCE_POLICY) @join__type(graph: LEGACY)