vaultrs/api/transit/requests.rs
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794
use super::responses::{
BackupKeyResponse, DecryptDataResponse, EncryptDataResponse, ExportKeyResponse,
GenerateDataKeyResponse, GenerateHmacResponse, GenerateRandomBytesResponse, HashDataResponse,
ListKeysResponse, ReadKeyResponse, ReadTransitCacheConfigurationResponse, RewrapDataResponse,
SignDataResponse, VerifySignedDataResponse,
};
use super::{HashAlgorithm, KeyType, MarshalingAlgorithm, OutputFormat, SignatureAlgorithm};
use rustify_derive::Endpoint;
use serde::Serialize;
use std::fmt::Debug;
/// ## Create Key
/// This endpoint creates a new named encryption key of the specified type. The
/// values set here cannot be changed after key creation.
///
/// * Path: {self.mount}/keys/{self.name}
/// * Method: POST
/// * Response: N/A
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#create-key>
#[derive(Builder, Debug, Default, Endpoint, Serialize)]
#[endpoint(
path = "{self.mount}/keys/{self.name}",
method = "POST",
builder = "true"
)]
#[builder(setter(into, strip_option), default)]
pub struct CreateKeyRequest {
#[endpoint(skip)]
pub mount: String,
/// Specifies the name of the encryption key to create.
#[endpoint(skip)]
pub name: String,
/// If enabled, the key will support convergent encryption, where the same
/// plaintext creates the same ciphertext. This requires derived to be set
/// to true. When enabled, each encryption(/decryption/rewrap/datakey)
/// operation will derive a nonce value rather than randomly generate it.
pub convergent_encryption: Option<bool>,
/// Specifies if key derivation is to be used. If enabled, all
/// encrypt/decrypt requests to this named key must provide a context which
/// is used for key derivation.
pub derived: Option<bool>,
/// Enables keys to be exportable. This allows for all the valid keys in the
/// key ring to be exported. Once set, this cannot be disabled.
pub exportable: Option<bool>,
/// If set, enables taking backup of named key in the plaintext format. Once
/// set, this cannot be disabled.
pub allow_plaintext_backup: Option<bool>,
/// Specifies the type of key to create.
#[serde(rename = "type")]
pub key_type: Option<KeyType>,
/// The period at which this key should be rotated automatically. Setting
/// this to "0" (the default) will disable automatic key rotation. This
/// value cannot be shorter than one hour.
pub auto_rotate_period: Option<String>,
}
/// ## Read Key
/// This endpoint returns information about a named encryption key. The keys
/// object shows the creation time of each key version; the values are not the
/// keys themselves. Depending on the type of key, different information may be
/// returned, e.g. an asymmetric key will return its public key in a standard
/// format for the type.
///
/// * Path: {self.mount}/keys/{self.name}
/// * Method: GET
/// * Response: ReadKeyResponse
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#read-key>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/keys/{self.name}",
response = "ReadKeyResponse",
builder = "true"
)]
#[builder(setter(into), default)]
pub struct ReadKeyRequest {
#[endpoint(skip)]
pub mount: String,
#[endpoint(skip)]
pub name: String,
}
/// ## List Keys
/// This endpoint returns a list of keys. Only the key names are returned (not
/// the actual keys themselves).
///
/// * Path: {self.mount}/keys
/// * Method: LIST
/// * Response: ListKeysResponse
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#list-keys>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/keys",
response = "ListKeysResponse",
method = "LIST",
builder = "true"
)]
#[builder(setter(into), default)]
pub struct ListKeysRequest {
#[endpoint(skip)]
pub mount: String,
}
/// ## Update Key Configuration
/// This endpoint allows tuning configuration values for a given key. (These
/// values are returned during a read operation on the named key.)
///
/// * Path: {self.mount}/keys/{self.name}/config
/// * Method: POST
/// * Response: N/A
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#update-key-configuration>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/keys/{self.name}/config",
method = "POST",
builder = "true"
)]
#[builder(setter(into), default)]
pub struct UpdateKeyConfigurationRequest {
#[endpoint(skip)]
pub mount: String,
#[endpoint(skip)]
pub name: String,
/// Specifies the minimum version of ciphertext allowed to be decrypted.
/// Adjusting this as part of a key rotation policy can prevent old copies
/// of ciphertext from being decrypted, should they fall into the wrong
/// hands. For signatures, this value controls the minimum version of
/// signature that can be verified against. For HMACs, this controls the
/// minimum version of a key allowed to be used as the key for verification.
pub min_decryption_version: Option<u64>,
/// Specifies the minimum version of the key that can be used to encrypt
/// plaintext, sign payloads, or generate HMACs. Must be 0 (which will use
/// the latest version) or a value greater or equal to
/// min_decryption_version.
pub min_encryption_version: Option<u64>,
/// Specifies if the key is allowed to be deleted.
pub deletion_allowed: Option<bool>,
/// Enables keys to be exportable. This allows for all the valid keys in the
/// key ring to be exported. Once set, this cannot be disabled.
pub exportable: Option<bool>,
/// If set, enables taking backup of named key in the plaintext format. Once
/// set, this cannot be disabled.
pub allow_plaintext_backup: Option<bool>,
/// The period at which this key should be rotated automatically. Setting
/// this to "0" will disable automatic key rotation. This value cannot be
/// shorter than one hour. When no value is provided, the period remains
/// unchanged.
pub auto_rotate_period: Option<String>,
}
/// ## Delete Key
/// This endpoint deletes a named encryption key. It will no longer be possible
/// to decrypt any data encrypted with the named key. Because this is a
/// potentially catastrophic operation, the deletion_allowed tunable must be set
/// in the key's `/config` endpoint.
///
/// * Path: {self.mount}/keys/{self.name}
/// * Method: DELETE
/// * Response: N/A
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#delete-key>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/keys/{self.name}",
method = "DELETE",
builder = "true"
)]
#[builder(setter(into), default)]
pub struct DeleteKeyRequest {
#[endpoint(skip)]
pub mount: String,
#[endpoint(skip)]
pub name: String,
}
/// ## Rotate Key
/// This endpoint rotates the version of the named key. After rotation, new
/// plaintext requests will be encrypted with the new version of the key. To
/// upgrade ciphertext to be encrypted with the latest version of the key, use
/// the rewrap endpoint. This is only supported with keys that support
/// encryption and decryption operations.
///
/// * Path: {self.mount}/keys/{self.name}/rotate
/// * Method: POST
/// * Response: N/A
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#rotate-key>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/keys/{self.name}/rotate",
method = "POST",
builder = "true"
)]
#[builder(setter(into), default)]
pub struct RotateKeyRequest {
#[endpoint(skip)]
pub mount: String,
#[endpoint(skip)]
pub name: String,
}
/// ## Export Key
/// This endpoint returns the named key. The keys object shows the value of the
/// key for each version. If version is specified, the specific version will be
/// returned. If latest is provided as the version, the current key will be
/// provided. Depending on the type of key, different information may be
/// returned. The key must be exportable to support this operation and the
/// version must still be valid.
///
/// * Path: {self.mount}/export/{self.key_type}/{self.name}(/{self.version})
/// * Method: GET
/// * Response: ExportKeyResponse
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#export-key>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/export/{self.key_type}/{self.name}{self.version}",
response = "ExportKeyResponse",
builder = "true"
)]
#[builder(setter(into), default)]
pub struct ExportKeyRequest {
#[endpoint(skip)]
pub mount: String,
#[endpoint(skip)]
pub key_type: ExportKeyType,
#[endpoint(skip)]
pub name: String,
#[endpoint(skip)]
pub version: ExportVersion,
}
#[derive(Clone, Copy, Debug)]
pub enum ExportKeyType {
EncryptionKey,
SigningKey,
HmacKey,
}
#[allow(clippy::derivable_impls)]
impl Default for ExportKeyType {
fn default() -> Self {
ExportKeyType::EncryptionKey
}
}
impl std::fmt::Display for ExportKeyType {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
Self::EncryptionKey => write!(f, "encryption-key"),
Self::SigningKey => write!(f, "signing-key"),
Self::HmacKey => write!(f, "hmac-key"),
}
}
}
#[derive(Clone, Copy, Debug)]
pub enum ExportVersion {
All,
Latest,
Version(u64),
}
#[allow(clippy::derivable_impls)]
impl Default for ExportVersion {
fn default() -> Self {
ExportVersion::Latest
}
}
impl std::fmt::Display for ExportVersion {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
Self::All => Ok(()),
Self::Latest => write!(f, "/latest"),
Self::Version(n) => write!(f, "/{}", n),
}
}
}
/// ## Encrypt Data
/// This endpoint encrypts the provided plaintext using the named key. This path
/// supports the create and update policy capabilities as follows: if the user
/// has the create capability for this endpoint in their policies, and the key
/// does not exist, it will be upserted with default values (whether the key
/// requires derivation depends on whether the context parameter is empty or
/// not). If the user only has update capability and the key does not exist, an
/// error will be returned.
///
/// * Path: {self.mount}/encrypt/{self.name}
/// * Method: POST
/// * Response: EncryptDataResponse
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#encrypt-data>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/encrypt/{self.name}",
method = "POST",
response = "EncryptDataResponse",
builder = "true"
)]
#[builder(setter(into, strip_option), default)]
pub struct EncryptDataRequest {
#[endpoint(skip)]
pub mount: String,
/// Specifies the name of the encryption key to encrypt against.
#[endpoint(skip)]
pub name: String,
/// Specifies base64 encoded plaintext to be encoded.
/// NOTE: All plaintext data must be base64-encoded. The reason for this
/// requirement is that Vault does not require that the plaintext is "text".
/// It could be a binary file such as a PDF or image. The easiest safe
/// transport mechanism for this data as part of a JSON payload is to
/// base64-encode it.
pub plaintext: String,
/// Specifies the base64 encoded context for key derivation. This is
/// required if key derivation is enabled for this key.
pub context: Option<String>,
/// Specifies the version of the key to use for encryption. If not set, uses
/// the latest version. Must be greater than or equal to the key's
/// min_encryption_version, if set.
pub key_version: Option<u64>,
/// Specifies the base64 encoded nonce value. This must be provided if
/// convergent encryption is enabled for this key and the key was generated
/// with Vault 0.6.1. Not required for keys created in 0.6.2+. The value
/// must be exactly 96 bits (12 bytes) long and the user must ensure that
/// for any given context (and thus, any given encryption key) this nonce
/// value is never reused.
pub nonce: Option<String>,
/// This parameter is required when encryption key is expected to be
/// created. When performing an upsert operation, the type of key to create.
pub key_type: Option<KeyType>,
/// This parameter will only be used when a key is expected to be created.
/// Whether to support convergent encryption. This is only supported when
/// using a key with key derivation enabled and will require all requests to
/// carry both a context and 96-bit (12-byte) nonce. The given nonce will be
/// used in place of a randomly generated nonce. As a result, when the same
/// context and nonce are supplied, the same ciphertext is generated. It is
/// very important when using this mode that you ensure that all nonces are
/// unique for a given context. Failing to do so will severely impact the
/// ciphertext's security.
pub convergent_encryption: Option<String>,
}
/// ## Decrypt Data
/// This endpoint decrypts the provided ciphertext using the named key.
///
/// * Path: {self.mount}/decrypt/{self.name}
/// * Method: POST
/// * Response: DecryptDataResponse
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#decrypt-data>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/decrypt/{self.name}",
method = "POST",
response = "DecryptDataResponse",
builder = "true"
)]
#[builder(setter(into, strip_option), default)]
pub struct DecryptDataRequest {
#[endpoint(skip)]
pub mount: String,
/// Specifies the name of the encryption key to decrypt against.
#[endpoint(skip)]
pub name: String,
/// Specifies the ciphertext to decrypt.
pub ciphertext: String,
/// Specifies the base64 encoded context for key derivation. This is
/// required if key derivation is enabled.
pub context: Option<String>,
/// Specifies a base64 encoded nonce value used during encryption. Must be
/// provided if convergent encryption is enabled for this key and the key
/// was generated with Vault 0.6.1. Not required for keys created in 0.6.2+.
pub nonce: Option<String>,
}
/// ## Rewrap Data
/// This endpoint rewraps the provided ciphertext using the latest version of
/// the named key. Because this never returns plaintext, it is possible to
/// delegate this functionality to untrusted users or scripts.
///
/// * Path: {self.mount}/rewrap/{self.name}
/// * Method: POST
/// * Response: RewrapDataResponse
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#rewrap-data>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/rewrap/{self.name}",
method = "POST",
response = "RewrapDataResponse",
builder = "true"
)]
#[builder(setter(into, strip_option), default)]
pub struct RewrapDataRequest {
#[endpoint(skip)]
pub mount: String,
/// Specifies the name of the encryption key to re-encrypt against.
#[endpoint(skip)]
pub name: String,
/// Specifies the ciphertext to re-encrypt.
pub ciphertext: String,
/// Specifies the base64 encoded context for key derivation. This is
/// required if key derivation is enabled.
pub context: Option<String>,
/// Specifies the version of the key to use for the operation. If not set,
/// uses the latest version. Must be greater than or equal to the key's
/// min_encryption_version, if set.
pub key_version: Option<u64>,
/// Specifies a base64 encoded nonce value used during encryption. Must be
/// provided if convergent encryption is enabled for this key and the key
/// was generated with Vault 0.6.1. Not required for keys created in 0.6.2+.
pub nonce: Option<String>,
}
/// ## Generate Data Key
/// This endpoint generates a new high-entropy key and the value encrypted with
/// the named key. Optionally return the plaintext of the key as well. Whether
/// plaintext is returned depends on the path; as a result, you can use Vault
/// ACL policies to control whether a user is allowed to retrieve the plaintext
/// value of a key. This is useful if you want an untrusted user or operation to
/// generate keys that are then made available to trusted users.
///
/// * Path: {self.mount}/datakey/{self.key_type}/{self.name}
/// * Method: POST
/// * Response: GenerateDataKeyResponse
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#generate-data-key>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/datakey/{self.key_type}/{self.name}",
method = "POST",
response = "GenerateDataKeyResponse",
builder = "true"
)]
#[builder(setter(into, strip_option), default)]
pub struct GenerateDataKeyRequest {
#[endpoint(skip)]
pub mount: String,
/// Specifies the type of key to generate. If plaintext, the plaintext key
/// will be returned along with the ciphertext. If wrapped, only the
/// ciphertext value will be returned.
#[endpoint(skip)]
pub key_type: DataKeyType,
/// Specifies the name of the encryption key to use to encrypt the datakey.
#[endpoint(skip)]
pub name: String,
/// Specifies the key derivation context, provided as a base64-encoded
/// string. This must be provided if derivation is enabled.
pub context: Option<String>,
/// Specifies a nonce value, provided as base64 encoded. Must be provided if
/// convergent encryption is enabled for this key and the key was generated
/// with Vault 0.6.1. Not required for keys created in 0.6.2+. The value
/// must be exactly 96 bits (12 bytes) long and the user must ensure that
/// for any given context (and thus, any given encryption key) this nonce
/// value is never reused.
pub nonce: Option<String>,
/// Specifies the number of bits in the desired key. Can be 128, 256, or
/// 512. Default is 256 bits.
pub bits: Option<u16>,
}
#[derive(Clone, Copy, Debug)]
pub enum DataKeyType {
Plaintext,
Wrapped,
}
#[allow(clippy::derivable_impls)]
impl Default for DataKeyType {
fn default() -> Self {
DataKeyType::Wrapped
}
}
impl std::fmt::Display for DataKeyType {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
Self::Plaintext => write!(f, "plaintext"),
Self::Wrapped => write!(f, "wrapped"),
}
}
}
/// ## Generate Random Bytes
/// This endpoint returns high-quality random bytes of the specified length.
///
/// * Path: {self.mount}/random(/{self.source})(/{self.bytes})
/// * Method: POST
/// * Response: GenerateRandomBytesResponse
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#generate-random-bytes>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/random",
method = "POST",
response = "GenerateRandomBytesResponse",
builder = "true"
)]
#[builder(setter(into, strip_option), default)]
pub struct GenerateRandomBytesRequest {
#[endpoint(skip)]
pub mount: String,
/// Specifies the number of bytes to return. Default is 32.
pub bytes: Option<u32>,
/// Specifies the output encoding.
pub format: OutputFormat,
/// Specifies the source of the requested bytes.
pub source: RandomBytesSource,
}
#[derive(Clone, Copy, Debug, Serialize)]
#[serde(rename_all = "kebab-case")]
pub enum RandomBytesSource {
/// Sources bytes from the platform's entropy source.
Platform,
/// Sources from entropy augmentation (enterprise only).
Seal,
/// Mixes bytes from all available sources.
All,
}
#[allow(clippy::derivable_impls)]
impl Default for RandomBytesSource {
fn default() -> Self {
RandomBytesSource::Platform
}
}
/// ## Hash Data
/// This endpoint returns the cryptographic hash of given data using the
/// specified algorithm.
///
/// * Path: {self.mount}/hash(/{self.algorithm)
/// * Method: POST
/// * Response: HashDataResponse
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#hash-data>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/hash",
method = "POST",
response = "HashDataResponse",
builder = "true"
)]
#[builder(setter(into, strip_option), default)]
pub struct HashDataRequest {
#[endpoint(skip)]
pub mount: String,
/// Specifies the hash algorithm to use.
pub algorithm: Option<HashAlgorithm>,
/// Specifies the base64 encoded input data.
pub input: String,
/// Specifies the output encoding.
pub format: Option<OutputFormat>,
}
/// ## Generate HMAC
/// This endpoint returns the digest of given data using the specified hash
/// algorithm and the named key. The key can be of any type supported by
/// transit; the raw key will be marshaled into bytes to be used for the HMAC
/// function. If the key is of a type that supports rotation, the latest
/// (current) version will be used.
///
/// * Path: {self.mount}/hmac/{self.name}(/{self.algorithm)
/// * Method: POST
/// * Response: GenerateHmacResponse
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#generate-hmac>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/hmac/{self.name}",
method = "POST",
response = "GenerateHmacResponse",
builder = "true"
)]
#[builder(setter(into, strip_option), default)]
pub struct GenerateHmacRequest {
#[endpoint(skip)]
pub mount: String,
#[endpoint(skip)]
pub name: String,
/// Specifies the version of the key to use for the operation. If not set,
/// uses the latest version. Must be greater than or equal to the key's
/// min_encryption_version, if set.
pub key_version: Option<u64>,
/// Specifies the hash algorithm to use.
pub algorithm: Option<HashAlgorithm>,
/// Specifies the base64 encoded input data.
pub input: String,
}
/// ## Sign Data
/// This endpoint returns the cryptographic signature of the given data using
/// the named key and the specified hash algorithm. The key must be of a type
/// that supports signing.
///
/// * Path: {self.mount}/sign/{self.name}(/{self.hash_algorithm)
/// * Method: POST
/// * Response: SignDataResponse
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#sign-data>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/sign/{self.name}",
method = "POST",
response = "SignDataResponse",
builder = "true"
)]
#[builder(setter(into, strip_option), default)]
pub struct SignDataRequest {
#[endpoint(skip)]
pub mount: String,
#[endpoint(skip)]
pub name: String,
/// Specifies the version of the key to use for the operation. If not set,
/// uses the latest version. Must be greater than or equal to the key's
/// min_encryption_version, if set.
pub key_version: Option<u64>,
/// Specifies the hash algorithm to use.
pub hash_algorithm: Option<HashAlgorithm>,
/// Specifies the base64 encoded input data.
pub input: String,
/// Base64 encoded context for key derivation. Required if key derivation is
/// enabled; currently only available with ed25519 keys.
pub context: Option<String>,
/// Set to true when the input is already hashed. If the key type is
/// rsa-2048, rsa-3072 or rsa-4096, then the algorithm used to hash the
/// input should be indicated by the hash_algorithm parameter. Just as the
/// value to sign should be the base64-encoded representation of the exact
/// binary data you want signed, when set, input is expected to be
/// base64-encoded binary hashed data, not hex-formatted.
pub prehashed: Option<bool>,
/// When using a RSA key, specifies the RSA signature algorithm to use for
/// signing.
pub signature_algorithm: Option<SignatureAlgorithm>,
/// Specifies the way in which the signature should be marshaled. This
/// currently only applies to ECDSA keys.
pub marshaling_algorithm: Option<MarshalingAlgorithm>,
}
/// ## Verify Signed Data
/// This endpoint returns whether the provided signature is valid for the given
/// data.
///
/// * Path: {self.mount}/verify/{self.name}(/{self.hash_algorithm)
/// * Method: POST
/// * Response: VerifySignedDataResponse
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#verify-signed-data>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/verify/{self.name}",
method = "POST",
response = "VerifySignedDataResponse",
builder = "true"
)]
#[builder(setter(into, strip_option), default)]
pub struct VerifySignedDataRequest {
#[endpoint(skip)]
pub mount: String,
#[endpoint(skip)]
pub name: String,
/// Specifies the hash algorithm to use.
pub hash_algorithm: Option<HashAlgorithm>,
/// Specifies the base64 encoded input data.
pub input: String,
/// Specifies the signature output from the /transit/sign function. Either
/// this must be supplied or hmac must be supplied.
pub signature: Option<String>,
/// Specifies the signature output from the /transit/hmac function. Either
/// this must be supplied or signature must be supplied.
pub hmac: Option<String>,
/// Base64 encoded context for key derivation. Required if key derivation is
/// enabled; currently only available with ed25519 keys.
pub context: Option<String>,
/// Set to true when the input is already hashed. If the key type is
/// rsa-2048, rsa-3072 or rsa-4096, then the algorithm used to hash the
/// input should be indicated by the hash_algorithm parameter.
pub prehashed: Option<bool>,
/// When using a RSA key, specifies the RSA signature algorithm to use for
/// signature verification.
pub signature_algorithm: Option<SignatureAlgorithm>,
/// Specifies the way in which the signature was originally marshaled. This
/// currently only applies to ECDSA keys.
pub marshaling_algorithm: Option<MarshalingAlgorithm>,
}
/// ## Backup Key
/// This endpoint returns a plaintext backup of a named key. The backup contains
/// all the configuration data and keys of all the versions along with the HMAC
/// key. The response from this endpoint can be used with the /restore endpoint
/// to restore the key.
///
/// * Path: {self.mount}/backup/{self.name}
/// * Method: GET
/// * Response: BackupKeyResponse
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#backup-key>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/backup/{self.name}",
response = "BackupKeyResponse",
builder = "true"
)]
#[builder(setter(into), default)]
pub struct BackupKeyRequest {
#[endpoint(skip)]
pub mount: String,
#[endpoint(skip)]
pub name: String,
}
/// ## Restore Key
/// This endpoint restores the backup as a named key. This will restore the key
/// configurations and all the versions of the named key along with HMAC keys.
/// The input to this endpoint should be the output of /backup endpoint.
///
/// * Path: {self.mount}/restore(/{self.name})
/// * Method: POST
/// * Response: N/A
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#restore-key>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(path = "{self.mount}/restore", method = "POST", builder = "true")]
#[builder(setter(into, strip_option), default)]
pub struct RestoreKeyRequest {
#[endpoint(skip)]
pub mount: String,
/// Backed up key data to be restored. This should be the output from the
/// /backup endpoint.
pub backup: String,
/// If set, this will be the name of the restored key.
pub name: Option<String>,
/// If set, force the restore to proceed even if a key by this name already
/// exists.
pub force: Option<bool>,
}
/// ## Trim Key
/// This endpoint trims older key versions setting a minimum version for the
/// keyring. Once trimmed, previous versions of the key cannot be recovered.
///
/// * Path: {self.mount}/keys/{self.name}/trim
/// * Method: POST
/// * Response: N/A
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#trim-key>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/keys/{self.name}/trim",
method = "POST",
builder = "true"
)]
#[builder(setter(into), default)]
pub struct TrimKeyRequest {
#[endpoint(skip)]
pub mount: String,
#[endpoint(skip)]
pub name: String,
/// The minimum available version for the key ring. All versions before this
/// version will be permanently deleted. This value can at most be equal to
/// the lesser of min_decryption_version and min_encryption_version. This is
/// not allowed to be set when either min_encryption_version or
/// min_decryption_version is set to zero.
pub min_available_version: u64,
}
/// ## Configure Cache
/// This endpoint is used to configure the transit engine's cache. Note that
/// configuration changes will not be applied until the transit plugin is
/// reloaded which can be achieved using the /sys/plugins/reload/backend
/// endpoint.
///
/// * Path: {self.mount}/transit/cache-config
/// * Method: POST
/// * Response: N/A
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#configure-cache>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(path = "{self.mount}/cache-config", method = "POST", builder = "true")]
#[builder(setter(into, strip_option), default)]
pub struct ConfigureCacheRequest {
#[endpoint(skip)]
pub mount: String,
/// Specifies the size in terms of number of entries. A size of 0 means
/// unlimited. A Least Recently Used (LRU) caching strategy is used for a
/// non-zero cache size. Must be 0 (default) or a value greater or equal to
/// 10 (minimum cache size).
pub size: Option<u64>,
}
/// ## Read Transit Cache Configuration
/// This endpoint retrieves configurations for the transit engine's cache.
///
/// * Path: {self.mount}/transit/cache-config
/// * Method: GET
/// * Response: ReadTransitCacheConfigurationResponse
/// * Reference: <https://developer.hashicorp.com/vault/api-docs/secret/transit#read-transit-cache-configuration>
#[derive(Builder, Debug, Default, Endpoint)]
#[endpoint(
path = "{self.mount}/cache-config",
response = "ReadTransitCacheConfigurationResponse",
builder = "true"
)]
#[builder(setter(into), default)]
pub struct ReadTransitCacheConfigurationRequest {
#[endpoint(skip)]
pub mount: String,
}