@cubist-labs/cubesigner-sdk 0.4.236 → 0.4.237

package/src/client/api_client.ts

@@ -54,7 +54,6 @@ import type {
   UpdatePolicyRequest,
   ListPoliciesResponse,
   PolicyType,
-  PolicyInfo,
   DiffieHellmanRequest,
   DiffieHellmanResponse,
   KeyInfoJwt,
@@ -67,6 +66,9 @@ import type {
   KeyAttestationQuery,
   RoleAttestationQuery,
   ErrorResponse,
+  ListBucketsResponse,
+  UpdateBucketRequest,
+  PolicyInfo,
 } from "../schema_types";
 import { encodeToBase64 } from "../util";
 import {
@@ -152,6 +154,9 @@ import {
   type GetUserByOidcResponse,
   type EmailTemplatePurpose,
   ErrResponse,
+  coerceBucketInfo,
+  coercePolicyInfo,
+  type BucketInfo,
 } from "../index";
 import { assertOk, op, type Op, type Operation, apiFetch } from "../fetch";
 import { BaseClient, type ClientConfig, signerSessionFromSessionInfo } from "./base_client";
@@ -1525,14 +1530,14 @@ export class ApiClient extends BaseClient {
     acl?: JsonValue[],
   ): Promise<PolicyInfo> {
     const o = op("/v0/org/{org_id}/policies", "post");
-    return (await this.exec(o, {
+    return await this.exec(o, {
       body: {
         name,
         policy_type: type,
         rules,
         acl,
       },
-    })) as PolicyInfo;
+    }).then(coercePolicyInfo);
   }
 
   /**
@@ -1544,9 +1549,9 @@ export class ApiClient extends BaseClient {
    */
   async policyGet(policyId: string, version: policy.Version): Promise<PolicyInfo> {
     const o = op("/v0/org/{org_id}/policies/{policy_id}/{version}", "get");
-    return (await this.exec(o, {
+    return await this.exec(o, {
       params: { path: { policy_id: policyId, version } },
-    })) as PolicyInfo;
+    }).then(coercePolicyInfo);
   }
 
   /**
@@ -1583,17 +1588,13 @@ export class ApiClient extends BaseClient {
     mfaReceipt?: MfaReceipts,
   ): Promise<CubeSignerResponse<PolicyInfo>> {
     const o = op("/v0/org/{org_id}/policies/{policy_id}", "patch");
-    const signFn = async (headers?: HeadersInit) =>
+    const reqFn = async (headers?: HeadersInit) =>
       this.exec(o, {
         params: { path: { policy_id: policyId } },
         body: request,
         headers,
-      });
-    return (await CubeSignerResponse.create(
-      this.env,
-      signFn,
-      mfaReceipt,
-    )) as CubeSignerResponse<PolicyInfo>;
+      }).then((resp) => mapResponse(resp, coercePolicyInfo));
+    return await CubeSignerResponse.create(this.env, reqFn, mfaReceipt);
   }
 
   /**
@@ -1638,6 +1639,62 @@ export class ApiClient extends BaseClient {
 
   // #endregion
 
+  // #region BUCKET: bucket(Get|List|Update)
+
+  /**
+   * List available meta information about all policy buckets in the org.
+   *
+   * @param page Pagination options. Defaults to fetching the entire result set.
+   * @returns Paginator for iterating over policy buckets.
+   */
+  bucketsList(page?: PageOpts): Paginator<ListBucketsResponse, BucketInfo[]> {
+    const o = op("/v0/org/{org_id}/policy/buckets", "get");
+    return Paginator.items(
+      page ?? Page.default(),
+      (pageQuery) => this.exec(o, { params: { query: { ...pageQuery } } }),
+      (r) => r.buckets,
+      (r) => r.last_evaluated_key,
+    ) as Paginator<ListBucketsResponse, BucketInfo[]>;
+  }
+
+  /**
+   * Get the meta information of a policy KV store bucket.
+   *
+   * @param bucketName The name of the bucket to get
+   * @returns The bucket information
+   */
+  async bucketGet(bucketName: string): Promise<BucketInfo> {
+    const o = op("/v0/org/{org_id}/policy/buckets/{bucket_name}", "get");
+    return await this.exec(o, {
+      params: { path: { bucket_name: bucketName } },
+    }).then(coerceBucketInfo);
+  }
+
+  /**
+   * Set or update meta information for a policy KV store bucket.
+   *
+   * @param bucketName The name of the bucket to update.
+   * @param request The update request
+   * @param mfaReceipt Option MFA receipt(s)
+   * @returns The updated bucket information
+   */
+  async bucketUpdate(
+    bucketName: string,
+    request: UpdateBucketRequest,
+    mfaReceipt?: MfaReceipts,
+  ): Promise<CubeSignerResponse<BucketInfo>> {
+    const o = op("/v0/org/{org_id}/policy/buckets/{bucket_name}", "patch");
+    const reqFn = async (headers?: HeadersInit) =>
+      this.exec(o, {
+        params: { path: { bucket_name: bucketName } },
+        body: request,
+        headers,
+      }).then((resp) => mapResponse(resp, coerceBucketInfo));
+    return await CubeSignerResponse.create(this.env, reqFn, mfaReceipt);
+  }
+
+  // #endregion
+
   // #region WASM: wasm(PolicyUpload)
 
   /**

package/src/index.ts

@@ -34,6 +34,8 @@ export * from "./contact";
 export * from "./scopes";
 /** Policies */
 export * from "./policy";
+/** Buckets */
+export * from "./bucket";
 /** Access control */
 export * from "./acl";
 /** Utils */

package/src/policy.ts

@@ -10,15 +10,15 @@ import type {
   KeyPolicyRule,
   MfaReceipts,
   PolicyAttachedToId,
-  PolicyInfo,
   PolicyType,
   RolePolicy,
   RolePolicyRule,
   UpdatePolicyRequest,
   WasmRule,
-  Acl,
   AceAttribute,
   PolicyAction,
+  Ace,
+  PolicyInfo,
 } from ".";
 
 import { loadSubtleCrypto } from ".";
@@ -32,7 +32,7 @@ export type PolicyRule = KeyPolicyRule | RolePolicyRule | WasmRule;
  * A helper type for {@link PolicyInfo} with a more detailed `acl` type.
  */
 type NamedPolicyInfo = PolicyInfo & {
-  acl?: Acl<PolicyAction, PolicyCtx>;
+  acl?: PolicyAcl;
 };
 
 /**
@@ -67,7 +67,10 @@ export type C2FInfo = WasmPolicyInfo;
 export type Version = `v${number}` | `latest`;
 
 /** A policy access control entry. */
-export type PolicyAcl = Acl<PolicyAction, PolicyCtx>;
+export type PolicyAce = Ace<PolicyAction, PolicyCtx>;
+
+/** A policy access control list. */
+export type PolicyAcl = PolicyAce[];
 
 /** Additional contexts when using policies. */
 export type PolicyCtx = {
@@ -476,7 +479,7 @@ export class C2FFunction extends NamedPolicy {
     // upload the policy object
     const hash = await uploadWasmFunction(this.apiClient, policy);
 
-    // update this policy with the new policy verison.
+    // update this policy with the new policy version.
     const body: UpdatePolicyRequest = { rules: [{ hash }] };
     this.data = (await this.update(body, mfaReceipt)) as C2FInfo;
   }

package/src/schema.ts

@@ -1035,6 +1035,31 @@ export interface paths {
      */
     post: operations["invokePolicy"];
   };
+  "/v0/org/{org_id}/policy/buckets": {
+    /**
+     * List Buckets
+     * @description List Buckets
+     *
+     * List available meta information about all policy KV store buckets in the org.
+     */
+    get: operations["listPolicyBuckets"];
+  };
+  "/v0/org/{org_id}/policy/buckets/{bucket_name}": {
+    /**
+     * Get Bucket
+     * @description Get Bucket
+     *
+     * Returns the meta information of a policy KV store bucket.
+     */
+    get: operations["getPolicyBucket"];
+    /**
+     * Update Bucket
+     * @description Update Bucket
+     *
+     * Updates meta information for an existing policy KV store bucket.
+     */
+    patch: operations["updatePolicyBucket"];
+  };
   "/v0/org/{org_id}/policy/import_key": {
     /**
      * Create Policy Import Key
@@ -1050,7 +1075,7 @@ export interface paths {
      * Get the org-wide policy secrets.
      * @description Get the org-wide policy secrets.
      *
-     * Note that this only returns the keys for the secrets, omiting the values.
+     * Note that this only returns the keys for the secrets, omitting the values.
      * The values are secret and are not accessible outside Wasm policy execution.
      */
     get: operations["getPolicySecrets"];
@@ -1859,8 +1884,7 @@ export interface components {
      */
     Aud: string | string[];
     AuditLogEntry: {
-      /** @description The name of the event */
-      event: string;
+      event: components["schemas"]["OrgEventDiscriminants"];
       /** @description UUID of the event. Unique across all events. */
       event_id: string;
       org_id: components["schemas"]["Id"];
@@ -2997,6 +3021,9 @@ export interface components {
       | "SetPolicySecret"
       | "DeletePolicySecret"
       | "CreatePolicyImportKey"
+      | "GetPolicyBucket"
+      | "ListPolicyBuckets"
+      | "UpdatePolicyBucket"
       | "UserExportDelete"
       | "UserExportList"
       | "UserExportInit"
@@ -3328,6 +3355,57 @@ export interface components {
        */
       value: number;
     };
+    /**
+     * @description The access-controlled actions that can be performed on a bucket
+     * @enum {string}
+     */
+    BucketAction:
+      | "read:key:value"
+      | "read:key:exists"
+      | "update:key:value"
+      | "delete:key:value"
+      | "scan:keys"
+      | "update:bucket:owner"
+      | "update:bucket:acl"
+      | "update:bucket:metadata";
+    /** @description Information about a policy KV store bucket. */
+    BucketInfo: ({
+      created?: components["schemas"]["EpochDateTime"] | null;
+      last_modified?: components["schemas"]["EpochDateTime"] | null;
+      /**
+       * Format: int64
+       * @description Version of this object
+       */
+      version?: number;
+    } & {
+      /** @description The access-control entries for the bucket. */
+      acl?: unknown[] | null;
+      /** @description Arbitrary user-defined metadata. */
+      metadata?: unknown;
+      owner: components["schemas"]["Id"];
+    }) & {
+      /** @description The name of the bucket. */
+      name: string;
+    };
+    /**
+     * @description Sub-entity of org where per-bucket metadata (like ACL) is stored.
+     * The [Id] of a [BucketMeta] must be the bucket name.
+     */
+    BucketMeta: {
+      created?: components["schemas"]["EpochDateTime"] | null;
+      last_modified?: components["schemas"]["EpochDateTime"] | null;
+      /**
+       * Format: int64
+       * @description Version of this object
+       */
+      version?: number;
+    } & {
+      /** @description The access-control entries for the bucket. */
+      acl?: unknown[] | null;
+      /** @description Arbitrary user-defined metadata. */
+      metadata?: unknown;
+      owner: components["schemas"]["Id"];
+    };
     CancelInvitationRequest: {
       email: components["schemas"]["Email"];
     };
@@ -4749,6 +4827,13 @@ export interface components {
       | "manage:policy:secrets:update:values"
       | "manage:policy:secrets:update:acl"
       | "manage:policy:secrets:update:editPolicy"
+      | "manage:policy:buckets:*"
+      | "manage:policy:buckets:get"
+      | "manage:policy:buckets:list"
+      | "manage:policy:buckets:update:*"
+      | "manage:policy:buckets:update:owner"
+      | "manage:policy:buckets:update:acl"
+      | "manage:policy:buckets:update:metadata"
       | "manage:contact:*"
       | "manage:contact:readonly"
       | "manage:contact:create"
@@ -5007,6 +5092,7 @@ export interface components {
       | "AutoAddBlsKeyToProtectedRole"
       | "UserNotPolicyOwner"
       | "UserNotContactOwner"
+      | "UserNotBucketOwner"
       | "LegacySessionCannotHaveScopeCeiling"
       | "RoleInParentOrgNotAllowed"
       | "RemoveKeyFromRoleUserNotAllowed"
@@ -6060,6 +6146,7 @@ export interface components {
       | "OrgExportCiphertextNotFound"
       | "UploadObjectNotFound"
       | "PolicySecretNotFound"
+      | "BucketMetaNotFound"
       | "TimestreamDisabled"
       | "CustomChainNotFound"
       | "InvitationNotFound"
@@ -6740,6 +6827,21 @@ export interface components {
        */
       last_evaluated_key?: string | null;
     };
+    /**
+     * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+     * value (which can the user pass back to use as a url query parameter to continue pagination).
+     */
+    PaginatedListBucketsResponse: {
+      /** @description The buckets in the organization. */
+      buckets: components["schemas"]["BucketInfo"][];
+    } & {
+      /**
+       * @description If set, the content of `response` does not contain the entire result set.
+       * To fetch the next page of the result set, call the same endpoint
+       * but specify this value as the 'page.start' query parameter.
+       */
+      last_evaluated_key?: string | null;
+    };
     /**
      * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
      * value (which can the user pass back to use as a url query parameter to continue pagination).
@@ -7060,16 +7162,16 @@ export interface components {
     }) &
       Record<string, never>;
     /**
-     * PolicyAction
      * @description The access-controlled actions that can be performed on a named policy.
-     * @example read:policy
      * @enum {string}
      */
     PolicyAction:
       | "read:*"
+      | "read"
       | "read:policy"
       | "read:logs"
       | "update:*"
+      | "update"
       | "update:name"
       | "update:rules"
       | "update:metadata"
@@ -8791,6 +8893,23 @@ export interface components {
       /** @description Optional policy evaluation tree. */
       policy_eval_tree?: unknown;
     } & Record<string, never>;
+    /** @description The information needed to update a bucket. */
+    UpdateBucketRequest: {
+      /** @description Access-control entries defining how the bucket can be accessed. */
+      acl?: unknown;
+      /**
+       * Format: int64
+       * @description If set, updating only succeeds if the current version matches this value.
+       */
+      expected_version?: number | null;
+      /** @description Optional metadata. */
+      metadata?: unknown;
+      /**
+       * @description Update the owner of the bucket
+       * @example User#00000000-0000-0000-0000-000000000000
+       */
+      owner?: string | null;
+    };
     /** @description The information needed to update a Contact. */
     UpdateContactRequest: {
       addresses?: components["schemas"]["AddressMap"] | null;
@@ -9621,6 +9740,29 @@ export interface components {
         };
       };
     };
+    /** @description Information about a policy KV store bucket. */
+    BucketInfo: {
+      content: {
+        "application/json": ({
+          created?: components["schemas"]["EpochDateTime"] | null;
+          last_modified?: components["schemas"]["EpochDateTime"] | null;
+          /**
+           * Format: int64
+           * @description Version of this object
+           */
+          version?: number;
+        } & {
+          /** @description The access-control entries for the bucket. */
+          acl?: unknown[] | null;
+          /** @description Arbitrary user-defined metadata. */
+          metadata?: unknown;
+          owner: components["schemas"]["Id"];
+        }) & {
+          /** @description The name of the bucket. */
+          name: string;
+        };
+      };
+    };
     /** @description The number of users and keys in an org, organized by user role and key type */
     ComputeCountsResponse: {
       content: {
@@ -10342,6 +10484,21 @@ export interface components {
         };
       };
     };
+    PaginatedListBucketsResponse: {
+      content: {
+        "application/json": {
+          /** @description The buckets in the organization. */
+          buckets: components["schemas"]["BucketInfo"][];
+        } & {
+          /**
+           * @description If set, the content of `response` does not contain the entire result set.
+           * To fetch the next page of the result set, call the same endpoint
+           * but specify this value as the 'page.start' query parameter.
+           */
+          last_evaluated_key?: string | null;
+        };
+      };
+    };
     PaginatedListContactsResponse: {
       content: {
         "application/json": {
@@ -14602,6 +14759,108 @@ export interface operations {
       };
     };
   };
+  /**
+   * List Buckets
+   * @description List Buckets
+   *
+   * List available meta information about all policy KV store buckets in the org.
+   */
+  listPolicyBuckets: {
+    parameters: {
+      query?: {
+        /**
+         * @description Max number of items to return per page.
+         *
+         * If the actual number of returned items may be less that this, even if there exist more
+         * data in the result set. To reliably determine if more data is left in the result set,
+         * inspect the [UnencryptedLastEvalKey] value in the response object.
+         */
+        "page.size"?: number;
+        /**
+         * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+         * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+         */
+        "page.start"?: string | null;
+      };
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["PaginatedListBucketsResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Get Bucket
+   * @description Get Bucket
+   *
+   * Returns the meta information of a policy KV store bucket.
+   */
+  getPolicyBucket: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        bucket_name: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["BucketInfo"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Update Bucket
+   * @description Update Bucket
+   *
+   * Updates meta information for an existing policy KV store bucket.
+   */
+  updatePolicyBucket: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        bucket_name: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["UpdateBucketRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["BucketInfo"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Create Policy Import Key
    * @description Create Policy Import Key
@@ -14632,7 +14891,7 @@ export interface operations {
    * Get the org-wide policy secrets.
    * @description Get the org-wide policy secrets.
    *
-   * Note that this only returns the keys for the secrets, omiting the values.
+   * Note that this only returns the keys for the secrets, omitting the values.
    * The values are secret and are not accessible outside Wasm policy execution.
    */
   getPolicySecrets: {

package/src/schema_types.ts

@@ -291,10 +291,20 @@ export type ImportKeyRequestMaterial = schemas["ImportKeyRequestMaterial"];
 export type InvitationAcceptRequest = schemas["InvitationAcceptRequest"];
 
 export type KeyTypeAndDerivationPath = schemas["KeyTypeAndDerivationPath"];
-
 export type PolicyInfo = schemas["PolicyInfo"] & {
   acl?: JsonValue[];
 };
+
+/**
+ * Coerce the less accurate `PolicyInfo` type from the OpenAPI schema to a more accurate {@link PolicyInfo}.
+ *
+ * @param p The policy info received on the wire
+ * @returns The same value coerced to {@link PolicyInfo}
+ */
+export function coercePolicyInfo(p: schemas["PolicyInfo"]): PolicyInfo {
+  return p as PolicyInfo;
+}
+
 export type UpdatePolicyRequest = schemas["UpdatePolicyRequest"] & {
   rules?: JsonValue[];
   acl?: JsonValue[];
@@ -303,6 +313,10 @@ export type ListPoliciesResponse = schemas["PaginatedListPoliciesResponse"];
 export type PolicyType = schemas["PolicyType"];
 export type PolicyAttachedToId = schemas["PolicyAttachedToId"];
 
+export type ListBucketsResponse = schemas["PaginatedListBucketsResponse"];
+export type UpdateBucketRequest = schemas["UpdateBucketRequest"];
+export type BucketAction = schemas["BucketAction"];
+
 export type UploadWasmPolicyRequest = schemas["UploadWasmPolicyRequest"];
 export type UploadWasmPolicyResponse = schemas["UploadWasmPolicyResponse"];
 export type InvokePolicyRequest = schemas["InvokePolicyRequest"];

package/src/scopes.ts

@@ -115,6 +115,13 @@ export const AllScopes: Record<ExplicitScope, string> =
   "manage:policy:secrets:update:values"         : "Allows access only to the policy secrets 'update' endpoint, but restricting updates to the secrets keys and values",
   "manage:policy:secrets:update:acl"            : "Allows access only to the policy secrets 'update' endpoint, but restricting updates to the secrets acl",
   "manage:policy:secrets:update:editPolicy"     : "Allows access only to the policy secrets 'update' endpoint, but restricting updates to the `edit_policy` property",
+  "manage:policy:buckets:*"                     : "Allows access to all policy buckets endpoints",
+  "manage:policy:buckets:get"                   : "Allows access only to the policy buckets 'get' endpoint",
+  "manage:policy:buckets:list"                  : "Allows access only to the policy buckets 'list' endpoint",
+  "manage:policy:buckets:update:*"              : "Allows access only to the policy buckets 'update' endpoint",
+  "manage:policy:buckets:update:owner"          : "Allows access only to the policy buckets 'update' endpoint, but restricting updates to the `owner` property",
+  "manage:policy:buckets:update:acl"            : "Allows access only to the policy buckets 'update' endpoint, but restricting updates to the `acl` property",
+  "manage:policy:buckets:update:metadata"       : "Allows access only to the policy buckets 'update' endpoint, but restricting updates to the `metadata` property",
   "manage:contact:*"                            : "Allows access to all contact endpoints",
   "manage:contact:readonly"                     : "Allows access to all contact readonly endpoints",
   "manage:contact:create"                       : "Allows access to the contact 'create' endpoint",