class EventsRealmVlobsUpdatedRepSchema(BaseRepSchema):
event = fields.EnumCheckedConstant(APIEvent.REALM_VLOBS_UPDATED,
required=True)
realm_id = fields.UUID(required=True)
checkpoint = fields.Integer(required=True)
src_id = fields.UUID(required=True)
src_version = fields.Integer(required=True)
class EventsRealmVlobsUpdatedRepSchema(BaseRepSchema):
status = fields.CheckedConstant("ok", required=True)
event = fields.CheckedConstant("realm.vlobs_updated", required=True)
realm_id = fields.UUID(required=True)
checkpoint = fields.Integer(required=True)
src_id = fields.UUID(required=True)
src_version = fields.Integer(required=True)
class EventsBeaconUpdatedRepSchema(BaseRepSchema):
status = fields.CheckedConstant("ok", required=True)
event = fields.CheckedConstant("beacon.updated", required=True)
beacon_id = fields.UUID(required=True)
index = fields.Integer(required=True)
src_id = fields.UUID(required=True)
src_version = fields.Integer(required=True)
class VlobCreateReqSchema(BaseReqSchema):
realm_id = fields.UUID(required=True)
encryption_revision = fields.Integer(required=True)
vlob_id = fields.UUID(required=True)
# If blob contains a signed message, it timestamp cannot be directly enforced
# by the backend (given the message is probably also encrypted).
# Hence the timestamp is passed in clear so backend can reject the message
# if it considers the timestamp invalid. On top of that each client asking
# for the message will receive the declared timestamp to check against
# the actual timestamp within the message.
timestamp = fields.DateTime(required=True)
blob = fields.Bytes(required=True)
class PkiEnrollmentListItemSchema(BaseSchema):
enrollment_id = fields.UUID(required=True)
submitted_on = fields.DateTime(required=True)
submitter_der_x509_certificate = fields.Bytes(required=True)
submit_payload_signature = fields.Bytes(required=True)
submit_payload = fields.Bytes(
required=True) # Signature should be checked before loading
class HandshakeInvitedAnswerSchema(BaseSchema):
handshake = fields.CheckedConstant("answer", required=True)
type = fields.EnumCheckedConstant(HandshakeType.INVITED, required=True)
client_api_version = ApiVersionField(required=True)
organization_id = OrganizationIDField(required=True)
invitation_type = InvitationTypeField(required=True)
token = fields.UUID(required=True)
class RealmStartReencryptionMaintenanceReqSchema(BaseReqSchema):
realm_id = fields.UUID(required=True)
encryption_revision = fields.Integer(required=True)
timestamp = fields.DateTime(required=True)
per_participant_message = fields.Map(UserIDField(),
fields.Bytes(required=True),
required=True)
class SCHEMA_CLS(BaseSignedDataSchema):
type = fields.CheckedConstant("realm_role_certificate", required=True)
realm_id = fields.UUID(required=True)
user_id = UserIDField(required=True)
role = RealmRoleField(required=True, allow_none=True)
@post_load
def make_obj(self, data: Dict[str, Any]) -> "RealmRoleCertificateContent":
data.pop("type")
return RealmRoleCertificateContent(**data)
class PkiEnrollmentAcceptReqSchema(BaseReqSchema):
enrollment_id = fields.UUID(required=True)
accepter_der_x509_certificate = fields.Bytes(required=True)
accept_payload_signature = fields.Bytes(required=True)
accept_payload = fields.Bytes(
required=True) # Signature should be checked before loading
user_certificate = fields.Bytes(required=True)
device_certificate = fields.Bytes(required=True)
# Same certificates than above, but expurged of human_handle/device_label
redacted_user_certificate = fields.Bytes(required=True)
redacted_device_certificate = fields.Bytes(required=True)
class SCHEMA_CLS(BaseSchema):
type = fields.CheckedConstant("local_pending_enrollment", required=True)
x509_certificate = fields.Nested(X509Certificate.SCHEMA_CLS, required=True)
addr = BackendPkiEnrollmentAddrField(required=True)
submitted_on = fields.DateTime(required=True)
enrollment_id = fields.UUID(required=True)
submit_payload = fields.Nested(PkiEnrollmentSubmitPayload.SCHEMA_CLS, required=True)
encrypted_key = fields.Bytes(required=True)
ciphertext = fields.Bytes(required=True) # An encrypted PendingDeviceKeys
@post_load
def make_obj(self, data):
data.pop("type", None)
return LocalPendingEnrollment(**data)
class PkiEnrollmentSubmitReqSchema(BaseReqSchema):
enrollment_id = fields.UUID(required=True)
# Existing enrollment with SUMBITTED status prevent submitting new
# enrollment with similir x509 certificate unless force flag is set.
force = fields.Boolean(required=True)
submitter_der_x509_certificate = fields.Bytes(required=True)
# Duplicated certificate email field. (The backend need to check if the email is used without loading the certificate)
submitter_der_x509_certificate_email = fields.String(required=False,
missing=None,
allow_none=True)
submit_payload_signature = fields.Bytes(required=True)
submit_payload = fields.Bytes(
required=True) # Signature should be checked before loading
class EventsRealmRolesUpdatedRepSchema(BaseRepSchema):
event = fields.EnumCheckedConstant(APIEvent.REALM_ROLES_UPDATED,
required=True)
realm_id = fields.UUID(required=True)
role = RealmRoleField(required=True, allow_none=True)
class VlobPollChangesRepSchema(BaseRepSchema):
changes = fields.Map(fields.UUID(), fields.Integer(required=True), required=True)
current_checkpoint = fields.Integer(required=True)
class PkiEnrollmentInfoReqSchema(BaseReqSchema):
enrollment_id = fields.UUID(required=True)
class Invite1GreeterWaitPeerReqSchema(BaseReqSchema):
token = fields.UUID(required=True)
greeter_public_key = fields.PublicKey(required=True)
class EventsInviteStatusChangedRepSchema(BaseRepSchema):
event = fields.EnumCheckedConstant(APIEvent.INVITE_STATUS_CHANGED,
required=True)
token = fields.UUID(required=True)
invitation_status = InvitationStatusField(required=True)
class InviteDeleteReqSchema(BaseReqSchema):
token = fields.UUID(required=True)
reason = InvitationDeletedReasonField(required=True)
class InviteListItemUserSchema(BaseSchema):
type = fields.EnumCheckedConstant(InvitationType.USER, required=True)
token = fields.UUID(required=True)
created_on = fields.DateTime(required=True)
claimer_email = fields.String(required=True)
status = InvitationStatusField(required=True)
class BlockReadReqSchema(BaseReqSchema):
block_id = fields.UUID(required=True)
class Invite3bGreeterSignifyTrustReqSchema(BaseReqSchema):
token = fields.UUID(required=True)
class Invite3aGreeterWaitPeerTrustReqSchema(BaseReqSchema):
token = fields.UUID(required=True)
class Invite2bGreeterSendNonceReqSchema(BaseReqSchema):
token = fields.UUID(required=True)
greeter_nonce = fields.Bytes(required=True)
class Invite2aGreeterGetHashedNonceReqSchema(BaseReqSchema):
token = fields.UUID(required=True)
class VlobPollChangesReqSchema(BaseReqSchema):
realm_id = fields.UUID(required=True)
last_checkpoint = fields.Integer(required=True)
class EventsRealmMaintenanceFinishedRepSchema(BaseRepSchema):
event = fields.EnumCheckedConstant(APIEvent.REALM_MAINTENANCE_FINISHED,
required=True)
realm_id = fields.UUID(required=True)
encryption_revision = fields.Integer(required=True)
class VlobListVersionsReqSchema(BaseReqSchema):
vlob_id = fields.UUID(required=True)
class Invite4GreeterCommunicateReqSchema(BaseReqSchema):
token = fields.UUID(required=True)
payload = fields.Bytes(required=True)
class InviteListItemDeviceSchema(BaseSchema):
type = fields.EnumCheckedConstant(InvitationType.DEVICE, required=True)
token = fields.UUID(required=True)
created_on = fields.DateTime(required=True)
status = InvitationStatusField(required=True)
class BlockCreateReqSchema(BaseReqSchema):
block_id = fields.UUID(required=True)
realm_id = fields.UUID(required=True)
block = fields.Bytes(required=True)
class InviteNewRepSchema(BaseRepSchema):
token = fields.UUID(required=True)
