From ae55df8aaf03fde52e14e9619111a5437b55e740 Mon Sep 17 00:00:00 2001 From: Lisa Cawley Date: Wed, 8 Jan 2025 06:51:32 -0800 Subject: [PATCH] Add security.bulk_update_api_keys and security.delegate_pki (#3402) * Add security.bulk_update_api_keys * Add security.delegate_pki * Add examples * Add body to security.delegate_pki * Add doc_id * examples in subfolder * Update specification/security/bulk_update_api_keys/SecurityBulkUpdateApiKeysRequest.ts Co-authored-by: Laura Trotta <153528055+l-trotta@users.noreply.github.com> * Update specification/security/bulk_update_api_keys/SecurityBulkUpdateApiKeysResponse.ts Co-authored-by: Laura Trotta <153528055+l-trotta@users.noreply.github.com> * Update specification/security/bulk_update_api_keys/SecurityBulkUpdateApiKeysResponse.ts Co-authored-by: Laura Trotta <153528055+l-trotta@users.noreply.github.com> * Update specification/security/delegate_pki/SecurityDelegatePkiResponse.ts Co-authored-by: Laura Trotta <153528055+l-trotta@users.noreply.github.com> * Fix style * added authentication field to delegate pki res --------- Co-authored-by: Laura Trotta Co-authored-by: Laura Trotta <153528055+l-trotta@users.noreply.github.com> (cherry picked from commit a91c810ae0aae359bae368b9ca5876ee71fb15e4) --- .../elasticsearch-openapi-overlays.yaml | 35 ++ .../elasticsearch-shared-overlays.yaml | 2 +- output/openapi/elasticsearch-openapi.json | 248 ++++++++ output/schema/schema.json | 534 +++++++++++++++++- output/schema/validation-errors.json | 6 - output/typescript/types.ts | 48 ++ specification/_doc_ids/table.csv | 3 + .../_json_spec/security.delegate_pki.json | 26 + .../SecurityBulkUpdateApiKeysRequest.ts | 77 +++ .../SecurityBulkUpdateApiKeysResponse.ts | 28 + ...rityBulkUpdateApiKeysResponseExample1.yaml | 9 + ...urityBulkUpdateApiKeysRequestExample1.yaml | 22 + ...urityBulkUpdateApiKeysRequestExample2.yaml | 9 + .../SecurityDelegatePkiRequest.ts | 50 ++ .../SecurityDelegatePkiResponse.ts | 61 ++ .../SecurityDelegatePkiResponseExample1.yaml | 26 + .../SecurityDelegatePkiRequestExample1.yaml | 5 + 17 files changed, 1178 insertions(+), 11 deletions(-) create mode 100644 specification/_json_spec/security.delegate_pki.json create mode 100644 specification/security/bulk_update_api_keys/SecurityBulkUpdateApiKeysRequest.ts create mode 100644 specification/security/bulk_update_api_keys/SecurityBulkUpdateApiKeysResponse.ts create mode 100644 specification/security/bulk_update_api_keys/examples/200_response/SecurityBulkUpdateApiKeysResponseExample1.yaml create mode 100644 specification/security/bulk_update_api_keys/examples/request/SecurityBulkUpdateApiKeysRequestExample1.yaml create mode 100644 specification/security/bulk_update_api_keys/examples/request/SecurityBulkUpdateApiKeysRequestExample2.yaml create mode 100644 specification/security/delegate_pki/SecurityDelegatePkiRequest.ts create mode 100644 specification/security/delegate_pki/SecurityDelegatePkiResponse.ts create mode 100644 specification/security/delegate_pki/examples/200_response/SecurityDelegatePkiResponseExample1.yaml create mode 100644 specification/security/delegate_pki/examples/request/SecurityDelegatePkiRequestExample1.yaml diff --git a/docs/overlays/elasticsearch-openapi-overlays.yaml b/docs/overlays/elasticsearch-openapi-overlays.yaml index 1e2898179f..495e49f2be 100644 --- a/docs/overlays/elasticsearch-openapi-overlays.yaml +++ b/docs/overlays/elasticsearch-openapi-overlays.yaml @@ -471,3 +471,38 @@ actions: $ref: "../../specification/search_application/render_query/SearchApplicationsRenderQueryRequestExample1.yaml" renderSearchApplicationQueryResponseExample1: $ref: "../../specification/search_application/render_query/SearchApplicationsRenderQueryResponseExample1.yaml" + + - target: "$.paths['/_security/api_key/_bulk_update']['post']" + description: "Add examples for bulk update API keys operation" + update: + requestBody: + content: + application/json: + examples: + bulkUpdateApiKeysRequestExample1: + $ref: "../../specification/security/bulk_update_api_keys/examples/request/SecurityBulkUpdateApiKeysRequestExample1.yaml" + bulkUpdateApiKeysRequestExample2: + $ref: "../../specification/security/bulk_update_api_keys/examples/request/SecurityBulkUpdateApiKeysRequestExample2.yaml" + responses: + 200: + content: + application/json: + examples: + bulkUpdateApiKeysResponseExample1: + $ref: "../../specification/security/bulk_update_api_keys/examples/200_response/SecurityBulkUpdateApiKeysResponseExample1.yaml" + - target: "$.paths['/_security/delegate_pki']['post']" + description: "Add examples for delegate PKI operation" + update: + requestBody: + content: + application/json: + examples: + delegatePkiRequestExample1: + $ref: "../../specification/security/delegate_pki/examples/request/SecurityDelegatePkiRequestExample1.yaml" + responses: + 200: + content: + application/json: + examples: + delegatePkiResponseExample1: + $ref: "../../specification/security/delegate_pki/examples/200_response/SecurityDelegatePkiResponseExample1.yaml" \ No newline at end of file diff --git a/docs/overlays/elasticsearch-shared-overlays.yaml b/docs/overlays/elasticsearch-shared-overlays.yaml index cf00af8c6d..40892cbd4b 100644 --- a/docs/overlays/elasticsearch-shared-overlays.yaml +++ b/docs/overlays/elasticsearch-shared-overlays.yaml @@ -1334,7 +1334,7 @@ actions: application/json: examples: indicesResolveResponseExample1: - $ref: "../../specification/indices/resolve_index/indicesResolveResponseExample1.yaml" + $ref: "../../specification/indices/resolve_index/ResolveIndexResponseExample1.yaml" - target: "$.components['requestBodies']['indices.rollover']" description: "Add example for rollover index request" update: diff --git a/output/openapi/elasticsearch-openapi.json b/output/openapi/elasticsearch-openapi.json index dcb49122dd..538ea16cd7 100644 --- a/output/openapi/elasticsearch-openapi.json +++ b/output/openapi/elasticsearch-openapi.json @@ -28600,6 +28600,92 @@ "x-state": "Added in 8.15.0" } }, + "/_security/api_key/_bulk_update": { + "post": { + "tags": [ + "security" + ], + "summary": "Bulk update API keys", + "description": "Update the attributes for multiple API keys.\n\nIMPORTANT: It is not possible to use an API key as the authentication credential for this API. To update API keys, the owner user's credentials are required.\n\nThis API is similar to the update API key API but enables you to apply the same update to multiple API keys in one API call. This operation can greatly improve performance over making individual updates.\n\nIt is not possible to update expired or invalidated API keys.\n\nThis API supports updates to API key access scope, metadata and expiration.\nThe access scope of each API key is derived from the `role_descriptors` you specify in the request and a snapshot of the owner user's permissions at the time of the request.\nThe snapshot of the owner's permissions is updated automatically on every call.\n\nIMPORTANT: If you don't specify `role_descriptors` in the request, a call to this API might still change an API key's access scope. This change can occur if the owner user's permissions have changed since the API key was created or last modified.\n\nA successful request returns a JSON structure that contains the IDs of all updated API keys, the IDs of API keys that already had the requested changes and did not require an update, and error details for any failed update.", + "operationId": "security-bulk-update-api-keys", + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "expiration": { + "$ref": "#/components/schemas/_types:Duration" + }, + "ids": { + "description": "The API key identifiers.", + "oneOf": [ + { + "type": "string" + }, + { + "type": "array", + "items": { + "type": "string" + } + } + ] + }, + "metadata": { + "$ref": "#/components/schemas/_types:Metadata" + }, + "role_descriptors": { + "description": "The role descriptors to assign to the API keys.\nAn API key's effective permissions are an intersection of its assigned privileges and the point-in-time snapshot of permissions of the owner user.\nYou can assign new privileges by specifying them in this parameter.\nTo remove assigned privileges, supply the `role_descriptors` parameter as an empty object `{}`.\nIf an API key has no assigned privileges, it inherits the owner user's full permissions.\nThe snapshot of the owner's permissions is always updated, whether you supply the `role_descriptors` parameter.\nThe structure of a role descriptor is the same as the request for the create API keys API.", + "type": "object", + "additionalProperties": { + "$ref": "#/components/schemas/security._types:RoleDescriptor" + } + } + }, + "required": [ + "ids" + ] + } + } + }, + "required": true + }, + "responses": { + "200": { + "description": "", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "errors": { + "$ref": "#/components/schemas/security._types:BulkError" + }, + "noops": { + "type": "array", + "items": { + "type": "string" + } + }, + "updated": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "noops", + "updated" + ] + } + } + } + } + }, + "x-state": "Added in 8.5.0" + } + }, "/_security/user/{username}/_password": { "put": { "tags": [ @@ -29495,6 +29581,76 @@ } } }, + "/_security/delegate_pki": { + "post": { + "tags": [ + "security" + ], + "summary": "Delegate PKI authentication", + "description": "This API implements the exchange of an X509Certificate chain for an Elasticsearch access token.\nThe certificate chain is validated, according to RFC 5280, by sequentially considering the trust configuration of every installed PKI realm that has `delegation.enabled` set to `true`.\nA successfully trusted client certificate is also subject to the validation of the subject distinguished name according to thw `username_pattern` of the respective realm.\n\nThis API is called by smart and trusted proxies, such as Kibana, which terminate the user's TLS session but still want to authenticate the user by using a PKI realm—-​as if the user connected directly to Elasticsearch.\n\nIMPORTANT: The association between the subject public key in the target certificate and the corresponding private key is not validated.\nThis is part of the TLS authentication process and it is delegated to the proxy that calls this API.\nThe proxy is trusted to have performed the TLS authentication and this API translates that authentication into an Elasticsearch access token.", + "externalDocs": { + "url": "https://www.elastic.co/guide/en/elasticsearch/reference/current/pki-realm.html" + }, + "operationId": "security-delegate-pki", + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "x509_certificate_chain": { + "description": "The X509Certificate chain, which is represented as an ordered string array.\nEach string in the array is a base64-encoded (Section 4 of RFC4648 - not base64url-encoded) of the certificate's DER encoding.\n\nThe first element is the target certificate that contains the subject distinguished name that is requesting access.\nThis may be followed by additional certificates; each subsequent certificate is used to certify the previous one.", + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "x509_certificate_chain" + ] + } + } + }, + "required": true + }, + "responses": { + "200": { + "description": "", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "access_token": { + "description": "An access token associated with the subject distinguished name of the client's certificate.", + "type": "string" + }, + "expires_in": { + "description": "The amount of time (in seconds) before the token expires.", + "type": "number" + }, + "type": { + "description": "The type of token.", + "type": "string" + }, + "authentication": { + "$ref": "#/components/schemas/security.delegate_pki:Authentication" + } + }, + "required": [ + "access_token", + "expires_in", + "type" + ] + } + } + } + } + }, + "x-state": "Added in 7.4.0" + } + }, "/_security/privilege/{application}/{name}": { "get": { "tags": [ @@ -84877,6 +85033,98 @@ "value" ] }, + "security.delegate_pki:Authentication": { + "type": "object", + "properties": { + "username": { + "type": "string" + }, + "roles": { + "type": "array", + "items": { + "type": "string" + } + }, + "full_name": { + "oneOf": [ + { + "type": "string" + }, + { + "nullable": true, + "type": "string" + } + ] + }, + "email": { + "oneOf": [ + { + "type": "string" + }, + { + "nullable": true, + "type": "string" + } + ] + }, + "token": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "metadata": { + "$ref": "#/components/schemas/_types:Metadata" + }, + "enabled": { + "type": "boolean" + }, + "authentication_realm": { + "$ref": "#/components/schemas/security.delegate_pki:AuthenticationRealm" + }, + "lookup_realm": { + "$ref": "#/components/schemas/security.delegate_pki:AuthenticationRealm" + }, + "authentication_type": { + "type": "string" + }, + "api_key": { + "type": "object", + "additionalProperties": { + "type": "string" + } + } + }, + "required": [ + "username", + "roles", + "full_name", + "email", + "metadata", + "enabled", + "authentication_realm", + "lookup_realm", + "authentication_type" + ] + }, + "security.delegate_pki:AuthenticationRealm": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "type": { + "type": "string" + }, + "domain": { + "type": "string" + } + }, + "required": [ + "name", + "type" + ] + }, "security.delete_privileges:FoundStatus": { "type": "object", "properties": { diff --git a/output/schema/schema.json b/output/schema/schema.json index ee781e54b8..7060ebee13 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json @@ -15838,19 +15838,32 @@ { "availability": { "stack": { + "since": "8.5.0", "stability": "stable", "visibility": "public" } }, - "description": "Updates the attributes of multiple existing API keys.", - "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-bulk-update-api-keys.html", + "description": "Bulk update API keys.\nUpdate the attributes for multiple API keys.\n\nIMPORTANT: It is not possible to use an API key as the authentication credential for this API. To update API keys, the owner user's credentials are required.\n\nThis API is similar to the update API key API but enables you to apply the same update to multiple API keys in one API call. This operation can greatly improve performance over making individual updates.\n\nIt is not possible to update expired or invalidated API keys.\n\nThis API supports updates to API key access scope, metadata and expiration.\nThe access scope of each API key is derived from the `role_descriptors` you specify in the request and a snapshot of the owner user's permissions at the time of the request.\nThe snapshot of the owner's permissions is updated automatically on every call.\n\nIMPORTANT: If you don't specify `role_descriptors` in the request, a call to this API might still change an API key's access scope. This change can occur if the owner user's permissions have changed since the API key was created or last modified.\n\nA successful request returns a JSON structure that contains the IDs of all updated API keys, the IDs of API keys that already had the requested changes and did not require an update, and error details for any failed update.", + "docId": "security-api-bulk-update-key", + "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-bulk-update-api-keys.html", "name": "security.bulk_update_api_keys", - "request": null, + "privileges": { + "cluster": [ + "manage_own_api_key" + ] + }, + "request": { + "name": "Request", + "namespace": "security.bulk_update_api_keys" + }, "requestBodyRequired": true, "requestMediaType": [ "application/json" ], - "response": null, + "response": { + "name": "Response", + "namespace": "security.bulk_update_api_keys" + }, "responseMediaType": [ "application/json" ], @@ -16210,6 +16223,45 @@ } ] }, + { + "availability": { + "stack": { + "since": "7.4.0", + "stability": "stable" + } + }, + "description": "Delegate PKI authentication.\nThis API implements the exchange of an X509Certificate chain for an Elasticsearch access token.\nThe certificate chain is validated, according to RFC 5280, by sequentially considering the trust configuration of every installed PKI realm that has `delegation.enabled` set to `true`.\nA successfully trusted client certificate is also subject to the validation of the subject distinguished name according to thw `username_pattern` of the respective realm.\n\nThis API is called by smart and trusted proxies, such as Kibana, which terminate the user's TLS session but still want to authenticate the user by using a PKI realm—-​as if the user connected directly to Elasticsearch.\n\nIMPORTANT: The association between the subject public key in the target certificate and the corresponding private key is not validated.\nThis is part of the TLS authentication process and it is delegated to the proxy that calls this API.\nThe proxy is trusted to have performed the TLS authentication and this API translates that authentication into an Elasticsearch access token.", + "docId": "security-api-delegate-pki", + "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-delegate-pki-authentication.html", + "extDocId": "pki-realm", + "extDocUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/pki-realm.html", + "name": "security.delegate_pki", + "privileges": { + "cluster": [ + "all" + ] + }, + "request": { + "name": "Request", + "namespace": "security.delegate_pki" + }, + "requestBodyRequired": true, + "response": { + "name": "Response", + "namespace": "security.delegate_pki" + }, + "responseMediaType": [ + "application/json" + ], + "urls": [ + { + "methods": [ + "POST" + ], + "path": "/_security/delegate_pki" + } + ] + }, { "availability": { "serverless": { @@ -193704,6 +193756,157 @@ }, "specLocation": "security/bulk_put_role/SecurityBulkPutRoleResponse.ts#L22-L41" }, + { + "kind": "request", + "attachedBehaviors": [ + "CommonQueryParameters" + ], + "body": { + "kind": "properties", + "properties": [ + { + "description": "Expiration time for the API keys.\nBy default, API keys never expire.\nThis property can be omitted to leave the value unchanged.", + "name": "expiration", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Duration", + "namespace": "_types" + } + } + }, + { + "description": "The API key identifiers.", + "name": "ids", + "required": true, + "type": { + "kind": "union_of", + "items": [ + { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + }, + { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + ] + } + }, + { + "description": "Arbitrary nested metadata to associate with the API keys.\nWithin the `metadata` object, top-level keys beginning with an underscore (`_`) are reserved for system usage.\nAny information specified with this parameter fully replaces metadata previously associated with the API key.", + "name": "metadata", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Metadata", + "namespace": "_types" + } + } + }, + { + "description": "The role descriptors to assign to the API keys.\nAn API key's effective permissions are an intersection of its assigned privileges and the point-in-time snapshot of permissions of the owner user.\nYou can assign new privileges by specifying them in this parameter.\nTo remove assigned privileges, supply the `role_descriptors` parameter as an empty object `{}`.\nIf an API key has no assigned privileges, it inherits the owner user's full permissions.\nThe snapshot of the owner's permissions is always updated, whether you supply the `role_descriptors` parameter.\nThe structure of a role descriptor is the same as the request for the create API keys API.", + "name": "role_descriptors", + "required": false, + "type": { + "kind": "dictionary_of", + "key": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + }, + "singleKey": false, + "value": { + "kind": "instance_of", + "type": { + "name": "RoleDescriptor", + "namespace": "security._types" + } + } + } + } + ] + }, + "description": "Bulk update API keys.\nUpdate the attributes for multiple API keys.\n\nIMPORTANT: It is not possible to use an API key as the authentication credential for this API. To update API keys, the owner user's credentials are required.\n\nThis API is similar to the update API key API but enables you to apply the same update to multiple API keys in one API call. This operation can greatly improve performance over making individual updates.\n\nIt is not possible to update expired or invalidated API keys.\n\nThis API supports updates to API key access scope, metadata and expiration.\nThe access scope of each API key is derived from the `role_descriptors` you specify in the request and a snapshot of the owner user's permissions at the time of the request.\nThe snapshot of the owner's permissions is updated automatically on every call.\n\nIMPORTANT: If you don't specify `role_descriptors` in the request, a call to this API might still change an API key's access scope. This change can occur if the owner user's permissions have changed since the API key was created or last modified.\n\nA successful request returns a JSON structure that contains the IDs of all updated API keys, the IDs of API keys that already had the requested changes and did not require an update, and error details for any failed update.", + "inherits": { + "type": { + "name": "RequestBase", + "namespace": "_types" + } + }, + "name": { + "name": "Request", + "namespace": "security.bulk_update_api_keys" + }, + "path": [], + "query": [], + "specLocation": "security/bulk_update_api_keys/SecurityBulkUpdateApiKeysRequest.ts#L26-L77" + }, + { + "kind": "response", + "body": { + "kind": "properties", + "properties": [ + { + "name": "errors", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "BulkError", + "namespace": "security._types" + } + } + }, + { + "name": "noops", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + }, + { + "name": "updated", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + } + ] + }, + "name": { + "name": "Response", + "namespace": "security.bulk_update_api_keys" + }, + "specLocation": "security/bulk_update_api_keys/SecurityBulkUpdateApiKeysResponse.ts#L22-L28" + }, { "kind": "request", "attachedBehaviors": [ @@ -194780,6 +194983,329 @@ ], "specLocation": "security/create_service_token/types.ts#L22-L25" }, + { + "kind": "interface", + "name": { + "name": "Authentication", + "namespace": "security.delegate_pki" + }, + "properties": [ + { + "name": "username", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "name": "roles", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + }, + { + "name": "full_name", + "required": true, + "type": { + "kind": "union_of", + "items": [ + { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + }, + { + "kind": "instance_of", + "type": { + "name": "null", + "namespace": "_builtins" + } + } + ] + } + }, + { + "name": "email", + "required": true, + "type": { + "kind": "union_of", + "items": [ + { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + }, + { + "kind": "instance_of", + "type": { + "name": "null", + "namespace": "_builtins" + } + } + ] + } + }, + { + "name": "token", + "required": false, + "type": { + "kind": "dictionary_of", + "key": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + }, + "singleKey": false, + "value": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + }, + { + "name": "metadata", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Metadata", + "namespace": "_types" + } + } + }, + { + "name": "enabled", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "boolean", + "namespace": "_builtins" + } + } + }, + { + "name": "authentication_realm", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "AuthenticationRealm", + "namespace": "security.delegate_pki" + } + } + }, + { + "name": "lookup_realm", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "AuthenticationRealm", + "namespace": "security.delegate_pki" + } + } + }, + { + "name": "authentication_type", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "name": "api_key", + "required": false, + "type": { + "kind": "dictionary_of", + "key": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + }, + "singleKey": false, + "value": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + } + ], + "specLocation": "security/delegate_pki/SecurityDelegatePkiResponse.ts#L43-L55" + }, + { + "kind": "interface", + "name": { + "name": "AuthenticationRealm", + "namespace": "security.delegate_pki" + }, + "properties": [ + { + "name": "name", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "name": "type", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "name": "domain", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + ], + "specLocation": "security/delegate_pki/SecurityDelegatePkiResponse.ts#L57-L61" + }, + { + "kind": "request", + "attachedBehaviors": [ + "CommonQueryParameters" + ], + "body": { + "kind": "properties", + "properties": [ + { + "description": "The X509Certificate chain, which is represented as an ordered string array.\nEach string in the array is a base64-encoded (Section 4 of RFC4648 - not base64url-encoded) of the certificate's DER encoding.\n\nThe first element is the target certificate that contains the subject distinguished name that is requesting access.\nThis may be followed by additional certificates; each subsequent certificate is used to certify the previous one.", + "name": "x509_certificate_chain", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + } + ] + }, + "description": "Delegate PKI authentication.\nThis API implements the exchange of an X509Certificate chain for an Elasticsearch access token.\nThe certificate chain is validated, according to RFC 5280, by sequentially considering the trust configuration of every installed PKI realm that has `delegation.enabled` set to `true`.\nA successfully trusted client certificate is also subject to the validation of the subject distinguished name according to thw `username_pattern` of the respective realm.\n\nThis API is called by smart and trusted proxies, such as Kibana, which terminate the user's TLS session but still want to authenticate the user by using a PKI realm—-​as if the user connected directly to Elasticsearch.\n\nIMPORTANT: The association between the subject public key in the target certificate and the corresponding private key is not validated.\nThis is part of the TLS authentication process and it is delegated to the proxy that calls this API.\nThe proxy is trusted to have performed the TLS authentication and this API translates that authentication into an Elasticsearch access token.", + "inherits": { + "type": { + "name": "RequestBase", + "namespace": "_types" + } + }, + "name": { + "name": "Request", + "namespace": "security.delegate_pki" + }, + "path": [], + "query": [], + "specLocation": "security/delegate_pki/SecurityDelegatePkiRequest.ts#L22-L50" + }, + { + "kind": "response", + "body": { + "kind": "properties", + "properties": [ + { + "description": "An access token associated with the subject distinguished name of the client's certificate.", + "name": "access_token", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "The amount of time (in seconds) before the token expires.", + "name": "expires_in", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "long", + "namespace": "_types" + } + } + }, + { + "description": "The type of token.", + "name": "type", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "name": "authentication", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Authentication", + "namespace": "security.delegate_pki" + } + } + } + ] + }, + "name": { + "name": "Response", + "namespace": "security.delegate_pki" + }, + "specLocation": "security/delegate_pki/SecurityDelegatePkiResponse.ts#L24-L41" + }, { "kind": "interface", "name": { diff --git a/output/schema/validation-errors.json b/output/schema/validation-errors.json index 299cdcd4fc..56bcc67a46 100644 --- a/output/schema/validation-errors.json +++ b/output/schema/validation-errors.json @@ -680,12 +680,6 @@ ], "response": [] }, - "security.bulk_update_api_keys": { - "request": [ - "Missing request & response" - ], - "response": [] - }, "security.get_settings": { "request": [ "Missing request & response" diff --git a/output/typescript/types.ts b/output/typescript/types.ts index 6eb0316d42..493e5aa2d8 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts @@ -18167,6 +18167,21 @@ export interface SecurityBulkPutRoleResponse { errors?: SecurityBulkError } +export interface SecurityBulkUpdateApiKeysRequest extends RequestBase { + body?: { + expiration?: Duration + ids: string | string[] + metadata?: Metadata + role_descriptors?: Record + } +} + +export interface SecurityBulkUpdateApiKeysResponse { + errors?: SecurityBulkError + noops: string[] + updated: string[] +} + export interface SecurityChangePasswordRequest extends RequestBase { username?: Username refresh?: Refresh @@ -18284,6 +18299,39 @@ export interface SecurityCreateServiceTokenToken { value: string } +export interface SecurityDelegatePkiAuthentication { + username: string + roles: string[] + full_name: string | null + email: string | null + token?: Record + metadata: Metadata + enabled: boolean + authentication_realm: SecurityDelegatePkiAuthenticationRealm + lookup_realm: SecurityDelegatePkiAuthenticationRealm + authentication_type: string + api_key?: Record +} + +export interface SecurityDelegatePkiAuthenticationRealm { + name: string + type: string + domain?: string +} + +export interface SecurityDelegatePkiRequest extends RequestBase { + body?: { + x509_certificate_chain: string[] + } +} + +export interface SecurityDelegatePkiResponse { + access_token: string + expires_in: long + type: string + authentication?: SecurityDelegatePkiAuthentication +} + export interface SecurityDeletePrivilegesFoundStatus { found: boolean } diff --git a/specification/_doc_ids/table.csv b/specification/_doc_ids/table.csv index 63e512d7ac..c2cc0b63f2 100644 --- a/specification/_doc_ids/table.csv +++ b/specification/_doc_ids/table.csv @@ -383,6 +383,7 @@ paginate-search-results,https://www.elastic.co/guide/en/elasticsearch/reference/ painless-contexts,https://www.elastic.co/guide/en/elasticsearch/painless/{branch}/painless-contexts.html painless-execute-api,https://www.elastic.co/guide/en/elasticsearch/painless/{branch}/painless-execute-api.html pipeline-processor,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/pipeline-processor.html +pki-realm,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/pki-realm.html point-in-time-api,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/point-in-time-api.html preview-dfanalytics,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/preview-dfanalytics.html preview-transform,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/preview-transform.html @@ -591,6 +592,7 @@ searchable-snapshots-apis,https://www.elastic.co/guide/en/elasticsearch/referenc search-templates,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/search-template.html secure-settings,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/secure-settings.html security-api-authenticate,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-authenticate.html +security-api-bulk-update-key,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-bulk-update-api-keys.html security-api-change-password,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-change-password.html security-api-clear-api-key-cache,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-clear-api-key-cache.html security-api-clear-cache,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-clear-cache.html @@ -599,6 +601,7 @@ security-api-clear-role-cache,https://www.elastic.co/guide/en/elasticsearch/refe security-api-clear-service-token-caches,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-clear-service-token-caches.html security-api-create-api-key,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-create-api-key.html security-api-create-service-token,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-create-service-token.html +security-api-delegate-pki,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-delegate-pki-authentication.html security-api-delete-privilege,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-delete-privilege.html security-api-delete-role-mapping,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-delete-role-mapping.html security-api-delete-role,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/security-api-delete-role.html diff --git a/specification/_json_spec/security.delegate_pki.json b/specification/_json_spec/security.delegate_pki.json new file mode 100644 index 0000000000..90d48dc826 --- /dev/null +++ b/specification/_json_spec/security.delegate_pki.json @@ -0,0 +1,26 @@ +{ + "security.delegate_pki": { + "documentation": { + "url": "https://www.elastic.co/guide/en/elasticsearch/reference/master/security-api-delegate-pki-authentication.html", + "description": "Delegate PKI authentication." + }, + "stability": "stable", + "visibility": "public", + "headers": { + "accept": ["application/json"] + }, + "url": { + "paths": [ + { + "path": "/_security/delegate_pki", + "methods": ["POST"] + } + ] + }, + "params": {}, + "body": { + "description": "The X509Certificate chain.", + "required": true + } + } +} diff --git a/specification/security/bulk_update_api_keys/SecurityBulkUpdateApiKeysRequest.ts b/specification/security/bulk_update_api_keys/SecurityBulkUpdateApiKeysRequest.ts new file mode 100644 index 0000000000..6eeea20b44 --- /dev/null +++ b/specification/security/bulk_update_api_keys/SecurityBulkUpdateApiKeysRequest.ts @@ -0,0 +1,77 @@ +/* + * Licensed to Elasticsearch B.V. under one or more contributor + * license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright + * ownership. Elasticsearch B.V. licenses this file to you under + * the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import { RoleDescriptor } from '@security/_types/RoleDescriptor' +import { Dictionary } from '@spec_utils/Dictionary' +import { RequestBase } from '@_types/Base' +import { Metadata } from '@_types/common' +import { Duration } from '@_types/Time' + +/** + * Bulk update API keys. + * Update the attributes for multiple API keys. + * + * IMPORTANT: It is not possible to use an API key as the authentication credential for this API. To update API keys, the owner user's credentials are required. + * + * This API is similar to the update API key API but enables you to apply the same update to multiple API keys in one API call. This operation can greatly improve performance over making individual updates. + * + * It is not possible to update expired or invalidated API keys. + * + * This API supports updates to API key access scope, metadata and expiration. + * The access scope of each API key is derived from the `role_descriptors` you specify in the request and a snapshot of the owner user's permissions at the time of the request. + * The snapshot of the owner's permissions is updated automatically on every call. + * + * IMPORTANT: If you don't specify `role_descriptors` in the request, a call to this API might still change an API key's access scope. This change can occur if the owner user's permissions have changed since the API key was created or last modified. + * + * A successful request returns a JSON structure that contains the IDs of all updated API keys, the IDs of API keys that already had the requested changes and did not require an update, and error details for any failed update. + * @rest_spec_name security.bulk_update_api_keys + * @availability stack since=8.5.0 stability=stable visibility=public + * @doc_id security-api-bulk-update-key + * @cluster_privileges manage_own_api_key + */ +export interface Request extends RequestBase { + body: { + /** + * Expiration time for the API keys. + * By default, API keys never expire. + * This property can be omitted to leave the value unchanged. + */ + expiration?: Duration + /** + * The API key identifiers. + */ + ids: string | string[] + /** + * Arbitrary nested metadata to associate with the API keys. + * Within the `metadata` object, top-level keys beginning with an underscore (`_`) are reserved for system usage. + * Any information specified with this parameter fully replaces metadata previously associated with the API key. + */ + metadata?: Metadata + /** + * The role descriptors to assign to the API keys. + * An API key's effective permissions are an intersection of its assigned privileges and the point-in-time snapshot of permissions of the owner user. + * You can assign new privileges by specifying them in this parameter. + * To remove assigned privileges, supply the `role_descriptors` parameter as an empty object `{}`. + * If an API key has no assigned privileges, it inherits the owner user's full permissions. + * The snapshot of the owner's permissions is always updated, whether you supply the `role_descriptors` parameter. + * The structure of a role descriptor is the same as the request for the create API keys API. + */ + role_descriptors?: Dictionary + } +} diff --git a/specification/security/bulk_update_api_keys/SecurityBulkUpdateApiKeysResponse.ts b/specification/security/bulk_update_api_keys/SecurityBulkUpdateApiKeysResponse.ts new file mode 100644 index 0000000000..c25e4dba98 --- /dev/null +++ b/specification/security/bulk_update_api_keys/SecurityBulkUpdateApiKeysResponse.ts @@ -0,0 +1,28 @@ +/* + * Licensed to Elasticsearch B.V. under one or more contributor + * license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright + * ownership. Elasticsearch B.V. licenses this file to you under + * the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import { BulkError } from '@security/_types/Bulk' + +export class Response { + body: { + errors?: BulkError + noops: string[] + updated: string[] + } +} diff --git a/specification/security/bulk_update_api_keys/examples/200_response/SecurityBulkUpdateApiKeysResponseExample1.yaml b/specification/security/bulk_update_api_keys/examples/200_response/SecurityBulkUpdateApiKeysResponseExample1.yaml new file mode 100644 index 0000000000..338a16e66c --- /dev/null +++ b/specification/security/bulk_update_api_keys/examples/200_response/SecurityBulkUpdateApiKeysResponseExample1.yaml @@ -0,0 +1,9 @@ +# summary: +description: A successful response from updating two API keys. +# type": "response", +# response_code": 200, +value: + updated: + - VuaCfGcBCdbkQm-e5aOx + - H3_AhoIBA9hmeQJdg7ij + noops: [] diff --git a/specification/security/bulk_update_api_keys/examples/request/SecurityBulkUpdateApiKeysRequestExample1.yaml b/specification/security/bulk_update_api_keys/examples/request/SecurityBulkUpdateApiKeysRequestExample1.yaml new file mode 100644 index 0000000000..06a69f77a4 --- /dev/null +++ b/specification/security/bulk_update_api_keys/examples/request/SecurityBulkUpdateApiKeysRequestExample1.yaml @@ -0,0 +1,22 @@ +# summary: +description: Assign new role descriptors and metadata and update the expiration time for two API keys. +# type": "response", +# response_code": 200, +value: + ids: + - VuaCfGcBCdbkQm-e5aOx + - H3_AhoIBA9hmeQJdg7ij + role_descriptors: + role-a: + indices: + - names: + - '*' + privileges: + - write + metadata: + environment: + level: 2 + trusted: true + tags: + - production + expiration: 30d diff --git a/specification/security/bulk_update_api_keys/examples/request/SecurityBulkUpdateApiKeysRequestExample2.yaml b/specification/security/bulk_update_api_keys/examples/request/SecurityBulkUpdateApiKeysRequestExample2.yaml new file mode 100644 index 0000000000..83a155083c --- /dev/null +++ b/specification/security/bulk_update_api_keys/examples/request/SecurityBulkUpdateApiKeysRequestExample2.yaml @@ -0,0 +1,9 @@ +# summary: +description: Remove the previously assigned permissions for two API keys, making them inherit the owner user's full permissions. +# type": "response", +# response_code": 200, +value: + ids: + - VuaCfGcBCdbkQm-e5aOx + - H3_AhoIBA9hmeQJdg7ij + role_descriptors: {} diff --git a/specification/security/delegate_pki/SecurityDelegatePkiRequest.ts b/specification/security/delegate_pki/SecurityDelegatePkiRequest.ts new file mode 100644 index 0000000000..a0499586cf --- /dev/null +++ b/specification/security/delegate_pki/SecurityDelegatePkiRequest.ts @@ -0,0 +1,50 @@ +/* + * Licensed to Elasticsearch B.V. under one or more contributor + * license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright + * ownership. Elasticsearch B.V. licenses this file to you under + * the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import { RequestBase } from '@_types/Base' + +/** + * Delegate PKI authentication. + * This API implements the exchange of an X509Certificate chain for an Elasticsearch access token. + * The certificate chain is validated, according to RFC 5280, by sequentially considering the trust configuration of every installed PKI realm that has `delegation.enabled` set to `true`. + * A successfully trusted client certificate is also subject to the validation of the subject distinguished name according to thw `username_pattern` of the respective realm. + * + * This API is called by smart and trusted proxies, such as Kibana, which terminate the user's TLS session but still want to authenticate the user by using a PKI realm—-​as if the user connected directly to Elasticsearch. + * + * IMPORTANT: The association between the subject public key in the target certificate and the corresponding private key is not validated. + * This is part of the TLS authentication process and it is delegated to the proxy that calls this API. + * The proxy is trusted to have performed the TLS authentication and this API translates that authentication into an Elasticsearch access token. + * @rest_spec_name security.delegate_pki + * @availability stack since=7.4.0 stability=stable + * @cluster_privileges all + * @doc_id security-api-delegate-pki + * @ext_doc_id pki-realm + */ +export interface Request extends RequestBase { + body: { + /** + * The X509Certificate chain, which is represented as an ordered string array. + * Each string in the array is a base64-encoded (Section 4 of RFC4648 - not base64url-encoded) of the certificate's DER encoding. + * + * The first element is the target certificate that contains the subject distinguished name that is requesting access. + * This may be followed by additional certificates; each subsequent certificate is used to certify the previous one. + */ + x509_certificate_chain: string[] + } +} diff --git a/specification/security/delegate_pki/SecurityDelegatePkiResponse.ts b/specification/security/delegate_pki/SecurityDelegatePkiResponse.ts new file mode 100644 index 0000000000..e37ce5770f --- /dev/null +++ b/specification/security/delegate_pki/SecurityDelegatePkiResponse.ts @@ -0,0 +1,61 @@ +/* + * Licensed to Elasticsearch B.V. under one or more contributor + * license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright + * ownership. Elasticsearch B.V. licenses this file to you under + * the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import { Dictionary } from '@spec_utils/Dictionary' +import { Metadata } from '@_types/common' +import { long } from '@_types/Numeric' + +export class Response { + body: { + /** + * An access token associated with the subject distinguished name of the client's certificate. + */ + access_token: string + /** + * The amount of time (in seconds) before the token expires. + */ + expires_in: long + /** + * The type of token. + */ + type: string + + authentication?: Authentication + } +} + +export class Authentication { + username: string + roles: string[] + full_name: string | null + email: string | null + token?: Dictionary + metadata: Metadata + enabled: boolean + authentication_realm: AuthenticationRealm + lookup_realm: AuthenticationRealm + authentication_type: string + api_key?: Dictionary +} + +export class AuthenticationRealm { + name: string + type: string + domain?: string +} diff --git a/specification/security/delegate_pki/examples/200_response/SecurityDelegatePkiResponseExample1.yaml b/specification/security/delegate_pki/examples/200_response/SecurityDelegatePkiResponseExample1.yaml new file mode 100644 index 0000000000..64f041358f --- /dev/null +++ b/specification/security/delegate_pki/examples/200_response/SecurityDelegatePkiResponseExample1.yaml @@ -0,0 +1,26 @@ +# summary: +description: A successful response from delegating a one element certificate chain. +# type": "response", +# response_code": 200, +value: + access_token: >- + dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ== + type: Bearer + expires_in: 1200 + authentication: + username: Elasticsearch Test Client + roles: [] + full_name: null + email: null + metadata: + pki_dn: O=org, OU=Elasticsearch, CN=Elasticsearch Test Client + pki_delegated_by_user: test_admin + pki_delegated_by_realm: file + enabled: true + authentication_realm: + name: pki1 + type: pki + lookup_realm: + name: pki1 + type: pki + authentication_type: realm diff --git a/specification/security/delegate_pki/examples/request/SecurityDelegatePkiRequestExample1.yaml b/specification/security/delegate_pki/examples/request/SecurityDelegatePkiRequestExample1.yaml new file mode 100644 index 0000000000..f1f70c7a91 --- /dev/null +++ b/specification/security/delegate_pki/examples/request/SecurityDelegatePkiRequestExample1.yaml @@ -0,0 +1,5 @@ +# summary: +description: Delegate a one element certificate chain. +# type": "response", +# response_code": 200, +value: "{\n\"x509_certificate_chain\": [\"MIIDeDCCAmCgAwIBAgIUBzj/nGGKxP2iXawsSquHmQjCJmMwDQYJKoZIhvcNAQELBQAwUzErMCkGA1UEAxMiRWxhc3RpY3NlYXJjaCBUZXN0IEludGVybWVkaWF0ZSBDQTEWMBQGA1UECxMNRWxhc3RpY3NlYXJjaDEMMAoGA1UEChMDb3JnMB4XDTIzMDcxODE5MjkwNloXDTQzMDcxMzE5MjkwNlowSjEiMCAGA1UEAxMZRWxhc3RpY3NlYXJjaCBUZXN0IENsaWVudDEWMBQGA1UECxMNRWxhc3RpY3NlYXJjaDEMMAoGA1UEChMDb3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAllHL4pQkkfwAm/oLkxYYO+r950DEy1bjH+4viCHzNADLCTWO+lOZJVlNx7QEzJE3QGMdif9CCBBxQFMapA7oUFCLq84fPSQQu5AnvvbltVD9nwVtCs+9ZGDjMKsz98RhSLMFIkxdxi6HkQ3Lfa4ZSI4lvba4oo+T/GveazBDS+NgmKyq00EOXt3tWi1G9vEVItommzXWfv0agJWzVnLMldwkPqsw0W7zrpyT7FZS4iLbQADGceOW8fiauOGMkscu9zAnDR/SbWl/chYioQOdw6ndFLn1YIFPd37xL0WsdsldTpn0vH3YfzgLMffT/3P6YlwBegWzsx6FnM/93Ecb4wIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQKNRwjW+Ad/FN1Rpoqme/5+jrFWzAfBgNVHSMEGDAWgBRcya0c0x/PaI7MbmJVIylWgLqXNjANBgkqhkiG9w0BAQsFAAOCAQEACZ3PF7Uqu47lplXHP6YlzYL2jL0D28hpj5lGtdha4Muw1m/BjDb0Pu8l0NQ1z3AP6AVcvjNDkQq6Y5jeSz0bwQlealQpYfo7EMXjOidrft1GbqOMFmTBLpLA9SvwYGobSTXWTkJzonqVaTcf80HpMgM2uEhodwTcvz6v1WEfeT/HMjmdIsq4ImrOL9RNrcZG6nWfw0HR3JNOgrbfyEztEI471jHznZ336OEcyX7gQuvHE8tOv5+oD1d7s3Xg1yuFp+Ynh+FfOi3hPCuaHA+7F6fLmzMDLVUBAllugst1C3U+L/paD7tqIa4ka+KNPCbSfwazmJrt4XNiivPR4hwH5g==\"]\n}"