fusillade-api.yml

openapi: 3.0.0
info:
  title: Fusillade app demo
  description: |
    Human Cell Atlas Data Coordination Platform Fusillade app demo

    Log in: [Auth0](/login?state=ABC&redirect_uri=https://$API_DOMAIN_NAME/internal/echo)

    [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html#toc)

    # Pagination
    The Fusillade API supports pagination in a manner consistent with the
    [GitHub API](https://developer.github.com/v3/guides/traversing-with-pagination/),
    which is based on [RFC 5988](https://tools.ietf.org/html/rfc5988). When the
    results of an API call exceed the page size specified, the HTTP response will
    contain a `Link` header of the following form:
    `Link: <https://auth.data.humancellatlas.org/v1/users?per_page=30&next_token=123>; rel="next"`.
    The URL in the header refers to the next page of the results to be fetched;
    if no `Link rel="next"` URL is included, then all results have been fetched.
    The client should recognize and parse the `Link` header appropriately according
    to RFC 5988, and retrieve the next page if requested by the user, or if all
    results are being retrieved.
    Additional Pagination Headers are returned to assist with client pagination these are:
    `X-OpenAPI-Pagination` - boolean that indicates if there are more pages.
    `X-OpenAPI-Paginated-Content-Key` - string that indicates which key in the response will be paged.

  version: $FUS_VERSION
servers:
  - url: https://$API_DOMAIN_NAME
paths:
  /login:
    get:
      summary: Establish the users identity using the OIDC provider
      description: Send the user agent to an identity provider selector and
        generate a user account to establish the user's identity. This is a
        redirect endpoint.
      operationId: fusillade.api.oauth.login
      tags:
        - oauth
      parameters:
        - name: redirect_uri
          description: Where to redirect to once login is complete.
          in: query
          required: true
          schema:
            type: string
        - name: state
          description: An opaque parameter that is returned back to the `redirect_uri`.
          in: query
          schema:
            type: string
      responses:
        301:
          description: OK.
        default:
          description: Unexpected error.
  /logout:
    get:
      summary: Logout the user from current sessions with the OIDC provider.
      description: Logout the user from current sessions with the OIDC provider. You can log the users out from a
        specific application if the you know the client_id for the application. Otherwise the user will be logged out
        of the default application by oauth2_config.
      operationId: fusillade.api.oauth.logout
      tags:
        - oauth
      parameters:
        - name: client_id
          in: query
          schema:
            type: string
      responses:
        200:
          description: OK.
        default:
          description: Unexpected error.
  /.well-known/openid-configuration:
    get:
      summary: See documentation at
        [Provider Config](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig)
      description: This endpoint is part of OIDC, see documentation at
        [Provider Config](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig)
      tags:
        - oauth
      parameters:
        - in: header
          name: host
          schema:
            type: string
            default: $API_DOMAIN_NAME
          required: true
          description: Must be `$API_DOMAIN_NAME`.
      operationId: fusillade.api.oauth.serve_openid_config
      responses:
        200:
          description: Returns the supported openid endpoints.
  /.well-known/jwks.json:
    get:
      summary: This endpoint is part of OIDC
      description: Provide the public key used to sign all JWTs minted by the OIDC provider.
        See [JSON Web Key Set](https://auth0.com/docs/jwks) for more info.
      tags:
        - oauth
      operationId: fusillade.api.oauth.serve_jwks_json
      responses:
        200:
          description: Returns the well known jwks.
  /oauth/authorize:
    get:
      summary: See [Auth Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
      description: This endpoint is part of OIDC and is used to redirect to an openid provider.
        See [Auth Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
      operationId: fusillade.api.oauth.authorize
      tags:
        - oauth
      parameters:
        - name: redirect_uri
          in: query
          schema:
            type: string
        - name: state
          in: query
          schema:
            type: string
        - name: client_id
          in: query
          schema:
            type: string
        - name: scope
          in: query
          schema:
            type: string
        - name: respone_type
          in: query
          schema:
            type: string
        - name: nonce
          in: query
          schema:
            type: string
        - name: prompt
          in: query
          schema:
            type: string
      responses:
        302:
          description: Redirecting to authentication server.
          headers:
            Location:
              schema:
                type: string
        default:
          description: Unexpected error.
  /oauth/revoke:
    post:
      summary: Revoke a refresh token
      description: Revokes a refresh token from a client making all future token refresh requests fail.
      operationId: fusillade.api.oauth.revoke
      tags:
        - oauth
      requestBody:
        content:
          application/json:
            schema:
              type: object
              required:
                - client_id
                - token
              properties:
                client_id:
                  type: string
                token:
                  type: string
                  description: The refresh token to revoke.
      responses:
        200:
          description: OK.
        default:
          description: Unexpected error.
  /oauth/token:
    post:
      summary: Retrieve the authentications token
      description: This endpoint is part of OIDC and is used to redirect to an openid provider.
        See [Token Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint), and
        [Refresh Tokens](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens)
      operationId: fusillade.api.oauth.serve_oauth_token
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                redirect_uri:
                  description: Where to redirect to once login is complete.
                  type: string
                code:
                  description: The code used to retrieve an access token from OIDC authentication flow.
                  type: string
                grant_type:
                  description: The type of grant requested.
                  type: string
                client_id:
                  type: string
                client_secret:
                  type: string
                refresh_token:
                  type: string
                scope:
                  type: string

      tags:
        - oauth
      responses:
        302:
          description: OK.
          headers:
            Cache-Control:
              schema:
                type: string
            Pragma:
              schema:
                type: string
          content:
            application/json:
              schema:
                type: object
        default:
          description: Unexpected error.
  /oauth/userinfo:
    get:
      summary: See [User Info](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
      description: This endpoint is part of OIDC and is used to redirect to an openid provider.
        See [User Info](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
      operationId: fusillade.api.oauth.get_userinfo
      security:
        - BearerAuth: []
      tags:
        - oauth
      responses:
        200:
          $ref: '#/components/responses/userinfo'
        401:
          $ref: '#/components/responses/401'
    post:
      summary: See [User Info](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
      description: This endpoint is part of OIDC and is used to redirect to an openid provider.
        See [User Info](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
      operationId: fusillade.api.oauth.post_userinfo
      security:
        - BearerAuth: []
      tags:
        - oauth
      responses:
        200:
          $ref: '#/components/responses/userinfo'
        401:
          $ref: '#/components/responses/401'
  /echo:
    get:
      summary: echoes the response
      description: Echoes the response back.
      operationId: fusillade.api.internal.echo
      responses:
        200:
          description: Echo.
  /v1/policies/evaluate:
    post:
      summary: Evaluate a user's permissions
      description: Given a set of principals, actions, and resources, return a
        set of access control decisions.
      operationId: fusillade.api.evaluate.evaluate_policy_api
      security:
        - BearerAuth: []
      requestBody:
        content:
          application/json:
            schema:
              required:
                - principal
                - action
                - resource
              type: object
              properties:
                principal:
                  description: Attested user identifier.
                  type: string
                action:
                  description: The action the principal is attempting to perform.
                  type: array
                  items:
                    $ref: '#/components/schemas/policy_action'
                resource:
                  description: The resource the principal will perform the action against.
                  type: array
                  maxItems: 1
                  minItems: 1
                  items:
                    $ref: '#/components/schemas/resource_name'
      responses:
        200:
          description: The result of the policy evaluation.
          content:
            application/json:
              schema:
                type: object
                properties:
                  result:
                    type: boolean
                  reason:
                    type: string
        default:
          description: Unexpected error.
  /v1/users:
    get:
      summary: List users
      description: Paginate through all users.
      operationId: fusillade.api.users.get_users
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/next_token'
        - $ref: '#/components/parameters/per_page'
      responses:
        200:
          $ref: '#/components/responses/200_paged'
        206:
          $ref: '#/components/responses/206'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
      tags:
        - user
  /v1/user:
    post:
      summary: Create a new user
      description: Create a new user with the specified groups, roles, and iam policy.
      operationId: fusillade.api.users.post_user
      security:
        - BearerAuth: []
      requestBody:
        content:
          application/json:
            schema:
              required:
                - user_id
              type: object
              properties:
                user_id:
                  $ref: '#/components/schemas/custom_identifier'
                groups:
                  type: array
                  items:
                    $ref: '#/components/schemas/custom_identifier'
                roles:
                  type: array
                  items:
                    $ref: '#/components/schemas/custom_identifier'
                policy:
                  $ref: '#/components/schemas/policy_document'
      tags:
        - user
      responses:
        201:
          description: User was created.
        401:
          $ref: '#/components/responses/401'
        default:
          description: Unexpected error.
  /v1/user/{user_id}:
    get:
      summary: Retrieve information about a user
      description: Retrieve information about the user's status and the policies attached.
      operationId: fusillade.api.users.get_user
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/user_id'
      tags:
        - user
      responses:
        200:
          description: Information about the user is returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/User'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
    put:
      summary: Modify user status
      description: Enable or disable a user. A disabled user will return false
        for all evaluations with that user as principal.
      operationId: fusillade.api.users.put_user
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/user_id'
        - $ref: '#/components/parameters/user_status'
      tags:
        - user
      responses:
        200:
          description: Status set.
        401:
          $ref: '#/components/responses/401'
        default:
          description: Unexpected error.
  /v1/user/{user_id}/owns:
    get:
      summary: Retrieve the resources owned by the user
      description: Paginate through a list of resources owned by a user.
      operationId: fusillade.api.users.get_users_owns
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/user_id'
        - $ref: '#/components/parameters/next_token'
        - $ref: '#/components/parameters/per_page'
        - $ref: '#/components/parameters/resource_type'
      tags:
        - user
      responses:
        200:
          $ref: '#/components/responses/200_paged'
        206:
          $ref: '#/components/responses/206'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
  /v1/user/{user_id}/groups:
    get:
      summary: Retrieve group(s) for a user
      description: Paginate through a list of groups of which a user is a member.
      operationId: fusillade.api.users.get_users_groups
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/user_id'
        - $ref: '#/components/parameters/next_token'
        - $ref: '#/components/parameters/per_page'
      tags:
        - user
      responses:
        200:
          $ref: '#/components/responses/200_paged'
        206:
          $ref: '#/components/responses/206'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
    put:
      summary: Add or remove a user from group(s)
      description: Modify group(s) in which a user is a member.
      operationId: fusillade.api.users.put_users_groups
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/user_id'
        - $ref: '#/components/parameters/action'
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/groups'
      tags:
        - user
      responses:
        200:
          description: Action successful.
        401:
          $ref: '#/components/responses/401'
        304:
          description: The user is already a member of this group.
        default:
          description: Unexpected error.
  /v1/user/{user_id}/roles:
    get:
      summary: Retrieve roles a user is in
      description: Paginate through all roles attached to a user.
      operationId: fusillade.api.users.get_users_roles
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/user_id'
        - $ref: '#/components/parameters/next_token'
        - $ref: '#/components/parameters/per_page'
      tags:
        - user
      responses:
        200:
          $ref: '#/components/responses/200_paged'
        206:
          $ref: '#/components/responses/206'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
    put:
      summary: Add or remove user from role(s)
      description: Modify the role(s) attached to a user.
      operationId: fusillade.api.users.put_users_roles
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/user_id'
        - $ref: '#/components/parameters/action'
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/roles'
      tags:
        - user
      responses:
        200:
          description: Action successful.
        401:
          $ref: '#/components/responses/401'
        304:
          description: The user already has this role attached.
        default:
          description: Unexpected error.
  /v1/user/{user_id}/policy:
    put:
      summary: Modify policy
      description: Modify or add the user's IAM policy.
      operationId: fusillade.api.users.put_user_policy
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/user_id'
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                policy:
                  $ref: '#/components/schemas/policy_document'
      responses:
        200:
          description: Policy modified.
        401:
          $ref: '#/components/responses/401'
        default:
          description: Unexpected error.
      tags:
        - user
  /v1/groups:
    get:
      summary: List groups
      description: Paginate through all groups.
      operationId: fusillade.api.groups.get_groups
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/next_token'
        - $ref: '#/components/parameters/per_page'
      responses:
        200:
          $ref: '#/components/responses/200_paged'
        206:
          $ref: '#/components/responses/206'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
      tags:
        - group
  /v1/group:
    post:
      summary: Create a new group
      description: Create a new group, attach an IAM policy, and assign roles.
      operationId: fusillade.api.groups.post_group
      security:
        - BearerAuth: []
      requestBody:
        content:
          application/json:
            schema:
              allOf:
                - type: object
                  required:
                    - group_id
                  properties:
                    group_id:
                      $ref: '#/components/schemas/custom_identifier'
                    policy:
                      $ref: '#/components/schemas/policy_document'
                - $ref: '#/components/schemas/roles'
      responses:
        201:
          description: Group was successfully created.
        401:
          $ref: '#/components/responses/401'
        default:
          description: Unexpected error.
      tags:
        - group
  /v1/group/{group_id}:
    get:
      summary: Get properties of a group
      description: Get properties of a group, including the group's IAM policy.
      operationId: fusillade.api.groups.get_group
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/group_id'
      responses:
        200:
          description: Information about the group was successfully returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Group'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
      tags:
        - group
    delete:
      summary: Remove a group from the system
      description: Remove all users, policies, and roles from the group, and delete the group.
      operationId: fusillade.api.groups.delete_group
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/group_id'
      responses:
        200:
          description: Group was successfully deleted.
        401:
          $ref: '#/components/responses/401'
        default:
          description: Unexpected error.
      tags:
        - group
  /v1/group/{group_id}/roles:
    get:
      summary: Retrieve role(s) for a group
      description: Paginate through all roles assigned to the group.
      operationId: fusillade.api.groups.get_groups_roles
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/group_id'
        - $ref: '#/components/parameters/next_token'
        - $ref: '#/components/parameters/per_page'
      responses:
        200:
          description: All roles have been successfully returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/roles'
        206:
          $ref: '#/components/responses/206'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
      tags:
        - group
    put:
      summary: Add or remove a group from role(s)
      description: Modify the role(s) assigned to a group.
      operationId: fusillade.api.groups.put_groups_roles
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/group_id'
        - $ref: '#/components/parameters/action'
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/roles'
      responses:
        200:
          description: Action successful.
        401:
          $ref: '#/components/responses/401'
        304:
          description: The group already has this role attached.
        default:
          description: Unexpected error.
      tags:
        - group
  /v1/group/{group_id}/users:
    get:
      summary: Retrieve user(s) in a group
      description: Paginate through all users in a group.
      operationId: fusillade.api.groups.get_group_users
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/group_id'
        - $ref: '#/components/parameters/next_token'
        - $ref: '#/components/parameters/per_page'
      responses:
        200:
          description: All users have been returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/users'
        206:
          $ref: '#/components/responses/206'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
      tags:
        - group
    put:
      summary: Add or remove user(s) from a group
      description: Modify the user(s) assigned to a group.
      operationId: fusillade.api.groups.put_groups_users
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/group_id'
        - $ref: '#/components/parameters/action'
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                users:
                  type: array
                  minItems: 1
                  maxItems: 10
                  items:
                    $ref: '#/components/schemas/custom_identifier'
      responses:
        200:
          description: Action successful.
        401:
          $ref: '#/components/responses/401'
        304:
          description: One or more users is already in this group.
        default:
          description: Unexpected error.
      tags:
        - group
  /v1/group/{group_id}/policy:
    put:
      summary: Modify policy
      description: Modify or create a policy attached to a group.
      operationId: fusillade.api.groups.put_group_policy
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/group_id'
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                policy:
                  $ref: '#/components/schemas/policy_document'
      responses:
        200:
          description: Policy modified.
        401:
          $ref: '#/components/responses/401'
        default:
          description: Unexpected error.
      tags:
        - group
  /v1/roles:
    get:
      summary: List roles
      description: Paginate through all roles.
      operationId: fusillade.api.roles.get_roles
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/next_token'
        - $ref: '#/components/parameters/per_page'
      responses:
        200:
          $ref: '#/components/responses/200_paged'
        206:
          $ref: '#/components/responses/206'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
      tags:
        - role
  /v1/role:
    post:
      summary: Create a new role
      description: Create a new role and attach a IAM policy.
      operationId: fusillade.api.roles.post_role
      security:
        - BearerAuth: []
      requestBody:
        content:
          application/json:
            schema:
              type: object
              required:
                - role_id
                - policy
              properties:
                role_id:
                  $ref: '#/components/schemas/custom_identifier'
                policy:
                  $ref: '#/components/schemas/policy_document'
      responses:
        201:
          description: Role was created.
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        409:
          $ref: '#/components/responses/409'
        default:
          description: Unexpected error.
      tags:
        - role
  /v1/role/{role_id}:
    get:
      summary: Get properties of a role
      description: Get properties of a role.
      operationId: fusillade.api.roles.get_role
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/role_id'
      responses:
        200:
          description: Information about the role is returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Role'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
      tags:
        - role
    delete:
      summary: Remove a role from the system
      description: Remove the role from all users and groups, and finally delete the role.
      operationId: fusillade.api.roles.delete_role
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/role_id'
      responses:
        200:
          description: Role was deleted.
        401:
          $ref: '#/components/responses/401'
        default:
          description: Unexpected error.
      tags:
        - role
  /v1/role/{role_id}/policy:
    put:
      summary: Modify policy
      description: Modify the IAM policy attached to the role.
      operationId: fusillade.api.roles.put_role_policy
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/role_id'
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                policy:
                  $ref: '#/components/schemas/policy_document'
      responses:
        200:
          description: Policy modified.
        401:
          $ref: '#/components/responses/401'
        default:
          description: Unexpected error.
      tags:
        - role
  /v1/resources:
    get:
      summary:  List available resource types
      description: List available resource types
      operationId: fusillade.api.resources.get
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/next_token'
        - $ref: '#/components/parameters/per_page'
      responses:
        200:
          $ref: '#/components/responses/200_paged'
        206:
          $ref: '#/components/responses/206'
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        default:
          description: Unexpected error.
      tags:
        - resource
  /v1/resource/{resource_type_name}:
    get:
      summary: List all resources for this resource type
      description: List all resources for this resource type
      operationId: fusillade.api.resource.resource_type_name.get
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
        - $ref: '#/components/parameters/next_token'
        - $ref: '#/components/parameters/per_page'
      responses:
        200:
          $ref: '#/components/responses/200_paged'
        206:
          $ref: '#/components/responses/206'
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
      tags:
        - resource
    post:
      summary: Create a new resource type.
      description: Create a new resource type.
      operationId: fusillade.api.resource.resource_type_name.post
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
      requestBody:
        content:
          application/json:
            schema:
              allOf:
                - type: object
                  properties:
                    owner_policy:
                      $ref: '#/components/schemas/policy_document'
                - $ref: '#/components/schemas/policy_actions'
      responses:
        201:
          description: The new resource type has been created.
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        409:
          $ref: '#/components/responses/409'
        default:
          description: Unexpected error.
      tags:
        - resource
    delete:
      summary: Delete an existing resource type.
      description: Delete an existing resource type if there are no ids of that resource type stored.
      operationId: fusillade.api.resource.resource_type_name.delete
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
      responses:
        201:
          description: The resource has been deleted.
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        409:
          $ref: '#/components/responses/Resource_not_empty'
        default:
          description: Unexpected error.
      tags:
        - resource
  /v1/resource/{resource_type_name}/actions:
    get:
      summary: List all actions for this resource type.
      description: List all actions for this resource type.
      operationId: fusillade.api.resource.resource_type_name.actions.get
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/policy_actions'
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
      tags:
        - resource
    put:
      summary: Add a new action for a resource type.
      description: Add a new action for a resource type.
      operationId: fusillade.api.resource.resource_type_name.actions.put
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/policy_actions'
      responses:
        200:
          description: OK
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        404:
          $ref: '#/components/responses/404'
        409:
          $ref: '#/components/responses/409'
        default:
          description: Unexpected error.
      tags:
        - resource
    delete:
      summary: Delete an existing action for a resource type.
      description: Delete an existing action for a resource type.
      operationId: fusillade.api.resource.resource_type_name.actions.delete
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/policy_actions'
      responses:
        200:
          description: OK
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        404:
          $ref: '#/components/responses/404'
        409:
          $ref: '#/components/responses/409'
        default:
          description: Unexpected error.
      tags:
        - resource
  /v1/resource/{resource_type_name}/policies:
    get:
      summary: List the available policies for this resource type.
      description: List the available policies for this resource type.
      operationId: fusillade.api.resource.resource_type_name.policies.get
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
        - $ref: '#/components/parameters/next_token'
        - $ref: '#/components/parameters/per_page'
      responses:
        200:
          $ref: '#/components/responses/200_paged'
        206:
          $ref: '#/components/responses/206'
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
      tags:
        - resource
  /v1/resource/{resource_type_name}/policy/{policy_name}:
    get:
      summary: Retrieve information about resource policy
      description: Retrieve information about resource policy.
      operationId: fusillade.api.resource.resource_type_name.policy.policy_name.get
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
        - $ref: '#/components/parameters/policy_name'
      tags:
        - resource
      responses:
        200:
          description: The {policy_name} policy for {resource_type_name} returned.
          content:
            application/json:
              schema:
                type: object
                properties:
                  policy:
                    $ref: '#/components/schemas/policy_document'
                  policy_type:
                    $ref: '#/components/schemas/policy_type'
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
    post:
      summary: Add a new resource policy for the specified resource type.
      description: Add a new resource policy. This makes the resource policy available for all resources of that type
        . Once added, the new resource policy can be applied to members by using PUT
        /v1/resource/{resource_type_name}/id/{resource_id}/members
      operationId: fusillade.api.resource.resource_type_name.policy.policy_name.post
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
        - $ref: '#/components/parameters/policy_name'
      requestBody:
        content:
          application/json:
            schema:
              type: object
              required:
                - policy
              properties:
                  policy:
                    $ref: '#/components/schemas/policy_document'
                  policy_type:
                    $ref: '#/components/schemas/policy_type'
      tags:
        - resource
      responses:
        200:
          description: Created the {policy_name} policy for {resource_type_name}.
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        404:
          $ref: '#/components/responses/404'
        409:
          $ref: '#/components/responses/409'
        default:
          description: Unexpected error.
    put:
      summary: Modify an existing resource policy for the specified resource type
      description: Modify an existing resource policy. This will affect all members that use this resource policy to access a {resource_type_name}/{resource_ids}.
      operationId: fusillade.api.resource.resource_type_name.policy.policy_name.put
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
        - $ref: '#/components/parameters/policy_name'
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                policy:
                  $ref: '#/components/schemas/policy_document'
      responses:
        200:
          description: Modified the {policy_name} policy for {resource_type_name}.
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
      tags:
        - resource
    delete:
      summary: Delete an existing resource policy for the specified resource type.
      description: Delete an existing resource policy. This will affect all members that use this resource policy to access a {resource_type_name}/{resource_ids}.
      operationId: fusillade.api.resource.resource_type_name.policy.policy_name.delete
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
        - $ref: '#/components/parameters/policy_name'
      tags:
        - resource
      responses:
        200:
          description: Deleted the {policy_name} policy for {resource_type_name}.
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
  /v1/resource/{resource_type_name}/ids:
    get:
      summary: List ids of all resources matching the specified resource type.
      description: List ids of all resources matching the specified resource type.
      operationId: fusillade.api.resource.resource_type_name.ids.get
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
        - $ref: '#/components/parameters/next_token'
        - $ref: '#/components/parameters/per_page'
      responses:
        200:
          $ref: '#/components/responses/200_paged'
        206:
          $ref: '#/components/responses/206'
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
      tags:
        - resource
  /v1/resource/{resource_type_name}/id/{resource_id}:
    get:
      summary: Check if a resource of type resource_type_name with id resource_id exist.
      description: Check if a resource of type resource_type_name with id resource_id exist.
      operationId: fusillade.api.resource.resource_type_name.id.resource_id.get
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
        - $ref: '#/components/parameters/resource_id'
      responses:
        200:
          description: Resource was found.
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        409:
          $ref: '#/components/responses/409'
        default:
          description: Unexpected error.
      tags:
        - resource
    post:
      summary: Create a new resource.
      description: Create a new resource.
      operationId: fusillade.api.resource.resource_type_name.id.resource_id.post
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
        - $ref: '#/components/parameters/resource_id'
      responses:
        200:
          description: Resource was created.
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        409:
          $ref: '#/components/responses/409'
        default:
          description: Unexpected error.
      tags:
        - resource
    delete:
      summary: Delete a resource.
      description: Delete a resource.
      operationId: fusillade.api.resource.resource_type_name.id.resource_id.delete
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
        - $ref: '#/components/parameters/resource_id'
      responses:
        200:
          description: Resource was deleted.
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
      tags:
        - resource
  /v1/resource/{resource_type_name}/id/{resource_id}/members:
    get:
      summary: List all members that have access to this resource.
      description: List all members that have access to this resource. Members include users, and groups with any
        level of access to this resource.
      operationId: fusillade.api.resource.resource_type_name.id.resource_id.members.get
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
        - $ref: '#/components/parameters/resource_id'
        - $ref: '#/components/parameters/next_token'
        - $ref: '#/components/parameters/per_page'
      responses:
        200:
          $ref: '#/components/responses/200_paged'
        206:
          $ref: '#/components/responses/206'
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        404:
          $ref: '#/components/responses/404'
    put:
      summary: Give a principal access defined by a {resource_policy} to {resource_type_name}/{resource_id}.
      description:  Give a principal access defined by {policy_name} to {resource_type_name}/{resource_id}.
      operationId: fusillade.api.resource.resource_type_name.id.resource_id.members.put
      security:
        - BearerAuth: []
      parameters:
        - $ref: '#/components/parameters/resource_type_name'
        - $ref: '#/components/parameters/resource_id'
      requestBody:
        content:
          application/json:
            schema:
              type: array
              items:
                $ref: '#/components/schemas/resource_member'
              maxItems: 1
              minItems: 1
      responses:
        200:
          description: The {type}/{entity_id} has been added to the policy.
        401:
          $ref: '#/components/responses/401'
        403:
          $ref: '#/components/responses/403'
        404:
          $ref: '#/components/responses/404'
        default:
          description: Unexpected error.
      tags:
        - resource
components:
  parameters:
    user_id:
      name: user_id
      in: path
      required: true
      description: User ID (email).
      schema:
        $ref: '#/components/schemas/custom_identifier'
    role_id:
      name: role_id
      in: path
      description: The name of the role.
      required: true
      schema:
        $ref: '#/components/schemas/custom_identifier'
    group_id:
      name: group_id
      in: path
      description: The name of the group.
      required: true
      schema:
        $ref: '#/components/schemas/custom_identifier'
    resource_type:
      name: resource_type
      in: query
      required: true
      schema:
        $ref: '#/components/schemas/custom_identifier'
    resource_type_name:
      name: resource_type_name
      in: path
      required: true
      description: The name of a type of resources to which a resource policy can be applied.
      schema:
        $ref: '#/components/schemas/custom_identifier'
    resource_id:
      name: resource_id
      in: path
      required: true
      description: The id of the resource.
      schema:
        $ref: '#/components/schemas/custom_identifier'
    action:
      name: action
      in: query
      required: true
      schema:
        type: string
        enum: [add, remove]
    user_status:
      name: status
      in: query
      required: true
      schema:
        $ref: '#/components/schemas/user_status'
    next_token:
      name: next_token
      in: query
      required: false
      schema:
        type: string
    per_page:
      name: per_page
      in: query
      required: false
      schema:
        type: integer
        minimum: 5
        maximum: 30
        default: 15
    policy_name:
      name: policy_name
      in: path
      required: true
      schema:
        type: string
  schemas:
    principal_type:
      type: string
      enum: [user, group]
    paged_results:
      type: array
      items:
        type: string
    policy_type:
      type: string
      enum: ['ResourcePolicy', 'IAMPolicy']
    resource_types:
      description: A list of resource types.
      type: object
      properties:
        resources:
          $ref: '#/components/schemas/paged_results'
    resource_ids:
      description: A list of resource ids from a resource type.
      type: object
      properties:
        resource_ids:
          $ref: '#/components/schemas/paged_results'
        resource_type:
          type: string
    resource_name:
      type: string
      pattern: 'arn:([\w\-\*]+:){2,4}[\w\-\*/]+'
    resource_member:
      type: object
      properties:
        member:
          type: string
        member_type:
          $ref: '#/components/schemas/principal_type'
        access_level:
          type: string
      required:
        - member
        - member_type
      example:
        Add or update access:
          value:
            member: i_am_a_user_name
            member_type: user
            access_level: read
        Remove access:
          value:
            member: i_am_a_user_name
            member_type: user
    policy_action:
      type: string
      pattern: '[A-z]\w*[^\W_]:[A-z]\w*[^\W_]'
    policy_actions:
      type: object
      properties:
        actions:
          type: array
          items:
            $ref: '#/components/schemas/policy_action'
    members:
      type: object
      properties:
        members:
          type: array
          items:
            $ref: '#/components/schemas/resource_member'
    policy_document:
      description: A resource policy, used for controlling access to a resource.
      type: object
      nullable: true
      properties:
        Statements:
          type: array
          items:
            type: object
            properties:
              Sid:
                type: string
              Effect:
                type: string
                enum: ['Allow', 'Deny']
              Actions:
                type: array
                items:
                  $ref: '#/components/schemas/policy_action'
              Resource:
                type: array
                items:
                  $ref: '#/components/schemas/resource_name'
    policies:
      type: array
      items:
        $ref: '#/components/schemas/policy_document'
    groups:
      type: object
      properties:
        groups:
          $ref: '#/components/schemas/paged_results'
    roles:
      type: object
      properties:
        roles:
          $ref: '#/components/schemas/paged_results'
    users:
      type: object
      properties:
        users:
          $ref: '#/components/schemas/paged_results'
    custom_identifier:
      description: Used to identify users, groups, and roles.
      type: string
      minLength: 1
      maxLength: 128
      pattern: '^[0-9a-zA-Z.@_\-$,=]*$'
    user_status:
      type: string
      enum: ['enabled', 'disabled']
    User:
      type: object
      properties:
        user_id:
          $ref: '#/components/schemas/custom_identifier'
        status:
          $ref: '#/components/schemas/user_status'
        policies:
          type: object
          nullable: true
    Group:
      type: object
      properties:
        group_id:
          $ref: '#/components/schemas/custom_identifier'
        policies:
          $ref: '#/components/schemas/policy_document'
        roles:
          type: array
          items:
            $ref: '#/components/schemas/custom_identifier'
        users:
          type: array
          items:
            $ref: '#/components/schemas/custom_identifier'
    Role:
      type: object
      properties:
        role_id:
          $ref: '#/components/schemas/custom_identifier'
        policies:
          $ref: '#/components/schemas/policy_document'
  responses:
    userinfo:
      description: OK
      content:
        application/json:
          schema:
            type: object
            properties:
              sub:
                description: A unique identifier for the user. This is part of the OIDC standard.
                type: string
              email:
                description: The user's email associated with access token.
                type: string
              https://$API_DOMAIN_NAME/app_metadata:
                description: Contains information about what the user has access too.
                type: object
                properties:
                  authorization:
                    type: object
                    properties:
                      role:
                        description: A list of roles the user can use.
                        type: array
                        items:
                          type: string
                      group:
                        description: A list of groups the user is in.
                        type: array
                        items:
                          type: string
                      scope:
                        description: A list of actions the user can perform.
                        type: array
                        items:
                          type: string
    200_paged:
      description: All results have been retrieved.
      content:
        application/json:
          schema:
            anyOf:
              - $ref: '#/components/schemas/groups'
              - $ref: '#/components/schemas/roles'
              - $ref: '#/components/schemas/users'
              - $ref: '#/components/schemas/members'
              - $ref: '#/components/schemas/resource_types'
              - $ref: '#/components/schemas/policies'
              - $ref: '#/components/schemas/resource_ids'
    206:
      description: A single page of results was retrieved.
      headers:
        X-OpenAPI-Pagination:
          schema:
            type: boolean
        X-OpenAPI-Paginated-Content-Key:
          schema:
            type: string
          description: The JSON response body key containing an array of results that are paginated.
        Link:
          description: URL to retrieve the next page of results.
          schema:
            type: string
      content:
        application/json:
          schema:
            anyOf:
              - $ref: '#/components/schemas/groups'
              - $ref: '#/components/schemas/roles'
              - $ref: '#/components/schemas/users'
              - $ref: '#/components/schemas/members'
              - $ref: '#/components/schemas/resource_types'
              - $ref: '#/components/schemas/policies'
              - $ref: '#/components/schemas/resource_ids'
    401:
      description: The users credentials failed to authenticate.
    403:
      description: The user is not authorized because they do not have adequate
        permission to perform the action.
    404:
      description: Resource not found.
    409:
      description: The object already exists.
    Resource_not_empty:
      description: All resource ids must be deleted before the resource type can be deleted.
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      x-bearerInfoFunc: fusillade.utils.security.verify_jwt