@piiano/vault-client

import type { DecryptedObject } from '../models/DecryptedObject'; import type { DecryptionRequest } from '../models/DecryptionRequest'; import type { EncryptedValue } from '../models/EncryptedValue'; import type { EncryptionRequest } from '../models/EncryptionRequest'; import type { EncryptionType } from '../models/EncryptionType'; import type { HashObjectRequest } from '../models/HashObjectRequest'; import type { PropertyName } from '../models/PropertyName'; import type { TokenValue } from '../models/TokenValue'; import type { UpdateEncryptionRequest } from '../models/UpdateEncryptionRequest'; import type { CancelablePromise } from '../core/CancelablePromise'; import type { BaseHttpRequest } from '../core/BaseHttpRequest'; export declare class CryptoClient { readonly httpRequest: BaseHttpRequest; constructor(httpRequest: BaseHttpRequest); /** * Encrypt * Creates ciphertext that includes the values of an object's properties. Supports bulk operations. * * You can encrypt: * * 1. Objects stored in Vault by providing their ID. * 2. Fields not stored in Vault by providing a map of their properties and property values. However, fields must conform to the collection schema specified in the request. * 3. Ciphertext. This enables you to create a ciphertext including a subset of another ciphertext's properties or with a different encryption type or scope. To update the property values, use the [update encrypted](/api/operations/update-encrypted) operation. * * :bulb: For brevity, this guide uses the term `object` to refer to the content being encrypted. * * If any request details are invalid, none of the objects are encrypted. * * You can generate ciphertext for the encrypted object with a random initialization vector (randomized) or based on the collection name, input object, and scope (deterministic). * * Using `props`, you can request that the ciphertext include a subset of the collection schema's properties. However, if a property isn't present in the object or the property value is null, it is not included in the encrypted ciphertext. Also, if you want to include built-in properties, you must include them in `props`. * * The role performing this operation must have both of these: * * - The `CapCryptoEncrypter` capability. * - At least one allowing policy and no denying policies for the `encrypt` operation for each of the collection properties specified in the call. * * See [identity and access management](/data-security/identity-and-access-management) for more information about how Vault uses capabilities to control access to operations and policies to control access to data. * * @returns EncryptedValue The request is successful. * @throws ApiError */ encrypt({ collection, requestBody, expirationSecs, adhocReason, reason, customAudit, reloadCache, xTenantId, additionalHeaders, }: { collection: string; /** * Details of the encryption request. */ requestBody: Array<EncryptionRequest>; /** * Encrypted object expiration time in seconds. If not set, the default expiration time is used. See the `PVAULT_EXPIRATION_TOKENS` variable. If set to an empty value, the encrypted will be marked to not expire. */ expirationSecs?: string; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; /** * List of tenant IDs to enforce on the request. */ xTenantId?: Array<string>; additionalHeaders?: Record<string, string>; }): CancelablePromise<Array<EncryptedValue>>; /** * Update ciphertext and metadata * Returns ciphertext that includes property values from another ciphertext. Supports bulk operations. * * This enables the creation of encrypted ciphertext without exposing encrypted property values to the user. * * The returned ciphertext can have different encryption type, scope, properties, or property values to the source ciphertext. Any property values in the source ciphertext not updated in the request are preserved in the new ciphertext as long as they are included in `props`. * * For example, if the source ciphertext contains `first_name`, `last_name`, and `telephone_number` and `props` specifies `[first_name, last_name]`, then `telephone_number` isn't included in the new encrypted ciphertext. * * The request must include the scope used to encrypt the source ciphertext. * * If any request details are invalid, no ciphertexts are created. * * The role performing this operation must have both of these: * * - The `CapCryptoDecrypter` and `CapCryptoEncrypter` capabilities. * - At least one allowing policy and no denying policies for the `decrypt` and `encrypt` operations for each of the collection properties specified in the call. * * See [identity and access management](/data-security/identity-and-access-management) for more information about how Vault uses capabilities to control access to operations and policies to control access to data. * * @returns EncryptedValue The request is successful. * @throws ApiError */ updateEncrypted({ collection, requestBody, options, expirationSecs, adhocReason, reason, customAudit, reloadCache, xTenantId, additionalHeaders, }: { collection: string; /** * Details of the update encrypted object request. * The request includes the encrypted object to update and the property values to update the encrypted object with. * */ requestBody: Array<UpdateEncryptionRequest>; /** * Options for the request. * - `archived` - whether to update only archived encrypted objects. If not specified, update only active encrypted objects. * */ options?: Array<'archived'>; /** * Encrypted object expiration time in seconds. If not set, the default expiration time is used. See the `PVAULT_EXPIRATION_TOKENS` variable. */ expirationSecs?: string; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; /** * List of tenant IDs to enforce on the request. */ xTenantId?: Array<string>; additionalHeaders?: Record<string, string>; }): CancelablePromise<Array<EncryptedValue>>; /** * Decrypt * Decrypts ciphertext. Supports bulk operations. * * To decrypt ciphertext, the request must include the scope used when the ciphertext was encrypted. By default, only ciphertext considered active is decrypted. Ciphertext is considered active when its metadata `expiration` property is for the current or a future date. If `options` is set to `archived`, the ciphertext is only decrypted if its metadata `expiration` property is for a date in the past. * * By default, all property values from the ciphertext are returned. Use `props` to return a subset of the encrypted property values. * * If any request details are invalid, none of the ciphertexts are decrypted. * * The role performing this operation must have both of these: * * - The `CapCryptoDecrypter` capability. * - At least one allowing policy and no denying policies for the `decrypt` operation for each of the collection properties specified in the call. * * See [identity and access management](/data-security/identity-and-access-management) for more information about how Vault uses capabilities to control access to operations and policies to control access to data. * * @returns DecryptedObject The request is successful. * @throws ApiError */ decrypt({ collection, requestBody, options, adhocReason, reason, customAudit, reloadCache, xTenantId, additionalHeaders, }: { collection: string; /** * Details of the decryption request. */ requestBody: Array<DecryptionRequest>; /** * Options for the operation. Options include: * - `archived` – whether to decrypt only archived objects. If not specified, decrypts only active objects. * - `include_metadata` - show the encrypted object metadata. * */ options?: Array<'archived' | 'include_metadata'>; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; /** * List of tenant IDs to enforce on the request. */ xTenantId?: Array<string>; additionalHeaders?: Record<string, string>; }): CancelablePromise<Array<DecryptedObject>>; /** * Encrypt blob * Creates ciphertext for the value of a BLOB type property. * * Receives a query parameter, `prop`, containing the name of a BLOB type property, and raw bytes (not a JSON object) in the request body. The ciphertext is returned in the response body as raw bytes (application/octet-stream`). * * See [Encrypt](/api/operations/encrypt) for more information about the encryption process and request parameters. * @returns binary The request is successful. * @throws ApiError */ encryptBlob({ collection, prop, requestBody, expirationSecs, adhocReason, reason, customAudit, reloadCache, type, scope, tags, additionalHeaders, }: { collection: string; prop: PropertyName; /** * Details of the encryption request. */ requestBody: Blob; /** * Encrypted object expiration time in seconds. If not set, the default expiration time is used. See the `PVAULT_EXPIRATION_TOKENS` variable. If set to an empty value, the encrypted ciphertext blob does not expire. */ expirationSecs?: string; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; type?: EncryptionType; /** * A classification for the encrypted object that is added to the ciphertext as associated data (AAD). * An object encrypted with a scope can be decrypted only with the same scope. * */ scope?: string; /** * Comma-separated list of tags to attach to the metadata of the encrypted object. * The maximum number of allowed tags is defined by the [`PVAULT_DB_MAX_TOKEN_TAGS` environment variable](/guides/configure/environment-variables#database) (default 10). * Tags are not supported for the `deterministic` encryption type. * */ tags?: string; additionalHeaders?: Record<string, string>; }): CancelablePromise<Blob>; /** * Decrypt blob * Decrypts ciphertext and returns the plaintext as raw bytes (`application/octet-stream`) not a JSON object. * * See [Decrypt](/api/operations/decrypt) for more information about the decryption process and request parameters. * @returns binary The request is successful. * @throws ApiError */ decryptBlob({ collection, prop, requestBody, options, adhocReason, reason, customAudit, reloadCache, scope, additionalHeaders, }: { collection: string; prop: PropertyName; /** * Details of the decryption request. */ requestBody: Blob; /** * Options for the operation. Options include: * - `archived` – whether to decrypt only archived objects. If not specified, decrypts only active objects. * */ options?: Array<'archived'>; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; /** * A classification for the encrypted object that is added to the ciphertext as associated data (AAD). * An object encrypted with a scope can be decrypted only with the same scope. * */ scope?: string; additionalHeaders?: Record<string, string>; }): CancelablePromise<Blob>; /** * Create hash * Creates a deterministic hash based on an object's property values, collection, and scope. Supports bulk operations. * * This operation is similar to using the [tokenize](/api/operations/tokenize) operation for a token of type `deterministic`. The hash value is identical to the token ID generated for the same combination of collection, object, property values, and scope. However, unlike the token, this hash is not stored in Vault's storage and, as such, cannot be detokenized, searched, or invalidated. * * The role performing this operation must have both of these: * * - The `CapCryptoHasher` capability. * - At least one allowing policy and no denying policies for the `hash` operation for each of the collection properties specified in the call. * * See [identity and access management](/data-security/identity-and-access-management) for more information about how Vault uses capabilities to control access to operations and policies to control access to data. * `` * @returns TokenValue The request is successful. * @throws ApiError */ hashObjects({ collection, requestBody, adhocReason, reason, customAudit, reloadCache, additionalHeaders, }: { collection: string; /** * Details of the hashing request. */ requestBody: Array<HashObjectRequest>; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; additionalHeaders?: Record<string, string>; }): CancelablePromise<Array<TokenValue>>; } //# sourceMappingURL=CryptoClient.d.ts.map