Merge pull request #77 from vpetersson/main

Tweak OpenAPI specs and workflows

Author: madpah

.gitignore

@@ -1,2 +1,3 @@
 .idea/
-out/*
+out/*
+.DS_Store

api-flow/consumer.md

@@ -1,7 +1,7 @@
 # Transparency Exchange API: Consumer access
 
 
-The consumer access starts with a TEI, A transparency Exchange Identifier. This is used to find the API server as 
+The consumer access starts with a TEI, A transparency Exchange Identifier. This is used to find the API server as
 described in the [discovery document](/discovery/readme.md).
 
 ## API usage
@@ -27,25 +27,26 @@ sequenceDiagram
     autonumber
     actor user
     participant discovery as TEA Discovery with TEI
-    box LightGrey TEA API service
-    participant teaindex as TEA Index
-    end
-   
-  
+
+    participant tea_product as TEA Product
+    participant tea_leaf as TEA Leaf
+    participant tea_collection as TEA Collection
+    participant tea_artifact as TEA Artefact
+
 
     user ->> discovery: Discovery using DNS
     discovery ->> user: List of API servers
 
-    user ->> teaindex: Finding all product parts
-    teaindex ->> user: List of product parts
-    create participant tealeaf as TEA Leaf Index
-    user ->> tealeaf: Finding all versions of a part
-    tealeaf ->> user: List of all available versions (paginated)
-    create  participant teacoll as TEA Collection
-    user ->> teacoll: Finding all artefacts for version in scope
-    teacoll ->> user: List of artefacts and formats available for each artefact
-    create participant artefact as Artefact
-    user ->> artefact: Download artefact
+    user ->> tea_product: Finding all product parts
+    tea_product ->> user: List of product parts
+
+    user ->> tea_leaf: Finding all versions of a part
+    tea_leaf ->> user: List of all available versions (paginated)
+
+    user ->> tea_collection: Finding all artefacts for version in scope
+    tea_collection ->> user: List of artefacts and formats available for each artefact
+
+    user ->> tea_artifact: Download artefact
 
 
 

api-flow/publisher.md

@@ -1,96 +1,61 @@
 # Overview of the TEA API from a producer standpoint
 
-* Note: Suggestion, input for the group
-
+## Bootstrapping
 
 ```mermaid
-sequenceDiagram
-    participant Vendor
-    participant TEA_API
-    participant TEA_Index
-    participant Product_Repository
-    participant SBOM_Generator
-    participant VEX_Generator
-    participant VDR_Generator
-    participant Consumer
-
-    Vendor->>Product_Repository: Create new product version
-    Product_Repository-->>Vendor: Product version created
-
-    Vendor->>TEA_API: POST /collection (Create new collection with FIRST_MENTION lifecycle event)
-    TEA_API->>TEA_Index: Update index with new collection
-    TEA_API-->>Vendor: Collection created (UUID)
-
-    Vendor->>TEA_API: POST /product (Create new TEA Product with TEI)
-    TEA_API->>TEA_Index: Update index with new product
-    TEA_API-->>Vendor: Product created (TEI)
-
-    Vendor->>TEA_API: POST /leaf (Create new leaf for product version)
-    TEA_API->>TEA_Index: Update index with new leaf
-    TEA_API-->>Vendor: Leaf created (UUID)
-
-    Vendor->>SBOM_Generator: Generate SBOM for new version (including TEI)
-    SBOM_Generator-->>Vendor: CycloneDX SBOM (signed)
-    SBOM_Generator-->>Vendor: SPDX SBOM (signed)
-
-    Vendor->>TEA_API: POST /artifact (Add CycloneDX SBOM)
-    TEA_API->>TEA_Index: Update index with new artifact
-    TEA_API-->>Vendor: CycloneDX artifact added
-
-    Vendor->>TEA_API: POST /artifact (Add SPDX SBOM)
-    TEA_API->>TEA_Index: Update index with new artifact
-    TEA_API-->>Vendor: SPDX artifact added
 
-    Note over Vendor,VEX_Generator: CVE discovered in SBOM dependency graph
-
-    Vendor->>VEX_Generator: Generate VEX document (triage state)
-    VEX_Generator-->>Vendor: CycloneDX VEX (signed, with bom-link)
-
-    Vendor->>TEA_API: POST /artifact (Add CycloneDX VEX as independent artifact)
-    TEA_API->>TEA_Index: Update index with new artifact
-    TEA_API-->>Vendor: CycloneDX VEX artifact added
-
-    Note over Vendor,TEA_API: Time passes, product enters beta testing
+sequenceDiagram
+    autonumber
+    actor Vendor
+    participant tea_product as TEA Product
+    participant tea_leaf as TEA Leaf
+    participant tea_collection as TEA Collection
 
-    Vendor->>TEA_API: PUT /collection/{UUID} (Update collection with BETA_TESTING lifecycle event)
-    TEA_API->>TEA_Index: Update index with lifecycle change
-    TEA_API-->>Vendor: Collection updated
+    Vendor ->> tea_product: POST to /v1/product to create new product
+    tea_product -->> Vendor: Product is created and TEA Product Identifier (PI) returned
 
-    Note over Vendor,TEA_API: Product reaches General Availability
+    Vendor ->> tea_leaf: POST to /v1/leaf with the TEA PI and leaf version as the payload
+    tea_leaf ->> Vendor: Leaf is created and a TEA Leaf ID is returned
 
-    Vendor->>TEA_API: PUT /collection/{UUID} (Update collection with GENERAL_AVAILABILITY lifecycle event)
-    TEA_API->>TEA_Index: Update index with lifecycle change
-    TEA_API-->>Vendor: Collection updated
+    Vendor ->> tea_collection: POST to /v1/collection with the TEA Leaf ID as the and the artifact as payload
+    tea_collection ->> Vendor: Collection is created with the collection ID returned
 
-    Note over Vendor,VDR_Generator: Security researcher reports a new vulnerability
+```
 
-    Vendor->>VDR_Generator: Generate VDR for reported vulnerability
-    VDR_Generator-->>Vendor: CycloneDX VDR (signed, with bom-link)
+## Release life cycle
 
-    Vendor->>TEA_API: POST /artifact (Add CycloneDX VDR as independent artifact)
-    TEA_API->>TEA_Index: Update index with new artifact
-    TEA_API-->>Vendor: CycloneDX VDR artifact added
+```mermaid
+sequenceDiagram
+    autonumber
+    actor Vendor
+    participant tea_product as TEA Product
+    participant tea_leaf as TEA Leaf
+    participant tea_collection as TEA Collection
 
-    Note over Vendor,VEX_Generator: Vulnerability status changes (e.g., patch available)
+    Note over Vendor,tea_leaf: Create new release
 
-    Vendor->>VEX_Generator: Generate new VEX document
-    VEX_Generator-->>Vendor: New CycloneDX VEX (signed, with bom-link)
+    Vendor ->> tea_leaf: POST to /v1/leaf with the TEA PI and leaf version as the payload
+    tea_leaf ->> Vendor: Leaf is created and a TEA Leaf ID is returned
 
-    Vendor->>TEA_API: POST /artifact (Add new CycloneDX VEX as independent artifact)
-    TEA_API->>TEA_Index: Update index with new artifact
-    TEA_API-->>Vendor: New CycloneDX VEX artifact added
+    Note over Vendor,TEA Leaf: Add an artifact (e.g. SBOM)
+    Vendor ->> tea_collection: POST to /v1/collection with the TEA Leaf ID as the and the artifact as payload
+    tea_collection ->> Vendor: Collection is created with the collection ID returned
 
-    Note over Consumer,TEA_API: Consumer performs a search
+```
 
-    Consumer->>TEA_API: GET /search (Search for products or collections)
-    TEA_API->>TEA_Index: Query index
-    TEA_Index-->>TEA_API: Search results
-    TEA_API-->>Consumer: Return search results
+## Adding a new artifact
 
-    Note over Vendor,TEA_API: Product reaches End of Life
+```mermaid
+sequenceDiagram
+    autonumber
+    actor Vendor
+    participant tea_product as TEA Product
+    participant tea_leaf as TEA Leaf
+    participant tea_collection as TEA Collection
 
-    Vendor->>TEA_API: PUT /collection/{UUID} (Update collection with END_OF_LIFE lifecycle event)
-    TEA_API->>TEA_Index: Update index with lifecycle change
-    TEA_API-->>Vendor: Collection updated
+    Vendor ->> tea_leaf: GET to /v1/leaf with the TEA PI to get the latest version
+    tea_leaf ->> Vendor: Leaf will be returned
 
+    Vendor ->> tea_collection: POST to /v1/collection with the TEA Leaf ID as the and the artifact as payload
+    tea_collection ->> Vendor: Collection is created with the collection ID returned
 ```

spec/README.md

@@ -8,6 +8,23 @@ The OpenAPI 3.1 specification for the Transparency Exchange API is available in
 
 We use the OpenAPI Generator with configuration per language/framework in the `generators` folder. An example is:
 
+```bash
+docker run \
+    --rm \
+    -v "$(PWD):/local" \
+    openapitools/openapi-generator-cli \
+    batch --clean /local/spec/generators/typescript.yaml
 ```
-docker run --rm -v "$(PWD):/local" openapitools/openapi-generator-cli batch --clean /local/spec/generators/typescript.yaml
-```
+
+## Preview Specs
+
+Fire up the `swagger-ui` with Docker from the root of the repository:
+
+```bash
+docker run \
+    -p 8080:8080 \
+    -e SWAGGER_JSON=/koala/spec/openapi.json \
+    -v $(pwd):/koala swaggerapi/swagger-ui
+```
+
+And browse to [http://localhost:8080](http://localhost:8080).