proto/auditlogs/v0/auditlogs.proto (114 lines of code) (raw):

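// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

// Package v1 provides the protocol buffer definitions for the AuditLogs API.
//
// NOTE(review): the package is `AuditLogs.v1` and the go_package path ends in
// `proto/audits/v1`, while this listing is labelled `proto/auditlogs/v0/`.
// Changing the package or go_package on a published API breaks generated code
// and type URLs, so both are left as they are; confirm the intended path
// before publishing.
package AuditLogs.v1;

import "google/api/annotations.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";

option go_package = "github.com/GoogleCloudPlatform/healthcare-federated-access-services/proto/audits/v1";

// AuditLogs service: read access to recorded audit log entries.
service AuditLogs {
  // Lists the audit logs recorded for a user.
  //
  // Audit logs reveal who accessed what and from where. This schema does not
  // express any authorization; the server implementing this RPC must verify
  // that the caller may read logs for the requested `user_id`, and must cap
  // `page_size` rather than honouring arbitrarily large values.
  rpc ListAuditLogs(ListAuditLogsRequest) returns (ListAuditLogsResponse) {
    option (google.api.http) = {
      get: "/v1/auditlogs"
    };
  }
}

// An AuditLog records a request for access. It contains the following
// information:
// - Where: the name of the service that made the decision.
// - What: the requested Action (e.g. read/write/...) and
//   the Resource (e.g. a GCS bucket, a resource at an endpoint).
// - When: the time the decision was made.
// - Who: the identity and authentication information for the requester.
// - Decision: the authorization decision, and the reason for it.
// - Metadata: the request, response, status code, tracing id, etc.
//
// Entries are typically retained long-term and read by people other than the
// original requester, so fields must never carry credentials (bearer tokens,
// cookies, API keys); see the notes on the token_* and http_request fields.
message AuditLog {
  // Field number 18 is not assigned below. Reserve it so it cannot be given to
  // a new field later: if older writers ever emitted 18 with another meaning,
  // reusing the number would silently reinterpret their data.
  reserved 18;

  /*
   * Shared fields for any type of log
   */

  // Name of the audit log.
  // Format: `users/{user_id}/logs/{log_id}`.
  string name = 1;

  // Type of log entry: REQUEST (an access log, see the "access log" fields
  // below) or POLICY (a policy log, see the "policy log" fields below).
  // Note: `type` is a keyword in several target languages, so generated
  // accessors may be renamed; the field name is kept for JSON compatibility.
  LogType type = 2;

  // ServiceName is the name of the service which made the decision.
  string service_name = 3;

  // ServiceType is the type of the service which made the decision.
  string service_type = 4;

  // TokenID is the identifier of the token presented with the request
  // (typically the JWT `jti` claim). Only the identifier belongs here; the
  // token itself is a bearer credential and must never be written to the log.
  string token_id = 5;

  // TokenSubject is the `sub` claim of the token.
  string token_subject = 6;

  // TokenIssuer is the `iss` claim of the token.
  string token_issuer = 7;

  // Decision is the outcome of the auth check: PASS when the request passed,
  // FAIL when it was denied.
  Decision decision = 8;

  // ErrorType classifies a deny decision.
  // TODO: consider making this an enum.
  string error_type = 9;

  // The reason for the deny decision.
  string reason = 10;

  // Time at which the decision was made.
  google.protobuf.Timestamp time = 11;

  // ResourceName is the name of the resource that was the target of the
  // operation.
  string resource_name = 12;

  /*
   * Fields for access log
   */

  // MethodName is the name of the service method or operation.
  string method_name = 13;

  // TracingID is the id of the request as assigned by proxies.
  string tracing_id = 14;

  // Requester's IP address as seen by the service. This is personal data;
  // it is subject to the same retention and access controls as the rest of
  // the entry.
  string caller_ip = 15;

  // HTTP response status code.
  int64 http_response_code = 16;

  // HTTP request details. This is an untyped Struct, so nothing in the schema
  // limits what is stored: the writer must strip credentials (Authorization
  // and Cookie headers, tokens or keys in query strings) and other secrets
  // before populating it.
  google.protobuf.Struct http_request = 17;

  /*
   * Fields for policy log
   */

  // TTL that the user requested for the access.
  google.protobuf.Duration ttl = 19;

  // CartId of the request.
  string cart_id = 20;

  // ConfigRevision is the revision of the configuration the request was
  // evaluated against.
  string config_revision = 21;
}

// Decision is the result of an auth check.
//
// The values are unprefixed (PASS rather than DECISION_PASS). Renaming them
// would break JSON and generated code on a published API, so they are kept;
// readers should treat unknown values as UNSPECIFIED rather than as PASS.
enum Decision {
  // Default/unset value; never a real decision.
  UNSPECIFIED = 0;
  // The request passed the auth check.
  PASS = 1;
  // The request was denied.
  FAIL = 2;
}

// LogType is the type of log.
//
// Values are unprefixed for the same compatibility reason as Decision.
enum LogType {
  // Default/unset value.
  NONE = 0;
  // An access log entry.
  REQUEST = 1;
  // A policy log entry.
  POLICY = 2;
}

// Request for ListAuditLogs.
message ListAuditLogsRequest {
  // The user whose logs are listed. The server must check that the caller is
  // allowed to read this user's logs; this field is caller-supplied input.
  string user_id = 1;

  // Filter expression; its syntax is defined by the server, not this schema.
  string filter = 2;

  // Maximum number of entries to return. The server should impose its own
  // upper bound regardless of the requested value.
  int32 page_size = 3;

  // Token from a previous ListAuditLogsResponse.next_page_token.
  string page_token = 4;
}

// Response for ListAuditLogs.
message ListAuditLogsResponse {
  // The matching audit log entries.
  repeated AuditLog audit_logs = 1;

  // Token to pass as page_token to retrieve the next page; empty when there
  // are no more results.
  string next_page_token = 2;
}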