// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
// Package common defines messages shared between the IC and DAM servers.
package common;
import "google/protobuf/timestamp.proto";
option go_package = "github.com/GoogleCloudPlatform/healthcare-federated-access-services/proto/common/v1";
// Descriptor describes a configurable value: a UI label and description plus
// the constraints its value must satisfy. The constraints (regexp, min, max,
// default_value) are carried as strings; how they are interpreted presumably
// depends on `type`, which this file does not define — confirm with the
// consumer.
message Descriptor {
  // Short human-readable label.
  string label = 1;
  // Longer human-readable description.
  string description = 2;
  // Validation pattern for the value. NOTE(review): this arrives as data, so
  // the code that compiles it should treat it as untrusted (pattern size /
  // complexity) — confirm where it is validated.
  string regexp = 3;
  // Type name of the value; the set of valid names is not defined here.
  string type = 4;
  // True when the value is a list rather than a single item.
  bool is_list = 5;
  // Allowed values when the value is an enumeration.
  repeated string enum_values = 6;
  // Lower bound, as a string (format not specified here).
  string min = 7;
  // Upper bound, as a string (format not specified here).
  string max = 8;
  // Value used when none is supplied, as a string.
  string default_value = 9;
}
// Condition is a single predicate used by ConditionSet. Its field names
// mirror the `type`, `source`, `value` and `by` fields of Assertion below;
// the matching rules themselves are not defined in this file.
message Condition {
  // Presumably matched against Assertion.type — confirm with the policy engine.
  string type = 1;
  // Presumably matched against Assertion.source.
  string source = 2;
  // Presumably matched against Assertion.value.
  string value = 3;
  // Presumably matched against Assertion.by.
  string by = 4;
}
// ConditionSet is a conjunction: it holds only when every Condition in
// `all_of` holds. Assertion.any_of_conditions OR-s several of these
// together (see the comment there).
message ConditionSet {
  // Every Condition listed here must be satisfied.
  repeated Condition all_of = 1;
}
// Assertion is a single claim about a subject (e.g. a GA4GH visa assertion,
// see Passport.ga4gh_assertions), optionally guarded by conditions.
message Assertion {
  // Kind of assertion; the vocabulary is not defined in this file.
  string type = 1;
  // Where the assertion comes from.
  string source = 2;
  // The asserted value.
  string value = 3;
  // Duration since the assertion was made, as a string. Format is not
  // specified here.
  string asserted_duration = 4;
  // Duration until the assertion expires, as a string. Format is not
  // specified here.
  string expires_duration = 5;
  // Disjunction of Conjunctions (OR of ANDs).
  // If at least one of these ConditionSets evaluates to true, then the
  // conditions on this assertion have been met.
  repeated ConditionSet any_of_conditions = 6;
  // Party that made the assertion.
  string by = 7;
  // When the assertion was made. NOTE(review): presumably Unix epoch seconds
  // (the name pairs with the JWT-style `exp` below) — confirm.
  int64 asserted = 8;
  // When the assertion expires. NOTE(review): presumably Unix epoch seconds —
  // confirm; a new Timestamp field would be clearer, but changing the type
  // of this field number would be a wire break.
  int64 exp = 9;
}
// VisaRejection is filled in by a policy engine to understand why a visa was
// rejected. Visas unrelated to the policy are not considered rejected unless
// they are not trusted.
message VisaRejection {
  // Short reason code or phrase for the rejection.
  string reason = 1;
  // Name of the visa field the rejection refers to (presumably an Assertion
  // field name — confirm with the policy engine).
  string field = 2;
  // Human-readable explanation of the rejection.
  string description = 3;
}
// RejectedVisa provides insight into why a policy engine is not making use of
// visas that are present within the passport.
message RejectedVisa {
  // Format of the token the visa was carried in.
  string token_format = 1;
  // Issuer of the visa.
  string issuer = 2;
  // Subject the visa is about.
  string subject = 3;
  // The assertion carried by the rejected visa.
  Assertion assertion = 4;
  // Why the visa was rejected.
  VisaRejection rejection = 5;
}
// RejectedPolicy provides insight into why a policy engine is rejecting a
// passport for a visa.
message RejectedPolicy {
  // Number of rejections. NOTE(review): whether this always equals
  // len(rejected_visas) or may exceed it (truncated list) is not stated here.
  int32 rejections = 1;
  // The visas that were rejected and why.
  repeated RejectedVisa rejected_visas = 2;
  // Policy statements the decision was based on.
  repeated string policy_basis = 3;
  // Resource the passport was evaluated against.
  string requested_resource = 4;
  // Human-readable summary of the rejection.
  string message = 5;
}
// Passport is the set of claims and visa assertions presented for a subject.
message Passport {
  // Claims keyed by claim name.
  map<string, string> standard_claims = 1;
  // GA4GH visa assertions carried by the passport.
  repeated Assertion ga4gh_assertions = 2;
  // Encrypted visas for internal use; opaque bytes here, format not defined
  // in this file. Field number 11 is intentionally out of sequence with 1–3;
  // do not renumber it.
  repeated bytes internal_encrypted_visas = 11;
  // Additional scopes, as a single string.
  string extra_scopes = 3;
}
// TestPersona is a synthetic identity used for testing: a passport plus the
// access it is expected to have.
message TestPersona {
  // The persona's passport.
  Passport passport = 1;
  // Access entries the persona is expected to have; format not defined here.
  repeated string access = 2;
  // UI metadata keyed by name.
  map<string, string> ui = 3;
}
// Permissions is a versioned map from user to the roles granted to them.
message Permissions {
  // PermissionUser holds the roles of one user.
  message PermissionUser {
    // Role name to int64 value; the meaning of the value (presumably an
    // expiry or timestamp) is not stated in this file — confirm.
    map<string, int64> roles = 1;
  }
  // Schema version of this record.
  string version = 1;
  // Revision number, incremented on change.
  int64 revision = 2;
  // Commit time as a double. Unit is not stated here (presumably seconds
  // since the epoch, as in HistoryEntry.commit_time) — confirm. A Timestamp
  // would be preferable for a new field; changing this one is a wire break.
  double commit_time = 3;
  // Permissions keyed by user identifier.
  map<string, PermissionUser> users = 4;
}
// LoginState records states for login and login callback.
message LoginState {
  // Step Of login flow.
  // NOTE(review): LOGIN is the zero value, so an unset `step` reads as LOGIN,
  // and the values carry no LOGIN_STATE_STEP_ prefix. Renaming them now would
  // break generated code and JSON, so callers should set `step` explicitly
  // rather than rely on the default.
  enum Step {
    LOGIN = 0;
    CONSENT = 1;
  }
  // Current step of the flow.
  Step step = 1;
  // Identity provider used for the login.
  string provider = 2;
  // Realm the login belongs to.
  string realm = 3;
  // Challenge for the login step (presumably the OAuth/OIDC login challenge
  // issued by the authorization server — confirm).
  string login_challenge = 4;
  // Subject being logged in.
  string subject = 5;
  // Requested scope, as a single string.
  string scope = 6;
  // Hint about which account to use.
  string login_hint = 7;
  // Challenge for the consent step.
  string consent_challenge = 8;
  // Intended audiences of the resulting token.
  repeated string audience = 9;
  // Display name of the requesting client.
  string client_name = 10;
}
// TokenMetadata describes a token without carrying the token itself.
message TokenMetadata {
  // Name identifying the token.
  string name = 1;
  // Issue time, as a string. Format is not specified here.
  string issued_at = 2;
  // Expiry time, as a string. Format is not specified here.
  string expires = 3;
}
// CliState records the state of a command-line login flow.
//
// NOTE(review): this message carries credentials in clear text (`secret`,
// `access_token`, `refresh_token`) next to the `encrypted_*` fields. Confirm
// how persisted copies are protected, and that these fields are redacted
// wherever the message is logged or returned to a client.
message CliState {
  // Identifier of this state record.
  string id = 1;
  // Email of the user logging in.
  string email = 2;
  // OAuth client identifier.
  string client_id = 3;
  // Requested scope, as a single string.
  string scope = 4;
  // URL the user is sent to for authorization.
  string auth_url = 5;
  // When this record was created.
  google.protobuf.Timestamp created_at = 6;
  // When this record expires.
  google.protobuf.Timestamp expires_at = 7;
  // Nonce for the flow (presumably the OIDC nonce parameter — confirm).
  string nonce = 8;
  // Encrypted client secret; encryption scheme not defined in this file.
  bytes encrypted_secret = 9;
  // Encrypted authorization code; encryption scheme not defined in this file.
  bytes encrypted_code = 10;
  // Client secret in clear text. Sensitive.
  string secret = 11;
  // Access token in clear text. Sensitive.
  string access_token = 12;
  // Refresh token in clear text. Sensitive.
  string refresh_token = 13;
  // State parameter of the flow (presumably the OAuth state value — confirm).
  string state = 14;
  // When the user accepted the flow.
  google.protobuf.Timestamp accepted_at = 15;
  // User profile attributes keyed by name.
  map<string, string> user_profile = 16;
}
// HistoryEntry is one audit record of a change.
message HistoryEntry {
  // Revision number the change produced.
  int64 revision = 1;
  // User who made the change.
  string user = 2;
  // Commit time as a double. Unit is not stated here (presumably seconds
  // since the epoch) — confirm.
  double commit_time = 3;
  // Path of the changed item.
  string path = 4;
  // Query associated with the change.
  string query = 5;
  // Human-readable description of the change.
  string desc = 6;
  // Method used to make the change (presumably the HTTP method — confirm).
  string method = 7;
  // Kind of change; vocabulary not defined here.
  string change_type = 8;
  // Value before the change, as a string.
  string original_value = 9;
  // The change request itself, as a string.
  string change_request = 10;
}
// History is a page of HistoryEntry records.
message History {
  // Entries on this page.
  repeated HistoryEntry history = 1;
  // Token to fetch the next page; presumably empty when there is none —
  // confirm with the server.
  string next_page_token = 2;
}
///////////////////////////////////////////////////
// oidc
// OidcConfig mirrors an OIDC discovery document. The json_name options pin
// each field to the discovery document's key (note auth_endpoint maps to
// "authorization_endpoint"), so renaming a field here is JSON-safe only if
// the json_name is kept.
message OidcConfig {
  // Issuer identifier.
  string issuer = 1 [json_name = "issuer"];
  // URL of the JSON Web Key Set.
  string jwks_uri = 2 [json_name = "jwks_uri"];
  // Authorization endpoint URL.
  string auth_endpoint = 3 [json_name = "authorization_endpoint"];
  // Supported response types.
  repeated string response_types_supported = 4
      [json_name = "response_types_supported"];
  // Token endpoint URL.
  string token_endpoint = 5 [json_name = "token_endpoint"];
  // Revocation endpoint URL. Field number 8 is out of sequence on purpose;
  // do not renumber.
  string revocation_endpoint = 8 [json_name = "revocation_endpoint"];
  // UserInfo endpoint URL.
  string userinfo_endpoint = 6 [json_name = "userinfo_endpoint"];
  // Supported scopes.
  repeated string scopes_supported = 7 [json_name = "scopes_supported"];
}
// OidcTokenResponse mirrors an OAuth/OIDC token endpoint response, extended
// with `scope`, `uid` and `info`.
//
// NOTE(review): the `(datapol.semantic_type)` option on the credential fields
// is not brought in by any import in this file (only
// google/protobuf/timestamp.proto is imported) — confirm it resolves in the
// build. `id_token` also carries identity claims but has no such annotation;
// confirm whether it should.
message OidcTokenResponse {
  // Info holds basic profile attributes returned with the token.
  message Info {
    // Display name.
    string name = 1;
    // Email address.
    string email = 2;
  }
  // Access token. Sensitive credential.
  string access_token = 1 [
    json_name = "access_token",
    (datapol.semantic_type) = ST_ACCOUNT_CREDENTIAL
  ];
  // Token type (e.g. "Bearer" per the OAuth spec — not constrained here).
  string token_type = 2 [json_name = "token_type"];
  // Lifetime of the access token; the OAuth response encodes this in seconds,
  // but the unit is not stated in this file.
  int32 expires_in = 3 [json_name = "expires_in"];
  // Refresh token. Sensitive credential.
  string refresh_token = 4 [
    json_name = "refresh_token",
    (datapol.semantic_type) = ST_ACCOUNT_CREDENTIAL
  ];
  // ID token carrying identity claims.
  string id_token = 5 [json_name = "id_token"];
  // Granted scope, as a single string.
  string scope = 6;
  // User identifier.
  string uid = 7;
  // Profile attributes for the user.
  Info info = 8;
}