proto/dam/v1/dam_service.proto (431 lines of code) (raw):
// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
// Package dam provides protocol buffer versions of the DAM API, allowing
// end points to receive requests and returns responses using these messages.
package dam.v1;
import "proto/common/v1/common.proto"; /* copybara-comment */
import "proto/common/v1/oauthclient.proto"; /* copybara-comment */
import "proto/process/v1/process.proto"; /* copybara-comment */
option go_package = "github.com/GoogleCloudPlatform/healthcare-federated-access-services/proto/dam/v1";
message DamConfig {
string version = 1;
int64 revision = 2;
double commit_time = 3;
map<string, TrustedIssuer> trusted_issuers = 4;
map<string, TrustedSource> trusted_sources = 5;
map<string, Policy> policies = 6;
map<string, Resource> resources = 7;
map<string, common.Client> clients = 8;
map<string, ServiceTemplate> service_templates = 9;
map<string, VisaType> visa_types = 10;
map<string, common.TestPersona> test_personas = 11;
ConfigOptions options = 12;
map<string, string> ui = 13;
}
message TrustedIssuer {
string issuer = 1;
string translate_using = 2;
string client_id = 3;
string auth_url = 4;
string token_url = 5;
map<string, string> ui = 6;
}
message TrustedSource {
repeated string sources = 1;
repeated string visa_types = 2;
map<string, string> ui = 3;
}
message Policy {
repeated common.ConditionSet any_of = 1;
map<string, VariableFormat> variable_definitions = 2;
map<string, string> ui = 3;
}
message View {
message Item {
map<string, string> args = 1;
map<string, string> labels = 2;
}
string service_template = 1;
map<string, string> labels = 2;
repeated string content_types = 3;
map<string, ViewRole> roles = 4;
string default_role = 5;
repeated Item items = 6;
map<string, string> ui = 7;
// Computed fields.
map<string, Interface> computed_interfaces = 8 [json_name = "interfaces"];
}
message Interface {
repeated string uri = 1;
map<string, string> labels = 2;
}
message Resource {
string umbrella = 1;
map<string, View> views = 2;
repeated string clients = 3;
string max_token_ttl = 4;
map<string, string> ui = 5;
}
message ServiceTemplate {
string service_name = 1;
map<string, string> interfaces = 2;
map<string, ServiceRole> service_roles = 3 [json_name = "roles"];
map<string, string> ui = 4;
}
message ServiceRole {
message ServiceArg {
repeated string values = 2;
}
map<string, ServiceArg> service_args = 1;
repeated string dam_role_categories = 2;
map<string, string> ui = 3;
}
message ViewRole {
message ViewPolicy {
string name = 1;
map<string, string> args = 2;
}
repeated ViewPolicy policies = 1;
repeated string computed_role_categories = 2 [json_name = "roleCategories"];
map<string, bool> computed_policy_basis = 3 [json_name = "policyBasis"];
}
message ConfigOptions {
bool read_only_master_realm = 1;
string gcp_managed_keys_max_requested_ttl = 3;
int32 gcp_managed_keys_per_account = 4;
string gcp_service_account_project = 5;
map<string, common.Descriptor> computed_descriptors = 6
[json_name = "descriptors"];
string gcp_iam_billing_project = 7;
int32 aws_managed_keys_per_iam_user = 8;
}
message VisaType {
map<string, string> ui = 2;
}
message ServiceDescriptor {
message Properties {
bool is_aggregate = 1;
bool can_be_aggregated = 2;
bool single_item = 3;
}
string platform = 1;
map<string, VariableFormat> service_variables = 2;
map<string, VariableFormat> item_variables = 3;
Properties properties = 4;
map<string, string> ui = 6;
}
message VariableFormat {
string regexp = 1;
bool optional = 2;
map<string, string> ui = 3;
string type = 4;
// A variable marked with `experimental` will only be available when the
// experimental flag is set to true. Otherwise any configuration usage of an
// experimental variable in a non-experimental environment will invalidate
// the configuration.
bool experimental = 5;
}
message Realm {}
message PassportTranslator {
repeated string compatible_issuers = 1;
map<string, string> ui = 2;
}
///////////////////////////////////////////////////
message GetInfoRequest {}
message GetInfoResponse {
string name = 1;
repeated string versions = 2;
int64 start_time = 3;
repeated string modules = 4;
map<string, string> ui = 5;
}
message RealmRequest {
Realm item = 1;
}
message RealmResponse {}
message GetResourcesRequest {
string filter = 1;
string include = 2;
}
message GetResourcesResponse {
map<string, Resource> resources = 1;
}
message GetFlatViewsRequest {}
message GetFlatViewsResponse {
message FlatView {
string resource_path = 1;
string umbrella = 2;
string resource_name = 3;
string view_name = 4;
string role_name = 5;
string interface_name = 6;
string interface_uri = 7;
string content_type = 8;
map<string, string> labels = 9;
string service_name = 10;
string platform = 11;
string platform_service = 12;
string max_token_ttl = 13;
map<string, string> resource_ui = 14;
map<string, string> view_ui = 15;
map<string, string> role_ui = 16;
repeated string role_categories = 17;
}
map<string, FlatView> views = 1;
}
message GetResourceRequest {}
message GetResourceResponse {
Resource resource = 1;
repeated string access = 2;
}
message GetViewsRequest {}
message GetViewsResponse {
map<string, View> views = 1;
repeated string access = 2;
}
message GetViewRequest {}
message GetViewResponse {
View view = 1;
repeated string access = 2;
}
message GetViewRolesRequest {}
message GetViewRolesResponse {
map<string, ViewRole> roles = 1;
repeated string access = 2;
}
message GetViewRoleRequest {}
message GetViewRoleResponse {
ViewRole role = 1;
repeated string access = 2;
}
message GetTokenRequest {
string return = 1;
string data_use = 2;
string ttl = 3;
}
message GetTestResultsRequest {}
message GetTestResultsResponse {
message RejectedVisa {
string reason = 1;
string field = 2;
string description = 3;
string visa_type = 4;
string source = 5;
string value = 6;
string by = 7;
}
message TestResult {
string name = 1;
string result = 2;
repeated string access = 3;
map<string, string> no_access = 4;
repeated RejectedVisa rejected_visas = 5;
string error = 6;
}
string version = 1;
int64 revision = 2;
double timestamp = 3;
map<string, common.TestPersona> personas = 4;
repeated TestResult test_results = 5;
ConfigModification modification = 6;
int32 executed = 7;
int32 passed = 8;
string error = 9;
}
message ServicesRequest {}
message ServicesResponse {
map<string, ServiceDescriptor> services = 1;
}
message PassportTranslatorsRequest {}
message PassportTranslatorsResponse {
map<string, PassportTranslator> passport_translators = 1;
}
message DamRoleCategoriesRequest {}
message RoleCategory {
int32 order = 1;
map<string, string> ui = 2;
}
message DamRoleCategoriesResponse {
map<string, RoleCategory> dam_role_categories = 1;
}
message GetTestPersonasRequest {}
message GetTestPersonasResponse {
map<string, common.TestPersona> personas = 1;
map<string, string> standard_claims = 2;
}
message BackgroundProcessesRequest {}
message BackgroundProcessesResponse {
map<string, process.Process> processes = 1;
}
message BackgroundProcessRequest {}
message BackgroundProcessResponse {
process.Process process = 1;
}
message TokensRequest {}
message TokensResponse {
repeated common.TokenMetadata tokens = 1;
}
message TokenRequest {}
message TokenResponse {
common.TokenMetadata token = 1;
}
////////////////////////////////////////////////
message ConfigModification {
message PersonaModification {
repeated string access = 1;
repeated string add_access = 2;
repeated string remove_access = 3;
}
int64 revision = 1;
map<string, PersonaModification> test_personas = 2;
bool dry_run = 3;
}
// ConfigResponse is a common response message across all config changes
message ConfigResponse {}
////////////////////////////////////////////////
message ConfigRequest {
DamConfig item = 1;
ConfigModification modification = 2;
}
message ConfigResourceRequest {
Resource item = 1;
ConfigModification modification = 2;
}
message ConfigViewRequest {
View item = 1;
ConfigModification modification = 2;
}
message ConfigTrustedIssuerRequest {
TrustedIssuer item = 1;
// client_secret is write only field.
string client_secret = 3;
ConfigModification modification = 2;
}
message ConfigTrustedSourceRequest {
TrustedSource item = 1;
ConfigModification modification = 2;
}
message ConfigPolicyRequest {
Policy item = 1;
ConfigModification modification = 2;
}
message ConfigOptionsRequest {
ConfigOptions item = 1;
ConfigModification modification = 2;
}
message ConfigVisaTypeRequest {
VisaType item = 1;
ConfigModification modification = 2;
}
message ConfigServiceTemplateRequest {
ServiceTemplate item = 1;
ConfigModification modification = 2;
}
message ConfigTestPersonaRequest {
common.TestPersona item = 1;
ConfigModification modification = 2;
}
message ResourceTokenRequestState {
enum TokenType {
UNSPECIFIED = 0;
DATASET = 1;
ENDPOINT = 2;
}
TokenType type = 12;
message Resource {
string realm = 1;
string resource = 2;
string view = 3;
string role = 4;
string interface = 5;
string url = 6;
}
repeated Resource resources = 1;
string client_id = 2;
string state = 3 [deprecated = true];
string broker = 4;
string redirect = 5 [deprecated = true];
int64 ttl = 6;
bool response_key_file = 7;
string login_challenge = 8;
string issuer = 9;
string subject = 10;
int64 epoch_seconds = 11;
string realm = 13;
repeated string identities = 14;
repeated string requested_audience = 15;
repeated string requested_scope = 16;
string consent_challenge = 17;
string client_name = 18;
}
message AuthCode {
string client_id = 1 [deprecated = true];
string state = 2;
int64 epoch_seconds = 3;
}
// ResourceResults is the output from a ResourceTokens request.
message ResourceResults {
// ResourceDescriptor contains metadata about resource, not specific to the
// user's request execept for an "access" key to link how to access the
// resource.
message ResourceDescriptor {
// Maps an interface name (example: "http:gcp:gs") to metadata about the
// resource.
map<string, InterfaceEntry> interfaces = 1;
// Returns the access key into ResourceResults.Access map for how to access
// this resource.
string access = 2;
// A list of DAM Role Categories related to the access level that has been
// granted.
repeated string permissions = 3;
}
// A map placeholder to store a list of ResourceInterface items.
message InterfaceEntry {
// Metadata about the resource item, including a URI to the resource item.
// A single resource can be consisted of multiple resource items.
repeated ResourceInterface items = 1;
}
// ResourceInterface contains metadata about a resource's interface, such as
// what bucket the data lives in by URL.
message ResourceInterface {
// An identifier or locator for the resource.
string uri = 1;
// A map of metadata key/value pairs about the resource, taken from the view
// and item config.
map<string, string> labels = 2;
}
// ResourceAccess contains access tokens or other user-specific or
// request-specific results.
message ResourceAccess {
// Maps of credentials. Example: {"account": "user1@example.com",
// "access_token": "ya..."}.
map<string, string> credentials = 1;
// A map of metadata key/value pairs about the resource, taken from the view
// and item config.
map<string, string> labels = 2;
// Based on the OIDC /token response spec, this is the number of seconds
// until access expires.
uint32 expires_in = 3 [json_name = "expires_in"];
}
// Maps a key (fully-qualified resource/view/role/interface URL) to
// descriptors.
map<string, ResourceDescriptor> resources = 1;
// Maps an access key name from the resource descriptor to access information
// for the user.
map<string, ResourceAccess> access = 2;
// Time of the request to map OIDC "expires_in" or other credential info to a
// time-of-request value.
uint32 epoch_seconds = 3;
}