// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
// Package dam provides protocol buffer versions of the DAM API, allowing
// endpoints to receive requests and return responses using these messages.
package dam.v1;
import "proto/common/v1/common.proto"; /* copybara-comment */
import "proto/common/v1/oauthclient.proto"; /* copybara-comment */
import "proto/process/v1/process.proto"; /* copybara-comment */
option go_package = "github.com/GoogleCloudPlatform/healthcare-federated-access-services/proto/dam/v1";
// DamConfig is the top-level DAM configuration document. It carries a
// version and revision plus string-keyed maps of every configurable entity
// type, and the global ConfigOptions.
message DamConfig {
  // Version string of the configuration format/content.
  string version = 1;
  // Revision number of this configuration (compare
  // ConfigModification.revision, which is carried on config change requests).
  int64 revision = 2;
  // Time the configuration was committed.
  // NOTE(review): stored as a double rather than google.protobuf.Timestamp;
  // the unit (seconds? fractional?) is not stated in this file — confirm
  // against the writer before relying on it.
  double commit_time = 3;
  // Trusted issuers, keyed by a config-local name.
  map<string, TrustedIssuer> trusted_issuers = 4;
  // Trusted visa sources, keyed by a config-local name.
  map<string, TrustedSource> trusted_sources = 5;
  // Access policies, keyed by policy name.
  map<string, Policy> policies = 6;
  // Resources, keyed by resource name.
  map<string, Resource> resources = 7;
  // OAuth clients (type from the imported `common` package), keyed by name.
  map<string, common.Client> clients = 8;
  // Service templates, keyed by template name.
  map<string, ServiceTemplate> service_templates = 9;
  // Visa types, keyed by type name.
  map<string, VisaType> visa_types = 10;
  // Test personas (type from the imported `common` package), keyed by name.
  map<string, common.TestPersona> test_personas = 11;
  // Global options for this configuration.
  ConfigOptions options = 12;
  // Free-form UI key/value strings for the whole configuration.
  map<string, string> ui = 13;
}
// TrustedIssuer describes a token issuer that DAM is configured to trust.
// Note that the OAuth client secret is deliberately not part of this message:
// it is supplied write-only via ConfigTrustedIssuerRequest.client_secret and
// is therefore never read back through DamConfig.
message TrustedIssuer {
  // Issuer identifier (presumably the `iss` value of tokens it mints; confirm).
  string issuer = 1;
  // Name of the translator to apply to this issuer's tokens
  // (see PassportTranslator; presumably a key into PassportTranslatorsResponse
  // — confirm).
  string translate_using = 2;
  // OAuth client id DAM uses with this issuer.
  string client_id = 3;
  // Authorization endpoint URL.
  string auth_url = 4;
  // Token endpoint URL.
  string token_url = 5;
  // Free-form UI key/value strings.
  map<string, string> ui = 6;
}
// TrustedSource lists visa sources that DAM trusts, and which visa types may
// be accepted from them.
message TrustedSource {
  // Source identifiers that are trusted.
  repeated string sources = 1;
  // Visa types accepted from these sources (presumably keys into
  // DamConfig.visa_types — confirm).
  repeated string visa_types = 2;
  // Free-form UI key/value strings.
  map<string, string> ui = 3;
}
// Policy is an access policy expressed as condition sets plus the variables a
// view may bind when referencing the policy (see ViewRole.ViewPolicy.args).
message Policy {
  // Condition sets (type from the imported `common` package). The name
  // suggests the policy is satisfied when any one set matches — confirm
  // against the evaluator.
  repeated common.ConditionSet any_of = 1;
  // Variables the policy accepts, keyed by variable name, with their format
  // constraints.
  map<string, VariableFormat> variable_definitions = 2;
  // Free-form UI key/value strings.
  map<string, string> ui = 3;
}
// View is one way of exposing a Resource: it binds a service template, the
// roles available on it, and the concrete items (e.g. locations) it covers.
message View {
  // Item is a single element of the view, described by template arguments and
  // labels.
  message Item {
    // Arguments substituted into the service template for this item.
    map<string, string> args = 1;
    // Free-form metadata labels for this item.
    map<string, string> labels = 2;
  }
  // Name of the service template used by this view (presumably a key into
  // DamConfig.service_templates — confirm).
  string service_template = 1;
  // Free-form metadata labels for the view.
  map<string, string> labels = 2;
  // Content types offered by the view.
  repeated string content_types = 3;
  // Roles available on this view, keyed by role name.
  map<string, ViewRole> roles = 4;
  // Role name used when the caller does not specify one.
  string default_role = 5;
  // Items covered by this view.
  repeated Item items = 6;
  // Free-form UI key/value strings.
  map<string, string> ui = 7;
  // Computed fields.
  // Derived by the server rather than supplied in config; serialized under
  // the JSON key "interfaces".
  map<string, Interface> computed_interfaces = 8 [json_name = "interfaces"];
}
// Interface is a computed access interface on a view: a list of URIs plus
// labels.
message Interface {
  // URIs through which the view's items can be reached.
  repeated string uri = 1;
  // Free-form metadata labels.
  map<string, string> labels = 2;
}
// Resource is a configured data resource and the views through which it can
// be accessed.
message Resource {
  // Umbrella (grouping) name this resource belongs to.
  string umbrella = 1;
  // Views of this resource, keyed by view name.
  map<string, View> views = 2;
  // Clients allowed to request this resource (presumably keys into
  // DamConfig.clients — confirm).
  repeated string clients = 3;
  // Maximum token lifetime for this resource. Stored as a string; the format
  // (e.g. a duration literal) is not stated in this file — confirm.
  string max_token_ttl = 4;
  // Free-form UI key/value strings.
  map<string, string> ui = 5;
}
// ServiceTemplate describes how a backend service exposes data: its interface
// URI templates and the roles it supports.
message ServiceTemplate {
  // Name of the underlying service (presumably a key into
  // ServicesResponse.services — confirm).
  string service_name = 1;
  // Interface name to URI template, keyed by interface name.
  map<string, string> interfaces = 2;
  // Roles the service supports, keyed by role name; serialized under the
  // JSON key "roles".
  map<string, ServiceRole> service_roles = 3 [json_name = "roles"];
  // Free-form UI key/value strings.
  map<string, string> ui = 4;
}
// ServiceRole is a role within a ServiceTemplate: its service-specific
// arguments and the DAM role categories it maps to.
message ServiceRole {
  // ServiceArg is a list of values for one service argument.
  message ServiceArg {
    // NOTE(review): field number 1 is unassigned in this message. If it was
    // ever used, declare it `reserved 1;` so the number is not reused with a
    // different meaning.
    repeated string values = 2;
  }
  // Service-specific arguments, keyed by argument name.
  map<string, ServiceArg> service_args = 1;
  // DAM role categories granted by this role (presumably keys into
  // DamRoleCategoriesResponse.dam_role_categories — confirm).
  repeated string dam_role_categories = 2;
  // Free-form UI key/value strings.
  map<string, string> ui = 3;
}
// ViewRole is a role on a View, gated by one or more policies.
message ViewRole {
  // ViewPolicy references a Policy by name and binds its variables.
  message ViewPolicy {
    // Policy name (presumably a key into DamConfig.policies — confirm).
    string name = 1;
    // Values for the policy's variable_definitions, keyed by variable name.
    map<string, string> args = 2;
  }
  // Policies that must be satisfied for this role.
  repeated ViewPolicy policies = 1;
  // Server-derived role categories (the `computed_` prefix follows the
  // "Computed fields" convention used in View); JSON key "roleCategories".
  repeated string computed_role_categories = 2 [json_name = "roleCategories"];
  // Server-derived policy basis flags keyed by name; JSON key "policyBasis".
  map<string, bool> computed_policy_basis = 3 [json_name = "policyBasis"];
}
// ConfigOptions holds global settings for a DamConfig, mostly around managed
// cloud credentials.
message ConfigOptions {
  // When true, the master realm's configuration cannot be modified.
  bool read_only_master_realm = 1;
  // NOTE(review): field number 2 is unassigned. If it was ever used, declare
  // it `reserved 2;` so it cannot be reused with a different meaning.
  // Upper bound on the TTL a caller may request for GCP managed keys. Stored
  // as a string; format not stated in this file — confirm.
  string gcp_managed_keys_max_requested_ttl = 3;
  // Maximum number of managed keys kept per GCP service account.
  int32 gcp_managed_keys_per_account = 4;
  // GCP project in which service accounts are created.
  string gcp_service_account_project = 5;
  // Server-derived descriptors (type from the imported `common` package),
  // keyed by name; JSON key "descriptors".
  map<string, common.Descriptor> computed_descriptors = 6
      [json_name = "descriptors"];
  // GCP project billed for IAM operations.
  string gcp_iam_billing_project = 7;
  // Maximum number of managed keys kept per AWS IAM user.
  int32 aws_managed_keys_per_iam_user = 8;
}
// VisaType describes a visa type known to DAM. Only UI metadata is carried
// here; the type's name is the key in DamConfig.visa_types.
message VisaType {
  // NOTE(review): field number 1 is unassigned. If it was ever used, declare
  // it `reserved 1;` so it cannot be reused with a different meaning.
  // Free-form UI key/value strings.
  map<string, string> ui = 2;
}
// ServiceDescriptor describes a backend service type that service templates
// can target, including the variables it accepts.
message ServiceDescriptor {
  // Properties are capability flags of the service.
  message Properties {
    // True if the service is itself an aggregate of other items.
    bool is_aggregate = 1;
    // True if this service may be included in an aggregate.
    bool can_be_aggregated = 2;
    // True if the service exposes exactly one item.
    bool single_item = 3;
  }
  // Platform the service runs on.
  string platform = 1;
  // Service-level variables, keyed by name, with their format constraints.
  map<string, VariableFormat> service_variables = 2;
  // Per-item variables, keyed by name, with their format constraints.
  map<string, VariableFormat> item_variables = 3;
  // Capability flags for the service.
  Properties properties = 4;
  // NOTE(review): field number 5 is unassigned. If it was ever used, declare
  // it `reserved 5;` so it cannot be reused with a different meaning.
  // Free-form UI key/value strings.
  map<string, string> ui = 6;
}
// VariableFormat constrains a configurable variable (see
// Policy.variable_definitions and ServiceDescriptor.*_variables).
message VariableFormat {
  // Regular expression the variable's value must match.
  string regexp = 1;
  // True if the variable may be omitted.
  bool optional = 2;
  // Free-form UI key/value strings.
  map<string, string> ui = 3;
  // Variable type name. NOTE(review): `type` is a keyword in some target
  // languages, so generated accessors may be mangled.
  string type = 4;
  // A variable marked with `experimental` will only be available when the
  // experimental flag is set to true. Otherwise any configuration usage of an
  // experimental variable in a non-experimental environment will invalidate
  // the configuration.
  bool experimental = 5;
}
// Realm is a placeholder for a realm; it currently carries no fields.
message Realm {}
// PassportTranslator describes a translator that converts an issuer's tokens
// into DAM's passport format (see TrustedIssuer.translate_using).
message PassportTranslator {
  // Issuers this translator can handle.
  repeated string compatible_issuers = 1;
  // Free-form UI key/value strings.
  map<string, string> ui = 2;
}
///////////////////////////////////////////////////
// GetInfoRequest requests service information; it has no body fields.
message GetInfoRequest {}
// GetInfoResponse describes the running DAM service.
message GetInfoResponse {
  // Service name.
  string name = 1;
  // API versions the service supports.
  repeated string versions = 2;
  // Service start time. Unit is not stated in this file (the name suggests
  // epoch seconds; confirm).
  int64 start_time = 3;
  // Modules enabled in this service.
  repeated string modules = 4;
  // Free-form UI key/value strings.
  map<string, string> ui = 5;
}
// RealmRequest carries a Realm for realm operations.
message RealmRequest {
  // The realm being created or updated.
  Realm item = 1;
}
// RealmResponse is the (currently empty) response to a RealmRequest.
message RealmResponse {}
// GetResourcesRequest lists resources, optionally filtered.
message GetResourcesRequest {
  // Filter expression; syntax is not stated in this file — confirm.
  string filter = 1;
  // Additional data to include in the response; accepted values are not
  // stated in this file — confirm.
  string include = 2;
}
// GetResourcesResponse returns resources keyed by resource name.
message GetResourcesResponse {
  // Matching resources, keyed by name.
  map<string, Resource> resources = 1;
}
// GetFlatViewsRequest requests the denormalized view listing; no body fields.
message GetFlatViewsRequest {}
// GetFlatViewsResponse returns one denormalized row per
// resource/view/role/interface combination.
message GetFlatViewsResponse {
  // FlatView is a single denormalized row joining resource, view, role and
  // interface attributes.
  message FlatView {
    // Path identifying the resource.
    string resource_path = 1;
    // Umbrella the resource belongs to (see Resource.umbrella).
    string umbrella = 2;
    // Resource name.
    string resource_name = 3;
    // View name.
    string view_name = 4;
    // Role name.
    string role_name = 5;
    // Interface name.
    string interface_name = 6;
    // URI of the interface.
    string interface_uri = 7;
    // Content type offered.
    string content_type = 8;
    // Free-form metadata labels.
    map<string, string> labels = 9;
    // Service name (see ServiceTemplate.service_name).
    string service_name = 10;
    // Platform of the service (see ServiceDescriptor.platform).
    string platform = 11;
    // Platform-specific service identifier.
    string platform_service = 12;
    // Maximum token lifetime (see Resource.max_token_ttl).
    string max_token_ttl = 13;
    // UI strings from the resource.
    map<string, string> resource_ui = 14;
    // UI strings from the view.
    map<string, string> view_ui = 15;
    // UI strings from the role.
    map<string, string> role_ui = 16;
    // Role categories granted by the role.
    repeated string role_categories = 17;
  }
  // Rows keyed by a composite name; key format is not stated in this file.
  map<string, FlatView> views = 1;
}
// GetResourceRequest fetches a single resource; the resource identifier is
// not carried in the body (presumably in the RPC path — confirm).
message GetResourceRequest {}
// GetResourceResponse returns one resource and the caller's access to it.
message GetResourceResponse {
  // The requested resource.
  Resource resource = 1;
  // Access entries available to the caller; entry format is not stated here.
  repeated string access = 2;
}
// GetViewsRequest lists views of a resource; no body fields.
message GetViewsRequest {}
// GetViewsResponse returns views keyed by view name plus the caller's access.
message GetViewsResponse {
  // Views, keyed by view name.
  map<string, View> views = 1;
  // Access entries available to the caller; entry format is not stated here.
  repeated string access = 2;
}
// GetViewRequest fetches a single view; no body fields.
message GetViewRequest {}
// GetViewResponse returns one view plus the caller's access.
message GetViewResponse {
  // The requested view.
  View view = 1;
  // Access entries available to the caller; entry format is not stated here.
  repeated string access = 2;
}
// GetViewRolesRequest lists roles of a view; no body fields.
message GetViewRolesRequest {}
// GetViewRolesResponse returns roles keyed by role name plus the caller's
// access.
message GetViewRolesResponse {
  // Roles, keyed by role name.
  map<string, ViewRole> roles = 1;
  // Access entries available to the caller; entry format is not stated here.
  repeated string access = 2;
}
// GetViewRoleRequest fetches a single role of a view; no body fields.
message GetViewRoleRequest {}
// GetViewRoleResponse returns one role plus the caller's access.
message GetViewRoleResponse {
  // The requested role.
  ViewRole role = 1;
  // Access entries available to the caller; entry format is not stated here.
  repeated string access = 2;
}
// GetTokenRequest asks DAM for an access token.
message GetTokenRequest {
  // NOTE(review): `return` is a reserved word in most target languages, so
  // generated accessors are mangled or need reflection-style access. Renaming
  // would break JSON and generated code, so it stays as is. The name suggests
  // a return/redirect location (confirm); if so, the server must validate it
  // against an allowlist before redirecting to it.
  string return = 1;
  // Intended data use for the token.
  string data_use = 2;
  // Requested token lifetime. Stored as a string; format not stated in this
  // file — confirm. Bounded by Resource.max_token_ttl, presumably.
  string ttl = 3;
}
// GetTestResultsRequest requests config test results; no body fields.
message GetTestResultsRequest {}
// GetTestResultsResponse reports the outcome of running the configured test
// personas against the configuration.
message GetTestResultsResponse {
  // RejectedVisa explains why one visa of a persona was rejected.
  message RejectedVisa {
    // Rejection reason code.
    string reason = 1;
    // Visa field the rejection concerns.
    string field = 2;
    // Human-readable description.
    string description = 3;
    // Type of the rejected visa.
    string visa_type = 4;
    // Source of the rejected visa.
    string source = 5;
    // Value of the rejected visa.
    string value = 6;
    // The "by" claim of the rejected visa.
    string by = 7;
  }
  // TestResult is the outcome for one persona.
  message TestResult {
    // Persona name.
    string name = 1;
    // Overall result; allowed values are not stated in this file.
    string result = 2;
    // Access entries the persona was granted.
    repeated string access = 3;
    // Access entries the persona was denied, keyed by entry, with a reason.
    map<string, string> no_access = 4;
    // Visas rejected while evaluating this persona.
    repeated RejectedVisa rejected_visas = 5;
    // Error encountered for this persona, if any.
    string error = 6;
  }
  // Configuration version tested (see DamConfig.version).
  string version = 1;
  // Configuration revision tested (see DamConfig.revision).
  int64 revision = 2;
  // Time of the test run. NOTE(review): double rather than Timestamp; unit
  // not stated in this file — confirm.
  double timestamp = 3;
  // Personas that were evaluated, keyed by name.
  map<string, common.TestPersona> personas = 4;
  // Per-persona results.
  repeated TestResult test_results = 5;
  // Modification applied (or dry-run) when producing these results.
  ConfigModification modification = 6;
  // Number of tests executed.
  int32 executed = 7;
  // Number of tests that passed.
  int32 passed = 8;
  // Error for the run as a whole, if any.
  string error = 9;
}
// ServicesRequest lists available service descriptors; no body fields.
message ServicesRequest {}
// ServicesResponse returns service descriptors keyed by service name.
message ServicesResponse {
  // Service descriptors, keyed by service name.
  map<string, ServiceDescriptor> services = 1;
}
// PassportTranslatorsRequest lists available translators; no body fields.
message PassportTranslatorsRequest {}
// PassportTranslatorsResponse returns translators keyed by translator name
// (the names referenced by TrustedIssuer.translate_using, presumably).
message PassportTranslatorsResponse {
  // Translators, keyed by name.
  map<string, PassportTranslator> passport_translators = 1;
}
// DamRoleCategoriesRequest lists the DAM role categories; no body fields.
message DamRoleCategoriesRequest {}
// RoleCategory describes one DAM role category (referenced by name from
// ServiceRole.dam_role_categories).
message RoleCategory {
  // Display/sort order of the category.
  int32 order = 1;
  // Free-form UI key/value strings.
  map<string, string> ui = 2;
}
// DamRoleCategoriesResponse returns role categories keyed by category name.
message DamRoleCategoriesResponse {
  // Role categories, keyed by name.
  map<string, RoleCategory> dam_role_categories = 1;
}
// GetTestPersonasRequest lists the configured test personas; no body fields.
message GetTestPersonasRequest {}
// GetTestPersonasResponse returns the test personas and the standard claims
// available to them.
message GetTestPersonasResponse {
  // Test personas (type from the imported `common` package), keyed by name.
  map<string, common.TestPersona> personas = 1;
  // Standard claim names to values/descriptions; exact semantics are not
  // stated in this file.
  map<string, string> standard_claims = 2;
}
// BackgroundProcessesRequest lists background processes; no body fields.
message BackgroundProcessesRequest {}
// BackgroundProcessesResponse returns background processes keyed by name.
message BackgroundProcessesResponse {
  // Processes (type from the imported `process` package), keyed by name.
  map<string, process.Process> processes = 1;
}
// BackgroundProcessRequest fetches one background process; no body fields.
message BackgroundProcessRequest {}
// BackgroundProcessResponse returns a single background process.
message BackgroundProcessResponse {
  // The requested process (type from the imported `process` package).
  process.Process process = 1;
}
// TokensRequest lists token metadata; no body fields.
message TokensRequest {}
// TokensResponse returns metadata about issued tokens.
message TokensResponse {
  // Token metadata entries (type from the imported `common` package).
  repeated common.TokenMetadata tokens = 1;
}
// TokenRequest fetches metadata for one token; no body fields.
message TokenRequest {}
// TokenResponse returns metadata about a single token.
message TokenResponse {
  // Token metadata (type from the imported `common` package).
  common.TokenMetadata token = 1;
}
////////////////////////////////////////////////
// ConfigModification accompanies every config change request (see the
// Config*Request messages): it pins the expected revision, adjusts test
// persona expectations, and can request a dry run.
message ConfigModification {
  // PersonaModification adjusts the expected access list of one test persona.
  message PersonaModification {
    // Full replacement access list.
    repeated string access = 1;
    // Entries to add to the persona's access list.
    repeated string add_access = 2;
    // Entries to remove from the persona's access list.
    repeated string remove_access = 3;
  }
  // Configuration revision the change is based on (see DamConfig.revision).
  // Presumably used for optimistic concurrency — confirm.
  int64 revision = 1;
  // Test persona adjustments, keyed by persona name.
  map<string, PersonaModification> test_personas = 2;
  // When true, validate/test the change without committing it.
  bool dry_run = 3;
}
// ConfigResponse is a common response message across all config changes.
// It currently carries no fields.
message ConfigResponse {}
////////////////////////////////////////////////
// ConfigRequest replaces the whole DamConfig.
message ConfigRequest {
  // The full configuration to apply.
  DamConfig item = 1;
  // Revision check, persona adjustments and dry-run flag for this change.
  ConfigModification modification = 2;
}
// ConfigResourceRequest creates or updates one Resource.
message ConfigResourceRequest {
  // The resource to apply.
  Resource item = 1;
  // Revision check, persona adjustments and dry-run flag for this change.
  ConfigModification modification = 2;
}
// ConfigViewRequest creates or updates one View.
message ConfigViewRequest {
  // The view to apply.
  View item = 1;
  // Revision check, persona adjustments and dry-run flag for this change.
  ConfigModification modification = 2;
}
// ConfigTrustedIssuerRequest creates or updates one TrustedIssuer. Unlike the
// other Config*Request messages it also carries the issuer's OAuth client
// secret, which is accepted here but is not part of TrustedIssuer itself.
message ConfigTrustedIssuerRequest {
  // The issuer to apply.
  TrustedIssuer item = 1;
  // client_secret is write only field.
  // NOTE(review): because TrustedIssuer has no secret field, a read-back of
  // the config cannot expose it; handlers must likewise keep it out of logs,
  // error messages and the `ui` maps. Declared out of numeric order (field 3
  // before field 2); the wire uses numbers, so this is cosmetic.
  string client_secret = 3;
  // Revision check, persona adjustments and dry-run flag for this change.
  ConfigModification modification = 2;
}
// ConfigTrustedSourceRequest creates or updates one TrustedSource.
message ConfigTrustedSourceRequest {
  // The trusted source to apply.
  TrustedSource item = 1;
  // Revision check, persona adjustments and dry-run flag for this change.
  ConfigModification modification = 2;
}
// ConfigPolicyRequest creates or updates one Policy.
message ConfigPolicyRequest {
  // The policy to apply.
  Policy item = 1;
  // Revision check, persona adjustments and dry-run flag for this change.
  ConfigModification modification = 2;
}
// ConfigOptionsRequest replaces the global ConfigOptions.
message ConfigOptionsRequest {
  // The options to apply.
  ConfigOptions item = 1;
  // Revision check, persona adjustments and dry-run flag for this change.
  ConfigModification modification = 2;
}
// ConfigVisaTypeRequest creates or updates one VisaType.
message ConfigVisaTypeRequest {
  // The visa type to apply.
  VisaType item = 1;
  // Revision check, persona adjustments and dry-run flag for this change.
  ConfigModification modification = 2;
}
// ConfigServiceTemplateRequest creates or updates one ServiceTemplate.
message ConfigServiceTemplateRequest {
  // The service template to apply.
  ServiceTemplate item = 1;
  // Revision check, persona adjustments and dry-run flag for this change.
  ConfigModification modification = 2;
}
// ConfigTestPersonaRequest creates or updates one test persona.
message ConfigTestPersonaRequest {
  // The test persona to apply (type from the imported `common` package).
  common.TestPersona item = 1;
  // Revision check, persona adjustments and dry-run flag for this change.
  ConfigModification modification = 2;
}
// ResourceTokenRequestState appears to be server-side state kept across a
// resource token authorization flow: the requested resources, the client and
// broker involved, login/consent challenges and the resolved identity
// (confirm against the handlers). It holds caller identifiers and challenge
// values, so treat it as sensitive at rest.
message ResourceTokenRequestState {
  // TokenType is the kind of token being requested.
  // NOTE(review): the values are not prefixed with the enum name (e.g.
  // TOKEN_TYPE_DATASET). Enum values share the enclosing scope, so any sibling
  // enum in this message using the same names would collide. Renaming now
  // would break JSON and generated code, so this is documentation only.
  enum TokenType {
    // Zero value; means "not set".
    UNSPECIFIED = 0;
    // Token for a dataset.
    DATASET = 1;
    // Token for an endpoint.
    ENDPOINT = 2;
  }
  // Kind of token requested.
  TokenType type = 12;
  // Resource identifies one requested resource/view/role/interface.
  // NOTE(review): this nested name shadows the top-level `Resource` message
  // inside ResourceTokenRequestState; the `resources` field below refers to
  // this nested type.
  message Resource {
    // Realm of the resource.
    string realm = 1;
    // Resource name.
    string resource = 2;
    // View name.
    string view = 3;
    // Role name.
    string role = 4;
    // Interface name. NOTE(review): `interface` is a keyword in some target
    // languages, so generated accessors may be mangled.
    string interface = 5;
    // URL of the resource.
    string url = 6;
  }
  // Resources requested in this flow.
  repeated Resource resources = 1;
  // OAuth client id of the requester.
  string client_id = 2;
  // Deprecated; no replacement is named in this file — confirm whether any
  // reader still consumes it.
  string state = 3 [deprecated = true];
  // Identity broker involved in the flow.
  string broker = 4;
  // Deprecated; no replacement is named in this file. If it is still read
  // anywhere, the value must not be used as a redirect target without
  // validation.
  string redirect = 5 [deprecated = true];
  // Requested token lifetime; unit not stated in this file — confirm.
  int64 ttl = 6;
  // True if the response should be delivered as a key file.
  bool response_key_file = 7;
  // Login challenge from the broker.
  string login_challenge = 8;
  // Issuer of the caller's identity.
  string issuer = 9;
  // Subject of the caller's identity.
  string subject = 10;
  // Creation time as Unix epoch seconds (from the name; confirm).
  int64 epoch_seconds = 11;
  // Realm the request was made in.
  string realm = 13;
  // Identities linked to the caller.
  repeated string identities = 14;
  // Audiences requested for the token.
  repeated string requested_audience = 15;
  // Scopes requested for the token.
  repeated string requested_scope = 16;
  // Consent challenge from the broker.
  string consent_challenge = 17;
  // Display name of the client.
  string client_name = 18;
}
// AuthCode is the state stored behind an authorization code (inferred from
// the name — confirm against the handlers).
message AuthCode {
  // Deprecated; no replacement is named in this file. Readers should not rely
  // on it being populated.
  string client_id = 1 [deprecated = true];
  // Opaque state associated with the code.
  string state = 2;
  // Creation time as Unix epoch seconds (from the name; confirm). Needed for
  // expiring codes.
  int64 epoch_seconds = 3;
}
// ResourceResults is the output from a ResourceTokens request.
message ResourceResults {
  // ResourceDescriptor contains metadata about resource, not specific to the
  // user's request except for an "access" key to link how to access the
  // resource.
  message ResourceDescriptor {
    // Maps an interface name (example: "http:gcp:gs") to metadata about the
    // resource.
    map<string, InterfaceEntry> interfaces = 1;
    // Returns the access key into ResourceResults.Access map for how to access
    // this resource.
    string access = 2;
    // A list of DAM Role Categories related to the access level that has been
    // granted.
    repeated string permissions = 3;
  }
  // A map placeholder to store a list of ResourceInterface items.
  message InterfaceEntry {
    // Metadata about the resource item, including a URI to the resource item.
    // A single resource can be consisted of multiple resource items.
    repeated ResourceInterface items = 1;
  }
  // ResourceInterface contains metadata about a resource's interface, such as
  // what bucket the data lives in by URL.
  message ResourceInterface {
    // An identifier or locator for the resource.
    string uri = 1;
    // A map of metadata key/value pairs about the resource, taken from the view
    // and item config.
    map<string, string> labels = 2;
  }
  // ResourceAccess contains access tokens or other user-specific or
  // request-specific results.
  message ResourceAccess {
    // Maps of credentials. Example: {"account": "[email protected]",
    // "access_token": "ya..."}.
    // NOTE(review): these values are bearer secrets; keep them out of logs and
    // error messages and do not persist this message beyond the response.
    map<string, string> credentials = 1;
    // A map of metadata key/value pairs about the resource, taken from the view
    // and item config.
    map<string, string> labels = 2;
    // Based on the OIDC /token response spec, this is the number of seconds
    // until access expires. Serialized under the JSON key "expires_in" to
    // match that spec rather than the default lowerCamelCase.
    uint32 expires_in = 3 [json_name = "expires_in"];
  }
  // Maps a key (fully-qualified resource/view/role/interface URL) to
  // descriptors.
  map<string, ResourceDescriptor> resources = 1;
  // Maps an access key name from the resource descriptor to access information
  // for the user.
  map<string, ResourceAccess> access = 2;
  // Time of the request to map OIDC "expires_in" or other credential info to a
  // time-of-request value.
  // NOTE(review): uint32 Unix seconds overflows in 2106; the other
  // epoch_seconds fields in this file are int64. Widening to uint64 is
  // wire-compatible within the varint family but changes generated code.
  uint32 epoch_seconds = 3;
}