451 lines
13 KiB
Protocol Buffer
451 lines
13 KiB
Protocol Buffer
syntax = "proto3";
|
|
package pb;
|
|
|
|
import "google/protobuf/timestamp.proto";
|
|
|
|
message Empty {}
|
|
|
|
message Header {
|
|
repeated string header = 1;
|
|
}
|
|
|
|
message ProtoError {
|
|
uint32 err_type = 1;
|
|
string err_msg = 2;
|
|
int64 err_code = 3;
|
|
}
|
|
|
|
// Paths is the structure of special paths that is used for SpecialPaths.
|
|
message Paths {
|
|
// Root are the paths that require a root token to access
|
|
repeated string root = 1;
|
|
|
|
// Unauthenticated are the paths that can be accessed without any auth.
|
|
repeated string unauthenticated = 2;
|
|
|
|
// LocalStorage are paths (prefixes) that are local to this instance; this
|
|
// indicates that these paths should not be replicated
|
|
repeated string local_storage = 3;
|
|
|
|
// SealWrapStorage are storage paths that, when using a capable seal,
|
|
// should be seal wrapped with extra encryption. It is exact matching
|
|
// unless it ends with '/' in which case it will be treated as a prefix.
|
|
repeated string seal_wrap_storage = 4;
|
|
}
|
|
|
|
message Request {
|
|
// Id is the uuid associated with each request
|
|
string id = 1;
|
|
|
|
// If set, the name given to the replication secondary where this request
|
|
// originated
|
|
string ReplicationCluster = 2;
|
|
|
|
// Operation is the requested operation type
|
|
string operation = 3;
|
|
|
|
// Path is the part of the request path not consumed by the
|
|
// routing. As an example, if the original request path is "prod/aws/foo"
|
|
// and the AWS logical backend is mounted at "prod/aws/", then the
|
|
// final path is "foo" since the mount prefix is trimmed.
|
|
string path = 4;
|
|
|
|
// Request data is an opaque map that must have string keys.
|
|
bytes data = 5;
|
|
|
|
// Secret will be non-nil only for Revoke and Renew operations
|
|
// to represent the secret that was returned prior.
|
|
Secret secret = 6;
|
|
|
|
// Auth will be non-nil only for Renew operations
|
|
// to represent the auth that was returned prior.
|
|
Auth auth = 7;
|
|
|
|
// Headers will contain the http headers from the request. This value will
|
|
// be used in the audit broker to ensure we are auditing only the allowed
|
|
// headers.
|
|
map<string, Header> headers = 8;
|
|
|
|
// ClientToken is provided to the core so that the identity
|
|
// can be verified and ACLs applied. This value is passed
|
|
// through to the logical backends but after being salted and
|
|
// hashed.
|
|
string client_token = 9;
|
|
|
|
// ClientTokenAccessor is provided to the core so that the it can get
|
|
// logged as part of request audit logging.
|
|
string client_token_accessor = 10;
|
|
|
|
// DisplayName is provided to the logical backend to help associate
|
|
// dynamic secrets with the source entity. This is not a sensitive
|
|
// name, but is useful for operators.
|
|
string display_name = 11;
|
|
|
|
// MountPoint is provided so that a logical backend can generate
|
|
// paths relative to itself. The `Path` is effectively the client
|
|
// request path with the MountPoint trimmed off.
|
|
string mount_point = 12;
|
|
|
|
// MountType is provided so that a logical backend can make decisions
|
|
// based on the specific mount type (e.g., if a mount type has different
|
|
// aliases, generating different defaults depending on the alias)
|
|
string mount_type = 13;
|
|
|
|
// MountAccessor is provided so that identities returned by the authentication
|
|
// backends can be tied to the mount it belongs to.
|
|
string mount_accessor = 14;
|
|
|
|
// WrapInfo contains requested response wrapping parameters
|
|
RequestWrapInfo wrap_info = 15;
|
|
|
|
// ClientTokenRemainingUses represents the allowed number of uses left on the
|
|
// token supplied
|
|
int64 client_token_remaining_uses = 16;
|
|
|
|
// EntityID is the identity of the caller extracted out of the token used
|
|
// to make this request
|
|
string entity_id = 17;
|
|
|
|
// PolicyOverride indicates that the requestor wishes to override
|
|
// soft-mandatory Sentinel policies
|
|
bool policy_override = 18;
|
|
|
|
// Whether the request is unauthenticated, as in, had no client token
|
|
// attached. Useful in some situations where the client token is not made
|
|
// accessible.
|
|
bool unauthenticated = 19;
|
|
}
|
|
|
|
message Alias {
|
|
// MountType is the backend mount's type to which this identity belongs
|
|
string mount_type = 1;
|
|
|
|
// MountAccessor is the identifier of the mount entry to which this
|
|
// identity belongs
|
|
string mount_accessor = 2;
|
|
|
|
// Name is the identifier of this identity in its authentication source
|
|
string name = 3;
|
|
}
|
|
|
|
message Auth {
|
|
LeaseOptions lease_options = 1;
|
|
|
|
// InternalData is JSON-encodable data that is stored with the auth struct.
|
|
// This will be sent back during a Renew/Revoke for storing internal data
|
|
// used for those operations.
|
|
bytes internal_data = 2;
|
|
|
|
// DisplayName is a non-security sensitive identifier that is
|
|
// applicable to this Auth. It is used for logging and prefixing
|
|
// of dynamic secrets. For example, DisplayName may be "armon" for
|
|
// the github credential backend. If the client token is used to
|
|
// generate a SQL credential, the user may be "github-armon-uuid".
|
|
// This is to help identify the source without using audit tables.
|
|
string display_name = 3;
|
|
|
|
// Policies is the list of policies that the authenticated user
|
|
// is associated with.
|
|
repeated string policies = 4;
|
|
|
|
// Metadata is used to attach arbitrary string-type metadata to
|
|
// an authenticated user. This metadata will be outputted into the
|
|
// audit log.
|
|
map<string, string> metadata = 5;
|
|
|
|
// ClientToken is the token that is generated for the authentication.
|
|
// This will be filled in by Vault core when an auth structure is
|
|
// returned. Setting this manually will have no effect.
|
|
string client_token = 6;
|
|
|
|
// Accessor is the identifier for the ClientToken. This can be used
|
|
// to perform management functionalities (especially revocation) when
|
|
// ClientToken in the audit logs are obfuscated. Accessor can be used
|
|
// to revoke a ClientToken and to lookup the capabilities of the ClientToken,
|
|
// both without actually knowing the ClientToken.
|
|
string accessor = 7;
|
|
|
|
// Period indicates that the token generated using this Auth object
|
|
// should never expire. The token should be renewed within the duration
|
|
// specified by this period.
|
|
int64 period = 8;
|
|
|
|
// Number of allowed uses of the issued token
|
|
int64 num_uses = 9;
|
|
|
|
// EntityID is the identifier of the entity in identity store to which the
|
|
// identity of the authenticating client belongs to.
|
|
string entity_id = 10;
|
|
|
|
// Alias is the information about the authenticated client returned by
|
|
// the auth backend
|
|
Alias alias = 11;
|
|
|
|
// GroupAliases are the informational mappings of external groups which an
|
|
// authenticated user belongs to. This is used to check if there are
|
|
// mappings groups for the group aliases in identity store. For all the
|
|
// matching groups, the entity ID of the user will be added.
|
|
repeated Alias group_aliases = 12;
|
|
}
|
|
|
|
message LeaseOptions {
|
|
int64 TTL = 1;
|
|
|
|
bool renewable = 2;
|
|
|
|
int64 increment = 3;
|
|
|
|
google.protobuf.Timestamp issue_time = 4;
|
|
}
|
|
|
|
message Secret {
|
|
LeaseOptions lease_options = 1;
|
|
|
|
// InternalData is JSON-encodable data that is stored with the secret.
|
|
// This will be sent back during a Renew/Revoke for storing internal data
|
|
// used for those operations.
|
|
bytes internal_data = 2;
|
|
|
|
// LeaseID is the ID returned to the user to manage this secret.
|
|
// This is generated by Vault core. Any set value will be ignored.
|
|
// For requests, this will always be blank.
|
|
string lease_id = 3;
|
|
}
|
|
|
|
message Response {
|
|
// Secret, if not nil, denotes that this response represents a secret.
|
|
Secret secret = 1;
|
|
|
|
// Auth, if not nil, contains the authentication information for
|
|
// this response. This is only checked and means something for
|
|
// credential backends.
|
|
Auth auth = 2;
|
|
|
|
// Response data is an opaque map that must have string keys. For
|
|
// secrets, this data is sent down to the user as-is. To store internal
|
|
// data that you don't want the user to see, store it in
|
|
// Secret.InternalData.
|
|
bytes data = 3;
|
|
|
|
// Redirect is an HTTP URL to redirect to for further authentication.
|
|
// This is only valid for credential backends. This will be blanked
|
|
// for any logical backend and ignored.
|
|
string redirect = 4;
|
|
|
|
// Warnings allow operations or backends to return warnings in response
|
|
// to user actions without failing the action outright.
|
|
repeated string warnings = 5;
|
|
|
|
// Information for wrapping the response in a cubbyhole
|
|
ResponseWrapInfo wrap_info = 6;
|
|
}
|
|
|
|
message ResponseWrapInfo {
|
|
// Setting to non-zero specifies that the response should be wrapped.
|
|
// Specifies the desired TTL of the wrapping token.
|
|
int64 TTL = 1;
|
|
|
|
// The token containing the wrapped response
|
|
string token = 2;
|
|
|
|
// The token accessor for the wrapped response token
|
|
string accessor = 3;
|
|
|
|
// The creation time. This can be used with the TTL to figure out an
|
|
// expected expiration.
|
|
google.protobuf.Timestamp creation_time = 4;
|
|
|
|
// If the contained response is the output of a token creation call, the
|
|
// created token's accessor will be accessible here
|
|
string wrapped_accessor = 5;
|
|
|
|
// WrappedEntityID is the entity identifier of the caller who initiated the
|
|
// wrapping request
|
|
string wrapped_entity_id = 6;
|
|
|
|
// The format to use. This doesn't get returned, it's only internal.
|
|
string format = 7;
|
|
|
|
// CreationPath is the original request path that was used to create
|
|
// the wrapped response.
|
|
string creation_path = 8;
|
|
|
|
// Controls seal wrapping behavior downstream for specific use cases
|
|
bool seal_wrap = 9;
|
|
}
|
|
|
|
message RequestWrapInfo {
|
|
// Setting to non-zero specifies that the response should be wrapped.
|
|
// Specifies the desired TTL of the wrapping token.
|
|
int64 TTL = 1;
|
|
|
|
// The format to use for the wrapped response; if not specified it's a bare
|
|
// token
|
|
string format = 2;
|
|
|
|
// A flag to conforming backends that data for a given request should be
|
|
// seal wrapped
|
|
bool seal_wrap = 3;
|
|
}
|
|
|
|
// HandleRequestArgs is the args for HandleRequest method.
|
|
message HandleRequestArgs {
|
|
uint32 storage_id = 1;
|
|
Request request = 2;
|
|
}
|
|
|
|
// HandleRequestReply is the reply for HandleRequest method.
|
|
message HandleRequestReply {
|
|
Response response = 1;
|
|
ProtoError err = 2;
|
|
}
|
|
|
|
// SpecialPathsReply is the reply for SpecialPaths method.
|
|
message SpecialPathsReply {
|
|
Paths paths = 1;
|
|
}
|
|
|
|
// HandleExistenceCheckArgs is the args for HandleExistenceCheck method.
|
|
message HandleExistenceCheckArgs {
|
|
uint32 storage_id = 1;
|
|
Request request = 2;
|
|
}
|
|
|
|
// HandleExistenceCheckReply is the reply for HandleExistenceCheck method.
|
|
message HandleExistenceCheckReply {
|
|
bool check_found = 1;
|
|
bool exists = 2;
|
|
ProtoError err = 3;
|
|
}
|
|
|
|
// SetupArgs is the args for Setup method.
|
|
message SetupArgs {
|
|
uint32 broker_id = 1;
|
|
map<string, string> Config = 2;
|
|
}
|
|
|
|
// SetupReply is the reply for Setup method.
|
|
message SetupReply {
|
|
string err = 1;
|
|
}
|
|
|
|
// TypeReply is the reply for the Type method.
|
|
message TypeReply {
|
|
uint32 type = 1;
|
|
}
|
|
|
|
message InvalidateKeyArgs {
|
|
string key = 1;
|
|
}
|
|
|
|
service Backend {
|
|
rpc HandleRequest(HandleRequestArgs) returns (HandleRequestReply);
|
|
rpc SpecialPaths(Empty) returns (SpecialPathsReply);
|
|
rpc HandleExistenceCheck(HandleExistenceCheckArgs) returns (HandleExistenceCheckReply);
|
|
rpc Initialize(Empty) returns (Empty);
|
|
rpc Cleanup(Empty) returns (Empty);
|
|
rpc InvalidateKey(InvalidateKeyArgs) returns (Empty);
|
|
rpc Setup(SetupArgs) returns (SetupReply);
|
|
rpc Type(Empty) returns (TypeReply);
|
|
}
|
|
|
|
message StorageEntry {
|
|
string key = 1;
|
|
bytes value = 2;
|
|
bool seal_wrap = 3;
|
|
}
|
|
|
|
message StorageListArgs {
|
|
string prefix = 1;
|
|
}
|
|
|
|
message StorageListReply {
|
|
repeated string keys = 1;
|
|
string err = 2;
|
|
}
|
|
|
|
message StorageGetArgs {
|
|
string key = 1;
|
|
}
|
|
|
|
message StorageGetReply {
|
|
StorageEntry entry = 1;
|
|
string err = 2;
|
|
}
|
|
|
|
message StoragePutArgs {
|
|
StorageEntry entry = 1;
|
|
}
|
|
|
|
message StoragePutReply {
|
|
string err = 1;
|
|
}
|
|
|
|
message StorageDeleteArgs {
|
|
string key = 1;
|
|
}
|
|
|
|
message StorageDeleteReply {
|
|
string err = 1;
|
|
}
|
|
|
|
service Storage {
|
|
rpc List(StorageListArgs) returns (StorageListReply);
|
|
rpc Get(StorageGetArgs) returns (StorageGetReply);
|
|
rpc Put(StoragePutArgs) returns (StoragePutReply);
|
|
rpc Delete(StorageDeleteArgs) returns (StorageDeleteReply);
|
|
}
|
|
|
|
message TTLReply {
|
|
int64 TTL = 1;
|
|
}
|
|
|
|
message SudoPrivilegeArgs {
|
|
string path = 1;
|
|
string token = 2;
|
|
}
|
|
|
|
message SudoPrivilegeReply {
|
|
bool sudo = 1;
|
|
}
|
|
|
|
message TaintedReply {
|
|
bool tainted = 1;
|
|
}
|
|
|
|
message CachingDisabledReply {
|
|
bool disabled = 1;
|
|
}
|
|
|
|
message ReplicationStateReply {
|
|
int32 state = 1;
|
|
}
|
|
|
|
message ResponseWrapDataArgs {
|
|
bytes data = 1;
|
|
int64 TTL = 2;
|
|
bool JWT = 3;
|
|
}
|
|
|
|
message ResponseWrapDataReply {
|
|
ResponseWrapInfo wrap_info = 1;
|
|
string err = 2;
|
|
}
|
|
|
|
message MlockEnabledReply {
|
|
bool enabled = 1;
|
|
}
|
|
|
|
service SystemView {
|
|
rpc DefaultLeaseTTL(Empty) returns (TTLReply);
|
|
rpc MaxLeaseTTL(Empty) returns (TTLReply);
|
|
rpc SudoPrivilege(SudoPrivilegeArgs) returns (SudoPrivilegeReply);
|
|
rpc Tainted(Empty) returns (TaintedReply);
|
|
rpc CachingDisabled(Empty) returns (CachingDisabledReply);
|
|
rpc ReplicationState(Empty) returns (ReplicationStateReply);
|
|
rpc ResponseWrapData(ResponseWrapDataArgs) returns (ResponseWrapDataReply);
|
|
rpc MlockEnabled(Empty) returns (MlockEnabledReply);
|
|
}
|
|
|
|
|