schwarzit.stackit-public/audit-go
1
0
Fork 0
mirror of https://dev.azure.com/schwarzit/schwarzit.stackit-public/_git/audit-go synced 2026-02-08 00:57:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Additional schema changes

Browse source
This commit is contained in:
Christian Schaible 2024-07-23 13:28:20 +02:00
parent 65fac35d23
commit 9bd5be52b7
9 changed files with 864 additions and 2575 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
audit/api/api.go
View file

@ -46,7 +46,7 @@ type AuditApi interface {
*/
Log(
ctx context.Context,
event *auditV1.AuditEvent,
event *auditV1.AuditLogEntry,
visibility auditV1.Visibility,
routingIdentifier *RoutingIdentifier,
objectIdentifier *auditV1.ObjectIdentifier,
@ -55,7 +55,7 @@ type AuditApi interface {
// ValidateAndSerialize validates and serializes the event into a byte representation.
// The result has to be sent explicitly by calling the Send method.
ValidateAndSerialize(
event *auditV1.AuditEvent,
event *auditV1.AuditLogEntry,
visibility auditV1.Visibility,
routingIdentifier *RoutingIdentifier,
objectIdentifier *auditV1.ObjectIdentifier,
@ -114,6 +114,9 @@ type CloudEvent struct {
// The object type (i.e. the fully qualified protobuf type name)
dataType string
// The identifier of the referring object.
subject string
// The serialized payload
data []byte
}

3
audit/api/api_common.go
View file

@ -50,7 +50,7 @@ var ErrSerializedPayloadNil = errors.New("serialized payload nil")
func validateAndSerializePartially(
validator *ProtobufValidator,
event *auditV1.AuditEvent,
event *auditV1.AuditLogEntry,
visibility auditV1.Visibility,
routingIdentifier *RoutingIdentifier,
objectIdentifier *auditV1.ObjectIdentifier,
@ -162,6 +162,7 @@ func send(
applicationAttributes["cloudEvents:time"] = cloudEvent.time.UnixMilli()
applicationAttributes["cloudEvents:datacontenttype"] = cloudEvent.dataContentType
applicationAttributes["cloudEvents:type"] = cloudEvent.dataType
applicationAttributes["cloudEvents:subject"] = cloudEvent.subject
return (*messagingApi).Send(
ctx,

92
audit/api/api_legacy.go
View file

@ -6,6 +6,7 @@ import (
"errors"
"fmt"
"github.com/google/uuid"
"net/url"
"time"
"dev.azure.com/schwarzit/schwarzit.stackit-core-platform/common-audit.git/audit/messaging"
@ -68,7 +69,7 @@ func NewLegacyAuditApi(
// Log implements AuditApi.Log
func (a *LegacyAuditApi) Log(
ctx context.Context,
event *auditV1.AuditEvent,
event *auditV1.AuditLogEntry,
visibility auditV1.Visibility,
routingIdentifier *RoutingIdentifier,
objectIdentifier *auditV1.ObjectIdentifier,
@ -85,7 +86,7 @@ func (a *LegacyAuditApi) Log(
// ValidateAndSerialize implements AuditApi.ValidateAndSerialize.
// It serializes the event into the byte representation of the legacy audit log system.
func (a *LegacyAuditApi) ValidateAndSerialize(
event *auditV1.AuditEvent,
event *auditV1.AuditLogEntry,
visibility auditV1.Visibility,
routingIdentifier *RoutingIdentifier,
objectIdentifier *auditV1.ObjectIdentifier,
@ -109,13 +110,16 @@ func (a *LegacyAuditApi) ValidateAndSerialize(
}
message := CloudEvent{
specVersion: "1.0",
source: event.EventSource,
specVersion: "1.0",
source: event.ProtoPayload.ServiceName,
// TODO what is the correct id?
id: uuid.NewString(),
time: event.EventTimeStamp.AsTime(),
time: event.ProtoPayload.RequestMetadata.RequestAttributes.Time.AsTime(),
dataContentType: "application/cloudevents+protobuf",
dataType: fmt.Sprintf("%v", routableEvent.ProtoReflect().Descriptor().FullName()),
data: legacyBytes,
// TODO check if this is correct
subject: event.ProtoPayload.ResourceName,
data: legacyBytes,
}
return &message, nil
}
@ -132,7 +136,7 @@ func (a *LegacyAuditApi) Send(
// convertAndSerializeIntoLegacyFormat converts the protobuf events into the json serialized legacy audit log format
func (a *LegacyAuditApi) convertAndSerializeIntoLegacyFormat(
event *auditV1.AuditEvent,
event *auditV1.AuditLogEntry,
routableEvent *auditV1.RoutableAuditEvent,
) ([]byte, error) {
@ -152,45 +156,53 @@ func (a *LegacyAuditApi) convertAndSerializeIntoLegacyFormat(
if len(event.ProtoPayload.AuthenticationInfo.ServiceAccountDelegationInfo) > 0 {
var principals []LegacyAuditEventPrincipal
for _, principal := range event.ProtoPayload.AuthenticationInfo.ServiceAccountDelegationInfo {
if principal != nil {
p := LegacyAuditEventPrincipal{
Id: principal.GetFirstPartyPrincipal().Id,
Email: &principal.GetFirstPartyPrincipal().PrincipalEmail,
}
principals = append(principals, p)
switch principalValue := principal.Authority.(type) {
case *auditV1.ServiceAccountDelegationInfo_IdpPrincipal_:
principals = append(principals, LegacyAuditEventPrincipal{
Id: principalValue.IdpPrincipal.PrincipalId,
Email: principalValue.IdpPrincipal.PrincipalEmail,
})
case *auditV1.ServiceAccountDelegationInfo_SystemPrincipal_:
principals = append(principals, LegacyAuditEventPrincipal{
Id: "system",
})
}
}
serviceAccountDelegationInfo = &LegacyAuditEventServiceAccountDelegationInfo{Principals: principals}
}
// Request
var request LegacyAuditEventRequest
if event.Request == nil {
if event.ProtoPayload.RequestMetadata.RequestAttributes == nil {
request = LegacyAuditEventRequest{
Endpoint: "none",
}
} else {
var parameters map[string]interface{} = nil
if event.Request.Parameters != nil {
parameters = event.Request.Parameters.AsMap()
if event.ProtoPayload.RequestMetadata.RequestAttributes.Path != "" && event.ProtoPayload.RequestMetadata.RequestAttributes.Query != "" {
parsedUrl, err := url.Parse(fmt.Sprintf("%s?%s", event.ProtoPayload.RequestMetadata.RequestAttributes.Path, event.ProtoPayload.RequestMetadata.RequestAttributes.Query))
if err != nil {
return nil, err
}
for k, v := range parsedUrl.Query() {
parameters[k] = v
}
}
var body map[string]interface{} = nil
if event.Request.Body != nil {
body = event.Request.Body.AsMap()
if event.ProtoPayload.Request != nil {
body = event.ProtoPayload.Request.AsMap()
}
var headers map[string]interface{} = nil
if event.Request.Headers != nil {
if event.ProtoPayload.RequestMetadata.RequestAttributes.Headers != nil {
headers = map[string]interface{}{}
for _, header := range event.Request.Headers {
if header != nil {
headers[header.Key] = header.Value
}
for key, value := range event.ProtoPayload.RequestMetadata.RequestAttributes.Headers {
headers[key] = value
}
}
request = LegacyAuditEventRequest{
Endpoint: event.Request.Endpoint,
Endpoint: event.ProtoPayload.RequestMetadata.RequestAttributes.Path,
Parameters: &parameters,
Body: &body,
Headers: &headers,
@ -205,7 +217,7 @@ func (a *LegacyAuditApi) convertAndSerializeIntoLegacyFormat(
eventType = "ADMIN_ACTIVITY"
if ref.ObjectIdentifier.Type == auditV1.ObjectType_OBJECT_TYPE_ORGANIZATION {
messageContext = &LegacyAuditEventContext{
OrganizationId: nil,
OrganizationId: &ref.ObjectIdentifier.Identifier,
FolderId: nil,
ProjectId: nil,
}
@ -213,14 +225,14 @@ func (a *LegacyAuditApi) convertAndSerializeIntoLegacyFormat(
} else if ref.ObjectIdentifier.Type == auditV1.ObjectType_OBJECT_TYPE_FOLDER {
messageContext = &LegacyAuditEventContext{
OrganizationId: nil,
FolderId: nil,
FolderId: &ref.ObjectIdentifier.Identifier,
ProjectId: nil,
}
} else if ref.ObjectIdentifier.Type == auditV1.ObjectType_OBJECT_TYPE_PROJECT {
messageContext = &LegacyAuditEventContext{
OrganizationId: nil,
FolderId: nil,
ProjectId: nil,
ProjectId: &ref.ObjectIdentifier.Identifier,
}
} else {
return nil, ErrUnsupportedObjectIdentifierType
@ -233,36 +245,30 @@ func (a *LegacyAuditApi) convertAndSerializeIntoLegacyFormat(
}
// Details
var details map[string]interface{} = nil
if event.Details != nil {
details = event.Details.AsMap()
}
var details = event.ProtoPayload.Request.AsMap()
// Result
var result map[string]interface{} = nil
if event.Result != nil {
result = event.Result.AsMap()
}
var result = event.ProtoPayload.Response.AsMap()
// Instantiate the legacy event - missing values are filled with defaults
legacyAuditEvent := LegacyAuditEvent{
Severity: "INFO",
Visibility: routableEvent.Visibility.String(),
EventType: eventType,
EventTimeStamp: event.EventTimeStamp.AsTime(),
EventName: event.EventName,
EventTimeStamp: event.ProtoPayload.RequestMetadata.RequestAttributes.Time.AsTime(),
EventName: event.LogName,
SourceIpAddress: sourceIpAddress,
UserAgent: userAgent,
Initiator: LegacyAuditEventPrincipal{
Id: event.Initiator.Id,
Email: event.Initiator.Email,
Id: event.ProtoPayload.AuthenticationInfo.PrincipalId,
Email: &event.ProtoPayload.AuthenticationInfo.PrincipalEmail,
},
ServiceAccountDelegationInfo: serviceAccountDelegationInfo,
Request: request,
Context: messageContext,
ResourceId: event.ResourceId,
ResourceName: event.ResourceName,
CorrelationId: event.CorrelationId,
ResourceId: &event.LogName,
ResourceName: &event.ProtoPayload.ResourceName,
CorrelationId: &event.CorrelationId,
Result: &result,
Details: &details,
}

15
audit/api/api_mock.go
View file

@ -30,7 +30,7 @@ func NewMockAuditApi() (*AuditApi, error) {
// Validates and serializes the event but doesn't send it.
func (a *MockAuditApi) Log(
_ context.Context,
event *auditV1.AuditEvent,
event *auditV1.AuditLogEntry,
visibility auditV1.Visibility,
routingIdentifier *RoutingIdentifier,
objectIdentifier *auditV1.ObjectIdentifier,
@ -42,7 +42,7 @@ func (a *MockAuditApi) Log(
// ValidateAndSerialize implements AuditApi.ValidateAndSerialize
func (a *MockAuditApi) ValidateAndSerialize(
event *auditV1.AuditEvent,
event *auditV1.AuditLogEntry,
visibility auditV1.Visibility,
routingIdentifier *RoutingIdentifier,
objectIdentifier *auditV1.ObjectIdentifier,
@ -59,13 +59,16 @@ func (a *MockAuditApi) ValidateAndSerialize(
}
message := CloudEvent{
specVersion: "1.0",
source: event.EventSource,
specVersion: "1.0",
source: event.ProtoPayload.ServiceName,
// TODO what is the correct id?
id: uuid.NewString(),
time: event.EventTimeStamp.AsTime(),
time: event.ProtoPayload.RequestMetadata.RequestAttributes.Time.AsTime(),
dataContentType: "application/cloudevents+protobuf",
dataType: fmt.Sprintf("%v", routableEvent.ProtoReflect().Descriptor().FullName()),
data: routableEventBytes,
// TODO check if this is correct
subject: event.ProtoPayload.ResourceName,
data: routableEventBytes,
}
return &message, nil

15
audit/api/api_routable.go
View file

@ -84,7 +84,7 @@ func newRoutableAuditApi(
// Log implements AuditApi.Log
func (a *routableAuditApi) Log(
ctx context.Context,
event *auditV1.AuditEvent,
event *auditV1.AuditLogEntry,
visibility auditV1.Visibility,
routingIdentifier *RoutingIdentifier,
objectIdentifier *auditV1.ObjectIdentifier,
@ -100,7 +100,7 @@ func (a *routableAuditApi) Log(
// ValidateAndSerialize implements AuditApi.ValidateAndSerialize
func (a *routableAuditApi) ValidateAndSerialize(
event *auditV1.AuditEvent,
event *auditV1.AuditLogEntry,
visibility auditV1.Visibility,
routingIdentifier *RoutingIdentifier,
objectIdentifier *auditV1.ObjectIdentifier,
@ -123,13 +123,16 @@ func (a *routableAuditApi) ValidateAndSerialize(
}
message := CloudEvent{
specVersion: "1.0",
source: event.EventSource,
specVersion: "1.0",
source: event.ProtoPayload.ServiceName,
// TODO what is the correct id?
id: uuid.NewString(),
time: event.EventTimeStamp.AsTime(),
time: event.ProtoPayload.RequestMetadata.RequestAttributes.Time.AsTime(),
dataContentType: "application/cloudevents+protobuf",
dataType: fmt.Sprintf("%v", routableEvent.ProtoReflect().Descriptor().FullName()),
data: routableEventBytes,
// TODO check if this is correct
subject: event.ProtoPayload.ResourceName,
data: routableEventBytes,
}
return &message, nil

26
audit/api/test_data.go
View file

@ -13,16 +13,16 @@ import (
func NewOrganizationAuditEvent(
customization *func(
*auditV1.AuditEvent,
*auditV1.AuditLogEntry,
*RoutingIdentifier,
*auditV1.ObjectIdentifier,
)) (
*auditV1.AuditEvent,
*auditV1.AuditLogEntry,
*RoutingIdentifier,
*auditV1.ObjectIdentifier,
) {
auditEvent := &auditV1.AuditEvent{
auditEvent := &auditV1.AuditLogEntry{
EventSource: "resource-manager",
Region: auditV1.Region_REGION_EU01,
SequenceNumber: wrapperspb.Int64(0),
@ -53,10 +53,10 @@ func NewOrganizationAuditEvent(
return auditEvent, routingIdentifier, objectIdentifier
}
func NewOrganizationAuditEventWithDetails() (*auditV1.AuditEvent,
func NewOrganizationAuditEventWithDetails() (*auditV1.AuditLogEntry,
*RoutingIdentifier,
*auditV1.ObjectIdentifier) {
customization := func(event *auditV1.AuditEvent,
customization := func(event *auditV1.AuditLogEntry,
routingIdentifier *RoutingIdentifier,
objectIdentifier *auditV1.ObjectIdentifier) {
userAgent := "firefox"
@ -100,16 +100,16 @@ func NewOrganizationAuditEventWithDetails() (*auditV1.AuditEvent,
func NewFolderAuditEvent(
customization *func(
*auditV1.AuditEvent,
*auditV1.AuditLogEntry,
*RoutingIdentifier,
*auditV1.ObjectIdentifier,
)) (
*auditV1.AuditEvent,
*auditV1.AuditLogEntry,
*RoutingIdentifier,
*auditV1.ObjectIdentifier,
) {
auditEvent := &auditV1.AuditEvent{
auditEvent := &auditV1.AuditLogEntry{
EventSource: "resource-manager",
Region: auditV1.Region_REGION_EU01,
SequenceNumber: wrapperspb.Int64(0),
@ -141,16 +141,16 @@ func NewFolderAuditEvent(
func NewProjectAuditEvent(
customization *func(
*auditV1.AuditEvent,
*auditV1.AuditLogEntry,
*RoutingIdentifier,
*auditV1.ObjectIdentifier,
)) (
*auditV1.AuditEvent,
*auditV1.AuditLogEntry,
*RoutingIdentifier,
*auditV1.ObjectIdentifier,
) {
auditEvent := &auditV1.AuditEvent{
auditEvent := &auditV1.AuditLogEntry{
EventSource: "resource-manager",
Region: auditV1.Region_REGION_EU01,
SequenceNumber: wrapperspb.Int64(0),
@ -182,9 +182,9 @@ func NewProjectAuditEvent(
}
func NewSystemAuditEvent(
customization *func(*auditV1.AuditEvent)) *auditV1.AuditEvent {
customization *func(*auditV1.AuditLogEntry)) *auditV1.AuditLogEntry {
auditEvent := &auditV1.AuditEvent{
auditEvent := &auditV1.AuditLogEntry{
EventSource: "resource-manager",
Region: auditV1.Region_REGION_EU01,
SequenceNumber: wrapperspb.Int64(0),

1695
gen/go/audit/v1/audit_event.pb.go
View file

File diff suppressed because it is too large Load diff

1191
gen/go/audit/v1/audit_event.pb.validate.go
View file

File diff suppressed because it is too large Load diff

395
proto/audit/v1/audit_event.proto
View file

@ -14,99 +14,55 @@ option java_multiple_files = true;
option java_package = "com.schwarz.stackit.audit.v1";
// TODO update numbers of elements in messages
// TODO decide which fields should be optional
// The audit log entry can be used to record an incident in the audit log.
message AuditLogEntry {
// The resource name of the log to which this log entry belongs.
// Example: projects/<identifier>/logs/<eventType>
string log_name = 12;
// The monitored resource that produced this log entry.
//
// Example: a log entry that reports a database error would be associated with
// the monitored resource designating the particular database that reported
// the error.
MonitoredResource resource = 8;
// The log entry payload, which is always an AuditLog for STACKIT Audit Log events.
AuditLog proto_payload = 2;
// TODO can we specify how the format should look like?
// TODO Encode sequence number into it?
// https://softwaremind.com/blog/the-unique-features-of-snowflake-id-and-its-comparison-to-uuid/
// A unique identifier for the log entry.
// Is generated and set by the SDK.
// Format:
// <timestamp>/<region>/<worker-id>/<sequence-number>
string insert_id = 4;
// A set of user-defined (key, value) data that provides additional
// information about the log entry.
map<string, string> labels = 11;
// Information about an operation associated with the log entry, if applicable.
LogEntryOperation operation = 15;
// Correlate multiple audit logs by setting the same id
string correlation_id = 15;
// The time the event described by the log entry occurred.
google.protobuf.Timestamp timestamp = 9;
// TODO do we need it? where will we set it?
// The time the log entry was received by Logging.
google.protobuf.Timestamp receive_timestamp = 24;
// The severity of the log entry.
LogSeverity severity = 10;
// TODO check example
// Resource name of the trace associated with the log entry, if any. It
// contains a relative resource name. Example:
// `projects/my-projectid/traces/06796866738c859f2f19b7cfb3214824`
string trace = 22;
// TODO check format and description
// The span ID within the trace associated with the log entry, if any.
// W3C conform trace parent header:
// https://www.w3.org/TR/trace-context/#traceparent-header
//
// For Trace spans, this is the same format that the Trace API v2 uses: a
// 16-character hexadecimal encoding of an 8-byte array, such as
// `000000000000004a`.
string span_id = 27;
// Example:
// `00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01`
string trace_parent = 22;
// Information indicating this log entry is part of a sequence of multiple logs
// split from a single log entry.
LogSplit split = 35;
// W3C conform trace state header:
// https://www.w3.org/TR/trace-context/#tracestate-header
//
// Example:
// `rojo=00f067aa0ba902b7,congo=t61rcWkgMzE`.
string trace_state = 27;
}
// An object representing a resource that can be used for monitoring, logging,
// billing, or other purposes.
message MonitoredResource {
// Required. The monitored resource type. For example, the type of a
// STACKIT Server instance is `gce_instance`.
string type = 1;
// TODO check the label values
// Values for all of the labels listed in the associated monitored
// resource descriptor. For example, STACKIT Server instances use the
// labels `"project_id"`, `"instance_id"`, and `"zone"`.
map<string, string> labels = 2;
}
// Additional information about a potentially long-running operation with which
// a log entry is associated.
message LogEntryOperation {
// An arbitrary operation identifier. Log entries with the same
// identifier are assumed to be part of the same operation.
string id = 1;
// TODO check examples
// An arbitrary producer identifier. The combination of `id` and
// `producer` must be globally unique. Examples for `producer`:
// `"MyDivision.MyBigCompany.com"`, `"github.com/MyProject/MyApplication"`.
string producer = 2;
// True if this is the first log entry in the operation.
bool first = 3;
// True if this is the last log entry in the operation.
bool last = 4;
}
// TODO check description and levels
// The severity of the event described in a log entry, expressed as one of the
// standard severity levels listed below. For your reference, the levels are
// assigned the listed numeric values. The effect of using numeric values other
@ -144,56 +100,34 @@ enum LogSeverity {
EMERGENCY = 800;
}
// TODO check description
// Common audit log format for STACKIT API operations.
// Copied from
// https://github.com/googleapis/googleapis/blob/master/google/cloud/audit/audit_log.proto,
// but changing service_data from Any to Struct.
message AuditLog {
// TODO check example
// The name of the API service performing the operation. For example,
// `"datastore.googleapis.com"`.
// `"resource-manager"`.
string service_name = 7;
// TODO check example
// TODO: Add extra field to open api spec for the method_name
// The name of the service method or operation.
// For API calls, this should be the name of the API method.
// The format should is:
// stackit.<product>.<version>.<object>.<operation>
//
// For example,
//
// "google.datastore.v1.Datastore.RunQuery"
// "google.logging.v1.LoggingService.DeleteLog"
string method_name = 8;
// "stackit.resourcemanager.v1.organization.created"
// "stackit.authorization.v2.organization.moved"
// "stackit.authorization.v2.folder.moved"
optional string method_name = 8;
// TODO check example
// The resource or collection that is the target of the operation.
// The name is a scheme-less URI, not including the API service name.
// For example:
//
// "shelves/SHELF_ID/books"
// "shelves/SHELF_ID/books/BOOK_ID"
// "projects/<id>/zones/<region-zone>/vms/<vm-id>"
// "projects/<id>/zones/<region-zone>/vms/<vm-id>/ports/<port-id>"
// "projects/<id>/zones/<region-zone>/instances/instance-20240723-184227
string resource_name = 11;
// The resource location information.
ResourceLocation resource_location = 20;
// TODO check what's meant with @type property
// The resource's original state before mutation. Present only for
// operations which have successfully modified the targeted resource(s).
// In general, this field should contain all changed fields, except those
// that are already been included in `request`, `response`, `metadata` or
// `service_data` fields.
// When the JSON object represented here has a proto equivalent,
// the proto name will be indicated in the `@type` property.
google.protobuf.Struct resource_original_state = 19;
// The number of items returned from a List or Query API method,
// if applicable.
int64 num_response_items = 12;
// The status of the overall operation.
RpcStatus status = 2;
// Authentication information.
AuthenticationInfo authentication_info = 3;
@ -205,22 +139,22 @@ message AuditLog {
// Metadata about the operation.
RequestMetadata request_metadata = 4;
// TODO check what's meant with @type property
// The operation request. This may not include all request parameters,
// such as those that are too large, privacy-sensitive, or duplicated
// elsewhere in the log record.
// It should never include user-generated data, such as file contents.
// When the JSON object represented here has a proto equivalent, the proto
// name will be indicated in the `@type` property.
google.protobuf.Struct request = 16;
// TODO check what's meant with @type property
// The status of the overall operation.
ResponseStatus status = 2;
// The number of items returned from a List or Query API method,
// if applicable.
optional int64 num_response_items = 12;
// The operation response. This may not include all response elements,
// such as those that are too large, privacy-sensitive, or duplicated
// elsewhere in the log record.
// It should never include user-generated data, such as file contents.
// When the JSON object represented here has a proto equivalent, the proto
// name will be indicated in the `@type` property.
google.protobuf.Struct response = 17;
// Other service-specific data about the request, response, and other
@ -231,33 +165,18 @@ message AuditLog {
// Authentication information for the operation.
message AuthenticationInfo {
// TODO check description - do we need the id as well?
// The email address of the authenticated user (or service account on behalf
// of third party principal) making the request. For third party identity
// callers, the `principal_subject` field is populated instead of this field.
// For privacy reasons, the principal email address is sometimes redacted.
// For more information, see [Caller identities in audit
// logs](https://cloud.google.com/logging/docs/audit#user-id).
string principal_email = 1;
// Principal id
string principal_id = 1;
// The authority selector specified by the requestor, if any.
// It is not guaranteed that the principal was allowed to use this authority.
string authority_selector = 2;
// The email address of the authenticated user
string principal_email = 2;
// TODO check @type
// The third party identification (if any) of the authenticated user making
// the request.
// When the JSON object represented here has a proto equivalent, the proto
// name will be indicated in the `@type` property.
google.protobuf.Struct third_party_principal = 4;
// TODO check example
// The name of the service account key used to create or exchange
// The name of the service account used to create or exchange
// credentials for authenticating the service account making the request.
// This is a scheme-less URI full resource name. For example:
// Example:
//
// "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}"
string service_account_key_name = 5;
// "projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}"
optional string service_account_name = 5;
// Identity delegation history of an authenticated service account that makes
// the request. It contains information on the real authorities that try to
@ -265,19 +184,16 @@ message AuthenticationInfo {
// authorities present, they are guaranteed to be sorted based on the original
// ordering of the identity delegation events.
repeated ServiceAccountDelegationInfo service_account_delegation_info = 6;
// String representation of identity of requesting party.
// Populated for both first and third party identities.
string principal_subject = 8;
}
// Authorization information for the operation.
message AuthorizationInfo {
// TODO check example
// The resource being accessed, as a REST-style string. For example:
// The resource being accessed, as a REST-style string.
//
// bigquery.googleapis.com/projects/PROJECTID/datasets/DATASETID
// For example:
// Project scoped resource: projects/test-project-123/zones/us-central1-b/instances/instance-20240723-174217
// Global Resource: projects/_/buckets/adfeaf
string resource = 1;
// The required IAM permission.
@ -286,14 +202,6 @@ message AuthorizationInfo {
// Whether or not authorization for `resource` and `permission`
// was granted.
bool granted = 3;
// Resource attributes used in IAM condition evaluation. This field contains
// resource attributes like resource type and resource name.
//
// To get the whole view of the attributes used in IAM
// condition evaluation, the user must also look into
// `AuditLog.request_metadata.request_attributes`.
AttributeContext.Resource resource_attributes = 5;
}
// TODO check description
@ -316,32 +224,6 @@ message AuthorizationInfo {
// a system.
message AttributeContext {
// This message defines attributes for a node that handles a network request.
// The node can be either a service or an application that sends, forwards,
// or receives the request. Service peers should fill in
// `principal` and `labels` as appropriate.
message Peer {
// The IP address of the peer.
string ip = 1;
// The network port of the peer.
int64 port = 2;
// The labels associated with the peer.
map<string, string> labels = 6;
// The identity of this peer. Similar to `Request.auth.principal`, but
// relative to the peer instead of the request. For example, the
// identity associated with a load balancer that forwarded the request.
string principal = 7;
// The CLDR country/region code associated with the above IP address.
// If the IP address is private, the `region_code` should reflect the
// physical location where this peer is running.
string region_code = 8;
}
// This message defines request authentication attributes. Terminology is
// based on the JSON Web Token (JWT) standard, but the terms also
// correlate to concepts in other standards.
@ -396,16 +278,6 @@ message AttributeContext {
// SAML assertions are similarly specified, but with an identity provider
// dependent structure.
google.protobuf.Struct claims = 4;
// TODO check description
// A list of access level resource names that allow resources to be
// accessed by authenticated requester. It is part of Secure GCP processing
// for the incoming request. An access level string has the format:
// "//{api_service_name}/accessPolicies/{policy_id}/accessLevels/{short_name}"
//
// Example:
// "//accesscontextmanager.googleapis.com/accessPolicies/MY_POLICY_ID/accessLevels/MY_LEVEL"
repeated string access_levels = 5;
}
// This message defines attributes for an HTTP request. If the actual
@ -443,19 +315,12 @@ message AttributeContext {
// the request.
google.protobuf.Timestamp time = 9;
// The HTTP request size in bytes. If unknown, it must be -1.
int64 size = 10;
// The network protocol used with the request, such as "http/1.1",
// "spdy/3", "h2", "h2c", "webrtc", "tcp", "udp", "quic". See
// https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
// for details.
string protocol = 11;
// A special parameter for request reason. It is used by security systems
// to associate auditing information with a request.
string reason = 12;
// The request authentication. May be absent for unauthenticated requests.
// Derived from the HTTP request `Authorization` header or equivalent.
Auth auth = 13;
@ -480,60 +345,15 @@ message AttributeContext {
// the response.
google.protobuf.Timestamp time = 4;
}
// This message defines core attributes for a resource. A resource is an
// addressable (named) entity provided by the destination service. For
// example, a file stored on a network storage service.
message Resource {
// TODO check description
// The name of the service that this resource belongs to, such as
// `pubsub.googleapis.com`. The service may be different from the DNS
// hostname that actually serves the request.
string service = 1;
// TODO check description
// The stable identifier (name) of a resource on the `service`. A resource
// can be logically identified as "//{resource.service}/{resource.name}".
// The differences between a resource name and a URI are:
//
// * Resource name is a logical identifier, independent of network
// protocol and API version. For example,
// `//pubsub.googleapis.com/projects/123/topics/news-feed`.
// * URI often includes protocol and version information, so it can
// be used directly by applications. For example,
// `https://pubsub.googleapis.com/v1/projects/123/topics/news-feed`.
//
// See https://cloud.google.com/apis/design/resource_names for details.
string name = 2;
// TODO check description
// The type of the resource. The syntax is platform-specific because
// different platforms define their resources differently.
//
// For Google APIs, the type format must be "{service}/{kind}".
string type = 3;
// TODO check description (AWS)
// The labels or tags on the resource, such as AWS resource tags and
// Kubernetes resource labels.
map<string, string> labels = 4;
}
}
// Metadata about the request.
message RequestMetadata {
// TODO check description
// The IP address of the caller.
// For caller from internet, this will be public IPv4 or IPv6 address.
// For caller from a Compute Engine VM with external IP address, this
// will be the VM's external IP address. For caller from a Compute
// Engine VM without external IP address, if the VM is in the same
// organization (or project) as the accessed resource, `caller_ip` will
// be the VM's internal IPv4 address, otherwise the `caller_ip` will be
// redacted to "gce-internal-ip".
// See https://cloud.google.com/compute/docs/vpc/ for more information.
// For caller from a VM / K8s Service / etc, this
// will be the SIT proxy's IPv4 address.
string caller_ip = 1;
// TODO check description
@ -550,16 +370,6 @@ message RequestMetadata {
// The request was made from the `my-project` App Engine app.
string caller_supplied_user_agent = 2;
// TODO check description
// The network of the caller.
// Set only if the network host project is part of the same GCP organization
// (or project) as the accessed resource.
// See https://cloud.google.com/compute/docs/vpc/ for more information.
// This is a scheme-less URI full resource name. For example:
//
// "//compute.googleapis.com/projects/PROJECT_ID/global/networks/NETWORK_ID"
string caller_network = 3;
// TODO check description
// Request attributes used in IAM condition evaluation. This field contains
// request attributes like request time and access levels associated with
@ -569,93 +379,47 @@ message RequestMetadata {
// condition evaluation, the user must also look into
// `AuditLog.authentication_info.resource_attributes`.
AttributeContext.Request request_attributes = 7;
// TODO check description
// The destination of a network activity, such as accepting a TCP connection.
// In a multi hop network activity, the destination represents the receiver of
// the last hop. Only two fields are used in this message, Peer.port and
// Peer.ip. These fields are optionally populated by those services utilizing
// the IAM condition feature.
AttributeContext.Peer destination_attributes = 8;
}
// Location information about a resource.
message ResourceLocation {
// The locations of a resource after the execution of the operation.
// Requests to create or delete a location based resource must populate
// the 'current_locations' field and not the 'original_locations' field.
// For example:
//
// "eu01"
repeated string current_locations = 1;
// The locations of a resource prior to the execution of the operation.
// Requests that mutate the resource's location must populate both the
// 'original_locations' as well as the 'current_locations' fields.
// For example:
//
// "eu01"
repeated string original_locations = 2;
}
// TODO check description
// The `Status` type defines a logical error model that is suitable for
// different programming environments, including REST APIs and RPC APIs. It is
// used by [gRPC](https://github.com/grpc). Each `Status` message contains
// three pieces of data: error code, error message, and error details.
//
// You can find out more about this error model and how to work with it in the
// [API Design Guide](https://cloud.google.com/apis/design/errors).
message RpcStatus {
// different programming environments, including REST APIs and RPC APIs.
// Each `ResponseStatus` message contains three pieces of data:
// error code, error message, and error details.
message ResponseStatus {
// TODO check description
// The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].
// The http or gRPC status code.
int32 code = 1;
// A developer-facing error message, which should be in English. Any
// user-facing error message should be localized and sent in the
// RpcStatus.details field, or localized by the client.
// Short description of the error
string message = 2;
// TODO replace any with something different (e.g. struct) and update description
// A list of messages that carry the error details. There is a common set of
// message types for APIs to use.
repeated google.protobuf.Any details = 3;
// Error details
repeated google.protobuf.Struct details = 3;
}
// Identity delegation history of an authenticated service account.
message ServiceAccountDelegationInfo {
// TODO Introduce but check if needed
// Anonymous system principal to be used when no user identity is available.
message SystemPrincipal {
// Metadata about the service that uses the service account.
google.protobuf.Struct service_metadata = 3;
}
// First party identity principal.
message FirstPartyPrincipal {
// STACKIT idp principal.
message IdpPrincipal {
// TODO was added - check if correct
// STACKIT principal id
string id = 1;
string principal_id = 1;
// The email address
// Optional email address
optional string principal_email = 2;
// Metadata about the service that uses the service account.
google.protobuf.Struct service_metadata = 3;
}
// TODO check if needed
// Third party identity principal.
message ThirdPartyPrincipal {
// Metadata about third party identity.
google.protobuf.Struct third_party_claims = 1;
}
// Entity that creates credentials for service account and assumes its
// identity for authentication.
oneof Authority {
@ -663,28 +427,7 @@ message ServiceAccountDelegationInfo {
// System identity
SystemPrincipal system_principal = 1;
// First party (STACKIT) identity as the real authority.
FirstPartyPrincipal first_party_principal = 2;
// Third party identity as the real authority.
ThirdPartyPrincipal third_party_principal = 3;
// STACKIT IDP identity
IdpPrincipal idp_principal = 2;
}
}
// Additional information used to correlate multiple LogEntries. Used when a
// single log entry would exceed the STACKIT logging size limit and is split
// across multiple entries.
message LogSplit {
// A globally unique identifier for all log entries in a sequence of split
// logs. All log entries with the same |LogSplit.uid| are assumed to be part of
// the same sequence of split logs.
string uid = 1;
// The index of this log entry in the sequence of split logs. Log entries are
// given |index| values 0, 1, ..., n-1 for a sequence of n entries.
int32 index = 2;
// The total number of logs that the original log entry was split into.
int32 total_splits = 3;
}