Additional schema changes

audit/api/api.go

@@ -46,7 +46,7 @@ type AuditApi interface {
 	*/
 	Log(
 		ctx context.Context,
-		event *auditV1.AuditEvent,
+		event *auditV1.AuditLogEntry,
 		visibility auditV1.Visibility,
 		routingIdentifier *RoutingIdentifier,
 		objectIdentifier *auditV1.ObjectIdentifier,
@@ -55,7 +55,7 @@ type AuditApi interface {
 	// ValidateAndSerialize validates and serializes the event into a byte representation.
 	// The result has to be sent explicitly by calling the Send method.
 	ValidateAndSerialize(
-		event *auditV1.AuditEvent,
+		event *auditV1.AuditLogEntry,
 		visibility auditV1.Visibility,
 		routingIdentifier *RoutingIdentifier,
 		objectIdentifier *auditV1.ObjectIdentifier,
@@ -114,6 +114,9 @@ type CloudEvent struct {
 	// The object type (i.e. the fully qualified protobuf type name)
 	dataType string
 
+	// The identifier of the referring object.
+	subject string
+
 	// The serialized payload
 	data []byte
 }

audit/api/api_common.go

@@ -50,7 +50,7 @@ var ErrSerializedPayloadNil = errors.New("serialized payload nil")
 
 func validateAndSerializePartially(
 	validator *ProtobufValidator,
-	event *auditV1.AuditEvent,
+	event *auditV1.AuditLogEntry,
 	visibility auditV1.Visibility,
 	routingIdentifier *RoutingIdentifier,
 	objectIdentifier *auditV1.ObjectIdentifier,
@@ -162,6 +162,7 @@ func send(
 	applicationAttributes["cloudEvents:time"] = cloudEvent.time.UnixMilli()
 	applicationAttributes["cloudEvents:datacontenttype"] = cloudEvent.dataContentType
 	applicationAttributes["cloudEvents:type"] = cloudEvent.dataType
+	applicationAttributes["cloudEvents:subject"] = cloudEvent.subject
 
 	return (*messagingApi).Send(
 		ctx,

audit/api/api_legacy.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"github.com/google/uuid"
+	"net/url"
 	"time"
 
 	"dev.azure.com/schwarzit/schwarzit.stackit-core-platform/common-audit.git/audit/messaging"
@@ -68,7 +69,7 @@ func NewLegacyAuditApi(
 // Log implements AuditApi.Log
 func (a *LegacyAuditApi) Log(
 	ctx context.Context,
-	event *auditV1.AuditEvent,
+	event *auditV1.AuditLogEntry,
 	visibility auditV1.Visibility,
 	routingIdentifier *RoutingIdentifier,
 	objectIdentifier *auditV1.ObjectIdentifier,
@@ -85,7 +86,7 @@ func (a *LegacyAuditApi) Log(
 // ValidateAndSerialize implements AuditApi.ValidateAndSerialize.
 // It serializes the event into the byte representation of the legacy audit log system.
 func (a *LegacyAuditApi) ValidateAndSerialize(
-	event *auditV1.AuditEvent,
+	event *auditV1.AuditLogEntry,
 	visibility auditV1.Visibility,
 	routingIdentifier *RoutingIdentifier,
 	objectIdentifier *auditV1.ObjectIdentifier,
@@ -109,13 +110,16 @@ func (a *LegacyAuditApi) ValidateAndSerialize(
 	}
 
 	message := CloudEvent{
-		specVersion:     "1.0",
+		specVersion: "1.0",
-		source:          event.EventSource,
+		source:      event.ProtoPayload.ServiceName,
+		// TODO what is the correct id?
 		id:              uuid.NewString(),
-		time:            event.EventTimeStamp.AsTime(),
+		time:            event.ProtoPayload.RequestMetadata.RequestAttributes.Time.AsTime(),
 		dataContentType: "application/cloudevents+protobuf",
 		dataType:        fmt.Sprintf("%v", routableEvent.ProtoReflect().Descriptor().FullName()),
-		data:            legacyBytes,
+		// TODO check if this is correct
+		subject: event.ProtoPayload.ResourceName,
+		data:    legacyBytes,
 	}
 	return &message, nil
 }
@@ -132,7 +136,7 @@ func (a *LegacyAuditApi) Send(
 
 // convertAndSerializeIntoLegacyFormat converts the protobuf events into the json serialized legacy audit log format
 func (a *LegacyAuditApi) convertAndSerializeIntoLegacyFormat(
-	event *auditV1.AuditEvent,
+	event *auditV1.AuditLogEntry,
 	routableEvent *auditV1.RoutableAuditEvent,
 ) ([]byte, error) {
 
@@ -152,45 +156,53 @@ func (a *LegacyAuditApi) convertAndSerializeIntoLegacyFormat(
 	if len(event.ProtoPayload.AuthenticationInfo.ServiceAccountDelegationInfo) > 0 {
 		var principals []LegacyAuditEventPrincipal
 		for _, principal := range event.ProtoPayload.AuthenticationInfo.ServiceAccountDelegationInfo {
-			if principal != nil {
+			switch principalValue := principal.Authority.(type) {
-				p := LegacyAuditEventPrincipal{
+			case *auditV1.ServiceAccountDelegationInfo_IdpPrincipal_:
-					Id:    principal.GetFirstPartyPrincipal().Id,
+				principals = append(principals, LegacyAuditEventPrincipal{
-					Email: &principal.GetFirstPartyPrincipal().PrincipalEmail,
+					Id:    principalValue.IdpPrincipal.PrincipalId,
-				}
+					Email: principalValue.IdpPrincipal.PrincipalEmail,
-				principals = append(principals, p)
+				})
+			case *auditV1.ServiceAccountDelegationInfo_SystemPrincipal_:
+				principals = append(principals, LegacyAuditEventPrincipal{
+					Id: "system",
+				})
+
 			}
 		}
 		serviceAccountDelegationInfo = &LegacyAuditEventServiceAccountDelegationInfo{Principals: principals}
 	}
 
-	// Request
 	var request LegacyAuditEventRequest
-	if event.Request == nil {
+	if event.ProtoPayload.RequestMetadata.RequestAttributes == nil {
 		request = LegacyAuditEventRequest{
 			Endpoint: "none",
 		}
 	} else {
 		var parameters map[string]interface{} = nil
-		if event.Request.Parameters != nil {
+		if event.ProtoPayload.RequestMetadata.RequestAttributes.Path != "" && event.ProtoPayload.RequestMetadata.RequestAttributes.Query != "" {
-			parameters = event.Request.Parameters.AsMap()
+			parsedUrl, err := url.Parse(fmt.Sprintf("%s?%s", event.ProtoPayload.RequestMetadata.RequestAttributes.Path, event.ProtoPayload.RequestMetadata.RequestAttributes.Query))
+			if err != nil {
+				return nil, err
+			}
+			for k, v := range parsedUrl.Query() {
+				parameters[k] = v
+			}
 		}
 
 		var body map[string]interface{} = nil
-		if event.Request.Body != nil {
+		if event.ProtoPayload.Request != nil {
-			body = event.Request.Body.AsMap()
+			body = event.ProtoPayload.Request.AsMap()
 		}
 		var headers map[string]interface{} = nil
-		if event.Request.Headers != nil {
+		if event.ProtoPayload.RequestMetadata.RequestAttributes.Headers != nil {
 			headers = map[string]interface{}{}
-			for _, header := range event.Request.Headers {
+			for key, value := range event.ProtoPayload.RequestMetadata.RequestAttributes.Headers {
-				if header != nil {
+				headers[key] = value
-					headers[header.Key] = header.Value
-				}
 			}
 		}
 
 		request = LegacyAuditEventRequest{
-			Endpoint:   event.Request.Endpoint,
+			Endpoint:   event.ProtoPayload.RequestMetadata.RequestAttributes.Path,
 			Parameters: &parameters,
 			Body:       &body,
 			Headers:    &headers,
@@ -205,7 +217,7 @@ func (a *LegacyAuditApi) convertAndSerializeIntoLegacyFormat(
 		eventType = "ADMIN_ACTIVITY"
 		if ref.ObjectIdentifier.Type == auditV1.ObjectType_OBJECT_TYPE_ORGANIZATION {
 			messageContext = &LegacyAuditEventContext{
-				OrganizationId: nil,
+				OrganizationId: &ref.ObjectIdentifier.Identifier,
 				FolderId:       nil,
 				ProjectId:      nil,
 			}
@@ -213,14 +225,14 @@ func (a *LegacyAuditApi) convertAndSerializeIntoLegacyFormat(
 		} else if ref.ObjectIdentifier.Type == auditV1.ObjectType_OBJECT_TYPE_FOLDER {
 			messageContext = &LegacyAuditEventContext{
 				OrganizationId: nil,
-				FolderId:       nil,
+				FolderId:       &ref.ObjectIdentifier.Identifier,
 				ProjectId:      nil,
 			}
 		} else if ref.ObjectIdentifier.Type == auditV1.ObjectType_OBJECT_TYPE_PROJECT {
 			messageContext = &LegacyAuditEventContext{
 				OrganizationId: nil,
 				FolderId:       nil,
-				ProjectId:      nil,
+				ProjectId:      &ref.ObjectIdentifier.Identifier,
 			}
 		} else {
 			return nil, ErrUnsupportedObjectIdentifierType
@@ -233,36 +245,30 @@ func (a *LegacyAuditApi) convertAndSerializeIntoLegacyFormat(
 	}
 
 	// Details
-	var details map[string]interface{} = nil
+	var details = event.ProtoPayload.Request.AsMap()
-	if event.Details != nil {
-		details = event.Details.AsMap()
-	}
 
 	// Result
-	var result map[string]interface{} = nil
+	var result = event.ProtoPayload.Response.AsMap()
-	if event.Result != nil {
-		result = event.Result.AsMap()
-	}
 
 	// Instantiate the legacy event - missing values are filled with defaults
 	legacyAuditEvent := LegacyAuditEvent{
 		Severity:        "INFO",
 		Visibility:      routableEvent.Visibility.String(),
 		EventType:       eventType,
-		EventTimeStamp:  event.EventTimeStamp.AsTime(),
+		EventTimeStamp:  event.ProtoPayload.RequestMetadata.RequestAttributes.Time.AsTime(),
-		EventName:       event.EventName,
+		EventName:       event.LogName,
 		SourceIpAddress: sourceIpAddress,
 		UserAgent:       userAgent,
 		Initiator: LegacyAuditEventPrincipal{
-			Id:    event.Initiator.Id,
+			Id:    event.ProtoPayload.AuthenticationInfo.PrincipalId,
-			Email: event.Initiator.Email,
+			Email: &event.ProtoPayload.AuthenticationInfo.PrincipalEmail,
 		},
 		ServiceAccountDelegationInfo: serviceAccountDelegationInfo,
 		Request:                      request,
 		Context:                      messageContext,
-		ResourceId:                   event.ResourceId,
+		ResourceId:                   &event.LogName,
-		ResourceName:                 event.ResourceName,
+		ResourceName:                 &event.ProtoPayload.ResourceName,
-		CorrelationId:                event.CorrelationId,
+		CorrelationId:                &event.CorrelationId,
 		Result:                       &result,
 		Details:                      &details,
 	}

audit/api/api_mock.go

@@ -30,7 +30,7 @@ func NewMockAuditApi() (*AuditApi, error) {
 // Validates and serializes the event but doesn't send it.
 func (a *MockAuditApi) Log(
 	_ context.Context,
-	event *auditV1.AuditEvent,
+	event *auditV1.AuditLogEntry,
 	visibility auditV1.Visibility,
 	routingIdentifier *RoutingIdentifier,
 	objectIdentifier *auditV1.ObjectIdentifier,
@@ -42,7 +42,7 @@ func (a *MockAuditApi) Log(
 
 // ValidateAndSerialize implements AuditApi.ValidateAndSerialize
 func (a *MockAuditApi) ValidateAndSerialize(
-	event *auditV1.AuditEvent,
+	event *auditV1.AuditLogEntry,
 	visibility auditV1.Visibility,
 	routingIdentifier *RoutingIdentifier,
 	objectIdentifier *auditV1.ObjectIdentifier,
@@ -59,13 +59,16 @@ func (a *MockAuditApi) ValidateAndSerialize(
 	}
 
 	message := CloudEvent{
-		specVersion:     "1.0",
+		specVersion: "1.0",
-		source:          event.EventSource,
+		source:      event.ProtoPayload.ServiceName,
+		// TODO what is the correct id?
 		id:              uuid.NewString(),
-		time:            event.EventTimeStamp.AsTime(),
+		time:            event.ProtoPayload.RequestMetadata.RequestAttributes.Time.AsTime(),
 		dataContentType: "application/cloudevents+protobuf",
 		dataType:        fmt.Sprintf("%v", routableEvent.ProtoReflect().Descriptor().FullName()),
-		data:            routableEventBytes,
+		// TODO check if this is correct
+		subject: event.ProtoPayload.ResourceName,
+		data:    routableEventBytes,
 	}
 
 	return &message, nil

audit/api/api_routable.go

@@ -84,7 +84,7 @@ func newRoutableAuditApi(
 // Log implements AuditApi.Log
 func (a *routableAuditApi) Log(
 	ctx context.Context,
-	event *auditV1.AuditEvent,
+	event *auditV1.AuditLogEntry,
 	visibility auditV1.Visibility,
 	routingIdentifier *RoutingIdentifier,
 	objectIdentifier *auditV1.ObjectIdentifier,
@@ -100,7 +100,7 @@ func (a *routableAuditApi) Log(
 
 // ValidateAndSerialize implements AuditApi.ValidateAndSerialize
 func (a *routableAuditApi) ValidateAndSerialize(
-	event *auditV1.AuditEvent,
+	event *auditV1.AuditLogEntry,
 	visibility auditV1.Visibility,
 	routingIdentifier *RoutingIdentifier,
 	objectIdentifier *auditV1.ObjectIdentifier,
@@ -123,13 +123,16 @@ func (a *routableAuditApi) ValidateAndSerialize(
 	}
 
 	message := CloudEvent{
-		specVersion:     "1.0",
+		specVersion: "1.0",
-		source:          event.EventSource,
+		source:      event.ProtoPayload.ServiceName,
+		// TODO what is the correct id?
 		id:              uuid.NewString(),
-		time:            event.EventTimeStamp.AsTime(),
+		time:            event.ProtoPayload.RequestMetadata.RequestAttributes.Time.AsTime(),
 		dataContentType: "application/cloudevents+protobuf",
 		dataType:        fmt.Sprintf("%v", routableEvent.ProtoReflect().Descriptor().FullName()),
-		data:            routableEventBytes,
+		// TODO check if this is correct
+		subject: event.ProtoPayload.ResourceName,
+		data:    routableEventBytes,
 	}
 
 	return &message, nil

audit/api/test_data.go

@@ -13,16 +13,16 @@ import (
 
 func NewOrganizationAuditEvent(
 	customization *func(
-		*auditV1.AuditEvent,
+		*auditV1.AuditLogEntry,
 		*RoutingIdentifier,
 		*auditV1.ObjectIdentifier,
 	)) (
-	*auditV1.AuditEvent,
+	*auditV1.AuditLogEntry,
 	*RoutingIdentifier,
 	*auditV1.ObjectIdentifier,
 ) {
 
-	auditEvent := &auditV1.AuditEvent{
+	auditEvent := &auditV1.AuditLogEntry{
 		EventSource:    "resource-manager",
 		Region:         auditV1.Region_REGION_EU01,
 		SequenceNumber: wrapperspb.Int64(0),
@@ -53,10 +53,10 @@ func NewOrganizationAuditEvent(
 	return auditEvent, routingIdentifier, objectIdentifier
 }
 
-func NewOrganizationAuditEventWithDetails() (*auditV1.AuditEvent,
+func NewOrganizationAuditEventWithDetails() (*auditV1.AuditLogEntry,
 	*RoutingIdentifier,
 	*auditV1.ObjectIdentifier) {
-	customization := func(event *auditV1.AuditEvent,
+	customization := func(event *auditV1.AuditLogEntry,
 		routingIdentifier *RoutingIdentifier,
 		objectIdentifier *auditV1.ObjectIdentifier) {
 		userAgent := "firefox"
@@ -100,16 +100,16 @@ func NewOrganizationAuditEventWithDetails() (*auditV1.AuditEvent,
 
 func NewFolderAuditEvent(
 	customization *func(
-		*auditV1.AuditEvent,
+		*auditV1.AuditLogEntry,
 		*RoutingIdentifier,
 		*auditV1.ObjectIdentifier,
 	)) (
-	*auditV1.AuditEvent,
+	*auditV1.AuditLogEntry,
 	*RoutingIdentifier,
 	*auditV1.ObjectIdentifier,
 ) {
 
-	auditEvent := &auditV1.AuditEvent{
+	auditEvent := &auditV1.AuditLogEntry{
 		EventSource:    "resource-manager",
 		Region:         auditV1.Region_REGION_EU01,
 		SequenceNumber: wrapperspb.Int64(0),
@@ -141,16 +141,16 @@ func NewFolderAuditEvent(
 
 func NewProjectAuditEvent(
 	customization *func(
-		*auditV1.AuditEvent,
+		*auditV1.AuditLogEntry,
 		*RoutingIdentifier,
 		*auditV1.ObjectIdentifier,
 	)) (
-	*auditV1.AuditEvent,
+	*auditV1.AuditLogEntry,
 	*RoutingIdentifier,
 	*auditV1.ObjectIdentifier,
 ) {
 
-	auditEvent := &auditV1.AuditEvent{
+	auditEvent := &auditV1.AuditLogEntry{
 		EventSource:    "resource-manager",
 		Region:         auditV1.Region_REGION_EU01,
 		SequenceNumber: wrapperspb.Int64(0),
@@ -182,9 +182,9 @@ func NewProjectAuditEvent(
 }
 
 func NewSystemAuditEvent(
-	customization *func(*auditV1.AuditEvent)) *auditV1.AuditEvent {
+	customization *func(*auditV1.AuditLogEntry)) *auditV1.AuditLogEntry {
 
-	auditEvent := &auditV1.AuditEvent{
+	auditEvent := &auditV1.AuditLogEntry{
 		EventSource:    "resource-manager",
 		Region:         auditV1.Region_REGION_EU01,
 		SequenceNumber: wrapperspb.Int64(0),

proto/audit/v1/audit_event.proto

@@ -14,99 +14,55 @@ option java_multiple_files = true;
 option java_package = "com.schwarz.stackit.audit.v1";
 
 // TODO update numbers of elements in messages
+// TODO decide which fields should be optional
 
 // The audit log entry can be used to record an incident in the audit log.
 message AuditLogEntry {
 
   // The resource name of the log to which this log entry belongs.
+  // Example: projects/<identifier>/logs/<eventType>
   string log_name = 12;
 
-  // The monitored resource that produced this log entry.
-  //
-  // Example: a log entry that reports a database error would be associated with
-  // the monitored resource designating the particular database that reported
-  // the error.
-  MonitoredResource resource = 8;
-
   // The log entry payload, which is always an AuditLog for STACKIT Audit Log events.
   AuditLog proto_payload = 2;
 
+  // TODO can we specify how the format should look like?
+  // TODO Encode sequence number into it?
+  // https://softwaremind.com/blog/the-unique-features-of-snowflake-id-and-its-comparison-to-uuid/
   // A unique identifier for the log entry.
+  // Is generated and set by the SDK.
+  // Format:
+  // <timestamp>/<region>/<worker-id>/<sequence-number>
   string insert_id = 4;
 
   // A set of user-defined (key, value) data that provides additional
   // information about the log entry.
   map<string, string> labels = 11;
 
-  // Information about an operation associated with the log entry, if applicable.
+  // Correlate multiple audit logs by setting the same id
-  LogEntryOperation operation = 15;
+  string correlation_id = 15;
 
   // The time the event described by the log entry occurred.
   google.protobuf.Timestamp timestamp = 9;
 
-  // TODO do we need it? where will we set it?
-  // The time the log entry was received by Logging.
-  google.protobuf.Timestamp receive_timestamp = 24;
-
   // The severity of the log entry.
   LogSeverity severity = 10;
 
-  // TODO check example
+  // W3C conform trace parent header:
-  // Resource name of the trace associated with the log entry, if any. It
+  // https://www.w3.org/TR/trace-context/#traceparent-header
-  // contains a relative resource name. Example:
-  // `projects/my-projectid/traces/06796866738c859f2f19b7cfb3214824`
-  string trace = 22;
-
-  // TODO check format and description
-  // The span ID within the trace associated with the log entry, if any.
   //
-  // For Trace spans, this is the same format that the Trace API v2 uses: a
+  // Example:
-  // 16-character hexadecimal encoding of an 8-byte array, such as
+  // `00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01`
-  // `000000000000004a`.
+  string trace_parent = 22;
-  string span_id = 27;
 
-  // Information indicating this log entry is part of a sequence of multiple logs
+  // W3C conform trace state header:
-  // split from a single log entry.
+  // https://www.w3.org/TR/trace-context/#tracestate-header
-  LogSplit split = 35;
+  //
+  // Example:
+  // `rojo=00f067aa0ba902b7,congo=t61rcWkgMzE`.
+  string trace_state = 27;
 }
 
-// An object representing a resource that can be used for monitoring, logging,
-// billing, or other purposes.
-message MonitoredResource {
-
-  // Required. The monitored resource type. For example, the type of a
-  // STACKIT Server instance is `gce_instance`.
-  string type = 1;
-
-  // TODO check the label values
-  // Values for all of the labels listed in the associated monitored
-  // resource descriptor. For example, STACKIT Server instances use the
-  // labels `"project_id"`, `"instance_id"`, and `"zone"`.
-  map<string, string> labels = 2;
-}
-
-// Additional information about a potentially long-running operation with which
-// a log entry is associated.
-message LogEntryOperation {
-
-  // An arbitrary operation identifier. Log entries with the same
-  // identifier are assumed to be part of the same operation.
-  string id = 1;
-
-  // TODO check examples
-  // An arbitrary producer identifier. The combination of `id` and
-  // `producer` must be globally unique. Examples for `producer`:
-  // `"MyDivision.MyBigCompany.com"`, `"github.com/MyProject/MyApplication"`.
-  string producer = 2;
-
-  // True if this is the first log entry in the operation.
-  bool first = 3;
-
-  // True if this is the last log entry in the operation.
-  bool last = 4;
-}
-
-// TODO check description and levels
 // The severity of the event described in a log entry, expressed as one of the
 // standard severity levels listed below.  For your reference, the levels are
 // assigned the listed numeric values. The effect of using numeric values other
@@ -144,56 +100,34 @@ enum LogSeverity {
   EMERGENCY = 800;
 }
 
-// TODO check description
 // Common audit log format for STACKIT API operations.
-// Copied from
-// https://github.com/googleapis/googleapis/blob/master/google/cloud/audit/audit_log.proto,
-// but changing service_data from Any to Struct.
 message AuditLog {
 
-  // TODO check example
   // The name of the API service performing the operation. For example,
-  // `"datastore.googleapis.com"`.
+  // `"resource-manager"`.
   string service_name = 7;
 
-  // TODO check example
+  // TODO: Add extra field to open api spec for the method_name
   // The name of the service method or operation.
-  // For API calls, this should be the name of the API method.
+  // The format should is:
+  // stackit.<product>.<version>.<object>.<operation>
+  //
   // For example,
   //
-  //     "google.datastore.v1.Datastore.RunQuery"
+  //     "stackit.resourcemanager.v1.organization.created"
-  //     "google.logging.v1.LoggingService.DeleteLog"
+  //     "stackit.authorization.v2.organization.moved"
-  string method_name = 8;
+  //     "stackit.authorization.v2.folder.moved"
+  optional string method_name = 8;
 
-  // TODO check example
   // The resource or collection that is the target of the operation.
   // The name is a scheme-less URI, not including the API service name.
   // For example:
   //
-  //     "shelves/SHELF_ID/books"
+  //     "projects/<id>/zones/<region-zone>/vms/<vm-id>"
-  //     "shelves/SHELF_ID/books/BOOK_ID"
+  //     "projects/<id>/zones/<region-zone>/vms/<vm-id>/ports/<port-id>"
+  //     "projects/<id>/zones/<region-zone>/instances/instance-20240723-184227
   string resource_name = 11;
 
-  // The resource location information.
-  ResourceLocation resource_location = 20;
-
-  // TODO check what's meant with @type property
-  // The resource's original state before mutation. Present only for
-  // operations which have successfully modified the targeted resource(s).
-  // In general, this field should contain all changed fields, except those
-  // that are already been included in `request`, `response`, `metadata` or
-  // `service_data` fields.
-  // When the JSON object represented here has a proto equivalent,
-  // the proto name will be indicated in the `@type` property.
-  google.protobuf.Struct resource_original_state = 19;
-
-  // The number of items returned from a List or Query API method,
-  // if applicable.
-  int64 num_response_items = 12;
-
-  // The status of the overall operation.
-  RpcStatus status = 2;
-
   // Authentication information.
   AuthenticationInfo authentication_info = 3;
 
@@ -205,22 +139,22 @@ message AuditLog {
   // Metadata about the operation.
   RequestMetadata request_metadata = 4;
 
-  // TODO check what's meant with @type property
   // The operation request. This may not include all request parameters,
   // such as those that are too large, privacy-sensitive, or duplicated
   // elsewhere in the log record.
   // It should never include user-generated data, such as file contents.
-  // When the JSON object represented here has a proto equivalent, the proto
-  // name will be indicated in the `@type` property.
   google.protobuf.Struct request = 16;
 
-  // TODO check what's meant with @type property
+  // The status of the overall operation.
+  ResponseStatus status = 2;
+
+  // The number of items returned from a List or Query API method,
+  // if applicable.
+  optional int64 num_response_items = 12;
+
   // The operation response. This may not include all response elements,
   // such as those that are too large, privacy-sensitive, or duplicated
   // elsewhere in the log record.
-  // It should never include user-generated data, such as file contents.
-  // When the JSON object represented here has a proto equivalent, the proto
-  // name will be indicated in the `@type` property.
   google.protobuf.Struct response = 17;
 
   // Other service-specific data about the request, response, and other
@@ -231,33 +165,18 @@ message AuditLog {
 // Authentication information for the operation.
 message AuthenticationInfo {
 
-  // TODO check description - do we need the id as well?
+  // Principal id
-  // The email address of the authenticated user (or service account on behalf
+  string principal_id = 1;
-  // of third party principal) making the request. For third party identity
-  // callers, the `principal_subject` field is populated instead of this field.
-  // For privacy reasons, the principal email address is sometimes redacted.
-  // For more information, see [Caller identities in audit
-  // logs](https://cloud.google.com/logging/docs/audit#user-id).
-  string principal_email = 1;
 
-  // The authority selector specified by the requestor, if any.
+  // The email address of the authenticated user
-  // It is not guaranteed that the principal was allowed to use this authority.
+  string principal_email = 2;
-  string authority_selector = 2;
 
-  // TODO check @type
+  // The name of the service account used to create or exchange
-  // The third party identification (if any) of the authenticated user making
-  // the request.
-  // When the JSON object represented here has a proto equivalent, the proto
-  // name will be indicated in the `@type` property.
-  google.protobuf.Struct third_party_principal = 4;
-
-  // TODO check example
-  // The name of the service account key used to create or exchange
   // credentials for authenticating the service account making the request.
-  // This is a scheme-less URI full resource name. For example:
+  // Example:
   //
-  // "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}"
+  // "projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}"
-  string service_account_key_name = 5;
+  optional string service_account_name = 5;
 
   // Identity delegation history of an authenticated service account that makes
   // the request. It contains information on the real authorities that try to
@@ -265,19 +184,16 @@ message AuthenticationInfo {
   // authorities present, they are guaranteed to be sorted based on the original
   // ordering of the identity delegation events.
   repeated ServiceAccountDelegationInfo service_account_delegation_info = 6;
-
-  // String representation of identity of requesting party.
-  // Populated for both first and third party identities.
-  string principal_subject = 8;
 }
 
 // Authorization information for the operation.
 message AuthorizationInfo {
 
-  // TODO check example
+  // The resource being accessed, as a REST-style string.
-  // The resource being accessed, as a REST-style string. For example:
   //
-  //     bigquery.googleapis.com/projects/PROJECTID/datasets/DATASETID
+  // For example:
+  //     Project scoped resource: projects/test-project-123/zones/us-central1-b/instances/instance-20240723-174217
+  //     Global Resource: projects/_/buckets/adfeaf
   string resource = 1;
 
   // The required IAM permission.
@@ -286,14 +202,6 @@ message AuthorizationInfo {
   // Whether or not authorization for `resource` and `permission`
   // was granted.
   bool granted = 3;
-
-  // Resource attributes used in IAM condition evaluation. This field contains
-  // resource attributes like resource type and resource name.
-  //
-  // To get the whole view of the attributes used in IAM
-  // condition evaluation, the user must also look into
-  // `AuditLog.request_metadata.request_attributes`.
-  AttributeContext.Resource resource_attributes = 5;
 }
 
 // TODO check description
@@ -316,32 +224,6 @@ message AuthorizationInfo {
 // a system.
 message AttributeContext {
 
-  // This message defines attributes for a node that handles a network request.
-  // The node can be either a service or an application that sends, forwards,
-  // or receives the request. Service peers should fill in
-  // `principal` and `labels` as appropriate.
-  message Peer {
-
-    // The IP address of the peer.
-    string ip = 1;
-
-    // The network port of the peer.
-    int64 port = 2;
-
-    // The labels associated with the peer.
-    map<string, string> labels = 6;
-
-    // The identity of this peer. Similar to `Request.auth.principal`, but
-    // relative to the peer instead of the request. For example, the
-    // identity associated with a load balancer that forwarded the request.
-    string principal = 7;
-
-    // The CLDR country/region code associated with the above IP address.
-    // If the IP address is private, the `region_code` should reflect the
-    // physical location where this peer is running.
-    string region_code = 8;
-  }
-
   // This message defines request authentication attributes. Terminology is
   // based on the JSON Web Token (JWT) standard, but the terms also
   // correlate to concepts in other standards.
@@ -396,16 +278,6 @@ message AttributeContext {
     // SAML assertions are similarly specified, but with an identity provider
     // dependent structure.
     google.protobuf.Struct claims = 4;
-
-    // TODO check description
-    // A list of access level resource names that allow resources to be
-    // accessed by authenticated requester. It is part of Secure GCP processing
-    // for the incoming request. An access level string has the format:
-    // "//{api_service_name}/accessPolicies/{policy_id}/accessLevels/{short_name}"
-    //
-    // Example:
-    // "//accesscontextmanager.googleapis.com/accessPolicies/MY_POLICY_ID/accessLevels/MY_LEVEL"
-    repeated string access_levels = 5;
   }
 
   // This message defines attributes for an HTTP request. If the actual
@@ -443,19 +315,12 @@ message AttributeContext {
     // the request.
     google.protobuf.Timestamp time = 9;
 
-    // The HTTP request size in bytes. If unknown, it must be -1.
-    int64 size = 10;
-
     // The network protocol used with the request, such as "http/1.1",
     // "spdy/3", "h2", "h2c", "webrtc", "tcp", "udp", "quic". See
     // https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
     // for details.
     string protocol = 11;
 
-    // A special parameter for request reason. It is used by security systems
-    // to associate auditing information with a request.
-    string reason = 12;
-
     // The request authentication. May be absent for unauthenticated requests.
     // Derived from the HTTP request `Authorization` header or equivalent.
     Auth auth = 13;
@@ -480,60 +345,15 @@ message AttributeContext {
     // the response.
     google.protobuf.Timestamp time = 4;
   }
-
-  // This message defines core attributes for a resource. A resource is an
-  // addressable (named) entity provided by the destination service. For
-  // example, a file stored on a network storage service.
-  message Resource {
-
-    // TODO check description
-    // The name of the service that this resource belongs to, such as
-    // `pubsub.googleapis.com`. The service may be different from the DNS
-    // hostname that actually serves the request.
-    string service = 1;
-
-    // TODO check description
-    // The stable identifier (name) of a resource on the `service`. A resource
-    // can be logically identified as "//{resource.service}/{resource.name}".
-    // The differences between a resource name and a URI are:
-    //
-    // *   Resource name is a logical identifier, independent of network
-    //     protocol and API version. For example,
-    //     `//pubsub.googleapis.com/projects/123/topics/news-feed`.
-    // *   URI often includes protocol and version information, so it can
-    //     be used directly by applications. For example,
-    //     `https://pubsub.googleapis.com/v1/projects/123/topics/news-feed`.
-    //
-    // See https://cloud.google.com/apis/design/resource_names for details.
-    string name = 2;
-
-    // TODO check description
-    // The type of the resource. The syntax is platform-specific because
-    // different platforms define their resources differently.
-    //
-    // For Google APIs, the type format must be "{service}/{kind}".
-    string type = 3;
-
-    // TODO check description (AWS)
-    // The labels or tags on the resource, such as AWS resource tags and
-    // Kubernetes resource labels.
-    map<string, string> labels = 4;
-  }
 }
 
 // Metadata about the request.
 message RequestMetadata {
 
-  // TODO check description
   // The IP address of the caller.
   // For caller from internet, this will be public IPv4 or IPv6 address.
-  // For caller from a Compute Engine VM with external IP address, this
+  // For caller from a VM / K8s Service / etc, this
-  // will be the VM's external IP address. For caller from a Compute
+  // will be the SIT proxy's IPv4 address.
-  // Engine VM without external IP address, if the VM is in the same
-  // organization (or project) as the accessed resource, `caller_ip` will
-  // be the VM's internal IPv4 address, otherwise the `caller_ip` will be
-  // redacted to "gce-internal-ip".
-  // See https://cloud.google.com/compute/docs/vpc/ for more information.
   string caller_ip = 1;
 
   // TODO check description
@@ -550,16 +370,6 @@ message RequestMetadata {
   //     The request was made from the `my-project` App Engine app.
   string caller_supplied_user_agent = 2;
 
-  // TODO check description
-  // The network of the caller.
-  // Set only if the network host project is part of the same GCP organization
-  // (or project) as the accessed resource.
-  // See https://cloud.google.com/compute/docs/vpc/ for more information.
-  // This is a scheme-less URI full resource name. For example:
-  //
-  //     "//compute.googleapis.com/projects/PROJECT_ID/global/networks/NETWORK_ID"
-  string caller_network = 3;
-
   // TODO check description
   // Request attributes used in IAM condition evaluation. This field contains
   // request attributes like request time and access levels associated with
@@ -569,93 +379,47 @@ message RequestMetadata {
   // condition evaluation, the user must also look into
   // `AuditLog.authentication_info.resource_attributes`.
   AttributeContext.Request request_attributes = 7;
-
-  // TODO check description
-  // The destination of a network activity, such as accepting a TCP connection.
-  // In a multi hop network activity, the destination represents the receiver of
-  // the last hop. Only two fields are used in this message, Peer.port and
-  // Peer.ip. These fields are optionally populated by those services utilizing
-  // the IAM condition feature.
-  AttributeContext.Peer destination_attributes = 8;
 }
 
-// Location information about a resource.
-message ResourceLocation {
-
-  // The locations of a resource after the execution of the operation.
-  // Requests to create or delete a location based resource must populate
-  // the 'current_locations' field and not the 'original_locations' field.
-  // For example:
-  //
-  //     "eu01"
-  repeated string current_locations = 1;
-
-  // The locations of a resource prior to the execution of the operation.
-  // Requests that mutate the resource's location must populate both the
-  // 'original_locations' as well as the 'current_locations' fields.
-  // For example:
-  //
-  //     "eu01"
-  repeated string original_locations = 2;
-}
-
-// TODO check description
 // The `Status` type defines a logical error model that is suitable for
-// different programming environments, including REST APIs and RPC APIs. It is
+// different programming environments, including REST APIs and RPC APIs.
-// used by [gRPC](https://github.com/grpc). Each `Status` message contains
+// Each `ResponseStatus` message contains three pieces of data:
-// three pieces of data: error code, error message, and error details.
+// error code, error message, and error details.
-//
+message ResponseStatus {
-// You can find out more about this error model and how to work with it in the
-// [API Design Guide](https://cloud.google.com/apis/design/errors).
-message RpcStatus {
 
-  // TODO check description
+  // The http or gRPC status code.
-  // The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].
   int32 code = 1;
 
-  // A developer-facing error message, which should be in English. Any
+  // Short description of the error
-  // user-facing error message should be localized and sent in the
-  // RpcStatus.details field, or localized by the client.
   string message = 2;
 
-  // TODO replace any with something different (e.g. struct) and update description
+  // Error details
-  // A list of messages that carry the error details.  There is a common set of
+  repeated google.protobuf.Struct details = 3;
-  // message types for APIs to use.
-  repeated google.protobuf.Any details = 3;
 }
 
 // Identity delegation history of an authenticated service account.
 message ServiceAccountDelegationInfo {
 
-  // TODO Introduce but check if needed
+  // Anonymous system principal to be used when no user identity is available.
   message SystemPrincipal {
 
     // Metadata about the service that uses the service account.
     google.protobuf.Struct service_metadata = 3;
   }
 
-  // First party identity principal.
+  // STACKIT idp principal.
-  message FirstPartyPrincipal {
+  message IdpPrincipal {
 
-    // TODO was added - check if correct
     // STACKIT principal id
-    string id = 1;
+    string principal_id = 1;
 
-    // The email address
+    // Optional email address
     optional string principal_email = 2;
 
     // Metadata about the service that uses the service account.
     google.protobuf.Struct service_metadata = 3;
   }
 
-  // TODO check if needed
-  // Third party identity principal.
-  message ThirdPartyPrincipal {
-
-    // Metadata about third party identity.
-    google.protobuf.Struct third_party_claims = 1;
-  }
-
   // Entity that creates credentials for service account and assumes its
   // identity for authentication.
   oneof Authority {
@@ -663,28 +427,7 @@ message ServiceAccountDelegationInfo {
     // System identity
     SystemPrincipal system_principal = 1;
 
-    // First party (STACKIT) identity as the real authority.
+    // STACKIT IDP identity
-    FirstPartyPrincipal first_party_principal = 2;
+    IdpPrincipal idp_principal = 2;
-
-    // Third party identity as the real authority.
-    ThirdPartyPrincipal third_party_principal = 3;
   }
-}
-
-// Additional information used to correlate multiple LogEntries. Used when a
-// single log entry would exceed the STACKIT logging size limit and is split
-// across multiple entries.
-message LogSplit {
-
-  // A globally unique identifier for all log entries in a sequence of split
-  // logs. All log entries with the same |LogSplit.uid| are assumed to be part of
-  // the same sequence of split logs.
-  string uid = 1;
-
-  // The index of this log entry in the sequence of split logs. Log entries are
-  // given |index| values 0, 1, ..., n-1 for a sequence of n entries.
-  int32 index = 2;
-
-  // The total number of logs that the original log entry was split into.
-  int32 total_splits = 3;
 }