Format protobuf files

Christian Schaible 2024-10-09 11:15:01 +02:00
parent 63ac2962e9
commit a990233715
2 changed files with 54 additions and 75 deletions


@ -1,19 +1,18 @@
syntax = "proto3";
package audit.v1;
import "buf/validate/validate.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
import "google/protobuf/wrappers.proto";
package audit.v1;
option go_package = "./audit;auditV1";
option java_multiple_files = true;
option java_package = "com.schwarz.stackit.audit.v1";
// The audit log entry can be used to record an incident in the audit log.
message AuditLogEntry {
// The resource name of the log to which this log entry belongs.
//
// Format: <pluralType>/<identifier>/logs/<eventType>
@ -34,9 +33,7 @@ message AuditLogEntry {
// The log entry payload, which is always an AuditLog for STACKIT Audit Log events.
//
// Required: true
AuditLog proto_payload = 2 [
(buf.validate.field).required = true
];
AuditLog proto_payload = 2 [(buf.validate.field).required = true];
// A unique identifier for the log entry.
// Is used to check completeness of audit events over time.
@ -53,7 +50,7 @@ message AuditLogEntry {
// "1721899117/eu01/319a7fb9-edd2-46c6-953a-a724bb377c61/8792726390909855142"
//
// Required: true
string insert_id = 3[
string insert_id = 3 [
(buf.validate.field).required = true,
(buf.validate.field).string.pattern = "^[0-9]+/[a-z0-9-]+/[a-z0-9-]+/[0-9]+$"
];
@ -97,9 +94,7 @@ message AuditLogEntry {
// "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01"
//
// Required: false
optional string trace_parent = 8 [
(buf.validate.field).string.pattern = "^[0-9]+-[a-z0-9]+-[a-z0-9]+-[0-9]+$"
];
optional string trace_parent = 8 [(buf.validate.field).string.pattern = "^[0-9]+-[a-z0-9]+-[a-z0-9]+-[0-9]+$"];
// Customer set W3C conform trace state header:
// https://www.w3.org/TR/trace-context/#tracestate-header
@ -116,7 +111,6 @@ message AuditLogEntry {
// The severity of the event described in a log entry, expressed as one of the
// standard severity levels listed below.
enum LogSeverity {
LOG_SEVERITY_UNSPECIFIED = 0;
// (1) The log entry has no assigned severity level.
@ -150,7 +144,6 @@ enum LogSeverity {
// Common audit log format for STACKIT API operations.
message AuditLog {
// The name of the API service performing the operation.
//
// Examples:
@ -202,7 +195,7 @@ message AuditLog {
// "projects/dd7d1807-54e9-4426-8994-721758b5b554/locations/eu01/vms/b6851b4e-7a9d-4973-ab0f-a80a13ee3060/ports/78f8bad4-a291-4fa3-b07f-4a1985d3dbe8"
//
// Required: true
string resource_name = 3[
string resource_name = 3 [
(buf.validate.field).required = true,
(buf.validate.field).string.pattern = "^[a-z]+/[a-z0-9-]+(?:/[a-z0-9-]+/[a-z0-9-_]+)*$",
(buf.validate.field).string.min_len = 1,
@ -212,9 +205,7 @@ message AuditLog {
// Authentication information.
//
// Required: true
AuthenticationInfo authentication_info = 4 [
(buf.validate.field).required = true
];
AuthenticationInfo authentication_info = 4 [(buf.validate.field).required = true];
// Authorization information. If there are multiple resources or permissions involved, then there is
// one AuthorizationInfo element for each {resource, permission} tuple.
@ -225,9 +216,7 @@ message AuditLog {
// Metadata about the operation.
//
// Required: true
RequestMetadata request_metadata = 6 [
(buf.validate.field).required = true
];
RequestMetadata request_metadata = 6 [(buf.validate.field).required = true];
// The operation request. This may not include all request parameters,
// such as those that are too large, privacy-sensitive, or duplicated
@ -240,9 +229,7 @@ message AuditLog {
// The status of the overall operation.
//
// Required: true
ResponseMetadata response_metadata = 8 [
(buf.validate.field).required = true
];
ResponseMetadata response_metadata = 8 [(buf.validate.field).required = true];
// The operation response. This may not include all response elements,
// such as those that are too large, privacy-sensitive, or duplicated
@ -251,7 +238,6 @@ message AuditLog {
// Required: false
optional google.protobuf.Struct response = 9;
// Other service-specific data about the request, response, and other
// information associated with the current audited event.
//
@ -261,7 +247,6 @@ message AuditLog {
// Authentication information for the operation.
message AuthenticationInfo {
// STACKIT principal id
//
// Required: true
@ -289,9 +274,7 @@ message AuthenticationInfo {
// "projects/29b2c56f-f712-4a9c-845b-f0907158e53c/service-accounts/a606dc68-8b97-421b-89a9-116bcbd004df"
//
// Required: false
optional string service_account_name = 3 [
(buf.validate.field).string.pattern = "^[a-z-]+/[a-z0-9-]+/service-accounts/[a-z0-9-]+$"
];
optional string service_account_name = 3 [(buf.validate.field).string.pattern = "^[a-z-]+/[a-z0-9-]+/service-accounts/[a-z0-9-]+$"];
// Identity delegation history of an authenticated service account that makes
// the request. It contains information on the real authorities that try to
@ -305,7 +288,6 @@ message AuthenticationInfo {
// Authorization information for the operation.
message AuthorizationInfo {
// The resource being accessed, as a REST-style string.
//
// Format: <pluralType>/<id>[/<details>]
@ -332,9 +314,7 @@ message AuthorizationInfo {
// "resourcemanager.project.edit"
//
// Required: false
optional string permission = 2 [
(buf.validate.field).string.pattern = "^[a-z-]+(?:\\.[a-z-]+)*\\.[a-z-]+$"
];
optional string permission = 2 [(buf.validate.field).string.pattern = "^[a-z-]+(?:\\.[a-z-]+)*\\.[a-z-]+$"];
// IAM permission check result.
//
@ -347,12 +327,10 @@ message AuthorizationInfo {
// An attribute is a piece of metadata that describes an activity on a network
// service.
message AttributeContext {
// This message defines request authentication attributes. Terminology is
// based on the JSON Web Token (JWT) standard, but the terms also
// correlate to concepts in other standards.
message Auth {
// The authenticated principal. Reflects the issuer ("iss") and subject
// ("sub") claims within a JWT.
//
@ -396,9 +374,7 @@ message AttributeContext {
// }
//
// Required: true
google.protobuf.Struct claims = 3 [
(buf.validate.field).required = true
];
google.protobuf.Struct claims = 3 [(buf.validate.field).required = true];
}
enum HttpMethod {
@ -419,7 +395,6 @@ message AttributeContext {
// request is not an HTTP request, the runtime system should try to map
// the actual request to an equivalent HTTP request.
message Request {
// The unique ID for a request, which can be propagated to downstream
// systems. The ID should have low probability of collision
// within a single day for a specific service.
@ -451,9 +426,7 @@ message AttributeContext {
// Internal IP-Addresses have to be removed (e.g. in x-forwarded-xxx headers).
//
// Required: true
map<string, string> headers = 3 [
(buf.validate.field).required = true
];
map<string, string> headers = 3 [(buf.validate.field).required = true];
// The gRPC / HTTP URL path.
//
@ -510,28 +483,21 @@ message AttributeContext {
// The request authentication.
//
// Required: true
Auth auth = 10 [
(buf.validate.field).required = true
];
Auth auth = 10 [(buf.validate.field).required = true];
}
// This message defines attributes for a typical network response. It
// generally models semantics of an HTTP response.
message Response {
// The number of items returned to the client if applicable.
//
// Required: false
optional google.protobuf.Int64Value num_response_items = 1 [
(buf.validate.field).int64.gte = 0
];
optional google.protobuf.Int64Value num_response_items = 1 [(buf.validate.field).int64.gte = 0];
// The HTTP response size in bytes.
//
// Required: false
optional google.protobuf.Int64Value size = 2 [
(buf.validate.field).int64.gte = 0
];
optional google.protobuf.Int64Value size = 2 [(buf.validate.field).int64.gte = 0];
// The HTTP response headers. If multiple headers share the same key, they
// must be merged according to HTTP spec. All header keys must be
@ -553,7 +519,6 @@ message AttributeContext {
// Metadata about the request.
message RequestMetadata {
// The IP address of the caller.
// For caller from internet, this will be public IPv4 or IPv6 address.
// For caller from a VM / K8s Service / etc, this will be the SIT proxy's IPv4 address.
@ -582,14 +547,11 @@ message RequestMetadata {
// This field contains request attributes like request url, time, etc.
//
// Required: true
AttributeContext.Request request_attributes = 3 [
(buf.validate.field).required = true
];
AttributeContext.Request request_attributes = 3 [(buf.validate.field).required = true];
}
// Metadata about the response
message ResponseMetadata {
// The http or gRPC status code.
//
// Examples:
@ -615,17 +577,13 @@ message ResponseMetadata {
// This field contains response attributes like headers, time, etc.
//
// Required: true
AttributeContext.Response response_attributes = 4[
(buf.validate.field).required = true
];
AttributeContext.Response response_attributes = 4 [(buf.validate.field).required = true];
}
// Identity delegation history of an authenticated service account.
message ServiceAccountDelegationInfo {
// Anonymous system principal to be used when no user identity is available.
message SystemPrincipal {
// Metadata about the service that uses the service account.
//
// Required: false
@ -634,7 +592,6 @@ message ServiceAccountDelegationInfo {
// STACKIT idp principal.
message IdpPrincipal {
// STACKIT principal id
//
// Required: true
@ -670,4 +627,4 @@ message ServiceAccountDelegationInfo {
// STACKIT IDP identity
IdpPrincipal idp_principal = 2;
}
}
}


@ -1,9 +1,9 @@
syntax = "proto3";
import "buf/validate/validate.proto";
package audit.v1;
import "buf/validate/validate.proto";
option go_package = "./audit;auditV1";
option java_multiple_files = true;
option java_package = "com.schwarz.stackit.audit.v1";
@ -23,30 +23,44 @@ message ObjectIdentifier {
// Identifier of the respective entity (e.g. Identifier of an organization)
//
// Required: true
string identifier = 1 [(buf.validate.field).required = true, (buf.validate.field).string.uuid = true];
string identifier = 1 [
(buf.validate.field).required = true,
(buf.validate.field).string.uuid = true
];
// Entity data type relevant for routing - one of the list of supported singular types.
//
// Required: true
string type = 2 [(buf.validate.field).required = true, (buf.validate.field).string.min_len = 1];
string type = 2 [
(buf.validate.field).required = true,
(buf.validate.field).string.min_len = 1
];
}
message EncryptedData {
// Encrypted serialized protobuf content (the actual audit event)
//
// Required: true
bytes data = 1 [(buf.validate.field).required = true, (buf.validate.field).bytes.min_len = 1];
bytes data = 1 [
(buf.validate.field).required = true,
(buf.validate.field).bytes.min_len = 1
];
// Name of the protobuf type
//
// Required: true
string protobuf_type = 2 [(buf.validate.field).required = true, (buf.validate.field).string.min_len = 1];
string protobuf_type = 2 [
(buf.validate.field).required = true,
(buf.validate.field).string.min_len = 1
];
// The password taken to derive the encryption key from
//
// Required: true
string encrypted_password = 3 [(buf.validate.field).required = true, (buf.validate.field).string.min_len = 1];
string encrypted_password = 3 [
(buf.validate.field).required = true,
(buf.validate.field).string.min_len = 1
];
// Version of the encrypted key
//
@ -58,16 +72,21 @@ message UnencryptedData {
// Unencrypted serialized protobuf content (the actual audit event)
//
// Required: true
bytes data = 1 [(buf.validate.field).required = true, (buf.validate.field).bytes.min_len = 1];
bytes data = 1 [
(buf.validate.field).required = true,
(buf.validate.field).bytes.min_len = 1
];
// Name of the protobuf type
//
// Required: true
string protobuf_type = 2 [(buf.validate.field).required = true, (buf.validate.field).string.min_len = 1];
string protobuf_type = 2 [
(buf.validate.field).required = true,
(buf.validate.field).string.min_len = 1
];
}
message RoutableAuditEvent {
// Functional event name with pattern
//
// Format: stackit.<product>.<version>.<type-chain>.<operation>
@ -93,7 +112,10 @@ message RoutableAuditEvent {
// Visibility relevant for differentiating between internal and public events
//
// Required: true
Visibility visibility = 2 [(buf.validate.field).required = true, (buf.validate.field).enum.defined_only = true];
Visibility visibility = 2 [
(buf.validate.field).required = true,
(buf.validate.field).enum.defined_only = true
];
// Identifier the audit log event refers to.
//
@ -110,4 +132,4 @@ message RoutableAuditEvent {
UnencryptedData unencrypted_data = 4;
EncryptedData encrypted_data = 5;
}
}
}