diff --git a/proto/audit/v1/audit_event.proto b/proto/audit/v1/audit_event.proto
index b451a5a..8676b27 100644
--- a/proto/audit/v1/audit_event.proto
+++ b/proto/audit/v1/audit_event.proto
@@ -1,19 +1,18 @@
 syntax = "proto3";
 
+package audit.v1;
+
 import "buf/validate/validate.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/timestamp.proto";
 import "google/protobuf/wrappers.proto";
 
-package audit.v1;
-
 option go_package = "./audit;auditV1";
 option java_multiple_files = true;
 option java_package = "com.schwarz.stackit.audit.v1";
 
 // The audit log entry can be used to record an incident in the audit log.
 message AuditLogEntry {
-
 // The resource name of the log to which this log entry belongs.
 //
 // Format: //logs/
@@ -34,9 +33,7 @@ message AuditLogEntry {
 // The log entry payload, which is always an AuditLog for STACKIT Audit Log events.
 //
 // Required: true
- AuditLog proto_payload = 2 [
- (buf.validate.field).required = true
- ];
+ AuditLog proto_payload = 2 [(buf.validate.field).required = true];
 
 // A unique identifier for the log entry.
 // Is used to check completeness of audit events over time.
@@ -53,7 +50,7 @@ message AuditLogEntry {
 // "1721899117/eu01/319a7fb9-edd2-46c6-953a-a724bb377c61/8792726390909855142"
 //
 // Required: true
- string insert_id = 3[
+ string insert_id = 3 [
 (buf.validate.field).required = true,
 (buf.validate.field).string.pattern = "^[0-9]+/[a-z0-9-]+/[a-z0-9-]+/[0-9]+$"
 ];
@@ -97,9 +94,7 @@ message AuditLogEntry {
 // "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01"
 //
 // Required: false
- optional string trace_parent = 8 [
- (buf.validate.field).string.pattern = "^[0-9]+-[a-z0-9]+-[a-z0-9]+-[0-9]+$"
- ];
+ optional string trace_parent = 8 [(buf.validate.field).string.pattern = "^[0-9]+-[a-z0-9]+-[a-z0-9]+-[0-9]+$"];
 
 // Customer set W3C conform trace state header:
 // https://www.w3.org/TR/trace-context/#tracestate-header
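Review bot: The `trace_parent` constraint in the last hunk, `^[0-9]+-[a-z0-9]+-[a-z0-9]+-[0-9]+$`, is looser than the W3C traceparent format that the field's comment and its example describe: it fixes no segment lengths, the version and flags segments accept decimal digits only while the spec uses two lowercase hex digits, and the trace-id and parent-id segments admit any lowercase letter rather than hex. If the field is meant to carry a customer-supplied traceparent header, a pattern such as `^[0-9a-f]{2}-[0-9a-f]{32}-[0-9a-f]{16}-[0-9a-f]{2}$` would reject malformed values at validation time instead of letting them into the audit sink; because tightening a published constraint can break existing producers, check current traffic before changing it. The hunk only reformats this line, so the constraint predates the commit, and the enclosing `AuditLogEntry` message continues outside the hunk.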
@@ -116,7 +111,6 @@ message AuditLogEntry {
 // The severity of the event described in a log entry, expressed as one of the
 // standard severity levels listed below.
 enum LogSeverity {
-
 LOG_SEVERITY_UNSPECIFIED = 0;
 
 // (1) The log entry has no assigned severity level.
@@ -150,7 +144,6 @@ enum LogSeverity {
 
 // Common audit log format for STACKIT API operations.
 message AuditLog {
-
 // The name of the API service performing the operation.
 //
 // Examples:
@@ -202,7 +195,7 @@ message AuditLog {
 // "projects/dd7d1807-54e9-4426-8994-721758b5b554/locations/eu01/vms/b6851b4e-7a9d-4973-ab0f-a80a13ee3060/ports/78f8bad4-a291-4fa3-b07f-4a1985d3dbe8"
 //
 // Required: true
- string resource_name = 3[
+ string resource_name = 3 [
 (buf.validate.field).required = true,
 (buf.validate.field).string.pattern = "^[a-z]+/[a-z0-9-]+(?:/[a-z0-9-]+/[a-z0-9-_]+)*$",
 (buf.validate.field).string.min_len = 1,
@@ -212,9 +205,7 @@ message AuditLog {
 // Authentication information.
 //
 // Required: true
- AuthenticationInfo authentication_info = 4 [
- (buf.validate.field).required = true
- ];
+ AuthenticationInfo authentication_info = 4 [(buf.validate.field).required = true];
 
 // Authorization information. If there are multiple resources or permissions involved, then there is
 // one AuthorizationInfo element for each {resource, permission} tuple.
@@ -225,9 +216,7 @@ message AuditLog {
 // Metadata about the operation.
 //
 // Required: true
- RequestMetadata request_metadata = 6 [
- (buf.validate.field).required = true
- ];
+ RequestMetadata request_metadata = 6 [(buf.validate.field).required = true];
 
 // The operation request. This may not include all request parameters,
 // such as those that are too large, privacy-sensitive, or duplicated
@@ -240,9 +229,7 @@ message AuditLog {
 // The status of the overall operation.
 //
 // Required: true
- ResponseMetadata response_metadata = 8 [
- (buf.validate.field).required = true
- ];
+ ResponseMetadata response_metadata = 8 [(buf.validate.field).required = true];
 
 // The operation response. This may not include all response elements,
 // such as those that are too large, privacy-sensitive, or duplicated
@@ -251,7 +238,6 @@ message AuditLog {
 // Required: false
 optional google.protobuf.Struct response = 9;
 
-
 // Other service-specific data about the request, response, and other
 // information associated with the current audited event.
 //
@@ -261,7 +247,6 @@ message AuditLog {
 
 // Authentication information for the operation.
 message AuthenticationInfo {
-
 // STACKIT principal id
 //
 // Required: true
@@ -289,9 +274,7 @@ message AuthenticationInfo {
 // "projects/29b2c56f-f712-4a9c-845b-f0907158e53c/service-accounts/a606dc68-8b97-421b-89a9-116bcbd004df"
 //
 // Required: false
- optional string service_account_name = 3 [
- (buf.validate.field).string.pattern = "^[a-z-]+/[a-z0-9-]+/service-accounts/[a-z0-9-]+$"
- ];
+ optional string service_account_name = 3 [(buf.validate.field).string.pattern = "^[a-z-]+/[a-z0-9-]+/service-accounts/[a-z0-9-]+$"];
 
 // Identity delegation history of an authenticated service account that makes
 // the request. It contains information on the real authorities that try to
@@ -305,7 +288,6 @@ message AuthenticationInfo {
 
 // Authorization information for the operation.
 message AuthorizationInfo {
-
 // The resource being accessed, as a REST-style string.
 //
 // Format: /[/]
@@ -332,9 +314,7 @@ message AuthorizationInfo {
 // "resourcemanager.project.edit"
 //
 // Required: false
- optional string permission = 2 [
- (buf.validate.field).string.pattern = "^[a-z-]+(?:\\.[a-z-]+)*\\.[a-z-]+$"
- ];
+ optional string permission = 2 [(buf.validate.field).string.pattern = "^[a-z-]+(?:\\.[a-z-]+)*\\.[a-z-]+$"];
 
 // IAM permission check result.
 //
@@ -347,12 +327,10 @@ message AuthorizationInfo {
 // An attribute is a piece of metadata that describes an activity on a network
 // service.
 message AttributeContext {
-
 // This message defines request authentication attributes. Terminology is
 // based on the JSON Web Token (JWT) standard, but the terms also
 // correlate to concepts in other standards.
 message Auth {
-
 // The authenticated principal. Reflects the issuer ("iss") and subject
 // ("sub") claims within a JWT.
 //
@@ -396,9 +374,7 @@ message AttributeContext {
 // }
 //
 // Required: true
- google.protobuf.Struct claims = 3 [
- (buf.validate.field).required = true
- ];
+ google.protobuf.Struct claims = 3 [(buf.validate.field).required = true];
 }
 
 enum HttpMethod {
@@ -419,7 +395,6 @@ message AttributeContext {
 // request is not an HTTP request, the runtime system should try to map
 // the actual request to an equivalent HTTP request.
 message Request {
-
 // The unique ID for a request, which can be propagated to downstream
 // systems. The ID should have low probability of collision
 // within a single day for a specific service.
@@ -451,9 +426,7 @@ message AttributeContext {
 // Internal IP-Addresses have to be removed (e.g. in x-forwarded-xxx headers).
 //
 // Required: true
- map headers = 3 [
- (buf.validate.field).required = true
- ];
+ map headers = 3 [(buf.validate.field).required = true];
 
 // The gRPC / HTTP URL path.
 //
@@ -510,28 +483,21 @@ message AttributeContext {
 // The request authentication.
 //
 // Required: true
- Auth auth = 10 [
- (buf.validate.field).required = true
- ];
+ Auth auth = 10 [(buf.validate.field).required = true];
 }
 
 // This message defines attributes for a typical network response. It
 // generally models semantics of an HTTP response.
 message Response {
-
 // The number of items returned to the client if applicable.
 //
 // Required: false
- optional google.protobuf.Int64Value num_response_items = 1 [
- (buf.validate.field).int64.gte = 0
- ];
+ optional google.protobuf.Int64Value num_response_items = 1 [(buf.validate.field).int64.gte = 0];
 
 // The HTTP response size in bytes.
 //
 // Required: false
- optional google.protobuf.Int64Value size = 2 [
- (buf.validate.field).int64.gte = 0
- ];
+ optional google.protobuf.Int64Value size = 2 [(buf.validate.field).int64.gte = 0];
 
 // The HTTP response headers. If multiple headers share the same key, they
 // must be merged according to HTTP spec. All header keys must be
@@ -553,7 +519,6 @@ message AttributeContext {
 
 // Metadata about the request.
 message RequestMetadata {
-
 // The IP address of the caller.
 // For caller from internet, this will be public IPv4 or IPv6 address.
 // For caller from a VM / K8s Service / etc, this will be the SIT proxy's IPv4 address.
@@ -582,14 +547,11 @@ message RequestMetadata {
 // This field contains request attributes like request url, time, etc.
 //
 // Required: true
- AttributeContext.Request request_attributes = 3 [
- (buf.validate.field).required = true
- ];
+ AttributeContext.Request request_attributes = 3 [(buf.validate.field).required = true];
 }
 
 // Metadata about the response
 message ResponseMetadata {
-
 // The http or gRPC status code.
 //
 // Examples:
@@ -615,17 +577,13 @@ message ResponseMetadata {
 // This field contains response attributes like headers, time, etc.
 //
 // Required: true
- AttributeContext.Response response_attributes = 4[
- (buf.validate.field).required = true
- ];
+ AttributeContext.Response response_attributes = 4 [(buf.validate.field).required = true];
 }
 
 // Identity delegation history of an authenticated service account.
 message ServiceAccountDelegationInfo {
-
 // Anonymous system principal to be used when no user identity is available.
 message SystemPrincipal {
-
 // Metadata about the service that uses the service account.
 //
 // Required: false
@@ -634,7 +592,6 @@ message ServiceAccountDelegationInfo {
 
 // STACKIT idp principal.
 message IdpPrincipal {
-
 // STACKIT principal id
 //
 // Required: true
@@ -670,4 +627,4 @@ message ServiceAccountDelegationInfo {
 // STACKIT IDP identity
 IdpPrincipal idp_principal = 2;
 }
-}
\ No newline at end of file
+}
diff --git a/proto/audit/v1/routable_event.proto b/proto/audit/v1/routable_event.proto
index 2af414d..6b12c66 100644
--- a/proto/audit/v1/routable_event.proto
+++ b/proto/audit/v1/routable_event.proto
@@ -1,9 +1,9 @@
 syntax = "proto3";
 
-import "buf/validate/validate.proto";
-
 package audit.v1;
 
+import "buf/validate/validate.proto";
+
 option go_package = "./audit;auditV1";
 option java_multiple_files = true;
 option java_package = "com.schwarz.stackit.audit.v1";
@@ -23,30 +23,44 @@ message ObjectIdentifier {
 // Identifier of the respective entity (e.g. Identifier of an organization)
 //
 // Required: true
- string identifier = 1 [(buf.validate.field).required = true, (buf.validate.field).string.uuid = true];
+ string identifier = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
 
 // Entity data type relevant for routing - one of the list of supported singular types.
 //
 // Required: true
- string type = 2 [(buf.validate.field).required = true, (buf.validate.field).string.min_len = 1];
+ string type = 2 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.min_len = 1
+ ];
 }
 
 message EncryptedData {
-
 // Encrypted serialized protobuf content (the actual audit event)
 //
 // Required: true
- bytes data = 1 [(buf.validate.field).required = true, (buf.validate.field).bytes.min_len = 1];
+ bytes data = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).bytes.min_len = 1
+ ];
 
 // Name of the protobuf type
 //
 // Required: true
- string protobuf_type = 2 [(buf.validate.field).required = true, (buf.validate.field).string.min_len = 1];
+ string protobuf_type = 2 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.min_len = 1
+ ];
 
 // The password taken to derive the encryption key from
 //
 // Required: true
- string encrypted_password = 3 [(buf.validate.field).required = true, (buf.validate.field).string.min_len = 1];
+ string encrypted_password = 3 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.min_len = 1
+ ];
 
 // Version of the encrypted key
 //
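Review bot: `protobuf_type` in `EncryptedData` is free text constrained only by `min_len = 1`, yet it names the message the consumer will decode `data` into after decryption, so the field doc should say that consumers resolve it against a fixed allowlist of expected audit event types rather than any type known to their registry, the same caution that applies to `google.protobuf.Any` type URLs. The `encrypted_password` comment also leaves out which key wraps the value and how it is encoded, which a consumer needs before it can use the field; since it is a `string`, the value is presumably base64 or similar text rather than raw ciphertext bytes — confirm. Suggested wording: `// Fully-qualified protobuf message name of the decrypted payload. Consumers must resolve it against an allowlist of supported audit event types.` plus one sentence on the wrapping key and encoding of `encrypted_password`. The same `protobuf_type` remark applies to `UnencryptedData` in the following hunk; `EncryptedData` continues past the end of this hunk.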
@@ -58,16 +72,21 @@ message UnencryptedData {
 // Unencrypted serialized protobuf content (the actual audit event)
 //
 // Required: true
- bytes data = 1 [(buf.validate.field).required = true, (buf.validate.field).bytes.min_len = 1];
+ bytes data = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).bytes.min_len = 1
+ ];
 
 // Name of the protobuf type
 //
 // Required: true
- string protobuf_type = 2 [(buf.validate.field).required = true, (buf.validate.field).string.min_len = 1];
+ string protobuf_type = 2 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.min_len = 1
+ ];
 }
 
 message RoutableAuditEvent {
-
 // Functional event name with pattern
 //
 // Format: stackit....
@@ -93,7 +112,10 @@ message RoutableAuditEvent {
 // Visibility relevant for differentiating between internal and public events
 //
 // Required: true
- Visibility visibility = 2 [(buf.validate.field).required = true, (buf.validate.field).enum.defined_only = true];
+ Visibility visibility = 2 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).enum.defined_only = true
+ ];
 
 // Identifier the audit log event refers to.
 //
@@ -110,4 +132,4 @@ message RoutableAuditEvent {
 UnencryptedData unencrypted_data = 4;
 EncryptedData encrypted_data = 5;
 }
-}
\ No newline at end of file
+}