Format protobuf files

Christian Schaible 2024-10-09 11:15:01 +02:00
parent 63ac2962e9
commit a990233715
2 changed files with 54 additions and 75 deletions


@ -1,19 +1,18 @@
syntax = "proto3"; syntax = "proto3";
package audit.v1;
import "buf/validate/validate.proto"; import "buf/validate/validate.proto";
import "google/protobuf/struct.proto"; import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto"; import "google/protobuf/timestamp.proto";
import "google/protobuf/wrappers.proto"; import "google/protobuf/wrappers.proto";
package audit.v1;
option go_package = "./audit;auditV1"; option go_package = "./audit;auditV1";
option java_multiple_files = true; option java_multiple_files = true;
option java_package = "com.schwarz.stackit.audit.v1"; option java_package = "com.schwarz.stackit.audit.v1";
// The audit log entry can be used to record an incident in the audit log. // The audit log entry can be used to record an incident in the audit log.
message AuditLogEntry { message AuditLogEntry {
// The resource name of the log to which this log entry belongs. // The resource name of the log to which this log entry belongs.
// //
// Format: <pluralType>/<identifier>/logs/<eventType> // Format: <pluralType>/<identifier>/logs/<eventType>
@ -34,9 +33,7 @@ message AuditLogEntry {
// The log entry payload, which is always an AuditLog for STACKIT Audit Log events. // The log entry payload, which is always an AuditLog for STACKIT Audit Log events.
// //
// Required: true // Required: true
AuditLog proto_payload = 2 [ AuditLog proto_payload = 2 [(buf.validate.field).required = true];
(buf.validate.field).required = true
];
// A unique identifier for the log entry. // A unique identifier for the log entry.
// Is used to check completeness of audit events over time. // Is used to check completeness of audit events over time.
@ -53,7 +50,7 @@ message AuditLogEntry {
// "1721899117/eu01/319a7fb9-edd2-46c6-953a-a724bb377c61/8792726390909855142" // "1721899117/eu01/319a7fb9-edd2-46c6-953a-a724bb377c61/8792726390909855142"
// //
// Required: true // Required: true
string insert_id = 3[ string insert_id = 3 [
(buf.validate.field).required = true, (buf.validate.field).required = true,
(buf.validate.field).string.pattern = "^[0-9]+/[a-z0-9-]+/[a-z0-9-]+/[0-9]+$" (buf.validate.field).string.pattern = "^[0-9]+/[a-z0-9-]+/[a-z0-9-]+/[0-9]+$"
]; ];
@ -97,9 +94,7 @@ message AuditLogEntry {
// "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01" // "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01"
// //
// Required: false // Required: false
optional string trace_parent = 8 [ optional string trace_parent = 8 [(buf.validate.field).string.pattern = "^[0-9]+-[a-z0-9]+-[a-z0-9]+-[0-9]+$"];
(buf.validate.field).string.pattern = "^[0-9]+-[a-z0-9]+-[a-z0-9]+-[0-9]+$"
];
// Customer set W3C conform trace state header: // Customer set W3C conform trace state header:
// https://www.w3.org/TR/trace-context/#tracestate-header // https://www.w3.org/TR/trace-context/#tracestate-header
@ -116,7 +111,6 @@ message AuditLogEntry {
// The severity of the event described in a log entry, expressed as one of the // The severity of the event described in a log entry, expressed as one of the
// standard severity levels listed below. // standard severity levels listed below.
enum LogSeverity { enum LogSeverity {
LOG_SEVERITY_UNSPECIFIED = 0; LOG_SEVERITY_UNSPECIFIED = 0;
// (1) The log entry has no assigned severity level. // (1) The log entry has no assigned severity level.
@ -150,7 +144,6 @@ enum LogSeverity {
// Common audit log format for STACKIT API operations. // Common audit log format for STACKIT API operations.
message AuditLog { message AuditLog {
// The name of the API service performing the operation. // The name of the API service performing the operation.
// //
// Examples: // Examples:
@ -202,7 +195,7 @@ message AuditLog {
// "projects/dd7d1807-54e9-4426-8994-721758b5b554/locations/eu01/vms/b6851b4e-7a9d-4973-ab0f-a80a13ee3060/ports/78f8bad4-a291-4fa3-b07f-4a1985d3dbe8" // "projects/dd7d1807-54e9-4426-8994-721758b5b554/locations/eu01/vms/b6851b4e-7a9d-4973-ab0f-a80a13ee3060/ports/78f8bad4-a291-4fa3-b07f-4a1985d3dbe8"
// //
// Required: true // Required: true
string resource_name = 3[ string resource_name = 3 [
(buf.validate.field).required = true, (buf.validate.field).required = true,
(buf.validate.field).string.pattern = "^[a-z]+/[a-z0-9-]+(?:/[a-z0-9-]+/[a-z0-9-_]+)*$", (buf.validate.field).string.pattern = "^[a-z]+/[a-z0-9-]+(?:/[a-z0-9-]+/[a-z0-9-_]+)*$",
(buf.validate.field).string.min_len = 1, (buf.validate.field).string.min_len = 1,
@ -212,9 +205,7 @@ message AuditLog {
// Authentication information. // Authentication information.
// //
// Required: true // Required: true
AuthenticationInfo authentication_info = 4 [ AuthenticationInfo authentication_info = 4 [(buf.validate.field).required = true];
(buf.validate.field).required = true
];
// Authorization information. If there are multiple resources or permissions involved, then there is // Authorization information. If there are multiple resources or permissions involved, then there is
// one AuthorizationInfo element for each {resource, permission} tuple. // one AuthorizationInfo element for each {resource, permission} tuple.
@ -225,9 +216,7 @@ message AuditLog {
// Metadata about the operation. // Metadata about the operation.
// //
// Required: true // Required: true
RequestMetadata request_metadata = 6 [ RequestMetadata request_metadata = 6 [(buf.validate.field).required = true];
(buf.validate.field).required = true
];
// The operation request. This may not include all request parameters, // The operation request. This may not include all request parameters,
// such as those that are too large, privacy-sensitive, or duplicated // such as those that are too large, privacy-sensitive, or duplicated
@ -240,9 +229,7 @@ message AuditLog {
// The status of the overall operation. // The status of the overall operation.
// //
// Required: true // Required: true
ResponseMetadata response_metadata = 8 [ ResponseMetadata response_metadata = 8 [(buf.validate.field).required = true];
(buf.validate.field).required = true
];
// The operation response. This may not include all response elements, // The operation response. This may not include all response elements,
// such as those that are too large, privacy-sensitive, or duplicated // such as those that are too large, privacy-sensitive, or duplicated
@ -251,7 +238,6 @@ message AuditLog {
// Required: false // Required: false
optional google.protobuf.Struct response = 9; optional google.protobuf.Struct response = 9;
// Other service-specific data about the request, response, and other // Other service-specific data about the request, response, and other
// information associated with the current audited event. // information associated with the current audited event.
// //
@ -261,7 +247,6 @@ message AuditLog {
// Authentication information for the operation. // Authentication information for the operation.
message AuthenticationInfo { message AuthenticationInfo {
// STACKIT principal id // STACKIT principal id
// //
// Required: true // Required: true
@ -289,9 +274,7 @@ message AuthenticationInfo {
// "projects/29b2c56f-f712-4a9c-845b-f0907158e53c/service-accounts/a606dc68-8b97-421b-89a9-116bcbd004df" // "projects/29b2c56f-f712-4a9c-845b-f0907158e53c/service-accounts/a606dc68-8b97-421b-89a9-116bcbd004df"
// //
// Required: false // Required: false
optional string service_account_name = 3 [ optional string service_account_name = 3 [(buf.validate.field).string.pattern = "^[a-z-]+/[a-z0-9-]+/service-accounts/[a-z0-9-]+$"];
(buf.validate.field).string.pattern = "^[a-z-]+/[a-z0-9-]+/service-accounts/[a-z0-9-]+$"
];
// Identity delegation history of an authenticated service account that makes // Identity delegation history of an authenticated service account that makes
// the request. It contains information on the real authorities that try to // the request. It contains information on the real authorities that try to
@ -305,7 +288,6 @@ message AuthenticationInfo {
// Authorization information for the operation. // Authorization information for the operation.
message AuthorizationInfo { message AuthorizationInfo {
// The resource being accessed, as a REST-style string. // The resource being accessed, as a REST-style string.
// //
// Format: <pluralType>/<id>[/<details>] // Format: <pluralType>/<id>[/<details>]
@ -332,9 +314,7 @@ message AuthorizationInfo {
// "resourcemanager.project.edit" // "resourcemanager.project.edit"
// //
// Required: false // Required: false
optional string permission = 2 [ optional string permission = 2 [(buf.validate.field).string.pattern = "^[a-z-]+(?:\\.[a-z-]+)*\\.[a-z-]+$"];
(buf.validate.field).string.pattern = "^[a-z-]+(?:\\.[a-z-]+)*\\.[a-z-]+$"
];
// IAM permission check result. // IAM permission check result.
// //
@ -347,12 +327,10 @@ message AuthorizationInfo {
// An attribute is a piece of metadata that describes an activity on a network // An attribute is a piece of metadata that describes an activity on a network
// service. // service.
message AttributeContext { message AttributeContext {
// This message defines request authentication attributes. Terminology is // This message defines request authentication attributes. Terminology is
// based on the JSON Web Token (JWT) standard, but the terms also // based on the JSON Web Token (JWT) standard, but the terms also
// correlate to concepts in other standards. // correlate to concepts in other standards.
message Auth { message Auth {
// The authenticated principal. Reflects the issuer ("iss") and subject // The authenticated principal. Reflects the issuer ("iss") and subject
// ("sub") claims within a JWT. // ("sub") claims within a JWT.
// //
@ -396,9 +374,7 @@ message AttributeContext {
// } // }
// //
// Required: true // Required: true
google.protobuf.Struct claims = 3 [ google.protobuf.Struct claims = 3 [(buf.validate.field).required = true];
(buf.validate.field).required = true
];
} }
enum HttpMethod { enum HttpMethod {
@ -419,7 +395,6 @@ message AttributeContext {
// request is not an HTTP request, the runtime system should try to map // request is not an HTTP request, the runtime system should try to map
// the actual request to an equivalent HTTP request. // the actual request to an equivalent HTTP request.
message Request { message Request {
// The unique ID for a request, which can be propagated to downstream // The unique ID for a request, which can be propagated to downstream
// systems. The ID should have low probability of collision // systems. The ID should have low probability of collision
// within a single day for a specific service. // within a single day for a specific service.
@ -451,9 +426,7 @@ message AttributeContext {
// Internal IP-Addresses have to be removed (e.g. in x-forwarded-xxx headers). // Internal IP-Addresses have to be removed (e.g. in x-forwarded-xxx headers).
// //
// Required: true // Required: true
map<string, string> headers = 3 [ map<string, string> headers = 3 [(buf.validate.field).required = true];
(buf.validate.field).required = true
];
// The gRPC / HTTP URL path. // The gRPC / HTTP URL path.
// //
@ -510,28 +483,21 @@ message AttributeContext {
// The request authentication. // The request authentication.
// //
// Required: true // Required: true
Auth auth = 10 [ Auth auth = 10 [(buf.validate.field).required = true];
(buf.validate.field).required = true
];
} }
// This message defines attributes for a typical network response. It // This message defines attributes for a typical network response. It
// generally models semantics of an HTTP response. // generally models semantics of an HTTP response.
message Response { message Response {
// The number of items returned to the client if applicable. // The number of items returned to the client if applicable.
// //
// Required: false // Required: false
optional google.protobuf.Int64Value num_response_items = 1 [ optional google.protobuf.Int64Value num_response_items = 1 [(buf.validate.field).int64.gte = 0];
(buf.validate.field).int64.gte = 0
];
// The HTTP response size in bytes. // The HTTP response size in bytes.
// //
// Required: false // Required: false
optional google.protobuf.Int64Value size = 2 [ optional google.protobuf.Int64Value size = 2 [(buf.validate.field).int64.gte = 0];
(buf.validate.field).int64.gte = 0
];
// The HTTP response headers. If multiple headers share the same key, they // The HTTP response headers. If multiple headers share the same key, they
// must be merged according to HTTP spec. All header keys must be // must be merged according to HTTP spec. All header keys must be
@ -553,7 +519,6 @@ message AttributeContext {
// Metadata about the request. // Metadata about the request.
message RequestMetadata { message RequestMetadata {
// The IP address of the caller. // The IP address of the caller.
// For caller from internet, this will be public IPv4 or IPv6 address. // For caller from internet, this will be public IPv4 or IPv6 address.
// For caller from a VM / K8s Service / etc, this will be the SIT proxy's IPv4 address. // For caller from a VM / K8s Service / etc, this will be the SIT proxy's IPv4 address.
@ -582,14 +547,11 @@ message RequestMetadata {
// This field contains request attributes like request url, time, etc. // This field contains request attributes like request url, time, etc.
// //
// Required: true // Required: true
AttributeContext.Request request_attributes = 3 [ AttributeContext.Request request_attributes = 3 [(buf.validate.field).required = true];
(buf.validate.field).required = true
];
} }
// Metadata about the response // Metadata about the response
message ResponseMetadata { message ResponseMetadata {
// The http or gRPC status code. // The http or gRPC status code.
// //
// Examples: // Examples:
@ -615,17 +577,13 @@ message ResponseMetadata {
// This field contains response attributes like headers, time, etc. // This field contains response attributes like headers, time, etc.
// //
// Required: true // Required: true
AttributeContext.Response response_attributes = 4[ AttributeContext.Response response_attributes = 4 [(buf.validate.field).required = true];
(buf.validate.field).required = true
];
} }
// Identity delegation history of an authenticated service account. // Identity delegation history of an authenticated service account.
message ServiceAccountDelegationInfo { message ServiceAccountDelegationInfo {
// Anonymous system principal to be used when no user identity is available. // Anonymous system principal to be used when no user identity is available.
message SystemPrincipal { message SystemPrincipal {
// Metadata about the service that uses the service account. // Metadata about the service that uses the service account.
// //
// Required: false // Required: false
@ -634,7 +592,6 @@ message ServiceAccountDelegationInfo {
// STACKIT idp principal. // STACKIT idp principal.
message IdpPrincipal { message IdpPrincipal {
// STACKIT principal id // STACKIT principal id
// //
// Required: true // Required: true
@ -670,4 +627,4 @@ message ServiceAccountDelegationInfo {
// STACKIT IDP identity // STACKIT IDP identity
IdpPrincipal idp_principal = 2; IdpPrincipal idp_principal = 2;
} }
} }
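Review bot: The reflowed `trace_parent` option in the hunk at `@ -97,9 +94,7 @@` still validates far less than the W3C traceparent format the field's own comment and example (`00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01`) describe: `^[0-9]+-[a-z0-9]+-[a-z0-9]+-[0-9]+$` bounds no segment length and admits non-hex characters, so an oversized or malformed customer-supplied value passes validation into the audit log. If strict conformance is intended, `(buf.validate.field).string.pattern = "^[0-9a-f]{2}-[0-9a-f]{32}-[0-9a-f]{16}-[0-9a-f]{2}$"` matches the documented example; if looser inputs must remain accepted, a `(buf.validate.field).string.max_len` bound would at least cap the stored size. This predates the commit, which only reflows the option onto one line, and the same concern may apply to the similarly shaped `insert_id` pattern. `AuditLogEntry` begins and ends outside the hunk.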


@ -1,9 +1,9 @@
syntax = "proto3"; syntax = "proto3";
import "buf/validate/validate.proto";
package audit.v1; package audit.v1;
import "buf/validate/validate.proto";
option go_package = "./audit;auditV1"; option go_package = "./audit;auditV1";
option java_multiple_files = true; option java_multiple_files = true;
option java_package = "com.schwarz.stackit.audit.v1"; option java_package = "com.schwarz.stackit.audit.v1";
@ -23,30 +23,44 @@ message ObjectIdentifier {
// Identifier of the respective entity (e.g. Identifier of an organization) // Identifier of the respective entity (e.g. Identifier of an organization)
// //
// Required: true // Required: true
string identifier = 1 [(buf.validate.field).required = true, (buf.validate.field).string.uuid = true]; string identifier = 1 [
(buf.validate.field).required = true,
(buf.validate.field).string.uuid = true
];
// Entity data type relevant for routing - one of the list of supported singular types. // Entity data type relevant for routing - one of the list of supported singular types.
// //
// Required: true // Required: true
string type = 2 [(buf.validate.field).required = true, (buf.validate.field).string.min_len = 1]; string type = 2 [
(buf.validate.field).required = true,
(buf.validate.field).string.min_len = 1
];
} }
message EncryptedData { message EncryptedData {
// Encrypted serialized protobuf content (the actual audit event) // Encrypted serialized protobuf content (the actual audit event)
// //
// Required: true // Required: true
bytes data = 1 [(buf.validate.field).required = true, (buf.validate.field).bytes.min_len = 1]; bytes data = 1 [
(buf.validate.field).required = true,
(buf.validate.field).bytes.min_len = 1
];
// Name of the protobuf type // Name of the protobuf type
// //
// Required: true // Required: true
string protobuf_type = 2 [(buf.validate.field).required = true, (buf.validate.field).string.min_len = 1]; string protobuf_type = 2 [
(buf.validate.field).required = true,
(buf.validate.field).string.min_len = 1
];
// The password taken to derive the encryption key from // The password taken to derive the encryption key from
// //
// Required: true // Required: true
string encrypted_password = 3 [(buf.validate.field).required = true, (buf.validate.field).string.min_len = 1]; string encrypted_password = 3 [
(buf.validate.field).required = true,
(buf.validate.field).string.min_len = 1
];
// Version of the encrypted key // Version of the encrypted key
// //
@ -58,16 +72,21 @@ message UnencryptedData {
// Unencrypted serialized protobuf content (the actual audit event) // Unencrypted serialized protobuf content (the actual audit event)
// //
// Required: true // Required: true
bytes data = 1 [(buf.validate.field).required = true, (buf.validate.field).bytes.min_len = 1]; bytes data = 1 [
(buf.validate.field).required = true,
(buf.validate.field).bytes.min_len = 1
];
// Name of the protobuf type // Name of the protobuf type
// //
// Required: true // Required: true
string protobuf_type = 2 [(buf.validate.field).required = true, (buf.validate.field).string.min_len = 1]; string protobuf_type = 2 [
(buf.validate.field).required = true,
(buf.validate.field).string.min_len = 1
];
} }
message RoutableAuditEvent { message RoutableAuditEvent {
// Functional event name with pattern // Functional event name with pattern
// //
// Format: stackit.<product>.<version>.<type-chain>.<operation> // Format: stackit.<product>.<version>.<type-chain>.<operation>
@ -93,7 +112,10 @@ message RoutableAuditEvent {
// Visibility relevant for differentiating between internal and public events // Visibility relevant for differentiating between internal and public events
// //
// Required: true // Required: true
Visibility visibility = 2 [(buf.validate.field).required = true, (buf.validate.field).enum.defined_only = true]; Visibility visibility = 2 [
(buf.validate.field).required = true,
(buf.validate.field).enum.defined_only = true
];
// Identifier the audit log event refers to. // Identifier the audit log event refers to.
// //
@ -110,4 +132,4 @@ message RoutableAuditEvent {
UnencryptedData unencrypted_data = 4; UnencryptedData unencrypted_data = 4;
EncryptedData encrypted_data = 5; EncryptedData encrypted_data = 5;
} }
} }