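syntax = "proto3";

package audit.v1;

import "buf/validate/validate.proto";

option go_package = "./audit;auditV1";
option java_multiple_files = true;
option java_package = "com.schwarz.stackit.audit.v1";

// Routing visibility of an audit event.
//
// The zero value is not a valid choice: RoutableAuditEvent.visibility carries
// `required = true`, which for a proto3 enum rejects VISIBILITY_UNSPECIFIED.
// Producers must therefore pick PUBLIC or PRIVATE explicitly; there is no
// "safe default" that silently falls back to customer-facing routing.
enum Visibility {
  VISIBILITY_UNSPECIFIED = 0;
  // Will be routed to customer data sinks
  VISIBILITY_PUBLIC = 1;
  // Will NOT be routed to customer data sinks
  VISIBILITY_PRIVATE = 2;
}

// Identifier of an object.
//
// For system events, the nil UUID must be used: 00000000-0000-0000-0000-000000000000.
message ObjectIdentifier {
  // Identifier of the respective entity (e.g. Identifier of an organization)
  //
  // Must be a syntactically valid UUID; the nil UUID is accepted and marks a
  // system event.
  //
  // Required: true
  string identifier = 1 [
    (buf.validate.field).required = true,
    (buf.validate.field).string.uuid = true
  ];

  // Entity data type relevant for routing - one of the list of supported object types.
  //
  // Only non-emptiness is validated here; the supported-type list lives in the
  // router and must be enforced there (an unknown type must not fall through
  // to a customer sink).
  //
  // Required: true
  string type = 2 [
    (buf.validate.field).required = true,
    (buf.validate.field).string.min_len = 1
  ];
}

// Envelope for an audit event whose serialized payload is encrypted.
//
// NOTE(review): the cipher, key-derivation function and the meaning of
// encrypted_password / key_version are not defined in this schema; consumers
// must agree on them out of band.
message EncryptedData {
  // Encrypted serialized protobuf content (the actual audit event)
  //
  // Required: true
  bytes data = 1 [
    (buf.validate.field).required = true,
    (buf.validate.field).bytes.min_len = 1
  ];

  // Name of the protobuf type
  //
  // Used by the receiver to pick the message type `data` is decoded into.
  // A receiver must resolve this against an allowlist of known audit event
  // types rather than any type in its registry, as with google.protobuf.Any.
  //
  // Required: true
  string protobuf_type = 2 [
    (buf.validate.field).required = true,
    (buf.validate.field).string.min_len = 1
  ];

  // The password taken to derive the encryption key from
  //
  // This is key material (presumably itself wrapped under the key identified
  // by key_version - confirm against the consumer). Never log or index it.
  //
  // Required: true
  string encrypted_password = 3 [
    (buf.validate.field).required = true,
    (buf.validate.field).string.min_len = 1
  ];

  // Version of the encrypted key
  //
  // Versions start at 1, so the proto3 default 0 is rejected; `required` is
  // set explicitly to match the documented contract and the sibling fields.
  //
  // Required: true
  int32 key_version = 4 [
    (buf.validate.field).required = true,
    (buf.validate.field).int32.gte = 1
  ];
}

// Envelope for an audit event whose serialized payload is sent in the clear.
message UnencryptedData {
  // Unencrypted serialized protobuf content (the actual audit event)
  //
  // Required: true
  bytes data = 1 [
    (buf.validate.field).required = true,
    (buf.validate.field).bytes.min_len = 1
  ];

  // Name of the protobuf type
  //
  // Used by the receiver to pick the message type `data` is decoded into.
  // A receiver must resolve this against an allowlist of known audit event
  // types rather than any type in its registry, as with google.protobuf.Any.
  //
  // Required: true
  string protobuf_type = 2 [
    (buf.validate.field).required = true,
    (buf.validate.field).string.min_len = 1
  ];
}

// An audit event together with the metadata needed to route it.
message RoutableAuditEvent {
  // Functional event name with pattern
  //
  // Format: stackit.<product>.<version>.<type-chain>.<operation>
  // Where:
  //   Product: The name of the service in lowercase
  //   Version: Optional API version
  //   Type-Chain: Optional chained path to object
  //   Operation: The name of the operation in lowercase
  //
  // Examples:
  //   "stackit.resource-manager.v1.organizations.create"
  //   "stackit.authorization.v1.projects.volumes.create"
  //   "stackit.authorization.v2alpha.projects.volumes.create"
  //   "stackit.authorization.v2.folders.move"
  //   "stackit.resource-manager.health"
  //
  // Note that the type-chain group also admits "." itself, so the pattern
  // accepts consecutive dots within the chain; it constrains the character
  // set, not the exact segment structure.
  //
  // Required: true
  string operation_name = 1 [
    (buf.validate.field).required = true,
    (buf.validate.field).string.pattern = "^stackit\\.[a-z0-9-]+\\.(?:v[0-9]+\\.)?(?:[a-z0-9-.]+\\.)?[a-z0-9-]+$"
  ];

  // Visibility relevant for differentiating between internal and public events
  //
  // `required` rejects VISIBILITY_UNSPECIFIED; `defined_only` rejects
  // numeric values the enum does not declare.
  //
  // Required: true
  Visibility visibility = 2 [
    (buf.validate.field).required = true,
    (buf.validate.field).enum.defined_only = true
  ];

  // Identifier the audit log event refers to.
  //
  // System events (nil UUID) will not be routed to the end-user.
  //
  // Required: true
  ObjectIdentifier object_identifier = 3 [(buf.validate.field).required = true];

  // The actual audit event is transferred in exactly one of the attributes below
  //
  // Required: true
  oneof data {
    option (buf.validate.oneof).required = true;

    UnencryptedData unencrypted_data = 4;
    EncryptedData encrypted_data = 5;
  }
}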