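syntax = "proto3";

package audit.v1;

import "audit/v1/common.proto";
import "buf/validate/validate.proto";

option go_package = "./audit;auditV1";
option java_multiple_files = true;
option java_package = "com.schwarz.stackit.audit.v1";

// Controls whether an audit event may leave the internal pipeline.
//
// NOTE(review): a router consuming this value should fail closed, i.e. treat
// VISIBILITY_UNSPECIFIED and any unknown future value as not routable to
// customer data sinks. The routing code is not part of this file - confirm.
enum Visibility {
  // Zero value / unset. RoutableAuditEvent.visibility is marked `required`,
  // so validation is expected to reject this value there.
  VISIBILITY_UNSPECIFIED = 0;
  // Will be routed to customer data sinks
  VISIBILITY_PUBLIC = 1;
  // Will NOT be routed to customer data sinks
  VISIBILITY_PRIVATE = 2;
}

// Audit event payload carried in encrypted form.
message EncryptedData {
  // Encrypted serialized protobuf content (the actual audit event).
  // Validation only enforces that the field is non-empty.
  // NOTE(review): the cipher and whether it is authenticated are not
  // expressed in this schema - confirm against the SDK.
  bytes data = 1 [
    (buf.validate.field).required = true,
    (buf.validate.field).bytes.min_len = 1
  ];

  // Name of the protobuf type that `data` decrypts and deserializes to.
  // NOTE(review): this is sender-controlled; consumers should resolve it
  // against a fixed allowlist of known audit event types, not an open
  // registry lookup - confirm how the consumer handles it.
  string protobuf_type = 2 [
    (buf.validate.field).required = true,
    (buf.validate.field).string.min_len = 1
  ];

  // The password from which the encryption key is derived. Going by the
  // field name it is carried in encrypted form; the plaintext password must
  // not be placed here.
  // NOTE(review): how this password is encrypted and which key protects it
  // is not defined in this file - confirm.
  string encrypted_password = 3 [
    (buf.validate.field).required = true,
    (buf.validate.field).string.min_len = 1
  ];

  // Version of the encrypted key; must be >= 1.
  // NOTE(review): presumably selects the key version needed to recover
  // `encrypted_password` (key rotation) - confirm.
  int32 key_version = 4 [(buf.validate.field).int32.gte = 1];
}

// Audit event payload carried without encryption at this layer.
message UnencryptedData {
  // Unencrypted serialized protobuf content (the actual audit event).
  // Confidentiality of this content depends on the transport and storage it
  // passes through, not on this message.
  bytes data = 1 [
    (buf.validate.field).required = true,
    (buf.validate.field).bytes.min_len = 1
  ];

  // Name of the protobuf type that `data` deserializes to.
  // NOTE(review): sender-controlled; consumers should resolve it against a
  // fixed allowlist of known audit event types - confirm.
  string protobuf_type = 2 [
    (buf.validate.field).required = true,
    (buf.validate.field).string.min_len = 1
  ];
}

// Envelope for an audit event: routing metadata (event name, visibility,
// resource reference) plus the serialized event itself, either encrypted or
// unencrypted.
message RoutableAuditEvent {
  // Functional event name: two words of uppercase A-Z joined by exactly one
  // underscore (see the pattern below), e.g. ORGANIZATION_CREATED.
  // Will be copied over by the SDK from the AuditEvent.
  string event_name = 1 [
    (buf.validate.field).required = true,
    (buf.validate.field).string.pattern = "^[A-Z]+_[A-Z]+$"
  ];

  // Visibility relevant for differentiating between internal and public
  // events. Must be a defined enum value; because the field is `required`,
  // VISIBILITY_UNSPECIFIED is expected to fail validation.
  Visibility visibility = 2 [
    (buf.validate.field).required = true,
    (buf.validate.field).enum.defined_only = true
  ];

  // Identifier the audit log event refers to. Exactly one member must be set.
  // ObjectName and ObjectIdentifier are not defined in this file (presumably
  // they come from audit/v1/common.proto).
  oneof resource_reference {
    option (buf.validate.oneof).required = true;

    // If it is a technical event not related to an organization, folder or
    // project. Will NOT be routed to the end-user, only for internal
    // analysis.
    // TODO: clarify what to do in the router.
    ObjectName object_name = 3;
    ObjectIdentifier object_identifier = 4;
  }

  // The actual audit event is transferred in one of the attributes below.
  // Exactly one member must be set.
  oneof data {
    option (buf.validate.oneof).required = true;

    UnencryptedData unencrypted_data = 5;
    EncryptedData encrypted_data = 6;
  }
}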