From 993bd6801eeb1e1cf0d9c417cae3291b272d4f0f Mon Sep 17 00:00:00 2001 From: Abhinav Kumar Date: Thu, 30 Apr 2026 13:11:07 +0000 Subject: [PATCH] Add profile ID in Get Request --- authz/authz.pb.go | 281 +++++++++++++++++++++++++++++------------ authz/authz.proto | 2 + authz/authz_grpc.pb.go | 129 +++++++++++++++++-- 3 files changed, 323 insertions(+), 89 deletions(-) diff --git a/authz/authz.pb.go b/authz/authz.pb.go index 85462595..5fd20767 100644 --- a/authz/authz.pb.go +++ b/authz/authz.pb.go @@ -1,8 +1,27 @@ +// +// Copyright 2021, 2022 Google Inc. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +// This file defines the gNSI API to be used for gRPC-level Authorization Policy +// management. + // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.8 -// protoc v6.32.0 -// source: github.com/openconfig/gnsi/authz/authz.proto +// protoc-gen-go v1.36.11 +// protoc v3.21.12 +// source: authz/authz.proto package authz @@ -21,6 +40,7 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +// Action is the defined action for an gRPC-level Authorization Policy. type ProbeResponse_Action int32 const ( 
@@ -54,11 +74,11 @@ func (x ProbeResponse_Action) String() string { } func (ProbeResponse_Action) Descriptor() protoreflect.EnumDescriptor { - return file_github_com_openconfig_gnsi_authz_authz_proto_enumTypes[0].Descriptor() + return file_authz_authz_proto_enumTypes[0].Descriptor() } func (ProbeResponse_Action) Type() protoreflect.EnumType { - return &file_github_com_openconfig_gnsi_authz_authz_proto_enumTypes[0] + return &file_authz_authz_proto_enumTypes[0] } func (x ProbeResponse_Action) Number() protoreflect.EnumNumber { 
@@ -67,25 +87,49 @@ func (x ProbeResponse_Action) Number() protoreflect.EnumNumber { // Deprecated: Use ProbeResponse_Action.Descriptor instead. func (ProbeResponse_Action) EnumDescriptor() ([]byte, []int) { - return file_github_com_openconfig_gnsi_authz_authz_proto_rawDescGZIP(), []int{6, 0} + return file_authz_authz_proto_rawDescGZIP(), []int{6, 0} } +// Request messages to rotate existing gRPC-level Authorization Policy on +// the target. type RotateAuthzRequest struct { state protoimpl.MessageState `protogen:"open.v1"` + // Request Messages. + // // Types that are valid to be assigned to RotateRequest: // // *RotateAuthzRequest_UploadRequest // *RotateAuthzRequest_FinalizeRotation - RotateRequest isRotateAuthzRequest_RotateRequest `protobuf_oneof:"rotate_request"` - ForceOverwrite bool `protobuf:"varint,3,opt,name=force_overwrite,json=forceOverwrite,proto3" json:"force_overwrite,omitempty"` - AuthzProfileId string `protobuf:"bytes,4,opt,name=authz_profile_id,json=authzProfileId,proto3" json:"authz_profile_id,omitempty"` + RotateRequest isRotateAuthzRequest_RotateRequest `protobuf_oneof:"rotate_request"` + // If set to `true` the requested operation will succeed even if the specified + // `version` is already in use (is not unique). + // If set to `false` the requested operation will fail and the streaming RPC + // will be closed with the `ALREADY_EXISTS` gRPC error if the specified + // version` is already in use (is not unique). + // It is a no-op for the `finalize_rotation` request. + ForceOverwrite bool `protobuf:"varint,3,opt,name=force_overwrite,json=forceOverwrite,proto3" json:"force_overwrite,omitempty"` + // The profile for which the authz policy is being rotated. In the case that + // this field is not specified, the default authz policy which applies to all + // gRPC endpoints run by the target is assumed. Where non-default policies + // are to supported by an endpoint, the value of the profile determines which + // set of policies are to be rotated. 
+ // + // It is not permitted to rotate multiple profiles' policies at the same time + // - if a `Rotate` RPC is in progress for profile "foo" (i.e., + // `upload_request` has been supplied, but the rotation has not been + // finalised), and a second `RotateAuthzRequest` with `upload_request` is sent + // from the client for profile "bar" this is considered an error. + // + // Note that the authz profile is considered independent from a SSL profile + // ID (as referenced by gnsi.Certz). + AuthzProfileId string `protobuf:"bytes,4,opt,name=authz_profile_id,json=authzProfileId,proto3" json:"authz_profile_id,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } func (x *RotateAuthzRequest) Reset() { *x = RotateAuthzRequest{} - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[0] + mi := &file_authz_authz_proto_msgTypes[0] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -97,7 +141,7 @@ func (x *RotateAuthzRequest) String() string { func (*RotateAuthzRequest) ProtoMessage() {} func (x *RotateAuthzRequest) ProtoReflect() protoreflect.Message { - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[0] + mi := &file_authz_authz_proto_msgTypes[0] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -110,7 +154,7 @@ func (x *RotateAuthzRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use RotateAuthzRequest.ProtoReflect.Descriptor instead. func (*RotateAuthzRequest) Descriptor() ([]byte, []int) { - return file_github_com_openconfig_gnsi_authz_authz_proto_rawDescGZIP(), []int{0} + return file_authz_authz_proto_rawDescGZIP(), []int{0} } func (x *RotateAuthzRequest) GetRotateRequest() isRotateAuthzRequest_RotateRequest { 
@@ -168,8 +212,11 @@ func (*RotateAuthzRequest_UploadRequest) isRotateAuthzRequest_RotateRequest() {} func (*RotateAuthzRequest_FinalizeRotation) isRotateAuthzRequest_RotateRequest() {} +// Response messages from the target. type RotateAuthzResponse struct { state protoimpl.MessageState `protogen:"open.v1"` + // Response messages. + // // Types that are valid to be assigned to RotateResponse: // // *RotateAuthzResponse_UploadResponse @@ -180,7 +227,7 @@ type RotateAuthzResponse struct { func (x *RotateAuthzResponse) Reset() { *x = RotateAuthzResponse{} - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[1] + mi := &file_authz_authz_proto_msgTypes[1] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -192,7 +239,7 @@ func (x *RotateAuthzResponse) String() string { func (*RotateAuthzResponse) ProtoMessage() {} func (x *RotateAuthzResponse) ProtoReflect() protoreflect.Message { - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[1] + mi := &file_authz_authz_proto_msgTypes[1] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -205,7 +252,7 @@ func (x *RotateAuthzResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use RotateAuthzResponse.ProtoReflect.Descriptor instead. func (*RotateAuthzResponse) Descriptor() ([]byte, []int) { - return file_github_com_openconfig_gnsi_authz_authz_proto_rawDescGZIP(), []int{1} + return file_authz_authz_proto_rawDescGZIP(), []int{1} } func (x *RotateAuthzResponse) GetRotateResponse() isRotateAuthzResponse_RotateResponse { 
@@ -234,6 +281,12 @@ type RotateAuthzResponse_UploadResponse struct { func (*RotateAuthzResponse_UploadResponse) isRotateAuthzResponse_RotateResponse() {} +// A Finalize message is sent to the target to confirm the rotation of +// the gRPC-level Authorization Policy, indicating that it should not be +// rolled back when the stream concludes. +// Note that the gRPC-level Authorization Policy change is considered rolled +// back by the target if the target returns an error in response to the +// Finalize message. type FinalizeRequest struct { state protoimpl.MessageState `protogen:"open.v1"` unknownFields protoimpl.UnknownFields @@ -242,7 +295,7 @@ type FinalizeRequest struct { func (x *FinalizeRequest) Reset() { *x = FinalizeRequest{} - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[2] + mi := &file_authz_authz_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -254,7 +307,7 @@ func (x *FinalizeRequest) String() string { func (*FinalizeRequest) ProtoMessage() {} func (x *FinalizeRequest) ProtoReflect() protoreflect.Message { - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[2] + mi := &file_authz_authz_proto_msgTypes[2] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -267,21 +320,47 @@ func (x *FinalizeRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use FinalizeRequest.ProtoReflect.Descriptor instead. func (*FinalizeRequest) Descriptor() ([]byte, []int) { - return file_github_com_openconfig_gnsi_authz_authz_proto_rawDescGZIP(), []int{2} + return file_authz_authz_proto_rawDescGZIP(), []int{2} } +// UploadRequest instructs the target to store the given gRPC-level +// Authorization Policy. +// +// An UploadRequest must fail, if there is an active RotateAuthzRequest RPC +// stream. type UploadRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` - CreatedOn uint64 `protobuf:"varint,2,opt,name=created_on,json=createdOn,proto3" json:"created_on,omitempty"` - Policy string `protobuf:"bytes,3,opt,name=policy,proto3" json:"policy,omitempty"` + state protoimpl.MessageState `protogen:"open.v1"` + // `version` contains versioning information that is controlled by + // the policy manager and reported as-is by the telemetry reporting system + // (ie, transparent to the target policy management service). Policy managers + // should choose version strings as discrete as possible to ease alert + // generation (eg, for policies sourced from a bundle, the timestamp of + // the bundle should be used, not the time when the policy is pushed to + // a particular device). Also, this version string must be persisted by + // the device for preservation across system reboots / cold-starts. + Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` + // `created_on` contains information when the policy was created. + // This information is controlled by the policy manager and reported as-is + // by the telemetry reporting system (ie, transparent to the device policy + // management service). 
Policy manager should use the timestamp of the moment + // when policy was created, not the time when the policy is pushed to + // a particular device). + // Also, this timestamp must be persisted by the device for preservation + // across system reboots / cold-starts. + // `created_on` is a timestamp: the number of seconds since + // January 1st, 1970 00:00:00 GMT, a.k.a. unix epoch. + CreatedOn uint64 `protobuf:"varint,2,opt,name=created_on,json=createdOn,proto3" json:"created_on,omitempty"` + // The actual gRPC-level Authorization Policy. + // It is provided as a JSON formatted string whose structure is defined in + // https://github.com/grpc/proposal/blob/master/A43-grpc-authorization-api.md + Policy string `protobuf:"bytes,3,opt,name=policy,proto3" json:"policy,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } func (x *UploadRequest) Reset() { *x = UploadRequest{} - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[3] + mi := &file_authz_authz_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -293,7 +372,7 @@ func (x *UploadRequest) String() string { func (*UploadRequest) ProtoMessage() {} func (x *UploadRequest) ProtoReflect() protoreflect.Message { - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[3] + mi := &file_authz_authz_proto_msgTypes[3] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -306,7 +385,7 @@ func (x *UploadRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use UploadRequest.ProtoReflect.Descriptor instead. func (*UploadRequest) Descriptor() ([]byte, []int) { - return file_github_com_openconfig_gnsi_authz_authz_proto_rawDescGZIP(), []int{3} + return file_authz_authz_proto_rawDescGZIP(), []int{3} } func (x *UploadRequest) GetVersion() string { 
@@ -338,7 +417,7 @@ type UploadResponse struct { func (x *UploadResponse) Reset() { *x = UploadResponse{} - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[4] + mi := &file_authz_authz_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -350,7 +429,7 @@ func (x *UploadResponse) String() string { func (*UploadResponse) ProtoMessage() {} func (x *UploadResponse) ProtoReflect() protoreflect.Message { - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[4] + mi := &file_authz_authz_proto_msgTypes[4] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -363,20 +442,27 @@ func (x *UploadResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use UploadResponse.ProtoReflect.Descriptor instead. func (*UploadResponse) Descriptor() ([]byte, []int) { - return file_github_com_openconfig_gnsi_authz_authz_proto_rawDescGZIP(), []int{4} + return file_authz_authz_proto_rawDescGZIP(), []int{4} } +// ProbeRequest contains a single user name and the fully qualified name of the +// gRPC call being attempted. type ProbeRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - User string `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"` - Rpc string `protobuf:"bytes,2,opt,name=rpc,proto3" json:"rpc,omitempty"` + state protoimpl.MessageState `protogen:"open.v1"` + // The user name to be used to perform the evaluation. + User string `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"` + // The gRPC RPC name to be used to perform the evaluation. + // It has to be a fully qualified name, like: + // + // "/gnsi.ssh.Ssh/MutateHostCredentials" + Rpc string `protobuf:"bytes,2,opt,name=rpc,proto3" json:"rpc,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } func (x *ProbeRequest) Reset() { *x = ProbeRequest{} - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[5] + mi := &file_authz_authz_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -388,7 +474,7 @@ func (x *ProbeRequest) String() string { func (*ProbeRequest) ProtoMessage() {} func (x *ProbeRequest) ProtoReflect() protoreflect.Message { - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[5] + mi := &file_authz_authz_proto_msgTypes[5] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -401,7 +487,7 @@ func (x *ProbeRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use ProbeRequest.ProtoReflect.Descriptor instead. func (*ProbeRequest) Descriptor() ([]byte, []int) { - return file_github_com_openconfig_gnsi_authz_authz_proto_rawDescGZIP(), []int{5} + return file_authz_authz_proto_rawDescGZIP(), []int{5} } func (x *ProbeRequest) GetUser() string { @@ -418,6 +504,11 @@ func (x *ProbeRequest) GetRpc() string { return "" } +// ProbeResponse returns the ACK/NACK for a single user request +// as evaluated against the current policy, along with the version of the policy +// that the gRPC call/user were evaluated against. +// If no policy has been defined, the default response is ACTION_PERMIT, with +// a zero-length version string. type ProbeResponse struct { state protoimpl.MessageState `protogen:"open.v1"` Action ProbeResponse_Action `protobuf:"varint,1,opt,name=action,proto3,enum=gnsi.authz.v1.ProbeResponse_Action" json:"action,omitempty"` @@ -428,7 +519,7 @@ type ProbeResponse struct { func (x *ProbeResponse) Reset() { *x = ProbeResponse{} - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[6] + mi := &file_authz_authz_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -440,7 +531,7 @@ func (x *ProbeResponse) String() string { func (*ProbeResponse) ProtoMessage() {} func (x *ProbeResponse) ProtoReflect() protoreflect.Message { - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[6] + mi := &file_authz_authz_proto_msgTypes[6] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -453,7 +544,7 @@ func (x *ProbeResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use ProbeResponse.ProtoReflect.Descriptor instead. func (*ProbeResponse) Descriptor() ([]byte, []int) { - return file_github_com_openconfig_gnsi_authz_authz_proto_rawDescGZIP(), []int{6} + return file_authz_authz_proto_rawDescGZIP(), []int{6} } func (x *ProbeResponse) GetAction() ProbeResponse_Action { @@ -470,15 +561,18 @@ func (x *ProbeResponse) GetVersion() string { return "" } +// GetRequest used to request the gRPC-level Authorization Policy. type GetRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + state protoimpl.MessageState `protogen:"open.v1"` + // The profile for which the authz policy is being requested. + AuthzProfileId string `protobuf:"bytes,1,opt,name=authz_profile_id,json=authzProfileId,proto3" json:"authz_profile_id,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *GetRequest) Reset() { *x = GetRequest{} - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[7] + mi := &file_authz_authz_proto_msgTypes[7] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -490,7 +584,7 @@ func (x *GetRequest) String() string { func (*GetRequest) ProtoMessage() {} func (x *GetRequest) ProtoReflect() protoreflect.Message { - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[7] + mi := &file_authz_authz_proto_msgTypes[7] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -503,21 +597,51 @@ func (x *GetRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use GetRequest.ProtoReflect.Descriptor instead. func (*GetRequest) Descriptor() ([]byte, []int) { - return file_github_com_openconfig_gnsi_authz_authz_proto_rawDescGZIP(), []int{7} + return file_authz_authz_proto_rawDescGZIP(), []int{7} +} + +func (x *GetRequest) GetAuthzProfileId() string { + if x != nil { + return x.AuthzProfileId + } + return "" } +// GetResponse returns the requested instance of the gRPC-level Authorization +// Policy together with `version` and `created_on` information. type GetResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` - CreatedOn uint64 `protobuf:"varint,2,opt,name=created_on,json=createdOn,proto3" json:"created_on,omitempty"` - Policy string `protobuf:"bytes,3,opt,name=policy,proto3" json:"policy,omitempty"` + state protoimpl.MessageState `protogen:"open.v1"` + // `version` contains versioning information that is controlled by + // the policy manager and reported as-is by the telemetry reporting system + // (ie, transparent to the target policy management service). Policy managers + // should choose version strings as discrete as possible to ease alert + // generation (eg, for policies sourced from a bundle, the timestamp of + // the bundle should be used, not the time when the policy is pushed to + // a particular device). Also, this version string must be persisted by + // the device for preservation across system reboots / cold-starts. + Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` + // `created_on` contains information when the policy was created. + // This information is controlled by the policy manager and reported as-is + // by the telemetry reporting system (ie, transparent to the device policy + // management service). 
Policy manager should use the timestamp of the moment + // when policy was created, not the time when the policy is pushed to + // a particular device). + // Also, this timestamp should be persisted by the device for preservation + // across system reboots / cold-starts. + // `created_on` is a timestamp: the number of seconds since + // January 1st, 1970 00:00:00 GMT, a.k.a. unix epoch. + CreatedOn uint64 `protobuf:"varint,2,opt,name=created_on,json=createdOn,proto3" json:"created_on,omitempty"` + // The actual gRPC-level Authorization Policy. + // It is provided as a JSON formatted string whose structure is defined by + // gRPC. + Policy string `protobuf:"bytes,3,opt,name=policy,proto3" json:"policy,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } func (x *GetResponse) Reset() { *x = GetResponse{} - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[8] + mi := &file_authz_authz_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -529,7 +653,7 @@ func (x *GetResponse) String() string { func (*GetResponse) ProtoMessage() {} func (x *GetResponse) ProtoReflect() protoreflect.Message { - mi := &file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[8] + mi := &file_authz_authz_proto_msgTypes[8] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -542,7 +666,7 @@ func (x *GetResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use GetResponse.ProtoReflect.Descriptor instead. func (*GetResponse) Descriptor() ([]byte, []int) { - return file_github_com_openconfig_gnsi_authz_authz_proto_rawDescGZIP(), []int{8} + return file_authz_authz_proto_rawDescGZIP(), []int{8} } func (x *GetResponse) GetVersion() string { 
@@ -566,11 +690,11 @@ func (x *GetResponse) GetPolicy() string { return "" } -var File_github_com_openconfig_gnsi_authz_authz_proto protoreflect.FileDescriptor +var File_authz_authz_proto protoreflect.FileDescriptor -const file_github_com_openconfig_gnsi_authz_authz_proto_rawDesc = "" + +const file_authz_authz_proto_rawDesc = "" + "\n" + - ",github.com/openconfig/gnsi/authz/authz.proto\x12\rgnsi.authz.v1\"\x8f\x02\n" + + "\x11authz/authz.proto\x12\rgnsi.authz.v1\"\x8f\x02\n" + "\x12RotateAuthzRequest\x12E\n" + "\x0eupload_request\x18\x01 \x01(\v2\x1c.gnsi.authz.v1.UploadRequestH\x00R\ruploadRequest\x12M\n" + "\x11finalize_rotation\x18\x02 \x01(\v2\x1e.gnsi.authz.v1.FinalizeRequestH\x00R\x10finalizeRotation\x12'\n" + @@ -596,9 +720,10 @@ const file_github_com_openconfig_gnsi_authz_authz_proto_rawDesc = "" + "\x06Action\x12\x16\n" + "\x12ACTION_UNSPECIFIED\x10\x00\x12\x0f\n" + "\vACTION_DENY\x10\x01\x12\x11\n" + - "\rACTION_PERMIT\x10\x02\"\f\n" + + "\rACTION_PERMIT\x10\x02\"6\n" + "\n" + - "GetRequest\"^\n" + + "GetRequest\x12(\n" + + "\x10authz_profile_id\x18\x01 \x01(\tR\x0eauthzProfileId\"^\n" + "\vGetResponse\x12\x18\n" + "\aversion\x18\x01 \x01(\tR\aversion\x12\x1d\n" + "\n" + 
@@ -610,20 +735,20 @@ const file_github_com_openconfig_gnsi_authz_authz_proto_rawDesc = "" + "\x03Get\x12\x19.gnsi.authz.v1.GetRequest\x1a\x1a.gnsi.authz.v1.GetResponseB\"Z github.com/openconfig/gnsi/authzb\x06proto3" var ( - file_github_com_openconfig_gnsi_authz_authz_proto_rawDescOnce sync.Once - file_github_com_openconfig_gnsi_authz_authz_proto_rawDescData []byte + file_authz_authz_proto_rawDescOnce sync.Once + file_authz_authz_proto_rawDescData []byte ) -func file_github_com_openconfig_gnsi_authz_authz_proto_rawDescGZIP() []byte { - file_github_com_openconfig_gnsi_authz_authz_proto_rawDescOnce.Do(func() { - file_github_com_openconfig_gnsi_authz_authz_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_github_com_openconfig_gnsi_authz_authz_proto_rawDesc), len(file_github_com_openconfig_gnsi_authz_authz_proto_rawDesc))) +func file_authz_authz_proto_rawDescGZIP() []byte { + file_authz_authz_proto_rawDescOnce.Do(func() { + file_authz_authz_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_authz_authz_proto_rawDesc), len(file_authz_authz_proto_rawDesc))) }) - return file_github_com_openconfig_gnsi_authz_authz_proto_rawDescData + return file_authz_authz_proto_rawDescData } -var file_github_com_openconfig_gnsi_authz_authz_proto_enumTypes = make([]protoimpl.EnumInfo, 1) -var file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes = make([]protoimpl.MessageInfo, 9) -var file_github_com_openconfig_gnsi_authz_authz_proto_goTypes = []any{ +var file_authz_authz_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_authz_authz_proto_msgTypes = make([]protoimpl.MessageInfo, 9) +var file_authz_authz_proto_goTypes = []any{ (ProbeResponse_Action)(0), // 0: gnsi.authz.v1.ProbeResponse.Action (*RotateAuthzRequest)(nil), // 1: gnsi.authz.v1.RotateAuthzRequest (*RotateAuthzResponse)(nil), // 2: gnsi.authz.v1.RotateAuthzResponse 
@@ -635,7 +760,7 @@ var file_github_com_openconfig_gnsi_authz_authz_proto_goTypes = []any{ (*GetRequest)(nil), // 8: gnsi.authz.v1.GetRequest (*GetResponse)(nil), // 9: gnsi.authz.v1.GetResponse } -var file_github_com_openconfig_gnsi_authz_authz_proto_depIdxs = []int32{ +var file_authz_authz_proto_depIdxs = []int32{ 4, // 0: gnsi.authz.v1.RotateAuthzRequest.upload_request:type_name -> gnsi.authz.v1.UploadRequest 3, // 1: gnsi.authz.v1.RotateAuthzRequest.finalize_rotation:type_name -> gnsi.authz.v1.FinalizeRequest 5, // 2: gnsi.authz.v1.RotateAuthzResponse.upload_response:type_name -> gnsi.authz.v1.UploadResponse 
@@ -653,34 +778,34 @@ var file_github_com_openconfig_gnsi_authz_authz_proto_depIdxs = []int32{ 0, // [0:4] is the sub-list for field type_name } -func init() { file_github_com_openconfig_gnsi_authz_authz_proto_init() } -func file_github_com_openconfig_gnsi_authz_authz_proto_init() { - if File_github_com_openconfig_gnsi_authz_authz_proto != nil { +func init() { file_authz_authz_proto_init() } +func file_authz_authz_proto_init() { + if File_authz_authz_proto != nil { return } - file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[0].OneofWrappers = []any{ + file_authz_authz_proto_msgTypes[0].OneofWrappers = []any{ (*RotateAuthzRequest_UploadRequest)(nil), (*RotateAuthzRequest_FinalizeRotation)(nil), } - file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes[1].OneofWrappers = []any{ + file_authz_authz_proto_msgTypes[1].OneofWrappers = []any{ (*RotateAuthzResponse_UploadResponse)(nil), } type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_github_com_openconfig_gnsi_authz_authz_proto_rawDesc), len(file_github_com_openconfig_gnsi_authz_authz_proto_rawDesc)), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_authz_authz_proto_rawDesc), len(file_authz_authz_proto_rawDesc)), NumEnums: 1, NumMessages: 9, NumExtensions: 0, NumServices: 1, }, - GoTypes: file_github_com_openconfig_gnsi_authz_authz_proto_goTypes, - DependencyIndexes: file_github_com_openconfig_gnsi_authz_authz_proto_depIdxs, - EnumInfos: file_github_com_openconfig_gnsi_authz_authz_proto_enumTypes, - MessageInfos: file_github_com_openconfig_gnsi_authz_authz_proto_msgTypes, + GoTypes: file_authz_authz_proto_goTypes, + DependencyIndexes: file_authz_authz_proto_depIdxs, + EnumInfos: file_authz_authz_proto_enumTypes, + MessageInfos: file_authz_authz_proto_msgTypes, }.Build() - File_github_com_openconfig_gnsi_authz_authz_proto = out.File - 
 file_github_com_openconfig_gnsi_authz_authz_proto_goTypes = nil
- file_github_com_openconfig_gnsi_authz_authz_proto_depIdxs = nil
+ File_authz_authz_proto = out.File
+ file_authz_authz_proto_goTypes = nil
+ file_authz_authz_proto_depIdxs = nil
 }
diff --git a/authz/authz.proto b/authz/authz.proto
index 27920ccd..156e3156 100644
--- a/authz/authz.proto
+++ b/authz/authz.proto
@@ -251,6 +251,8 @@ message ProbeResponse {
 // GetRequest used to request the gRPC-level Authorization Policy.
 message GetRequest {
+ // The profile for which the authz policy is being requested.
+ string authz_profile_id = 1;
 }
 // GetResponse returns the requested instance of the gRPC-level Authorization
diff --git a/authz/authz_grpc.pb.go b/authz/authz_grpc.pb.go
index bc9a44d9..a934fae8 100644
--- a/authz/authz_grpc.pb.go
+++ b/authz/authz_grpc.pb.go
@@ -1,8 +1,27 @@
+//
+// Copyright 2021, 2022 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+// This file defines the gNSI API to be used for gRPC-level Authorization Policy
+// management.
+
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
-// - protoc v6.32.0
-// source: github.com/openconfig/gnsi/authz/authz.proto
+// - protoc-gen-go-grpc v1.6.1
+// - protoc v3.21.12
+// source: authz/authz.proto
 package authz
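Review bot: The new `authz_profile_id` field in `GetRequest` does not say what the target returns when the field is empty or names a profile that has no policy, whereas the same field on `RotateAuthzRequest` spells out that an unspecified profile means the default policy that applies to all gRPC endpoints. A client asking for an unknown profile and silently receiving the default policy would misjudge which policy actually governs that endpoint, so the comment should pin both cases, e.g. `// If unset, the default authz policy that applies to all gRPC endpoints is returned.` and `// A profile for which no policy has been rotated is an error, not a fallback to the default.`, and should note, as the Rotate field does, that the authz profile is independent of the Certz SSL profile ID. Separately, the regenerated authz.pb.go and authz_grpc.pb.go in the same commit rename the descriptor from `File_github_com_openconfig_gnsi_authz_authz_proto` to `File_authz_authz_proto` (source path `authz/authz.proto`), move from protoc v6.32.0 to v3.21.12, and add `mustEmbedUnimplementedAuthzServer()` to the `AuthzServer` interface, which appears to come from a different generator invocation than the checked-in files. The new embed requirement would break any existing `AuthzServer` implementation that does not embed `UnimplementedAuthzServer`, and the source-path change alters the name the descriptor registers under, so regenerating with the repository's usual tooling seems worth confirming before merging.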
@@ -28,8 +47,51 @@ const ( // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. type AuthzClient interface { + // Rotate will replace an existing gRPC-level Authorization Policy on the + // target. + // + // If the stream is broken or any of the steps fail the + // target must rollback to the original state, i.e. revert any changes to + // the gRPC-level Authorization Policy made during this RPC. + // + // Note that only one such RPC can be in progress. An attempt to call this + // RPC while another is already in progress will be rejected with the + // `UNAVAILABLE` gRPC error. + // + // The following describes the sequence of messages that must be exchanged + // in the Rotate() RPC. + // + // Sequence of expected messages: + // + // Step 1: Start the stream + // Client ----> Rotate() RPC stream begin ------> Target + // + // Step 2: Send gRPC-level Authorization Policy to Target. + // Client --> UploadRequest(authz_policy) ----> Target + // Client <-- UploadResponse <--- Target + // + // Step 3 (optional): Test/Validation by the client. + // During this step client attempts to call a RPC that is allowed + // in the new policy and validates that the new policy "works". + // Additionally the client should call a RPC that is not allowed and + // the attempt must fail proving that the gRPC-level Authorization Policy + // "works". + // Once verified, the client then proceeds to finalize the rotation. + // If the new verification did not succeed the client will cancel the + // RPC thereby forcing the target to rollback of the new gRPC-level + // Authorization Policy. + // + // Step 4: Final commit. 
+ // Client ---> FinalizeRequest ----> Target Rotate(ctx context.Context, opts ...grpc.CallOption) (grpc.BidiStreamingClient[RotateAuthzRequest, RotateAuthzResponse], error) + // Probe allows for evaluation of the gRPC-level Authorization Policy engine + // response to a gRPC call performed by a user. + // The response is based on the instance of policy specified in the request + // and is evaluated without actually performing the gRPC call. Probe(ctx context.Context, in *ProbeRequest, opts ...grpc.CallOption) (*ProbeResponse, error) + // Get returns current instance of the gRPC-level Authorization Policy + // together with its version and created-on information. + // If no policy has been set, Get() returns FAILED_PRECONDITION. Get(ctx context.Context, in *GetRequest, opts ...grpc.CallOption) (*GetResponse, error) } 
@@ -75,15 +137,59 @@ func (c *authzClient) Get(ctx context.Context, in *GetRequest, opts ...grpc.Call } // AuthzServer is the server API for Authz service. -// All implementations should embed UnimplementedAuthzServer +// All implementations must embed UnimplementedAuthzServer // for forward compatibility. type AuthzServer interface { + // Rotate will replace an existing gRPC-level Authorization Policy on the + // target. + // + // If the stream is broken or any of the steps fail the + // target must rollback to the original state, i.e. revert any changes to + // the gRPC-level Authorization Policy made during this RPC. + // + // Note that only one such RPC can be in progress. An attempt to call this + // RPC while another is already in progress will be rejected with the + // `UNAVAILABLE` gRPC error. + // + // The following describes the sequence of messages that must be exchanged + // in the Rotate() RPC. + // + // Sequence of expected messages: + // + // Step 1: Start the stream + // Client ----> Rotate() RPC stream begin ------> Target + // + // Step 2: Send gRPC-level Authorization Policy to Target. + // Client --> UploadRequest(authz_policy) ----> Target + // Client <-- UploadResponse <--- Target + // + // Step 3 (optional): Test/Validation by the client. + // During this step client attempts to call a RPC that is allowed + // in the new policy and validates that the new policy "works". + // Additionally the client should call a RPC that is not allowed and + // the attempt must fail proving that the gRPC-level Authorization Policy + // "works". + // Once verified, the client then proceeds to finalize the rotation. + // If the new verification did not succeed the client will cancel the + // RPC thereby forcing the target to rollback of the new gRPC-level + // Authorization Policy. + // + // Step 4: Final commit. 
+ // Client ---> FinalizeRequest ----> Target Rotate(grpc.BidiStreamingServer[RotateAuthzRequest, RotateAuthzResponse]) error + // Probe allows for evaluation of the gRPC-level Authorization Policy engine + // response to a gRPC call performed by a user. + // The response is based on the instance of policy specified in the request + // and is evaluated without actually performing the gRPC call. Probe(context.Context, *ProbeRequest) (*ProbeResponse, error) + // Get returns current instance of the gRPC-level Authorization Policy + // together with its version and created-on information. + // If no policy has been set, Get() returns FAILED_PRECONDITION. Get(context.Context, *GetRequest) (*GetResponse, error) + mustEmbedUnimplementedAuthzServer() } -// UnimplementedAuthzServer should be embedded to have +// UnimplementedAuthzServer must be embedded to have // forward compatible implementations. // // NOTE: this should be embedded by value instead of pointer to avoid a nil 
@@ -91,15 +197,16 @@ type AuthzServer interface { type UnimplementedAuthzServer struct{} func (UnimplementedAuthzServer) Rotate(grpc.BidiStreamingServer[RotateAuthzRequest, RotateAuthzResponse]) error { - return status.Errorf(codes.Unimplemented, "method Rotate not implemented") + return status.Error(codes.Unimplemented, "method Rotate not implemented") } func (UnimplementedAuthzServer) Probe(context.Context, *ProbeRequest) (*ProbeResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method Probe not implemented") + return nil, status.Error(codes.Unimplemented, "method Probe not implemented") } func (UnimplementedAuthzServer) Get(context.Context, *GetRequest) (*GetResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method Get not implemented") + return nil, status.Error(codes.Unimplemented, "method Get not implemented") } -func (UnimplementedAuthzServer) testEmbeddedByValue() {} +func (UnimplementedAuthzServer) mustEmbedUnimplementedAuthzServer() {} +func (UnimplementedAuthzServer) testEmbeddedByValue() {} // UnsafeAuthzServer may be embedded to opt out of forward compatibility for this service. // Use of this interface is not recommended, as added methods to AuthzServer will @@ -109,7 +216,7 @@ type UnsafeAuthzServer interface { } func RegisterAuthzServer(s grpc.ServiceRegistrar, srv AuthzServer) { - // If the following call pancis, it indicates UnimplementedAuthzServer was + // If the following call panics, it indicates UnimplementedAuthzServer was // embedded by pointer and is nil. This will cause panics if an // unimplemented method is ever invoked, so we test this at initialization // time to prevent it from happening at runtime later due to I/O. @@ -186,5 +293,5 @@ var Authz_ServiceDesc = grpc.ServiceDesc{ ClientStreams: true, }, }, - Metadata: "github.com/openconfig/gnsi/authz/authz.proto", + Metadata: "authz/authz.proto", }