// Copyright (c) HashiCorp, Inc. // SPDX-License-Identifier: MPL-2.0 syntax = "proto3"; package controller.api.services.v1; import "controller/api/resources/authmethods/v1/auth_method.proto"; import "controller/api/resources/authtokens/v1/authtoken.proto"; import "controller/custom_options/v1/options.proto"; import "google/api/annotations.proto"; import "google/api/visibility.proto"; import "google/protobuf/field_mask.proto"; import "google/protobuf/struct.proto"; import "protoc-gen-openapiv2/options/annotations.proto"; option go_package = "github.com/hashicorp/boundary/internal/gen/controller/api/services;services"; option (custom_options.v1.domain) = "auth"; service AuthMethodService { // GetAuthMethod returns a stored Auth Method if present. The provided request // must include the Auth Method id. If missing, malformed or referencing a // non existing resource an error is returned. rpc GetAuthMethod(GetAuthMethodRequest) returns (GetAuthMethodResponse) { option (google.api.http) = { get: "/v1/auth-methods/{id}" response_body: "item" }; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Gets a single Auth Method."}; } // ListAuthMethods returns a list of stored Auth Methods which are in the // provided scope. The request must include the scope id and if missing, // malformed, or referencing a non existing scope, an error is returned. rpc ListAuthMethods(ListAuthMethodsRequest) returns (ListAuthMethodsResponse) { option (google.api.http) = {get: "/v1/auth-methods"}; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Lists all Auth Methods."}; } // CreateAuthMethod creates and stores an Auth Method in boundary. The // provided request must include the scope in which the Auth Method will be // created. If the scope id is missing, malformed or referencing a // non existing resource an error is returned. If a name is provided that is // in use in another Auth Method in the same scope, an error is returned. rpc CreateAuthMethod(CreateAuthMethodRequest) returns (CreateAuthMethodResponse) { option (google.api.http) = { post: "/v1/auth-methods" body: "item" response_body: "item" }; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Creates a single Auth Method."}; } // UpdateAuthMethod updates an existing Auth Method in boundary. The provided // Auth Method must not have any read only fields set. The update mask must be // included in the request and contain at least 1 mutable field. To unset // a field's value, include the field in the update mask and don't set it // in the provided user. An error is returned if the Auth Method id is missing // or reference a non existing resource. An error is also returned if the // request attempts to update the name to one that is already in use by // another Auth Method in the parent scope. rpc UpdateAuthMethod(UpdateAuthMethodRequest) returns (UpdateAuthMethodResponse) { option (google.api.http) = { patch: "/v1/auth-methods/{id}" body: "item" response_body: "item" }; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Updates an Auth Method."}; } // DeleteAuthMethod removes an Auth Method from Boundary. If the Auth Method id // is malformed or not provided an error is returned. rpc DeleteAuthMethod(DeleteAuthMethodRequest) returns (DeleteAuthMethodResponse) { option (google.api.http) = {delete: "/v1/auth-methods/{id}"}; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Deletes an AuthMethod"}; } // ChangeState changes the state of an Auth Method from Boundary. rpc ChangeState(ChangeStateRequest) returns (ChangeStateResponse) { option (google.api.http) = { post: "/v1/auth-methods/{id}:change-state" body: "*" response_body: "item" }; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Changes the state of an OIDC AuthMethod"}; } // Authenticate validates credentials provided and returns an Auth Token. rpc Authenticate(AuthenticateRequest) returns (AuthenticateResponse) { option (google.api.http) = { post: "/v1/auth-methods/{auth_method_id}:authenticate" body: "*" }; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Authenticate a user to an scope and retrieve an authentication token."}; } } message GetAuthMethodRequest { string id = 1; // @gotags: `class:"public" eventstream:"observation"` } message GetAuthMethodResponse { resources.authmethods.v1.AuthMethod item = 1; } message ListAuthMethodsRequest { string scope_id = 1 [json_name = "scope_id"]; // @gotags: `class:"public" eventstream:"observation"` bool recursive = 20 [json_name = "recursive"]; // @gotags: `class:"public" eventstream:"observation"` string filter = 30 [json_name = "filter"]; // @gotags: `class:"public"` } message ListAuthMethodsResponse { repeated resources.authmethods.v1.AuthMethod items = 1; } message CreateAuthMethodRequest { resources.authmethods.v1.AuthMethod item = 1; } message CreateAuthMethodResponse { string uri = 1; // @gotags: `class:"public" eventstream:"observation"` resources.authmethods.v1.AuthMethod item = 2; } message UpdateAuthMethodRequest { string id = 1; // @gotags: `class:"public" eventstream:"observation"` resources.authmethods.v1.AuthMethod item = 2; google.protobuf.FieldMask update_mask = 3 [json_name = "update_mask"]; } message UpdateAuthMethodResponse { resources.authmethods.v1.AuthMethod item = 1; } message DeleteAuthMethodRequest { string id = 1; // @gotags: `class:"public" eventstream:"observation"` } message DeleteAuthMethodResponse {} // Attributes specific to changing the state of an oidc auth method. message OidcChangeStateAttributes { // state must be `inactive`, `active-private`, or `active-public` string state = 1; // @gotags: `class:"public"` // This flag is only useful for an oidc auth method. It should not be used // unless the oidc provider's config is incorrectly set and is stopping the // activation of this auth method. bool disable_discovered_config_validation = 2 [json_name = "disable_discovered_config_validation"]; // @gotags: `class:"public"` } message ChangeStateRequest { string id = 1; // @gotags: `class:"public"` // Version is used to ensure this resource has not changed. // The mutation will fail if the version does not match the latest known good version. uint32 version = 2; // @gotags: `class:"public"` oneof attrs { // The attributes specific to this auth method's state. google.protobuf.Struct attributes = 4 [(custom_options.v1.subtype) = "default"]; OidcChangeStateAttributes oidc_change_state_attributes = 5 [ (custom_options.v1.subtype) = "oidc", (google.api.field_visibility).restriction = "INTERNAL" ]; } } message ChangeStateResponse { resources.authmethods.v1.AuthMethod item = 1; } // The layout of the struct for "attributes" field in AuthenticateRequest for a password type. This message isn't directly referenced anywhere but is used here to define the expected field names and // types. message PasswordLoginAttributes { string login_name = 1 [json_name = "login_name"]; // @gotags: `class:"sensitive"` string password = 2; // @gotags: `class:"secret"` } // The layout of the struct for "attributes" field in AuthenticateRequest for a oidc type's start command. This message isn't directly referenced anywhere but is used here to define the expected field // names and types. message OidcStartAttributes { // An object which will be marshaled as JSON and roundtripped in the token command call. google.protobuf.Struct roundtrip_payload = 1 [json_name = "roundtrip_payload"]; // Cached marshaled payload. This is not ingressed from the client; anything found will be thrown out. string cached_roundtrip_payload = 2; // @gotags: `class:"sensitive"` } // The layout of the struct for "attributes" field in AuthenticateRequest for an // ldap type. This message isn't directly referenced anywhere but is used here // to define the expected field names and types. message LdapLoginAttributes { string login_name = 10 [json_name = "login_name"]; // @gotags: `class:"sensitive"` string password = 20; // @gotags: `class:"secret"` } message AuthenticateRequest { // The ID of the Auth Method in the system that should be used for authentication. string auth_method_id = 1 [json_name = "auth_method_id"]; // @gotags: `class:"public" eventstream:"observation"` // This can be "cookie" or "token". If not provided, "token" will be used. "cookie" activates a split-cookie method where the token is split partially between http-only and regular cookies in order // to keep it safe from rogue JS in the browser. Deprecated, use "type" instead. string token_type = 2 [ json_name = "token_type", deprecated = true ]; // @gotags: `class:"public"` // This can be "cookie" or "token". If not provided, "token" will be used. "cookie" activates a split-cookie method where the token is split partially between http-only and regular cookies in order // to keep it safe from rogue JS in the browser. string type = 6 [json_name = "type"]; // @gotags: `class:"public" eventstream:"observation"` oneof attrs { // Attributes are passed to the Auth Method; the valid keys and values depend on the type of Auth Method as well as the command. google.protobuf.Struct attributes = 4; // Note: these fields have a custom mapping function for transforming to and from the generic attributes, // they do not use the standard attribute transformation. PasswordLoginAttributes password_login_attributes = 7 [(google.api.field_visibility).restriction = "INTERNAL"]; OidcStartAttributes oidc_start_attributes = 8 [(google.api.field_visibility).restriction = "INTERNAL"]; controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateCallbackRequest oidc_auth_method_authenticate_callback_request = 9 [(google.api.field_visibility).restriction = "INTERNAL"]; controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateTokenRequest oidc_auth_method_authenticate_token_request = 10 [(google.api.field_visibility).restriction = "INTERNAL"]; LdapLoginAttributes ldap_login_attributes = 11 [(google.api.field_visibility).restriction = "INTERNAL"]; } // The command to perform. string command = 5 [json_name = "command"]; // @gotags: `class:"public"` // Deprecated fields reserved "credentials"; reserved 3; } message AuthenticateResponse { reserved 1, 2; // Old item and token_type reserved "item", "token_type"; // The type of the token returned. Either "cookie" or "token". string type = 3; // @gotags: `class:"public" eventstream:"observation"` oneof attrs { // Valid keys and values depend on the type of Auth Method as well as the command. google.protobuf.Struct attributes = 4 [json_name = "attributes"]; // Note: these fields have a custom mapping function for transforming to and from the generic attributes, // they do not use the standard attribute transformation. controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateStartResponse oidc_auth_method_authenticate_start_response = 6 [(google.api.field_visibility).restriction = "INTERNAL"]; controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateCallbackResponse oidc_auth_method_authenticate_callback_response = 7 [(google.api.field_visibility).restriction = "INTERNAL"]; controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateTokenResponse oidc_auth_method_authenticate_token_response = 8 [(google.api.field_visibility).restriction = "INTERNAL"]; controller.api.resources.authtokens.v1.AuthToken auth_token_response = 9 [(google.api.field_visibility).restriction = "INTERNAL"]; } // The command that was performed. string command = 5 [json_name = "command"]; // @gotags: `class:"public"` }