
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
syntax = "proto3";
package controller.api.services.v1;
import "controller/api/resources/authmethods/v1/auth_method.proto";
import "controller/api/resources/authtokens/v1/authtoken.proto";
import "controller/custom_options/v1/options.proto";
import "google/api/annotations.proto";
import "google/api/visibility.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/struct.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
option go_package = "github.com/hashicorp/boundary/internal/gen/controller/api/services;services";
option (custom_options.v1.domain) = "auth";
// AuthMethodService exposes create/read/update/delete and state management
// for Auth Methods, plus the Authenticate call that exchanges credentials
// for an Auth Token.
service AuthMethodService {
  // GetAuthMethod returns a stored Auth Method if present. The provided request
  // must include the Auth Method id. If it is missing, malformed, or references
  // a non-existent resource, an error is returned.
  rpc GetAuthMethod(GetAuthMethodRequest) returns (GetAuthMethodResponse) {
    option (google.api.http) = {
      get: "/v1/auth-methods/{id}"
      response_body: "item"
    };
    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Gets a single Auth Method."};
  }
  // ListAuthMethods returns a list of stored Auth Methods which are in the
  // provided scope. The request must include the scope id; if it is missing,
  // malformed, or references a non-existent scope, an error is returned.
  rpc ListAuthMethods(ListAuthMethodsRequest) returns (ListAuthMethodsResponse) {
    option (google.api.http) = {get: "/v1/auth-methods"};
    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Lists all Auth Methods."};
  }
  // CreateAuthMethod creates and stores an Auth Method in Boundary. The
  // provided request must include the scope in which the Auth Method will be
  // created. If the scope id is missing, malformed, or references a
  // non-existent resource, an error is returned. If a name is provided that is
  // already in use by another Auth Method in the same scope, an error is
  // returned.
  rpc CreateAuthMethod(CreateAuthMethodRequest) returns (CreateAuthMethodResponse) {
    option (google.api.http) = {
      post: "/v1/auth-methods"
      body: "item"
      response_body: "item"
    };
    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Creates a single Auth Method."};
  }
  // UpdateAuthMethod updates an existing Auth Method in Boundary. The provided
  // Auth Method must not have any read-only fields set. The update mask must be
  // included in the request and contain at least one mutable field. To unset
  // a field's value, include the field in the update mask and leave it unset
  // in the provided Auth Method. An error is returned if the Auth Method id is
  // missing or references a non-existent resource. An error is also returned if
  // the request attempts to update the name to one that is already in use by
  // another Auth Method in the parent scope.
  rpc UpdateAuthMethod(UpdateAuthMethodRequest) returns (UpdateAuthMethodResponse) {
    option (google.api.http) = {
      patch: "/v1/auth-methods/{id}"
      body: "item"
      response_body: "item"
    };
    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Updates an Auth Method."};
  }
  // DeleteAuthMethod removes an Auth Method from Boundary. If the Auth Method id
  // is malformed or not provided, an error is returned.
  rpc DeleteAuthMethod(DeleteAuthMethodRequest) returns (DeleteAuthMethodResponse) {
    option (google.api.http) = {delete: "/v1/auth-methods/{id}"};
    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Deletes an AuthMethod"};
  }
  // ChangeState changes the state of an Auth Method in Boundary. The target
  // state and any type-specific flags travel in the request's attributes (see
  // ChangeStateRequest and OidcChangeStateAttributes); the request must also
  // carry the resource version, and the mutation fails if it does not match
  // the stored resource.
  rpc ChangeState(ChangeStateRequest) returns (ChangeStateResponse) {
    option (google.api.http) = {
      post: "/v1/auth-methods/{id}:change-state"
      body: "*"
      response_body: "item"
    };
    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Changes the state of an OIDC AuthMethod"};
  }
  // Authenticate validates the provided credentials against the Auth Method
  // named by auth_method_id and returns an Auth Token. The request's command
  // selects the flow and the credential material travels in its attributes;
  // the keys expected per Auth Method type are described by
  // PasswordLoginAttributes, OidcStartAttributes and LdapLoginAttributes.
  rpc Authenticate(AuthenticateRequest) returns (AuthenticateResponse) {
    option (google.api.http) = {
      post: "/v1/auth-methods/{auth_method_id}:authenticate"
      body: "*"
    };
    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Authenticate a user to an scope and retrieve an authentication token."};
  }
}
// GetAuthMethodRequest identifies the Auth Method to fetch.
message GetAuthMethodRequest {
  // The id of the Auth Method to retrieve.
  string id = 1; // @gotags: `class:"public" eventstream:"observation"`
}
// GetAuthMethodResponse carries the requested Auth Method.
message GetAuthMethodResponse {
  // The stored Auth Method that was requested.
  resources.authmethods.v1.AuthMethod item = 1;
}
// ListAuthMethodsRequest selects which Auth Methods to list.
message ListAuthMethodsRequest {
  // The id of the scope whose Auth Methods are listed. Required.
  string scope_id = 1 [json_name = "scope_id"]; // @gotags: `class:"public" eventstream:"observation"`
  // NOTE(review): presumably widens the listing to child scopes of scope_id;
  // confirm against the handler.
  bool recursive = 20 [json_name = "recursive"]; // @gotags: `class:"public" eventstream:"observation"`
  // Optional filter expression applied to the returned items; its grammar is
  // not defined in this file.
  string filter = 30 [json_name = "filter"]; // @gotags: `class:"public"`
}
// ListAuthMethodsResponse carries the Auth Methods matching the request.
message ListAuthMethodsResponse {
  // The Auth Methods found in the requested scope.
  repeated resources.authmethods.v1.AuthMethod items = 1;
}
// CreateAuthMethodRequest carries the Auth Method to create.
message CreateAuthMethodRequest {
  // The Auth Method to store; it must name the scope it is created in.
  resources.authmethods.v1.AuthMethod item = 1;
}
// CreateAuthMethodResponse returns the newly created Auth Method.
message CreateAuthMethodResponse {
  // The URI at which the created Auth Method can be retrieved.
  string uri = 1; // @gotags: `class:"public" eventstream:"observation"`
  // The Auth Method as stored.
  resources.authmethods.v1.AuthMethod item = 2;
}
// UpdateAuthMethodRequest carries a partial update to an existing Auth Method.
message UpdateAuthMethodRequest {
  // The id of the Auth Method to update.
  string id = 1; // @gotags: `class:"public" eventstream:"observation"`
  // The new field values; read-only fields must not be set.
  resources.authmethods.v1.AuthMethod item = 2;
  // The fields of item to apply. To clear a field, list it here and leave it
  // unset on item. Must contain at least one mutable field.
  google.protobuf.FieldMask update_mask = 3 [json_name = "update_mask"];
}
// UpdateAuthMethodResponse returns the Auth Method after the update.
message UpdateAuthMethodResponse {
  // The updated Auth Method as stored.
  resources.authmethods.v1.AuthMethod item = 1;
}
// DeleteAuthMethodRequest identifies the Auth Method to remove.
message DeleteAuthMethodRequest {
  // The id of the Auth Method to delete.
  string id = 1; // @gotags: `class:"public" eventstream:"observation"`
}
// DeleteAuthMethodResponse is intentionally empty; it is kept as a dedicated
// message so fields can be added later without changing the RPC signature.
message DeleteAuthMethodResponse {}
// Attributes specific to changing the state of an oidc auth method.
message OidcChangeStateAttributes {
  // state must be `inactive`, `active-private`, or `active-public`
  string state = 1; // @gotags: `class:"public"`
  // This flag is only useful for an oidc auth method. It should not be used
  // unless the oidc provider's config is incorrectly set and is stopping the
  // activation of this auth method.
  // NOTE(review): presumably skips the check of the configured values against
  // the provider's discovered configuration, so a misconfigured provider can
  // be activated anyway — confirm against the handler and document the
  // resulting risk where the flag is exposed.
  bool disable_discovered_config_validation = 2 [json_name = "disable_discovered_config_validation"]; // @gotags: `class:"public"`
}
// ChangeStateRequest asks to move an Auth Method to a new state.
message ChangeStateRequest {
  // The id of the Auth Method whose state is changed.
  // NOTE(review): the id fields on the other request messages in this file
  // also carry eventstream:"observation"; confirm whether its absence here is
  // intentional.
  string id = 1; // @gotags: `class:"public"`
  // Version is used to ensure this resource has not changed.
  // The mutation will fail if the version does not match the latest known good version.
  uint32 version = 2; // @gotags: `class:"public"`
  // Exactly one representation of the state-change attributes is set.
  oneof attrs {
    // The attributes specific to this auth method's state.
    google.protobuf.Struct attributes = 4 [(custom_options.v1.subtype) = "default"];
    // Typed form of the attributes for oidc auth methods; restricted to the
    // INTERNAL visibility label.
    OidcChangeStateAttributes oidc_change_state_attributes = 5 [
      (custom_options.v1.subtype) = "oidc",
      (google.api.field_visibility).restriction = "INTERNAL"
    ];
  }
}
// ChangeStateResponse returns the Auth Method after the state change.
message ChangeStateResponse {
  // The Auth Method in its new state.
  resources.authmethods.v1.AuthMethod item = 1;
}
// The layout of the struct for the "attributes" field in AuthenticateRequest
// for a password type. This message isn't directly referenced anywhere but is
// used here to define the expected field names and types.
message PasswordLoginAttributes {
  // The login name of the password account; tagged sensitive for the event
  // pipeline.
  string login_name = 1 [json_name = "login_name"]; // @gotags: `class:"sensitive"`
  // The account password; tagged secret so the event pipeline can treat it
  // accordingly.
  string password = 2; // @gotags: `class:"secret"`
}
// The layout of the struct for the "attributes" field in AuthenticateRequest
// for an oidc type's start command. This message isn't directly referenced
// anywhere but is used here to define the expected field names and types.
message OidcStartAttributes {
  // An object which will be marshaled as JSON and roundtripped in the token
  // command call.
  google.protobuf.Struct roundtrip_payload = 1 [json_name = "roundtrip_payload"];
  // Cached marshaled payload. This is not ingressed from the client; anything
  // found will be thrown out.
  string cached_roundtrip_payload = 2; // @gotags: `class:"sensitive"`
}
// The layout of the struct for "attributes" field in AuthenticateRequest for an
// ldap type. This message isn't directly referenced anywhere but is used here
// to define the expected field names and types.
message LdapLoginAttributes {
  // The login name of the ldap account; tagged sensitive for the event
  // pipeline.
  string login_name = 10 [json_name = "login_name"]; // @gotags: `class:"sensitive"`
  // The account password; tagged secret so the event pipeline can treat it
  // accordingly.
  string password = 20; // @gotags: `class:"secret"`
}
// AuthenticateRequest carries the command and credentials for one step of an
// authentication flow against a specific Auth Method.
message AuthenticateRequest {
  // The ID of the Auth Method in the system that should be used for authentication.
  string auth_method_id = 1 [json_name = "auth_method_id"]; // @gotags: `class:"public" eventstream:"observation"`
  // This can be "cookie" or "token". If not provided, "token" will be used.
  // "cookie" activates a split-cookie method where the token is split partially
  // between http-only and regular cookies in order to keep it safe from rogue
  // JS in the browser. Deprecated, use "type" instead.
  string token_type = 2 [
    json_name = "token_type",
    deprecated = true
  ]; // @gotags: `class:"public"`
  // This can be "cookie" or "token". If not provided, "token" will be used.
  // "cookie" activates a split-cookie method where the token is split partially
  // between http-only and regular cookies in order to keep it safe from rogue
  // JS in the browser.
  string type = 6 [json_name = "type"]; // @gotags: `class:"public" eventstream:"observation"`
  // Exactly one of the attribute representations is set; the typed variants
  // are restricted to the INTERNAL visibility label.
  oneof attrs {
    // Attributes are passed to the Auth Method; the valid keys and values
    // depend on the type of Auth Method as well as the command.
    google.protobuf.Struct attributes = 4;
    // Note: these fields have a custom mapping function for transforming to and
    // from the generic attributes, they do not use the standard attribute
    // transformation.
    PasswordLoginAttributes password_login_attributes = 7 [(google.api.field_visibility).restriction = "INTERNAL"];
    OidcStartAttributes oidc_start_attributes = 8 [(google.api.field_visibility).restriction = "INTERNAL"];
    controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateCallbackRequest oidc_auth_method_authenticate_callback_request = 9 [(google.api.field_visibility).restriction = "INTERNAL"];
    controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateTokenRequest oidc_auth_method_authenticate_token_request = 10 [(google.api.field_visibility).restriction = "INTERNAL"];
    LdapLoginAttributes ldap_login_attributes = 11 [(google.api.field_visibility).restriction = "INTERNAL"];
  }
  // The command to perform.
  string command = 5 [json_name = "command"]; // @gotags: `class:"public"`
  // Deprecated fields: field 3 ("credentials") was removed and is reserved so
  // neither the number nor the name is reused.
  reserved "credentials";
  reserved 3;
}
// AuthenticateResponse carries the result of one step of an authentication
// flow; for a completed flow this includes the issued Auth Token.
message AuthenticateResponse {
  reserved 1, 2; // Old item and token_type
  reserved "item", "token_type";
  // The type of the token returned. Either "cookie" or "token".
  string type = 3; // @gotags: `class:"public" eventstream:"observation"`
  // Exactly one of the attribute representations is set; the typed variants
  // are restricted to the INTERNAL visibility label.
  oneof attrs {
    // Valid keys and values depend on the type of Auth Method as well as the
    // command.
    google.protobuf.Struct attributes = 4 [json_name = "attributes"];
    // Note: these fields have a custom mapping function for transforming to and
    // from the generic attributes, they do not use the standard attribute
    // transformation.
    controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateStartResponse oidc_auth_method_authenticate_start_response = 6 [(google.api.field_visibility).restriction = "INTERNAL"];
    controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateCallbackResponse oidc_auth_method_authenticate_callback_response = 7 [(google.api.field_visibility).restriction = "INTERNAL"];
    controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateTokenResponse oidc_auth_method_authenticate_token_response = 8 [(google.api.field_visibility).restriction = "INTERNAL"];
    // The Auth Token issued when the flow completes.
    controller.api.resources.authtokens.v1.AuthToken auth_token_response = 9 [(google.api.field_visibility).restriction = "INTERNAL"];
  }
  // The command that was performed.
  string command = 5 [json_name = "command"]; // @gotags: `class:"public"`
}