diff --git a/proto/zitadel/authorizations/v2/authorization.proto b/proto/zitadel/authorizations/v2/authorization.proto
new file mode 100644
index 0000000000..d410cf5367
--- /dev/null
+++ b/proto/zitadel/authorizations/v2/authorization.proto
@@ -0,0 +1,104 @@ +syntax = "proto3"; + +package zitadel.authorizations.v2; + +import "validate/validate.proto"; +import "zitadel/object/v2/object.proto"; + +message AuthorizationQuery { + oneof query { + option (validate.required) = true; + + // Search for authorizations by their ID. + AuthorizationIDQuery authorization_id_query = 1; + // Search for authorizations by the ID of the user who was granted the authorization. + UserIDQuery user_id_query = 2; + // Search for authorizations by the ID of the organisation the user is part of. + UserOrganizationIDQuery user_organization_id_query = 3; + // Search for authorizations by the ID of the project the user was granted the authorization for. + ProjectIDQuery project_id_query = 4; + // Search for authorizations by the ID of the project grant the user was granted the authorization for. + ProjectGrantIDQuery project_grant_id_query = 5; + // Search for authorizations by the key of the role the user was granted. + RoleKeyQuery role_key_query = 6; + + // UserGrantProjectIDQuery project_id_query = 1; + // UserGrantUserIDQuery user_id_query = 2; + // UserGrantWithGrantedQuery with_granted_query = 3; + // UserGrantRoleKeyQuery role_key_query = 4; + // UserGrantProjectGrantIDQuery project_grant_id_query = 5; + // UserGrantUserNameQuery user_name_query = 6; + // UserGrantFirstNameQuery first_name_query = 7; + // UserGrantLastNameQuery last_name_query = 8; + // UserGrantEmailQuery email_query = 9; + // UserGrantOrgNameQuery org_name_query = 10; + // UserGrantOrgDomainQuery org_domain_query = 11; + // UserGrantProjectNameQuery project_name_query = 12; + // UserGrantDisplayNameQuery display_name_query = 13; + // UserGrantUserTypeQuery user_type_query = 14; + } +} + +message AuthorizationIDQuery { + string id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; +} + +message UserIDQuery { + string user_id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; +} + +message UserOrganizationIDQuery { + string 
user_organization_id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; +} + +message ProjectIDQuery { + string project_id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; +} + +message ProjectGrantIDQuery { + string project_grant_id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; +} + +message RoleKeyQuery { + string role_key = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.object.v2.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message Authorization { + // ID is the unique identifier of the authorization. + string id = 1; + // UserID represents the ID of the user who was granted the authorization. + string user_id = 2; + // UserOrganisationID represents the ID of the organisation the user is part of. + string user_organization_id = 3; + // ProjectID represents the ID of the project the user was granted the authorization for. + string project_id = 4; + // ProjectGrantID represents the ID of the project grant the user was granted the authorization for. + // This field is only set if the authorization was granted for a project grant and not a project directly. + string project_grant_id = 5; + + // Roles contains the roles the user was granted for the project or project grant. + repeated Role roles = 6; +} + +message Role { + // Key is the unique identifier of the role. + string key = 1; + // DisplayName is the human readable name of the role. + string display_name = 2; +} diff --git a/proto/zitadel/authorizations/v2/authorization_service.proto b/proto/zitadel/authorizations/v2/authorization_service.proto new file mode 100644 index 0000000000..ddec1f9187 --- /dev/null +++ b/proto/zitadel/authorizations/v2/authorization_service.proto 
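Review bot: `RoleKeyQuery.role_key` is the only identifier-style field in this file validated with `max_len` alone, while every `*IDQuery` requires `min_len: 1`; combined with a `TextQueryMethod` such as starts-with, an empty key matches every authorization, so either add `min_len: 1` or state in the field comment that this is a deliberate match-all: `// RoleKey to match; an empty key combined with a prefix/contains method matches all roles.` The `method` field admits the enum's zero value through `defined_only`, so the comment should also name the comparison applied when it is left unspecified, which is not visible here. The commented-out `UserGrant*` entries inside the `oneof` are dead text in a brand-new wire contract and should be dropped before merge, and `UserOrganizationIDQuery`'s comment mixes "organisation" with the `organization` spelling used in the field name.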
@@ -0,0 +1,156 @@ +syntax = "proto3"; + +package zitadel.authorizations.v2; + +import "google/protobuf/timestamp.proto"; +import "validate/validate.proto"; +import "zitadel/object/v2/object.proto"; +import "zitadel/authorizations/v2/authorization.proto"; + +// AuthorizationService provides methods to manage authorizations for users within your projects and applications. +// +// For managing permissions and roles for ZITADEL internal resources, like organizations, projects, +// users, etc., please use the PermissionsService. +service AuthorizationsService { + // ListAuthorizations returns all authorizations matching the request and necessary permissions. + // + // Required permissions: + // - "user.grant.read" + // - no permissions required for listing own authorizations + rpc ListAuthorizations(ListAuthorizationsRequest) returns (ListAuthorizationsResponse) {} + + // GetAuthorization returns the authorization by its ID. + // + // Required permissions: + // - "user.grant.read" + // - no permissions required for getting own authorization + rpc GetAuthorization(GetAuthorizationRequest) returns (GetAuthorizationResponse) {} + + // CreateAuthorization creates a new authorization for a user in a project or project grant. + // + // Required permissions: + // - "user.grant.write" + rpc CreateAuthorization(CreateAuthorizationRequest) returns (CreateAuthorizationResponse) {} + + // UpdateAuthorization updates the authorization. + // + // Note that any role keys previously granted to the user and not present in the request will be revoked. + // + // Required permissions: + // - "user.grant.write" + rpc UpdateAuthorization(UpdateAuthorizationRequest) returns (UpdateAuthorizationResponse) {} + + // DeleteAuthorization deletes the authorization. + // + // In case the authorization is not found, the request will return a successful response as + // the desired state is already achieved. 
+ // You can check the deletion date in the response to verify if the authorization was deleted during the request. + // + // Required permissions: + // - "user.grant.delete" + rpc DeleteAuthorization(DeleteAuthorizationRequest) returns (DeleteAuthorizationResponse) {} +} + +message ListAuthorizationsRequest { + // Paginate through the results using a limit. + zitadel.object.v2.ListQuery query = 1; + // Filter the authorizations to be returned. + repeated AuthorizationQuery queries = 2; +} + +message ListAuthorizationsResponse { + // Details contains the pagination information. + zitadel.object.v2.ListDetails details = 1; + repeated Authorization authorizations = 2; +} + +message GetAuthorizationRequest { + // ID is the unique identifier of the authorization. + string id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; +} + +message GetAuthorizationResponse { + Authorization authorization = 1; +} + +message CreateAuthorizationRequest { + // UserID is the ID of the user who should be granted the authorization. + string user_id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; + // Grant on either the project directly or on a project grant. + oneof grant { + option (validate.required) = true; + + // Project is the ID of the project the user should be granted the authorization for. + string project_id = 2 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; + // ProjectGrant is the ID of the project grant the user should be granted the authorization for. + string project_grant_id = 3 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; + } + // RoleKeys are the keys of the roles the user should be granted. + repeated string role_keys = 4 [(validate.rules).repeated = { + unique: true + items: { + string: { + min_len: 1 + max_len: 200 + } + } + }]; +} + +message CreateAuthorizationResponse { + // ID is the unique identifier of the newly created authorization. 
+ string id = 1; + // CreationDate is the timestamp when the authorization was created. + google.protobuf.Timestamp creation_date = 2; +} + +message UpdateAuthorizationRequest { + // ID is the unique identifier of the authorization. + string id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; + // RoleKeys are the keys of the roles the user should be granted. + // Note that any role keys previously granted to the user and not present in the list will be revoked. + repeated string role_keys = 2 [(validate.rules).repeated = { + unique: true + items: { + string: { + min_len: 1 + max_len: 200 + } + } + }]; +} + +message UpdateAuthorizationResponse { + // ChangeDate is the timestamp when the authorization was last updated. + google.protobuf.Timestamp change_date = 1; +} + +message DeleteAuthorizationRequest { + // ID is the unique identifier of the authorization. + string id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; +} + +message DeleteAuthorizationResponse { + // DeletionDate is the timestamp when the authorization was deleted. + // Note that the deletion date is only guaranteed to be set if the deletion was successful during the request. + // In case the deletion occurred in a previous request, the deletion date might not be set. + google.protobuf.Timestamp deletion_date = 1; +} diff --git a/proto/zitadel/metadata/v2/metadata.proto b/proto/zitadel/metadata/v2/metadata.proto new file mode 100644 index 0000000000..4957abd152 --- /dev/null +++ b/proto/zitadel/metadata/v2/metadata.proto 
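Review bot: `UpdateAuthorizationRequest.role_keys` constrains item shape and uniqueness but has no `min_items`, and the RPC comment says every role not present in the request is revoked; since a proto3 `repeated` field has no presence, a client that merely omits `role_keys` sends an empty list and silently strips the user of all roles on the project. If that is not intended, add `min_items: 1` to the `repeated` rule on both `CreateAuthorizationRequest.role_keys` and `UpdateAuthorizationRequest.role_keys` and point callers at `DeleteAuthorization` for full revocation; if it is intended, say so on the field: `// An empty list revokes every role; use DeleteAuthorization to remove the authorization itself.` Neither list has a `max_items` bound, so the only limit on request size is the transport's message cap. The `ListAuthorizations` comment says it returns authorizations matching the request "and necessary permissions" — it should state whether entries the caller may not read are filtered out or cause the call to fail, since clients cannot infer that from the schema.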
@@ -0,0 +1,30 @@
+syntax = "proto3";
+
+import "zitadel/object.proto";
+import "validate/validate.proto";
+
+package zitadel.metadata.v2;
+
+option go_package ="github.com/zitadel/zitadel/pkg/grpc/metadata/v2";
+
+message Metadata {
+ //zitadel.v1.ObjectDetails details = 1; TODO?
+ string key = 2;
+ bytes value = 3;
+}
+
+message MetadataQuery {
+ oneof query {
+ option (validate.required) = true;
+ MetadataKeyQuery key_query = 1;
+ }
+}
+
+message MetadataKeyQuery {
+ string key = 1 [
+ (validate.rules).string = {max_len: 200}
+ ];
+ zitadel.v1.TextQueryMethod method = 2 [
+ (validate.rules).enum.defined_only = true
+ ];
+}
diff --git a/proto/zitadel/permissions/v2/manager.proto b/proto/zitadel/permissions/v2/manager.proto
new file mode 100644
index 0000000000..282054f485
--- /dev/null
+++ b/proto/zitadel/permissions/v2/manager.proto
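Review bot: This v2 package imports `zitadel/object.proto` and uses `zitadel.v1.TextQueryMethod`, while the sibling v2 files in this commit import `zitadel/object/v2/object.proto` and use `zitadel.object.v2.TextQueryMethod` (see `RoleKeyQuery`); switching to `import "zitadel/object/v2/object.proto";` and `zitadel.object.v2.TextQueryMethod method = 2 [...]` keeps the new API free of a v1 dependency that would otherwise have to be carried for its whole lifetime. `Metadata` skips field number 1 behind a commented-out `details` TODO; if the number stays unused, declare `reserved 1;` so a later field cannot silently take over the slot. The file also places `import` before `package` and writes `go_package ="..."` without a space, both of which `buf format` would flag.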
@@ -0,0 +1,214 @@ +syntax = "proto3"; + +import "validate/validate.proto"; +import "zitadel/object/v2/object.proto"; + +package zitadel.permissions.v2; + +/* +message Manager2 { + // ID is the unique identifier of the manager role. + string id = 1; + // UserID is the ID of the user who was granted the manager role. + oneof user { + string user_id = 2; + User expanded = 3; + } + repeated string roles = 4; + + + oneof managerType { + // InstanceManager is the manager role for the instance. + InstanceManager instance_manager = 3; + // OrganizationManager is the manager role for the organization. + OrganizationManager organization_manager = 4; + // ProjectManager is the manager role for the project. + ProjectManager project_manager = 5; + // ProjectGrantManager is the manager role for the project grant. + ProjectGrantManager project_grant_manager = 6; + } +} +*/ + +message Manager { + + // ID is the unique identifier of the manager role. + string id = 1; + // User is the user who was granted the manager role. + User user = 2; +// string user_id = 3; +// string user_preferred_login_name = 4; +// string user_display_name = 5; +// string user_avatar_url = 6; +// string user_organization_id = 7; + // Resource is the type of the resource the manager roles were granted for. + oneof resource { + // Instance is returned if the manager roles were granted on the instance level. + bool instance = 3; + // Organization provides information about the organization the manager roles were granted for. + Organization organization = 4; + // Project provides information about the project the manager roles were granted for. + Project project = 5; + // ProjectGrant provides information about the project grant the manager roles were granted for. + ProjectGrant project_grant = 6; + } + // Roles are the roles that were granted to the user for the specified resource. + repeated string roles = 7; +} + +message User { + // ID is the unique identifier of the user. 
+ string id = 1; + // PreferredLoginName is the preferred login name of the user. This value is unique across the whole instance.. + string preferred_login_name = 2; + // DisplayName is the public display name of the user. + // By default it's the user's given name and family name, their username or their email address. + string display_name = 3; + // AvatarURL is the URL to the user's public avatar image. + string avatar_url = 4; + // The organization the user belong to. + string organization_id = 5; + + // zitadel.user.v1.Type user_type = 10 TODO: peintner? +} + +message Organization { + // ID is the unique identifier of the organization the user was granted the manager role for. + string id = 1; + // Name is the name of the organization the user was granted the manager role for. + string name = 2; +} +message Project { + // ID is the unique identifier of the project the user was granted the manager role for. + string id = 1; + // Name is the name of the project the user was granted the manager role for. + string name = 2; + // OrganizationID is the ID of the organization the project belongs to. + string organization_id = 3; +} +message ProjectGrant { + // ID is the unique identifier of the project grant the user was granted the manager role for. + string id = 1; + // ProjectID is the ID of the project the project grant belongs to. + string project_id = 2; + // ProjectName is the name of the project the project grant belongs to. + string project_name = 3; + // OrganizationID is the ID of the organization the project grant belongs to. + string organization_id = 4; +} + +/* +message SetInstanceManager { + // Roles are the roles that should be granted to the user. + repeated string roles = 1 [(validate.rules).repeated = { + unique: true + items: { + string: { + min_len: 1 + max_len: 200 + prefix: "IAM_" // TODO: do we want to limit here as well? 
+ } + } + }]; +} + +message SetOrganizationManager { + // OrganizationID is the ID of the organization the user should be granted the manager role for. + string organization_id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; + // Roles are the roles that should be granted to the user within the specified organization. + repeated string roles = 2 [(validate.rules).repeated = { + unique: true + items: { + string: { + min_len: 1 + max_len: 200 + prefix: "ORG_" // TODO: do we want to limit here as well? + } + } + }]; +} + +message SetProjectManager { + // ProjectID is the ID of the project the user should be granted the manager role for. + string project_id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; + // Roles are the roles that should be granted to the user within the specified project. + repeated string roles = 2 [(validate.rules).repeated = { + unique: true + items: { + string: { + min_len: 1 + max_len: 200 + prefix: "PROJECT_" // TODO: do we want to limit here as well? + } + } + }]; +} + +message SetProjectGrantManager { + // ProjectGrantID is the ID of the project grant the user should be granted the manager role for. + string project_grant_id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; + // Roles are the roles that should be granted to the user within the specified project grant. + repeated string roles = 2 [(validate.rules).repeated = { + unique: true + items: { + string: { + min_len: 1 + max_len: 200 + prefix: "PROJECT_GRANT_" // TODO: do we want to limit here as well? + } + } + }]; +} +*/ + +message ManagerQuery { + oneof query { + option (validate.required) = true; + + // Search for managers roles granted to a specific user. + UserIDQuery user_id_query = 1; + // Search for managers roles granted for a specific resource. + ResourceQuery resource_query = 2; + // Search for managers roles granted with a specific role. 
+ RoleQuery role_query = 3; + } +} + +message UserIDQuery { + // Search for managers by user ID. + string user_id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; +} + +message ResourceQuery { + // Search for managers by the granted resource. + oneof resource { + // Search for managers granted on the instance level. + bool instance = 1; + // Search for managers granted on a specific organization. + string organization_id = 2; + // Search for managers granted on a specific project. + string project_id = 3; + // Search for managers granted on a specific project grant. + string project_grant_id = 4; + } +} + +message RoleQuery { + // Search for managers by the granted role. + string role_key = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; +} \ No newline at end of file diff --git a/proto/zitadel/permissions/v2/permission_service.proto b/proto/zitadel/permissions/v2/permission_service.proto new file mode 100644 index 0000000000..5638143e41 --- /dev/null +++ b/proto/zitadel/permissions/v2/permission_service.proto 
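Review bot: `ResourceQuery` accepts an empty `oneof` and unvalidated identifiers: unlike `CreateManagerRequest.resource`, the `oneof resource` here has no `option (validate.required) = true;`, `organization_id`/`project_id`/`project_grant_id` carry none of the `min_len: 1, max_len: 200` rules every other ID field in this commit has, and `bool instance = 1` lacks `const: true`, so `instance: false` is a set-but-meaningless query the server must special-case. Bringing it in line with the create request is the small rewrite below. Separately, `CreateManagerRequest.roles` has no per-resource restriction, and the commented-out `prefix: "IAM_"`/`"ORG_"`/… rules show that was considered; whether the server rejects a role key from a different scope (e.g. an instance role granted through an organization manager) is not visible in the proto, so that check should be asserted in the handler and its tests before the `Set*Manager` block is deleted. The large `/* ... */` blocks (`Manager2`, `Set*Manager`) and the `// TODO: peintner?` line should not ship in a published schema.

```protobuf
message ResourceQuery {
  // Search for managers by the granted resource. Exactly one must be set.
  oneof resource {
    option (validate.required) = true;

    // Search for managers granted on the instance level.
    bool instance = 1 [(validate.rules).bool = {const: true}];
    // Search for managers granted on a specific organization.
    string organization_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
    // Search for managers granted on a specific project.
    string project_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
    // Search for managers granted on a specific project grant.
    string project_grant_id = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
  }
}
```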
@@ -0,0 +1,189 @@ +syntax = "proto3"; + +package zitadel.permissions.v2; + +import "google/protobuf/timestamp.proto"; +import "validate/validate.proto"; +import "zitadel/object/v2/object.proto"; +import "zitadel/permissions/v2/manager.proto"; + +// PermissionsService provides methods to manage permissions for resource +// and their management in ZITADEL itself. +// +// If you want to manage permissions and roles within your project or application, +// please use the AuthorizationsService. +service PermissionsService { + // ListManagers returns all managers and its roles matching the request and necessary permissions. + // + // Required permissions depend on the resource type: + // - "iam.member.read" for instance managers + // - "org.member.read" for organization managers + // - "project.member.read" for project managers + // - "project.grant.member.read" for project grant managers + // - "user.membership.read" TODO: only this required? + // - no permissions required for listing own manager roles + rpc ListManagers(ListManagersRequest) returns (ListManagersResponse) {} + // GetManager returns the manager role by its ID. + // + // Required permissions depend on the resource type: + // - "iam.member.read" for instance managers + // - "org.member.read" for organization managers + // - "project.member.read" for project managers + // - "project.grant.member.read" for project grant managers + // - "user.membership.read" TODO: only this required? + // - no permissions required for getting own manager roles + rpc GetManager(GetManagerRequest) returns (GetManagerResponse) {} + // CreateManager grants a manager role to a user. 
+ // + // Required permissions depend on the resource type: + // - "iam.member.write" for instance managers + // - "org.member.write" for organization managers + // - "project.member.write" for project managers + // - "project.grant.member.write" for project grant managers + rpc CreateManager(CreateManagerRequest) returns (CreateManagerResponse) {} + // UpdateManager updates the manager role. + // + // Note that any role previously granted to the user and not present in the request will be revoked. + // + // Required permissions depend on the resource type: + // - "iam.member.write" for instance managers + // - "org.member.write" for organization managers + // - "project.member.write" for project managers + // - "project.grant.member.write" for project grant managers + rpc UpdateManager(UpdateManagerRequest) returns (UpdateManagerResponse) {} + // DeleteManager revokes a manager role from a user. + // + // Note that the deletion is only guaranteed to be successful if the user has the required permissions. + // + // Required permissions depend on the resource type: + // - "iam.member.delete" for instance managers + // - "org.member.delete" for organization managers + // - "project.member.delete" for project managers + // - "project.grant.member.delete" for project grant managers + rpc DeleteManager(DeleteManagerRequest) returns (DeleteManagerResponse) {} +} + +message ListManagersRequest { + // Paginate through the results using a limit. + zitadel.object.v2.ListQuery query = 1; + // Filter the manager roles to be returned. + repeated ManagerQuery queries = 2; + repeated Expand expand = 3; // TODO: ? +} + +enum Expand { + EXPAND_UNSPECIFIED = 0; + EXPAND_USER = 1; + EXPAND_RESOURCE = 2; +} + +message ListManagersResponse { + // Details contains the pagination information. + zitadel.object.v2.ListDetails details = 1; + repeated Manager managers = 2; +} + +message GetManagerRequest { + // ID is the unique identifier of the manager. 
+ string id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; +} + +message GetManagerResponse { + Manager manager = 1; +} + +/* +message CreateManagerRequest { + // UserID is the ID of the user who should be granted the manager role. + string user_id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; + oneof managerType { + SetInstanceManager instance_manager = 2; + SetOrganizationManager organization_manager = 3; + SetProjectManager project_manager = 4; + SetProjectGrantManager project_grant_manager = 5; + } +} +*/ + +message CreateManagerRequest { + // UserID is the ID of the user who should be granted the manager role. + string user_id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; + // Resource is the type of the resource the manager roles should be granted for. + oneof resource { + option (validate.required) = true; + + // Instance is the resource type for granting manager privileges on the instance level. + bool instance = 2 [(validate.rules).bool = {const: true}]; + // OrganizationID is required to grant manager privileges for a specific organization. + string organization_id = 3; + // ProjectID is required to grant manager privileges for a specific project. + string project_id = 4; + // ProjectGrantID is required to grant manager privileges for a specific project grant. + string project_grant_id = 5; + } + // Roles are the roles that should be granted to the user for the specified resource. + repeated string roles = 6 [(validate.rules).repeated = { + unique: true + items: { + string: { + min_len: 1 + max_len: 200 + } + } + }]; +} + +message CreateManagerResponse { + // ID is the unique identifier of the newly created manager role. + string id = 1; + // CreationDate is the timestamp when the manager role was created. + google.protobuf.Timestamp creation_date = 2; +} + +message UpdateManagerRequest { + // ManagerID is the ID of the manager role that should be updated. 
+ string manager_role_id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; + // Roles are the roles that the user should be granted. + // Note that any role previously granted to the user and not present in the list will be revoked. + repeated string roles = 2 [(validate.rules).repeated = { + unique: true + items: { + string: { + min_len: 1 + max_len: 200 + } + } + }]; +} + +message UpdateManagerResponse { + // ChangeDate is the timestamp when the manager role was last updated. + google.protobuf.Timestamp change_date = 1; +} + +message DeleteManagerRequest { + // ManagerID is the ID of the manager role the user should be removed from. + string manager_role_id = 1 [(validate.rules).string = { + min_len: 1 + max_len: 200 + }]; +} + +message DeleteManagerResponse { + // DeletionDate is the timestamp when the manager role was deleted. + // Note that the deletion date is only guaranteed to be set if the deletion was successful during the request. + // In case the deletion occurred in a previous request, the deletion date might not be set. + google.protobuf.Timestamp deletion_date = 1; +} diff --git a/proto/zitadel/user/v2/user_service.proto b/proto/zitadel/user/v2/user_service.proto index 5457efd64e..7cd10d8bc3 100644 --- a/proto/zitadel/user/v2/user_service.proto +++ b/proto/zitadel/user/v2/user_service.proto @@ -11,10 +11,12 @@ import "zitadel/user/v2/idp.proto"; import "zitadel/user/v2/password.proto"; import "zitadel/user/v2/user.proto"; import "zitadel/user/v2/query.proto"; +import "zitadel/metadata/v2/metadata.proto"; import "google/api/annotations.proto"; import "google/api/field_behavior.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/struct.proto"; +import "google/protobuf/timestamp.proto"; import "protoc-gen-openapiv2/options/annotations.proto"; import "validate/validate.proto"; 
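Review bot: The required-permission lists on `ListManagers` and `GetManager` still contain `"user.membership.read" TODO: only this required?`, which leaves the authorization contract of a new public API undecided in its own documentation; because `ManagerQuery` allows listing by `user_id_query` across instance, organization, project and project-grant scopes, the answer decides whether an org-scoped reader can see a user's instance-level manager roles, so it should be settled and the TODO replaced by the actual rule, including whether non-readable entries are filtered or the call is rejected. `UpdateManagerRequest`/`DeleteManagerRequest` name the identifier `manager_role_id` while `GetManagerRequest` and `CreateManagerResponse` use `id` and the comments say "ManagerID"; pick one before the names become JSON keys. `DeleteManager`'s note "the deletion is only guaranteed to be successful if the user has the required permissions" adds nothing to the permission list, while `DeleteManagerResponse` implies idempotent not-found handling like `DeleteAuthorization`; the RPC comment should state that behaviour explicitly. `Create/UpdateManagerRequest.roles` have no `min_items`, so an omitted list on update revokes every role, and `repeated Expand expand = 3; // TODO: ?` is an open design question left in the schema.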
@@ -1232,6 +1234,140 @@ service UserService { }; } + // ListMetadata returns all matching metadata entries for a user. + // You can filter by key only. Filtering by value is not supported yet. + // If no filter is specified, all metadata entries are returned. + // + // Required permissions: + // - 'user.read' + // - no permissions required for listing own metadata + rpc ListMetadata (ListMetadataRequest) returns (ListMetadataResponse) {} + + // GetMetadata returns a single metadata entry of the user identified by the key. + // + // Required permissions: + // - 'user.read' + // - no permissions required for getting own metadata + rpc GetMetadata (GetMetadataRequest) returns (GetMetadataResponse) {} + + // AddMetadata adds a new metadata entry to the user. + // If the key already exists, an error is returned. + // + // Required permissions: + // - 'user.write' + rpc AddMetadata (AddMetadataRequest) returns (AddMetadataResponse) {} + + // UpdateMetadata updates an existing metadata entry of the user. + // If the key does not exist, an error is returned. + // + // Required permissions: + // - 'user.write' + rpc UpdateMetadata (UpdateMetadataRequest) returns (UpdateMetadataResponse) {} + + // Set Metadata adds or updates a metadata entry of the user identified by the key. + // If the key does not exist, a new entry is created. + // If the key already exists, the value is updated. + // In case a key from an existing entry needs to be updated, + // the existing entry must be removed and a new one created. + // + // Required permissions: + // - 'user.write' + rpc SetMetadata (SetMetadataRequest) returns (SetMetadataResponse) {} + + // Remove Metadata removes an existing metadata entry from the user. + // If the key does not exist, the request wil return a success as the + // desired state is already achieved. + // You can check the deletion date in the response to verify if the + // metadata entry was removed during the request. 
+ // + // Required permissions: + // - 'user.write' + rpc RemoveMetadata (RemoveMetadataRequest) returns (RemoveMetadataResponse) {} +} + +message ListMetadataRequest{ + // The user ID of the user you like to get the metadata from. + string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + // Paginate through the results using a limit. + zitadel.object.v2.ListQuery query = 2; + // Filter the metadata to be returned. + repeated zitadel.metadata.v2.MetadataQuery queries = 3; +} + +message ListMetadataResponse{ + zitadel.object.v2.ListDetails details = 1; + repeated zitadel.metadata.v2.Metadata result = 2; +} + +message GetMetadataRequest{ + // The user ID of the user you like to get the metadata from. + string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + // Metadata key is the unique identifier of the metadata entry. + string metadata_key = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message GetMetadataResponse{ + zitadel.metadata.v2.Metadata metadata = 1; +} + +message AddMetadataRequest{ + // The user ID of the user you like to add the metadata to. + string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + // Metadata key is the unique identifier of the metadata entry. + // If an entry with the same key already exists, an error is returned. + string metadata_key = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + // Metadata value is the value of the metadata entry. + bytes metadata_value = 3 [(validate.rules).bytes = {min_len: 1, max_len: 500000}]; +} + +message AddMetadataResponse{ + // CreationDate is the timestamp the metadata entry was created. + google.protobuf.Timestamp creation_date = 1; +} + +message UpdateMetadataRequest{ + // The user ID of the user you like to update the metadata from. + string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + // Metadata key is the unique identifier of the metadata entry. 
+ // If an entry with the same key does not exist, an error is returned. + string metadata_key = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + // Metadata value is the value of the metadata entry. + bytes metadata_value = 3 [(validate.rules).bytes = {min_len: 1, max_len: 500000}]; +} + +message UpdateMetadataResponse{ + // ChangeDate is the the timestamp the metadata entry was last updated. + google.protobuf.Timestamp change_date = 1; +} + +message SetMetadataRequest{ + // The user ID of the user you like to set the metadata from. + string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + // Metadata key is the unique identifier of the metadata entry. + // An existing entry with the same key will be updated. The key cannot be changed. + // If you need to change the key, remove the existing entry and create a new one. + string metadata_key = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + // Metadata value is the value of the metadata entry. + bytes metadata_value = 3 [(validate.rules).bytes = {min_len: 1, max_len: 500000}]; +} + +message SetMetadataResponse{ + // ChangeDate is the the timestamp the metadata entry was last set, either created or updated. + google.protobuf.Timestamp change_date = 2; +} + +message RemoveMetadataRequest{ + // The user ID of the user you like to remove the metadata from. + string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + // Metadata key is the unique identifier of the metadata entry. + string metadata_key = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message RemoveMetadataResponse{ + // DeletionDate is the timestamp the metadata entry was deleted. + // Note that the deletion date is only guaranteed to be set if the deletion was successful during the request. + // In case the deletion occurred in a previous request, the deletion date might not be set. + google.protobuf.Timestamp deletion_date = 1; } message AddHumanUserRequest{
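Review bot: `SetMetadataResponse` numbers its only field `change_date = 2`, leaving tag 1 unused with no `reserved` statement, while every other response in this hunk starts at 1; use `google.protobuf.Timestamp change_date = 1;` (or add `reserved 1;` if the gap is deliberate) before the message ships, since the number is the wire contract. The new RPCs are declared with empty `{}` bodies, whereas the method immediately preceding them closes an option block (`};`) before its `}` and the file imports `google/api/annotations.proto` and the openapiv2 annotations; if the other methods carry HTTP/OpenAPI mappings, the metadata RPCs are presumably gRPC-only by omission rather than by design — worth confirming. Comment typos: "Set Metadata"/"Remove Metadata" should be `SetMetadata`/`RemoveMetadata` to match the method names, "wil" → "will", and "the the timestamp" appears twice. `max_len: 500000` on `metadata_value` lets a single user store roughly 500 KB per key with no visible cap on the number of keys; if that bound is intentional, a sentence on the field saying so would help operators reason about storage and `ListMetadata` response sizes.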