zitadel/pkg/grpc/admin/proto/admin.proto

syntax = "proto3";

import "google/api/annotations.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/timestamp.proto";
import "google/protobuf/struct.proto";
import "validate/validate.proto";
import "protoc-gen-swagger/options/annotations.proto";
import "authoption/options.proto";

package caos.zitadel.admin.api.v1;

option go_package ="github.com/caos/zitadel/pkg/grpc/admin";

option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = {
    info: {
        title: "admin service";
        version: "0.1";
        contact:{
            url: "https://github.com/caos/zitadel/pkg/admin"
        };
    };

    schemes: HTTPS;

    consumes: "application/json";
    consumes: "application/grpc";

    produces: "application/json";
    produces: "application/grpc";
};

service AdminService {
    // ---------
    // Probes
    // ---------

    // Healthz returns status OK as soon as the service started
    rpc Healthz(google.protobuf.Empty) returns (google.protobuf.Empty) {
        option (google.api.http) = {
           get: "/healthz"
        };
    }

    // Ready returns status OK as soon as all dependent services are available
    rpc Ready(google.protobuf.Empty) returns (google.protobuf.Empty) {
        option (google.api.http) = {
           get: "/ready"
        };
    }

    rpc Validate(google.protobuf.Empty) returns (google.protobuf.Struct) {
        option (google.api.http) = {
            get: "/validate"
        };
    }

//ORG
    rpc IsOrgUnique(UniqueOrgRequest) returns (UniqueOrgResponse) {
        option (google.api.http) = {
            get: "/orgs/_isunique"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.read"
        };
    }

    rpc GetOrgByID(OrgID) returns (Org) {
        option (google.api.http) = {
            get: "/orgs/{id}"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.read"
        };
    }

    rpc SearchOrgs(OrgSearchRequest) returns (OrgSearchResponse) {
        option (google.api.http) = {
            post: "/orgs/_search"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.read"
        };
    }

    rpc SetUpOrg(OrgSetUpRequest) returns (OrgSetUpResponse) {
        option (google.api.http) = {
            post: "/orgs/_setup"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.write"
        };
    }

    //ORG_IAM_POLICY
    rpc GetOrgIamPolicy(OrgIamPolicyID) returns (OrgIamPolicy) {
        option (google.api.http) = {
            get: "/orgs/{org_id}/iampolicy"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.policy.read"
        };
    }

    rpc CreateOrgIamPolicy(OrgIamPolicyRequest) returns (OrgIamPolicy) {
        option (google.api.http) = {
            post: "/orgs/{org_id}/iampolicy"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.policy.write"
        };
    }

    rpc UpdateOrgIamPolicy(OrgIamPolicyRequest) returns (OrgIamPolicy) {
        option (google.api.http) = {
            put: "/orgs/{org_id}/iampolicy"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.policy.write"
        };
    }

    rpc DeleteOrgIamPolicy(OrgIamPolicyID) returns (google.protobuf.Empty) {
        option (google.api.http) = {
            delete: "/orgs/{org_id}/iampolicy"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.policy.delete"
        };
    }

    rpc GetIamMemberRoles(google.protobuf.Empty) returns (IamMemberRoles) {
        option (google.api.http) = {
            get: "/members/roles"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.member.read"
        };
    }

    rpc AddIamMember(AddIamMemberRequest) returns (IamMember) {
        option (google.api.http) = {
            post: "/members"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.member.write"
        };
    }

    rpc ChangeIamMember(ChangeIamMemberRequest) returns (IamMember) {
        option (google.api.http) = {
            put: "/members/{user_id}"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.member.write"
        };
    }

    rpc RemoveIamMember(RemoveIamMemberRequest) returns (google.protobuf.Empty) {
        option (google.api.http) = {
            delete: "/members/{user_id}"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.member.delete"
        };
    }

    rpc SearchIamMembers(IamMemberSearchRequest) returns (IamMemberSearchResponse) {
        option (google.api.http) = {
            post: "/members/_search"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.member.read"
        };
    }

    rpc GetViews(google.protobuf.Empty) returns (Views) {
        option (google.api.http) = {
            get: "/views"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.read"
        };
    }

    rpc ClearView(ViewID) returns (google.protobuf.Empty) {
        option (google.api.http) = {
            post: "/views/{database}/{view_name}"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.write"
        };
    }

    rpc GetFailedEvents(google.protobuf.Empty) returns (FailedEvents) {
        option (google.api.http) = {
            get: "/failedevents"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.read"
        };
    }

    rpc RemoveFailedEvent(FailedEventID) returns (google.protobuf.Empty) {
        option (google.api.http) = {
            delete: "/failedevents/{database}/{view_name}/{failed_sequence}"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.write"
        };
    }

    rpc IdpByID(IdpID) returns (IdpView) {
        option (google.api.http) = {
            get: "/idps/{id}"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.idp.read"
        };
    }

    rpc CreateOidcIdp(OidcIdpConfigCreate) returns (Idp) {
        option (google.api.http) = {
            post: "/idps/oidc"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.idp.write"
        };
    }

    rpc UpdateIdpConfig(IdpUpdate) returns (Idp) {
        option (google.api.http) = {
            put: "/idps/{id}"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.idp.write"
        };
    }

    rpc DeactivateIdpConfig(IdpID) returns (Idp) {
        option (google.api.http) = {
            put: "/idps/{id}/_deactivate"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.idp.write"
        };
    }

    rpc ReactivateIdpConfig(IdpID) returns (Idp) {
        option (google.api.http) = {
            put: "/idps/{id}/_reactivate"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.idp.write"
        };
    }

    rpc RemoveIdpConfig(IdpID) returns (google.protobuf.Empty) {
        option (google.api.http) = {
            delete: "/idps/{id}"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.idp.write"
        };
    }

    rpc UpdateOidcIdpConfig(OidcIdpConfigUpdate) returns (OidcIdpConfig) {
        option (google.api.http) = {
            put: "/idps/{idp_id}/oidcconfig"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.idp.write"
        };
    }

    rpc SearchIdps(IdpSearchRequest) returns (IdpSearchResponse) {
        option (google.api.http) = {
            post: "/idps/_search"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.idp.read"
        };
    }

    rpc GetDefaultLoginPolicy(google.protobuf.Empty) returns (DefaultLoginPolicyView) {
        option (google.api.http) = {
            get: "/policies/login"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.policy.read"
        };
    }

    rpc UpdateDefaultLoginPolicy(DefaultLoginPolicy) returns (DefaultLoginPolicy) {
        option (google.api.http) = {
            put: "/policies/login"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.policy.write"
        };
    }

    rpc GetDefaultLoginPolicyIdpProviders(IdpProviderSearchRequest) returns (IdpProviderSearchResponse) {
        option (google.api.http) = {
            post: "/policies/login/idpproviders/_search"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.policy.read"
        };
    }

    rpc AddIdpProviderToDefaultLoginPolicy(IdpProviderID) returns (IdpProviderID) {
        option (google.api.http) = {
            post: "/policies/login/idpproviders"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.policy.write"
        };
    }

    rpc RemoveIdpProviderFromDefaultLoginPolicy(IdpProviderID) returns (google.protobuf.Empty) {
        option (google.api.http) = {
            post: "/policies/login/idpproviders/{idp_config_id}"
            body: "*"
        };

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "iam.policy.write"
        };
    }
}

message OrgID {
    string id = 1 [(validate.rules).string = {min_len: 1}];
}

message UniqueOrgRequest {
    string name = 1 [(validate.rules).string.min_len = 1];
    string domain = 2 [(validate.rules).string.min_len = 1];
}

message UniqueOrgResponse {
    bool is_unique = 1;
}

message Org {
    string id = 1;
    OrgState state = 2;
    google.protobuf.Timestamp creation_date = 3;
    google.protobuf.Timestamp change_date = 4;
    string name = 5;
    string domain = 6;
}

enum OrgState {
    ORGSTATE_UNSPECIFIED = 0;
    ORGSTATE_ACTIVE = 1;
    ORGSTATE_INACTIVE = 2;
}

message OrgSearchRequest {
    uint64 offset = 1;
    uint64 limit = 2;
    OrgSearchKey sorting_column = 3 [(validate.rules).enum = {not_in: [0]}];;
    bool asc = 4;
    repeated OrgSearchQuery queries = 5;
}

message OrgSearchQuery {
    OrgSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];;
    OrgSearchMethod method = 2;
    string value = 3;
}

enum OrgSearchKey {
    ORGSEARCHKEY_UNSPECIFIED = 0;
    ORGSEARCHKEY_NAME = 1;
    ORGSEARCHKEY_DOMAIN = 2;
    ORGSEARCHKEY_STATE = 3;
}

message OrgSearchResponse {
    uint64 offset = 1;
    uint64 limit = 2;
    uint64 total_result = 3;
    repeated Org result = 4;
    uint64 processed_sequence = 5;
    google.protobuf.Timestamp view_timestamp = 6;
}

enum OrgSearchMethod {
    ORGSEARCHMETHOD_EQUALS = 0;
    ORGSEARCHMETHOD_STARTS_WITH = 1;
    ORGSEARCHMETHOD_CONTAINS = 2;
}

message OrgSetUpRequest {
    CreateOrgRequest org = 1 [(validate.rules).message.required = true];
    CreateUserRequest user = 2 [(validate.rules).message.required = true];
}

message OrgSetUpResponse {
    Org org = 1;
    UserResponse user = 2;
}

message CreateUserRequest {
    string user_name = 1 [(validate.rules).string.pattern = "^[^[:space:]]{1,200}$"];

    oneof user {
      option (validate.required) = true;
  
      CreateHumanRequest human = 2;
      CreateMachineRequest machine = 3;
    }
}

message CreateHumanRequest {
    string first_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
    string last_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
    string nick_name = 3 [(validate.rules).string = {max_len: 200}];
    string preferred_language = 4 [(validate.rules).string = {max_len: 200}];
    Gender gender = 5;
    string email = 6 [(validate.rules).string = {min_len: 1, max_len: 200, email: true}];
    bool is_email_verified = 7;
    string phone = 8 [(validate.rules).string = {max_len: 20}];
    bool is_phone_verified = 9;
    string country = 10 [(validate.rules).string = {max_len: 200}];
    string locality = 11 [(validate.rules).string = {max_len: 200}];
    string postal_code = 12 [(validate.rules).string = {max_len: 200}];
    string region = 13 [(validate.rules).string = {max_len: 200}];
    string street_address = 14 [(validate.rules).string = {max_len: 200}];
    string password = 15 [(validate.rules).string = {max_len: 72}];
}

message CreateMachineRequest {
    string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
    string description = 2 [(validate.rules).string = {min_len: 1, max_len: 500}];
  }

message UserResponse {
    string id = 1;
    UserState state = 2;
    google.protobuf.Timestamp creation_date = 3;
    google.protobuf.Timestamp change_date = 4;
    uint64 sequence = 5;
    string user_name = 6;
  
    oneof user {
      option (validate.required) = true;
  
      HumanResponse human = 7;
      MachineResponse machine = 8;
    }
}

enum UserState {
    USERSTATE_UNSPECIFIED = 0;
    USERSTATE_ACTIVE = 1;
    USERSTATE_INACTIVE = 2;
    USERSTATE_DELETED = 3;
    USERSTATE_LOCKED = 4;
    USERSTATE_SUSPEND = 5;
    USERSTATE_INITIAL= 6;
}

enum Gender {
    GENDER_UNSPECIFIED = 0;
    GENDER_FEMALE = 1;
    GENDER_MALE = 2;
    GENDER_DIVERSE = 3;
}

message HumanResponse {
    string first_name = 1;
    string last_name = 2;
    string display_name = 3;
    string nick_name = 4;
    string preferred_language = 5;
    Gender gender = 6;
    string email = 7;
    bool is_email_verified = 8;
    string phone = 9;
    bool is_phone_verified = 10;
    string country = 11;
    string locality = 12;
    string postal_code = 13;
    string region = 14;
    string street_address = 15;
  }

  message MachineResponse {
    string name = 1;
    string description = 2;
    repeated MachineKeyResponse keys = 3;
  }

  message MachineKeyResponse {
    string id = 1;
    MachineKeyType type = 2;
    uint64 sequence = 3;
  
    google.protobuf.Timestamp creation_date = 4;
    google.protobuf.Timestamp expiration_date = 5;
  }

  enum MachineKeyType {
    MACHINEKEY_UNSPECIFIED = 0;
    MACHINEKEY_JSON = 1;
  }

message CreateOrgRequest {
    string name = 1 [(validate.rules).string.min_len = 1];
    string domain = 2;
}

message OrgIamPolicy {
    string org_id = 1;
    string description = 2;
    bool user_login_must_be_domain = 3;
    bool default = 4;
    uint64 sequence = 5;
    google.protobuf.Timestamp creation_date = 6;
    google.protobuf.Timestamp change_date = 7;
}

message OrgIamPolicyRequest {
    string org_id = 1 [(validate.rules).string = {min_len: 1}];
    string description = 2;
    bool user_login_must_be_domain = 3;
}

message OrgIamPolicyID {
    string org_id = 1 [(validate.rules).string = {min_len: 1}];
}

message IamMemberRoles {
    repeated string roles = 1;
}

message IamMember {
    string user_id = 1;
    repeated string roles = 2;
    google.protobuf.Timestamp change_date = 3;
    google.protobuf.Timestamp creation_date = 4;
    uint64 sequence = 5;
}

message AddIamMemberRequest {
    string user_id = 1 [(validate.rules).string = {min_len: 1}];
    repeated string roles = 2;
}

message ChangeIamMemberRequest {
    string user_id = 1 [(validate.rules).string = {min_len: 1}];
    repeated string roles = 2;
}

message RemoveIamMemberRequest {
    string user_id = 1 [(validate.rules).string = {min_len: 1}];
}

message IamMemberSearchResponse {
    uint64 offset = 1;
    uint64 limit = 2;
    uint64 total_result = 3;
    repeated IamMemberView result = 4;
    uint64 processed_sequence = 5;
    google.protobuf.Timestamp view_timestamp = 6;
}

message IamMemberView {
    string user_id = 1;
    repeated string roles = 2;
    google.protobuf.Timestamp change_date = 3;
    google.protobuf.Timestamp creation_date = 4;
    uint64 sequence = 5;
    string user_name = 6;
    string email = 7;
    string first_name = 8;
    string last_name = 9;
    string display_name = 10;
}

message IamMemberSearchRequest {
    uint64 offset = 1;
    uint64 limit = 2;
    repeated IamMemberSearchQuery queries = 3;
}

message IamMemberSearchQuery {
    IamMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
    SearchMethod method = 2;
    string value = 3;
}

enum IamMemberSearchKey {
    IAMMEMBERSEARCHKEY_UNSPECIFIED = 0;
    IAMMEMBERSEARCHKEY_FIRST_NAME = 1;
    IAMMEMBERSEARCHKEY_LAST_NAME = 2;
    IAMMEMBERSEARCHKEY_EMAIL = 3;
    IAMMEMBERSEARCHKEY_USER_ID = 4;
}

enum SearchMethod {
    SEARCHMETHOD_EQUALS = 0;
    SEARCHMETHOD_STARTS_WITH = 1;
    SEARCHMETHOD_CONTAINS = 2;
    SEARCHMETHOD_EQUALS_IGNORE_CASE = 3;
    SEARCHMETHOD_STARTS_WITH_IGNORE_CASE = 4;
    SEARCHMETHOD_CONTAINS_IGNORE_CASE = 5;
    SEARCHMETHOD_NOT_EQUALS = 6;
    SEARCHMETHOD_GREATER_THAN = 7;
    SEARCHMETHOD_LESS_THAN = 8;
    SEARCHMETHOD_IS_ONE_OF = 9;
    SEARCHMETHOD_LIST_CONTAINS = 10;
}

message FailedEventID {
    string database = 1 [(validate.rules).string = {min_len: 1}];
    string view_name = 2 [(validate.rules).string = {min_len: 1}];
    uint64 failed_sequence = 3;
}

message FailedEvents {
    repeated FailedEvent failed_events = 1;
}

message FailedEvent {
    string database = 1;
    string view_name = 2;
    uint64 failed_sequence = 3;
    uint64 failure_count = 4;
    string error_message = 5;
}

message ViewID {
    string database = 1 [(validate.rules).string = {min_len: 1}];
    string view_name = 2 [(validate.rules).string = {min_len: 1}];
}

message Views {
    repeated View views = 1;
}

message View {
    string database = 1;
    string view_name = 2;
    uint64 processed_sequence = 3;
    google.protobuf.Timestamp view_timestamp = 4;
}

message IdpID {
    string id = 1 [(validate.rules).string = {min_len: 1}];
}

message Idp {
    string id = 1;
    IdpState state = 2;
    google.protobuf.Timestamp creation_date = 3;
    google.protobuf.Timestamp change_date = 4;
    string name = 5;
    bytes logo_src = 6;
    oneof idp_config {
        OidcIdpConfig oidc_config = 7;
    }
    uint64 sequence = 8;
}

message IdpUpdate {
    string id = 1 [(validate.rules).string = {min_len: 1}];
    string name = 2;
    bytes logo_src = 3;
}

message OidcIdpConfig {
    string client_id = 1;
    string client_secret = 2;
    string issuer = 3;
    repeated string scopes = 4;
}

enum IdpState {
    IDPCONFIGSTATE_UNSPECIFIED = 0;
    IDPCONFIGSTATE_ACTIVE = 1;
    IDPCONFIGSTATE_INACTIVE = 2;
}

message OidcIdpConfigCreate {
    string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
    bytes logo_src = 2;
    string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
    string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
    string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}];
    repeated string scopes = 6;
}

message OidcIdpConfigUpdate {
    string idp_id = 1 [(validate.rules).string = {min_len: 1}];
    string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
    string client_secret = 3;
    string issuer = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
    repeated string scopes = 5;
}

message IdpSearchResponse {
    uint64 offset = 1;
    uint64 limit = 2;
    uint64 total_result = 3;
    repeated IdpView result = 4;
    uint64 processed_sequence = 5;
    google.protobuf.Timestamp view_timestamp = 6;
}

message IdpView {
    string id = 1;
    IdpState state = 2;
    google.protobuf.Timestamp creation_date = 3;
    google.protobuf.Timestamp change_date = 4;
    string name = 5;
    bytes logo_src = 6;
    oneof idp_config_view {
        OidcIdpConfigView oidc_config = 7;
    }
    uint64 sequence = 8;
}

message OidcIdpConfigView {
    string client_id = 1;
    string issuer = 2;
    repeated string scopes = 3;
}

message IdpSearchRequest {
    uint64 offset = 1;
    uint64 limit = 2;
    repeated IdpSearchQuery queries = 3;
}

message IdpSearchQuery {
    IdpSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
    SearchMethod method = 2;
    string value = 3;
}

enum IdpSearchKey {
    IDPSEARCHKEY_UNSPECIFIED = 0;
    IDPSEARCHKEY_IDP_CONFIG_ID = 1;
    IDPSEARCHKEY_NAME = 2;
}

message DefaultLoginPolicy {
    bool allow_username_password = 1;
    bool allow_register = 2;
    bool allow_external_idp = 3;
}

message IdpProviderID {
    string idp_config_id = 1 [(validate.rules).string = {min_len: 1}];
}

message DefaultLoginPolicyView {
    bool allow_username_password = 1;
    bool allow_register = 2;
    bool allow_external_idp = 3;
}

message IdpProviderView {
    string idp_config_id = 1;
    string name = 2;
    IdpType type = 3;
}

enum IdpType {
    IDPTYPE_UNSPECIFIED = 0;
    IDPTYPE_OIDC = 1;
    IDPTYPE_SAML = 2;
}

message IdpProviderSearchResponse {
    uint64 offset = 1;
    uint64 limit = 2;
    uint64 total_result = 3;
    repeated IdpProviderView result = 4;
    uint64 processed_sequence = 5;
    google.protobuf.Timestamp view_timestamp = 6;
}

message IdpProviderSearchRequest {
    uint64 offset = 1;
    uint64 limit = 2;
}