zitadel/pkg/grpc/admin/proto/admin.proto
Fabi db1d8f4efe
feat: idp and login policy configurations (#619)
* feat: oidc config

* fix: oidc configurations

* feat: oidc idp config

* feat: add oidc config test

* fix: tests

* fix: tests

* feat: translate new events

* feat: idp eventstore

* feat: idp eventstore

* fix: tests

* feat: command side idp

* feat: query side idp

* feat: idp config on org

* fix: tests

* feat: authz idp on org

* feat: org idps

* feat: login policy

* feat: login policy

* feat: login policy

* feat: add idp func on login policy

* feat: add validation to loginpolicy and idp provider

* feat: add default login policy

* feat: login policy on org

* feat: login policy on org

* fix: id config handlers

* fix: id config handlers

* fix: create idp on org

* fix: create idp on org

* fix: not existing idp config

* fix: default login policy

* fix: add login policy on org

* fix: idp provider search on org

* fix: test

* fix: remove idp on org

* fix: test

* fix: test

* fix: remove admin idp

* fix: logo src as byte

* fix: migration

* fix: tests

* Update internal/iam/repository/eventsourcing/iam.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/iam/repository/eventsourcing/iam_test.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/iam/repository/eventsourcing/iam_test.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/iam/repository/eventsourcing/model/login_policy.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/iam/repository/eventsourcing/model/login_policy.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/org/repository/eventsourcing/org_test.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/iam/repository/eventsourcing/model/login_policy_test.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/iam/repository/eventsourcing/model/login_policy_test.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* fix: pr comments

* fix: tests

* Update types.go

* fix: merge request changes

* fix: reduce optimization

Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2020-08-26 09:56:23 +02:00

797 lines
20 KiB
Protocol Buffer

syntax = "proto3";
import "google/api/annotations.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/timestamp.proto";
import "google/protobuf/struct.proto";
import "validate/validate.proto";
import "protoc-gen-swagger/options/annotations.proto";
import "authoption/options.proto";
package caos.zitadel.admin.api.v1;
option go_package ="github.com/caos/zitadel/pkg/grpc/admin";
option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = {
info: {
title: "admin service";
version: "0.1";
contact:{
url: "https://github.com/caos/zitadel/pkg/admin"
};
};
schemes: HTTPS;
consumes: "application/json";
consumes: "application/grpc";
produces: "application/json";
produces: "application/grpc";
};
service AdminService {
// ---------
// Probes
// ---------
// Healthz returns status OK as soon as the service started
rpc Healthz(google.protobuf.Empty) returns (google.protobuf.Empty) {
option (google.api.http) = {
get: "/healthz"
};
}
// Ready returns status OK as soon as all dependent services are available
rpc Ready(google.protobuf.Empty) returns (google.protobuf.Empty) {
option (google.api.http) = {
get: "/ready"
};
}
rpc Validate(google.protobuf.Empty) returns (google.protobuf.Struct) {
option (google.api.http) = {
get: "/validate"
};
}
//ORG
rpc IsOrgUnique(UniqueOrgRequest) returns (UniqueOrgResponse) {
option (google.api.http) = {
get: "/orgs/_isunique"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.read"
};
}
rpc GetOrgByID(OrgID) returns (Org) {
option (google.api.http) = {
get: "/orgs/{id}"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.read"
};
}
rpc SearchOrgs(OrgSearchRequest) returns (OrgSearchResponse) {
option (google.api.http) = {
post: "/orgs/_search"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.read"
};
}
rpc SetUpOrg(OrgSetUpRequest) returns (OrgSetUpResponse) {
option (google.api.http) = {
post: "/orgs/_setup"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.write"
};
}
//ORG_IAM_POLICY
rpc GetOrgIamPolicy(OrgIamPolicyID) returns (OrgIamPolicy) {
option (google.api.http) = {
get: "/orgs/{org_id}/iampolicy"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.policy.read"
};
}
rpc CreateOrgIamPolicy(OrgIamPolicyRequest) returns (OrgIamPolicy) {
option (google.api.http) = {
post: "/orgs/{org_id}/iampolicy"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.policy.write"
};
}
rpc UpdateOrgIamPolicy(OrgIamPolicyRequest) returns (OrgIamPolicy) {
option (google.api.http) = {
put: "/orgs/{org_id}/iampolicy"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.policy.write"
};
}
rpc DeleteOrgIamPolicy(OrgIamPolicyID) returns (google.protobuf.Empty) {
option (google.api.http) = {
delete: "/orgs/{org_id}/iampolicy"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.policy.delete"
};
}
rpc GetIamMemberRoles(google.protobuf.Empty) returns (IamMemberRoles) {
option (google.api.http) = {
get: "/members/roles"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.member.read"
};
}
rpc AddIamMember(AddIamMemberRequest) returns (IamMember) {
option (google.api.http) = {
post: "/members"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.member.write"
};
}
rpc ChangeIamMember(ChangeIamMemberRequest) returns (IamMember) {
option (google.api.http) = {
put: "/members/{user_id}"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.member.write"
};
}
rpc RemoveIamMember(RemoveIamMemberRequest) returns (google.protobuf.Empty) {
option (google.api.http) = {
delete: "/members/{user_id}"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.member.delete"
};
}
rpc SearchIamMembers(IamMemberSearchRequest) returns (IamMemberSearchResponse) {
option (google.api.http) = {
post: "/members/_search"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.member.read"
};
}
rpc GetViews(google.protobuf.Empty) returns (Views) {
option (google.api.http) = {
get: "/views"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.read"
};
}
rpc ClearView(ViewID) returns (google.protobuf.Empty) {
option (google.api.http) = {
post: "/views/{database}/{view_name}"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.write"
};
}
rpc GetFailedEvents(google.protobuf.Empty) returns (FailedEvents) {
option (google.api.http) = {
get: "/failedevents"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.read"
};
}
rpc RemoveFailedEvent(FailedEventID) returns (google.protobuf.Empty) {
option (google.api.http) = {
delete: "/failedevents/{database}/{view_name}/{failed_sequence}"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.write"
};
}
rpc IdpByID(IdpID) returns (IdpView) {
option (google.api.http) = {
get: "/idps/{id}"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.idp.read"
};
}
rpc CreateOidcIdp(OidcIdpConfigCreate) returns (Idp) {
option (google.api.http) = {
post: "/idps/oidc"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.idp.write"
};
}
rpc UpdateIdpConfig(IdpUpdate) returns (Idp) {
option (google.api.http) = {
put: "/idps/{id}"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.idp.write"
};
}
rpc DeactivateIdpConfig(IdpID) returns (Idp) {
option (google.api.http) = {
put: "/idps/{id}/_deactivate"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.idp.write"
};
}
rpc ReactivateIdpConfig(IdpID) returns (Idp) {
option (google.api.http) = {
put: "/idps/{id}/_reactivate"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.idp.write"
};
}
rpc RemoveIdpConfig(IdpID) returns (google.protobuf.Empty) {
option (google.api.http) = {
delete: "/idps/{id}"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.idp.write"
};
}
rpc UpdateOidcIdpConfig(OidcIdpConfigUpdate) returns (OidcIdpConfig) {
option (google.api.http) = {
put: "/idps/{idp_id}/oidcconfig"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.idp.write"
};
}
rpc SearchIdps(IdpSearchRequest) returns (IdpSearchResponse) {
option (google.api.http) = {
post: "/idps/_search"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.idp.read"
};
}
rpc GetDefaultLoginPolicy(google.protobuf.Empty) returns (DefaultLoginPolicyView) {
option (google.api.http) = {
get: "/policies/login"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.policy.read"
};
}
rpc UpdateDefaultLoginPolicy(DefaultLoginPolicy) returns (DefaultLoginPolicy) {
option (google.api.http) = {
put: "/policies/login"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.policy.write"
};
}
rpc GetDefaultLoginPolicyIdpProviders(IdpProviderSearchRequest) returns (IdpProviderSearchResponse) {
option (google.api.http) = {
post: "/policies/login/idpproviders/_search"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.policy.read"
};
}
rpc AddIdpProviderToDefaultLoginPolicy(IdpProviderID) returns (IdpProviderID) {
option (google.api.http) = {
post: "/policies/login/idpproviders"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.policy.write"
};
}
rpc RemoveIdpProviderFromDefaultLoginPolicy(IdpProviderID) returns (google.protobuf.Empty) {
option (google.api.http) = {
post: "/policies/login/idpproviders/{idp_config_id}"
body: "*"
};
option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.policy.write"
};
}
}
message OrgID {
string id = 1;
}
message UniqueOrgRequest {
string name = 1 [(validate.rules).string.min_len = 1];
string domain = 2 [(validate.rules).string.min_len = 1];
}
message UniqueOrgResponse {
bool is_unique = 1;
}
message Org {
string id = 1;
OrgState state = 2;
google.protobuf.Timestamp creation_date = 3;
google.protobuf.Timestamp change_date = 4;
string name = 5;
string domain = 6;
}
enum OrgState {
ORGSTATE_UNSPECIFIED = 0;
ORGSTATE_ACTIVE = 1;
ORGSTATE_INACTIVE = 2;
}
message OrgSearchRequest {
uint64 offset = 1;
uint64 limit = 2;
OrgSearchKey sorting_column = 3 [(validate.rules).enum = {not_in: [0]}];;
bool asc = 4;
repeated OrgSearchQuery queries = 5;
}
message OrgSearchQuery {
OrgSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];;
OrgSearchMethod method = 2;
string value = 3;
}
enum OrgSearchKey {
ORGSEARCHKEY_UNSPECIFIED = 0;
ORGSEARCHKEY_ORG_NAME = 1;
ORGSEARCHKEY_DOMAIN = 2;
ORGSEARCHKEY_STATE = 3;
}
message OrgSearchResponse {
uint64 offset = 1;
uint64 limit = 2;
uint64 total_result = 3;
repeated Org result = 4;
uint64 processed_sequence = 5;
google.protobuf.Timestamp view_timestamp = 6;
}
enum OrgSearchMethod {
ORGSEARCHMETHOD_EQUALS = 0;
ORGSEARCHMETHOD_STARTS_WITH = 1;
ORGSEARCHMETHOD_CONTAINS = 2;
}
message OrgSetUpRequest {
CreateOrgRequest org = 1;
CreateUserRequest user = 2;
}
message OrgSetUpResponse {
Org org = 1;
User user = 2;
}
message CreateUserRequest {
string user_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
string first_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
string last_name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
string nick_name = 4 [(validate.rules).string = {max_len: 200}];
string preferred_language = 5 [(validate.rules).string = {max_len: 200}];
Gender gender = 6;
string email = 7 [(validate.rules).string = {min_len: 1, max_len: 200, email: true}];
bool is_email_verified = 8;
string phone = 9 [(validate.rules).string = {max_len: 20}];
bool is_phone_verified = 10;
string country = 11 [(validate.rules).string = {max_len: 200}];
string locality = 12 [(validate.rules).string = {max_len: 200}];
string postal_code = 13 [(validate.rules).string = {max_len: 200}];
string region = 14 [(validate.rules).string = {max_len: 200}];
string street_address = 15 [(validate.rules).string = {max_len: 200}];
string password = 16 [(validate.rules).string = {max_len: 72}];
}
message User {
string id = 1;
UserState state = 2;
google.protobuf.Timestamp creation_date = 3;
google.protobuf.Timestamp change_date = 4;
string user_name = 5;
string first_name = 6;
string last_name = 7;
string nick_name = 8;
string display_name = 9;
string preferred_language = 10;
Gender gender = 11;
string email = 12;
bool isEmailVerified = 13;
string phone = 14;
bool isPhoneVerified = 15;
string country = 16;
string locality = 17;
string postal_code = 18;
string region = 19;
string street_address = 20;
uint64 sequence = 21;
}
enum UserState {
USERSTATE_UNSPECIFIED = 0;
USERSTATE_ACTIVE = 1;
USERSTATE_INACTIVE = 2;
USERSTATE_DELETED = 3;
USERSTATE_LOCKED = 4;
USERSTATE_SUSPEND = 5;
USERSTATE_INITIAL= 6;
}
enum Gender {
GENDER_UNSPECIFIED = 0;
GENDER_FEMALE = 1;
GENDER_MALE = 2;
GENDER_DIVERSE = 3;
}
message CreateOrgRequest {
string name = 1 [(validate.rules).string.min_len = 1];
string domain = 2;
}
message OrgIamPolicy {
string org_id = 1;
string description = 2;
bool user_login_must_be_domain = 3;
bool default = 4;
uint64 sequence = 5;
google.protobuf.Timestamp creation_date = 6;
google.protobuf.Timestamp change_date = 7;
}
message OrgIamPolicyRequest {
string org_id = 1;
string description = 2;
bool user_login_must_be_domain = 3;
}
message OrgIamPolicyID {
string org_id = 1;
}
message IamMemberRoles {
repeated string roles = 1;
}
message IamMember {
string user_id = 1;
repeated string roles = 2;
google.protobuf.Timestamp change_date = 3;
google.protobuf.Timestamp creation_date = 4;
uint64 sequence = 5;
}
message AddIamMemberRequest {
string user_id = 1;
repeated string roles = 2;
}
message ChangeIamMemberRequest {
string user_id = 1;
repeated string roles = 2;
}
message RemoveIamMemberRequest {
string user_id = 1;
}
message IamMemberSearchResponse {
uint64 offset = 1;
uint64 limit = 2;
uint64 total_result = 3;
repeated IamMemberView result = 4;
uint64 processed_sequence = 5;
google.protobuf.Timestamp view_timestamp = 6;
}
message IamMemberView {
string user_id = 1;
repeated string roles = 2;
google.protobuf.Timestamp change_date = 3;
google.protobuf.Timestamp creation_date = 4;
uint64 sequence = 5;
string user_name = 6;
string email = 7;
string first_name = 8;
string last_name = 9;
string display_name = 10;
}
message IamMemberSearchRequest {
uint64 offset = 1;
uint64 limit = 2;
repeated IamMemberSearchQuery queries = 3;
}
message IamMemberSearchQuery {
IamMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
SearchMethod method = 2;
string value = 3;
}
enum IamMemberSearchKey {
IAMMEMBERSEARCHKEY_UNSPECIFIED = 0;
IAMMEMBERSEARCHKEY_FIRST_NAME = 1;
IAMMEMBERSEARCHKEY_LAST_NAME = 2;
IAMMEMBERSEARCHKEY_EMAIL = 3;
IAMMEMBERSEARCHKEY_USER_ID = 4;
}
enum SearchMethod {
SEARCHMETHOD_EQUALS = 0;
SEARCHMETHOD_STARTS_WITH = 1;
SEARCHMETHOD_CONTAINS = 2;
SEARCHMETHOD_EQUALS_IGNORE_CASE = 3;
SEARCHMETHOD_STARTS_WITH_IGNORE_CASE = 4;
SEARCHMETHOD_CONTAINS_IGNORE_CASE = 5;
SEARCHMETHOD_NOT_EQUALS = 6;
SEARCHMETHOD_GREATER_THAN = 7;
SEARCHMETHOD_LESS_THAN = 8;
SEARCHMETHOD_IS_ONE_OF = 9;
SEARCHMETHOD_LIST_CONTAINS = 10;
}
message FailedEventID {
string database = 1;
string view_name = 2;
uint64 failed_sequence = 3;
}
message FailedEvents {
repeated FailedEvent failed_events = 1;
}
message FailedEvent {
string database = 1;
string view_name = 2;
uint64 failed_sequence = 3;
uint64 failure_count = 4;
string error_message = 5;
}
message ViewID {
string database = 1;
string view_name = 2;
}
message Views {
repeated View views = 1;
}
message View {
string database = 1;
string view_name = 2;
uint64 processed_sequence = 3;
google.protobuf.Timestamp view_timestamp = 4;
}
message IdpID {
string id = 1;
}
message Idp {
string id = 1;
IdpState state = 2;
google.protobuf.Timestamp creation_date = 3;
google.protobuf.Timestamp change_date = 4;
string name = 5;
bytes logo_src = 6;
oneof idp_config {
OidcIdpConfig oidc_config = 7;
}
uint64 sequence = 8;
}
message IdpUpdate {
string id = 1;
string name = 2;
bytes logo_src = 3;
}
message OidcIdpConfig {
string client_id = 1;
string client_secret = 2;
string issuer = 3;
repeated string scopes = 4;
}
enum IdpState {
IDPCONFIGSTATE_UNSPECIFIED = 0;
IDPCONFIGSTATE_ACTIVE = 1;
IDPCONFIGSTATE_INACTIVE = 2;
}
message OidcIdpConfigCreate {
string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
bytes logo_src = 2;
string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}];
repeated string scopes = 6;
}
message OidcIdpConfigUpdate {
string idp_id = 1;
string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
string client_secret = 3;
string issuer = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
repeated string scopes = 5;
}
message IdpSearchResponse {
uint64 offset = 1;
uint64 limit = 2;
uint64 total_result = 3;
repeated IdpView result = 4;
uint64 processed_sequence = 5;
google.protobuf.Timestamp view_timestamp = 6;
}
message IdpView {
string id = 1;
IdpState state = 2;
google.protobuf.Timestamp creation_date = 3;
google.protobuf.Timestamp change_date = 4;
string name = 5;
bytes logo_src = 6;
oneof idp_config_view {
OidcIdpConfigView oidc_config = 7;
}
uint64 sequence = 8;
}
message OidcIdpConfigView {
string client_id = 1;
string issuer = 2;
repeated string scopes = 3;
}
message IdpSearchRequest {
uint64 offset = 1;
uint64 limit = 2;
repeated IdpSearchQuery queries = 3;
}
message IdpSearchQuery {
IdpSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
SearchMethod method = 2;
string value = 3;
}
enum IdpSearchKey {
IDPSEARCHKEY_UNSPECIFIED = 0;
IDPSEARCHKEY_IDP_CONFIG_ID = 1;
IDPSEARCHKEY_NAME = 2;
}
message DefaultLoginPolicy {
bool allow_username_password = 1;
bool allow_register = 2;
bool allow_external_idp = 3;
}
message IdpProviderID {
string idp_config_id = 1;
}
message DefaultLoginPolicyView {
bool allow_username_password = 1;
bool allow_register = 2;
bool allow_external_idp = 3;
}
message IdpProviderViews {
repeated IdpProviderView providers = 1;
}
message IdpProviderView {
string idp_config_id = 1;
string name = 2;
IdpType type = 3;
}
enum IdpType {
IDPTYPE_UNSPECIFIED = 0;
IDPTYPE_OIDC = 1;
IDPTYPE_SAML = 2;
}
message IdpProviderSearchResponse {
uint64 offset = 1;
uint64 limit = 2;
uint64 total_result = 3;
repeated IdpProviderView result = 4;
uint64 processed_sequence = 5;
google.protobuf.Timestamp view_timestamp = 6;
}
message IdpProviderSearchRequest {
uint64 offset = 1;
uint64 limit = 2;
}