Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Application passwords management #127

Merged
merged 6 commits into from
May 27, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
152 changes: 152 additions & 0 deletions cs3/auth/applications/v1beta1/applications_api.proto
Original file line number Diff line number Diff line change
@@ -0,0 +1,152 @@
// Copyright 2018-2019 CERN
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// In applying this license, CERN does not waive the privileges and immunities
// granted to it by virtue of its status as an Intergovernmental Organization
// or submit itself to any jurisdiction.

syntax = "proto3";

package cs3.auth.applications.v1beta1;

option csharp_namespace = "Cs3.Auth.Applications.V1Beta1";
option go_package = "applicationsv1beta1";
option java_multiple_files = true;
option java_outer_classname = "ApplicationsApiProto";
option java_package = "com.cs3.auth.applications.v1beta1";
option objc_class_prefix = "CAA";
option php_namespace = "Cs3\\Auth\\Applications\\V1Beta1";

import "cs3/auth/applications/v1beta1/resources.proto";
import "cs3/auth/provider/v1beta1/resources.proto";
import "cs3/identity/user/v1beta1/resources.proto";
import "cs3/rpc/v1beta1/status.proto";
import "cs3/types/v1beta1/types.proto";

// Auth Applications API
//
// The Auth Applications API is meant to generate and manage authentication
// tokens with specified scopes to be used in third-party applications on behalf
// of the user.
//
// The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
// NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
// "OPTIONAL" in this document are to be interpreted as described in
// RFC 2119.
//
// The following are global requirements that apply to all methods:
// Any method MUST return CODE_OK on a succesful operation.
// Any method MAY return NOT_IMPLEMENTED.
// Any method MAY return INTERNAL.
// Any method MAY return UNKNOWN.
// Any method MAY return UNAUTHENTICATED.
service ApplicationsAPI {
// GenerateAppPassword creates a password with specified scope to be used by
// third-party applications.
rpc GenerateAppPassword(GenerateAppPasswordRequest) returns (GenerateAppPasswordResponse);
// ListAppPasswords lists the application passwords created by a user.
rpc ListAppPasswords(ListAppPasswordsRequest) returns (ListAppPasswordsResponse);
// InvalidateAppPassword invalidates a generated password.
rpc InvalidateAppPassword(InvalidateAppPasswordRequest) returns (InvalidateAppPasswordResponse);
// GetAppPassword retrieves the password information by the combination of username and password.
rpc GetAppPassword(GetAppPasswordRequest) returns (GetAppPasswordResponse);
}

message GenerateAppPasswordRequest {
// OPTIONAL.
// Opaque information.
cs3.types.v1beta1.Opaque opaque = 1;
// OPTIONAL.
// The scope of the token to be issued.
// This would be a list of resources with corresponding role-based access scope.
map<string, cs3.auth.provider.v1beta1.Scope> token_scope = 2;
// OPTIONAL.
// A label to be associated with the password.
string label = 3;
// OPTIONAL.
// The time when the token will expire.
cs3.types.v1beta1.Timestamp expiration = 4;
}

message GenerateAppPasswordResponse {
// REQUIRED.
// The response status.
cs3.rpc.v1beta1.Status status = 1;
// OPTIONAL.
// Opaque information.
cs3.types.v1beta1.Opaque opaque = 2;
// REQUIRED.
// The generated access password.
AppPassword app_password = 3;
}

message ListAppPasswordsRequest {
// OPTIONAL.
// Opaque information.
cs3.types.v1beta1.Opaque opaque = 1;
}

message ListAppPasswordsResponse {
// REQUIRED.
// The response status.
cs3.rpc.v1beta1.Status status = 1;
// OPTIONAL.
// Opaque information.
cs3.types.v1beta1.Opaque opaque = 2;
// REQUIRED.
// The generated access password.
repeated AppPassword app_passwords = 3;
}

message InvalidateAppPasswordRequest {
// OPTIONAL.
// Opaque information.
cs3.types.v1beta1.Opaque opaque = 1;
// REQUIRED.
// The password which has to be invalidated.
string password = 2;
}

message InvalidateAppPasswordResponse {
// REQUIRED.
// The response status.
cs3.rpc.v1beta1.Status status = 1;
// OPTIONAL.
// Opaque information.
cs3.types.v1beta1.Opaque opaque = 2;
}

message GetAppPasswordRequest {
// OPTIONAL.
// Opaque information.
cs3.types.v1beta1.Opaque opaque = 1;
// REQUIRED.
// The user who created the app password.
cs3.identity.user.v1beta1.UserId user = 2;
// REQUIRED.
// The password which has to be retrieved.
string password = 3;
}

message GetAppPasswordResponse {
// REQUIRED.
// The response status.
cs3.rpc.v1beta1.Status status = 1;
// OPTIONAL.
// Opaque information.
cs3.types.v1beta1.Opaque opaque = 2;
// REQUIRED.
// The generated access password.
AppPassword app_password = 3;
}
60 changes: 60 additions & 0 deletions cs3/auth/applications/v1beta1/resources.proto
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
// Copyright 2018-2019 CERN
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// In applying this license, CERN does not waive the privileges and immunities
// granted to it by virtue of its status as an Intergovernmental Organization
// or submit itself to any jurisdiction.

syntax = "proto3";

package cs3.auth.applications.v1beta1;

option csharp_namespace = "Cs3.Auth.Applications.V1Beta1";
option go_package = "applicationsv1beta1";
option java_multiple_files = true;
option java_outer_classname = "ResourcesProto";
option java_package = "com.cs3.auth.applications.v1beta1";
option objc_class_prefix = "CAA";
option php_namespace = "Cs3\\Auth\\Applications\\V1Beta1";

import "cs3/auth/provider/v1beta1/resources.proto";
import "cs3/identity/user/v1beta1/resources.proto";
import "cs3/types/v1beta1/types.proto";

// AppPassword stores information about secondary passwords generated by users
// to be used with third-party applications.
message AppPassword {
ishank011 marked this conversation as resolved.
Show resolved Hide resolved
// REQUIRED.
// The generated access password.
string password = 1;
// OPTIONAL.
// The scope of the token to be issued.
// This would be a list of resources with corresponding role-based access scope.
map<string, cs3.auth.provider.v1beta1.Scope> token_scope = 2;
// OPTIONAL.
// A label to be associated with the password.
string label = 3;
// REQUIRED.
// The user who created the password.
cs3.identity.user.v1beta1.UserId user = 4;
// OPTIONAL.
// The time when the token will expire.
cs3.types.v1beta1.Timestamp expiration = 5;
// REQUIRED.
// The creation time of the password.
cs3.types.v1beta1.Timestamp ctime = 6;
// REQUIRED.
// The last time the password was used.
cs3.types.v1beta1.Timestamp utime = 7;
}
13 changes: 13 additions & 0 deletions cs3/auth/provider/v1beta1/provider_api.proto
Original file line number Diff line number Diff line change
Expand Up @@ -54,13 +54,26 @@ service ProviderAPI {
}

message AuthenticateRequest {
// OPTIONAL.
// Opaque information.
cs3.types.v1beta1.Opaque opaque = 1;
// OPTIONAL.
// The id of the client.
// For basic authentication with username and password
// both client_id and client_secret are expected to be filled.
// However, for example, for OIDC only a token is necessary.
string client_id = 2;
// OPTIONAL.
// The secret of the client.
string client_secret = 3;
}

message AuthenticateResponse {
// REQUIRED.
// The response status.
cs3.rpc.v1beta1.Status status = 1;
// REQUIRED.
// The authenticated user.
cs3.identity.user.v1beta1.User user = 2;
// REQUIRED.
// The scope of the token to be issued.
Expand Down
16 changes: 15 additions & 1 deletion cs3/gateway/v1beta1/gateway_api.proto
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ option php_namespace = "Cs3\\Gateway\\V1Beta1";

import "cs3/app/provider/v1beta1/provider_api.proto";
import "cs3/app/registry/v1beta1/registry_api.proto";
import "cs3/auth/applications/v1beta1/applications_api.proto";
import "cs3/auth/registry/v1beta1/registry_api.proto";
import "cs3/gateway/v1beta1/resources.proto";
import "cs3/identity/group/v1beta1/group_api.proto";
Expand Down Expand Up @@ -75,6 +76,19 @@ service GatewayAPI {
// WhoAmI returns the information for a user.
rpc WhoAmI(WhoAmIRequest) returns (WhoAmIResponse);
// *****************************************************************/
// ********************** APPLICATIONS AUTH ************************/
// *****************************************************************/

// GenerateAppPassword creates a password with specified scope to be used by
// third-party applications.
rpc GenerateAppPassword(cs3.auth.applications.v1beta1.GenerateAppPasswordRequest) returns (cs3.auth.applications.v1beta1.GenerateAppPasswordResponse);
// ListAppPasswords lists the application passwords created by a user.
rpc ListAppPasswords(cs3.auth.applications.v1beta1.ListAppPasswordsRequest) returns (cs3.auth.applications.v1beta1.ListAppPasswordsResponse);
// InvalidateAppPassword invalidates a generated password.
rpc InvalidateAppPassword(cs3.auth.applications.v1beta1.InvalidateAppPasswordRequest) returns (cs3.auth.applications.v1beta1.InvalidateAppPasswordResponse);
// GetAppPassword retrieves the password information by the combination of username and password.
rpc GetAppPassword(cs3.auth.applications.v1beta1.GetAppPasswordRequest) returns (cs3.auth.applications.v1beta1.GetAppPasswordResponse);
// *****************************************************************/
// ************************ STORAGE PROVIDER ***********************/
// *****************************************************************/

Expand Down Expand Up @@ -389,7 +403,7 @@ message AuthenticateResponse {
// The access token.
string token = 3;
// REQUIRED.
// The user.
// The authenticated user.
cs3.identity.user.v1beta1.User user = 4;
}

Expand Down
Loading