syntax = "proto3";
package auth;
// Credential issuance service.
service AuthenticationService {
  // Streams CredentialResponse messages for a single UserCredentialRequest.
  // A response may carry a UserAction the user has to complete before the
  // requested credentials are delivered in a later message of the stream.
  rpc RequestUserCredential (UserCredentialRequest) returns (stream CredentialResponse) {}
}
// Asks for an SSH certificate to be issued for a client-held key.
message SshCertificateRequest {
  // SSH public key to be certified. The encoding is not fixed by this
  // schema (presumably the OpenSSH one-line form) — confirm with the server.
  string public_key = 1;
}
// Result of an SshCertificateRequest.
message SshCertificate {
  // Signed SSH certificate for the public key that was submitted.
  string certificate = 1;
}
// Requested lifetime for the SSH certificate (sent alongside
// SshCertificateRequest in UserCredentialRequest).
message SshCertificateTtl {
  // Lifetime as a string. Format and unit are not specified in this schema
  // — TODO confirm what the server parses (e.g. a duration string).
  string certificate_ttl = 1;
}
// Anti-luring check: a request is only treated as genuine when the backend
// can fetch this value back from localhost:1215 on the client. This makes it
// harder to hand a login URL to another user and hijack the resulting session.
message ClientValidation {
  // Value the backend expects to read from localhost:1215.
  // NOTE(review): the check only helps if this value is not guessable by a
  // third party — confirm how it is generated and whether it is single-use.
  string ident = 1;
}
// Asks for a Vault token. Carries no parameters; setting this field in
// UserCredentialRequest is what signals the request.
message VaultTokenRequest {
}
// Result of a VaultTokenRequest: a short-lived Vault token.
message VaultToken {
  // The token itself. This is a bearer secret; callers should avoid logging
  // it or persisting it longer than needed.
  string token = 1;
}
// Asks for a short-lived X.509 certificate carrying VMware attributes.
message VmwareCertificateRequest {
  // Certificate signing request for the key the client holds. Encoding is
  // not fixed by this schema (presumably PEM) — confirm with the server.
  string csr = 1;
}
// Result of a VmwareCertificateRequest.
message VmwareCertificate {
  // Issued X.509 certificate with VMware attributes added.
  string certificate = 1;
  // Issuer chain for the certificate. Order is not specified in this schema.
  repeated string ca_chain = 2;
}
// Asks for a long-lived X.509 client certificate to be used together with
// the BrowserCookie. It is long-lived because browsers make installing a
// new certificate cumbersome.
message BrowserCertificateRequest {
  // Certificate signing request for the key the browser holds. Encoding is
  // not fixed by this schema (presumably PEM) — confirm with the server.
  string csr = 1;
}
// Result of a BrowserCertificateRequest.
message BrowserCertificate {
  // Issued long-lived X.509 client certificate.
  string certificate = 1;
  // Issuer chain for the certificate. Order is not specified in this schema.
  repeated string ca_chain = 2;
}
// Asks for a short-lived X.509 certificate carrying Kubernetes attributes.
message KubernetesCertificateRequest {
  // Certificate signing request.
  // TODO(bluecmd): Unused due to https://github.com/hashicorp/vault/issues/4562
  // — the key pair is currently produced on the server side instead (see
  // KubernetesCertificate.private_key).
  string csr = 1;
}
// Result of a KubernetesCertificateRequest.
message KubernetesCertificate {
  // Issued X.509 certificate with Kubernetes attributes.
  string certificate = 1;
  // Private key matching `certificate`. It is sent over the wire only because
  // the CSR in the request cannot be used yet; treat it as secret material.
  // TODO(bluecmd): Remove when https://github.com/hashicorp/vault/issues/4562 is fixed
  string private_key = 2;
  // Issuer chain for the certificate. Order is not specified in this schema.
  repeated string ca_chain = 3;
}
// Asks for the short-lived authentication cookie that is used together with
// the BrowserCertificate. If a user action was triggered, the backend has
// already set the cookie in the browser. Carries no parameters.
message BrowserCookieRequest {
}
// Result of a BrowserCookieRequest: the authentication cookie.
message BrowserCookie {
  // Cookie name. The backend also sets this cookie in the browser when the
  // flow completes after a user challenge.
  string name = 1;
  // Cookie value. This is a session secret; avoid logging it.
  string value = 2;
  // DNS domain (with wildcard) the cookie applies to.
  string domain = 3;
  // Expiry as a Unix epoch timestamp in seconds.
  uint64 expires = 4;
}
// Request for one or more credentials. Each sub-request is a message field,
// so only the ones that are set are requested.
message UserCredentialRequest {
  // Proof that the request comes from the client that initiated the flow.
  ClientValidation client_validation = 1;
  // Set to request an SSH certificate.
  SshCertificateRequest ssh_certificate_request = 2;
  // Set to request a Vault token.
  VaultTokenRequest vault_token_request = 3;
  // Set to request a Kubernetes client certificate.
  KubernetesCertificateRequest kubernetes_certificate_request = 4;
  // Set to request the browser authentication cookie.
  BrowserCookieRequest browser_cookie_request = 5;
  // Set to request a long-lived browser client certificate.
  BrowserCertificateRequest browser_certificate_request = 6;
  // Set to request a VMware client certificate.
  VmwareCertificateRequest vmware_certificate_request = 7;
  // Requested lifetime for the SSH certificate; goes with field 2.
  SshCertificateTtl ssh_certificate_ttl = 8;
}
// Something the user has to do before the flow can continue.
message UserAction {
  // Interactive URL the user needs to visit and act on.
  // NOTE(review): the schema does not constrain this value; a client that
  // opens it automatically should check it points at the expected origin.
  string url = 1;
}
// One message of the RequestUserCredential response stream. Any subset of the
// credential fields may be set; the others are left unset.
message CredentialResponse {
  // When set, the user must complete this action before credentials are
  // delivered.
  UserAction required_action = 1;
  // Issued SSH certificate, if requested.
  SshCertificate ssh_certificate = 2;
  // Issued Vault token, if requested.
  VaultToken vault_token = 3;
  // Issued Kubernetes certificate (and, for now, its private key), if requested.
  KubernetesCertificate kubernetes_certificate = 4;
  // Issued browser authentication cookie, if requested.
  BrowserCookie browser_cookie = 5;
  // Issued long-lived browser certificate, if requested.
  BrowserCertificate browser_certificate = 6;
  // Issued VMware certificate, if requested.
  VmwareCertificate vmware_certificate = 7;
}