syntax = "proto3";
package spire.common;
option go_package = "github.com/spiffe/spire/proto/spire/common";
/** Represents an empty message, i.e. a payload with no fields.
 * NOTE(review): if this one type is shared as the request/response of
 * several RPCs, no method can later gain a field without a signature
 * change; a per-method `FooRequest {}` avoids that. Confirm against the
 * service definitions, which are not in this file. */
message Empty {}
/** A type which contains attestation data for a specific platform.
 * `type` says how `data` is to be interpreted; `data` itself is opaque at
 * this layer. Whatever parses `data` is consuming input supplied by the
 * party being attested, so it should be treated as untrusted until the
 * attestation has actually been verified. */
message AttestationData {
/** Type of attestation to perform; selects the attestor that understands `data`. */
string type = 1;
/** The attestation data. Opaque bytes whose format is defined by `type`. */
bytes data = 2;
}
/** A type which describes the conditions under which a registration
entry is matched. A selector is a (type, value) pair: a RegistrationEntry
carries the selectors it requires, and an AttestedNode carries the
selectors discovered for it; matching compares the two sets. */
message Selector {
/** A selector type represents the type of attestation used in attesting
the entity (e.g. AWS, K8s). It namespaces `value`, so two selectors with
the same value but different types are different selectors. */
string type = 1;
/** The value to be attested. Opaque string whose format is defined by `type`. */
string value = 2;
}
/** Represents a type with a list of Selector. Wrapper so a selector set can
 * be carried where a bare `repeated` field is not allowed (e.g. inside a
 * map value or a oneof). */
message Selectors {
/** A list of Selector. Order is not significant; an empty list is
 * indistinguishable from an unset field in proto3. */
repeated Selector entries = 1;
}
/** Represents an attested SPIRE agent: the identity the server assigned to
 * the node, how it was attested, the certificate it currently holds, and
 * the selectors that were discovered for it. Two serial/not_after pairs are
 * present; the `new_*` pair presumably describes a freshly issued
 * (rotated) certificate that has not yet replaced the current one — confirm
 * against the server's rotation code, which is not in this file. */
message AttestedNode {
// Node SPIFFE ID
string spiffe_id = 1;
// Attestation data type (the `type` of the AttestationData that attested this node)
string attestation_data_type = 2;
// Current node certificate serial number
string cert_serial_number = 3;
// Current node certificate not_after (seconds since unix epoch)
int64 cert_not_after = 4;
// Serial number of the new (presumably pending/rotated) node certificate — TODO confirm semantics
string new_cert_serial_number = 5;
// not_after of the new node certificate (seconds since unix epoch) — TODO confirm semantics
int64 new_cert_not_after = 6;
// Node selectors: the selectors discovered for this node, matched against
// RegistrationEntry.selectors to decide which entries the node may receive
repeated Selector selectors = 7;
}
/** This is a curated record that the Server uses to set up and
manage the various registered nodes and workloads that are controlled by it.
An entry binds a set of selectors to the SPIFFE ID that should be issued when
those selectors match. Several fields (`admin`, `downstream`, `parent_id`)
grant or scope privilege, so the path that creates or updates entries is a
trust boundary: only authorized callers should be able to set them. */
message RegistrationEntry {
/** A list of selectors. All must be satisfied by the attested entity for the
entry to match (the exact matching rule lives outside this file). */
repeated Selector selectors = 1;
/** The SPIFFE ID of an entity that is authorized to attest the validity
of a selector, i.e. the parent (typically a node) under which this entry
may be issued. */
string parent_id = 2;
/** The SPIFFE ID is a structured string used to identify a resource or
caller. It is defined as a URI comprising a “trust domain” and an
associated path. This is the identity issued when the entry matches. */
string spiffe_id = 3;
/** Time to live of the issued SVID. Units are not stated here; presumably
seconds — confirm against the issuer. 0 is the proto3 default and is
indistinguishable from "unset". */
int32 ttl = 4;
/** A list of federated trust domain SPIFFE IDs whose bundles should be made
available alongside this identity. */
repeated string federates_with = 5;
/** Entry ID. Server-assigned identifier of this record. */
string entry_id = 6;
/** Whether or not the workload is an admin workload. Admin workloads
can use their SVID's to authenticate with the Server APIs, for
example. This is a privilege grant: setting it should require the same
authorization as any other administrative action. */
bool admin = 7;
/** To enable signing CA CSR in upstream spire server. When set, the holder
of this identity can request CA signing, which is a higher privilege than an
ordinary workload SVID; treat like `admin`. */
bool downstream = 8;
/** Expiration of this entry, in seconds from epoch. 0 (proto3 default)
cannot be told apart from "no expiry". NOTE(review): camelCase differs from
the file's snake_case convention; renaming is wire-safe but changes the
generated accessors and JSON name, so it is left as is. */
int64 entryExpiry = 9;
/** DNS entries associated with the identity; presumably emitted as DNS SANs
in the X.509 SVID — confirm against the issuer. */
repeated string dns_names = 10;
/** Revision number is bumped every time the entry is updated, so callers can
detect that an entry changed underneath them. */
int64 revision_number = 11;
/** Determines if the issued SVID must be stored through an SVIDStore plugin */
bool store_svid = 12;
}
/** The RegistrationEntryMask is used to update only selected fields of the
 * RegistrationEntry: a field set to true here means the corresponding
 * RegistrationEntry field is taken from the update; false leaves it alone.
 * Field numbers here are independent of the numbers in RegistrationEntry
 * (e.g. `store_svid` is 12 there and 11 here), so never map between the two
 * by number. There is no mask for `revision_number`; presumably because the
 * server manages it — confirm before adding one. */
message RegistrationEntryMask {
bool selectors = 1;
bool parent_id = 2;
bool spiffe_id = 3;
bool ttl = 4;
bool federates_with = 5;
bool entry_id = 6;
/** Privilege-bearing field; updates that set it warrant the same
 * authorization as creating an admin entry. */
bool admin = 7;
/** Privilege-bearing field; see `admin`. */
bool downstream = 8;
bool entryExpiry = 9;
bool dns_names = 10;
bool store_svid = 11;
}
/** A list of registration entries. Wrapper so a set of entries can be
 * returned or stored as a single message. */
message RegistrationEntries {
/** A list of RegistrationEntry. Empty is indistinguishable from unset. */
repeated RegistrationEntry entries = 1;
}
/** Certificate represents an ASN.1/DER encoded X.509 certificate. The bytes
 * are passed through as-is; no validation is implied by this type, so a
 * consumer must still parse and verify them. */
message Certificate {
/** Raw DER bytes of a single certificate (not PEM, not a chain). */
bytes der_bytes = 1;
}
/** PublicKey represents a PKIX encoded public key, used here as a JWT
 * signing key inside a Bundle. */
message PublicKey {
/** PKIX encoded key data (DER SubjectPublicKeyInfo). */
bytes pkix_bytes = 1;
/** key identifier; expected to match the `kid` a JWT header names so a
 * verifier can pick the right key. */
string kid = 2;
/** not after (seconds since unix epoch, 0 means "never expires").
 * Because 0 is also the proto3 default, an unset field reads as "never
 * expires" — writers must set this deliberately for keys that do expire,
 * and consumers cannot detect an accidentally omitted expiry. */
int64 not_after = 3;
}
/** Bundle is the set of trust anchors for one trust domain: the X.509 roots
 * used to verify X509-SVIDs and the public keys used to verify JWT-SVIDs.
 * Anything that accepts a Bundle update is changing who is trusted, so the
 * source of an update must itself be authenticated. */
message Bundle {
/** the SPIFFE ID of the trust domain the bundle belongs to */
string trust_domain_id = 1;
/** list of root CA certificates (DER); these are trust anchors, not
 * intermediates */
repeated Certificate root_cas = 2;
/** list of JWT signing keys; each carries its own `kid` and optional
 * `not_after` */
repeated PublicKey jwt_signing_keys = 3;
/** refresh hint is a hint, in seconds, on how often a bundle consumer
 * should poll for bundle updates. 0 (the proto3 default) is
 * indistinguishable from "no hint". */
int64 refresh_hint = 4;
}
/** BundleMask selects which Bundle fields an update applies to; true means
 * take the field from the update. `trust_domain_id` has no mask because it
 * identifies the bundle rather than being an updatable attribute. Numbers
 * here do not correspond to Bundle field numbers. */
message BundleMask {
bool root_cas = 1;
bool jwt_signing_keys = 2;
bool refresh_hint = 3;
}
/** AttestedNodeMask selects which AttestedNode fields an update applies to;
 * true means take the field from the update. `spiffe_id` has no mask because
 * it identifies the node. There is also no mask for `selectors`; presumably
 * selectors are updated through a separate path — confirm before relying on
 * this mask to change them. Numbers here do not correspond to AttestedNode
 * field numbers. */
message AttestedNodeMask{
bool attestation_data_type = 1;
bool cert_serial_number = 2;
bool cert_not_after = 3;
bool new_cert_serial_number = 4;
bool new_cert_not_after = 5;
}