forked from aristanetworks/ownership-voucher-grpc
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ovgs.proto
175 lines (142 loc) · 5.51 KB
/
ovgs.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
// Copyright (c) 2023 Arista Networks, Inc.
// Use of this source code is governed by the BSD 2-Clause License
// that can be found in the LICENSE file.
syntax = "proto3";
import "google/protobuf/timestamp.proto";
package ovgs.v1;
option go_package = "arista/sztp/ovgs/gen";
enum userRole {
UNSPEC = 0;
SUPPORT = 1;
ADMIN = 2;
REQUESTOR = 3;
}
message user {
string username = 1; // username or service account name
string user_type = 2; // "account" for service accounts and "user" for user accounts
string org_id = 3; // org_id = "org-" + org name
userRole user_role = 4; // role of the user, either ADMIN or REQUESTOR
}
message createGroupRequest {
string parent = 1; // parent group ID, it could be org ID or a group ID
string group_description = 2; // general description of the group
}
message createGroupResponse {
string group_id = 1;
}
message viewGroupRequest {
string group_id = 1;
}
message viewGroupResponse {
repeated string certs = 1;
repeated string switch_serials = 2;
repeated user users = 3;
repeated string children = 4;
}
message deleteGroupRequest {
string group_id = 1;
}
message deleteGroupResponse {}
message assignUserRoleRequest {
string username = 1; // username or service account name
string user_type = 2; // "account" for service accounts and "user" for user accounts
string org_id = 3; // org_id = "org-" + org name
string group_id = 4;
userRole user_role = 5; // role of the user, either ADMIN or REQUESTOR
}
message assignUserRoleResponse {}
message removeUserRoleRequest {
string username = 1; // username or service account name
string user_type = 2; // "account" for service accounts and "user" for user accounts
string org_id = 3; // org_id = "org-" + org name
string group_id = 4;
}
message removeUserRoleResponse {}
message viewUserRoleRequest {
string username = 1; // username or service account name
string user_type = 2; // "account" for service accounts and "user" for user accounts
string org_id = 3; // org_id = "org-" + org name
}
message viewUserRoleResponse {
map<string, userRole> group_to_role = 1; // mapping from a group to user's role in that group
}
message setDomainCertRequest {
string group_id = 1;
bytes certificate_der = 2;
bool revocation_checks = 3;
google.protobuf.Timestamp expiry_time = 4;
}
message setDomainCertResponse {
string cert_id = 1;
}
message readDomainCertRequest {
string cert_id = 1;
}
message readDomainCertResponse {
string group_id = 1;
bytes certificate_der = 2;
bool revocation_checks = 3;
google.protobuf.Timestamp expiry_time = 4;
}
message deleteDomainCertRequest {
string cert_id = 1;
}
message deleteDomainCertResponse {}
message assignSerialRequest {
string switch_serial = 1;
string group_id = 2;
}
message assignSerialResponse {}
message unassignSerialRequest {
string switch_serial = 1;
string group_id = 2;
}
message unassignSerialResponse {}
message viewSerialRequest {
string switch_serial = 1;
}
message viewSerialResponse {
bytes public_key_der = 1;
repeated string groups = 2;
string mac_addr = 3;
}
message ownershipVoucherRequest {
string switch_serial = 1;
string cert_id = 2;
google.protobuf.Timestamp lifetime = 3;
// ien is the device vendor's IANA Enterprise Number
string ien = 4;
}
message ownershipVoucherResponse {
bytes voucher_cms = 1; // binary CMS format (rfc5652)
bytes public_key_der = 2; // ASN.1 DER encoded
}
service OwnershipVoucherService {
// createGroup creates a group as a child of an existing group
rpc createGroup(createGroupRequest) returns (createGroupResponse);
// viewGroup returns the domain-certs (keyed by id), serials,
// and user/role mappings for that group and all the children.
rpc viewGroup(viewGroupRequest) returns (viewGroupResponse);
// deleteGroup deletes a named group. Will refuse to do so if there are children groups.
rpc deleteGroup(deleteGroupRequest) returns (deleteGroupResponse);
// assignUserRole assigns a role to a user in a named group.
rpc assignUserRole(assignUserRoleRequest) returns (assignUserRoleResponse);
// removeUserRole removes roles of a user in a named group.
rpc removeUserRole(removeUserRoleRequest) returns (removeUserRoleResponse);
// viewUserRole returns the roles of a user across the groups that they belong to.
rpc viewUserRole(viewUserRoleRequest) returns (viewUserRoleResponse);
// assignSerial assigns the serial to that group.
rpc assignSerial(assignSerialRequest) returns (assignSerialResponse);
// unassignSerial removes the serial from the group.
rpc unassignSerial(unassignSerialRequest) returns (unassignSerialResponse);
// viewSerial returns all the facts about the serial number.
rpc viewSerial(viewSerialRequest) returns (viewSerialResponse);
// setDomainCert sets the values for the certificate.
rpc setDomainCert(setDomainCertRequest) returns (setDomainCertResponse);
// readDomainCert reveals the details of the certificate.
rpc readDomainCert(readDomainCertRequest) returns (readDomainCertResponse);
// deleteDomainCert deletes the cert from the database.
rpc deleteDomainCert(deleteDomainCertRequest) returns (deleteDomainCertResponse);
// ownershipVoucher issues ownership voucher and returns TPM public key for the serial number
rpc ownershipVoucher(ownershipVoucherRequest) returns (ownershipVoucherResponse);
}