/*
* This plugin interface provides services to secure `geth` RPC servers, which includes:
*
* - TLS configuration to enable HTTPS/WSS servers
* - Authentication
*/
syntax = "proto3";
package proto;
// NOTE(review): Timestamp is a well-known type whose canonical import path is
// "google/protobuf/timestamp.proto"; this file imports it through the legacy
// golang/protobuf ptypes layout. Confirm the build's include path resolves it
// before switching, as the fully-qualified name used below
// (google.protobuf.Timestamp) is the same either way.
import "github.com/golang/protobuf/ptypes/timestamp/timestamp.proto";
option go_package = "proto";
option java_package = "com.quorum.plugin.proto";
option java_outer_classname = "Security";
/**
 * A wrapper message to logically group the request, response and payload of
 * the TLSConfigurationSource service.
 */
message TLSConfiguration {
  // Request for TLSConfigurationSource.Get. It carries no fields; a dedicated
  // message type is used so fields can be added later without changing the
  // RPC signature.
  message Request {
  }
  // Response from TLSConfigurationSource.Get
  message Response {
    // Absent (not set) when the plugin provides no TLS configuration.
    TLSConfiguration.Data data = 1;
  }
  // TLS configuration data for `geth`
  message Data {
    // Private key in PEM format. This is secret key material crossing the
    // plugin RPC boundary: it must only travel over a trusted transport and
    // must never be logged or echoed in error messages.
    bytes keyPem = 1;
    // Certificate (chain) in PEM format
    bytes certPem = 2;
    // List of cipher suite constants supported by the server.
    // NOTE(review): the numeric values are presumably the IANA TLS cipher
    // suite identifiers (the values behind Go's crypto/tls constants) —
    // confirm against the plugin implementation. As a repeated field this has
    // no presence, so an empty list is indistinguishable from "not provided";
    // document whether that means "use the server defaults".
    repeated uint32 cipherSuites = 3;
  }
}
/*
 * `Optional`
 * RPC service to provide TLS configuration to enable HTTPS/WSS in `geth` RPC
 * servers. A plugin that does not implement this service leaves the RPC
 * servers without plugin-supplied TLS material.
 */
service TLSConfigurationSource {
  // Returns the TLS key, certificate and cipher suites `geth` should use.
  // The response carries private key material (see TLSConfiguration.Data).
  rpc Get(TLSConfiguration.Request) returns (TLSConfiguration.Response);
}
/*
 * Representing a permission extracted from an access token by the plugin
 * implementation. This permission is then stored in the security context of a
 * request and used internally by `geth` to decide whether access is granted or
 * denied.
 */
message GrantedAuthority {
  // `geth` RPC API namespace. E.g.: rpc, eth, admin, debug, ...
  string service = 1;
  // `geth` RPC API function. E.g.: nodeInfo, blockNumber, ...
  string method = 2;
  // Raw string of the granted authority value. This gives the plugin
  // implementation freedom to interpret the value.
  // NOTE(review): whether `service`/`method` are matched exactly or support
  // wildcards is not defined here — confirm in the `geth` authorization code.
  string raw = 3;
}
/*
 * Representing the access token for an authentication request
 */
message AuthenticationToken {
  // The credential exactly as presented by the RPC client, uninterpreted by
  // `geth`. It is a bearer secret: do not log it and do not include it in
  // error responses.
  bytes rawToken = 1;
}
/*
 * Representing an authenticated principal after `AuthenticationToken` has been
 * processed by AuthenticationManager.Authenticate.
 */
message PreAuthenticatedAuthenticationToken {
  // The original credential the principal was derived from (same secret
  // handling as AuthenticationToken.rawToken).
  bytes rawToken = 1;
  // Instant after which this token is no longer valid.
  // NOTE(review): expiry is presumably enforced by `geth` when the token is
  // used, not only at authentication time — confirm, and confirm what an
  // unset value means (a message field can be absent).
  google.protobuf.Timestamp expiredAt = 2;
  // Permissions granted to the principal. An empty list grants nothing;
  // `geth` should deny rather than fall back to a default set.
  repeated GrantedAuthority authorities = 3;
}
/*
 * `Required`
 * RPC service that authenticates the token presented by an RPC client. The
 * response is the token enriched with its expiry date and granted authorities.
 */
service AuthenticationManager {
  /*
   * Perform authentication of the token. Return a token that contains the
   * expiry date and granted authorities.
   * NOTE(review): the response has no status field, so an invalid or expired
   * token presumably has to be reported as an RPC error; the caller must treat
   * any error as "not authenticated" — confirm with the plugin contract.
   */
  rpc Authenticate(AuthenticationToken) returns (PreAuthenticatedAuthenticationToken);
}