// Copyright 2020 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. syntax = "proto3"; package google.rpc.context; import "google/protobuf/struct.proto"; import "google/protobuf/timestamp.proto"; option cc_enable_arenas = true; option go_package = "google.golang.org/genproto/googleapis/rpc/context/attribute_context;attribute_context"; option java_multiple_files = true; option java_outer_classname = "AttributeContextProto"; option java_package = "com.google.rpc.context"; // This message defines the standard attribute vocabulary for Google APIs. // // An attribute is a piece of metadata that describes an activity on a network // service. For example, the size of an HTTP request, or the status code of // an HTTP response. // // Each attribute has a type and a name, which is logically defined as // a proto message field in `AttributeContext`. The field type becomes the // attribute type, and the field path becomes the attribute name. For example, // the attribute `source.ip` maps to field `AttributeContext.source.ip`. // // This message definition is guaranteed not to have any wire breaking change. // So you can use it directly for passing attributes across different systems. // // NOTE: Different system may generate different subset of attributes. Please // verify the system specification before relying on an attribute generated // a system. message AttributeContext { // This message defines attributes for a node that handles a network request. // The node can be either a service or an application that sends, forwards, // or receives the request. Service peers should fill in // `principal` and `labels` as appropriate. message Peer { // The IP address of the peer. string ip = 1; // The network port of the peer. int64 port = 2; // The labels associated with the peer. map labels = 6; // The identity of this peer. Similar to `Request.auth.principal`, but // relative to the peer instead of the request. For example, the // idenity associated with a load balancer that forwared the request. string principal = 7; // The CLDR country/region code associated with the above IP address. // If the IP address is private, the `region_code` should reflect the // physical location where this peer is running. string region_code = 8; } // This message defines attributes associated with API operations, such as // a network API request. The terminology is based on the conventions used // by Google APIs, Istio, and OpenAPI. message Api { // The API service name. It is a logical identifier for a networked API, // such as "pubsub.googleapis.com". The naming syntax depends on the // API management system being used for handling the request. string service = 1; // The API operation name. For gRPC requests, it is the fully qualified API // method name, such as "google.pubsub.v1.Publisher.Publish". For OpenAPI // requests, it is the `operationId`, such as "getPet". string operation = 2; // The API protocol used for sending the request, such as "http", "https", // "grpc", or "internal". string protocol = 3; // The API version associated with the API operation above, such as "v1" or // "v1alpha1". string version = 4; } // This message defines request authentication attributes. Terminology is // based on the JSON Web Token (JWT) standard, but the terms also // correlate to concepts in other standards. message Auth { // The authenticated principal. Reflects the issuer (`iss`) and subject // (`sub`) claims within a JWT. The issuer and subject should be `/` // delimited, with `/` percent-encoded within the subject fragment. For // Google accounts, the principal format is: // "https://accounts.google.com/{id}" string principal = 1; // The intended audience(s) for this authentication information. Reflects // the audience (`aud`) claim within a JWT. The audience // value(s) depends on the `issuer`, but typically include one or more of // the following pieces of information: // // * The services intended to receive the credential such as // ["pubsub.googleapis.com", "storage.googleapis.com"] // * A set of service-based scopes. For example, // ["https://www.googleapis.com/auth/cloud-platform"] // * The client id of an app, such as the Firebase project id for JWTs // from Firebase Auth. // // Consult the documentation for the credential issuer to determine the // information provided. repeated string audiences = 2; // The authorized presenter of the credential. Reflects the optional // Authorized Presenter (`azp`) claim within a JWT or the // OAuth client id. For example, a Google Cloud Platform client id looks // as follows: "123456789012.apps.googleusercontent.com". string presenter = 3; // Structured claims presented with the credential. JWTs include // `{key: value}` pairs for standard and private claims. The following // is a subset of the standard required and optional claims that would // typically be presented for a Google-based JWT: // // {'iss': 'accounts.google.com', // 'sub': '113289723416554971153', // 'aud': ['123456789012', 'pubsub.googleapis.com'], // 'azp': '123456789012.apps.googleusercontent.com', // 'email': 'jsmith@example.com', // 'iat': 1353601026, // 'exp': 1353604926} // // SAML assertions are similarly specified, but with an identity provider // dependent structure. google.protobuf.Struct claims = 4; // A list of access level resource names that allow resources to be // accessed by authenticated requester. It is part of Secure GCP processing // for the incoming request. An access level string has the format: // "//{api_service_name}/accessPolicies/{policy_id}/accessLevels/{short_name}" // // Example: // "//accesscontextmanager.googleapis.com/accessPolicies/MY_POLICY_ID/accessLevels/MY_LEVEL" repeated string access_levels = 5; } // This message defines attributes for an HTTP request. If the actual // request is not an HTTP request, the runtime system should try to map // the actual request to an equivalent HTTP request. message Request { // The unique ID for a request, which can be propagated to downstream // systems. The ID should have low probability of collision // within a single day for a specific service. string id = 1; // The HTTP request method, such as `GET`, `POST`. string method = 2; // The HTTP request headers. If multiple headers share the same key, they // must be merged according to the HTTP spec. All header keys must be // lowercased, because HTTP header keys are case-insensitive. map headers = 3; // The HTTP URL path. string path = 4; // The HTTP request `Host` header value. string host = 5; // The HTTP URL scheme, such as `http` and `https`. string scheme = 6; // The HTTP URL query in the format of `name1=value1&name2=value2`, as it // appears in the first line of the HTTP request. No decoding is performed. string query = 7; // The timestamp when the `destination` service receives the first byte of // the request. google.protobuf.Timestamp time = 9; // The HTTP request size in bytes. If unknown, it must be -1. int64 size = 10; // The network protocol used with the request, such as "http/1.1", // "spdy/3", "h2", "h2c", "webrtc", "tcp", "udp", "quic". See // https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids // for details. string protocol = 11; // A special parameter for request reason. It is used by security systems // to associate auditing information with a request. string reason = 12; // The request authentication. May be absent for unauthenticated requests. // Derived from the HTTP request `Authorization` header or equivalent. Auth auth = 13; } // This message defines attributes for a typical network response. It // generally models semantics of an HTTP response. message Response { // The HTTP response status code, such as `200` and `404`. int64 code = 1; // The HTTP response size in bytes. If unknown, it must be -1. int64 size = 2; // The HTTP response headers. If multiple headers share the same key, they // must be merged according to HTTP spec. All header keys must be // lowercased, because HTTP header keys are case-insensitive. map headers = 3; // The timestamp when the `destination` service generates the first byte of // the response. google.protobuf.Timestamp time = 4; } // This message defines core attributes for a resource. A resource is an // addressable (named) entity provided by the destination service. For // example, a file stored on a network storage service. message Resource { // The name of the service that this resource belongs to, such as // `pubsub.googleapis.com`. The service may be different from the DNS // hostname that actually serves the request. string service = 1; // The stable identifier (name) of a resource on the `service`. A resource // can be logically identified as "//{resource.service}/{resource.name}". // The differences between a resource name and a URI are: // // * Resource name is a logical identifier, independent of network // protocol and API version. For example, // `//pubsub.googleapis.com/projects/123/topics/news-feed`. // * URI often includes protocol and version information, so it can // be used directly by applications. For example, // `https://pubsub.googleapis.com/v1/projects/123/topics/news-feed`. // // See https://cloud.google.com/apis/design/resource_names for details. string name = 2; // The type of the resource. The syntax is platform-specific because // different platforms define their resources differently. // // For Google APIs, the type format must be "{service}/{kind}". string type = 3; // The labels or tags on the resource, such as AWS resource tags and // Kubernetes resource labels. map labels = 4; } // The origin of a network activity. In a multi hop network activity, // the origin represents the sender of the first hop. For the first hop, // the `source` and the `origin` must have the same content. Peer origin = 7; // The source of a network activity, such as starting a TCP connection. // In a multi hop network activity, the source represents the sender of the // last hop. Peer source = 1; // The destination of a network activity, such as accepting a TCP connection. // In a multi hop network activity, the destination represents the receiver of // the last hop. Peer destination = 2; // Represents a network request, such as an HTTP request. Request request = 3; // Represents a network response, such as an HTTP response. Response response = 4; // Represents a target resource that is involved with a network activity. // If multiple resources are involved with an activity, this must be the // primary one. Resource resource = 5; // Represents an API operation that is involved to a network activity. Api api = 6; }