1// Copyright 2023 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.cloud.oslogin.v1beta; 18 19import "google/api/annotations.proto"; 20import "google/api/client.proto"; 21import "google/api/field_behavior.proto"; 22import "google/api/resource.proto"; 23import "google/cloud/oslogin/common/common.proto"; 24import "google/protobuf/empty.proto"; 25import "google/protobuf/field_mask.proto"; 26 27option csharp_namespace = "Google.Cloud.OsLogin.V1Beta"; 28option go_package = "cloud.google.com/go/oslogin/apiv1beta/osloginpb;osloginpb"; 29option java_multiple_files = true; 30option java_outer_classname = "OsLoginProto"; 31option java_package = "com.google.cloud.oslogin.v1beta"; 32option php_namespace = "Google\\Cloud\\OsLogin\\V1beta"; 33option ruby_package = "Google::Cloud::OsLogin::V1beta"; 34 35// Cloud OS Login API 36// 37// The Cloud OS Login API allows you to manage users and their associated SSH 38// public keys for logging into virtual machines on Google Cloud Platform. 
service OsLoginService {
  option (google.api.default_host) = "oslogin.googleapis.com";
  // Scopes accepted by this service. Read-only scopes are listed alongside
  // read-write ones; which scope each RPC actually needs is enforced server
  // side and is not expressed in this file.
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform,"
      "https://www.googleapis.com/auth/cloud-platform.read-only,"
      "https://www.googleapis.com/auth/compute,"
      "https://www.googleapis.com/auth/compute.readonly";

  // Creates an SSH public key for the user identified by `parent` and returns
  // the stored key object.
  rpc CreateSshPublicKey(CreateSshPublicKeyRequest)
      returns (google.cloud.oslogin.common.SshPublicKey) {
    option (google.api.http) = {
      post: "/v1beta/{parent=users/*}/sshPublicKeys"
      body: "ssh_public_key"
    };
    option (google.api.method_signature) = "parent,ssh_public_key";
  }

  // Deletes a POSIX account. The account is identified by its resource name
  // `users/{user}/projects/{project}`.
  rpc DeletePosixAccount(DeletePosixAccountRequest)
      returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1beta/{name=users/*/projects/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Deletes an SSH public key. The key is identified by its resource name
  // `users/{user}/sshPublicKeys/{fingerprint}`.
  rpc DeleteSshPublicKey(DeleteSshPublicKeyRequest)
      returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1beta/{name=users/*/sshPublicKeys/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Retrieves the profile information used for logging in to a virtual machine
  // on Google Compute Engine. The request's `view` selects whether security
  // key information is included in the returned profile.
  rpc GetLoginProfile(GetLoginProfileRequest) returns (LoginProfile) {
    option (google.api.http) = {
      get: "/v1beta/{name=users/*}/loginProfile"
    };
    option (google.api.method_signature) = "name";
  }

  // Retrieves an SSH public key by its resource name
  // `users/{user}/sshPublicKeys/{fingerprint}`.
  rpc GetSshPublicKey(GetSshPublicKeyRequest)
      returns (google.cloud.oslogin.common.SshPublicKey) {
    option (google.api.http) = {
      get: "/v1beta/{name=users/*/sshPublicKeys/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Adds an SSH public key and returns the profile information. Default POSIX
  // account information is set when no username and UID exist as part of the
  // login profile.
  rpc ImportSshPublicKey(ImportSshPublicKeyRequest)
      returns (ImportSshPublicKeyResponse) {
    option (google.api.http) = {
      post: "/v1beta/{parent=users/*}:importSshPublicKey"
      body: "ssh_public_key"
    };
    // Two flattened signatures: the second additionally takes `project_id`.
    option (google.api.method_signature) = "parent,ssh_public_key";
    option (google.api.method_signature) = "parent,ssh_public_key,project_id";
  }

  // Updates an SSH public key and returns the updated key object. This method
  // supports patch semantics: the request's `update_mask` selects the fields
  // to change, and all fields are updated when it is not present.
  rpc UpdateSshPublicKey(UpdateSshPublicKeyRequest)
      returns (google.cloud.oslogin.common.SshPublicKey) {
    option (google.api.http) = {
      patch: "/v1beta/{name=users/*/sshPublicKeys/*}"
      body: "ssh_public_key"
    };
    // Two flattened signatures: the second additionally takes `update_mask`.
    option (google.api.method_signature) = "name,ssh_public_key";
    option (google.api.method_signature) = "name,ssh_public_key,update_mask";
  }

  // Signs an SSH public key for a user to authenticate to an instance. The
  // request `parent` is either zone-scoped (`users/*/projects/*/zones/*`) or
  // location-scoped (`users/*/projects/*/locations/*`); both bindings send the
  // entire request message as the HTTP body.
  rpc SignSshPublicKey(SignSshPublicKeyRequest)
      returns (SignSshPublicKeyResponse) {
    option (google.api.http) = {
      post: "/v1beta/{parent=users/*/projects/*/zones/*}:signSshPublicKey"
      body: "*"
      additional_bindings {
        post: "/v1beta/{parent=users/*/projects/*/locations/*}:signSshPublicKey"
        body: "*"
      }
    };
    option (google.api.method_signature) = "parent,ssh_public_key";
  }
}

// The user profile information used for logging in to a virtual machine on
// Google Compute Engine.
message LoginProfile {
  // Required. A unique user ID.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // The list of POSIX accounts associated with the user.
  repeated google.cloud.oslogin.common.PosixAccount posix_accounts = 2;

  // A map from SSH public key fingerprint to the associated key object.
  // Map entry order on the wire is undefined; do not rely on it.
  map<string, google.cloud.oslogin.common.SshPublicKey> ssh_public_keys = 3;

  // The registered security key credentials for a user. Presumably populated
  // only when the request's view is SECURITY_KEY (see LoginProfileView);
  // confirm against the server. NOTE(review): field number 4 is skipped but
  // not declared `reserved`; reserve it if it was ever used.
  repeated SecurityKey security_keys = 5;
}

// A request message for creating an SSH public key.
message CreateSshPublicKeyRequest {
  // Required. The unique ID for the user in format `users/{user}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "oslogin.googleapis.com/SshPublicKey"
    }
  ];

  // Required. The SSH public key and expiration time.
  google.cloud.oslogin.common.SshPublicKey ssh_public_key = 2
      [(google.api.field_behavior) = REQUIRED];
}

// A request message for deleting a POSIX account entry.
message DeletePosixAccountRequest {
  // Required. A reference to the POSIX account to delete. POSIX accounts are
  // identified by the project ID they are associated with. A reference to the
  // POSIX account is in format `users/{user}/projects/{project}`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "oslogin.googleapis.com/PosixAccount"
    }
  ];
}

// A request message for deleting an SSH public key.
message DeleteSshPublicKeyRequest {
  // Required. The fingerprint of the public key to delete. Public keys are
  // identified by their SHA-256 fingerprint. The fingerprint of the public key
  // is in format `users/{user}/sshPublicKeys/{fingerprint}`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "oslogin.googleapis.com/SshPublicKey"
    }
  ];
}

// A request message for retrieving the login profile information for a user.
message GetLoginProfileRequest {
  // Required. The unique ID for the user in format `users/{user}`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = { type: "oslogin.googleapis.com/User" }
  ];

  // The project ID of the Google Cloud Platform project.
  string project_id = 2;

  // A system ID for filtering the results of the request.
  string system_id = 3;

  // The view configures whether to retrieve security keys information.
  // Unset (LOGIN_PROFILE_VIEW_UNSPECIFIED) is treated as BASIC.
  LoginProfileView view = 4;
}

// A request message for retrieving an SSH public key.
message GetSshPublicKeyRequest {
  // Required. The fingerprint of the public key to retrieve. Public keys are
  // identified by their SHA-256 fingerprint. The fingerprint of the public key
  // is in format `users/{user}/sshPublicKeys/{fingerprint}`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "oslogin.googleapis.com/SshPublicKey"
    }
  ];
}

// A request message for importing an SSH public key.
message ImportSshPublicKeyRequest {
  // The unique ID for the user in format `users/{user}`.
  // NOTE(review): the HTTP binding for ImportSshPublicKey places this field in
  // the URL path, yet unlike CreateSshPublicKeyRequest.parent it carries no
  // REQUIRED field_behavior annotation; confirm whether that is intended.
  string parent = 1 [(google.api.resource_reference) = {
    child_type: "oslogin.googleapis.com/SshPublicKey"
  }];

  // Required. The SSH public key and expiration time.
  google.cloud.oslogin.common.SshPublicKey ssh_public_key = 2
      [(google.api.field_behavior) = REQUIRED];

  // The project ID of the Google Cloud Platform project.
  string project_id = 3;

  // The view configures whether to retrieve security keys information.
  LoginProfileView view = 4;

  // Optional. The regions to which to assert that the key was written.
  // If unspecified, defaults to all regions.
  // Regions are listed at https://cloud.google.com/about/locations#region.
  repeated string regions = 5 [(google.api.field_behavior) = OPTIONAL];
}

// A response message for importing an SSH public key.
message ImportSshPublicKeyResponse {
  // The login profile information for the user.
  LoginProfile login_profile = 1;

  // Detailed information about import results.
  string details = 2;
}

// A request message for updating an SSH public key.
message UpdateSshPublicKeyRequest {
  // Required. The fingerprint of the public key to update. Public keys are
  // identified by their SHA-256 fingerprint. The fingerprint of the public key
  // is in format `users/{user}/sshPublicKeys/{fingerprint}`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "oslogin.googleapis.com/SshPublicKey"
    }
  ];

  // Required. The SSH public key and expiration time.
  google.cloud.oslogin.common.SshPublicKey ssh_public_key = 2
      [(google.api.field_behavior) = REQUIRED];

  // Mask to control which fields get updated. Updates all if not present.
  // Paths are the snake_case field names of `ssh_public_key`.
  google.protobuf.FieldMask update_mask = 3;
}

// The credential information for a Google registered security key.
message SecurityKey {
  // Public key text in SSH format, defined by
  // [RFC4253](https://www.ietf.org/rfc/rfc4253.txt) section 6.6.
  string public_key = 1;

  // Hardware-backed private key text in SSH format.
  // NOTE(review): this field is returned to callers as part of
  // LoginProfile.security_keys; treat its contents as credential material
  // (redact in logs, avoid persisting outside the intended client). Whether it
  // holds raw key material or a hardware key handle is not stated here --
  // confirm with the service owners.
  string private_key = 2;

  // The FIDO protocol type used to register this credential. At most one
  // member is set; check the generated oneof case accessor rather than
  // testing each field.
  oneof protocol_type {
    // The U2F protocol type.
    UniversalTwoFactor universal_two_factor = 3;

    // The Web Authentication protocol type.
    WebAuthn web_authn = 4;
  }

  // The security key nickname explicitly set by the user. Declared `optional`
  // so that an unset nickname is distinguishable from an empty string.
  optional string device_nickname = 5;
}

// Security key information specific to the U2F protocol.
message UniversalTwoFactor {
  // Application ID for the U2F protocol.
  string app_id = 1;
}

// Security key information specific to the Web Authentication protocol.
message WebAuthn {
  // Relying party ID for Web Authentication.
  string rp_id = 1;
}

// A request message for signing an SSH public key.
message SignSshPublicKeyRequest {
  // The SSH public key to sign.
  string ssh_public_key = 1;

  // The parent project and zone for the signing request. This is needed to
  // properly ensure per-organization ISS processing and potentially to provide
  // for the possibility of zone-specific certificates used in the signing
  // process.
  // NOTE(review): the HTTP bindings on SignSshPublicKey place this field in
  // the URL path (`users/*/projects/*/zones/*` or
  // `users/*/projects/*/locations/*`), but unlike the other request messages
  // in this file it carries no REQUIRED field_behavior or resource_reference
  // annotation; confirm whether that is intended.
  string parent = 2;
}

// A response message for signing an SSH public key.
message SignSshPublicKeyResponse {
  // The signed SSH public key to use in the SSH handshake.
  string signed_ssh_public_key = 1;
}

// The login profile view limits the user content retrieved.
// NOTE: BASIC and SECURITY_KEY are not prefixed with the enum name; the names
// appear in generated code and in JSON encoding, so renaming them is not a
// compatible change.
enum LoginProfileView {
  // The default login profile view. The API defaults to the BASIC view.
  LOGIN_PROFILE_VIEW_UNSPECIFIED = 0;

  // Includes POSIX and SSH key information.
  BASIC = 1;

  // Include security key information for the user.
  SECURITY_KEY = 2;
}