2021-07-17 14:38:59 +02:00
syntax = "proto3" ;
2021-07-22 10:28:00 +02:00
import "google/protobuf/timestamp.proto" ;
2021-07-20 18:09:26 +02:00
option go_package = "/proto" ;
2021-07-17 14:38:59 +02:00
package management ;
service ManagementService {
2021-08-15 16:56:26 +02:00
// Login logs in peer. In case server returns codes.PermissionDenied this endpoint can be used to register Peer providing LoginRequest.setupKey
2022-02-08 18:03:27 +01:00
// Returns encrypted LoginResponse in EncryptedMessage.Body
2021-08-15 16:56:26 +02:00
rpc Login ( EncryptedMessage ) returns ( EncryptedMessage ) { }
2021-07-17 14:38:59 +02:00
2021-07-22 10:28:00 +02:00
// Sync enables peer synchronization. Each peer that is connected to this stream will receive updates from the server.
// For example, if a new peer has been added to an account all other connected peers will receive this peer's Wireguard public key as an update
// The initial SyncResponse contains all of the available peers so the local state can be refreshed
2022-02-08 18:03:27 +01:00
// Returns encrypted SyncResponse in EncryptedMessage.Body
2021-07-22 10:28:00 +02:00
rpc Sync ( EncryptedMessage ) returns ( stream EncryptedMessage ) { }
// Exposes a Wireguard public key of the Management service.
// This key is used to support message encryption between client and server
rpc GetServerKey ( Empty ) returns ( ServerKeyResponse ) { }
2021-07-17 14:38:59 +02:00
// health check endpoint
rpc isHealthy ( Empty ) returns ( Empty ) { }
2022-05-08 11:04:57 +02:00
// Exposes a device authorization flow information
// This is used for initiating a Oauth 2 device authorization grant flow
// which will be used by our clients to Login.
// EncryptedMessage of the request has a body of DeviceAuthorizationFlowRequest.
// EncryptedMessage of the response has a body of DeviceAuthorizationFlow.
rpc GetDeviceAuthorizationFlow ( EncryptedMessage ) returns ( EncryptedMessage ) { }
2023-07-27 11:31:07 +02:00
// Exposes a PKCE authorization code flow information
// This is used for initiating a Oauth 2 authorization grant flow
// with Proof Key for Code Exchange (PKCE) which will be used by our clients to Login.
// EncryptedMessage of the request has a body of PKCEAuthorizationFlowRequest.
// EncryptedMessage of the response has a body of PKCEAuthorizationFlow.
rpc GetPKCEAuthorizationFlow ( EncryptedMessage ) returns ( EncryptedMessage ) { }
2024-06-13 13:24:24 +02:00
// SyncMeta is used to sync metadata of the peer.
// After sync the peer if there is a change in peer posture check which needs to be evaluated by the client,
// sync meta will evaluate the checks and update the peer meta with the result.
// EncryptedMessage of the request has a body of Empty.
rpc SyncMeta ( EncryptedMessage ) returns ( Empty ) { }
2021-07-17 14:38:59 +02:00
}
2021-07-22 10:28:00 +02:00
message EncryptedMessage {
// Wireguard public key
string wgPubKey = 1 ;
// encrypted message Body
bytes body = 2 ;
2022-01-16 17:10:36 +01:00
// Version of the Wiretrustee Management Service protocol
int32 version = 3 ;
2021-07-22 10:28:00 +02:00
}
2024-06-13 13:24:24 +02:00
message SyncRequest {
// Meta data of the peer
PeerSystemMeta meta = 1 ;
}
2021-07-22 10:28:00 +02:00
2021-07-25 17:08:16 +02:00
// SyncResponse represents a state that should be applied to the local peer (e.g. Wiretrustee servers config as well as local peer and remote peers configs)
2021-07-22 10:28:00 +02:00
message SyncResponse {
2022-01-16 17:10:36 +01:00
2021-07-25 17:08:16 +02:00
// Global config
WiretrusteeConfig wiretrusteeConfig = 1 ;
2022-01-16 17:10:36 +01:00
// Deprecated. Use NetworkMap.PeerConfig
2021-07-25 17:08:16 +02:00
PeerConfig peerConfig = 2 ;
2022-01-16 17:10:36 +01:00
// Deprecated. Use NetworkMap.RemotePeerConfig
2021-07-25 17:08:16 +02:00
repeated RemotePeerConfig remotePeers = 3 ;
2022-01-16 17:10:36 +01:00
2021-09-07 18:36:46 +02:00
// Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
2022-01-16 17:10:36 +01:00
// Deprecated. Use NetworkMap.remotePeersIsEmpty
2021-09-07 18:36:46 +02:00
bool remotePeersIsEmpty = 4 ;
2022-01-16 17:10:36 +01:00
NetworkMap NetworkMap = 5 ;
2024-06-13 13:24:24 +02:00
// Posture checks to be evaluated by client
repeated Checks Checks = 6 ;
}
message SyncMetaRequest {
// Meta data of the peer
PeerSystemMeta meta = 1 ;
2021-07-22 10:28:00 +02:00
}
2021-08-15 16:56:26 +02:00
message LoginRequest {
// Pre-authorized setup key (can be empty)
string setupKey = 1 ;
2021-08-24 11:50:19 +02:00
// Meta data of the peer (e.g. name, os_name, os_version,
PeerSystemMeta meta = 2 ;
2022-05-05 20:02:15 +02:00
// SSO token (can be empty)
string jwtToken = 3 ;
2022-06-23 17:04:53 +02:00
// Can be absent for now.
PeerKeys peerKeys = 4 ;
}
2024-06-13 13:24:24 +02:00
2022-06-23 17:04:53 +02:00
// PeerKeys is additional peer info like SSH pub key and WireGuard public key.
// This message is sent on Login or register requests, or when a key rotation has to happen.
message PeerKeys {
// sshPubKey represents a public SSH key of the peer. Can be absent.
bytes sshPubKey = 1 ;
// wgPubKey represents a public WireGuard key of the peer. Can be absent.
bytes wgPubKey = 2 ;
2021-08-24 11:50:19 +02:00
}
2024-03-01 15:15:56 +01:00
// Environment is part of the PeerSystemMeta and describes the environment the agent is running in.
message Environment {
// cloud is the cloud provider the agent is running in if applicable.
string cloud = 1 ;
// platform is the platform the agent is running on if applicable.
string platform = 2 ;
}
2024-06-13 13:24:24 +02:00
// File represents a file on the system.
message File {
// path is the path to the file.
string path = 1 ;
// exist indicate whether the file exists.
bool exist = 2 ;
// processIsRunning indicates whether the file is a running process or not.
bool processIsRunning = 3 ;
}
2022-06-23 17:04:53 +02:00
// PeerSystemMeta is machine meta data like OS and version.
2021-08-24 11:50:19 +02:00
message PeerSystemMeta {
string hostname = 1 ;
string goOS = 2 ;
string kernel = 3 ;
string core = 4 ;
string platform = 5 ;
string OS = 6 ;
string wiretrusteeVersion = 7 ;
2022-05-25 23:25:02 +02:00
string uiVersion = 8 ;
2024-02-20 09:59:56 +01:00
string kernelVersion = 9 ;
string OSVersion = 10 ;
2024-02-20 11:53:11 +01:00
repeated NetworkAddress networkAddresses = 11 ;
string sysSerialNumber = 12 ;
string sysProductName = 13 ;
string sysManufacturer = 14 ;
2024-03-01 15:15:56 +01:00
Environment environment = 15 ;
2024-06-13 13:24:24 +02:00
repeated File files = 16 ;
2021-07-17 14:38:59 +02:00
}
2021-08-15 16:56:26 +02:00
message LoginResponse {
// Global config
WiretrusteeConfig wiretrusteeConfig = 1 ;
// Peer local config
PeerConfig peerConfig = 2 ;
2024-06-13 13:24:24 +02:00
// Posture checks to be evaluated by client
repeated Checks Checks = 3 ;
2021-08-15 16:56:26 +02:00
}
2021-07-17 14:38:59 +02:00
2021-07-22 10:28:00 +02:00
message ServerKeyResponse {
// Server's Wireguard public key
string key = 1 ;
// Key expiration timestamp after which the key should be fetched again by the client
google.protobuf.Timestamp expiresAt = 2 ;
2022-01-16 17:10:36 +01:00
// Version of the Wiretrustee Management Service protocol
int32 version = 3 ;
2021-07-22 10:28:00 +02:00
}
2021-07-25 17:08:16 +02:00
message Empty { }
// WiretrusteeConfig is a common configuration of any Wiretrustee peer. It contains STUN, TURN, Signal and Management servers configurations
message WiretrusteeConfig {
// a list of STUN servers
repeated HostConfig stuns = 1 ;
// a list of TURN servers
repeated ProtectedHostConfig turns = 2 ;
// a Signal server config
HostConfig signal = 3 ;
}
// HostConfig describes connection properties of some server (e.g. STUN, Signal, Management)
message HostConfig {
2021-07-30 17:46:38 +02:00
// URI of the resource e.g. turns://stun.wiretrustee.com:4430 or signal.wiretrustee.com:10000
string uri = 1 ;
Protocol protocol = 2 ;
2021-07-25 17:08:16 +02:00
enum Protocol {
2021-07-30 17:46:38 +02:00
UDP = 0 ;
TCP = 1 ;
HTTP = 2 ;
HTTPS = 3 ;
DTLS = 4 ;
2021-07-25 17:08:16 +02:00
}
}
// ProtectedHostConfig is similar to HostConfig but has additional user and password
// Mostly used for TURN servers
message ProtectedHostConfig {
HostConfig hostConfig = 1 ;
string user = 2 ;
string password = 3 ;
}
// PeerConfig represents a configuration of a "our" peer.
// The properties are used to configure local Wireguard
message PeerConfig {
// Peer's virtual IP address within the Wiretrustee VPN (a Wireguard address config)
string address = 1 ;
// Wiretrustee DNS server (a Wireguard DNS config)
string dns = 2 ;
2022-06-23 17:04:53 +02:00
// SSHConfig of the peer.
SSHConfig sshConfig = 3 ;
2022-11-26 13:29:50 +01:00
// Peer fully qualified domain name
string fqdn = 4 ;
2021-07-25 17:08:16 +02:00
}
2022-01-16 17:10:36 +01:00
// NetworkMap represents a network state of the peer with the corresponding configuration parameters to establish peer-to-peer connections
message NetworkMap {
// Serial is an ID of the network state to be used by clients to order updates.
// The larger the Serial the newer the configuration.
// E.g. the client app should keep track of this id locally and discard all the configurations with a lower value
uint64 Serial = 1 ;
// PeerConfig represents configuration of a peer
PeerConfig peerConfig = 2 ;
// RemotePeerConfig represents a list of remote peers that the receiver can connect to
repeated RemotePeerConfig remotePeers = 3 ;
// Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
bool remotePeersIsEmpty = 4 ;
2022-08-18 18:22:15 +02:00
// List of routes to be applied
repeated Route Routes = 5 ;
2022-11-07 15:38:21 +01:00
// DNS config to be applied
DNSConfig DNSConfig = 6 ;
2023-03-07 10:17:25 +01:00
// RemotePeerConfig represents a list of remote peers that the receiver can connect to
repeated RemotePeerConfig offlinePeers = 7 ;
2023-05-29 16:00:18 +02:00
// FirewallRule represents a list of firewall rules to be applied to peer
repeated FirewallRule FirewallRules = 8 ;
2023-05-31 19:04:38 +02:00
// firewallRulesIsEmpty indicates whether FirewallRule array is empty or not to bypass protobuf null and empty array equality.
bool firewallRulesIsEmpty = 9 ;
2022-01-16 17:10:36 +01:00
}
2021-07-25 17:08:16 +02:00
// RemotePeerConfig represents a configuration of a remote peer.
2023-03-07 10:17:25 +01:00
// The properties are used to configure WireGuard Peers sections
2021-07-25 17:08:16 +02:00
message RemotePeerConfig {
2023-03-07 10:17:25 +01:00
// A WireGuard public key of a remote peer
2021-07-25 17:08:16 +02:00
string wgPubKey = 1 ;
2021-07-17 14:38:59 +02:00
2023-03-07 10:17:25 +01:00
// WireGuard allowed IPs of a remote peer e.g. [10.30.30.1/32]
2021-07-25 17:08:16 +02:00
repeated string allowedIps = 2 ;
2022-06-23 17:04:53 +02:00
// SSHConfig is a SSH config of the remote peer. SSHConfig.sshPubKey should be ignored because peer knows it's SSH key.
SSHConfig sshConfig = 3 ;
2022-11-26 13:29:50 +01:00
// Peer fully qualified domain name
string fqdn = 4 ;
2022-05-08 11:04:57 +02:00
}
2022-06-23 17:04:53 +02:00
// SSHConfig represents SSH configurations of a peer.
message SSHConfig {
// sshEnabled indicates whether a SSH server is enabled on this peer
bool sshEnabled = 1 ;
// sshPubKey is a SSH public key of a peer to be added to authorized_hosts.
// This property should be ignore if SSHConfig comes from PeerConfig.
bytes sshPubKey = 2 ;
}
2022-05-08 11:04:57 +02:00
// DeviceAuthorizationFlowRequest empty struct for future expansion
message DeviceAuthorizationFlowRequest { }
// DeviceAuthorizationFlow represents Device Authorization Flow information
// that can be used by the client to login initiate a Oauth 2.0 device authorization grant flow
// see https://datatracker.ietf.org/doc/html/rfc8628
message DeviceAuthorizationFlow {
// An IDP provider , (eg. Auth0)
provider Provider = 1 ;
ProviderConfig ProviderConfig = 2 ;
enum provider {
HOSTED = 0 ;
}
}
2023-07-27 11:31:07 +02:00
// PKCEAuthorizationFlowRequest empty struct for future expansion
message PKCEAuthorizationFlowRequest { }
// PKCEAuthorizationFlow represents Authorization Code Flow information
// that can be used by the client to login initiate a Oauth 2.0 authorization code grant flow
// with Proof Key for Code Exchange (PKCE). See https://datatracker.ietf.org/doc/html/rfc7636
message PKCEAuthorizationFlow {
ProviderConfig ProviderConfig = 1 ;
}
// ProviderConfig has all attributes needed to initiate a device/pkce authorization flow
2022-05-08 11:04:57 +02:00
message ProviderConfig {
// An IDP application client id
string ClientID = 1 ;
// An IDP application client secret
string ClientSecret = 2 ;
// An IDP API domain
2022-08-23 15:46:12 +02:00
// Deprecated. Use a DeviceAuthEndpoint and TokenEndpoint
string Domain = 3 ;
2022-05-08 11:04:57 +02:00
// An Audience for validation
string Audience = 4 ;
2022-08-23 15:46:12 +02:00
// DeviceAuthEndpoint is an endpoint to request device authentication code.
string DeviceAuthEndpoint = 5 ;
// TokenEndpoint is an endpoint to request auth token.
string TokenEndpoint = 6 ;
2023-04-05 17:46:34 +02:00
// Scopes provides the scopes to be included in the token request
string Scope = 7 ;
// UseIDToken indicates if the id token should be used for authentication
bool UseIDToken = 8 ;
2023-07-27 11:31:07 +02:00
// AuthorizationEndpoint is the endpoint of an IDP manager where clients can obtain authorization code.
string AuthorizationEndpoint = 9 ;
// RedirectURLs handles authorization code from IDP manager
repeated string RedirectURLs = 10 ;
2022-05-25 23:25:02 +02:00
}
2022-08-18 18:22:15 +02:00
// Route represents a route.Route object
message Route {
string ID = 1 ;
2022-08-22 14:10:24 +02:00
string Network = 2 ;
int64 NetworkType = 3 ;
2022-08-18 18:22:15 +02:00
string Peer = 4 ;
int64 Metric = 5 ;
bool Masquerade = 6 ;
2022-08-22 14:10:24 +02:00
string NetID = 7 ;
2024-06-13 13:24:24 +02:00
repeated string Domains = 8 ;
bool keepRoute = 9 ;
2022-11-07 15:38:21 +01:00
}
// DNSConfig represents a dns.Update
message DNSConfig {
bool ServiceEnable = 1 ;
repeated NameServerGroup NameServerGroups = 2 ;
repeated CustomZone CustomZones = 3 ;
}
// CustomZone represents a dns.CustomZone
message CustomZone {
string Domain = 1 ;
repeated SimpleRecord Records = 2 ;
}
// SimpleRecord represents a dns.SimpleRecord
message SimpleRecord {
string Name = 1 ;
int64 Type = 2 ;
string Class = 3 ;
int64 TTL = 4 ;
string RData = 5 ;
}
// NameServerGroup represents a dns.NameServerGroup
message NameServerGroup {
repeated NameServer NameServers = 1 ;
bool Primary = 2 ;
repeated string Domains = 3 ;
2023-10-19 19:32:42 +02:00
bool SearchDomainsEnabled = 4 ;
2022-11-07 15:38:21 +01:00
}
// NameServer represents a dns.NameServer
message NameServer {
string IP = 1 ;
int64 NSType = 2 ;
int64 Port = 3 ;
2023-05-29 16:00:18 +02:00
}
// FirewallRule represents a firewall rule
message FirewallRule {
string PeerIP = 1 ;
direction Direction = 2 ;
action Action = 3 ;
protocol Protocol = 4 ;
string Port = 5 ;
enum direction {
IN = 0 ;
OUT = 1 ;
}
enum action {
ACCEPT = 0 ;
DROP = 1 ;
}
enum protocol {
UNKNOWN = 0 ;
ALL = 1 ;
TCP = 2 ;
UDP = 3 ;
ICMP = 4 ;
}
}
2024-02-20 11:53:11 +01:00
message NetworkAddress {
string netIP = 1 ;
string mac = 2 ;
}
2024-06-13 13:24:24 +02:00
message Checks {
repeated string Files = 1 ;
}