From be1c6f61d63131b8b5a61d2012ef61c9edfb884f Mon Sep 17 00:00:00 2001
From: Gaius
Date: Thu, 1 Sep 2022 11:47:25 +0800
Subject: [PATCH] refactor: security proto (#12)

Signed-off-by: Gaius
---
 pkg/apis/security/v1/security.pb.go | 79 +++++++++++---------
 pkg/apis/security/v1/security.pb.validate.go | 33 +++++++-
 pkg/apis/security/v1/security.proto | 13 ++--
 3 files changed, 84 insertions(+), 41 deletions(-)
diff --git a/pkg/apis/security/v1/security.pb.go b/pkg/apis/security/v1/security.pb.go
index e8a8a54..02368a8 100644
--- a/pkg/apis/security/v1/security.pb.go
+++ b/pkg/apis/security/v1/security.pb.go
@@ -23,11 +23,13 @@ package v1
 
 import (
 	context "context"
+	_ "github.com/envoyproxy/protoc-gen-validate/validate"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	durationpb "google.golang.org/protobuf/types/known/durationpb"
 	reflect "reflect"
 	sync "sync"
 )
@@ -52,8 +54,8 @@ type CertificateRequest struct {
 	// The public key in the CSR is used to generate the certificate,
 	// and other fields in the generated certificate may be overwritten by the CA.
 	Csr string `protobuf:"bytes,1,opt,name=csr,proto3" json:"csr,omitempty"`
-	// Optional: requested certificate validity period, in seconds.
-	ValidityDuration int64 `protobuf:"varint,2,opt,name=validity_duration,json=validityDuration,proto3" json:"validity_duration,omitempty"`
+	// Optional: requested certificate validity period.
+	ValidityPeriod *durationpb.Duration `protobuf:"bytes,2,opt,name=validity_period,json=validityPeriod,proto3" json:"validity_period,omitempty"`
 }
 
 func (x *CertificateRequest) Reset() {
@@ -95,11 +97,11 @@ func (x *CertificateRequest) GetCsr() string {
 	return ""
 }
 
-func (x *CertificateRequest) GetValidityDuration() int64 {
+func (x *CertificateRequest) GetValidityPeriod() *durationpb.Duration {
 	if x != nil {
-		return x.ValidityDuration
+		return x.ValidityPeriod
 	}
-	return 0
+	return nil
 }
 
 // Certificate response type.
@@ -109,7 +111,7 @@ type CertificateResponse struct {
 	unknownFields protoimpl.UnknownFields
 
 	// PEM-encoded certificate chain.
-	CertificateChain []string `protobuf:"bytes,1,rep,name=certificate_chain,json=certificateChain,proto3" json:"certificate_chain,omitempty"`
+	CertificateChain [][]byte `protobuf:"bytes,1,rep,name=certificate_chain,json=certificateChain,proto3" json:"certificate_chain,omitempty"`
 }
 
 func (x *CertificateResponse) Reset() {
@@ -144,7 +146,7 @@ func (*CertificateResponse) Descriptor() ([]byte, []int) {
 	return file_pkg_apis_security_v1_security_proto_rawDescGZIP(), []int{1}
 }
 
-func (x *CertificateResponse) GetCertificateChain() []string {
+func (x *CertificateResponse) GetCertificateChain() [][]byte {
 	if x != nil {
 		return x.CertificateChain
 	}
@@ -156,26 +158,33 @@ var File_pkg_apis_security_v1_security_proto protoreflect.FileDescriptor var file_pkg_apis_security_v1_security_proto_rawDesc = []byte{ 0x0a, 0x23, 0x70, 0x6b, 0x67, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x08, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x22, - 0x53, 0x0a, 0x12, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x63, 0x73, 0x72, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x03, 0x63, 0x73, 0x72, 0x12, 0x2b, 0x0a, 0x11, 0x76, 0x61, 0x6c, 0x69, 0x64, - 0x69, 0x74, 0x79, 0x5f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x03, 0x52, 0x10, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x69, 0x74, 0x79, 0x44, 0x75, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x42, 0x0a, 0x13, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2b, 0x0a, 0x11, 0x63, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, 0x61, 0x69, 0x6e, - 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x32, 0x67, 0x0a, 0x12, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x51, - 0x0a, 0x10, 0x49, 0x73, 0x73, 0x75, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x65, 0x12, 0x1c, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x43, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x1a, 0x1d, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 
0x73, 0x65, 0x22, - 0x00, 0x42, 0x21, 0x5a, 0x1f, 0x64, 0x37, 0x79, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, - 0x70, 0x6b, 0x67, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, - 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x08, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x1a, + 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, + 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, + 0x17, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, + 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x7d, 0x0a, 0x12, 0x43, 0x65, 0x72, 0x74, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x19, + 0x0a, 0x03, 0x63, 0x73, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, + 0x72, 0x02, 0x10, 0x01, 0x52, 0x03, 0x63, 0x73, 0x72, 0x12, 0x4c, 0x0a, 0x0f, 0x76, 0x61, 0x6c, + 0x69, 0x64, 0x69, 0x74, 0x79, 0x5f, 0x70, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x08, 0xfa, + 0x42, 0x05, 0xaa, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x69, 0x74, + 0x79, 0x50, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x22, 0x4c, 0x0a, 0x13, 0x43, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x35, + 0x0a, 0x11, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, + 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0c, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x92, 0x01, + 0x02, 0x08, 0x01, 0x52, 0x10, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x43, 0x68, 0x61, 0x69, 0x6e, 0x32, 0x67, 
0x0a, 0x12, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x51, 0x0a, 0x10, 0x49, + 0x73, 0x73, 0x75, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, + 0x1c, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, + 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x21, + 0x5a, 0x1f, 0x64, 0x37, 0x79, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x70, 0x6b, 0x67, + 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, + 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -194,15 +203,17 @@ var file_pkg_apis_security_v1_security_proto_msgTypes = make([]protoimpl.Message
 var file_pkg_apis_security_v1_security_proto_goTypes = []interface{}{
 	(*CertificateRequest)(nil), // 0: security.CertificateRequest
 	(*CertificateResponse)(nil), // 1: security.CertificateResponse
+	(*durationpb.Duration)(nil), // 2: google.protobuf.Duration
 }
 var file_pkg_apis_security_v1_security_proto_depIdxs = []int32{
-	0, // 0: security.CertificateService.IssueCertificate:input_type -> security.CertificateRequest
-	1, // 1: security.CertificateService.IssueCertificate:output_type -> security.CertificateResponse
-	1, // [1:2] is the sub-list for method output_type
-	0, // [0:1] is the sub-list for method input_type
-	0, // [0:0] is the sub-list for extension type_name
-	0, // [0:0] is the sub-list for extension extendee
-	0, // [0:0] is the sub-list for field type_name
+	2, // 0: security.CertificateRequest.validity_period:type_name -> google.protobuf.Duration
+	0, // 1: security.CertificateService.IssueCertificate:input_type -> security.CertificateRequest
+	1, // 2: security.CertificateService.IssueCertificate:output_type -> security.CertificateResponse
+	2, // [2:3] is the sub-list for method output_type
+	1, // [1:2] is the sub-list for method input_type
+	1, // [1:1] is the sub-list for extension type_name
+	1, // [1:1] is the sub-list for extension extendee
+	0, // [0:1] is the sub-list for field type_name
 }
 
 func init() { file_pkg_apis_security_v1_security_proto_init() }
diff --git a/pkg/apis/security/v1/security.pb.validate.go b/pkg/apis/security/v1/security.pb.validate.go
index 1061144..477ee8e 100644
--- a/pkg/apis/security/v1/security.pb.validate.go
+++ b/pkg/apis/security/v1/security.pb.validate.go
@@ -57,9 +57,27 @@ func (m *CertificateRequest) validate(all bool) error {
 
 	var errors []error
 
-	// no validation rules for Csr
+	if utf8.RuneCountInString(m.GetCsr()) < 1 {
+		err := CertificateRequestValidationError{
+			field: "Csr",
+			reason: "value length must be at least 1 runes",
+		}
+		if !all {
+			return err
+		}
+		errors = append(errors, err)
+	}
 
-	// no validation rules for ValidityDuration
+	if m.GetValidityPeriod() == nil {
+		err := CertificateRequestValidationError{
+			field: "ValidityPeriod",
+			reason: "value is required",
+		}
+		if !all {
+			return err
+		}
+		errors = append(errors, err)
+	}
 
 	if len(errors) > 0 {
 		return CertificateRequestMultiError(errors)
@@ -163,6 +181,17 @@ func (m *CertificateResponse) validate(all bool) error {
 
 	var errors []error
 
+	if len(m.GetCertificateChain()) < 1 {
+		err := CertificateResponseValidationError{
+			field: "CertificateChain",
+			reason: "value must contain at least 1 item(s)",
+		}
+		if !all {
+			return err
+		}
+		errors = append(errors, err)
+	}
+
 	if len(errors) > 0 {
 		return CertificateResponseMultiError(errors)
 	}
diff --git a/pkg/apis/security/v1/security.proto b/pkg/apis/security/v1/security.proto
index 44b009e..51acccf 100644
--- a/pkg/apis/security/v1/security.proto
+++ b/pkg/apis/security/v1/security.proto
@@ -18,6 +18,9 @@ syntax = "proto3";
 
 package security;
 
+import "google/protobuf/duration.proto";
+import "validate/validate.proto";
+
 option go_package = "d7y.io/api/pkg/apis/security/v1";
 
 // Refer: https://github.com/istio/api/blob/master/security/v1alpha1/ca.proto
@@ -31,15 +34,15 @@ message CertificateRequest {
   // PEM-encoded certificate request.
   // The public key in the CSR is used to generate the certificate,
   // and other fields in the generated certificate may be overwritten by the CA.
-  string csr = 1;
-  // Optional: requested certificate validity period, in seconds.
-  int64 validity_duration = 2;
+  string csr = 1 [(validate.rules).string.min_len = 1];
+  // Optional: requested certificate validity period.
+  google.protobuf.Duration validity_period = 2 [(validate.rules).duration.required = true];
 }
 
 // Certificate response type.
 message CertificateResponse {
   // PEM-encoded certificate chain.
-  repeated string certificate_chain = 1;
+  repeated bytes certificate_chain = 1 [(validate.rules).repeated.min_items = 1];
 }
 
 // Service for managing certificates issued by the CA.
@@ -48,4 +51,4 @@ service CertificateService {
   rpc IssueCertificate(CertificateRequest) returns (CertificateResponse) {
   }
-}
\ No newline at end of file
+}
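Review bot: The `validity_period` field keeps field number 2 but changes its wire type (varint `int64` to a length-delimited `Duration` message), and its comment still reads `Optional:` while the new rule is `duration.required = true`; a client built against the old `validity_duration` would have its value either rejected at parse time or dropped as an unknown field, depending on the runtime, and then fail the "value is required" check with no hint why. Assigning a fresh field number and adding `reserved 2; reserved "validity_duration";` to the message would avoid the silent collision, and the comment should become `// Required: requested certificate validity period.`. The rule as written also admits zero and negative durations and sets no upper bound, so the CA must clamp or reject out-of-range requests itself; `[(validate.rules).duration = {required: true, gt: {seconds: 0}}]` would at least reject non-positive periods at the boundary. The `certificate_chain` comment still says PEM-encoded after the switch to `bytes`; stating whether PEM or DER is expected would keep clients from guessing.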