syntax = "proto3";
package spire.plugin.server.upstreamauthority.v1;
option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/upstreamauthority/v1;upstreamauthorityv1";

import "spire/plugin/types/jwtkey.proto";
import "spire/plugin/types/x509certificate.proto";

service UpstreamAuthority {
    // Mints an X.509 CA and responds with the signed X.509 CA certificate
    // chain and upstream X.509 roots. If supported by the implementation,
    // subsequent responses on the stream contain upstream X.509 root updates,
    // otherwise the stream is closed after the initial response.
    //
    // Implementation note:
    // The stream should be kept open in the face of transient errors
    // encountered while tracking changes to the upstream X.509 roots as SPIRE
    // Server will not reopen a closed stream until the next X.509 CA rotation.
    rpc MintX509CAAndSubscribe(MintX509CARequest) returns (stream MintX509CAResponse);

    // Publishes a JWT signing key upstream and responds with the upstream JWT
    // keys. If supported by the implementation, subsequent responses on the
    // stream contain upstream JWT key updates, otherwise the stream is closed
    // after the initial response.
    //
    // This RPC is optional and will return NotImplemented if unsupported.
    //
    // Implementation note:
    // The stream should be kept open in the face of transient errors
    // encountered while tracking changes to the upstream JWT keys as SPIRE
    // Server will not reopen a closed stream until the next JWT key rotation.
    rpc PublishJWTKeyAndSubscribe(PublishJWTKeyRequest) returns (stream PublishJWTKeyResponse);

    // Returns the trust bundle of the local trust domain as seen by the upstream
    // authority. Returns the current set of X.509 roots and JWT public keys
    // that make up the trust bundle of the trust domain. If supported by the
    // implementation, subsequent responses on the stream contain trust bundle
    // updates, otherwise the stream is closed after the initial response.
    //
    // This RPC is optional and will return NotImplemented if unsupported.
    rpc SubscribeToLocalBundle(SubscribeToLocalBundleRequest) returns (stream SubscribeToLocalBundleResponse);
}

message MintX509CARequest {
    // Required. Certificate signing request (PKCS#10)
    bytes csr = 1;

    // Optional. Preferred TTL is the TTL preferred by SPIRE Server for signed CA. If
    // zero, the plugin should determine its own TTL value. Plugins are free to
    // ignore this and use their own policies around TTLs.
    int32 preferred_ttl = 2;
}

message MintX509CAResponse {
    // Required on the first response. Contains ASN.1 encoded certificates
    // representing the X.509 CA along with any intermediates necessary to
    // chain back to a certificate present in the upstream_x509_roots. The
    // first certificate in the chain is the newly minted X509 CA certificate.
    repeated spire.plugin.types.X509Certificate x509_ca_chain = 1;

    // Required. The trusted X.509 root authorities for the upstream authority.
    repeated spire.plugin.types.X509Certificate upstream_x509_roots = 2;
}

message PublishJWTKeyRequest {
    // Required. The JWT signing key to publish upstream.
    spire.plugin.types.JWTKey jwt_key = 1;
}

message PublishJWTKeyResponse {
    // Required. The upstream JWT signing keys.
    repeated spire.plugin.types.JWTKey upstream_jwt_keys = 1;
}

message SubscribeToLocalBundleRequest {
}

message SubscribeToLocalBundleResponse {
    // Required. The trusted X.509 root authorities for the upstream authority.
    repeated spire.plugin.types.X509Certificate upstream_x509_roots = 1;
    // Required. The upstream JWT signing keys.
    repeated spire.plugin.types.JWTKey upstream_jwt_keys = 2;
}