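syntax = "proto3";

package management;

import "google/protobuf/timestamp.proto";

option go_package = "/proto";

// ProxyService - Management is the SERVER, Proxy is the CLIENT.
// Proxy initiates connection to management.
//
// NOTE(review): messages on this service carry secrets and credentials
// (setup_key, oidc_client_secret, passwords, PINs). Nothing in the schema
// protects them, so the channel itself has to be encrypted and both peers
// authenticated. Identifiers such as proxy_id and account_id are asserted by
// the caller; bind them to the authenticated peer rather than trusting the
// field value.
service ProxyService {
  // Server-streaming: the proxy sends one request and management streams
  // mapping updates back.
  rpc GetMappingUpdate(GetMappingUpdateRequest)
      returns (stream GetMappingUpdateResponse);

  // Unary: the proxy reports an access-log entry.
  rpc SendAccessLog(SendAccessLogRequest) returns (SendAccessLogResponse);

  // Unary: the proxy submits a password, PIN or link request and receives a
  // success flag.
  // NOTE(review): the schema has no throttling or lockout signal; guess
  // limiting for passwords and PINs has to be enforced by the server.
  rpc Authenticate(AuthenticateRequest) returns (AuthenticateResponse);
}

// GetMappingUpdateRequest is sent to initialise a mapping stream.
message GetMappingUpdateRequest {
  // Identifier of the proxy opening the stream (caller-asserted).
  string proxy_id = 1;
  // Version string reported by the proxy; format not defined here.
  string version = 2;
  // Presumably when the proxy started - confirm against the proxy code.
  google.protobuf.Timestamp started_at = 3;
}

// GetMappingUpdateResponse contains zero or more ProxyMappings.
// No mappings may be sent to test the liveness of the Proxy.
// Mappings that are sent should be interpreted by the Proxy appropriately.
message GetMappingUpdateResponse {
  repeated ProxyMapping mapping = 1;
}

// ProxyMappingUpdateType says how a ProxyMapping should be applied.
//
// NOTE(review): 0 is the proto3 default, so a ProxyMapping whose type was
// never set decodes as UPDATE_TYPE_CREATED and cannot be told apart from an
// explicit "created". The values cannot be renumbered without breaking the
// wire contract; receivers should validate the rest of the mapping before
// acting on a CREATED update.
enum ProxyMappingUpdateType {
  UPDATE_TYPE_CREATED = 0;
  UPDATE_TYPE_MODIFIED = 1;
  UPDATE_TYPE_REMOVED = 2;
}

// PathMapping pairs a path with a target.
// Presumably a request path routed to a backend target - matching and
// target syntax are not defined in this file; confirm with the proxy.
message PathMapping {
  string path = 1;
  string target = 2;
}

// Authentication describes the authentication settings attached to a
// ProxyMapping.
// Presumably each bool enables the matching method (see the PasswordRequest,
// PinRequest and LinkRequest variants of AuthenticateRequest) - confirm.
// All bools default to false when unset.
message Authentication {
  bool password = 1;
  bool pin = 2;
  // Explicit presence: unset means no OIDC configuration was sent.
  optional OIDC oidc = 3;
  bool link = 4;
}

// OIDC holds OpenID Connect client settings.
message OIDC {
  string oidc_provider_url = 1;
  string oidc_client_id = 2;
  // Sensitive: a client secret travels in this field. Keep it out of logs,
  // debug dumps and traces of this message, and avoid persisting it in
  // plaintext on the receiving side.
  string oidc_client_secret = 3;
  string oidc_redirect_url = 4;
  repeated string oidc_scopes = 5;
}

// ProxyMapping is one mapping entry delivered in a GetMappingUpdateResponse.
message ProxyMapping {
  // How this entry should be applied; defaults to UPDATE_TYPE_CREATED.
  ProxyMappingUpdateType type = 1;
  string id = 2;
  string account_id = 3;
  string domain = 4;
  repeated PathMapping path = 5;
  // NOTE(review): looks like a credential - treat as secret and keep it out
  // of logs; confirm what it authorises.
  string setup_key = 6;
  Authentication auth = 7;
}

// SendAccessLogRequest carries a single AccessLog from a Proxy.
// (The field is singular; sending several entries takes several calls.)
message SendAccessLogRequest {
  AccessLog log = 1;
}

// SendAccessLogResponse is intentionally empty to allow for future expansion.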
message SendAccessLogResponse {}

// AccessLog is a single access-log entry.
//
// NOTE(review): every value here is reported by the sender and should be
// handled as untrusted input when stored or rendered. source_ip and user_id
// are personal data, so apply the same retention and access rules as for
// other personal data.
message AccessLog {
  google.protobuf.Timestamp timestamp = 1;
  string log_id = 2;
  string account_id = 3;
  string service_id = 4;
  string host = 5;
  // NOTE(review): if this includes the query string it may contain tokens
  // or other secrets - confirm, and redact before storage if so.
  string path = 6;
  // Duration in milliseconds (per the field name).
  int64 duration_ms = 7;
  string method = 8;
  int32 response_code = 9;
  // NOTE(review): confirm whether this is the socket peer address or taken
  // from a forwarding header; the latter is client-controlled.
  string source_ip = 10;
  string auth_mechanism = 11;
  string user_id = 12;
  // Defaults to false when unset.
  bool auth_success = 13;
}

// AuthenticateRequest submits one credential variant for verification.
// id and account_id are caller-asserted; what id refers to is not defined
// in this file.
message AuthenticateRequest {
  string id = 1;
  string account_id = 2;
  // At most one variant is set. A request with none set should be rejected
  // by the server rather than treated as any particular method.
  oneof request {
    PasswordRequest password = 3;
    PinRequest pin = 4;
    LinkRequest link = 5;
  }
}

// PasswordRequest carries a password as a plain string.
// Sensitive: never log this message; confidentiality depends entirely on
// the transport.
message PasswordRequest {
  string password = 1;
}

// PinRequest carries a PIN as a plain string.
// Sensitive: never log this message. PINs usually have a small keyspace, so
// server-side attempt limiting matters more here than for passwords.
message PinRequest {
  string pin = 1;
}

// LinkRequest carries an email address and a redirect value.
// NOTE(review): redirect looks like a post-authentication destination;
// validate it server-side against the domains expected for the mapping so
// it cannot be used as an open redirect - confirm intended use.
message LinkRequest {
  string email = 1;
  string redirect = 2;
}

// AuthenticateResponse reports the outcome of an AuthenticateRequest.
message AuthenticateResponse {
  // proto3 default is false, so an empty or unset response reads as failure.
  bool success = 1;
}