From 7f449b6d825a2af5ae32e8af502bd8aed57a3593 Mon Sep 17 00:00:00 2001
From: Nicolae Nicora
Date: Wed, 11 Mar 2026 20:12:43 +0100
Subject: [PATCH 01/19] feat: krypton plugins
---
.../cipher_wrapper/v1/cipher_wrapper.pb.go | 495 ++++++++++++++++++
.../v1/cipher_wrapper.pb.validate.go | 490 +++++++++++++++++
.../cipher_wrapper/v1/cipher_wrapper.proto | 96 ++++
.../v1/cipher_wrapper_ext_plugin.pb.go | 56 ++
.../v1/cipher_wrapper_grpc.pb.go | 176 +++++++
5 files changed, 1313 insertions(+)
create mode 100644 proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go
create mode 100644 proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go
create mode 100644 proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto
create mode 100644 proto/plugin/cipher_wrapper/v1/cipher_wrapper_ext_plugin.pb.go
create mode 100644 proto/plugin/cipher_wrapper/v1/cipher_wrapper_grpc.pb.go
diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go
new file mode 100644
index 0000000..3a1e966
--- /dev/null
+++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go
@@ -0,0 +1,495 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.11 +// protoc (unknown) +// source: plugin/cipher_wrapper/v1/cipher_wrapper.proto + +package cipher_wrapperv1 + +import ( + reflect "reflect" + sync "sync" + unsafe "unsafe" + + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// WrapRequest contains the raw key material and the context needed to encrypt it. +type WrapRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // REQUIRED: The raw cryptographic material to be wrapped. + Plaintext []byte `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"` + // REQUIRED: The universal locator for the cryptographic key (ARN, URI, or Path). + KeyUri string `protobuf:"bytes,2,opt,name=key_uri,json=keyUri,proto3" json:"key_uri,omitempty"` + // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. + // Explicitly marked optional so the Go plugin can check `if req.Aad != nil`. + Aad []byte `protobuf:"bytes,3,opt,name=aad,proto3,oneof" json:"aad,omitempty"` + // OPTIONAL (Map): Key-Value Encryption Context (used by AWS/GCP/Alibaba). + // Maps cannot use the 'optional' keyword in proto3, but are implicitly optional. + EncryptionContext map[string]string `protobuf:"bytes,4,rep,name=encryption_context,json=encryptionContext,proto3" json:"encryption_context,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + // OPTIONAL: The explicit cryptographic wrapping mechanism (e.g., "RSA-OAEP-256"). + // Required for Azure and HSMs, safely omitted for AWS/Vault. 
+ Mechanism *string `protobuf:"bytes,5,opt,name=mechanism,proto3,oneof" json:"mechanism,omitempty"` + // OPTIONAL: Initialization Vector (IV) or Nonce. + // Provided only if the CMK core is dictating the IV to an HSM. + Iv []byte `protobuf:"bytes,6,opt,name=iv,proto3,oneof" json:"iv,omitempty"` + // OPTIONAL (Map): Dynamic Configuration Pass-through. + Options map[string]string `protobuf:"bytes,7,rep,name=options,proto3" json:"options,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *WrapRequest) Reset() { + *x = WrapRequest{} + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *WrapRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*WrapRequest) ProtoMessage() {} + +func (x *WrapRequest) ProtoReflect() protoreflect.Message { + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use WrapRequest.ProtoReflect.Descriptor instead. 
+func (*WrapRequest) Descriptor() ([]byte, []int) { + return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{0} +} + +func (x *WrapRequest) GetPlaintext() []byte { + if x != nil { + return x.Plaintext + } + return nil +} + +func (x *WrapRequest) GetKeyUri() string { + if x != nil { + return x.KeyUri + } + return "" +} + +func (x *WrapRequest) GetAad() []byte { + if x != nil { + return x.Aad + } + return nil +} + +func (x *WrapRequest) GetEncryptionContext() map[string]string { + if x != nil { + return x.EncryptionContext + } + return nil +} + +func (x *WrapRequest) GetMechanism() string { + if x != nil && x.Mechanism != nil { + return *x.Mechanism + } + return "" +} + +func (x *WrapRequest) GetIv() []byte { + if x != nil { + return x.Iv + } + return nil +} + +func (x *WrapRequest) GetOptions() map[string]string { + if x != nil { + return x.Options + } + return nil +} + +// WrapResponse returns the provider-specific ciphertext and metadata. +type WrapResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // REQUIRED: The opaque, vendor-specific ciphertext. + Ciphertext []byte `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` + // OPTIONAL: The exact key version ID used during the operation. + // Some providers (like HSMs) do not have a concept of version IDs. + KeyVersionId *string `protobuf:"bytes,2,opt,name=key_version_id,json=keyVersionId,proto3,oneof" json:"key_version_id,omitempty"` + // OPTIONAL: The Initialization Vector generated by the provider. + // Returned only if the provider generated it and CMK needs to store it. + Iv []byte `protobuf:"bytes,3,opt,name=iv,proto3,oneof" json:"iv,omitempty"` + // OPTIONAL (Map): Vendor-specific metadata. 
+ Metadata map[string]string `protobuf:"bytes,4,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *WrapResponse) Reset() { + *x = WrapResponse{} + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *WrapResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*WrapResponse) ProtoMessage() {} + +func (x *WrapResponse) ProtoReflect() protoreflect.Message { + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use WrapResponse.ProtoReflect.Descriptor instead. +func (*WrapResponse) Descriptor() ([]byte, []int) { + return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{1} +} + +func (x *WrapResponse) GetCiphertext() []byte { + if x != nil { + return x.Ciphertext + } + return nil +} + +func (x *WrapResponse) GetKeyVersionId() string { + if x != nil && x.KeyVersionId != nil { + return *x.KeyVersionId + } + return "" +} + +func (x *WrapResponse) GetIv() []byte { + if x != nil { + return x.Iv + } + return nil +} + +func (x *WrapResponse) GetMetadata() map[string]string { + if x != nil { + return x.Metadata + } + return nil +} + +// UnwrapRequest contains the opaque ciphertext and the exact parameters +// originally used during the Wrap operation. +type UnwrapRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // REQUIRED: The opaque ciphertext retrieved from the CMK persistent storage. 
+ Ciphertext []byte `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` + // REQUIRED: The universal locator for the cryptographic key. + KeyUri string `protobuf:"bytes,2,opt,name=key_uri,json=keyUri,proto3" json:"key_uri,omitempty"` + // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. + Aad []byte `protobuf:"bytes,3,opt,name=aad,proto3,oneof" json:"aad,omitempty"` + // OPTIONAL (Map): Key-Value Encryption Context. + EncryptionContext map[string]string `protobuf:"bytes,4,rep,name=encryption_context,json=encryptionContext,proto3" json:"encryption_context,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + // OPTIONAL: The explicit cryptographic unwrapping mechanism. + Mechanism *string `protobuf:"bytes,5,opt,name=mechanism,proto3,oneof" json:"mechanism,omitempty"` + // OPTIONAL: Initialization Vector (IV) or Nonce. + // Must be provided if it was returned in the WrapResponse. + Iv []byte `protobuf:"bytes,6,opt,name=iv,proto3,oneof" json:"iv,omitempty"` + // OPTIONAL (Map): Dynamic Configuration Pass-through. 
+ Options map[string]string `protobuf:"bytes,7,rep,name=options,proto3" json:"options,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *UnwrapRequest) Reset() { + *x = UnwrapRequest{} + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *UnwrapRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*UnwrapRequest) ProtoMessage() {} + +func (x *UnwrapRequest) ProtoReflect() protoreflect.Message { + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use UnwrapRequest.ProtoReflect.Descriptor instead. +func (*UnwrapRequest) Descriptor() ([]byte, []int) { + return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{2} +} + +func (x *UnwrapRequest) GetCiphertext() []byte { + if x != nil { + return x.Ciphertext + } + return nil +} + +func (x *UnwrapRequest) GetKeyUri() string { + if x != nil { + return x.KeyUri + } + return "" +} + +func (x *UnwrapRequest) GetAad() []byte { + if x != nil { + return x.Aad + } + return nil +} + +func (x *UnwrapRequest) GetEncryptionContext() map[string]string { + if x != nil { + return x.EncryptionContext + } + return nil +} + +func (x *UnwrapRequest) GetMechanism() string { + if x != nil && x.Mechanism != nil { + return *x.Mechanism + } + return "" +} + +func (x *UnwrapRequest) GetIv() []byte { + if x != nil { + return x.Iv + } + return nil +} + +func (x *UnwrapRequest) GetOptions() map[string]string { + if x != nil { + return x.Options + } + return nil +} + +// UnwrapResponse returns the recovered raw cryptographic material. 
+type UnwrapResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // REQUIRED: The recovered raw cryptographic material. + Plaintext []byte `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"` + // OPTIONAL (Map): Vendor-specific metadata. + Metadata map[string]string `protobuf:"bytes,2,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *UnwrapResponse) Reset() { + *x = UnwrapResponse{} + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *UnwrapResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*UnwrapResponse) ProtoMessage() {} + +func (x *UnwrapResponse) ProtoReflect() protoreflect.Message { + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use UnwrapResponse.ProtoReflect.Descriptor instead. 
+func (*UnwrapResponse) Descriptor() ([]byte, []int) { + return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{3} +} + +func (x *UnwrapResponse) GetPlaintext() []byte { + if x != nil { + return x.Plaintext + } + return nil +} + +func (x *UnwrapResponse) GetMetadata() map[string]string { + if x != nil { + return x.Metadata + } + return nil +} + +var File_plugin_cipher_wrapper_v1_cipher_wrapper_proto protoreflect.FileDescriptor + +const file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc = "" + + "\n" + + "-plugin/cipher_wrapper/v1/cipher_wrapper.proto\x12\x18plugin.cipher_wrapper.v1\"\xed\x03\n" + + "\vWrapRequest\x12\x1c\n" + + "\tplaintext\x18\x01 \x01(\fR\tplaintext\x12\x17\n" + + "\akey_uri\x18\x02 \x01(\tR\x06keyUri\x12\x15\n" + + "\x03aad\x18\x03 \x01(\fH\x00R\x03aad\x88\x01\x01\x12k\n" + + "\x12encryption_context\x18\x04 \x03(\v2<.plugin.cipher_wrapper.v1.WrapRequest.EncryptionContextEntryR\x11encryptionContext\x12!\n" + + "\tmechanism\x18\x05 \x01(\tH\x01R\tmechanism\x88\x01\x01\x12\x13\n" + + "\x02iv\x18\x06 \x01(\fH\x02R\x02iv\x88\x01\x01\x12L\n" + + "\aoptions\x18\a \x03(\v22.plugin.cipher_wrapper.v1.WrapRequest.OptionsEntryR\aoptions\x1aD\n" + + "\x16EncryptionContextEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\x1a:\n" + + "\fOptionsEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x06\n" + + "\x04_aadB\f\n" + + "\n" + + "_mechanismB\x05\n" + + "\x03_iv\"\x97\x02\n" + + "\fWrapResponse\x12\x1e\n" + + "\n" + + "ciphertext\x18\x01 \x01(\fR\n" + + "ciphertext\x12)\n" + + "\x0ekey_version_id\x18\x02 \x01(\tH\x00R\fkeyVersionId\x88\x01\x01\x12\x13\n" + + "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01\x12P\n" + + "\bmetadata\x18\x04 \x03(\v24.plugin.cipher_wrapper.v1.WrapResponse.MetadataEntryR\bmetadata\x1a;\n" + + "\rMetadataEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + 
+ "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x11\n" + + "\x0f_key_version_idB\x05\n" + + "\x03_iv\"\xf5\x03\n" + + "\rUnwrapRequest\x12\x1e\n" + + "\n" + + "ciphertext\x18\x01 \x01(\fR\n" + + "ciphertext\x12\x17\n" + + "\akey_uri\x18\x02 \x01(\tR\x06keyUri\x12\x15\n" + + "\x03aad\x18\x03 \x01(\fH\x00R\x03aad\x88\x01\x01\x12m\n" + + "\x12encryption_context\x18\x04 \x03(\v2>.plugin.cipher_wrapper.v1.UnwrapRequest.EncryptionContextEntryR\x11encryptionContext\x12!\n" + + "\tmechanism\x18\x05 \x01(\tH\x01R\tmechanism\x88\x01\x01\x12\x13\n" + + "\x02iv\x18\x06 \x01(\fH\x02R\x02iv\x88\x01\x01\x12N\n" + + "\aoptions\x18\a \x03(\v24.plugin.cipher_wrapper.v1.UnwrapRequest.OptionsEntryR\aoptions\x1aD\n" + + "\x16EncryptionContextEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\x1a:\n" + + "\fOptionsEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x06\n" + + "\x04_aadB\f\n" + + "\n" + + "_mechanismB\x05\n" + + "\x03_iv\"\xbf\x01\n" + + "\x0eUnwrapResponse\x12\x1c\n" + + "\tplaintext\x18\x01 \x01(\fR\tplaintext\x12R\n" + + "\bmetadata\x18\x02 \x03(\v26.plugin.cipher_wrapper.v1.UnwrapResponse.MetadataEntryR\bmetadata\x1a;\n" + + "\rMetadataEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x012\xc3\x01\n" + + "\rCipherWrapper\x12U\n" + + "\x04Wrap\x12%.plugin.cipher_wrapper.v1.WrapRequest\x1a&.plugin.cipher_wrapper.v1.WrapResponse\x12[\n" + + "\x06Unwrap\x12'.plugin.cipher_wrapper.v1.UnwrapRequest\x1a(.plugin.cipher_wrapper.v1.UnwrapResponseB\xff\x01\n" + + "\x1ccom.plugin.cipher_wrapper.v1B\x12CipherWrapperProtoP\x01ZMgithub.com/openkcm/plugin-sdk/proto/plugin/cipher_wrapper/v1;cipher_wrapperv1\xa2\x02\x03PCX\xaa\x02\x17Plugin.CipherWrapper.V1\xca\x02\x17Plugin\\CipherWrapper\\V1\xe2\x02#Plugin\\CipherWrapper\\V1\\GPBMetadata\xea\x02\x19Plugin::CipherWrapper::V1b\x06proto3" + +var 
( + file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescOnce sync.Once + file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescData []byte +) + +func file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP() []byte { + file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescOnce.Do(func() { + file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc), len(file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc))) + }) + return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescData +} + +var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes = make([]protoimpl.MessageInfo, 10) +var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_goTypes = []any{ + (*WrapRequest)(nil), // 0: plugin.cipher_wrapper.v1.WrapRequest + (*WrapResponse)(nil), // 1: plugin.cipher_wrapper.v1.WrapResponse + (*UnwrapRequest)(nil), // 2: plugin.cipher_wrapper.v1.UnwrapRequest + (*UnwrapResponse)(nil), // 3: plugin.cipher_wrapper.v1.UnwrapResponse + nil, // 4: plugin.cipher_wrapper.v1.WrapRequest.EncryptionContextEntry + nil, // 5: plugin.cipher_wrapper.v1.WrapRequest.OptionsEntry + nil, // 6: plugin.cipher_wrapper.v1.WrapResponse.MetadataEntry + nil, // 7: plugin.cipher_wrapper.v1.UnwrapRequest.EncryptionContextEntry + nil, // 8: plugin.cipher_wrapper.v1.UnwrapRequest.OptionsEntry + nil, // 9: plugin.cipher_wrapper.v1.UnwrapResponse.MetadataEntry +} +var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_depIdxs = []int32{ + 4, // 0: plugin.cipher_wrapper.v1.WrapRequest.encryption_context:type_name -> plugin.cipher_wrapper.v1.WrapRequest.EncryptionContextEntry + 5, // 1: plugin.cipher_wrapper.v1.WrapRequest.options:type_name -> plugin.cipher_wrapper.v1.WrapRequest.OptionsEntry + 6, // 2: plugin.cipher_wrapper.v1.WrapResponse.metadata:type_name -> plugin.cipher_wrapper.v1.WrapResponse.MetadataEntry + 7, // 3: 
plugin.cipher_wrapper.v1.UnwrapRequest.encryption_context:type_name -> plugin.cipher_wrapper.v1.UnwrapRequest.EncryptionContextEntry + 8, // 4: plugin.cipher_wrapper.v1.UnwrapRequest.options:type_name -> plugin.cipher_wrapper.v1.UnwrapRequest.OptionsEntry + 9, // 5: plugin.cipher_wrapper.v1.UnwrapResponse.metadata:type_name -> plugin.cipher_wrapper.v1.UnwrapResponse.MetadataEntry + 0, // 6: plugin.cipher_wrapper.v1.CipherWrapper.Wrap:input_type -> plugin.cipher_wrapper.v1.WrapRequest + 2, // 7: plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:input_type -> plugin.cipher_wrapper.v1.UnwrapRequest + 1, // 8: plugin.cipher_wrapper.v1.CipherWrapper.Wrap:output_type -> plugin.cipher_wrapper.v1.WrapResponse + 3, // 9: plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:output_type -> plugin.cipher_wrapper.v1.UnwrapResponse + 8, // [8:10] is the sub-list for method output_type + 6, // [6:8] is the sub-list for method input_type + 6, // [6:6] is the sub-list for extension type_name + 6, // [6:6] is the sub-list for extension extendee + 0, // [0:6] is the sub-list for field type_name +} + +func init() { file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_init() } +func file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_init() { + if File_plugin_cipher_wrapper_v1_cipher_wrapper_proto != nil { + return + } + file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[0].OneofWrappers = []any{} + file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[1].OneofWrappers = []any{} + file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[2].OneofWrappers = []any{} + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc), len(file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc)), + NumEnums: 0, + NumMessages: 10, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: 
file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_goTypes, + DependencyIndexes: file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_depIdxs, + MessageInfos: file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes, + }.Build() + File_plugin_cipher_wrapper_v1_cipher_wrapper_proto = out.File + file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_goTypes = nil + file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_depIdxs = nil +} diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go new file mode 100644 index 0000000..9f93709 --- /dev/null +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go 
@@ -0,0 +1,490 @@ +// Code generated by protoc-gen-validate. DO NOT EDIT. +// source: plugin/cipher_wrapper/v1/cipher_wrapper.proto + +package cipher_wrapperv1 + +import ( + "bytes" + "errors" + "fmt" + "net" + "net/mail" + "net/url" + "regexp" + "sort" + "strings" + "time" + "unicode/utf8" + + "google.golang.org/protobuf/types/known/anypb" +) + +// ensure the imports are used +var ( + _ = bytes.MinRead + _ = errors.New("") + _ = fmt.Print + _ = utf8.UTFMax + _ = (*regexp.Regexp)(nil) + _ = (*strings.Reader)(nil) + _ = net.IPv4len + _ = time.Duration(0) + _ = (*url.URL)(nil) + _ = (*mail.Address)(nil) + _ = anypb.Any{} + _ = sort.Sort +) + +// Validate checks the field values on WrapRequest with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *WrapRequest) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on WrapRequest with the rules defined in +// the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in WrapRequestMultiError, or +// nil if none found. +func (m *WrapRequest) ValidateAll() error { + return m.validate(true) +} + +func (m *WrapRequest) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for Plaintext + + // no validation rules for KeyUri + + // no validation rules for EncryptionContext + + // no validation rules for Options + + if m.Aad != nil { + // no validation rules for Aad + } + + if m.Mechanism != nil { + // no validation rules for Mechanism + } + + if m.Iv != nil { + // no validation rules for Iv + } + + if len(errors) > 0 { + return WrapRequestMultiError(errors) + } + + return nil +} + +// WrapRequestMultiError is an error wrapping multiple validation errors +// returned by WrapRequest.ValidateAll() if the designated constraints aren't met. 
+type WrapRequestMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m WrapRequestMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m WrapRequestMultiError) AllErrors() []error { return m } + +// WrapRequestValidationError is the validation error returned by +// WrapRequest.Validate if the designated constraints aren't met. +type WrapRequestValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e WrapRequestValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e WrapRequestValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e WrapRequestValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e WrapRequestValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e WrapRequestValidationError) ErrorName() string { return "WrapRequestValidationError" } + +// Error satisfies the builtin error interface +func (e WrapRequestValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sWrapRequest.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = WrapRequestValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = WrapRequestValidationError{} + +// Validate checks the field values on WrapResponse with the rules defined in +// the proto definition for this message. 
If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *WrapResponse) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on WrapResponse with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in WrapResponseMultiError, or +// nil if none found. +func (m *WrapResponse) ValidateAll() error { + return m.validate(true) +} + +func (m *WrapResponse) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for Ciphertext + + // no validation rules for Metadata + + if m.KeyVersionId != nil { + // no validation rules for KeyVersionId + } + + if m.Iv != nil { + // no validation rules for Iv + } + + if len(errors) > 0 { + return WrapResponseMultiError(errors) + } + + return nil +} + +// WrapResponseMultiError is an error wrapping multiple validation errors +// returned by WrapResponse.ValidateAll() if the designated constraints aren't met. +type WrapResponseMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m WrapResponseMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m WrapResponseMultiError) AllErrors() []error { return m } + +// WrapResponseValidationError is the validation error returned by +// WrapResponse.Validate if the designated constraints aren't met. +type WrapResponseValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e WrapResponseValidationError) Field() string { return e.field } + +// Reason function returns reason value. 
+func (e WrapResponseValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e WrapResponseValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e WrapResponseValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e WrapResponseValidationError) ErrorName() string { return "WrapResponseValidationError" } + +// Error satisfies the builtin error interface +func (e WrapResponseValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sWrapResponse.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = WrapResponseValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = WrapResponseValidationError{} + +// Validate checks the field values on UnwrapRequest with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *UnwrapRequest) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on UnwrapRequest with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in UnwrapRequestMultiError, or +// nil if none found. 
+func (m *UnwrapRequest) ValidateAll() error { + return m.validate(true) +} + +func (m *UnwrapRequest) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for Ciphertext + + // no validation rules for KeyUri + + // no validation rules for EncryptionContext + + // no validation rules for Options + + if m.Aad != nil { + // no validation rules for Aad + } + + if m.Mechanism != nil { + // no validation rules for Mechanism + } + + if m.Iv != nil { + // no validation rules for Iv + } + + if len(errors) > 0 { + return UnwrapRequestMultiError(errors) + } + + return nil +} + +// UnwrapRequestMultiError is an error wrapping multiple validation errors +// returned by UnwrapRequest.ValidateAll() if the designated constraints +// aren't met. +type UnwrapRequestMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m UnwrapRequestMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m UnwrapRequestMultiError) AllErrors() []error { return m } + +// UnwrapRequestValidationError is the validation error returned by +// UnwrapRequest.Validate if the designated constraints aren't met. +type UnwrapRequestValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e UnwrapRequestValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e UnwrapRequestValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e UnwrapRequestValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e UnwrapRequestValidationError) Key() bool { return e.key } + +// ErrorName returns error name. 
+func (e UnwrapRequestValidationError) ErrorName() string { return "UnwrapRequestValidationError" } + +// Error satisfies the builtin error interface +func (e UnwrapRequestValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sUnwrapRequest.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = UnwrapRequestValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = UnwrapRequestValidationError{} + +// Validate checks the field values on UnwrapResponse with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *UnwrapResponse) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on UnwrapResponse with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in UnwrapResponseMultiError, +// or nil if none found. +func (m *UnwrapResponse) ValidateAll() error { + return m.validate(true) +} + +func (m *UnwrapResponse) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for Plaintext + + // no validation rules for Metadata + + if len(errors) > 0 { + return UnwrapResponseMultiError(errors) + } + + return nil +} + +// UnwrapResponseMultiError is an error wrapping multiple validation errors +// returned by UnwrapResponse.ValidateAll() if the designated constraints +// aren't met. +type UnwrapResponseMultiError []error + +// Error returns a concatenation of all the error messages it wraps. 
+func (m UnwrapResponseMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m UnwrapResponseMultiError) AllErrors() []error { return m } + +// UnwrapResponseValidationError is the validation error returned by +// UnwrapResponse.Validate if the designated constraints aren't met. +type UnwrapResponseValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e UnwrapResponseValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e UnwrapResponseValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e UnwrapResponseValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e UnwrapResponseValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e UnwrapResponseValidationError) ErrorName() string { return "UnwrapResponseValidationError" } + +// Error satisfies the builtin error interface +func (e UnwrapResponseValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sUnwrapResponse.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = UnwrapResponseValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = UnwrapResponseValidationError{} diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto new file mode 100644 index 0000000..d3a0553 --- /dev/null +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto 
@@ -0,0 +1,96 @@
+syntax = "proto3";
+
+package plugin.cipher_wrapper.v1;
+
+// KeyWrapper defines the universal envelope encryption interface for CMK.
+// It allows the core engine to delegate cryptographic wrapping and unwrapping
+// to any external provider (AWS KMS, Google Cloud KMS, Azure Key Vault,
+// HashiCorp Vault, or hardware HSMs via PKCS#11) over a local gRPC socket.
+service CipherWrapper {
+ // Wrap encrypts the provided plaintext using the remote KMS provider.
+ rpc Wrap(WrapRequest) returns (WrapResponse);
+
+ // Unwrap decrypts the provided ciphertext using the remote KMS provider,
+ // returning the raw plaintext key material.
+ rpc Unwrap(UnwrapRequest) returns (UnwrapResponse);
+}
+
+// WrapRequest contains the raw key material and the context needed to encrypt it.
+message WrapRequest {
+ // REQUIRED: The raw cryptographic material to be wrapped.
+ bytes plaintext = 1;
+
+ // REQUIRED: The universal locator for the cryptographic key (ARN, URI, or Path).
+ string key_uri = 2;
+
+ // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer.
+ // Explicitly marked optional so the Go plugin can check `if req.Aad != nil`.
+ optional bytes aad = 3;
+
+ // OPTIONAL (Map): Key-Value Encryption Context (used by AWS/GCP/Alibaba).
+ // Maps cannot use the 'optional' keyword in proto3, but are implicitly optional.
+ map encryption_context = 4;
+
+ // OPTIONAL: The explicit cryptographic wrapping mechanism (e.g., "RSA-OAEP-256").
+ // Required for Azure and HSMs, safely omitted for AWS/Vault.
+ optional string mechanism = 5;
+
+ // OPTIONAL: Initialization Vector (IV) or Nonce.
+ // Provided only if the CMK core is dictating the IV to an HSM.
+ optional bytes iv = 6;
+
+ // OPTIONAL (Map): Dynamic Configuration Pass-through.
+ map options = 7;
+}
+
+// WrapResponse returns the provider-specific ciphertext and metadata.
+message WrapResponse {
+ // REQUIRED: The opaque, vendor-specific ciphertext.
+ bytes ciphertext = 1;
+
+ // OPTIONAL: The exact key version ID used during the operation.
+ // Some providers (like HSMs) do not have a concept of version IDs.
+ optional string key_version_id = 2;
+
+ // OPTIONAL: The Initialization Vector generated by the provider.
+ // Returned only if the provider generated it and CMK needs to store it.
+ optional bytes iv = 3;
+
+ // OPTIONAL (Map): Vendor-specific metadata.
+ map metadata = 4;
+}
+
+// UnwrapRequest contains the opaque ciphertext and the exact parameters
+// originally used during the Wrap operation.
+message UnwrapRequest {
+ // REQUIRED: The opaque ciphertext retrieved from the CMK persistent storage.
+ bytes ciphertext = 1;
+
+ // REQUIRED: The universal locator for the cryptographic key.
+ string key_uri = 2;
+
+ // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer.
+ optional bytes aad = 3;
+
+ // OPTIONAL (Map): Key-Value Encryption Context.
+ map encryption_context = 4;
+
+ // OPTIONAL: The explicit cryptographic unwrapping mechanism.
+ optional string mechanism = 5;
+
+ // OPTIONAL: Initialization Vector (IV) or Nonce.
+ // Must be provided if it was returned in the WrapResponse.
+ optional bytes iv = 6;
+
+ // OPTIONAL (Map): Dynamic Configuration Pass-through.
+ map options = 7;
+}
+
+// UnwrapResponse returns the recovered raw cryptographic material.
+message UnwrapResponse {
+ // REQUIRED: The recovered raw cryptographic material.
+ bytes plaintext = 1;
+
+ // OPTIONAL (Map): Vendor-specific metadata.
+ map metadata = 2;
+}
diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper_ext_plugin.pb.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper_ext_plugin.pb.go
new file mode 100644
index 0000000..eebbf6a
--- /dev/null
+++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper_ext_plugin.pb.go
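Review bot: The fields commented `REQUIRED` in this file (`plaintext` and `key_uri` in WrapRequest, `ciphertext` in WrapResponse and UnwrapRequest, `plaintext` in UnwrapResponse) carry no validation options, so the generated `Validate()` in cipher_wrapper.pb.validate.go emits only "no validation rules for ..." (visible for UnwrapResponse in this patch) and accepts empty values. For a key-wrapping interface an empty `plaintext`, `ciphertext` or `key_uri` is better rejected at the gRPC boundary than handed to the provider. Assuming the validator is generated by protoc-gen-validate, that would be `bytes plaintext = 1 [(validate.rules).bytes.min_len = 1];` and `string key_uri = 2 [(validate.rules).string.min_len = 1];`, with `import "validate/validate.proto";` at the top. The comment on `iv` in WrapRequest should also state who guarantees nonce uniqueness when the core dictates the value, since reuse under the same key is the failure mode a plugin author needs to know about.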
@@ -0,0 +1,56 @@ +// Code generated by protoc-gen-go-extension. DO NOT EDIT. + +package cipher_wrapperv1 + +import ( + grpc "google.golang.org/grpc" + + api "github.com/openkcm/plugin-sdk/api" +) + +const ( + Type = "CipherWrapper" + GRPCServiceFullName = "plugin.cipher_wrapper.v1.CipherWrapper" +) + +func CipherWrapperPluginServer(server CipherWrapperServer) api.PluginServer { + return cipherWrapperPluginServer{CipherWrapperServer: server} +} + +type cipherWrapperPluginServer struct { + CipherWrapperServer +} + +func (s cipherWrapperPluginServer) Type() string { + return Type +} + +func (s cipherWrapperPluginServer) GRPCServiceName() string { + return GRPCServiceFullName +} + +func (s cipherWrapperPluginServer) RegisterServer(server *grpc.Server) any { + RegisterCipherWrapperServer(server, s.CipherWrapperServer) + return s.CipherWrapperServer +} + +type CipherWrapperPluginClient struct { + CipherWrapperClient +} + +func (s CipherWrapperPluginClient) Type() string { + return Type +} + +func (c *CipherWrapperPluginClient) IsInitialized() bool { + return c.CipherWrapperClient != nil +} + +func (c *CipherWrapperPluginClient) GRPCServiceName() string { + return GRPCServiceFullName +} + +func (c *CipherWrapperPluginClient) InitClient(conn grpc.ClientConnInterface) any { + c.CipherWrapperClient = NewCipherWrapperClient(conn) + return c.CipherWrapperClient +} diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper_grpc.pb.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper_grpc.pb.go new file mode 100644 index 0000000..197aeba --- /dev/null +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper_grpc.pb.go 
@@ -0,0 +1,176 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.6.1 +// - protoc (unknown) +// source: plugin/cipher_wrapper/v1/cipher_wrapper.proto + +package cipher_wrapperv1 + +import ( + context "context" + + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.64.0 or later. +const _ = grpc.SupportPackageIsVersion9 + +const ( + CipherWrapper_Wrap_FullMethodName = "/plugin.cipher_wrapper.v1.CipherWrapper/Wrap" + CipherWrapper_Unwrap_FullMethodName = "/plugin.cipher_wrapper.v1.CipherWrapper/Unwrap" +) + +// CipherWrapperClient is the client API for CipherWrapper service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +// +// KeyWrapper defines the universal envelope encryption interface for CMK. +// It allows the core engine to delegate cryptographic wrapping and unwrapping +// to any external provider (AWS KMS, Google Cloud KMS, Azure Key Vault, +// HashiCorp Vault, or hardware HSMs via PKCS#11) over a local gRPC socket. +type CipherWrapperClient interface { + // Wrap encrypts the provided plaintext using the remote KMS provider. + Wrap(ctx context.Context, in *WrapRequest, opts ...grpc.CallOption) (*WrapResponse, error) + // Unwrap decrypts the provided ciphertext using the remote KMS provider, + // returning the raw plaintext key material. 
+ Unwrap(ctx context.Context, in *UnwrapRequest, opts ...grpc.CallOption) (*UnwrapResponse, error) +} + +type cipherWrapperClient struct { + cc grpc.ClientConnInterface +} + +func NewCipherWrapperClient(cc grpc.ClientConnInterface) CipherWrapperClient { + return &cipherWrapperClient{cc} +} + +func (c *cipherWrapperClient) Wrap(ctx context.Context, in *WrapRequest, opts ...grpc.CallOption) (*WrapResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(WrapResponse) + err := c.cc.Invoke(ctx, CipherWrapper_Wrap_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *cipherWrapperClient) Unwrap(ctx context.Context, in *UnwrapRequest, opts ...grpc.CallOption) (*UnwrapResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(UnwrapResponse) + err := c.cc.Invoke(ctx, CipherWrapper_Unwrap_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +// CipherWrapperServer is the server API for CipherWrapper service. +// All implementations must embed UnimplementedCipherWrapperServer +// for forward compatibility. +// +// KeyWrapper defines the universal envelope encryption interface for CMK. +// It allows the core engine to delegate cryptographic wrapping and unwrapping +// to any external provider (AWS KMS, Google Cloud KMS, Azure Key Vault, +// HashiCorp Vault, or hardware HSMs via PKCS#11) over a local gRPC socket. +type CipherWrapperServer interface { + // Wrap encrypts the provided plaintext using the remote KMS provider. + Wrap(context.Context, *WrapRequest) (*WrapResponse, error) + // Unwrap decrypts the provided ciphertext using the remote KMS provider, + // returning the raw plaintext key material. 
+ Unwrap(context.Context, *UnwrapRequest) (*UnwrapResponse, error) + mustEmbedUnimplementedCipherWrapperServer() +} + +// UnimplementedCipherWrapperServer must be embedded to have +// forward compatible implementations. +// +// NOTE: this should be embedded by value instead of pointer to avoid a nil +// pointer dereference when methods are called. +type UnimplementedCipherWrapperServer struct{} + +func (UnimplementedCipherWrapperServer) Wrap(context.Context, *WrapRequest) (*WrapResponse, error) { + return nil, status.Error(codes.Unimplemented, "method Wrap not implemented") +} +func (UnimplementedCipherWrapperServer) Unwrap(context.Context, *UnwrapRequest) (*UnwrapResponse, error) { + return nil, status.Error(codes.Unimplemented, "method Unwrap not implemented") +} +func (UnimplementedCipherWrapperServer) mustEmbedUnimplementedCipherWrapperServer() {} +func (UnimplementedCipherWrapperServer) testEmbeddedByValue() {} + +// UnsafeCipherWrapperServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to CipherWrapperServer will +// result in compilation errors. +type UnsafeCipherWrapperServer interface { + mustEmbedUnimplementedCipherWrapperServer() +} + +func RegisterCipherWrapperServer(s grpc.ServiceRegistrar, srv CipherWrapperServer) { + // If the following call panics, it indicates UnimplementedCipherWrapperServer was + // embedded by pointer and is nil. This will cause panics if an + // unimplemented method is ever invoked, so we test this at initialization + // time to prevent it from happening at runtime later due to I/O. 
+ if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { + t.testEmbeddedByValue() + } + s.RegisterService(&CipherWrapper_ServiceDesc, srv) +} + +func _CipherWrapper_Wrap_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(WrapRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(CipherWrapperServer).Wrap(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: CipherWrapper_Wrap_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(CipherWrapperServer).Wrap(ctx, req.(*WrapRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _CipherWrapper_Unwrap_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(UnwrapRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(CipherWrapperServer).Unwrap(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: CipherWrapper_Unwrap_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(CipherWrapperServer).Unwrap(ctx, req.(*UnwrapRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// CipherWrapper_ServiceDesc is the grpc.ServiceDesc for CipherWrapper service. 
+// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var CipherWrapper_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "plugin.cipher_wrapper.v1.CipherWrapper", + HandlerType: (*CipherWrapperServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "Wrap", + Handler: _CipherWrapper_Wrap_Handler, + }, + { + MethodName: "Unwrap", + Handler: _CipherWrapper_Unwrap_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "plugin/cipher_wrapper/v1/cipher_wrapper.proto", +} From bedac885bd69f0ad157ec70016ce2669255a471b Mon Sep 17 00:00:00 2001 From: Nicolae Nicora Date: Wed, 11 Mar 2026 20:41:24 +0100 Subject: [PATCH 02/19] add tags for PluginConfig --- pkg/catalog/plugin.go | 47 +++++++++++++------------------------------ 1 file changed, 14 insertions(+), 33 deletions(-) diff --git a/pkg/catalog/plugin.go b/pkg/catalog/plugin.go index 4343dca..e3dbc47 100644 --- a/pkg/catalog/plugin.go +++ b/pkg/catalog/plugin.go 
@@ -24,40 +24,21 @@ import ( type PluginConfigs []PluginConfig type PluginConfig struct { - // Name of the plugin - Name string - - // Type is the plugin type - Type string - - // Path is the path on disk to the plugin. - Path string - - // Args are the command line arguments to supply to the plugin - Args []string - - // Env is the environment variables to supply to the plugin - Env map[string]string - - // Checksum is the hex-encoded SHA256 hash of the plugin binary. - Checksum string - - Version uint32 - - DataSource DataSource - - YamlConfiguration string - - LogLevel string - - Disabled bool - - Logger *slog.Logger - + Name string `yaml:"name" json:"name"` + Type string `yaml:"type" json:"type"` + Path string `yaml:"path" json:"path"` + Args []string `yaml:"args" json:"args"` + Env map[string]string `yaml:"env" json:"env"` + Checksum string `yaml:"checksum" json:"checksum"` + Version uint32 `yaml:"version" json:"version"` + YamlConfiguration string `yaml:"yamlConfiguration" json:"yamlConfiguration"` + LogLevel string `yaml:"logLevel" json:"logLevel"` + Disabled bool `yaml:"disabled" json:"disabled"` + Tags []string `yaml:"tags" json:"tags"` + + Logger *slog.Logger + DataSource DataSource HostServices []api.ServiceServer - - // Tags are the metadata associated with a plugin these can be used to filter plugins later e.g. ['FeatureA'] on client side. - Tags []string } func (c *PluginConfig) IsExternal() bool { From 3f56f302e43123dd5f404b9a6b035b7849de1db1 Mon Sep 17 00:00:00 2001 From: Nicolae Nicora Date: Wed, 11 Mar 2026 21:11:33 +0100 Subject: [PATCH 03/19] update the proto --- .../cipher_wrapper/v1/cipher_wrapper.pb.go | 214 +++++------------- .../v1/cipher_wrapper.pb.validate.go | 24 +- .../cipher_wrapper/v1/cipher_wrapper.proto | 48 +--- 3 files changed, 69 insertions(+), 217 deletions(-) diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go index 3a1e966..229fedc 100644 
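Review bot: `Logger`, `DataSource` and `HostServices` are left without tags in the rewritten `PluginConfig`, so encoding/json and common YAML decoders will still map them under their default field names; if they are runtime-only, as their grouping suggests, mark each with `yaml:"-" json:"-"`. With the struct now explicitly serializable, `Env` and `Args` (which may carry credentials for the plugin process) will appear in any marshalled copy, so it is worth confirming the config is never logged or returned whole. The hunk also removes every field comment; I would keep at least `// Checksum is the hex-encoded SHA256 hash of the plugin binary.` and the `Tags` comment, because the expected digest format is not stated anywhere else in the struct.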
--- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go 
@@ -27,24 +27,17 @@ type WrapRequest struct { state protoimpl.MessageState `protogen:"open.v1"` // REQUIRED: The raw cryptographic material to be wrapped. Plaintext []byte `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"` - // REQUIRED: The universal locator for the cryptographic key (ARN, URI, or Path). - KeyUri string `protobuf:"bytes,2,opt,name=key_uri,json=keyUri,proto3" json:"key_uri,omitempty"` // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. - // Explicitly marked optional so the Go plugin can check `if req.Aad != nil`. - Aad []byte `protobuf:"bytes,3,opt,name=aad,proto3,oneof" json:"aad,omitempty"` - // OPTIONAL (Map): Key-Value Encryption Context (used by AWS/GCP/Alibaba). - // Maps cannot use the 'optional' keyword in proto3, but are implicitly optional. - EncryptionContext map[string]string `protobuf:"bytes,4,rep,name=encryption_context,json=encryptionContext,proto3" json:"encryption_context,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` - // OPTIONAL: The explicit cryptographic wrapping mechanism (e.g., "RSA-OAEP-256"). - // Required for Azure and HSMs, safely omitted for AWS/Vault. - Mechanism *string `protobuf:"bytes,5,opt,name=mechanism,proto3,oneof" json:"mechanism,omitempty"` + // Kept in proto because AAD often changes per request (e.g., binding to a specific Tenant ID). + Aad []byte `protobuf:"bytes,2,opt,name=aad,proto3,oneof" json:"aad,omitempty"` // OPTIONAL: Initialization Vector (IV) or Nonce. - // Provided only if the CMK core is dictating the IV to an HSM. - Iv []byte `protobuf:"bytes,6,opt,name=iv,proto3,oneof" json:"iv,omitempty"` - // OPTIONAL (Map): Dynamic Configuration Pass-through. 
- Options map[string]string `protobuf:"bytes,7,rep,name=options,proto3" json:"options,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + // Cryptographically dynamic, must remain in proto. + Iv []byte `protobuf:"bytes,3,opt,name=iv,proto3,oneof" json:"iv,omitempty"` + // OPTIONAL: Per-request dynamic context (if needed). + // Kept as an escape hatch for truly dynamic per-request overrides. + DynamicContext map[string]string `protobuf:"bytes,900,rep,name=dynamic_context,json=dynamicContext,proto3" json:"dynamic_context,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *WrapRequest) Reset() { @@ -84,13 +77,6 @@ func (x *WrapRequest) GetPlaintext() []byte { return nil } -func (x *WrapRequest) GetKeyUri() string { - if x != nil { - return x.KeyUri - } - return "" -} - func (x *WrapRequest) GetAad() []byte { if x != nil { return x.Aad @@ -98,20 +84,6 @@ func (x *WrapRequest) GetAad() []byte { return nil } -func (x *WrapRequest) GetEncryptionContext() map[string]string { - if x != nil { - return x.EncryptionContext - } - return nil -} - -func (x *WrapRequest) GetMechanism() string { - if x != nil && x.Mechanism != nil { - return *x.Mechanism - } - return "" -} - func (x *WrapRequest) GetIv() []byte { if x != nil { return x.Iv @@ -119,9 +91,9 @@ func (x *WrapRequest) GetIv() []byte { return nil } -func (x *WrapRequest) GetOptions() map[string]string { +func (x *WrapRequest) GetDynamicContext() map[string]string { if x != nil { - return x.Options + return x.DynamicContext } return nil } 
@@ -136,9 +108,7 @@ type WrapResponse struct { KeyVersionId *string `protobuf:"bytes,2,opt,name=key_version_id,json=keyVersionId,proto3,oneof" json:"key_version_id,omitempty"` // OPTIONAL: The Initialization Vector generated by the provider. // Returned only if the provider generated it and CMK needs to store it. - Iv []byte `protobuf:"bytes,3,opt,name=iv,proto3,oneof" json:"iv,omitempty"` - // OPTIONAL (Map): Vendor-specific metadata. - Metadata map[string]string `protobuf:"bytes,4,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + Iv []byte `protobuf:"bytes,3,opt,name=iv,proto3,oneof" json:"iv,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } 
@@ -194,34 +164,22 @@ func (x *WrapResponse) GetIv() []byte { return nil } -func (x *WrapResponse) GetMetadata() map[string]string { - if x != nil { - return x.Metadata - } - return nil -} - // UnwrapRequest contains the opaque ciphertext and the exact parameters // originally used during the Wrap operation. type UnwrapRequest struct { state protoimpl.MessageState `protogen:"open.v1"` // REQUIRED: The opaque ciphertext retrieved from the CMK persistent storage. Ciphertext []byte `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` - // REQUIRED: The universal locator for the cryptographic key. - KeyUri string `protobuf:"bytes,2,opt,name=key_uri,json=keyUri,proto3" json:"key_uri,omitempty"` // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. - Aad []byte `protobuf:"bytes,3,opt,name=aad,proto3,oneof" json:"aad,omitempty"` - // OPTIONAL (Map): Key-Value Encryption Context. - EncryptionContext map[string]string `protobuf:"bytes,4,rep,name=encryption_context,json=encryptionContext,proto3" json:"encryption_context,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` - // OPTIONAL: The explicit cryptographic unwrapping mechanism. - Mechanism *string `protobuf:"bytes,5,opt,name=mechanism,proto3,oneof" json:"mechanism,omitempty"` + Aad []byte `protobuf:"bytes,2,opt,name=aad,proto3,oneof" json:"aad,omitempty"` // OPTIONAL: Initialization Vector (IV) or Nonce. // Must be provided if it was returned in the WrapResponse. - Iv []byte `protobuf:"bytes,6,opt,name=iv,proto3,oneof" json:"iv,omitempty"` - // OPTIONAL (Map): Dynamic Configuration Pass-through. 
- Options map[string]string `protobuf:"bytes,7,rep,name=options,proto3" json:"options,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + Iv []byte `protobuf:"bytes,3,opt,name=iv,proto3,oneof" json:"iv,omitempty"` + // OPTIONAL: Per-request dynamic context (if needed). + // Kept as an escape hatch for truly dynamic per-request overrides. + DynamicContext map[string]string `protobuf:"bytes,900,rep,name=dynamic_context,json=dynamicContext,proto3" json:"dynamic_context,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *UnwrapRequest) Reset() { @@ -261,13 +219,6 @@ func (x *UnwrapRequest) GetCiphertext() []byte { return nil } -func (x *UnwrapRequest) GetKeyUri() string { - if x != nil { - return x.KeyUri - } - return "" -} - func (x *UnwrapRequest) GetAad() []byte { if x != nil { return x.Aad @@ -275,20 +226,6 @@ func (x *UnwrapRequest) GetAad() []byte { return nil } -func (x *UnwrapRequest) GetEncryptionContext() map[string]string { - if x != nil { - return x.EncryptionContext - } - return nil -} - -func (x *UnwrapRequest) GetMechanism() string { - if x != nil && x.Mechanism != nil { - return *x.Mechanism - } - return "" -} - func (x *UnwrapRequest) GetIv() []byte { if x != nil { return x.Iv @@ -296,9 +233,9 @@ func (x *UnwrapRequest) GetIv() []byte { return nil } -func (x *UnwrapRequest) GetOptions() map[string]string { +func (x *UnwrapRequest) GetDynamicContext() map[string]string { if x != nil { - return x.Options + return x.DynamicContext } return nil } 
@@ -307,9 +244,7 @@ func (x *UnwrapRequest) GetOptions() map[string]string { type UnwrapResponse struct { state protoimpl.MessageState `protogen:"open.v1"` // REQUIRED: The recovered raw cryptographic material. - Plaintext []byte `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"` - // OPTIONAL (Map): Vendor-specific metadata. - Metadata map[string]string `protobuf:"bytes,2,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + Plaintext []byte `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } 
@@ -351,74 +286,43 @@ func (x *UnwrapResponse) GetPlaintext() []byte { return nil } -func (x *UnwrapResponse) GetMetadata() map[string]string { - if x != nil { - return x.Metadata - } - return nil -} - var File_plugin_cipher_wrapper_v1_cipher_wrapper_proto protoreflect.FileDescriptor const file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc = "" + "\n" + - "-plugin/cipher_wrapper/v1/cipher_wrapper.proto\x12\x18plugin.cipher_wrapper.v1\"\xed\x03\n" + + "-plugin/cipher_wrapper/v1/cipher_wrapper.proto\x12\x18plugin.cipher_wrapper.v1\"\x8e\x02\n" + "\vWrapRequest\x12\x1c\n" + - "\tplaintext\x18\x01 \x01(\fR\tplaintext\x12\x17\n" + - "\akey_uri\x18\x02 \x01(\tR\x06keyUri\x12\x15\n" + - "\x03aad\x18\x03 \x01(\fH\x00R\x03aad\x88\x01\x01\x12k\n" + - "\x12encryption_context\x18\x04 \x03(\v2<.plugin.cipher_wrapper.v1.WrapRequest.EncryptionContextEntryR\x11encryptionContext\x12!\n" + - "\tmechanism\x18\x05 \x01(\tH\x01R\tmechanism\x88\x01\x01\x12\x13\n" + - "\x02iv\x18\x06 \x01(\fH\x02R\x02iv\x88\x01\x01\x12L\n" + - "\aoptions\x18\a \x03(\v22.plugin.cipher_wrapper.v1.WrapRequest.OptionsEntryR\aoptions\x1aD\n" + - "\x16EncryptionContextEntry\x12\x10\n" + - "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + - "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\x1a:\n" + - "\fOptionsEntry\x12\x10\n" + + "\tplaintext\x18\x01 \x01(\fR\tplaintext\x12\x15\n" + + "\x03aad\x18\x02 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + + "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01\x12c\n" + + "\x0fdynamic_context\x18\x84\a \x03(\v29.plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + + "\x13DynamicContextEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x06\n" + - "\x04_aadB\f\n" + - "\n" + - "_mechanismB\x05\n" + - "\x03_iv\"\x97\x02\n" + + "\x04_aadB\x05\n" + + "\x03_iv\"\x88\x01\n" + "\fWrapResponse\x12\x1e\n" + "\n" + "ciphertext\x18\x01 \x01(\fR\n" + "ciphertext\x12)\n" + 
"\x0ekey_version_id\x18\x02 \x01(\tH\x00R\fkeyVersionId\x88\x01\x01\x12\x13\n" + - "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01\x12P\n" + - "\bmetadata\x18\x04 \x03(\v24.plugin.cipher_wrapper.v1.WrapResponse.MetadataEntryR\bmetadata\x1a;\n" + - "\rMetadataEntry\x12\x10\n" + - "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + - "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x11\n" + + "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01B\x11\n" + "\x0f_key_version_idB\x05\n" + - "\x03_iv\"\xf5\x03\n" + + "\x03_iv\"\x94\x02\n" + "\rUnwrapRequest\x12\x1e\n" + "\n" + "ciphertext\x18\x01 \x01(\fR\n" + - "ciphertext\x12\x17\n" + - "\akey_uri\x18\x02 \x01(\tR\x06keyUri\x12\x15\n" + - "\x03aad\x18\x03 \x01(\fH\x00R\x03aad\x88\x01\x01\x12m\n" + - "\x12encryption_context\x18\x04 \x03(\v2>.plugin.cipher_wrapper.v1.UnwrapRequest.EncryptionContextEntryR\x11encryptionContext\x12!\n" + - "\tmechanism\x18\x05 \x01(\tH\x01R\tmechanism\x88\x01\x01\x12\x13\n" + - "\x02iv\x18\x06 \x01(\fH\x02R\x02iv\x88\x01\x01\x12N\n" + - "\aoptions\x18\a \x03(\v24.plugin.cipher_wrapper.v1.UnwrapRequest.OptionsEntryR\aoptions\x1aD\n" + - "\x16EncryptionContextEntry\x12\x10\n" + - "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + - "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\x1a:\n" + - "\fOptionsEntry\x12\x10\n" + + "ciphertext\x12\x15\n" + + "\x03aad\x18\x02 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + + "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01\x12e\n" + + "\x0fdynamic_context\x18\x84\a \x03(\v2;.plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + + "\x13DynamicContextEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x06\n" + - "\x04_aadB\f\n" + - "\n" + - "_mechanismB\x05\n" + - "\x03_iv\"\xbf\x01\n" + + "\x04_aadB\x05\n" + + "\x03_iv\".\n" + "\x0eUnwrapResponse\x12\x1c\n" + - "\tplaintext\x18\x01 \x01(\fR\tplaintext\x12R\n" + - "\bmetadata\x18\x02 
\x03(\v26.plugin.cipher_wrapper.v1.UnwrapResponse.MetadataEntryR\bmetadata\x1a;\n" + - "\rMetadataEntry\x12\x10\n" + - "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + - "\x05value\x18\x02 \x01(\tR\x05value:\x028\x012\xc3\x01\n" + + "\tplaintext\x18\x01 \x01(\fR\tplaintext2\xc3\x01\n" + "\rCipherWrapper\x12U\n" + "\x04Wrap\x12%.plugin.cipher_wrapper.v1.WrapRequest\x1a&.plugin.cipher_wrapper.v1.WrapResponse\x12[\n" + "\x06Unwrap\x12'.plugin.cipher_wrapper.v1.UnwrapRequest\x1a(.plugin.cipher_wrapper.v1.UnwrapResponseB\xff\x01\n" + 
@@ -436,35 +340,27 @@ func file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP() []byte { return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescData } -var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes = make([]protoimpl.MessageInfo, 10) +var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes = make([]protoimpl.MessageInfo, 6) var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_goTypes = []any{ (*WrapRequest)(nil), // 0: plugin.cipher_wrapper.v1.WrapRequest (*WrapResponse)(nil), // 1: plugin.cipher_wrapper.v1.WrapResponse (*UnwrapRequest)(nil), // 2: plugin.cipher_wrapper.v1.UnwrapRequest (*UnwrapResponse)(nil), // 3: plugin.cipher_wrapper.v1.UnwrapResponse - nil, // 4: plugin.cipher_wrapper.v1.WrapRequest.EncryptionContextEntry - nil, // 5: plugin.cipher_wrapper.v1.WrapRequest.OptionsEntry - nil, // 6: plugin.cipher_wrapper.v1.WrapResponse.MetadataEntry - nil, // 7: plugin.cipher_wrapper.v1.UnwrapRequest.EncryptionContextEntry - nil, // 8: plugin.cipher_wrapper.v1.UnwrapRequest.OptionsEntry - nil, // 9: plugin.cipher_wrapper.v1.UnwrapResponse.MetadataEntry + nil, // 4: plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntry + nil, // 5: plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry } var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_depIdxs = []int32{ - 4, // 0: plugin.cipher_wrapper.v1.WrapRequest.encryption_context:type_name -> plugin.cipher_wrapper.v1.WrapRequest.EncryptionContextEntry - 5, // 1: plugin.cipher_wrapper.v1.WrapRequest.options:type_name -> plugin.cipher_wrapper.v1.WrapRequest.OptionsEntry - 6, // 2: plugin.cipher_wrapper.v1.WrapResponse.metadata:type_name -> plugin.cipher_wrapper.v1.WrapResponse.MetadataEntry - 7, // 3: plugin.cipher_wrapper.v1.UnwrapRequest.encryption_context:type_name -> plugin.cipher_wrapper.v1.UnwrapRequest.EncryptionContextEntry - 8, // 4: plugin.cipher_wrapper.v1.UnwrapRequest.options:type_name -> plugin.cipher_wrapper.v1.UnwrapRequest.OptionsEntry - 9, // 5: 
plugin.cipher_wrapper.v1.UnwrapResponse.metadata:type_name -> plugin.cipher_wrapper.v1.UnwrapResponse.MetadataEntry - 0, // 6: plugin.cipher_wrapper.v1.CipherWrapper.Wrap:input_type -> plugin.cipher_wrapper.v1.WrapRequest - 2, // 7: plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:input_type -> plugin.cipher_wrapper.v1.UnwrapRequest - 1, // 8: plugin.cipher_wrapper.v1.CipherWrapper.Wrap:output_type -> plugin.cipher_wrapper.v1.WrapResponse - 3, // 9: plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:output_type -> plugin.cipher_wrapper.v1.UnwrapResponse - 8, // [8:10] is the sub-list for method output_type - 6, // [6:8] is the sub-list for method input_type - 6, // [6:6] is the sub-list for extension type_name - 6, // [6:6] is the sub-list for extension extendee - 0, // [0:6] is the sub-list for field type_name + 4, // 0: plugin.cipher_wrapper.v1.WrapRequest.dynamic_context:type_name -> plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntry + 5, // 1: plugin.cipher_wrapper.v1.UnwrapRequest.dynamic_context:type_name -> plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry + 0, // 2: plugin.cipher_wrapper.v1.CipherWrapper.Wrap:input_type -> plugin.cipher_wrapper.v1.WrapRequest + 2, // 3: plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:input_type -> plugin.cipher_wrapper.v1.UnwrapRequest + 1, // 4: plugin.cipher_wrapper.v1.CipherWrapper.Wrap:output_type -> plugin.cipher_wrapper.v1.WrapResponse + 3, // 5: plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:output_type -> plugin.cipher_wrapper.v1.UnwrapResponse + 4, // [4:6] is the sub-list for method output_type + 2, // [2:4] is the sub-list for method input_type + 2, // [2:2] is the sub-list for extension type_name + 2, // [2:2] is the sub-list for extension extendee + 0, // [0:2] is the sub-list for field type_name } func init() { file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_init() } 
@@ -481,7 +377,7 @@ func file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc), len(file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc)), NumEnums: 0, - NumMessages: 10, + NumMessages: 6, NumExtensions: 0, NumServices: 1, }, diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go index 9f93709..a7926e3 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go @@ -59,20 +59,12 @@ func (m *WrapRequest) validate(all bool) error { // no validation rules for Plaintext - // no validation rules for KeyUri - - // no validation rules for EncryptionContext - - // no validation rules for Options + // no validation rules for DynamicContext if m.Aad != nil { // no validation rules for Aad } - if m.Mechanism != nil { - // no validation rules for Mechanism - } - if m.Iv != nil { // no validation rules for Iv } @@ -178,8 +170,6 @@ func (m *WrapResponse) validate(all bool) error { // no validation rules for Ciphertext - // no validation rules for Metadata - if m.KeyVersionId != nil { // no validation rules for KeyVersionId } @@ -289,20 +279,12 @@ func (m *UnwrapRequest) validate(all bool) error { // no validation rules for Ciphertext - // no validation rules for KeyUri - - // no validation rules for EncryptionContext - - // no validation rules for Options + // no validation rules for DynamicContext if m.Aad != nil { // no validation rules for Aad } - if m.Mechanism != nil { - // no validation rules for Mechanism - } - if m.Iv != nil { // no validation rules for Iv } 
@@ -409,8 +391,6 @@ func (m *UnwrapResponse) validate(all bool) error { // no validation rules for Plaintext - // no validation rules for Metadata - if len(errors) > 0 { return UnwrapResponseMultiError(errors) } diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto index d3a0553..b33ce84 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto @@ -20,27 +20,17 @@ message WrapRequest { // REQUIRED: The raw cryptographic material to be wrapped. bytes plaintext = 1; - // REQUIRED: The universal locator for the cryptographic key (ARN, URI, or Path). - string key_uri = 2; - // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. - // Explicitly marked optional so the Go plugin can check `if req.Aad != nil`. - optional bytes aad = 3; - - // OPTIONAL (Map): Key-Value Encryption Context (used by AWS/GCP/Alibaba). - // Maps cannot use the 'optional' keyword in proto3, but are implicitly optional. - map encryption_context = 4; - - // OPTIONAL: The explicit cryptographic wrapping mechanism (e.g., "RSA-OAEP-256"). - // Required for Azure and HSMs, safely omitted for AWS/Vault. - optional string mechanism = 5; + // Kept in proto because AAD often changes per request (e.g., binding to a specific Tenant ID). + optional bytes aad = 2; // OPTIONAL: Initialization Vector (IV) or Nonce. - // Provided only if the CMK core is dictating the IV to an HSM. - optional bytes iv = 6; + // Cryptographically dynamic, must remain in proto. + optional bytes iv = 3; - // OPTIONAL (Map): Dynamic Configuration Pass-through. - map options = 7; + // OPTIONAL: Per-request dynamic context (if needed). + // Kept as an escape hatch for truly dynamic per-request overrides. + map dynamic_context = 900; } // WrapResponse returns the provider-specific ciphertext and metadata. 
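Review bot: Field numbers 2 and 3 in `WrapRequest` are reassigned instead of retired: `key_uri = 2` (string) is removed, `aad` moves from 3 to 2, and `iv` moves from 6 to 3. The old and new occupants of each number are all length-delimited on the wire, so a peer built against the earlier schema would have its key URI decoded as AAD and its AAD decoded as the IV without any parse error, and its IV (old field 6) would be dropped as an unknown field. The `UnwrapRequest` hunk in this file repeats the renumbering, and the `WrapResponse` hunk removes `metadata = 4` without reserving it. If any plugin was built from the earlier revision, keep `aad = 3` and `iv = 6` and add `reserved 2, 4, 5, 7;` with `reserved "key_uri", "encryption_context", "mechanism", "options";`; if nothing was ever released, a comment stating that would make the reuse safe to read.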
@@ -55,9 +45,6 @@ message WrapResponse { // OPTIONAL: The Initialization Vector generated by the provider. // Returned only if the provider generated it and CMK needs to store it. optional bytes iv = 3; - - // OPTIONAL (Map): Vendor-specific metadata. - map metadata = 4; } // UnwrapRequest contains the opaque ciphertext and the exact parameters @@ -66,31 +53,20 @@ message UnwrapRequest { // REQUIRED: The opaque ciphertext retrieved from the CMK persistent storage. bytes ciphertext = 1; - // REQUIRED: The universal locator for the cryptographic key. - string key_uri = 2; - // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. - optional bytes aad = 3; - - // OPTIONAL (Map): Key-Value Encryption Context. - map encryption_context = 4; - - // OPTIONAL: The explicit cryptographic unwrapping mechanism. - optional string mechanism = 5; + optional bytes aad = 2; // OPTIONAL: Initialization Vector (IV) or Nonce. // Must be provided if it was returned in the WrapResponse. - optional bytes iv = 6; + optional bytes iv = 3; - // OPTIONAL (Map): Dynamic Configuration Pass-through. - map options = 7; + // OPTIONAL: Per-request dynamic context (if needed). + // Kept as an escape hatch for truly dynamic per-request overrides. + map dynamic_context = 900; } // UnwrapResponse returns the recovered raw cryptographic material. message UnwrapResponse { // REQUIRED: The recovered raw cryptographic material. bytes plaintext = 1; - - // OPTIONAL (Map): Vendor-specific metadata. - map metadata = 2; } From 1c90087315817649ec7ba09446be09b538f72b7f Mon Sep 17 00:00:00 2001 From: Nicolae Nicora Date: Wed, 11 Mar 2026 21:22:50 +0100 Subject: [PATCH 04/19] update the proto --- .../plugin/cipher_wrapper/v1/cipher_wrapper.pb.go | 15 +++++++++------ .../plugin/cipher_wrapper/v1/cipher_wrapper.proto | 12 ++++++++++-- 2 files changed, 19 insertions(+), 8 deletions(-) 
diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go index 229fedc..a403184 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go @@ -11,6 +11,7 @@ import ( sync "sync" unsafe "unsafe" + _ "buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go/buf/validate" protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" ) @@ -290,9 +291,10 @@ var File_plugin_cipher_wrapper_v1_cipher_wrapper_proto protoreflect.FileDescript const file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc = "" + "\n" + - "-plugin/cipher_wrapper/v1/cipher_wrapper.proto\x12\x18plugin.cipher_wrapper.v1\"\x8e\x02\n" + - "\vWrapRequest\x12\x1c\n" + - "\tplaintext\x18\x01 \x01(\fR\tplaintext\x12\x15\n" + + "-plugin/cipher_wrapper/v1/cipher_wrapper.proto\x12\x18plugin.cipher_wrapper.v1\x1a\x1bbuf/validate/validate.proto\"\x9a\x02\n" + + "\vWrapRequest\x12(\n" + + "\tplaintext\x18\x01 \x01(\fB\n" + + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\tplaintext\x12\x15\n" + "\x03aad\x18\x02 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01\x12c\n" + "\x0fdynamic_context\x18\x84\a \x03(\v29.plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + 
@@ -308,10 +310,11 @@ const file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc = "" + "\x0ekey_version_id\x18\x02 \x01(\tH\x00R\fkeyVersionId\x88\x01\x01\x12\x13\n" + "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01B\x11\n" + "\x0f_key_version_idB\x05\n" + - "\x03_iv\"\x94\x02\n" + - "\rUnwrapRequest\x12\x1e\n" + + "\x03_iv\"\xa0\x02\n" + + "\rUnwrapRequest\x12*\n" + "\n" + - "ciphertext\x18\x01 \x01(\fR\n" + + "ciphertext\x18\x01 \x01(\fB\n" + + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\n" + "ciphertext\x12\x15\n" + "\x03aad\x18\x02 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01\x12e\n" + diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto index b33ce84..2cd1f55 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto @@ -2,6 +2,8 @@ syntax = "proto3"; package plugin.cipher_wrapper.v1; +import "buf/validate/validate.proto"; + // KeyWrapper defines the universal envelope encryption interface for CMK. // It allows the core engine to delegate cryptographic wrapping and unwrapping // to any external provider (AWS KMS, Google Cloud KMS, Azure Key Vault, @@ -18,7 +20,10 @@ service CipherWrapper { // WrapRequest contains the raw key material and the context needed to encrypt it. message WrapRequest { // REQUIRED: The raw cryptographic material to be wrapped. - bytes plaintext = 1; + bytes plaintext = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.min_len = 1 + ]; // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. // Kept in proto because AAD often changes per request (e.g., binding to a specific Tenant ID). 
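Review bot: The `required` and `min_len` rules added to `plaintext` are `buf.validate` (protovalidate) options, which only take effect when a protovalidate validator runs against the message at runtime. The generated `cipher_wrapper.pb.validate.go` shown earlier in this series is protoc-gen-validate output and still reads `// no validation rules for Plaintext`, and this commit's diffstat does not touch it. Unless the host or plugin runs a protovalidate check on incoming requests (not visible in this patch), `WrapRequest.Validate()` will keep returning nil for an empty plaintext. The same applies to `ciphertext` in the `UnwrapRequest` hunk that follows. Consider enforcing protovalidate at the gRPC boundary, or dropping the protoc-gen-validate output so callers do not mistake `Validate()` for enforcement.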
@@ -51,7 +56,10 @@ message WrapResponse { // originally used during the Wrap operation. message UnwrapRequest { // REQUIRED: The opaque ciphertext retrieved from the CMK persistent storage. - bytes ciphertext = 1; + bytes ciphertext = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.min_len = 1 + ]; // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. optional bytes aad = 2; From fac6632c3f077a68748cbf23324379e010ac35b2 Mon Sep 17 00:00:00 2001 From: Nicolae Nicora Date: Wed, 11 Mar 2026 22:24:36 +0100 Subject: [PATCH 05/19] update the proto --- internal/proto/service/init/v1/init.pb.go | 5 ++--- internal/proto/service/init/v1/init_ext_service.pb.go | 3 +-- internal/proto/service/init/v1/init_grpc.pb.go | 1 - proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go | 4 ++-- proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto | 4 ++-- 5 files changed, 7 insertions(+), 10 deletions(-) diff --git a/internal/proto/service/init/v1/init.pb.go b/internal/proto/service/init/v1/init.pb.go index 9b50700..a0fe002 100644 --- a/internal/proto/service/init/v1/init.pb.go +++ b/internal/proto/service/init/v1/init.pb.go @@ -7,11 +7,10 @@ package initv1 import ( - reflect "reflect" - sync "sync" - protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" ) const ( diff --git a/internal/proto/service/init/v1/init_ext_service.pb.go b/internal/proto/service/init/v1/init_ext_service.pb.go index 2eb7c75..11b10a7 100644 --- a/internal/proto/service/init/v1/init_ext_service.pb.go +++ b/internal/proto/service/init/v1/init_ext_service.pb.go @@ -3,9 +3,8 @@ package initv1 import ( - grpc "google.golang.org/grpc" - api "github.com/openkcm/plugin-sdk/api" + grpc "google.golang.org/grpc" ) const ( diff --git a/internal/proto/service/init/v1/init_grpc.pb.go b/internal/proto/service/init/v1/init_grpc.pb.go index f4f4276..7fd786d 100644 
--- a/internal/proto/service/init/v1/init_grpc.pb.go +++ b/internal/proto/service/init/v1/init_grpc.pb.go @@ -8,7 +8,6 @@ package initv1 import ( context "context" - grpc "google.golang.org/grpc" codes "google.golang.org/grpc/codes" status "google.golang.org/grpc/status" diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go index a403184..b23f6ba 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go @@ -294,7 +294,7 @@ const file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc = "" + "-plugin/cipher_wrapper/v1/cipher_wrapper.proto\x12\x18plugin.cipher_wrapper.v1\x1a\x1bbuf/validate/validate.proto\"\x9a\x02\n" + "\vWrapRequest\x12(\n" + "\tplaintext\x18\x01 \x01(\fB\n" + - "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\tplaintext\x12\x15\n" + + "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\tplaintext\x12\x15\n" + "\x03aad\x18\x02 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01\x12c\n" + "\x0fdynamic_context\x18\x84\a \x03(\v29.plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + @@ -314,7 +314,7 @@ const file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc = "" + "\rUnwrapRequest\x12*\n" + "\n" + "ciphertext\x18\x01 \x01(\fB\n" + - "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\n" + + "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\n" + "ciphertext\x12\x15\n" + "\x03aad\x18\x02 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01\x12e\n" + diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto index 2cd1f55..49b5586 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto 
@@ -22,7 +22,7 @@ message WrapRequest { // REQUIRED: The raw cryptographic material to be wrapped. bytes plaintext = 1 [ (buf.validate.field).required = true, - (buf.validate.field).string.min_len = 1 + (buf.validate.field).bytes.min_len = 1 ]; // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. @@ -58,7 +58,7 @@ message UnwrapRequest { // REQUIRED: The opaque ciphertext retrieved from the CMK persistent storage. bytes ciphertext = 1 [ (buf.validate.field).required = true, - (buf.validate.field).string.min_len = 1 + (buf.validate.field).bytes.min_len = 1 ]; // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. From 41bd7cf979ac680bd410655247b275074efe3d65 Mon Sep 17 00:00:00 2001 From: Nicolae Nicora Date: Thu, 12 Mar 2026 13:05:50 +0100 Subject: [PATCH 06/19] fix: add KeyMaterialStorage plugin --- .../v1/key_material_storage.pb.go | 358 +++++++++++ .../v1/key_material_storage.pb.validate.go | 600 ++++++++++++++++++ .../v1/key_material_storage.proto | 75 +++ .../v1/key_material_storage_ext_plugin.pb.go | 56 ++ .../v1/key_material_storage_grpc.pb.go | 174 +++++ 5 files changed, 1263 insertions(+) create mode 100644 proto/plugin/key_material_storage/v1/key_material_storage.pb.go create mode 100644 proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go create mode 100644 proto/plugin/key_material_storage/v1/key_material_storage.proto create mode 100644 proto/plugin/key_material_storage/v1/key_material_storage_ext_plugin.pb.go create mode 100644 proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go new file mode 100644 index 0000000..855190e --- /dev/null +++ b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go 
@@ -0,0 +1,358 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.11 +// protoc (unknown) +// source: plugin/key_material_storage/v1/key_material_storage.proto + +package key_material_storagev1 + +import ( + reflect "reflect" + sync "sync" + unsafe "unsafe" + + _ "buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go/buf/validate" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// KeyMaterial represents a single unit of stored data. +// It is intentionally generic and algorithm-agnostic. +type KeyMaterial struct { + state protoimpl.MessageState `protogen:"open.v1"` + // REQUIRED: The unique identifier for this item. + // e.g., "L2_01H8XGJWBWBAQ9Z7J6C6XJ6C6X" + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` + // REQUIRED: The opaque data blob. + // This typically contains the encrypted/wrapped key material. 
+ Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *KeyMaterial) Reset() { + *x = KeyMaterial{} + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *KeyMaterial) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*KeyMaterial) ProtoMessage() {} + +func (x *KeyMaterial) ProtoReflect() protoreflect.Message { + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use KeyMaterial.ProtoReflect.Descriptor instead. +func (*KeyMaterial) Descriptor() ([]byte, []int) { + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{0} +} + +func (x *KeyMaterial) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +func (x *KeyMaterial) GetData() []byte { + if x != nil { + return x.Data + } + return nil +} + +type StoreRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // REQUIRED: The namespace for this key material. This provides isolation + // and can be mapped to a tenant, project, or customer ID. + Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` + // REQUIRED: The item to be stored. 
+ KeyMaterial *KeyMaterial `protobuf:"bytes,2,opt,name=key_material,json=keyMaterial,proto3" json:"key_material,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *StoreRequest) Reset() { + *x = StoreRequest{} + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *StoreRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*StoreRequest) ProtoMessage() {} + +func (x *StoreRequest) ProtoReflect() protoreflect.Message { + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use StoreRequest.ProtoReflect.Descriptor instead. +func (*StoreRequest) Descriptor() ([]byte, []int) { + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{1} +} + +func (x *StoreRequest) GetNamespace() string { + if x != nil { + return x.Namespace + } + return "" +} + +func (x *StoreRequest) GetKeyMaterial() *KeyMaterial { + if x != nil { + return x.KeyMaterial + } + return nil +} + +type StoreResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *StoreResponse) Reset() { + *x = StoreResponse{} + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *StoreResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*StoreResponse) ProtoMessage() {} + +func (x *StoreResponse) ProtoReflect() protoreflect.Message { + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[2] + 
if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use StoreResponse.ProtoReflect.Descriptor instead. +func (*StoreResponse) Descriptor() ([]byte, []int) { + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{2} +} + +type LoadRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // REQUIRED: The namespace for the item. + Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` + // REQUIRED: The unique ID of the item to retrieve. + Id string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *LoadRequest) Reset() { + *x = LoadRequest{} + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *LoadRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*LoadRequest) ProtoMessage() {} + +func (x *LoadRequest) ProtoReflect() protoreflect.Message { + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use LoadRequest.ProtoReflect.Descriptor instead. 
+func (*LoadRequest) Descriptor() ([]byte, []int) { + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{3} +} + +func (x *LoadRequest) GetNamespace() string { + if x != nil { + return x.Namespace + } + return "" +} + +func (x *LoadRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +type LoadResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The retrieved key material. + // If the key is not found, the RPC will return a `NOT_FOUND` gRPC error. + KeyMaterial *KeyMaterial `protobuf:"bytes,1,opt,name=key_material,json=keyMaterial,proto3" json:"key_material,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *LoadResponse) Reset() { + *x = LoadResponse{} + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *LoadResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*LoadResponse) ProtoMessage() {} + +func (x *LoadResponse) ProtoReflect() protoreflect.Message { + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[4] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use LoadResponse.ProtoReflect.Descriptor instead. 
+func (*LoadResponse) Descriptor() ([]byte, []int) { + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{4} +} + +func (x *LoadResponse) GetKeyMaterial() *KeyMaterial { + if x != nil { + return x.KeyMaterial + } + return nil +} + +var File_plugin_key_material_storage_v1_key_material_storage_proto protoreflect.FileDescriptor + +const file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc = "" + + "\n" + + "9plugin/key_material_storage/v1/key_material_storage.proto\x12\x1eplugin.key_material_storage.v1\x1a\x1bbuf/validate/validate.proto\"I\n" + + "\vKeyMaterial\x12\x1a\n" + + "\x02id\x18\x01 \x01(\tB\n" + + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\x02id\x12\x1e\n" + + "\x04data\x18\x02 \x01(\fB\n" + + "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\x04data\"\x90\x01\n" + + "\fStoreRequest\x12(\n" + + "\tnamespace\x18\x01 \x01(\tB\n" + + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\tnamespace\x12V\n" + + "\fkey_material\x18\x02 \x01(\v2+.plugin.key_material_storage.v1.KeyMaterialB\x06\xbaH\x03\xc8\x01\x01R\vkeyMaterial\"\x0f\n" + + "\rStoreResponse\"S\n" + + "\vLoadRequest\x12(\n" + + "\tnamespace\x18\x01 \x01(\tB\n" + + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\tnamespace\x12\x1a\n" + + "\x02id\x18\x02 \x01(\tB\n" + + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\x02id\"^\n" + + "\fLoadResponse\x12N\n" + + "\fkey_material\x18\x01 \x01(\v2+.plugin.key_material_storage.v1.KeyMaterialR\vkeyMaterial2\xdd\x01\n" + + "\x12KeyMaterialStorage\x12d\n" + + "\x05Store\x12,.plugin.key_material_storage.v1.StoreRequest\x1a-.plugin.key_material_storage.v1.StoreResponse\x12a\n" + + "\x04Load\x12+.plugin.key_material_storage.v1.LoadRequest\x1a,.plugin.key_material_storage.v1.LoadResponseB\xaa\x02\n" + + 
"\"com.plugin.key_material_storage.v1B\x17KeyMaterialStorageProtoP\x01ZYgithub.com/openkcm/plugin-sdk/proto/plugin/key_material_storage/v1;key_material_storagev1\xa2\x02\x03PKX\xaa\x02\x1cPlugin.KeyMaterialStorage.V1\xca\x02\x1cPlugin\\KeyMaterialStorage\\V1\xe2\x02(Plugin\\KeyMaterialStorage\\V1\\GPBMetadata\xea\x02\x1ePlugin::KeyMaterialStorage::V1b\x06proto3" + +var ( + file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescOnce sync.Once + file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescData []byte +) + +func file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP() []byte { + file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescOnce.Do(func() { + file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc), len(file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc))) + }) + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescData +} + +var file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes = make([]protoimpl.MessageInfo, 5) +var file_plugin_key_material_storage_v1_key_material_storage_proto_goTypes = []any{ + (*KeyMaterial)(nil), // 0: plugin.key_material_storage.v1.KeyMaterial + (*StoreRequest)(nil), // 1: plugin.key_material_storage.v1.StoreRequest + (*StoreResponse)(nil), // 2: plugin.key_material_storage.v1.StoreResponse + (*LoadRequest)(nil), // 3: plugin.key_material_storage.v1.LoadRequest + (*LoadResponse)(nil), // 4: plugin.key_material_storage.v1.LoadResponse +} +var file_plugin_key_material_storage_v1_key_material_storage_proto_depIdxs = []int32{ + 0, // 0: plugin.key_material_storage.v1.StoreRequest.key_material:type_name -> plugin.key_material_storage.v1.KeyMaterial + 0, // 1: plugin.key_material_storage.v1.LoadResponse.key_material:type_name -> 
plugin.key_material_storage.v1.KeyMaterial + 1, // 2: plugin.key_material_storage.v1.KeyMaterialStorage.Store:input_type -> plugin.key_material_storage.v1.StoreRequest + 3, // 3: plugin.key_material_storage.v1.KeyMaterialStorage.Load:input_type -> plugin.key_material_storage.v1.LoadRequest + 2, // 4: plugin.key_material_storage.v1.KeyMaterialStorage.Store:output_type -> plugin.key_material_storage.v1.StoreResponse + 4, // 5: plugin.key_material_storage.v1.KeyMaterialStorage.Load:output_type -> plugin.key_material_storage.v1.LoadResponse + 4, // [4:6] is the sub-list for method output_type + 2, // [2:4] is the sub-list for method input_type + 2, // [2:2] is the sub-list for extension type_name + 2, // [2:2] is the sub-list for extension extendee + 0, // [0:2] is the sub-list for field type_name +} + +func init() { file_plugin_key_material_storage_v1_key_material_storage_proto_init() } +func file_plugin_key_material_storage_v1_key_material_storage_proto_init() { + if File_plugin_key_material_storage_v1_key_material_storage_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc), len(file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc)), + NumEnums: 0, + NumMessages: 5, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_plugin_key_material_storage_v1_key_material_storage_proto_goTypes, + DependencyIndexes: file_plugin_key_material_storage_v1_key_material_storage_proto_depIdxs, + MessageInfos: file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes, + }.Build() + File_plugin_key_material_storage_v1_key_material_storage_proto = out.File + file_plugin_key_material_storage_v1_key_material_storage_proto_goTypes = nil + file_plugin_key_material_storage_v1_key_material_storage_proto_depIdxs = nil +} 
diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go b/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go
new file mode 100644
index 0000000..c45a9d9
--- /dev/null
+++ b/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go
@@ -0,0 +1,600 @@ +// Code generated by protoc-gen-validate. DO NOT EDIT. +// source: plugin/key_material_storage/v1/key_material_storage.proto + +package key_material_storagev1 + +import ( + "bytes" + "errors" + "fmt" + "net" + "net/mail" + "net/url" + "regexp" + "sort" + "strings" + "time" + "unicode/utf8" + + "google.golang.org/protobuf/types/known/anypb" +) + +// ensure the imports are used +var ( + _ = bytes.MinRead + _ = errors.New("") + _ = fmt.Print + _ = utf8.UTFMax + _ = (*regexp.Regexp)(nil) + _ = (*strings.Reader)(nil) + _ = net.IPv4len + _ = time.Duration(0) + _ = (*url.URL)(nil) + _ = (*mail.Address)(nil) + _ = anypb.Any{} + _ = sort.Sort +) + +// Validate checks the field values on KeyMaterial with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *KeyMaterial) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on KeyMaterial with the rules defined in +// the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in KeyMaterialMultiError, or +// nil if none found. +func (m *KeyMaterial) ValidateAll() error { + return m.validate(true) +} + +func (m *KeyMaterial) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for Id + + // no validation rules for Data + + if len(errors) > 0 { + return KeyMaterialMultiError(errors) + } + + return nil +} + +// KeyMaterialMultiError is an error wrapping multiple validation errors +// returned by KeyMaterial.ValidateAll() if the designated constraints aren't met. +type KeyMaterialMultiError []error + +// Error returns a concatenation of all the error messages it wraps. 
+func (m KeyMaterialMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m KeyMaterialMultiError) AllErrors() []error { return m } + +// KeyMaterialValidationError is the validation error returned by +// KeyMaterial.Validate if the designated constraints aren't met. +type KeyMaterialValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e KeyMaterialValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e KeyMaterialValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e KeyMaterialValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e KeyMaterialValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e KeyMaterialValidationError) ErrorName() string { return "KeyMaterialValidationError" } + +// Error satisfies the builtin error interface +func (e KeyMaterialValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sKeyMaterial.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = KeyMaterialValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = KeyMaterialValidationError{} + +// Validate checks the field values on StoreRequest with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. 
+func (m *StoreRequest) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on StoreRequest with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in StoreRequestMultiError, or +// nil if none found. +func (m *StoreRequest) ValidateAll() error { + return m.validate(true) +} + +func (m *StoreRequest) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for Namespace + + if all { + switch v := interface{}(m.GetKeyMaterial()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, StoreRequestValidationError{ + field: "KeyMaterial", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, StoreRequestValidationError{ + field: "KeyMaterial", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKeyMaterial()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return StoreRequestValidationError{ + field: "KeyMaterial", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(errors) > 0 { + return StoreRequestMultiError(errors) + } + + return nil +} + +// StoreRequestMultiError is an error wrapping multiple validation errors +// returned by StoreRequest.ValidateAll() if the designated constraints aren't met. +type StoreRequestMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m StoreRequestMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. 
+func (m StoreRequestMultiError) AllErrors() []error { return m } + +// StoreRequestValidationError is the validation error returned by +// StoreRequest.Validate if the designated constraints aren't met. +type StoreRequestValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e StoreRequestValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e StoreRequestValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e StoreRequestValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e StoreRequestValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e StoreRequestValidationError) ErrorName() string { return "StoreRequestValidationError" } + +// Error satisfies the builtin error interface +func (e StoreRequestValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sStoreRequest.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = StoreRequestValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = StoreRequestValidationError{} + +// Validate checks the field values on StoreResponse with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *StoreResponse) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on StoreResponse with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in StoreResponseMultiError, or +// nil if none found. 
+func (m *StoreResponse) ValidateAll() error { + return m.validate(true) +} + +func (m *StoreResponse) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if len(errors) > 0 { + return StoreResponseMultiError(errors) + } + + return nil +} + +// StoreResponseMultiError is an error wrapping multiple validation errors +// returned by StoreResponse.ValidateAll() if the designated constraints +// aren't met. +type StoreResponseMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m StoreResponseMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m StoreResponseMultiError) AllErrors() []error { return m } + +// StoreResponseValidationError is the validation error returned by +// StoreResponse.Validate if the designated constraints aren't met. +type StoreResponseValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e StoreResponseValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e StoreResponseValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e StoreResponseValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e StoreResponseValidationError) Key() bool { return e.key } + +// ErrorName returns error name. 
+func (e StoreResponseValidationError) ErrorName() string { return "StoreResponseValidationError" } + +// Error satisfies the builtin error interface +func (e StoreResponseValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sStoreResponse.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = StoreResponseValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = StoreResponseValidationError{} + +// Validate checks the field values on LoadRequest with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *LoadRequest) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on LoadRequest with the rules defined in +// the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in LoadRequestMultiError, or +// nil if none found. +func (m *LoadRequest) ValidateAll() error { + return m.validate(true) +} + +func (m *LoadRequest) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for Namespace + + // no validation rules for Id + + if len(errors) > 0 { + return LoadRequestMultiError(errors) + } + + return nil +} + +// LoadRequestMultiError is an error wrapping multiple validation errors +// returned by LoadRequest.ValidateAll() if the designated constraints aren't met. +type LoadRequestMultiError []error + +// Error returns a concatenation of all the error messages it wraps. 
+func (m LoadRequestMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m LoadRequestMultiError) AllErrors() []error { return m } + +// LoadRequestValidationError is the validation error returned by +// LoadRequest.Validate if the designated constraints aren't met. +type LoadRequestValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e LoadRequestValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e LoadRequestValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e LoadRequestValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e LoadRequestValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e LoadRequestValidationError) ErrorName() string { return "LoadRequestValidationError" } + +// Error satisfies the builtin error interface +func (e LoadRequestValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sLoadRequest.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = LoadRequestValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = LoadRequestValidationError{} + +// Validate checks the field values on LoadResponse with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. 
+func (m *LoadResponse) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on LoadResponse with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in LoadResponseMultiError, or +// nil if none found. +func (m *LoadResponse) ValidateAll() error { + return m.validate(true) +} + +func (m *LoadResponse) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetKeyMaterial()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, LoadResponseValidationError{ + field: "KeyMaterial", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, LoadResponseValidationError{ + field: "KeyMaterial", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKeyMaterial()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return LoadResponseValidationError{ + field: "KeyMaterial", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(errors) > 0 { + return LoadResponseMultiError(errors) + } + + return nil +} + +// LoadResponseMultiError is an error wrapping multiple validation errors +// returned by LoadResponse.ValidateAll() if the designated constraints aren't met. +type LoadResponseMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m LoadResponseMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. 
+func (m LoadResponseMultiError) AllErrors() []error { return m } + +// LoadResponseValidationError is the validation error returned by +// LoadResponse.Validate if the designated constraints aren't met. +type LoadResponseValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e LoadResponseValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e LoadResponseValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e LoadResponseValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e LoadResponseValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e LoadResponseValidationError) ErrorName() string { return "LoadResponseValidationError" } + +// Error satisfies the builtin error interface +func (e LoadResponseValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sLoadResponse.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = LoadResponseValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = LoadResponseValidationError{} diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.proto b/proto/plugin/key_material_storage/v1/key_material_storage.proto new file mode 100644 index 0000000..8e0d036 --- /dev/null +++ b/proto/plugin/key_material_storage/v1/key_material_storage.proto 
@@ -0,0 +1,75 @@
+syntax = "proto3";
+
+package plugin.key_material_storage.v1;
+
+import "buf/validate/validate.proto";
+
+// KeyMaterialStorage defines the universal interface for persisting and
+// retrieving opaque blobs of data, typically wrapped key material.
+// This allows Krypton to delegate storage to any backend (DB, Vault, File)
+// in a completely generic way.
+service KeyMaterialStorage {
+ // Store persists a single item. This operation must be idempotent.
+ rpc Store(StoreRequest) returns (StoreResponse);
+
+ // Load retrieves a single item by its unique ID.
+ rpc Load(LoadRequest) returns (LoadResponse);
+}
+
+// KeyMaterial represents a single unit of stored data.
+// It is intentionally generic and algorithm-agnostic.
+message KeyMaterial {
+ // REQUIRED: The unique identifier for this item.
+ // e.g., "L2_01H8XGJWBWBAQ9Z7J6C6XJ6C6X"
+ string id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.min_len = 1
+ ];
+
+ // REQUIRED: The opaque data blob.
+ // This typically contains the encrypted/wrapped key material.
+ bytes data = 2 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).bytes.min_len = 1
+ ];
+}
+
+// --- Store RPC Messages ---
+
+message StoreRequest {
+ // REQUIRED: The namespace for this key material. This provides isolation
+ // and can be mapped to a tenant, project, or customer ID.
+ string namespace = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.min_len = 1
+ ];
+
+ // REQUIRED: The item to be stored.
+ KeyMaterial key_material = 2 [(buf.validate.field).required = true];
+}
+
+message StoreResponse {
+ // This response is empty on success. Errors are communicated via gRPC status codes.
+}
+
+// --- Load RPC Messages ---
+
+message LoadRequest {
+ // REQUIRED: The namespace for the item.
+ string namespace = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.min_len = 1
+ ];
+
+ // REQUIRED: The unique ID of the item to retrieve.
+ string id = 2 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.min_len = 1
+ ];
+}
+
+message LoadResponse {
+ // The retrieved key material.
+ // If the key is not found, the RPC will return a `NOT_FOUND` gRPC error.
+ KeyMaterial key_material = 1;
+}
diff --git a/proto/plugin/key_material_storage/v1/key_material_storage_ext_plugin.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage_ext_plugin.pb.go
new file mode 100644
index 0000000..9f108c7
--- /dev/null
+++ b/proto/plugin/key_material_storage/v1/key_material_storage_ext_plugin.pb.go
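Review bot: In key_material_storage.proto the `(buf.validate.field)` rules on `namespace`, `id`, `data` and `key_material` are not reflected in the protoc-gen-validate output added by this same commit: the generated `validate` methods say `// no validation rules for Namespace`, `Id` and `Data`, so `StoreRequest.Validate()` and `LoadRequest.Validate()` return nil for empty values. `namespace` is documented here as the isolation boundary between tenants, so an implementation that trusts `Validate()` performs no check on it. Either state that enforcement happens through a protovalidate runtime check on both sides of the plugin boundary, with a comment such as `// Enforced by protovalidate at runtime; the generated Validate() methods do not apply these rules.`, or write the rules in the form that generator reads, e.g. `string namespace = 1 [(validate.rules).string.min_len = 1];`. Because the service comment lists File as a possible backend, bounding the length and character set of `namespace` and `id` in the same place would also be worth considering.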
@@ -0,0 +1,56 @@ +// Code generated by protoc-gen-go-extension. DO NOT EDIT. + +package key_material_storagev1 + +import ( + grpc "google.golang.org/grpc" + + api "github.com/openkcm/plugin-sdk/api" +) + +const ( + Type = "KeyMaterialStorage" + GRPCServiceFullName = "plugin.key_material_storage.v1.KeyMaterialStorage" +) + +func KeyMaterialStoragePluginServer(server KeyMaterialStorageServer) api.PluginServer { + return keyMaterialStoragePluginServer{KeyMaterialStorageServer: server} +} + +type keyMaterialStoragePluginServer struct { + KeyMaterialStorageServer +} + +func (s keyMaterialStoragePluginServer) Type() string { + return Type +} + +func (s keyMaterialStoragePluginServer) GRPCServiceName() string { + return GRPCServiceFullName +} + +func (s keyMaterialStoragePluginServer) RegisterServer(server *grpc.Server) any { + RegisterKeyMaterialStorageServer(server, s.KeyMaterialStorageServer) + return s.KeyMaterialStorageServer +} + +type KeyMaterialStoragePluginClient struct { + KeyMaterialStorageClient +} + +func (s KeyMaterialStoragePluginClient) Type() string { + return Type +} + +func (c *KeyMaterialStoragePluginClient) IsInitialized() bool { + return c.KeyMaterialStorageClient != nil +} + +func (c *KeyMaterialStoragePluginClient) GRPCServiceName() string { + return GRPCServiceFullName +} + +func (c *KeyMaterialStoragePluginClient) InitClient(conn grpc.ClientConnInterface) any { + c.KeyMaterialStorageClient = NewKeyMaterialStorageClient(conn) + return c.KeyMaterialStorageClient +} diff --git a/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go new file mode 100644 index 0000000..64a0e82 --- /dev/null +++ b/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go 
@@ -0,0 +1,174 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.6.1 +// - protoc (unknown) +// source: plugin/key_material_storage/v1/key_material_storage.proto + +package key_material_storagev1 + +import ( + context "context" + + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.64.0 or later. +const _ = grpc.SupportPackageIsVersion9 + +const ( + KeyMaterialStorage_Store_FullMethodName = "/plugin.key_material_storage.v1.KeyMaterialStorage/Store" + KeyMaterialStorage_Load_FullMethodName = "/plugin.key_material_storage.v1.KeyMaterialStorage/Load" +) + +// KeyMaterialStorageClient is the client API for KeyMaterialStorage service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +// +// KeyMaterialStorage defines the universal interface for persisting and +// retrieving opaque blobs of data, typically wrapped key material. +// This allows Krypton to delegate storage to any backend (DB, Vault, File) +// in a completely generic way. +type KeyMaterialStorageClient interface { + // Store persists a single item. This operation must be idempotent. + Store(ctx context.Context, in *StoreRequest, opts ...grpc.CallOption) (*StoreResponse, error) + // Load retrieves a single item by its unique ID. 
+ Load(ctx context.Context, in *LoadRequest, opts ...grpc.CallOption) (*LoadResponse, error) +} + +type keyMaterialStorageClient struct { + cc grpc.ClientConnInterface +} + +func NewKeyMaterialStorageClient(cc grpc.ClientConnInterface) KeyMaterialStorageClient { + return &keyMaterialStorageClient{cc} +} + +func (c *keyMaterialStorageClient) Store(ctx context.Context, in *StoreRequest, opts ...grpc.CallOption) (*StoreResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(StoreResponse) + err := c.cc.Invoke(ctx, KeyMaterialStorage_Store_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *keyMaterialStorageClient) Load(ctx context.Context, in *LoadRequest, opts ...grpc.CallOption) (*LoadResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(LoadResponse) + err := c.cc.Invoke(ctx, KeyMaterialStorage_Load_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +// KeyMaterialStorageServer is the server API for KeyMaterialStorage service. +// All implementations must embed UnimplementedKeyMaterialStorageServer +// for forward compatibility. +// +// KeyMaterialStorage defines the universal interface for persisting and +// retrieving opaque blobs of data, typically wrapped key material. +// This allows Krypton to delegate storage to any backend (DB, Vault, File) +// in a completely generic way. +type KeyMaterialStorageServer interface { + // Store persists a single item. This operation must be idempotent. + Store(context.Context, *StoreRequest) (*StoreResponse, error) + // Load retrieves a single item by its unique ID. + Load(context.Context, *LoadRequest) (*LoadResponse, error) + mustEmbedUnimplementedKeyMaterialStorageServer() +} + +// UnimplementedKeyMaterialStorageServer must be embedded to have +// forward compatible implementations. 
+// +// NOTE: this should be embedded by value instead of pointer to avoid a nil +// pointer dereference when methods are called. +type UnimplementedKeyMaterialStorageServer struct{} + +func (UnimplementedKeyMaterialStorageServer) Store(context.Context, *StoreRequest) (*StoreResponse, error) { + return nil, status.Error(codes.Unimplemented, "method Store not implemented") +} +func (UnimplementedKeyMaterialStorageServer) Load(context.Context, *LoadRequest) (*LoadResponse, error) { + return nil, status.Error(codes.Unimplemented, "method Load not implemented") +} +func (UnimplementedKeyMaterialStorageServer) mustEmbedUnimplementedKeyMaterialStorageServer() {} +func (UnimplementedKeyMaterialStorageServer) testEmbeddedByValue() {} + +// UnsafeKeyMaterialStorageServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to KeyMaterialStorageServer will +// result in compilation errors. +type UnsafeKeyMaterialStorageServer interface { + mustEmbedUnimplementedKeyMaterialStorageServer() +} + +func RegisterKeyMaterialStorageServer(s grpc.ServiceRegistrar, srv KeyMaterialStorageServer) { + // If the following call panics, it indicates UnimplementedKeyMaterialStorageServer was + // embedded by pointer and is nil. This will cause panics if an + // unimplemented method is ever invoked, so we test this at initialization + // time to prevent it from happening at runtime later due to I/O. 
+ if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { + t.testEmbeddedByValue() + } + s.RegisterService(&KeyMaterialStorage_ServiceDesc, srv) +} + +func _KeyMaterialStorage_Store_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(StoreRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(KeyMaterialStorageServer).Store(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: KeyMaterialStorage_Store_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(KeyMaterialStorageServer).Store(ctx, req.(*StoreRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _KeyMaterialStorage_Load_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(LoadRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(KeyMaterialStorageServer).Load(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: KeyMaterialStorage_Load_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(KeyMaterialStorageServer).Load(ctx, req.(*LoadRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// KeyMaterialStorage_ServiceDesc is the grpc.ServiceDesc for KeyMaterialStorage service. 
+// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var KeyMaterialStorage_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "plugin.key_material_storage.v1.KeyMaterialStorage", + HandlerType: (*KeyMaterialStorageServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "Store", + Handler: _KeyMaterialStorage_Store_Handler, + }, + { + MethodName: "Load", + Handler: _KeyMaterialStorage_Load_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "plugin/key_material_storage/v1/key_material_storage.proto", +} From 917ac4fbf6b3468d4066fcb56c3ca5df122a9cb0 Mon Sep 17 00:00:00 2001 From: Nicolae Nicora Date: Thu, 12 Mar 2026 13:53:20 +0100 Subject: [PATCH 07/19] fix: add KeyMaterialStorage plugin --- .../v1/key_material_storage.pb.go | 223 ++++++++++- .../v1/key_material_storage.pb.validate.go | 345 ++++++++++++++++++ .../v1/key_material_storage.proto | 32 ++ .../v1/key_material_storage_grpc.pb.go | 50 ++- 4 files changed, 629 insertions(+), 21 deletions(-) diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go index 855190e..b2a0861 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go 
@@ -272,6 +272,170 @@ func (x *LoadResponse) GetKeyMaterial() *KeyMaterial { return nil } +type ListIDsRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // REQUIRED: The namespace to search in. + Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` + // OPTIONAL: Filter criteria for listing IDs. + // If not provided, all IDs in the namespace are returned. + Filter *Filter `protobuf:"bytes,2,opt,name=filter,proto3,oneof" json:"filter,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ListIDsRequest) Reset() { + *x = ListIDsRequest{} + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ListIDsRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListIDsRequest) ProtoMessage() {} + +func (x *ListIDsRequest) ProtoReflect() protoreflect.Message { + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[5] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListIDsRequest.ProtoReflect.Descriptor instead. +func (*ListIDsRequest) Descriptor() ([]byte, []int) { + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{5} +} + +func (x *ListIDsRequest) GetNamespace() string { + if x != nil { + return x.Namespace + } + return "" +} + +func (x *ListIDsRequest) GetFilter() *Filter { + if x != nil { + return x.Filter + } + return nil +} + +type Filter struct { + state protoimpl.MessageState `protogen:"open.v1"` + // OPTIONAL: Filter IDs that start with this string. + Prefix *string `protobuf:"bytes,1,opt,name=prefix,proto3,oneof" json:"prefix,omitempty"` + // OPTIONAL: Filter IDs that end with this string. 
+ Suffix *string `protobuf:"bytes,2,opt,name=suffix,proto3,oneof" json:"suffix,omitempty"` + // OPTIONAL: Filter IDs that contain this string. + Contains *string `protobuf:"bytes,3,opt,name=contains,proto3,oneof" json:"contains,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *Filter) Reset() { + *x = Filter{} + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *Filter) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Filter) ProtoMessage() {} + +func (x *Filter) ProtoReflect() protoreflect.Message { + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[6] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Filter.ProtoReflect.Descriptor instead. +func (*Filter) Descriptor() ([]byte, []int) { + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{6} +} + +func (x *Filter) GetPrefix() string { + if x != nil && x.Prefix != nil { + return *x.Prefix + } + return "" +} + +func (x *Filter) GetSuffix() string { + if x != nil && x.Suffix != nil { + return *x.Suffix + } + return "" +} + +func (x *Filter) GetContains() string { + if x != nil && x.Contains != nil { + return *x.Contains + } + return "" +} + +type ListIDsResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // A list of key material IDs that match the request criteria. + // The server may stream multiple responses, each containing a batch of IDs. 
+ Ids []string `protobuf:"bytes,1,rep,name=ids,proto3" json:"ids,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ListIDsResponse) Reset() { + *x = ListIDsResponse{} + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ListIDsResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListIDsResponse) ProtoMessage() {} + +func (x *ListIDsResponse) ProtoReflect() protoreflect.Message { + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[7] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListIDsResponse.ProtoReflect.Descriptor instead. +func (*ListIDsResponse) Descriptor() ([]byte, []int) { + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{7} +} + +func (x *ListIDsResponse) GetIds() []string { + if x != nil { + return x.Ids + } + return nil +} + var File_plugin_key_material_storage_v1_key_material_storage_proto protoreflect.FileDescriptor const file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc = "" + 
@@ -293,10 +457,25 @@ const file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc = " "\x02id\x18\x02 \x01(\tB\n" + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\x02id\"^\n" + "\fLoadResponse\x12N\n" + - "\fkey_material\x18\x01 \x01(\v2+.plugin.key_material_storage.v1.KeyMaterialR\vkeyMaterial2\xdd\x01\n" + + "\fkey_material\x18\x01 \x01(\v2+.plugin.key_material_storage.v1.KeyMaterialR\vkeyMaterial\"\x8a\x01\n" + + "\x0eListIDsRequest\x12(\n" + + "\tnamespace\x18\x01 \x01(\tB\n" + + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\tnamespace\x12C\n" + + "\x06filter\x18\x02 \x01(\v2&.plugin.key_material_storage.v1.FilterH\x00R\x06filter\x88\x01\x01B\t\n" + + "\a_filter\"\x86\x01\n" + + "\x06Filter\x12\x1b\n" + + "\x06prefix\x18\x01 \x01(\tH\x00R\x06prefix\x88\x01\x01\x12\x1b\n" + + "\x06suffix\x18\x02 \x01(\tH\x01R\x06suffix\x88\x01\x01\x12\x1f\n" + + "\bcontains\x18\x03 \x01(\tH\x02R\bcontains\x88\x01\x01B\t\n" + + "\a_prefixB\t\n" + + "\a_suffixB\v\n" + + "\t_contains\"#\n" + + "\x0fListIDsResponse\x12\x10\n" + + "\x03ids\x18\x01 \x03(\tR\x03ids2\xcb\x02\n" + "\x12KeyMaterialStorage\x12d\n" + "\x05Store\x12,.plugin.key_material_storage.v1.StoreRequest\x1a-.plugin.key_material_storage.v1.StoreResponse\x12a\n" + - "\x04Load\x12+.plugin.key_material_storage.v1.LoadRequest\x1a,.plugin.key_material_storage.v1.LoadResponseB\xaa\x02\n" + + "\x04Load\x12+.plugin.key_material_storage.v1.LoadRequest\x1a,.plugin.key_material_storage.v1.LoadResponse\x12l\n" + + "\aListIDs\x12..plugin.key_material_storage.v1.ListIDsRequest\x1a/.plugin.key_material_storage.v1.ListIDsResponse0\x01B\xaa\x02\n" + "\"com.plugin.key_material_storage.v1B\x17KeyMaterialStorageProtoP\x01ZYgithub.com/openkcm/plugin-sdk/proto/plugin/key_material_storage/v1;key_material_storagev1\xa2\x02\x03PKX\xaa\x02\x1cPlugin.KeyMaterialStorage.V1\xca\x02\x1cPlugin\\KeyMaterialStorage\\V1\xe2\x02(Plugin\\KeyMaterialStorage\\V1\\GPBMetadata\xea\x02\x1ePlugin::KeyMaterialStorage::V1b\x06proto3" var ( 
@@ -311,26 +490,32 @@ func file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP( return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescData } -var file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes = make([]protoimpl.MessageInfo, 5) +var file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes = make([]protoimpl.MessageInfo, 8) var file_plugin_key_material_storage_v1_key_material_storage_proto_goTypes = []any{ - (*KeyMaterial)(nil), // 0: plugin.key_material_storage.v1.KeyMaterial - (*StoreRequest)(nil), // 1: plugin.key_material_storage.v1.StoreRequest - (*StoreResponse)(nil), // 2: plugin.key_material_storage.v1.StoreResponse - (*LoadRequest)(nil), // 3: plugin.key_material_storage.v1.LoadRequest - (*LoadResponse)(nil), // 4: plugin.key_material_storage.v1.LoadResponse + (*KeyMaterial)(nil), // 0: plugin.key_material_storage.v1.KeyMaterial + (*StoreRequest)(nil), // 1: plugin.key_material_storage.v1.StoreRequest + (*StoreResponse)(nil), // 2: plugin.key_material_storage.v1.StoreResponse + (*LoadRequest)(nil), // 3: plugin.key_material_storage.v1.LoadRequest + (*LoadResponse)(nil), // 4: plugin.key_material_storage.v1.LoadResponse + (*ListIDsRequest)(nil), // 5: plugin.key_material_storage.v1.ListIDsRequest + (*Filter)(nil), // 6: plugin.key_material_storage.v1.Filter + (*ListIDsResponse)(nil), // 7: plugin.key_material_storage.v1.ListIDsResponse } var file_plugin_key_material_storage_v1_key_material_storage_proto_depIdxs = []int32{ 0, // 0: plugin.key_material_storage.v1.StoreRequest.key_material:type_name -> plugin.key_material_storage.v1.KeyMaterial 0, // 1: plugin.key_material_storage.v1.LoadResponse.key_material:type_name -> plugin.key_material_storage.v1.KeyMaterial - 1, // 2: plugin.key_material_storage.v1.KeyMaterialStorage.Store:input_type -> plugin.key_material_storage.v1.StoreRequest - 3, // 3: plugin.key_material_storage.v1.KeyMaterialStorage.Load:input_type -> 
plugin.key_material_storage.v1.LoadRequest - 2, // 4: plugin.key_material_storage.v1.KeyMaterialStorage.Store:output_type -> plugin.key_material_storage.v1.StoreResponse - 4, // 5: plugin.key_material_storage.v1.KeyMaterialStorage.Load:output_type -> plugin.key_material_storage.v1.LoadResponse - 4, // [4:6] is the sub-list for method output_type - 2, // [2:4] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 6, // 2: plugin.key_material_storage.v1.ListIDsRequest.filter:type_name -> plugin.key_material_storage.v1.Filter + 1, // 3: plugin.key_material_storage.v1.KeyMaterialStorage.Store:input_type -> plugin.key_material_storage.v1.StoreRequest + 3, // 4: plugin.key_material_storage.v1.KeyMaterialStorage.Load:input_type -> plugin.key_material_storage.v1.LoadRequest + 5, // 5: plugin.key_material_storage.v1.KeyMaterialStorage.ListIDs:input_type -> plugin.key_material_storage.v1.ListIDsRequest + 2, // 6: plugin.key_material_storage.v1.KeyMaterialStorage.Store:output_type -> plugin.key_material_storage.v1.StoreResponse + 4, // 7: plugin.key_material_storage.v1.KeyMaterialStorage.Load:output_type -> plugin.key_material_storage.v1.LoadResponse + 7, // 8: plugin.key_material_storage.v1.KeyMaterialStorage.ListIDs:output_type -> plugin.key_material_storage.v1.ListIDsResponse + 6, // [6:9] is the sub-list for method output_type + 3, // [3:6] is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name } func init() { file_plugin_key_material_storage_v1_key_material_storage_proto_init() } 
@@ -338,13 +523,15 @@ func file_plugin_key_material_storage_v1_key_material_storage_proto_init() { if File_plugin_key_material_storage_v1_key_material_storage_proto != nil { return } + file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[5].OneofWrappers = []any{} + file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[6].OneofWrappers = []any{} type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc), len(file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc)), NumEnums: 0, - NumMessages: 5, + NumMessages: 8, NumExtensions: 0, NumServices: 1, }, diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go b/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go index c45a9d9..c2199ad 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go 
@@ -598,3 +598,348 @@ var _ interface { Cause() error ErrorName() string } = LoadResponseValidationError{} + +// Validate checks the field values on ListIDsRequest with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *ListIDsRequest) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on ListIDsRequest with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in ListIDsRequestMultiError, +// or nil if none found. +func (m *ListIDsRequest) ValidateAll() error { + return m.validate(true) +} + +func (m *ListIDsRequest) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for Namespace + + if m.Filter != nil { + + if all { + switch v := interface{}(m.GetFilter()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ListIDsRequestValidationError{ + field: "Filter", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ListIDsRequestValidationError{ + field: "Filter", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetFilter()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ListIDsRequestValidationError{ + field: "Filter", + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + if len(errors) > 0 { + return ListIDsRequestMultiError(errors) + } + + return nil +} + +// ListIDsRequestMultiError is an error wrapping multiple validation errors +// returned by ListIDsRequest.ValidateAll() if the designated constraints +// aren't met. 
+type ListIDsRequestMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m ListIDsRequestMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m ListIDsRequestMultiError) AllErrors() []error { return m } + +// ListIDsRequestValidationError is the validation error returned by +// ListIDsRequest.Validate if the designated constraints aren't met. +type ListIDsRequestValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e ListIDsRequestValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e ListIDsRequestValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e ListIDsRequestValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e ListIDsRequestValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e ListIDsRequestValidationError) ErrorName() string { return "ListIDsRequestValidationError" } + +// Error satisfies the builtin error interface +func (e ListIDsRequestValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sListIDsRequest.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = ListIDsRequestValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = ListIDsRequestValidationError{} + +// Validate checks the field values on Filter with the rules defined in the +// proto definition for this message. 
If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *Filter) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on Filter with the rules defined in the +// proto definition for this message. If any rules are violated, the result is +// a list of violation errors wrapped in FilterMultiError, or nil if none found. +func (m *Filter) ValidateAll() error { + return m.validate(true) +} + +func (m *Filter) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if m.Prefix != nil { + // no validation rules for Prefix + } + + if m.Suffix != nil { + // no validation rules for Suffix + } + + if m.Contains != nil { + // no validation rules for Contains + } + + if len(errors) > 0 { + return FilterMultiError(errors) + } + + return nil +} + +// FilterMultiError is an error wrapping multiple validation errors returned by +// Filter.ValidateAll() if the designated constraints aren't met. +type FilterMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m FilterMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m FilterMultiError) AllErrors() []error { return m } + +// FilterValidationError is the validation error returned by Filter.Validate if +// the designated constraints aren't met. +type FilterValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e FilterValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e FilterValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. 
+func (e FilterValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e FilterValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e FilterValidationError) ErrorName() string { return "FilterValidationError" } + +// Error satisfies the builtin error interface +func (e FilterValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sFilter.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = FilterValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = FilterValidationError{} + +// Validate checks the field values on ListIDsResponse with the rules defined +// in the proto definition for this message. If any rules are violated, the +// first error encountered is returned, or nil if there are no violations. +func (m *ListIDsResponse) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on ListIDsResponse with the rules +// defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// ListIDsResponseMultiError, or nil if none found. +func (m *ListIDsResponse) ValidateAll() error { + return m.validate(true) +} + +func (m *ListIDsResponse) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if len(errors) > 0 { + return ListIDsResponseMultiError(errors) + } + + return nil +} + +// ListIDsResponseMultiError is an error wrapping multiple validation errors +// returned by ListIDsResponse.ValidateAll() if the designated constraints +// aren't met. +type ListIDsResponseMultiError []error + +// Error returns a concatenation of all the error messages it wraps. 
+func (m ListIDsResponseMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m ListIDsResponseMultiError) AllErrors() []error { return m } + +// ListIDsResponseValidationError is the validation error returned by +// ListIDsResponse.Validate if the designated constraints aren't met. +type ListIDsResponseValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e ListIDsResponseValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e ListIDsResponseValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e ListIDsResponseValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e ListIDsResponseValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e ListIDsResponseValidationError) ErrorName() string { return "ListIDsResponseValidationError" } + +// Error satisfies the builtin error interface +func (e ListIDsResponseValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sListIDsResponse.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = ListIDsResponseValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = ListIDsResponseValidationError{} diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.proto b/proto/plugin/key_material_storage/v1/key_material_storage.proto index 8e0d036..55ba5c1 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.proto 
+++ b/proto/plugin/key_material_storage/v1/key_material_storage.proto @@ -14,6 +14,9 @@ service KeyMaterialStorage { // Load retrieves a single item by its unique ID. rpc Load(LoadRequest) returns (LoadResponse); + + // ListIDs streams back all IDs that match a given prefix within a namespace. + rpc ListIDs(ListIDsRequest) returns (stream ListIDsResponse); } // KeyMaterial represents a single unit of stored data. @@ -73,3 +76,32 @@ message LoadResponse { // If the key is not found, the RPC will return a `NOT_FOUND` gRPC error. KeyMaterial key_material = 1; } + +message ListIDsRequest { + // REQUIRED: The namespace to search in. + string namespace = 1 [ + (buf.validate.field).required = true, + (buf.validate.field).string.min_len = 1 + ]; + + // OPTIONAL: Filter criteria for listing IDs. + // If not provided, all IDs in the namespace are returned. + optional Filter filter = 2; +} + +message Filter { + // OPTIONAL: Filter IDs that start with this string. + optional string prefix = 1; + + // OPTIONAL: Filter IDs that end with this string. + optional string suffix = 2; + + // OPTIONAL: Filter IDs that contain this string. + optional string contains = 3; +} + +message ListIDsResponse { + // A list of key material IDs that match the request criteria. + // The server may stream multiple responses, each containing a batch of IDs. + repeated string ids = 1; +} diff --git a/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go index 64a0e82..1eaafaa 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go 
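Review bot: The comment added above `rpc ListIDs` says the call returns IDs that "match a given prefix", but the `ListIDsRequest` added further down in this file carries an optional `Filter` with `prefix`, `suffix` and `contains`, and its own comment says every ID in the namespace is returned when no filter is set. I would reword it to `// ListIDs streams the IDs stored in a namespace, optionally narrowed by ListIDsRequest.filter.` Because this RPC enumerates every key-material ID in a namespace, the comment is also the place to say which callers are expected to be allowed to use it; nothing in the visible service definition states that.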
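Review bot: The new `Filter` message does not say how `prefix`, `suffix` and `contains` combine when more than one is set, nor what a present-but-empty string means, so two storage plugins can return different ID sets for the same request. Add a message-level comment such as `// All fields that are set must match (logical AND); an empty string matches every ID.` (or whichever semantics is intended), and consider a `string.max_len` bound on each field. Separately, the generated `key_material_storage.pb.validate.go` in this patch reports `no validation rules for Namespace`, which suggests the `buf.validate` `required` and `min_len` rules on `namespace` are not enforced by the generated `Validate()` methods. If so, callers need the protovalidate runtime to get the check, which is worth confirming before relying on it.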
@@ -20,8 +20,9 @@ import ( const _ = grpc.SupportPackageIsVersion9 const ( - KeyMaterialStorage_Store_FullMethodName = "/plugin.key_material_storage.v1.KeyMaterialStorage/Store" - KeyMaterialStorage_Load_FullMethodName = "/plugin.key_material_storage.v1.KeyMaterialStorage/Load" + KeyMaterialStorage_Store_FullMethodName = "/plugin.key_material_storage.v1.KeyMaterialStorage/Store" + KeyMaterialStorage_Load_FullMethodName = "/plugin.key_material_storage.v1.KeyMaterialStorage/Load" + KeyMaterialStorage_ListIDs_FullMethodName = "/plugin.key_material_storage.v1.KeyMaterialStorage/ListIDs" ) // KeyMaterialStorageClient is the client API for KeyMaterialStorage service. @@ -37,6 +38,8 @@ type KeyMaterialStorageClient interface { Store(ctx context.Context, in *StoreRequest, opts ...grpc.CallOption) (*StoreResponse, error) // Load retrieves a single item by its unique ID. Load(ctx context.Context, in *LoadRequest, opts ...grpc.CallOption) (*LoadResponse, error) + // ListIDs streams back all IDs that match a given prefix within a namespace. + ListIDs(ctx context.Context, in *ListIDsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ListIDsResponse], error) } type keyMaterialStorageClient struct { 
@@ -67,6 +70,25 @@ func (c *keyMaterialStorageClient) Load(ctx context.Context, in *LoadRequest, op return out, nil } +func (c *keyMaterialStorageClient) ListIDs(ctx context.Context, in *ListIDsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ListIDsResponse], error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + stream, err := c.cc.NewStream(ctx, &KeyMaterialStorage_ServiceDesc.Streams[0], KeyMaterialStorage_ListIDs_FullMethodName, cOpts...) + if err != nil { + return nil, err + } + x := &grpc.GenericClientStream[ListIDsRequest, ListIDsResponse]{ClientStream: stream} + if err := x.ClientStream.SendMsg(in); err != nil { + return nil, err + } + if err := x.ClientStream.CloseSend(); err != nil { + return nil, err + } + return x, nil +} + +// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. +type KeyMaterialStorage_ListIDsClient = grpc.ServerStreamingClient[ListIDsResponse] + // KeyMaterialStorageServer is the server API for KeyMaterialStorage service. // All implementations must embed UnimplementedKeyMaterialStorageServer // for forward compatibility. @@ -80,6 +102,8 @@ type KeyMaterialStorageServer interface { Store(context.Context, *StoreRequest) (*StoreResponse, error) // Load retrieves a single item by its unique ID. Load(context.Context, *LoadRequest) (*LoadResponse, error) + // ListIDs streams back all IDs that match a given prefix within a namespace. + ListIDs(*ListIDsRequest, grpc.ServerStreamingServer[ListIDsResponse]) error mustEmbedUnimplementedKeyMaterialStorageServer() } 
@@ -96,6 +120,9 @@ func (UnimplementedKeyMaterialStorageServer) Store(context.Context, *StoreReques func (UnimplementedKeyMaterialStorageServer) Load(context.Context, *LoadRequest) (*LoadResponse, error) { return nil, status.Error(codes.Unimplemented, "method Load not implemented") } +func (UnimplementedKeyMaterialStorageServer) ListIDs(*ListIDsRequest, grpc.ServerStreamingServer[ListIDsResponse]) error { + return status.Error(codes.Unimplemented, "method ListIDs not implemented") +} func (UnimplementedKeyMaterialStorageServer) mustEmbedUnimplementedKeyMaterialStorageServer() {} func (UnimplementedKeyMaterialStorageServer) testEmbeddedByValue() {} @@ -153,6 +180,17 @@ func _KeyMaterialStorage_Load_Handler(srv interface{}, ctx context.Context, dec return interceptor(ctx, in, info, handler) } +func _KeyMaterialStorage_ListIDs_Handler(srv interface{}, stream grpc.ServerStream) error { + m := new(ListIDsRequest) + if err := stream.RecvMsg(m); err != nil { + return err + } + return srv.(KeyMaterialStorageServer).ListIDs(m, &grpc.GenericServerStream[ListIDsRequest, ListIDsResponse]{ServerStream: stream}) +} + +// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. +type KeyMaterialStorage_ListIDsServer = grpc.ServerStreamingServer[ListIDsResponse] + // KeyMaterialStorage_ServiceDesc is the grpc.ServiceDesc for KeyMaterialStorage service. // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) @@ -169,6 +207,12 @@ var KeyMaterialStorage_ServiceDesc = grpc.ServiceDesc{ Handler: _KeyMaterialStorage_Load_Handler, }, }, - Streams: []grpc.StreamDesc{}, + Streams: []grpc.StreamDesc{ + { + StreamName: "ListIDs", + Handler: _KeyMaterialStorage_ListIDs_Handler, + ServerStreams: true, + }, + }, Metadata: "plugin/key_material_storage/v1/key_material_storage.proto", } From 69d86368b0d2fb69e880cf401ae1653fcae0a80d Mon Sep 17 00:00:00 2001 
From: Nicolae Nicora Date: Thu, 12 Mar 2026 17:03:04 +0100 Subject: [PATCH 08/19] add new field algorithm --- .../v1/key_material_storage.pb.go | 18 +++++++++++++++--- .../v1/key_material_storage.pb.validate.go | 2 ++ .../v1/key_material_storage.proto | 7 +++++++ 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go index b2a0861..5273fdf 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go @@ -32,7 +32,10 @@ type KeyMaterial struct { Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // REQUIRED: The opaque data blob. // This typically contains the encrypted/wrapped key material. - Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` + Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` + // REQUIRED: The name of algorithm + // This typically contains the encrypted/wrapped key material. + Algorithm []byte `protobuf:"bytes,3,opt,name=algorithm,proto3" json:"algorithm,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } @@ -81,6 +84,13 @@ func (x *KeyMaterial) GetData() []byte { return nil } +func (x *KeyMaterial) GetAlgorithm() []byte { + if x != nil { + return x.Algorithm + } + return nil +} + type StoreRequest struct { state protoimpl.MessageState `protogen:"open.v1"` // REQUIRED: The namespace for this key material. This provides isolation 
@@ -440,12 +450,14 @@ var File_plugin_key_material_storage_v1_key_material_storage_proto protoreflect. const file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc = "" + "\n" + - "9plugin/key_material_storage/v1/key_material_storage.proto\x12\x1eplugin.key_material_storage.v1\x1a\x1bbuf/validate/validate.proto\"I\n" + + "9plugin/key_material_storage/v1/key_material_storage.proto\x12\x1eplugin.key_material_storage.v1\x1a\x1bbuf/validate/validate.proto\"s\n" + "\vKeyMaterial\x12\x1a\n" + "\x02id\x18\x01 \x01(\tB\n" + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\x02id\x12\x1e\n" + "\x04data\x18\x02 \x01(\fB\n" + - "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\x04data\"\x90\x01\n" + + "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\x04data\x12(\n" + + "\talgorithm\x18\x03 \x01(\fB\n" + + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\talgorithm\"\x90\x01\n" + "\fStoreRequest\x12(\n" + "\tnamespace\x18\x01 \x01(\tB\n" + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\tnamespace\x12V\n" + diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go b/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go index c2199ad..c26201c 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go @@ -61,6 +61,8 @@ func (m *KeyMaterial) validate(all bool) error { // no validation rules for Data + // no validation rules for Algorithm + if len(errors) > 0 { return KeyMaterialMultiError(errors) } diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.proto b/proto/plugin/key_material_storage/v1/key_material_storage.proto index 55ba5c1..8c9265d 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.proto +++ b/proto/plugin/key_material_storage/v1/key_material_storage.proto 
@@ -35,6 +35,13 @@ message KeyMaterial { (buf.validate.field).required = true, (buf.validate.field).bytes.min_len = 1 ]; + + // REQUIRED: The name of algorithm + // This typically contains the encrypted/wrapped key material. + bytes algorithm = 3 [ + (buf.validate.field).required = true, + (buf.validate.field).string.min_len = 1 + ]; } // --- Store RPC Messages --- From 87ae2f98d7bfd0621c89b0857aed199927594f0f Mon Sep 17 00:00:00 2001 From: Nicolae Nicora Date: Thu, 12 Mar 2026 17:05:06 +0100 Subject: [PATCH 09/19] modify --- .../key_material_storage/v1/key_material_storage.pb.go | 8 ++++---- .../key_material_storage/v1/key_material_storage.proto | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go index 5273fdf..9762b83 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go @@ -35,7 +35,7 @@ type KeyMaterial struct { Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` // REQUIRED: The name of algorithm // This typically contains the encrypted/wrapped key material. - Algorithm []byte `protobuf:"bytes,3,opt,name=algorithm,proto3" json:"algorithm,omitempty"` + Algorithm string `protobuf:"bytes,3,opt,name=algorithm,proto3" json:"algorithm,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } @@ -84,11 +84,11 @@ func (x *KeyMaterial) GetData() []byte { return nil } -func (x *KeyMaterial) GetAlgorithm() []byte { +func (x *KeyMaterial) GetAlgorithm() string { if x != nil { return x.Algorithm } - return nil + return "" } type StoreRequest struct { 
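Review bot: The second comment line on the new `algorithm` field, `This typically contains the encrypted/wrapped key material.`, is copied from `data` and does not describe an algorithm name; replace it with what the value denotes, e.g. `// Identifies the algorithm the material in data belongs to.`, and list or reference the accepted names. The field is declared `bytes` but constrained with `(buf.validate.field).string.min_len = 1`, a string rule on a bytes field (a later patch in this series changes the type to `string`). `min_len = 1` accepts any non-empty value, so if consumers pick a cipher or unwrap mechanism from this field they have to check it against their own list of supported algorithms. Marking a new field REQUIRED on an existing message also leaves open how material stored before this change, which carries no algorithm, is treated on `Load`.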
@@ -456,7 +456,7 @@ const file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc = " "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\x02id\x12\x1e\n" + "\x04data\x18\x02 \x01(\fB\n" + "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\x04data\x12(\n" + - "\talgorithm\x18\x03 \x01(\fB\n" + + "\talgorithm\x18\x03 \x01(\tB\n" + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\talgorithm\"\x90\x01\n" + "\fStoreRequest\x12(\n" + "\tnamespace\x18\x01 \x01(\tB\n" + diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.proto b/proto/plugin/key_material_storage/v1/key_material_storage.proto index 8c9265d..2388dc6 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.proto +++ b/proto/plugin/key_material_storage/v1/key_material_storage.proto @@ -38,7 +38,7 @@ message KeyMaterial { // REQUIRED: The name of algorithm // This typically contains the encrypted/wrapped key material. - bytes algorithm = 3 [ + string algorithm = 3 [ (buf.validate.field).required = true, (buf.validate.field).string.min_len = 1 ]; From cd5a9ea43dcdcf1c14ef44173092ae9233beae65 Mon Sep 17 00:00:00 2001 From: Nicolae Nicora Date: Thu, 12 Mar 2026 17:54:26 +0100 Subject: [PATCH 10/19] modify --- .../v1/key_material_storage.pb.go | 23 ++++++++++++++----- .../v1/key_material_storage.pb.validate.go | 4 ++++ .../v1/key_material_storage.proto | 4 +++- 3 files changed, 24 insertions(+), 7 deletions(-) diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go index 9762b83..3582214 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go 
@@ -28,16 +28,17 @@ const ( type KeyMaterial struct { state protoimpl.MessageState `protogen:"open.v1"` // REQUIRED: The unique identifier for this item. - // e.g., "L2_01H8XGJWBWBAQ9Z7J6C6XJ6C6X" + // e.g., "L2/01H8XGJWBWBAQ9Z7J6C6XJ6C6X" Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // REQUIRED: The opaque data blob. // This typically contains the encrypted/wrapped key material. Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` // REQUIRED: The name of algorithm // This typically contains the encrypted/wrapped key material. - Algorithm string `protobuf:"bytes,3,opt,name=algorithm,proto3" json:"algorithm,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + Algorithm string `protobuf:"bytes,3,opt,name=algorithm,proto3" json:"algorithm,omitempty"` + PreviousVersionId *string `protobuf:"bytes,4,opt,name=previous_version_id,json=previousVersionId,proto3,oneof" json:"previous_version_id,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *KeyMaterial) Reset() { @@ -91,6 +92,13 @@ func (x *KeyMaterial) GetAlgorithm() string { return "" } +func (x *KeyMaterial) GetPreviousVersionId() string { + if x != nil && x.PreviousVersionId != nil { + return *x.PreviousVersionId + } + return "" +} + type StoreRequest struct { state protoimpl.MessageState `protogen:"open.v1"` // REQUIRED: The namespace for this key material. This provides isolation 
@@ -450,14 +458,16 @@ var File_plugin_key_material_storage_v1_key_material_storage_proto protoreflect. const file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc = "" + "\n" + - "9plugin/key_material_storage/v1/key_material_storage.proto\x12\x1eplugin.key_material_storage.v1\x1a\x1bbuf/validate/validate.proto\"s\n" + + "9plugin/key_material_storage/v1/key_material_storage.proto\x12\x1eplugin.key_material_storage.v1\x1a\x1bbuf/validate/validate.proto\"\xc0\x01\n" + "\vKeyMaterial\x12\x1a\n" + "\x02id\x18\x01 \x01(\tB\n" + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\x02id\x12\x1e\n" + "\x04data\x18\x02 \x01(\fB\n" + "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\x04data\x12(\n" + "\talgorithm\x18\x03 \x01(\tB\n" + - "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\talgorithm\"\x90\x01\n" + + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\talgorithm\x123\n" + + "\x13previous_version_id\x18\x04 \x01(\tH\x00R\x11previousVersionId\x88\x01\x01B\x16\n" + + "\x14_previous_version_id\"\x90\x01\n" + "\fStoreRequest\x12(\n" + "\tnamespace\x18\x01 \x01(\tB\n" + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\tnamespace\x12V\n" + @@ -535,6 +545,7 @@ func file_plugin_key_material_storage_v1_key_material_storage_proto_init() { if File_plugin_key_material_storage_v1_key_material_storage_proto != nil { return } + file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[0].OneofWrappers = []any{} file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[5].OneofWrappers = []any{} file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[6].OneofWrappers = []any{} type x struct{} diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go b/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go index c26201c..8e0a10d 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go 
@@ -63,6 +63,10 @@ func (m *KeyMaterial) validate(all bool) error { // no validation rules for Algorithm + if m.PreviousVersionId != nil { + // no validation rules for PreviousVersionId + } + if len(errors) > 0 { return KeyMaterialMultiError(errors) } diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.proto b/proto/plugin/key_material_storage/v1/key_material_storage.proto index 2388dc6..decf174 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.proto +++ b/proto/plugin/key_material_storage/v1/key_material_storage.proto @@ -23,7 +23,7 @@ service KeyMaterialStorage { // It is intentionally generic and algorithm-agnostic. message KeyMaterial { // REQUIRED: The unique identifier for this item. - // e.g., "L2_01H8XGJWBWBAQ9Z7J6C6XJ6C6X" + // e.g., "L2/01H8XGJWBWBAQ9Z7J6C6XJ6C6X" string id = 1 [ (buf.validate.field).required = true, (buf.validate.field).string.min_len = 1 @@ -42,6 +42,8 @@ message KeyMaterial { (buf.validate.field).required = true, (buf.validate.field).string.min_len = 1 ]; + + optional string previous_version_id = 4; } // --- Store RPC Messages --- From 9b499a038755031e9db44f965a698470edbe2b69 Mon Sep 17 00:00:00 2001 From: Nicolae Nicora Date: Fri, 13 Mar 2026 23:54:39 +0100 Subject: [PATCH 11/19] modify --- .../cipher_wrapper/v1/cipher_wrapper.pb.go | 191 +++++++++++++----- .../v1/cipher_wrapper.pb.validate.go | 165 +++++++++++++++ .../cipher_wrapper/v1/cipher_wrapper.proto | 24 ++- 3 files changed, 327 insertions(+), 53 deletions(-) diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go index b23f6ba..7346807 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go 
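Review bot: The documented format of `KeyMaterial.id` (the `@@ -23,7 +23,7 @@` hunk of key_material_storage.proto) now contains `/`, while the field is still constrained only by `required` and `string.min_len = 1`. If any storage plugin derives a file path or object key from `id` (not visible here), a separator inside the identifier means each backend has to reject `..` segments and absolute paths on its own. Pinning the shape in the schema keeps that check in one place, for example `(buf.validate.field).string.pattern = "^[A-Za-z0-9_]+(/[A-Za-z0-9_]+)*$"` (a constructed pattern; adjust it to the real id grammar). The `KeyMaterial` message continues outside this hunk.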
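Review bot: `previous_version_id` in the `@@ -42,6 +42,8 @@` hunk of key_material_storage.proto is added with neither a comment nor a constraint, unlike the field directly above it. A present-but-empty value is therefore accepted, and nothing says what the id refers to. If it is meant to hold the `id` of the item this one supersedes, I would write `optional string previous_version_id = 4 [(buf.validate.field).string.min_len = 1];` and precede it with `// OPTIONAL: id of the KeyMaterial this version replaces; unset for the first version.` The comment should also say whether a backend is expected to check that the referenced id exists in the same namespace.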
@@ -23,17 +23,79 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +type KeyReference struct { + state protoimpl.MessageState `protogen:"open.v1"` + KeyId string `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` + Version *string `protobuf:"bytes,2,opt,name=version,proto3,oneof" json:"version,omitempty"` + Properties map[string]string `protobuf:"bytes,3,rep,name=properties,proto3" json:"properties,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *KeyReference) Reset() { + *x = KeyReference{} + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *KeyReference) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*KeyReference) ProtoMessage() {} + +func (x *KeyReference) ProtoReflect() protoreflect.Message { + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use KeyReference.ProtoReflect.Descriptor instead. +func (*KeyReference) Descriptor() ([]byte, []int) { + return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{0} +} + +func (x *KeyReference) GetKeyId() string { + if x != nil { + return x.KeyId + } + return "" +} + +func (x *KeyReference) GetVersion() string { + if x != nil && x.Version != nil { + return *x.Version + } + return "" +} + +func (x *KeyReference) GetProperties() map[string]string { + if x != nil { + return x.Properties + } + return nil +} + // WrapRequest contains the raw key material and the context needed to encrypt it. 
type WrapRequest struct { state protoimpl.MessageState `protogen:"open.v1"` + // OPTIONAL/REQUIRED: The structured definition of the key to use. + Key *KeyReference `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` // REQUIRED: The raw cryptographic material to be wrapped. - Plaintext []byte `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"` + Plaintext []byte `protobuf:"bytes,2,opt,name=plaintext,proto3" json:"plaintext,omitempty"` // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. // Kept in proto because AAD often changes per request (e.g., binding to a specific Tenant ID). - Aad []byte `protobuf:"bytes,2,opt,name=aad,proto3,oneof" json:"aad,omitempty"` + Aad []byte `protobuf:"bytes,3,opt,name=aad,proto3,oneof" json:"aad,omitempty"` // OPTIONAL: Initialization Vector (IV) or Nonce. // Cryptographically dynamic, must remain in proto. - Iv []byte `protobuf:"bytes,3,opt,name=iv,proto3,oneof" json:"iv,omitempty"` + Iv []byte `protobuf:"bytes,4,opt,name=iv,proto3,oneof" json:"iv,omitempty"` // OPTIONAL: Per-request dynamic context (if needed). // Kept as an escape hatch for truly dynamic per-request overrides. DynamicContext map[string]string `protobuf:"bytes,900,rep,name=dynamic_context,json=dynamicContext,proto3" json:"dynamic_context,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` @@ -43,7 +105,7 @@ type WrapRequest struct { func (x *WrapRequest) Reset() { *x = WrapRequest{} - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[0] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[1] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -55,7 +117,7 @@ func (x *WrapRequest) String() string { func (*WrapRequest) ProtoMessage() {} func (x *WrapRequest) ProtoReflect() protoreflect.Message { - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[0] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[1] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -68,7 +130,14 @@ func (x *WrapRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use WrapRequest.ProtoReflect.Descriptor instead. func (*WrapRequest) Descriptor() ([]byte, []int) { - return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{0} + return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{1} +} + +func (x *WrapRequest) GetKey() *KeyReference { + if x != nil { + return x.Key + } + return nil } func (x *WrapRequest) GetPlaintext() []byte { @@ -116,7 +185,7 @@ type WrapResponse struct { func (x *WrapResponse) Reset() { *x = WrapResponse{} - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[1] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -128,7 +197,7 @@ func (x *WrapResponse) String() string { func (*WrapResponse) ProtoMessage() {} func (x *WrapResponse) ProtoReflect() protoreflect.Message { - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[1] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[2] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -141,7 +210,7 @@ func (x *WrapResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use WrapResponse.ProtoReflect.Descriptor instead. func (*WrapResponse) Descriptor() ([]byte, []int) { - return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{1} + return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{2} } func (x *WrapResponse) GetCiphertext() []byte { @@ -169,13 +238,15 @@ func (x *WrapResponse) GetIv() []byte { // originally used during the Wrap operation. type UnwrapRequest struct { state protoimpl.MessageState `protogen:"open.v1"` + // OPTIONAL/REQUIRED: The structured definition of the key to use. + Key *KeyReference `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` // REQUIRED: The opaque ciphertext retrieved from the CMK persistent storage. - Ciphertext []byte `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` + Ciphertext []byte `protobuf:"bytes,2,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. - Aad []byte `protobuf:"bytes,2,opt,name=aad,proto3,oneof" json:"aad,omitempty"` + Aad []byte `protobuf:"bytes,3,opt,name=aad,proto3,oneof" json:"aad,omitempty"` // OPTIONAL: Initialization Vector (IV) or Nonce. // Must be provided if it was returned in the WrapResponse. - Iv []byte `protobuf:"bytes,3,opt,name=iv,proto3,oneof" json:"iv,omitempty"` + Iv []byte `protobuf:"bytes,4,opt,name=iv,proto3,oneof" json:"iv,omitempty"` // OPTIONAL: Per-request dynamic context (if needed). // Kept as an escape hatch for truly dynamic per-request overrides. DynamicContext map[string]string `protobuf:"bytes,900,rep,name=dynamic_context,json=dynamicContext,proto3" json:"dynamic_context,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` 
@@ -185,7 +256,7 @@ type UnwrapRequest struct { func (x *UnwrapRequest) Reset() { *x = UnwrapRequest{} - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[2] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -197,7 +268,7 @@ func (x *UnwrapRequest) String() string { func (*UnwrapRequest) ProtoMessage() {} func (x *UnwrapRequest) ProtoReflect() protoreflect.Message { - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[2] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[3] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -210,7 +281,14 @@ func (x *UnwrapRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use UnwrapRequest.ProtoReflect.Descriptor instead. func (*UnwrapRequest) Descriptor() ([]byte, []int) { - return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{2} + return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{3} +} + +func (x *UnwrapRequest) GetKey() *KeyReference { + if x != nil { + return x.Key + } + return nil } func (x *UnwrapRequest) GetCiphertext() []byte { @@ -252,7 +330,7 @@ type UnwrapResponse struct { func (x *UnwrapResponse) Reset() { *x = UnwrapResponse{} - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[3] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -264,7 +342,7 @@ func (x *UnwrapResponse) String() string { func (*UnwrapResponse) ProtoMessage() {} func (x *UnwrapResponse) ProtoReflect() protoreflect.Message { - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[3] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[4] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -277,7 +355,7 @@ func (x *UnwrapResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use UnwrapResponse.ProtoReflect.Descriptor instead. func (*UnwrapResponse) Descriptor() ([]byte, []int) { - return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{3} + return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{4} } func (x *UnwrapResponse) GetPlaintext() []byte { 
@@ -291,12 +369,24 @@ var File_plugin_cipher_wrapper_v1_cipher_wrapper_proto protoreflect.FileDescript const file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc = "" + "\n" + - "-plugin/cipher_wrapper/v1/cipher_wrapper.proto\x12\x18plugin.cipher_wrapper.v1\x1a\x1bbuf/validate/validate.proto\"\x9a\x02\n" + - "\vWrapRequest\x12(\n" + - "\tplaintext\x18\x01 \x01(\fB\n" + + "-plugin/cipher_wrapper/v1/cipher_wrapper.proto\x12\x18plugin.cipher_wrapper.v1\x1a\x1bbuf/validate/validate.proto\"\xe7\x01\n" + + "\fKeyReference\x12\x15\n" + + "\x06key_id\x18\x01 \x01(\tR\x05keyId\x12\x1d\n" + + "\aversion\x18\x02 \x01(\tH\x00R\aversion\x88\x01\x01\x12V\n" + + "\n" + + "properties\x18\x03 \x03(\v26.plugin.cipher_wrapper.v1.KeyReference.PropertiesEntryR\n" + + "properties\x1a=\n" + + "\x0fPropertiesEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\n" + + "\n" + + "\b_version\"\xdc\x02\n" + + "\vWrapRequest\x12@\n" + + "\x03key\x18\x01 \x01(\v2&.plugin.cipher_wrapper.v1.KeyReferenceB\x06\xbaH\x03\xc8\x01\x01R\x03key\x12(\n" + + "\tplaintext\x18\x02 \x01(\fB\n" + "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\tplaintext\x12\x15\n" + - "\x03aad\x18\x02 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + - "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01\x12c\n" + + "\x03aad\x18\x03 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + + "\x02iv\x18\x04 \x01(\fH\x01R\x02iv\x88\x01\x01\x12c\n" + "\x0fdynamic_context\x18\x84\a \x03(\v29.plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + "\x13DynamicContextEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + 
@@ -310,14 +400,15 @@ const file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc = "" + "\x0ekey_version_id\x18\x02 \x01(\tH\x00R\fkeyVersionId\x88\x01\x01\x12\x13\n" + "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01B\x11\n" + "\x0f_key_version_idB\x05\n" + - "\x03_iv\"\xa0\x02\n" + - "\rUnwrapRequest\x12*\n" + + "\x03_iv\"\xe2\x02\n" + + "\rUnwrapRequest\x12@\n" + + "\x03key\x18\x01 \x01(\v2&.plugin.cipher_wrapper.v1.KeyReferenceB\x06\xbaH\x03\xc8\x01\x01R\x03key\x12*\n" + "\n" + - "ciphertext\x18\x01 \x01(\fB\n" + + "ciphertext\x18\x02 \x01(\fB\n" + "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\n" + "ciphertext\x12\x15\n" + - "\x03aad\x18\x02 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + - "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01\x12e\n" + + "\x03aad\x18\x03 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + + "\x02iv\x18\x04 \x01(\fH\x01R\x02iv\x88\x01\x01\x12e\n" + "\x0fdynamic_context\x18\x84\a \x03(\v2;.plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + "\x13DynamicContextEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + 
@@ -343,27 +434,32 @@ func file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP() []byte { return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescData } -var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes = make([]protoimpl.MessageInfo, 6) +var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes = make([]protoimpl.MessageInfo, 8) var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_goTypes = []any{ - (*WrapRequest)(nil), // 0: plugin.cipher_wrapper.v1.WrapRequest - (*WrapResponse)(nil), // 1: plugin.cipher_wrapper.v1.WrapResponse - (*UnwrapRequest)(nil), // 2: plugin.cipher_wrapper.v1.UnwrapRequest - (*UnwrapResponse)(nil), // 3: plugin.cipher_wrapper.v1.UnwrapResponse - nil, // 4: plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntry - nil, // 5: plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry + (*KeyReference)(nil), // 0: plugin.cipher_wrapper.v1.KeyReference + (*WrapRequest)(nil), // 1: plugin.cipher_wrapper.v1.WrapRequest + (*WrapResponse)(nil), // 2: plugin.cipher_wrapper.v1.WrapResponse + (*UnwrapRequest)(nil), // 3: plugin.cipher_wrapper.v1.UnwrapRequest + (*UnwrapResponse)(nil), // 4: plugin.cipher_wrapper.v1.UnwrapResponse + nil, // 5: plugin.cipher_wrapper.v1.KeyReference.PropertiesEntry + nil, // 6: plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntry + nil, // 7: plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry } var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_depIdxs = []int32{ - 4, // 0: plugin.cipher_wrapper.v1.WrapRequest.dynamic_context:type_name -> plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntry - 5, // 1: plugin.cipher_wrapper.v1.UnwrapRequest.dynamic_context:type_name -> plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry - 0, // 2: plugin.cipher_wrapper.v1.CipherWrapper.Wrap:input_type -> plugin.cipher_wrapper.v1.WrapRequest - 2, // 3: plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:input_type -> plugin.cipher_wrapper.v1.UnwrapRequest - 1, // 4: 
plugin.cipher_wrapper.v1.CipherWrapper.Wrap:output_type -> plugin.cipher_wrapper.v1.WrapResponse - 3, // 5: plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:output_type -> plugin.cipher_wrapper.v1.UnwrapResponse - 4, // [4:6] is the sub-list for method output_type - 2, // [2:4] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 5, // 0: plugin.cipher_wrapper.v1.KeyReference.properties:type_name -> plugin.cipher_wrapper.v1.KeyReference.PropertiesEntry + 0, // 1: plugin.cipher_wrapper.v1.WrapRequest.key:type_name -> plugin.cipher_wrapper.v1.KeyReference + 6, // 2: plugin.cipher_wrapper.v1.WrapRequest.dynamic_context:type_name -> plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntry + 0, // 3: plugin.cipher_wrapper.v1.UnwrapRequest.key:type_name -> plugin.cipher_wrapper.v1.KeyReference + 7, // 4: plugin.cipher_wrapper.v1.UnwrapRequest.dynamic_context:type_name -> plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry + 1, // 5: plugin.cipher_wrapper.v1.CipherWrapper.Wrap:input_type -> plugin.cipher_wrapper.v1.WrapRequest + 3, // 6: plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:input_type -> plugin.cipher_wrapper.v1.UnwrapRequest + 2, // 7: plugin.cipher_wrapper.v1.CipherWrapper.Wrap:output_type -> plugin.cipher_wrapper.v1.WrapResponse + 4, // 8: plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:output_type -> plugin.cipher_wrapper.v1.UnwrapResponse + 7, // [7:9] is the sub-list for method output_type + 5, // [5:7] is the sub-list for method input_type + 5, // [5:5] is the sub-list for extension type_name + 5, // [5:5] is the sub-list for extension extendee + 0, // [0:5] is the sub-list for field type_name } func init() { file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_init() } 
@@ -374,13 +470,14 @@ func file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_init() { file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[0].OneofWrappers = []any{} file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[1].OneofWrappers = []any{} file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[2].OneofWrappers = []any{} + file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[3].OneofWrappers = []any{} type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc), len(file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc)), NumEnums: 0, - NumMessages: 6, + NumMessages: 8, NumExtensions: 0, NumServices: 1, }, diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go index a7926e3..88c88c1 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go 
@@ -35,6 +35,113 @@ var ( _ = sort.Sort ) +// Validate checks the field values on KeyReference with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *KeyReference) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on KeyReference with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in KeyReferenceMultiError, or +// nil if none found. +func (m *KeyReference) ValidateAll() error { + return m.validate(true) +} + +func (m *KeyReference) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for KeyId + + // no validation rules for Properties + + if m.Version != nil { + // no validation rules for Version + } + + if len(errors) > 0 { + return KeyReferenceMultiError(errors) + } + + return nil +} + +// KeyReferenceMultiError is an error wrapping multiple validation errors +// returned by KeyReference.ValidateAll() if the designated constraints aren't met. +type KeyReferenceMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m KeyReferenceMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m KeyReferenceMultiError) AllErrors() []error { return m } + +// KeyReferenceValidationError is the validation error returned by +// KeyReference.Validate if the designated constraints aren't met. +type KeyReferenceValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. 
+func (e KeyReferenceValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e KeyReferenceValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e KeyReferenceValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e KeyReferenceValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e KeyReferenceValidationError) ErrorName() string { return "KeyReferenceValidationError" } + +// Error satisfies the builtin error interface +func (e KeyReferenceValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sKeyReference.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = KeyReferenceValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = KeyReferenceValidationError{} + // Validate checks the field values on WrapRequest with the rules defined in // the proto definition for this message. If any rules are violated, the first // error encountered is returned, or nil if there are no violations. 
@@ -57,6 +164,35 @@ func (m *WrapRequest) validate(all bool) error { var errors []error + if all { + switch v := interface{}(m.GetKey()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, WrapRequestValidationError{ + field: "Key", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, WrapRequestValidationError{ + field: "Key", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKey()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return WrapRequestValidationError{ + field: "Key", + reason: "embedded message failed validation", + cause: err, + } + } + } + // no validation rules for Plaintext // no validation rules for DynamicContext @@ -277,6 +413,35 @@ func (m *UnwrapRequest) validate(all bool) error { var errors []error + if all { + switch v := interface{}(m.GetKey()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, UnwrapRequestValidationError{ + field: "Key", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, UnwrapRequestValidationError{ + field: "Key", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKey()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return UnwrapRequestValidationError{ + field: "Key", + reason: "embedded message failed validation", + cause: err, + } + } + } + // no validation rules for Ciphertext // no validation rules for DynamicContext 
diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto index 49b5586..924d620 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto @@ -17,21 +17,30 @@ service CipherWrapper { rpc Unwrap(UnwrapRequest) returns (UnwrapResponse); } +message KeyReference { + string key_id = 1; + optional string version = 2; + map properties = 3; +} + // WrapRequest contains the raw key material and the context needed to encrypt it. message WrapRequest { + // OPTIONAL/REQUIRED: The structured definition of the key to use. + KeyReference key = 1 [(buf.validate.field).required = true]; + // REQUIRED: The raw cryptographic material to be wrapped. - bytes plaintext = 1 [ + bytes plaintext = 2 [ (buf.validate.field).required = true, (buf.validate.field).bytes.min_len = 1 ]; // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. // Kept in proto because AAD often changes per request (e.g., binding to a specific Tenant ID). - optional bytes aad = 2; + optional bytes aad = 3; // OPTIONAL: Initialization Vector (IV) or Nonce. // Cryptographically dynamic, must remain in proto. - optional bytes iv = 3; + optional bytes iv = 4; // OPTIONAL: Per-request dynamic context (if needed). // Kept as an escape hatch for truly dynamic per-request overrides. 
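Review bot: Inserting `key` at tag 1 and shifting `plaintext`, `aad` and `iv` up by one in `WrapRequest` reuses existing tag numbers for different fields that share a wire type, since bytes and embedded messages are both length-delimited. A host and a plugin built from different revisions will therefore not fail to decode; they will silently read one field as another, for example a sender's old `aad = 2` arrives as `plaintext`. On an interface that carries raw key material, that mix-up is worth ruling out at the schema level by leaving the existing numbers alone and giving the new field a fresh one, e.g. `KeyReference key = 5 [(buf.validate.field).required = true];`. The same renumbering is made to `UnwrapRequest` in the next hunk of this file. If no plugin has ever been built against the earlier numbering this is harmless, but the commit message does not say so.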
@@ -55,18 +64,21 @@ message WrapResponse { // UnwrapRequest contains the opaque ciphertext and the exact parameters // originally used during the Wrap operation. message UnwrapRequest { + // OPTIONAL/REQUIRED: The structured definition of the key to use. + KeyReference key = 1 [(buf.validate.field).required = true]; + // REQUIRED: The opaque ciphertext retrieved from the CMK persistent storage. - bytes ciphertext = 1 [ + bytes ciphertext = 2 [ (buf.validate.field).required = true, (buf.validate.field).bytes.min_len = 1 ]; // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. - optional bytes aad = 2; + optional bytes aad = 3; // OPTIONAL: Initialization Vector (IV) or Nonce. // Must be provided if it was returned in the WrapResponse. - optional bytes iv = 3; + optional bytes iv = 4; // OPTIONAL: Per-request dynamic context (if needed). // Kept as an escape hatch for truly dynamic per-request overrides. From 051a3bab18c9b7996329ce351268635c9216df0c Mon Sep 17 00:00:00 2001 From: Nicolae Nicora Date: Sat, 14 Mar 2026 02:13:12 +0100 Subject: [PATCH 12/19] modify --- .../v1/key_material_storage.pb.go | 96 +++++++++++++------ .../v1/key_material_storage.pb.validate.go | 39 ++++++++ .../v1/key_material_storage.proto | 7 ++ 3 files changed, 113 insertions(+), 29 deletions(-) diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go index 3582214..b6a4efe 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go @@ -14,6 +14,7 @@ import ( _ "buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go/buf/validate" protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" + timestamppb "google.golang.org/protobuf/types/known/timestamppb" ) const ( 
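Review bot: `required = true` on `key` in `UnwrapRequest` (and on `WrapRequest.key` in the previous hunk) only forces the message to be present. `KeyReference.key_id`, declared in that previous hunk, carries no rule, so an Unwrap naming an empty key id passes schema validation and key selection is left to whatever the plugin does with `""`. I would constrain it where it is declared, `string key_id = 1 [(buf.validate.field).required = true, (buf.validate.field).string.min_len = 1];`, and change the field comment from `OPTIONAL/REQUIRED` to `REQUIRED` to match the annotation. Separately, the regenerated `validate()` methods earlier in this patch print `no validation rules for` fields that are annotated in the .proto, so these rules appear to be enforced only where the caller runs a buf.validate-aware validator. That is worth confirming before anything relies on `Validate()`.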
@@ -35,8 +36,11 @@ type KeyMaterial struct { Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` // REQUIRED: The name of algorithm // This typically contains the encrypted/wrapped key material. - Algorithm string `protobuf:"bytes,3,opt,name=algorithm,proto3" json:"algorithm,omitempty"` - PreviousVersionId *string `protobuf:"bytes,4,opt,name=previous_version_id,json=previousVersionId,proto3,oneof" json:"previous_version_id,omitempty"` + Algorithm string `protobuf:"bytes,3,opt,name=algorithm,proto3" json:"algorithm,omitempty"` + PreviousVersionId *string `protobuf:"bytes,4,opt,name=previous_version_id,json=previousVersionId,proto3,oneof" json:"previous_version_id,omitempty"` + Checksum *string `protobuf:"bytes,5,opt,name=checksum,proto3,oneof" json:"checksum,omitempty"` + CreatedAt *timestamppb.Timestamp `protobuf:"bytes,6,opt,name=created_at,json=createdAt,proto3,oneof" json:"created_at,omitempty"` + Tags map[string]string `protobuf:"bytes,100,rep,name=tags,proto3" json:"tags,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } @@ -99,6 +103,27 @@ func (x *KeyMaterial) GetPreviousVersionId() string { return "" } +func (x *KeyMaterial) GetChecksum() string { + if x != nil && x.Checksum != nil { + return *x.Checksum + } + return "" +} + +func (x *KeyMaterial) GetCreatedAt() *timestamppb.Timestamp { + if x != nil { + return x.CreatedAt + } + return nil +} + +func (x *KeyMaterial) GetTags() map[string]string { + if x != nil { + return x.Tags + } + return nil +} + type StoreRequest struct { state protoimpl.MessageState `protogen:"open.v1"` // REQUIRED: The namespace for this key material. This provides isolation 
@@ -458,7 +483,7 @@ var File_plugin_key_material_storage_v1_key_material_storage_proto protoreflect. const file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc = "" + "\n" + - "9plugin/key_material_storage/v1/key_material_storage.proto\x12\x1eplugin.key_material_storage.v1\x1a\x1bbuf/validate/validate.proto\"\xc0\x01\n" + + "9plugin/key_material_storage/v1/key_material_storage.proto\x12\x1eplugin.key_material_storage.v1\x1a\x1bbuf/validate/validate.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xc1\x03\n" + "\vKeyMaterial\x12\x1a\n" + "\x02id\x18\x01 \x01(\tB\n" + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\x02id\x12\x1e\n" + @@ -466,8 +491,17 @@ const file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc = " "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\x04data\x12(\n" + "\talgorithm\x18\x03 \x01(\tB\n" + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\talgorithm\x123\n" + - "\x13previous_version_id\x18\x04 \x01(\tH\x00R\x11previousVersionId\x88\x01\x01B\x16\n" + - "\x14_previous_version_id\"\x90\x01\n" + + "\x13previous_version_id\x18\x04 \x01(\tH\x00R\x11previousVersionId\x88\x01\x01\x12\x1f\n" + + "\bchecksum\x18\x05 \x01(\tH\x01R\bchecksum\x88\x01\x01\x12>\n" + + "\n" + + "created_at\x18\x06 \x01(\v2\x1a.google.protobuf.TimestampH\x02R\tcreatedAt\x88\x01\x01\x12I\n" + + "\x04tags\x18d \x03(\v25.plugin.key_material_storage.v1.KeyMaterial.TagsEntryR\x04tags\x1a7\n" + + "\tTagsEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x16\n" + + "\x14_previous_version_idB\v\n" + + "\t_checksumB\r\n" + + "\v_created_at\"\x90\x01\n" + "\fStoreRequest\x12(\n" + "\tnamespace\x18\x01 \x01(\tB\n" + "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\tnamespace\x12V\n" + 
@@ -512,32 +546,36 @@ func file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP( return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescData } -var file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes = make([]protoimpl.MessageInfo, 8) +var file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes = make([]protoimpl.MessageInfo, 9) var file_plugin_key_material_storage_v1_key_material_storage_proto_goTypes = []any{ - (*KeyMaterial)(nil), // 0: plugin.key_material_storage.v1.KeyMaterial - (*StoreRequest)(nil), // 1: plugin.key_material_storage.v1.StoreRequest - (*StoreResponse)(nil), // 2: plugin.key_material_storage.v1.StoreResponse - (*LoadRequest)(nil), // 3: plugin.key_material_storage.v1.LoadRequest - (*LoadResponse)(nil), // 4: plugin.key_material_storage.v1.LoadResponse - (*ListIDsRequest)(nil), // 5: plugin.key_material_storage.v1.ListIDsRequest - (*Filter)(nil), // 6: plugin.key_material_storage.v1.Filter - (*ListIDsResponse)(nil), // 7: plugin.key_material_storage.v1.ListIDsResponse + (*KeyMaterial)(nil), // 0: plugin.key_material_storage.v1.KeyMaterial + (*StoreRequest)(nil), // 1: plugin.key_material_storage.v1.StoreRequest + (*StoreResponse)(nil), // 2: plugin.key_material_storage.v1.StoreResponse + (*LoadRequest)(nil), // 3: plugin.key_material_storage.v1.LoadRequest + (*LoadResponse)(nil), // 4: plugin.key_material_storage.v1.LoadResponse + (*ListIDsRequest)(nil), // 5: plugin.key_material_storage.v1.ListIDsRequest + (*Filter)(nil), // 6: plugin.key_material_storage.v1.Filter + (*ListIDsResponse)(nil), // 7: plugin.key_material_storage.v1.ListIDsResponse + nil, // 8: plugin.key_material_storage.v1.KeyMaterial.TagsEntry + (*timestamppb.Timestamp)(nil), // 9: google.protobuf.Timestamp } var file_plugin_key_material_storage_v1_key_material_storage_proto_depIdxs = []int32{ - 0, // 0: plugin.key_material_storage.v1.StoreRequest.key_material:type_name -> 
plugin.key_material_storage.v1.KeyMaterial - 0, // 1: plugin.key_material_storage.v1.LoadResponse.key_material:type_name -> plugin.key_material_storage.v1.KeyMaterial - 6, // 2: plugin.key_material_storage.v1.ListIDsRequest.filter:type_name -> plugin.key_material_storage.v1.Filter - 1, // 3: plugin.key_material_storage.v1.KeyMaterialStorage.Store:input_type -> plugin.key_material_storage.v1.StoreRequest - 3, // 4: plugin.key_material_storage.v1.KeyMaterialStorage.Load:input_type -> plugin.key_material_storage.v1.LoadRequest - 5, // 5: plugin.key_material_storage.v1.KeyMaterialStorage.ListIDs:input_type -> plugin.key_material_storage.v1.ListIDsRequest - 2, // 6: plugin.key_material_storage.v1.KeyMaterialStorage.Store:output_type -> plugin.key_material_storage.v1.StoreResponse - 4, // 7: plugin.key_material_storage.v1.KeyMaterialStorage.Load:output_type -> plugin.key_material_storage.v1.LoadResponse - 7, // 8: plugin.key_material_storage.v1.KeyMaterialStorage.ListIDs:output_type -> plugin.key_material_storage.v1.ListIDsResponse - 6, // [6:9] is the sub-list for method output_type - 3, // [3:6] is the sub-list for method input_type - 3, // [3:3] is the sub-list for extension type_name - 3, // [3:3] is the sub-list for extension extendee - 0, // [0:3] is the sub-list for field type_name + 9, // 0: plugin.key_material_storage.v1.KeyMaterial.created_at:type_name -> google.protobuf.Timestamp + 8, // 1: plugin.key_material_storage.v1.KeyMaterial.tags:type_name -> plugin.key_material_storage.v1.KeyMaterial.TagsEntry + 0, // 2: plugin.key_material_storage.v1.StoreRequest.key_material:type_name -> plugin.key_material_storage.v1.KeyMaterial + 0, // 3: plugin.key_material_storage.v1.LoadResponse.key_material:type_name -> plugin.key_material_storage.v1.KeyMaterial + 6, // 4: plugin.key_material_storage.v1.ListIDsRequest.filter:type_name -> plugin.key_material_storage.v1.Filter + 1, // 5: plugin.key_material_storage.v1.KeyMaterialStorage.Store:input_type -> 
plugin.key_material_storage.v1.StoreRequest + 3, // 6: plugin.key_material_storage.v1.KeyMaterialStorage.Load:input_type -> plugin.key_material_storage.v1.LoadRequest + 5, // 7: plugin.key_material_storage.v1.KeyMaterialStorage.ListIDs:input_type -> plugin.key_material_storage.v1.ListIDsRequest + 2, // 8: plugin.key_material_storage.v1.KeyMaterialStorage.Store:output_type -> plugin.key_material_storage.v1.StoreResponse + 4, // 9: plugin.key_material_storage.v1.KeyMaterialStorage.Load:output_type -> plugin.key_material_storage.v1.LoadResponse + 7, // 10: plugin.key_material_storage.v1.KeyMaterialStorage.ListIDs:output_type -> plugin.key_material_storage.v1.ListIDsResponse + 8, // [8:11] is the sub-list for method output_type + 5, // [5:8] is the sub-list for method input_type + 5, // [5:5] is the sub-list for extension type_name + 5, // [5:5] is the sub-list for extension extendee + 0, // [0:5] is the sub-list for field type_name } func init() { file_plugin_key_material_storage_v1_key_material_storage_proto_init() } @@ -554,7 +592,7 @@ func file_plugin_key_material_storage_v1_key_material_storage_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc), len(file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc)), NumEnums: 0, - NumMessages: 8, + NumMessages: 9, NumExtensions: 0, NumServices: 1, }, diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go b/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go index 8e0a10d..d0b2702 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go 
@@ -63,10 +63,49 @@ func (m *KeyMaterial) validate(all bool) error { // no validation rules for Algorithm + // no validation rules for Tags + if m.PreviousVersionId != nil { // no validation rules for PreviousVersionId } + if m.Checksum != nil { + // no validation rules for Checksum + } + + if m.CreatedAt != nil { + + if all { + switch v := interface{}(m.GetCreatedAt()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyMaterialValidationError{ + field: "CreatedAt", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyMaterialValidationError{ + field: "CreatedAt", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetCreatedAt()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyMaterialValidationError{ + field: "CreatedAt", + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + if len(errors) > 0 { return KeyMaterialMultiError(errors) } diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.proto b/proto/plugin/key_material_storage/v1/key_material_storage.proto index decf174..f612a1d 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.proto +++ b/proto/plugin/key_material_storage/v1/key_material_storage.proto @@ -3,6 +3,7 @@ syntax = "proto3"; package plugin.key_material_storage.v1; import "buf/validate/validate.proto"; +import "google/protobuf/timestamp.proto"; // KeyMaterialStorage defines the universal interface for persisting and // retrieving opaque blobs of data, typically wrapped key material. 
@@ -44,6 +45,12 @@ message KeyMaterial { ]; optional string previous_version_id = 4; + + optional string checksum = 5; + + optional google.protobuf.Timestamp created_at = 6; + + map tags = 100; } // --- Store RPC Messages --- From d3d3204a5c9a04cca3d626e90813995ddc389ce3 Mon Sep 17 00:00:00 2001 From: Nicolae Nicora Date: Sat, 14 Mar 2026 02:18:27 +0100 Subject: [PATCH 13/19] modify --- .../v1/key_material_storage.pb.go | 644 +++++++++---- .../v1/key_material_storage.pb.validate.go | 845 +++++++++++++++--- .../v1/key_material_storage.proto | 140 ++- .../v1/key_material_storage_grpc.pb.go | 50 +- 4 files changed, 1283 insertions(+), 396 deletions(-) diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go index b6a4efe..d57aa1a 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go 
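Review bot: The new `checksum` field in the `message KeyMaterial` hunk of key_material_storage.proto has neither a comment nor a validation rule, so nothing fixes the digest algorithm, the encoding, or which bytes it covers; the generated validator in the same patch confirms "no validation rules for Checksum" and "no validation rules for Tags". Since the value travels with `data` through the storage plugin, it can presumably catch accidental corruption but not substitution by the backend, and the contract should say so and name who verifies it on Load. I would document it as `// OPTIONAL: <algorithm>/<encoding> digest of data; integrity hint only, not authentication.` and constrain it like the existing fields, e.g. `optional string checksum = 5 [(buf.validate.field).string.min_len = 1];`. `tags` is an unbounded caller-supplied map and would benefit from a `(buf.validate.field).map.max_pairs` limit plus a comment that tags must not carry secret material. The message body starts outside this hunk, so the existing field comments are not visible here.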
@@ -25,22 +25,15 @@ const ( ) // KeyMaterial represents a single unit of stored data. -// It is intentionally generic and algorithm-agnostic. type KeyMaterial struct { - state protoimpl.MessageState `protogen:"open.v1"` - // REQUIRED: The unique identifier for this item. - // e.g., "L2/01H8XGJWBWBAQ9Z7J6C6XJ6C6X" - Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` - // REQUIRED: The opaque data blob. - // This typically contains the encrypted/wrapped key material. - Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` - // REQUIRED: The name of algorithm - // This typically contains the encrypted/wrapped key material. + state protoimpl.MessageState `protogen:"open.v1"` + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` + Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` Algorithm string `protobuf:"bytes,3,opt,name=algorithm,proto3" json:"algorithm,omitempty"` PreviousVersionId *string `protobuf:"bytes,4,opt,name=previous_version_id,json=previousVersionId,proto3,oneof" json:"previous_version_id,omitempty"` Checksum *string `protobuf:"bytes,5,opt,name=checksum,proto3,oneof" json:"checksum,omitempty"` - CreatedAt *timestamppb.Timestamp `protobuf:"bytes,6,opt,name=created_at,json=createdAt,proto3,oneof" json:"created_at,omitempty"` - Tags map[string]string `protobuf:"bytes,100,rep,name=tags,proto3" json:"tags,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + CreatedAt *timestamppb.Timestamp `protobuf:"bytes,6,opt,name=created_at,json=createdAt,proto3" json:"created_at,omitempty"` + Tags map[string]string `protobuf:"bytes,7,rep,name=tags,proto3" json:"tags,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } 
@@ -124,20 +117,209 @@ func (x *KeyMaterial) GetTags() map[string]string { return nil } -type StoreRequest struct { +type Filter struct { state protoimpl.MessageState `protogen:"open.v1"` - // REQUIRED: The namespace for this key material. This provides isolation - // and can be mapped to a tenant, project, or customer ID. - Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` - // REQUIRED: The item to be stored. - KeyMaterial *KeyMaterial `protobuf:"bytes,2,opt,name=key_material,json=keyMaterial,proto3" json:"key_material,omitempty"` + Id *Filter_StringMatch `protobuf:"bytes,1,opt,name=id,proto3,oneof" json:"id,omitempty"` + // Filter by cryptographic algorithm (e.g., "AES-256-GCM"). + Algorithm *string `protobuf:"bytes,2,opt,name=algorithm,proto3,oneof" json:"algorithm,omitempty"` + // Filter by metadata tags (e.g., {"env": "prod"}). + // Match is typically performed as "contains all". + Tags map[string]string `protobuf:"bytes,3,rep,name=tags,proto3" json:"tags,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + CreatedAt *Filter_TimeRange `protobuf:"bytes,4,opt,name=created_at,json=createdAt,proto3,oneof" json:"created_at,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *Filter) Reset() { + *x = Filter{} + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *Filter) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Filter) ProtoMessage() {} + +func (x *Filter) ProtoReflect() protoreflect.Message { + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use 
Filter.ProtoReflect.Descriptor instead. +func (*Filter) Descriptor() ([]byte, []int) { + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{1} +} + +func (x *Filter) GetId() *Filter_StringMatch { + if x != nil { + return x.Id + } + return nil +} + +func (x *Filter) GetAlgorithm() string { + if x != nil && x.Algorithm != nil { + return *x.Algorithm + } + return "" +} + +func (x *Filter) GetTags() map[string]string { + if x != nil { + return x.Tags + } + return nil +} + +func (x *Filter) GetCreatedAt() *Filter_TimeRange { + if x != nil { + return x.CreatedAt + } + return nil +} + +type ListIDsRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` + Filter *Filter `protobuf:"bytes,2,opt,name=filter,proto3,oneof" json:"filter,omitempty"` + // Pagination support + PageSize uint32 `protobuf:"varint,3,opt,name=page_size,json=pageSize,proto3" json:"page_size,omitempty"` + PageToken string `protobuf:"bytes,4,opt,name=page_token,json=pageToken,proto3" json:"page_token,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ListIDsRequest) Reset() { + *x = ListIDsRequest{} + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ListIDsRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListIDsRequest) ProtoMessage() {} + +func (x *ListIDsRequest) ProtoReflect() protoreflect.Message { + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListIDsRequest.ProtoReflect.Descriptor instead. 
+func (*ListIDsRequest) Descriptor() ([]byte, []int) { + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{2} +} + +func (x *ListIDsRequest) GetNamespace() string { + if x != nil { + return x.Namespace + } + return "" +} + +func (x *ListIDsRequest) GetFilter() *Filter { + if x != nil { + return x.Filter + } + return nil +} + +func (x *ListIDsRequest) GetPageSize() uint32 { + if x != nil { + return x.PageSize + } + return 0 +} + +func (x *ListIDsRequest) GetPageToken() string { + if x != nil { + return x.PageToken + } + return "" +} + +type ListIDsResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + Ids []string `protobuf:"bytes,1,rep,name=ids,proto3" json:"ids,omitempty"` + NextPageToken string `protobuf:"bytes,2,opt,name=next_page_token,json=nextPageToken,proto3" json:"next_page_token,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ListIDsResponse) Reset() { + *x = ListIDsResponse{} + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ListIDsResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListIDsResponse) ProtoMessage() {} + +func (x *ListIDsResponse) ProtoReflect() protoreflect.Message { + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListIDsResponse.ProtoReflect.Descriptor instead. 
+func (*ListIDsResponse) Descriptor() ([]byte, []int) { + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{3} +} + +func (x *ListIDsResponse) GetIds() []string { + if x != nil { + return x.Ids + } + return nil +} + +func (x *ListIDsResponse) GetNextPageToken() string { + if x != nil { + return x.NextPageToken + } + return "" +} + +type StoreRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` + KeyMaterial *KeyMaterial `protobuf:"bytes,2,opt,name=key_material,json=keyMaterial,proto3" json:"key_material,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } func (x *StoreRequest) Reset() { *x = StoreRequest{} - mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[1] + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -149,7 +331,7 @@ func (x *StoreRequest) String() string { func (*StoreRequest) ProtoMessage() {} func (x *StoreRequest) ProtoReflect() protoreflect.Message { - mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[1] + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[4] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -162,7 +344,7 @@ func (x *StoreRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use StoreRequest.ProtoReflect.Descriptor instead. func (*StoreRequest) Descriptor() ([]byte, []int) { - return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{1} + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{4} } func (x *StoreRequest) GetNamespace() string { 
@@ -187,7 +369,7 @@ type StoreResponse struct { func (x *StoreResponse) Reset() { *x = StoreResponse{} - mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[2] + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -199,7 +381,7 @@ func (x *StoreResponse) String() string { func (*StoreResponse) ProtoMessage() {} func (x *StoreResponse) ProtoReflect() protoreflect.Message { - mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[2] + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[5] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -212,22 +394,20 @@ func (x *StoreResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use StoreResponse.ProtoReflect.Descriptor instead. func (*StoreResponse) Descriptor() ([]byte, []int) { - return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{2} + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{5} } type LoadRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - // REQUIRED: The namespace for the item. - Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` - // REQUIRED: The unique ID of the item to retrieve. - Id string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"` + state protoimpl.MessageState `protogen:"open.v1"` + Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` + Id string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } func (x *LoadRequest) Reset() { *x = LoadRequest{} - mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[3] + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -239,7 +419,7 @@ func (x *LoadRequest) String() string { func (*LoadRequest) ProtoMessage() {} func (x *LoadRequest) ProtoReflect() protoreflect.Message { - mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[3] + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[6] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -252,7 +432,7 @@ func (x *LoadRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use LoadRequest.ProtoReflect.Descriptor instead. func (*LoadRequest) Descriptor() ([]byte, []int) { - return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{3} + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{6} } func (x *LoadRequest) GetNamespace() string { @@ -270,17 +450,15 @@ func (x *LoadRequest) GetId() string { } type LoadResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - // The retrieved key material. - // If the key is not found, the RPC will return a `NOT_FOUND` gRPC error. - KeyMaterial *KeyMaterial `protobuf:"bytes,1,opt,name=key_material,json=keyMaterial,proto3" json:"key_material,omitempty"` + state protoimpl.MessageState `protogen:"open.v1"` + KeyMaterial *KeyMaterial `protobuf:"bytes,1,opt,name=key_material,json=keyMaterial,proto3" json:"key_material,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } func (x *LoadResponse) Reset() { *x = LoadResponse{} - mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[4] + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[7] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -292,7 +470,7 @@ func (x *LoadResponse) String() string { func (*LoadResponse) ProtoMessage() {} func (x *LoadResponse) ProtoReflect() protoreflect.Message { - mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[4] + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[7] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -305,7 +483,7 @@ func (x *LoadResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use LoadResponse.ProtoReflect.Descriptor instead. func (*LoadResponse) Descriptor() ([]byte, []int) { - return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{4} + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{7} } func (x *LoadResponse) GetKeyMaterial() *KeyMaterial { 
@@ -315,32 +493,29 @@ func (x *LoadResponse) GetKeyMaterial() *KeyMaterial { return nil } -type ListIDsRequest struct { - state protoimpl.MessageState `protogen:"open.v1"` - // REQUIRED: The namespace to search in. - Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` - // OPTIONAL: Filter criteria for listing IDs. - // If not provided, all IDs in the namespace are returned. - Filter *Filter `protobuf:"bytes,2,opt,name=filter,proto3,oneof" json:"filter,omitempty"` +type DeleteRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` + Id string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } -func (x *ListIDsRequest) Reset() { - *x = ListIDsRequest{} - mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[5] +func (x *DeleteRequest) Reset() { + *x = DeleteRequest{} + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } -func (x *ListIDsRequest) String() string { +func (x *DeleteRequest) String() string { return protoimpl.X.MessageStringOf(x) } -func (*ListIDsRequest) ProtoMessage() {} +func (*DeleteRequest) ProtoMessage() {} -func (x *ListIDsRequest) ProtoReflect() protoreflect.Message { - mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[5] +func (x *DeleteRequest) ProtoReflect() protoreflect.Message { + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[8] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -351,52 +526,90 @@ func (x *ListIDsRequest) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use ListIDsRequest.ProtoReflect.Descriptor instead. -func (*ListIDsRequest) Descriptor() ([]byte, []int) { - return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{5} +// Deprecated: Use DeleteRequest.ProtoReflect.Descriptor instead. +func (*DeleteRequest) Descriptor() ([]byte, []int) { + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{8} } -func (x *ListIDsRequest) GetNamespace() string { +func (x *DeleteRequest) GetNamespace() string { if x != nil { return x.Namespace } return "" } -func (x *ListIDsRequest) GetFilter() *Filter { +func (x *DeleteRequest) GetId() string { if x != nil { - return x.Filter + return x.Id } - return nil + return "" } -type Filter struct { +type DeleteResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *DeleteResponse) Reset() { + *x = DeleteResponse{} + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *DeleteResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DeleteResponse) ProtoMessage() {} + +func (x *DeleteResponse) ProtoReflect() protoreflect.Message { + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[9] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DeleteResponse.ProtoReflect.Descriptor instead. 
+func (*DeleteResponse) Descriptor() ([]byte, []int) { + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{9} +} + +// Pattern-based matching for the primary Key ID. +type Filter_StringMatch struct { state protoimpl.MessageState `protogen:"open.v1"` - // OPTIONAL: Filter IDs that start with this string. - Prefix *string `protobuf:"bytes,1,opt,name=prefix,proto3,oneof" json:"prefix,omitempty"` - // OPTIONAL: Filter IDs that end with this string. - Suffix *string `protobuf:"bytes,2,opt,name=suffix,proto3,oneof" json:"suffix,omitempty"` - // OPTIONAL: Filter IDs that contain this string. - Contains *string `protobuf:"bytes,3,opt,name=contains,proto3,oneof" json:"contains,omitempty"` + // Types that are valid to be assigned to Type: + // + // *Filter_StringMatch_Prefix + // *Filter_StringMatch_Suffix + // *Filter_StringMatch_Contains + // *Filter_StringMatch_Exact + Type isFilter_StringMatch_Type `protobuf_oneof:"type"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } -func (x *Filter) Reset() { - *x = Filter{} - mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[6] +func (x *Filter_StringMatch) Reset() { + *x = Filter_StringMatch{} + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[11] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } -func (x *Filter) String() string { +func (x *Filter_StringMatch) String() string { return protoimpl.X.MessageStringOf(x) } -func (*Filter) ProtoMessage() {} +func (*Filter_StringMatch) ProtoMessage() {} -func (x *Filter) ProtoReflect() protoreflect.Message { - mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[6] +func (x *Filter_StringMatch) ProtoReflect() protoreflect.Message { + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[11] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil 
{ 
@@ -407,56 +620,106 @@ func (x *Filter) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use Filter.ProtoReflect.Descriptor instead. -func (*Filter) Descriptor() ([]byte, []int) { - return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{6} +// Deprecated: Use Filter_StringMatch.ProtoReflect.Descriptor instead. +func (*Filter_StringMatch) Descriptor() ([]byte, []int) { + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{1, 0} } -func (x *Filter) GetPrefix() string { - if x != nil && x.Prefix != nil { - return *x.Prefix +func (x *Filter_StringMatch) GetType() isFilter_StringMatch_Type { + if x != nil { + return x.Type + } + return nil +} + +func (x *Filter_StringMatch) GetPrefix() string { + if x != nil { + if x, ok := x.Type.(*Filter_StringMatch_Prefix); ok { + return x.Prefix + } } return "" } -func (x *Filter) GetSuffix() string { - if x != nil && x.Suffix != nil { - return *x.Suffix +func (x *Filter_StringMatch) GetSuffix() string { + if x != nil { + if x, ok := x.Type.(*Filter_StringMatch_Suffix); ok { + return x.Suffix + } } return "" } -func (x *Filter) GetContains() string { - if x != nil && x.Contains != nil { - return *x.Contains +func (x *Filter_StringMatch) GetContains() string { + if x != nil { + if x, ok := x.Type.(*Filter_StringMatch_Contains); ok { + return x.Contains + } } return "" } -type ListIDsResponse struct { - state protoimpl.MessageState `protogen:"open.v1"` - // A list of key material IDs that match the request criteria. - // The server may stream multiple responses, each containing a batch of IDs. 
- Ids []string `protobuf:"bytes,1,rep,name=ids,proto3" json:"ids,omitempty"` +func (x *Filter_StringMatch) GetExact() string { + if x != nil { + if x, ok := x.Type.(*Filter_StringMatch_Exact); ok { + return x.Exact + } + } + return "" +} + +type isFilter_StringMatch_Type interface { + isFilter_StringMatch_Type() +} + +type Filter_StringMatch_Prefix struct { + Prefix string `protobuf:"bytes,1,opt,name=prefix,proto3,oneof"` +} + +type Filter_StringMatch_Suffix struct { + Suffix string `protobuf:"bytes,2,opt,name=suffix,proto3,oneof"` +} + +type Filter_StringMatch_Contains struct { + Contains string `protobuf:"bytes,3,opt,name=contains,proto3,oneof"` +} + +type Filter_StringMatch_Exact struct { + Exact string `protobuf:"bytes,4,opt,name=exact,proto3,oneof"` +} + +func (*Filter_StringMatch_Prefix) isFilter_StringMatch_Type() {} + +func (*Filter_StringMatch_Suffix) isFilter_StringMatch_Type() {} + +func (*Filter_StringMatch_Contains) isFilter_StringMatch_Type() {} + +func (*Filter_StringMatch_Exact) isFilter_StringMatch_Type() {} + +// Filter by the time the key was created. 
+type Filter_TimeRange struct { + state protoimpl.MessageState `protogen:"open.v1"` + From *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=from,proto3" json:"from,omitempty"` + To *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=to,proto3" json:"to,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } -func (x *ListIDsResponse) Reset() { - *x = ListIDsResponse{} - mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[7] +func (x *Filter_TimeRange) Reset() { + *x = Filter_TimeRange{} + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[13] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } -func (x *ListIDsResponse) String() string { +func (x *Filter_TimeRange) String() string { return protoimpl.X.MessageStringOf(x) } -func (*ListIDsResponse) ProtoMessage() {} +func (*Filter_TimeRange) ProtoMessage() {} -func (x *ListIDsResponse) ProtoReflect() protoreflect.Message { - mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[7] +func (x *Filter_TimeRange) ProtoReflect() protoreflect.Message { + mi := &file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[13] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -467,14 +730,21 @@ func (x *ListIDsResponse) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use ListIDsResponse.ProtoReflect.Descriptor instead. -func (*ListIDsResponse) Descriptor() ([]byte, []int) { - return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{7} +// Deprecated: Use Filter_TimeRange.ProtoReflect.Descriptor instead. +func (*Filter_TimeRange) Descriptor() ([]byte, []int) { + return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP(), []int{1, 2} } -func (x *ListIDsResponse) GetIds() []string { +func (x *Filter_TimeRange) GetFrom() *timestamppb.Timestamp { if x != nil { - return x.Ids + return x.From + } + return nil +} + +func (x *Filter_TimeRange) GetTo() *timestamppb.Timestamp { + if x != nil { + return x.To } return nil } 
@@ -483,54 +753,70 @@ var File_plugin_key_material_storage_v1_key_material_storage_proto protoreflect. const file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc = "" + "\n" + - "9plugin/key_material_storage/v1/key_material_storage.proto\x12\x1eplugin.key_material_storage.v1\x1a\x1bbuf/validate/validate.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xc1\x03\n" + - "\vKeyMaterial\x12\x1a\n" + - "\x02id\x18\x01 \x01(\tB\n" + - "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\x02id\x12\x1e\n" + - "\x04data\x18\x02 \x01(\fB\n" + - "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\x04data\x12(\n" + - "\talgorithm\x18\x03 \x01(\tB\n" + - "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\talgorithm\x123\n" + + "9plugin/key_material_storage/v1/key_material_storage.proto\x12\x1eplugin.key_material_storage.v1\x1a\x1bbuf/validate/validate.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xa4\x03\n" + + "\vKeyMaterial\x12\x17\n" + + "\x02id\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x02id\x12\x1b\n" + + "\x04data\x18\x02 \x01(\fB\a\xbaH\x04z\x02\x10\x01R\x04data\x12%\n" + + "\talgorithm\x18\x03 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\talgorithm\x123\n" + "\x13previous_version_id\x18\x04 \x01(\tH\x00R\x11previousVersionId\x88\x01\x01\x12\x1f\n" + - "\bchecksum\x18\x05 \x01(\tH\x01R\bchecksum\x88\x01\x01\x12>\n" + + "\bchecksum\x18\x05 \x01(\tH\x01R\bchecksum\x88\x01\x01\x129\n" + "\n" + - "created_at\x18\x06 \x01(\v2\x1a.google.protobuf.TimestampH\x02R\tcreatedAt\x88\x01\x01\x12I\n" + - "\x04tags\x18d \x03(\v25.plugin.key_material_storage.v1.KeyMaterial.TagsEntryR\x04tags\x1a7\n" + + "created_at\x18\x06 \x01(\v2\x1a.google.protobuf.TimestampR\tcreatedAt\x12I\n" + + "\x04tags\x18\a \x03(\v25.plugin.key_material_storage.v1.KeyMaterial.TagsEntryR\x04tags\x1a7\n" + "\tTagsEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x16\n" + "\x14_previous_version_idB\v\n" + - "\t_checksumB\r\n" + - "\v_created_at\"\x90\x01\n" + - "\fStoreRequest\x12(\n" + - 
"\tnamespace\x18\x01 \x01(\tB\n" + - "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\tnamespace\x12V\n" + + "\t_checksum\"\xd7\x04\n" + + "\x06Filter\x12G\n" + + "\x02id\x18\x01 \x01(\v22.plugin.key_material_storage.v1.Filter.StringMatchH\x00R\x02id\x88\x01\x01\x12!\n" + + "\talgorithm\x18\x02 \x01(\tH\x01R\talgorithm\x88\x01\x01\x12D\n" + + "\x04tags\x18\x03 \x03(\v20.plugin.key_material_storage.v1.Filter.TagsEntryR\x04tags\x12T\n" + + "\n" + + "created_at\x18\x04 \x01(\v20.plugin.key_material_storage.v1.Filter.TimeRangeH\x02R\tcreatedAt\x88\x01\x01\x1a\x7f\n" + + "\vStringMatch\x12\x18\n" + + "\x06prefix\x18\x01 \x01(\tH\x00R\x06prefix\x12\x18\n" + + "\x06suffix\x18\x02 \x01(\tH\x00R\x06suffix\x12\x1c\n" + + "\bcontains\x18\x03 \x01(\tH\x00R\bcontains\x12\x16\n" + + "\x05exact\x18\x04 \x01(\tH\x00R\x05exactB\x06\n" + + "\x04type\x1a7\n" + + "\tTagsEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\x1ag\n" + + "\tTimeRange\x12.\n" + + "\x04from\x18\x01 \x01(\v2\x1a.google.protobuf.TimestampR\x04from\x12*\n" + + "\x02to\x18\x02 \x01(\v2\x1a.google.protobuf.TimestampR\x02toB\x05\n" + + "\x03_idB\f\n" + + "\n" + + "_algorithmB\r\n" + + "\v_created_at\"\xc3\x01\n" + + "\x0eListIDsRequest\x12%\n" + + "\tnamespace\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12C\n" + + "\x06filter\x18\x02 \x01(\v2&.plugin.key_material_storage.v1.FilterH\x00R\x06filter\x88\x01\x01\x12\x1b\n" + + "\tpage_size\x18\x03 \x01(\rR\bpageSize\x12\x1d\n" + + "\n" + + "page_token\x18\x04 \x01(\tR\tpageTokenB\t\n" + + "\a_filter\"K\n" + + "\x0fListIDsResponse\x12\x10\n" + + "\x03ids\x18\x01 \x03(\tR\x03ids\x12&\n" + + "\x0fnext_page_token\x18\x02 \x01(\tR\rnextPageToken\"\x8d\x01\n" + + "\fStoreRequest\x12%\n" + + "\tnamespace\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12V\n" + "\fkey_material\x18\x02 \x01(\v2+.plugin.key_material_storage.v1.KeyMaterialB\x06\xbaH\x03\xc8\x01\x01R\vkeyMaterial\"\x0f\n" + - "\rStoreResponse\"S\n" 
+ - "\vLoadRequest\x12(\n" + - "\tnamespace\x18\x01 \x01(\tB\n" + - "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\tnamespace\x12\x1a\n" + - "\x02id\x18\x02 \x01(\tB\n" + - "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\x02id\"^\n" + + "\rStoreResponse\"M\n" + + "\vLoadRequest\x12%\n" + + "\tnamespace\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12\x17\n" + + "\x02id\x18\x02 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x02id\"^\n" + "\fLoadResponse\x12N\n" + - "\fkey_material\x18\x01 \x01(\v2+.plugin.key_material_storage.v1.KeyMaterialR\vkeyMaterial\"\x8a\x01\n" + - "\x0eListIDsRequest\x12(\n" + - "\tnamespace\x18\x01 \x01(\tB\n" + - "\xbaH\a\xc8\x01\x01r\x02\x10\x01R\tnamespace\x12C\n" + - "\x06filter\x18\x02 \x01(\v2&.plugin.key_material_storage.v1.FilterH\x00R\x06filter\x88\x01\x01B\t\n" + - "\a_filter\"\x86\x01\n" + - "\x06Filter\x12\x1b\n" + - "\x06prefix\x18\x01 \x01(\tH\x00R\x06prefix\x88\x01\x01\x12\x1b\n" + - "\x06suffix\x18\x02 \x01(\tH\x01R\x06suffix\x88\x01\x01\x12\x1f\n" + - "\bcontains\x18\x03 \x01(\tH\x02R\bcontains\x88\x01\x01B\t\n" + - "\a_prefixB\t\n" + - "\a_suffixB\v\n" + - "\t_contains\"#\n" + - "\x0fListIDsResponse\x12\x10\n" + - "\x03ids\x18\x01 \x03(\tR\x03ids2\xcb\x02\n" + + "\fkey_material\x18\x01 \x01(\v2+.plugin.key_material_storage.v1.KeyMaterialR\vkeyMaterial\"O\n" + + "\rDeleteRequest\x12%\n" + + "\tnamespace\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12\x17\n" + + "\x02id\x18\x02 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x02id\"\x10\n" + + "\x0eDeleteResponse2\xb4\x03\n" + "\x12KeyMaterialStorage\x12d\n" + "\x05Store\x12,.plugin.key_material_storage.v1.StoreRequest\x1a-.plugin.key_material_storage.v1.StoreResponse\x12a\n" + - "\x04Load\x12+.plugin.key_material_storage.v1.LoadRequest\x1a,.plugin.key_material_storage.v1.LoadResponse\x12l\n" + + "\x04Load\x12+.plugin.key_material_storage.v1.LoadRequest\x1a,.plugin.key_material_storage.v1.LoadResponse\x12g\n" + + 
"\x06Delete\x12-.plugin.key_material_storage.v1.DeleteRequest\x1a..plugin.key_material_storage.v1.DeleteResponse\x12l\n" + "\aListIDs\x12..plugin.key_material_storage.v1.ListIDsRequest\x1a/.plugin.key_material_storage.v1.ListIDsResponse0\x01B\xaa\x02\n" + "\"com.plugin.key_material_storage.v1B\x17KeyMaterialStorageProtoP\x01ZYgithub.com/openkcm/plugin-sdk/proto/plugin/key_material_storage/v1;key_material_storagev1\xa2\x02\x03PKX\xaa\x02\x1cPlugin.KeyMaterialStorage.V1\xca\x02\x1cPlugin\\KeyMaterialStorage\\V1\xe2\x02(Plugin\\KeyMaterialStorage\\V1\\GPBMetadata\xea\x02\x1ePlugin::KeyMaterialStorage::V1b\x06proto3" 
@@ -546,36 +832,48 @@ func file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP( return file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescData } -var file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes = make([]protoimpl.MessageInfo, 9) +var file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes = make([]protoimpl.MessageInfo, 14) var file_plugin_key_material_storage_v1_key_material_storage_proto_goTypes = []any{ (*KeyMaterial)(nil), // 0: plugin.key_material_storage.v1.KeyMaterial - (*StoreRequest)(nil), // 1: plugin.key_material_storage.v1.StoreRequest - (*StoreResponse)(nil), // 2: plugin.key_material_storage.v1.StoreResponse - (*LoadRequest)(nil), // 3: plugin.key_material_storage.v1.LoadRequest - (*LoadResponse)(nil), // 4: plugin.key_material_storage.v1.LoadResponse - (*ListIDsRequest)(nil), // 5: plugin.key_material_storage.v1.ListIDsRequest - (*Filter)(nil), // 6: plugin.key_material_storage.v1.Filter - (*ListIDsResponse)(nil), // 7: plugin.key_material_storage.v1.ListIDsResponse - nil, // 8: plugin.key_material_storage.v1.KeyMaterial.TagsEntry - (*timestamppb.Timestamp)(nil), // 9: google.protobuf.Timestamp + (*Filter)(nil), // 1: plugin.key_material_storage.v1.Filter + (*ListIDsRequest)(nil), // 2: plugin.key_material_storage.v1.ListIDsRequest + (*ListIDsResponse)(nil), // 3: plugin.key_material_storage.v1.ListIDsResponse + (*StoreRequest)(nil), // 4: plugin.key_material_storage.v1.StoreRequest + (*StoreResponse)(nil), // 5: plugin.key_material_storage.v1.StoreResponse + (*LoadRequest)(nil), // 6: plugin.key_material_storage.v1.LoadRequest + (*LoadResponse)(nil), // 7: plugin.key_material_storage.v1.LoadResponse + (*DeleteRequest)(nil), // 8: plugin.key_material_storage.v1.DeleteRequest + (*DeleteResponse)(nil), // 9: plugin.key_material_storage.v1.DeleteResponse + nil, // 10: plugin.key_material_storage.v1.KeyMaterial.TagsEntry + (*Filter_StringMatch)(nil), // 11: 
plugin.key_material_storage.v1.Filter.StringMatch + nil, // 12: plugin.key_material_storage.v1.Filter.TagsEntry + (*Filter_TimeRange)(nil), // 13: plugin.key_material_storage.v1.Filter.TimeRange + (*timestamppb.Timestamp)(nil), // 14: google.protobuf.Timestamp } var file_plugin_key_material_storage_v1_key_material_storage_proto_depIdxs = []int32{ - 9, // 0: plugin.key_material_storage.v1.KeyMaterial.created_at:type_name -> google.protobuf.Timestamp - 8, // 1: plugin.key_material_storage.v1.KeyMaterial.tags:type_name -> plugin.key_material_storage.v1.KeyMaterial.TagsEntry - 0, // 2: plugin.key_material_storage.v1.StoreRequest.key_material:type_name -> plugin.key_material_storage.v1.KeyMaterial - 0, // 3: plugin.key_material_storage.v1.LoadResponse.key_material:type_name -> plugin.key_material_storage.v1.KeyMaterial - 6, // 4: plugin.key_material_storage.v1.ListIDsRequest.filter:type_name -> plugin.key_material_storage.v1.Filter - 1, // 5: plugin.key_material_storage.v1.KeyMaterialStorage.Store:input_type -> plugin.key_material_storage.v1.StoreRequest - 3, // 6: plugin.key_material_storage.v1.KeyMaterialStorage.Load:input_type -> plugin.key_material_storage.v1.LoadRequest - 5, // 7: plugin.key_material_storage.v1.KeyMaterialStorage.ListIDs:input_type -> plugin.key_material_storage.v1.ListIDsRequest - 2, // 8: plugin.key_material_storage.v1.KeyMaterialStorage.Store:output_type -> plugin.key_material_storage.v1.StoreResponse - 4, // 9: plugin.key_material_storage.v1.KeyMaterialStorage.Load:output_type -> plugin.key_material_storage.v1.LoadResponse - 7, // 10: plugin.key_material_storage.v1.KeyMaterialStorage.ListIDs:output_type -> plugin.key_material_storage.v1.ListIDsResponse - 8, // [8:11] is the sub-list for method output_type - 5, // [5:8] is the sub-list for method input_type - 5, // [5:5] is the sub-list for extension type_name - 5, // [5:5] is the sub-list for extension extendee - 0, // [0:5] is the sub-list for field type_name + 14, // 0: 
plugin.key_material_storage.v1.KeyMaterial.created_at:type_name -> google.protobuf.Timestamp + 10, // 1: plugin.key_material_storage.v1.KeyMaterial.tags:type_name -> plugin.key_material_storage.v1.KeyMaterial.TagsEntry + 11, // 2: plugin.key_material_storage.v1.Filter.id:type_name -> plugin.key_material_storage.v1.Filter.StringMatch + 12, // 3: plugin.key_material_storage.v1.Filter.tags:type_name -> plugin.key_material_storage.v1.Filter.TagsEntry + 13, // 4: plugin.key_material_storage.v1.Filter.created_at:type_name -> plugin.key_material_storage.v1.Filter.TimeRange + 1, // 5: plugin.key_material_storage.v1.ListIDsRequest.filter:type_name -> plugin.key_material_storage.v1.Filter + 0, // 6: plugin.key_material_storage.v1.StoreRequest.key_material:type_name -> plugin.key_material_storage.v1.KeyMaterial + 0, // 7: plugin.key_material_storage.v1.LoadResponse.key_material:type_name -> plugin.key_material_storage.v1.KeyMaterial + 14, // 8: plugin.key_material_storage.v1.Filter.TimeRange.from:type_name -> google.protobuf.Timestamp + 14, // 9: plugin.key_material_storage.v1.Filter.TimeRange.to:type_name -> google.protobuf.Timestamp + 4, // 10: plugin.key_material_storage.v1.KeyMaterialStorage.Store:input_type -> plugin.key_material_storage.v1.StoreRequest + 6, // 11: plugin.key_material_storage.v1.KeyMaterialStorage.Load:input_type -> plugin.key_material_storage.v1.LoadRequest + 8, // 12: plugin.key_material_storage.v1.KeyMaterialStorage.Delete:input_type -> plugin.key_material_storage.v1.DeleteRequest + 2, // 13: plugin.key_material_storage.v1.KeyMaterialStorage.ListIDs:input_type -> plugin.key_material_storage.v1.ListIDsRequest + 5, // 14: plugin.key_material_storage.v1.KeyMaterialStorage.Store:output_type -> plugin.key_material_storage.v1.StoreResponse + 7, // 15: plugin.key_material_storage.v1.KeyMaterialStorage.Load:output_type -> plugin.key_material_storage.v1.LoadResponse + 9, // 16: plugin.key_material_storage.v1.KeyMaterialStorage.Delete:output_type -> 
plugin.key_material_storage.v1.DeleteResponse + 3, // 17: plugin.key_material_storage.v1.KeyMaterialStorage.ListIDs:output_type -> plugin.key_material_storage.v1.ListIDsResponse + 14, // [14:18] is the sub-list for method output_type + 10, // [10:14] is the sub-list for method input_type + 10, // [10:10] is the sub-list for extension type_name + 10, // [10:10] is the sub-list for extension extendee + 0, // [0:10] is the sub-list for field type_name } func init() { file_plugin_key_material_storage_v1_key_material_storage_proto_init() } @@ -584,15 +882,21 @@ func file_plugin_key_material_storage_v1_key_material_storage_proto_init() { return } file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[0].OneofWrappers = []any{} - file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[5].OneofWrappers = []any{} - file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[6].OneofWrappers = []any{} + file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[1].OneofWrappers = []any{} + file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[2].OneofWrappers = []any{} + file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes[11].OneofWrappers = []any{ + (*Filter_StringMatch_Prefix)(nil), + (*Filter_StringMatch_Suffix)(nil), + (*Filter_StringMatch_Contains)(nil), + (*Filter_StringMatch_Exact)(nil), + } type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc), len(file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc)), NumEnums: 0, - NumMessages: 9, + NumMessages: 14, NumExtensions: 0, NumServices: 1, }, 
diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go b/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go index d0b2702..40394cd 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage.pb.validate.go @@ -63,6 +63,35 @@ func (m *KeyMaterial) validate(all bool) error { // no validation rules for Algorithm + if all { + switch v := interface{}(m.GetCreatedAt()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyMaterialValidationError{ + field: "CreatedAt", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyMaterialValidationError{ + field: "CreatedAt", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetCreatedAt()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyMaterialValidationError{ + field: "CreatedAt", + reason: "embedded message failed validation", + cause: err, + } + } + } + // no validation rules for Tags if m.PreviousVersionId != nil { 
@@ -73,13 +102,150 @@ func (m *KeyMaterial) validate(all bool) error { // no validation rules for Checksum } + if len(errors) > 0 { + return KeyMaterialMultiError(errors) + } + + return nil +} + +// KeyMaterialMultiError is an error wrapping multiple validation errors +// returned by KeyMaterial.ValidateAll() if the designated constraints aren't met. +type KeyMaterialMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m KeyMaterialMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m KeyMaterialMultiError) AllErrors() []error { return m } + +// KeyMaterialValidationError is the validation error returned by +// KeyMaterial.Validate if the designated constraints aren't met. +type KeyMaterialValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e KeyMaterialValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e KeyMaterialValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e KeyMaterialValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e KeyMaterialValidationError) Key() bool { return e.key } + +// ErrorName returns error name. 
+func (e KeyMaterialValidationError) ErrorName() string { return "KeyMaterialValidationError" } + +// Error satisfies the builtin error interface +func (e KeyMaterialValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sKeyMaterial.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = KeyMaterialValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = KeyMaterialValidationError{} + +// Validate checks the field values on Filter with the rules defined in the +// proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *Filter) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on Filter with the rules defined in the +// proto definition for this message. If any rules are violated, the result is +// a list of violation errors wrapped in FilterMultiError, or nil if none found. 
+func (m *Filter) ValidateAll() error { + return m.validate(true) +} + +func (m *Filter) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for Tags + + if m.Id != nil { + + if all { + switch v := interface{}(m.GetId()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, FilterValidationError{ + field: "Id", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, FilterValidationError{ + field: "Id", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetId()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return FilterValidationError{ + field: "Id", + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + if m.Algorithm != nil { + // no validation rules for Algorithm + } + if m.CreatedAt != nil { if all { switch v := interface{}(m.GetCreatedAt()).(type) { case interface{ ValidateAll() error }: if err := v.ValidateAll(); err != nil { - errors = append(errors, KeyMaterialValidationError{ + errors = append(errors, FilterValidationError{ field: "CreatedAt", reason: "embedded message failed validation", cause: err, @@ -87,7 +253,7 @@ func (m *KeyMaterial) validate(all bool) error { } case interface{ Validate() error }: if err := v.Validate(); err != nil { - errors = append(errors, KeyMaterialValidationError{ + errors = append(errors, FilterValidationError{ field: "CreatedAt", reason: "embedded message failed validation", cause: err, 
@@ -96,7 +262,7 @@ func (m *KeyMaterial) validate(all bool) error { } } else if v, ok := interface{}(m.GetCreatedAt()).(interface{ Validate() error }); ok { if err := v.Validate(); err != nil { - return KeyMaterialValidationError{ + return FilterValidationError{ field: "CreatedAt", reason: "embedded message failed validation", cause: err, @@ -107,18 +273,18 @@ func (m *KeyMaterial) validate(all bool) error { } if len(errors) > 0 { - return KeyMaterialMultiError(errors) + return FilterMultiError(errors) } return nil } -// KeyMaterialMultiError is an error wrapping multiple validation errors -// returned by KeyMaterial.ValidateAll() if the designated constraints aren't met. -type KeyMaterialMultiError []error +// FilterMultiError is an error wrapping multiple validation errors returned by +// Filter.ValidateAll() if the designated constraints aren't met. +type FilterMultiError []error // Error returns a concatenation of all the error messages it wraps. -func (m KeyMaterialMultiError) Error() string { +func (m FilterMultiError) Error() string { msgs := make([]string, 0, len(m)) for _, err := range m { msgs = append(msgs, err.Error()) @@ -127,11 +293,11 @@ func (m KeyMaterialMultiError) Error() string { } // AllErrors returns a list of validation violation errors. -func (m KeyMaterialMultiError) AllErrors() []error { return m } +func (m FilterMultiError) AllErrors() []error { return m } -// KeyMaterialValidationError is the validation error returned by -// KeyMaterial.Validate if the designated constraints aren't met. -type KeyMaterialValidationError struct { +// FilterValidationError is the validation error returned by Filter.Validate if +// the designated constraints aren't met. +type FilterValidationError struct { field string reason string cause error 
@@ -139,22 +305,263 @@ type KeyMaterialValidationError struct { } // Field function returns field value. -func (e KeyMaterialValidationError) Field() string { return e.field } +func (e FilterValidationError) Field() string { return e.field } // Reason function returns reason value. -func (e KeyMaterialValidationError) Reason() string { return e.reason } +func (e FilterValidationError) Reason() string { return e.reason } // Cause function returns cause value. -func (e KeyMaterialValidationError) Cause() error { return e.cause } +func (e FilterValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e FilterValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e FilterValidationError) ErrorName() string { return "FilterValidationError" } + +// Error satisfies the builtin error interface +func (e FilterValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sFilter.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = FilterValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = FilterValidationError{} + +// Validate checks the field values on ListIDsRequest with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *ListIDsRequest) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on ListIDsRequest with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in ListIDsRequestMultiError, +// or nil if none found. 
+func (m *ListIDsRequest) ValidateAll() error { + return m.validate(true) +} + +func (m *ListIDsRequest) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for Namespace + + // no validation rules for PageSize + + // no validation rules for PageToken + + if m.Filter != nil { + + if all { + switch v := interface{}(m.GetFilter()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ListIDsRequestValidationError{ + field: "Filter", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ListIDsRequestValidationError{ + field: "Filter", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetFilter()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ListIDsRequestValidationError{ + field: "Filter", + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + if len(errors) > 0 { + return ListIDsRequestMultiError(errors) + } + + return nil +} + +// ListIDsRequestMultiError is an error wrapping multiple validation errors +// returned by ListIDsRequest.ValidateAll() if the designated constraints +// aren't met. +type ListIDsRequestMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m ListIDsRequestMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m ListIDsRequestMultiError) AllErrors() []error { return m } + +// ListIDsRequestValidationError is the validation error returned by +// ListIDsRequest.Validate if the designated constraints aren't met. 
+type ListIDsRequestValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e ListIDsRequestValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e ListIDsRequestValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e ListIDsRequestValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e ListIDsRequestValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e ListIDsRequestValidationError) ErrorName() string { return "ListIDsRequestValidationError" } + +// Error satisfies the builtin error interface +func (e ListIDsRequestValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sListIDsRequest.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = ListIDsRequestValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = ListIDsRequestValidationError{} + +// Validate checks the field values on ListIDsResponse with the rules defined +// in the proto definition for this message. If any rules are violated, the +// first error encountered is returned, or nil if there are no violations. +func (m *ListIDsResponse) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on ListIDsResponse with the rules +// defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// ListIDsResponseMultiError, or nil if none found. 
+func (m *ListIDsResponse) ValidateAll() error { + return m.validate(true) +} + +func (m *ListIDsResponse) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for NextPageToken + + if len(errors) > 0 { + return ListIDsResponseMultiError(errors) + } + + return nil +} + +// ListIDsResponseMultiError is an error wrapping multiple validation errors +// returned by ListIDsResponse.ValidateAll() if the designated constraints +// aren't met. +type ListIDsResponseMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m ListIDsResponseMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m ListIDsResponseMultiError) AllErrors() []error { return m } + +// ListIDsResponseValidationError is the validation error returned by +// ListIDsResponse.Validate if the designated constraints aren't met. +type ListIDsResponseValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e ListIDsResponseValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e ListIDsResponseValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e ListIDsResponseValidationError) Cause() error { return e.cause } // Key function returns key value. -func (e KeyMaterialValidationError) Key() bool { return e.key } +func (e ListIDsResponseValidationError) Key() bool { return e.key } // ErrorName returns error name. 
-func (e KeyMaterialValidationError) ErrorName() string { return "KeyMaterialValidationError" } +func (e ListIDsResponseValidationError) ErrorName() string { return "ListIDsResponseValidationError" } // Error satisfies the builtin error interface -func (e KeyMaterialValidationError) Error() string { +func (e ListIDsResponseValidationError) Error() string { cause := "" if e.cause != nil { cause = fmt.Sprintf(" | caused by: %v", e.cause) @@ -166,14 +573,14 @@ func (e KeyMaterialValidationError) Error() string { } return fmt.Sprintf( - "invalid %sKeyMaterial.%s: %s%s", + "invalid %sListIDsResponse.%s: %s%s", key, e.field, e.reason, cause) } -var _ error = KeyMaterialValidationError{} +var _ error = ListIDsResponseValidationError{} var _ interface { Field() string @@ -181,7 +588,7 @@ var _ interface { Key() bool Cause() error ErrorName() string -} = KeyMaterialValidationError{} +} = ListIDsResponseValidationError{} // Validate checks the field values on StoreRequest with the rules defined in // the proto definition for this message. If any rules are violated, the first 
@@ -644,22 +1051,22 @@ var _ interface { ErrorName() string } = LoadResponseValidationError{} -// Validate checks the field values on ListIDsRequest with the rules defined in +// Validate checks the field values on DeleteRequest with the rules defined in // the proto definition for this message. If any rules are violated, the first // error encountered is returned, or nil if there are no violations. -func (m *ListIDsRequest) Validate() error { +func (m *DeleteRequest) Validate() error { return m.validate(false) } -// ValidateAll checks the field values on ListIDsRequest with the rules defined +// ValidateAll checks the field values on DeleteRequest with the rules defined // in the proto definition for this message. If any rules are violated, the -// result is a list of violation errors wrapped in ListIDsRequestMultiError, -// or nil if none found. -func (m *ListIDsRequest) ValidateAll() error { +// result is a list of violation errors wrapped in DeleteRequestMultiError, or +// nil if none found. +func (m *DeleteRequest) ValidateAll() error { return m.validate(true) } -func (m *ListIDsRequest) validate(all bool) error { +func (m *DeleteRequest) validate(all bool) error { if m == nil { return nil } 
@@ -668,53 +1075,22 @@ func (m *ListIDsRequest) validate(all bool) error { // no validation rules for Namespace - if m.Filter != nil { - - if all { - switch v := interface{}(m.GetFilter()).(type) { - case interface{ ValidateAll() error }: - if err := v.ValidateAll(); err != nil { - errors = append(errors, ListIDsRequestValidationError{ - field: "Filter", - reason: "embedded message failed validation", - cause: err, - }) - } - case interface{ Validate() error }: - if err := v.Validate(); err != nil { - errors = append(errors, ListIDsRequestValidationError{ - field: "Filter", - reason: "embedded message failed validation", - cause: err, - }) - } - } - } else if v, ok := interface{}(m.GetFilter()).(interface{ Validate() error }); ok { - if err := v.Validate(); err != nil { - return ListIDsRequestValidationError{ - field: "Filter", - reason: "embedded message failed validation", - cause: err, - } - } - } - - } + // no validation rules for Id if len(errors) > 0 { - return ListIDsRequestMultiError(errors) + return DeleteRequestMultiError(errors) } return nil } -// ListIDsRequestMultiError is an error wrapping multiple validation errors -// returned by ListIDsRequest.ValidateAll() if the designated constraints +// DeleteRequestMultiError is an error wrapping multiple validation errors +// returned by DeleteRequest.ValidateAll() if the designated constraints // aren't met. -type ListIDsRequestMultiError []error +type DeleteRequestMultiError []error // Error returns a concatenation of all the error messages it wraps. -func (m ListIDsRequestMultiError) Error() string { +func (m DeleteRequestMultiError) Error() string { msgs := make([]string, 0, len(m)) for _, err := range m { msgs = append(msgs, err.Error()) 
@@ -723,11 +1099,11 @@ func (m ListIDsRequestMultiError) Error() string { } // AllErrors returns a list of validation violation errors. -func (m ListIDsRequestMultiError) AllErrors() []error { return m } +func (m DeleteRequestMultiError) AllErrors() []error { return m } -// ListIDsRequestValidationError is the validation error returned by -// ListIDsRequest.Validate if the designated constraints aren't met. -type ListIDsRequestValidationError struct { +// DeleteRequestValidationError is the validation error returned by +// DeleteRequest.Validate if the designated constraints aren't met. +type DeleteRequestValidationError struct { field string reason string cause error @@ -735,22 +1111,22 @@ type ListIDsRequestValidationError struct { } // Field function returns field value. -func (e ListIDsRequestValidationError) Field() string { return e.field } +func (e DeleteRequestValidationError) Field() string { return e.field } // Reason function returns reason value. -func (e ListIDsRequestValidationError) Reason() string { return e.reason } +func (e DeleteRequestValidationError) Reason() string { return e.reason } // Cause function returns cause value. -func (e ListIDsRequestValidationError) Cause() error { return e.cause } +func (e DeleteRequestValidationError) Cause() error { return e.cause } // Key function returns key value. -func (e ListIDsRequestValidationError) Key() bool { return e.key } +func (e DeleteRequestValidationError) Key() bool { return e.key } // ErrorName returns error name. -func (e ListIDsRequestValidationError) ErrorName() string { return "ListIDsRequestValidationError" } +func (e DeleteRequestValidationError) ErrorName() string { return "DeleteRequestValidationError" } // Error satisfies the builtin error interface -func (e ListIDsRequestValidationError) Error() string { +func (e DeleteRequestValidationError) Error() string { cause := "" if e.cause != nil { cause = fmt.Sprintf(" | caused by: %v", e.cause) 
@@ -762,14 +1138,14 @@ func (e ListIDsRequestValidationError) Error() string { } return fmt.Sprintf( - "invalid %sListIDsRequest.%s: %s%s", + "invalid %sDeleteRequest.%s: %s%s", key, e.field, e.reason, cause) } -var _ error = ListIDsRequestValidationError{} +var _ error = DeleteRequestValidationError{} var _ interface { Field() string 
@@ -777,54 +1153,197 @@ var _ interface { Key() bool Cause() error ErrorName() string -} = ListIDsRequestValidationError{} +} = DeleteRequestValidationError{} -// Validate checks the field values on Filter with the rules defined in the -// proto definition for this message. If any rules are violated, the first +// Validate checks the field values on DeleteResponse with the rules defined in +// the proto definition for this message. If any rules are violated, the first // error encountered is returned, or nil if there are no violations. -func (m *Filter) Validate() error { +func (m *DeleteResponse) Validate() error { return m.validate(false) } -// ValidateAll checks the field values on Filter with the rules defined in the -// proto definition for this message. If any rules are violated, the result is -// a list of violation errors wrapped in FilterMultiError, or nil if none found. -func (m *Filter) ValidateAll() error { +// ValidateAll checks the field values on DeleteResponse with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in DeleteResponseMultiError, +// or nil if none found. +func (m *DeleteResponse) ValidateAll() error { return m.validate(true) } -func (m *Filter) validate(all bool) error { +func (m *DeleteResponse) validate(all bool) error { if m == nil { return nil } var errors []error - if m.Prefix != nil { - // no validation rules for Prefix + if len(errors) > 0 { + return DeleteResponseMultiError(errors) } - if m.Suffix != nil { - // no validation rules for Suffix + return nil +} + +// DeleteResponseMultiError is an error wrapping multiple validation errors +// returned by DeleteResponse.ValidateAll() if the designated constraints +// aren't met. +type DeleteResponseMultiError []error + +// Error returns a concatenation of all the error messages it wraps. 
+func (m DeleteResponseMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m DeleteResponseMultiError) AllErrors() []error { return m } + +// DeleteResponseValidationError is the validation error returned by +// DeleteResponse.Validate if the designated constraints aren't met. +type DeleteResponseValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e DeleteResponseValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e DeleteResponseValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e DeleteResponseValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e DeleteResponseValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e DeleteResponseValidationError) ErrorName() string { return "DeleteResponseValidationError" } + +// Error satisfies the builtin error interface +func (e DeleteResponseValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sDeleteResponse.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = DeleteResponseValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = DeleteResponseValidationError{} + +// Validate checks the field values on Filter_StringMatch with the rules +// defined in the proto definition for this message. If any rules are +// violated, the first error encountered is returned, or nil if there are no violations. 
+func (m *Filter_StringMatch) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on Filter_StringMatch with the rules +// defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// Filter_StringMatchMultiError, or nil if none found. +func (m *Filter_StringMatch) ValidateAll() error { + return m.validate(true) +} + +func (m *Filter_StringMatch) validate(all bool) error { + if m == nil { + return nil } - if m.Contains != nil { + var errors []error + + switch v := m.Type.(type) { + case *Filter_StringMatch_Prefix: + if v == nil { + err := Filter_StringMatchValidationError{ + field: "Type", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + // no validation rules for Prefix + case *Filter_StringMatch_Suffix: + if v == nil { + err := Filter_StringMatchValidationError{ + field: "Type", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + // no validation rules for Suffix + case *Filter_StringMatch_Contains: + if v == nil { + err := Filter_StringMatchValidationError{ + field: "Type", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } // no validation rules for Contains + case *Filter_StringMatch_Exact: + if v == nil { + err := Filter_StringMatchValidationError{ + field: "Type", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + // no validation rules for Exact + default: + _ = v // ensures v is used } if len(errors) > 0 { - return FilterMultiError(errors) + return Filter_StringMatchMultiError(errors) } return nil } -// FilterMultiError is an error wrapping multiple validation errors returned by -// Filter.ValidateAll() if the designated constraints aren't met. 
-type FilterMultiError []error +// Filter_StringMatchMultiError is an error wrapping multiple validation errors +// returned by Filter_StringMatch.ValidateAll() if the designated constraints +// aren't met. +type Filter_StringMatchMultiError []error // Error returns a concatenation of all the error messages it wraps. -func (m FilterMultiError) Error() string { +func (m Filter_StringMatchMultiError) Error() string { msgs := make([]string, 0, len(m)) for _, err := range m { msgs = append(msgs, err.Error()) @@ -833,11 +1352,11 @@ func (m FilterMultiError) Error() string { } // AllErrors returns a list of validation violation errors. -func (m FilterMultiError) AllErrors() []error { return m } +func (m Filter_StringMatchMultiError) AllErrors() []error { return m } -// FilterValidationError is the validation error returned by Filter.Validate if -// the designated constraints aren't met. -type FilterValidationError struct { +// Filter_StringMatchValidationError is the validation error returned by +// Filter_StringMatch.Validate if the designated constraints aren't met. +type Filter_StringMatchValidationError struct { field string reason string cause error 
@@ -845,22 +1364,24 @@ type FilterValidationError struct { } // Field function returns field value. -func (e FilterValidationError) Field() string { return e.field } +func (e Filter_StringMatchValidationError) Field() string { return e.field } // Reason function returns reason value. -func (e FilterValidationError) Reason() string { return e.reason } +func (e Filter_StringMatchValidationError) Reason() string { return e.reason } // Cause function returns cause value. -func (e FilterValidationError) Cause() error { return e.cause } +func (e Filter_StringMatchValidationError) Cause() error { return e.cause } // Key function returns key value. -func (e FilterValidationError) Key() bool { return e.key } +func (e Filter_StringMatchValidationError) Key() bool { return e.key } // ErrorName returns error name. -func (e FilterValidationError) ErrorName() string { return "FilterValidationError" } +func (e Filter_StringMatchValidationError) ErrorName() string { + return "Filter_StringMatchValidationError" +} // Error satisfies the builtin error interface -func (e FilterValidationError) Error() string { +func (e Filter_StringMatchValidationError) Error() string { cause := "" if e.cause != nil { cause = fmt.Sprintf(" | caused by: %v", e.cause) @@ -872,14 +1393,14 @@ func (e FilterValidationError) Error() string { } return fmt.Sprintf( - "invalid %sFilter.%s: %s%s", + "invalid %sFilter_StringMatch.%s: %s%s", key, e.field, e.reason, cause) } -var _ error = FilterValidationError{} +var _ error = Filter_StringMatchValidationError{} var _ interface { Field() string 
@@ -887,44 +1408,102 @@ var _ interface { Key() bool Cause() error ErrorName() string -} = FilterValidationError{} +} = Filter_StringMatchValidationError{} -// Validate checks the field values on ListIDsResponse with the rules defined +// Validate checks the field values on Filter_TimeRange with the rules defined // in the proto definition for this message. If any rules are violated, the // first error encountered is returned, or nil if there are no violations. -func (m *ListIDsResponse) Validate() error { +func (m *Filter_TimeRange) Validate() error { return m.validate(false) } -// ValidateAll checks the field values on ListIDsResponse with the rules +// ValidateAll checks the field values on Filter_TimeRange with the rules // defined in the proto definition for this message. If any rules are // violated, the result is a list of violation errors wrapped in -// ListIDsResponseMultiError, or nil if none found. -func (m *ListIDsResponse) ValidateAll() error { +// Filter_TimeRangeMultiError, or nil if none found. 
+func (m *Filter_TimeRange) ValidateAll() error { return m.validate(true) } -func (m *ListIDsResponse) validate(all bool) error { +func (m *Filter_TimeRange) validate(all bool) error { if m == nil { return nil } var errors []error + if all { + switch v := interface{}(m.GetFrom()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, Filter_TimeRangeValidationError{ + field: "From", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, Filter_TimeRangeValidationError{ + field: "From", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetFrom()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return Filter_TimeRangeValidationError{ + field: "From", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetTo()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, Filter_TimeRangeValidationError{ + field: "To", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, Filter_TimeRangeValidationError{ + field: "To", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetTo()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return Filter_TimeRangeValidationError{ + field: "To", + reason: "embedded message failed validation", + cause: err, + } + } + } + if len(errors) > 0 { - return ListIDsResponseMultiError(errors) + return Filter_TimeRangeMultiError(errors) } return nil } -// ListIDsResponseMultiError is an error wrapping multiple validation errors -// returned by 
ListIDsResponse.ValidateAll() if the designated constraints +// Filter_TimeRangeMultiError is an error wrapping multiple validation errors +// returned by Filter_TimeRange.ValidateAll() if the designated constraints // aren't met. -type ListIDsResponseMultiError []error +type Filter_TimeRangeMultiError []error // Error returns a concatenation of all the error messages it wraps. -func (m ListIDsResponseMultiError) Error() string { +func (m Filter_TimeRangeMultiError) Error() string { msgs := make([]string, 0, len(m)) for _, err := range m { msgs = append(msgs, err.Error()) @@ -933,11 +1512,11 @@ func (m ListIDsResponseMultiError) Error() string { } // AllErrors returns a list of validation violation errors. -func (m ListIDsResponseMultiError) AllErrors() []error { return m } +func (m Filter_TimeRangeMultiError) AllErrors() []error { return m } -// ListIDsResponseValidationError is the validation error returned by -// ListIDsResponse.Validate if the designated constraints aren't met. -type ListIDsResponseValidationError struct { +// Filter_TimeRangeValidationError is the validation error returned by +// Filter_TimeRange.Validate if the designated constraints aren't met. +type Filter_TimeRangeValidationError struct { field string reason string cause error 
@@ -945,22 +1524,22 @@ type ListIDsResponseValidationError struct { } // Field function returns field value. -func (e ListIDsResponseValidationError) Field() string { return e.field } +func (e Filter_TimeRangeValidationError) Field() string { return e.field } // Reason function returns reason value. -func (e ListIDsResponseValidationError) Reason() string { return e.reason } +func (e Filter_TimeRangeValidationError) Reason() string { return e.reason } // Cause function returns cause value. -func (e ListIDsResponseValidationError) Cause() error { return e.cause } +func (e Filter_TimeRangeValidationError) Cause() error { return e.cause } // Key function returns key value. -func (e ListIDsResponseValidationError) Key() bool { return e.key } +func (e Filter_TimeRangeValidationError) Key() bool { return e.key } // ErrorName returns error name. -func (e ListIDsResponseValidationError) ErrorName() string { return "ListIDsResponseValidationError" } +func (e Filter_TimeRangeValidationError) ErrorName() string { return "Filter_TimeRangeValidationError" } // Error satisfies the builtin error interface -func (e ListIDsResponseValidationError) Error() string { +func (e Filter_TimeRangeValidationError) Error() string { cause := "" if e.cause != nil { cause = fmt.Sprintf(" | caused by: %v", e.cause) @@ -972,14 +1551,14 @@ func (e ListIDsResponseValidationError) Error() string { } return fmt.Sprintf( - "invalid %sListIDsResponse.%s: %s%s", + "invalid %sFilter_TimeRange.%s: %s%s", key, e.field, e.reason, cause) } -var _ error = ListIDsResponseValidationError{} +var _ error = Filter_TimeRangeValidationError{} var _ interface { Field() string @@ -987,4 +1566,4 @@ var _ interface { Key() bool Cause() error ErrorName() string -} = ListIDsResponseValidationError{} +} = Filter_TimeRangeValidationError{} diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.proto b/proto/plugin/key_material_storage/v1/key_material_storage.proto index f612a1d..1ce3d51 100644 
--- a/proto/plugin/key_material_storage/v1/key_material_storage.proto +++ b/proto/plugin/key_material_storage/v1/key_material_storage.proto 
@@ -7,117 +7,91 @@ import "google/protobuf/timestamp.proto"; // KeyMaterialStorage defines the universal interface for persisting and // retrieving opaque blobs of data, typically wrapped key material. -// This allows Krypton to delegate storage to any backend (DB, Vault, File) -// in a completely generic way. service KeyMaterialStorage { - // Store persists a single item. This operation must be idempotent. rpc Store(StoreRequest) returns (StoreResponse); - - // Load retrieves a single item by its unique ID. rpc Load(LoadRequest) returns (LoadResponse); + rpc Delete(DeleteRequest) returns (DeleteResponse); - // ListIDs streams back all IDs that match a given prefix within a namespace. + // ListIDs returns batches of IDs matching the criteria. rpc ListIDs(ListIDsRequest) returns (stream ListIDsResponse); } // KeyMaterial represents a single unit of stored data. -// It is intentionally generic and algorithm-agnostic. message KeyMaterial { - // REQUIRED: The unique identifier for this item. - // e.g., "L2/01H8XGJWBWBAQ9Z7J6C6XJ6C6X" - string id = 1 [ - (buf.validate.field).required = true, - (buf.validate.field).string.min_len = 1 - ]; - - // REQUIRED: The opaque data blob. - // This typically contains the encrypted/wrapped key material. - bytes data = 2 [ - (buf.validate.field).required = true, - (buf.validate.field).bytes.min_len = 1 - ]; - - // REQUIRED: The name of algorithm - // This typically contains the encrypted/wrapped key material. 
- string algorithm = 3 [ - (buf.validate.field).required = true, - (buf.validate.field).string.min_len = 1 - ]; + string id = 1 [(buf.validate.field).string.min_len = 1]; + bytes data = 2 [(buf.validate.field).bytes.min_len = 1]; + string algorithm = 3 [(buf.validate.field).string.min_len = 1]; optional string previous_version_id = 4; - optional string checksum = 5; + google.protobuf.Timestamp created_at = 6; + map tags = 7; +} - optional google.protobuf.Timestamp created_at = 6; +// --- Filter Refactor --- - map tags = 100; +message Filter { + // Pattern-based matching for the primary Key ID. + message StringMatch { + oneof type { + string prefix = 1; + string suffix = 2; + string contains = 3; + string exact = 4; + } + } + optional StringMatch id = 1; + + // Filter by cryptographic algorithm (e.g., "AES-256-GCM"). + optional string algorithm = 2; + + // Filter by metadata tags (e.g., {"env": "prod"}). + // Match is typically performed as "contains all". + map tags = 3; + + // Filter by the time the key was created. + message TimeRange { + google.protobuf.Timestamp from = 1; + google.protobuf.Timestamp to = 2; + } + optional TimeRange created_at = 4; } -// --- Store RPC Messages --- +// --- RPC Messages --- -message StoreRequest { - // REQUIRED: The namespace for this key material. This provides isolation - // and can be mapped to a tenant, project, or customer ID. - string namespace = 1 [ - (buf.validate.field).required = true, - (buf.validate.field).string.min_len = 1 - ]; - - // REQUIRED: The item to be stored. - KeyMaterial key_material = 2 [(buf.validate.field).required = true]; +message ListIDsRequest { + string namespace = 1 [(buf.validate.field).string.min_len = 1]; + optional Filter filter = 2; + + // Pagination support + uint32 page_size = 3; + string page_token = 4; } -message StoreResponse { - // This response is empty on success. Errors are communicated via gRPC status codes. 
+message ListIDsResponse { + repeated string ids = 1; + string next_page_token = 2; } -// --- Load RPC Messages --- +message StoreRequest { + string namespace = 1 [(buf.validate.field).string.min_len = 1]; + KeyMaterial key_material = 2 [(buf.validate.field).required = true]; +} + +message StoreResponse {} message LoadRequest { - // REQUIRED: The namespace for the item. - string namespace = 1 [ - (buf.validate.field).required = true, - (buf.validate.field).string.min_len = 1 - ]; - - // REQUIRED: The unique ID of the item to retrieve. - string id = 2 [ - (buf.validate.field).required = true, - (buf.validate.field).string.min_len = 1 - ]; + string namespace = 1 [(buf.validate.field).string.min_len = 1]; + string id = 2 [(buf.validate.field).string.min_len = 1]; } message LoadResponse { - // The retrieved key material. - // If the key is not found, the RPC will return a `NOT_FOUND` gRPC error. KeyMaterial key_material = 1; } -message ListIDsRequest { - // REQUIRED: The namespace to search in. - string namespace = 1 [ - (buf.validate.field).required = true, - (buf.validate.field).string.min_len = 1 - ]; - - // OPTIONAL: Filter criteria for listing IDs. - // If not provided, all IDs in the namespace are returned. - optional Filter filter = 2; -} - -message Filter { - // OPTIONAL: Filter IDs that start with this string. - optional string prefix = 1; - - // OPTIONAL: Filter IDs that end with this string. - optional string suffix = 2; - - // OPTIONAL: Filter IDs that contain this string. - optional string contains = 3; +message DeleteRequest { + string namespace = 1 [(buf.validate.field).string.min_len = 1]; + string id = 2 [(buf.validate.field).string.min_len = 1]; } -message ListIDsResponse { - // A list of key material IDs that match the request criteria. - // The server may stream multiple responses, each containing a batch of IDs. - repeated string ids = 1; -} +message DeleteResponse {} 
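Review bot: The `min_len = 1` rules on `DeleteRequest.namespace` and `DeleteRequest.id` are declared with `buf.validate`, but the regenerated `.pb.validate.go` earlier in this patch emits `// no validation rules for Namespace` and `// no validation rules for Id` for `DeleteRequest`, so code that relies on `req.Validate()` will accept an empty namespace or id on a call that removes key material. Presumably the plugin host is meant to enforce these rules through the protovalidate runtime; that is not visible in this patch and should be confirmed, or the generated `Validate()` methods dropped so they are not mistaken for enforcement. The hunk also removes every contract comment and adds `Delete` without one; I would put `// Delete removes one item by ID. Implementations must reject an empty namespace or id and must not act outside the given namespace.` above the rpc. Separately, `page_size` in `ListIDsRequest` has no upper bound, and `uint32 page_size = 3 [(buf.validate.field).uint32.lte = <MAX_PAGE_SIZE>];` would cap what a caller can request from a storage backend.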
diff --git a/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go index 1eaafaa..eb7193e 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go @@ -22,6 +22,7 @@ const _ = grpc.SupportPackageIsVersion9 const ( KeyMaterialStorage_Store_FullMethodName = "/plugin.key_material_storage.v1.KeyMaterialStorage/Store" KeyMaterialStorage_Load_FullMethodName = "/plugin.key_material_storage.v1.KeyMaterialStorage/Load" + KeyMaterialStorage_Delete_FullMethodName = "/plugin.key_material_storage.v1.KeyMaterialStorage/Delete" KeyMaterialStorage_ListIDs_FullMethodName = "/plugin.key_material_storage.v1.KeyMaterialStorage/ListIDs" ) @@ -31,14 +32,11 @@ const ( // // KeyMaterialStorage defines the universal interface for persisting and // retrieving opaque blobs of data, typically wrapped key material. -// This allows Krypton to delegate storage to any backend (DB, Vault, File) -// in a completely generic way. type KeyMaterialStorageClient interface { - // Store persists a single item. This operation must be idempotent. Store(ctx context.Context, in *StoreRequest, opts ...grpc.CallOption) (*StoreResponse, error) - // Load retrieves a single item by its unique ID. Load(ctx context.Context, in *LoadRequest, opts ...grpc.CallOption) (*LoadResponse, error) - // ListIDs streams back all IDs that match a given prefix within a namespace. + Delete(ctx context.Context, in *DeleteRequest, opts ...grpc.CallOption) (*DeleteResponse, error) + // ListIDs returns batches of IDs matching the criteria. ListIDs(ctx context.Context, in *ListIDsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ListIDsResponse], error) } 
@@ -70,6 +68,16 @@ func (c *keyMaterialStorageClient) Load(ctx context.Context, in *LoadRequest, op return out, nil } +func (c *keyMaterialStorageClient) Delete(ctx context.Context, in *DeleteRequest, opts ...grpc.CallOption) (*DeleteResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(DeleteResponse) + err := c.cc.Invoke(ctx, KeyMaterialStorage_Delete_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + func (c *keyMaterialStorageClient) ListIDs(ctx context.Context, in *ListIDsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ListIDsResponse], error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) stream, err := c.cc.NewStream(ctx, &KeyMaterialStorage_ServiceDesc.Streams[0], KeyMaterialStorage_ListIDs_FullMethodName, cOpts...) @@ -95,14 +103,11 @@ type KeyMaterialStorage_ListIDsClient = grpc.ServerStreamingClient[ListIDsRespon // // KeyMaterialStorage defines the universal interface for persisting and // retrieving opaque blobs of data, typically wrapped key material. -// This allows Krypton to delegate storage to any backend (DB, Vault, File) -// in a completely generic way. type KeyMaterialStorageServer interface { - // Store persists a single item. This operation must be idempotent. Store(context.Context, *StoreRequest) (*StoreResponse, error) - // Load retrieves a single item by its unique ID. Load(context.Context, *LoadRequest) (*LoadResponse, error) - // ListIDs streams back all IDs that match a given prefix within a namespace. + Delete(context.Context, *DeleteRequest) (*DeleteResponse, error) + // ListIDs returns batches of IDs matching the criteria. ListIDs(*ListIDsRequest, grpc.ServerStreamingServer[ListIDsResponse]) error mustEmbedUnimplementedKeyMaterialStorageServer() } 
@@ -120,6 +125,9 @@ func (UnimplementedKeyMaterialStorageServer) Store(context.Context, *StoreReques func (UnimplementedKeyMaterialStorageServer) Load(context.Context, *LoadRequest) (*LoadResponse, error) { return nil, status.Error(codes.Unimplemented, "method Load not implemented") } +func (UnimplementedKeyMaterialStorageServer) Delete(context.Context, *DeleteRequest) (*DeleteResponse, error) { + return nil, status.Error(codes.Unimplemented, "method Delete not implemented") +} func (UnimplementedKeyMaterialStorageServer) ListIDs(*ListIDsRequest, grpc.ServerStreamingServer[ListIDsResponse]) error { return status.Error(codes.Unimplemented, "method ListIDs not implemented") } @@ -180,6 +188,24 @@ func _KeyMaterialStorage_Load_Handler(srv interface{}, ctx context.Context, dec return interceptor(ctx, in, info, handler) } +func _KeyMaterialStorage_Delete_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(DeleteRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(KeyMaterialStorageServer).Delete(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: KeyMaterialStorage_Delete_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(KeyMaterialStorageServer).Delete(ctx, req.(*DeleteRequest)) + } + return interceptor(ctx, in, info, handler) +} + func _KeyMaterialStorage_ListIDs_Handler(srv interface{}, stream grpc.ServerStream) error { m := new(ListIDsRequest) if err := stream.RecvMsg(m); err != nil { @@ -206,6 +232,10 @@ var KeyMaterialStorage_ServiceDesc = grpc.ServiceDesc{ MethodName: "Load", Handler: _KeyMaterialStorage_Load_Handler, }, + { + MethodName: "Delete", + Handler: _KeyMaterialStorage_Delete_Handler, + }, }, Streams: []grpc.StreamDesc{ { From 77b72d4bf95fc8d603259c45b41480a3786403ea Mon Sep 17 00:00:00 2001 
From: Nicolae Nicora Date: Fri, 15 May 2026 16:49:33 +0200 Subject: [PATCH 14/19] modify --- buf.lock | 4 +- proto/plugin/llm/v1/llm.pb.go | 438 ++++++++++++++ proto/plugin/llm/v1/llm.pb.validate.go | 724 +++++++++++++++++++++++ proto/plugin/llm/v1/llm.proto | 54 ++ proto/plugin/llm/v1/llm_ext_plugin.pb.go | 56 ++ proto/plugin/llm/v1/llm_grpc.pb.go | 176 ++++++ 6 files changed, 1450 insertions(+), 2 deletions(-) create mode 100644 proto/plugin/llm/v1/llm.pb.go create mode 100644 proto/plugin/llm/v1/llm.pb.validate.go create mode 100644 proto/plugin/llm/v1/llm.proto create mode 100644 proto/plugin/llm/v1/llm_ext_plugin.pb.go create mode 100644 proto/plugin/llm/v1/llm_grpc.pb.go diff --git a/buf.lock b/buf.lock index d15a117..709ae02 100644 --- a/buf.lock +++ b/buf.lock @@ -2,5 +2,5 @@ version: v2 deps: - name: buf.build/bufbuild/protovalidate - commit: 80ab13bee0bf4272b6161a72bf7034e0 - digest: b5:1aa6a965be5d02d64e1d81954fa2e78ef9d1e33a0c30f92bc2626039006a94deb3a5b05f14ed8893f5c3ffce444ac008f7e968188ad225c4c29c813aa5f2daa1 + commit: 50325440f8f24053b047484a6bf60b76 + digest: b5:74cb6f5c0853c3c10aafc701614194bbd63326bdb8ef4068214454b8894b03ba4113e04b3a33a8321cdf05336e37db4dc14a5e2495db8462566914f36086ba31 diff --git a/proto/plugin/llm/v1/llm.pb.go b/proto/plugin/llm/v1/llm.pb.go new file mode 100644 index 0000000..297015f --- /dev/null +++ b/proto/plugin/llm/v1/llm.pb.go 
@@ -0,0 +1,438 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.11 +// protoc (unknown) +// source: plugin/llm/v1/llm.proto + +package llmv1 + +import ( + reflect "reflect" + sync "sync" + unsafe "unsafe" + + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// FindingSummary is a single rule-engine finding passed to the LLM for enrichment. +// Only aggregate metrics are included — never key material or key IDs. +type FindingSummary struct { + state protoimpl.MessageState `protogen:"open.v1"` + Category string `protobuf:"bytes,1,opt,name=category,proto3" json:"category,omitempty"` + Severity string `protobuf:"bytes,2,opt,name=severity,proto3" json:"severity,omitempty"` + Title string `protobuf:"bytes,3,opt,name=title,proto3" json:"title,omitempty"` + Description string `protobuf:"bytes,4,opt,name=description,proto3" json:"description,omitempty"` + // aggregate_metadata contains counts and names only (e.g. algorithm="AES-256", count="12"). 
+ AggregateMetadata map[string]string `protobuf:"bytes,5,rep,name=aggregate_metadata,json=aggregateMetadata,proto3" json:"aggregate_metadata,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *FindingSummary) Reset() { + *x = FindingSummary{} + mi := &file_plugin_llm_v1_llm_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *FindingSummary) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*FindingSummary) ProtoMessage() {} + +func (x *FindingSummary) ProtoReflect() protoreflect.Message { + mi := &file_plugin_llm_v1_llm_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use FindingSummary.ProtoReflect.Descriptor instead. +func (*FindingSummary) Descriptor() ([]byte, []int) { + return file_plugin_llm_v1_llm_proto_rawDescGZIP(), []int{0} +} + +func (x *FindingSummary) GetCategory() string { + if x != nil { + return x.Category + } + return "" +} + +func (x *FindingSummary) GetSeverity() string { + if x != nil { + return x.Severity + } + return "" +} + +func (x *FindingSummary) GetTitle() string { + if x != nil { + return x.Title + } + return "" +} + +func (x *FindingSummary) GetDescription() string { + if x != nil { + return x.Description + } + return "" +} + +func (x *FindingSummary) GetAggregateMetadata() map[string]string { + if x != nil { + return x.AggregateMetadata + } + return nil +} + +// EnrichedFinding contains LLM-enhanced descriptions for a single finding. 
+type EnrichedFinding struct { + state protoimpl.MessageState `protogen:"open.v1"` + EnrichedDescription string `protobuf:"bytes,1,opt,name=enriched_description,json=enrichedDescription,proto3" json:"enriched_description,omitempty"` + EnrichedRemediation string `protobuf:"bytes,2,opt,name=enriched_remediation,json=enrichedRemediation,proto3" json:"enriched_remediation,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *EnrichedFinding) Reset() { + *x = EnrichedFinding{} + mi := &file_plugin_llm_v1_llm_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *EnrichedFinding) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*EnrichedFinding) ProtoMessage() {} + +func (x *EnrichedFinding) ProtoReflect() protoreflect.Message { + mi := &file_plugin_llm_v1_llm_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use EnrichedFinding.ProtoReflect.Descriptor instead. 
+func (*EnrichedFinding) Descriptor() ([]byte, []int) { + return file_plugin_llm_v1_llm_proto_rawDescGZIP(), []int{1} +} + +func (x *EnrichedFinding) GetEnrichedDescription() string { + if x != nil { + return x.EnrichedDescription + } + return "" +} + +func (x *EnrichedFinding) GetEnrichedRemediation() string { + if x != nil { + return x.EnrichedRemediation + } + return "" +} + +type EnrichRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Findings []*FindingSummary `protobuf:"bytes,1,rep,name=findings,proto3" json:"findings,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *EnrichRequest) Reset() { + *x = EnrichRequest{} + mi := &file_plugin_llm_v1_llm_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *EnrichRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*EnrichRequest) ProtoMessage() {} + +func (x *EnrichRequest) ProtoReflect() protoreflect.Message { + mi := &file_plugin_llm_v1_llm_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use EnrichRequest.ProtoReflect.Descriptor instead. 
+func (*EnrichRequest) Descriptor() ([]byte, []int) { + return file_plugin_llm_v1_llm_proto_rawDescGZIP(), []int{2} +} + +func (x *EnrichRequest) GetFindings() []*FindingSummary { + if x != nil { + return x.Findings + } + return nil +} + +type EnrichResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + Enriched []*EnrichedFinding `protobuf:"bytes,1,rep,name=enriched,proto3" json:"enriched,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *EnrichResponse) Reset() { + *x = EnrichResponse{} + mi := &file_plugin_llm_v1_llm_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *EnrichResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*EnrichResponse) ProtoMessage() {} + +func (x *EnrichResponse) ProtoReflect() protoreflect.Message { + mi := &file_plugin_llm_v1_llm_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use EnrichResponse.ProtoReflect.Descriptor instead. +func (*EnrichResponse) Descriptor() ([]byte, []int) { + return file_plugin_llm_v1_llm_proto_rawDescGZIP(), []int{3} +} + +func (x *EnrichResponse) GetEnriched() []*EnrichedFinding { + if x != nil { + return x.Enriched + } + return nil +} + +// AnswerRequest carries a free-form question and aggregate context signals. +// context_signals must contain only counts and names — never key material. 
+type AnswerRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Question string `protobuf:"bytes,1,opt,name=question,proto3" json:"question,omitempty"` + ContextSignals map[string]string `protobuf:"bytes,2,rep,name=context_signals,json=contextSignals,proto3" json:"context_signals,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *AnswerRequest) Reset() { + *x = AnswerRequest{} + mi := &file_plugin_llm_v1_llm_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *AnswerRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*AnswerRequest) ProtoMessage() {} + +func (x *AnswerRequest) ProtoReflect() protoreflect.Message { + mi := &file_plugin_llm_v1_llm_proto_msgTypes[4] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use AnswerRequest.ProtoReflect.Descriptor instead. 
+func (*AnswerRequest) Descriptor() ([]byte, []int) { + return file_plugin_llm_v1_llm_proto_rawDescGZIP(), []int{4} +} + +func (x *AnswerRequest) GetQuestion() string { + if x != nil { + return x.Question + } + return "" +} + +func (x *AnswerRequest) GetContextSignals() map[string]string { + if x != nil { + return x.ContextSignals + } + return nil +} + +type AnswerResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + Answer string `protobuf:"bytes,1,opt,name=answer,proto3" json:"answer,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *AnswerResponse) Reset() { + *x = AnswerResponse{} + mi := &file_plugin_llm_v1_llm_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *AnswerResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*AnswerResponse) ProtoMessage() {} + +func (x *AnswerResponse) ProtoReflect() protoreflect.Message { + mi := &file_plugin_llm_v1_llm_proto_msgTypes[5] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use AnswerResponse.ProtoReflect.Descriptor instead. 
+func (*AnswerResponse) Descriptor() ([]byte, []int) { + return file_plugin_llm_v1_llm_proto_rawDescGZIP(), []int{5} +} + +func (x *AnswerResponse) GetAnswer() string { + if x != nil { + return x.Answer + } + return "" +} + +var File_plugin_llm_v1_llm_proto protoreflect.FileDescriptor + +const file_plugin_llm_v1_llm_proto_rawDesc = "" + + "\n" + + "\x17plugin/llm/v1/llm.proto\x12\rplugin.llm.v1\"\xab\x02\n" + + "\x0eFindingSummary\x12\x1a\n" + + "\bcategory\x18\x01 \x01(\tR\bcategory\x12\x1a\n" + + "\bseverity\x18\x02 \x01(\tR\bseverity\x12\x14\n" + + "\x05title\x18\x03 \x01(\tR\x05title\x12 \n" + + "\vdescription\x18\x04 \x01(\tR\vdescription\x12c\n" + + "\x12aggregate_metadata\x18\x05 \x03(\v24.plugin.llm.v1.FindingSummary.AggregateMetadataEntryR\x11aggregateMetadata\x1aD\n" + + "\x16AggregateMetadataEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"w\n" + + "\x0fEnrichedFinding\x121\n" + + "\x14enriched_description\x18\x01 \x01(\tR\x13enrichedDescription\x121\n" + + "\x14enriched_remediation\x18\x02 \x01(\tR\x13enrichedRemediation\"J\n" + + "\rEnrichRequest\x129\n" + + "\bfindings\x18\x01 \x03(\v2\x1d.plugin.llm.v1.FindingSummaryR\bfindings\"L\n" + + "\x0eEnrichResponse\x12:\n" + + "\benriched\x18\x01 \x03(\v2\x1e.plugin.llm.v1.EnrichedFindingR\benriched\"\xc9\x01\n" + + "\rAnswerRequest\x12\x1a\n" + + "\bquestion\x18\x01 \x01(\tR\bquestion\x12Y\n" + + "\x0fcontext_signals\x18\x02 \x03(\v20.plugin.llm.v1.AnswerRequest.ContextSignalsEntryR\x0econtextSignals\x1aA\n" + + "\x13ContextSignalsEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"(\n" + + "\x0eAnswerResponse\x12\x16\n" + + "\x06answer\x18\x01 \x01(\tR\x06answer2\x93\x01\n" + + "\x03LLM\x12E\n" + + "\x06Enrich\x12\x1c.plugin.llm.v1.EnrichRequest\x1a\x1d.plugin.llm.v1.EnrichResponse\x12E\n" + + 
"\x06Answer\x12\x1c.plugin.llm.v1.AnswerRequest\x1a\x1d.plugin.llm.v1.AnswerResponseB\xac\x01\n" + + "\x11com.plugin.llm.v1B\bLlmProtoP\x01Z7github.com/openkcm/plugin-sdk/proto/plugin/llm/v1;llmv1\xa2\x02\x03PLX\xaa\x02\rPlugin.Llm.V1\xca\x02\rPlugin\\Llm\\V1\xe2\x02\x19Plugin\\Llm\\V1\\GPBMetadata\xea\x02\x0fPlugin::Llm::V1b\x06proto3" + +var ( + file_plugin_llm_v1_llm_proto_rawDescOnce sync.Once + file_plugin_llm_v1_llm_proto_rawDescData []byte +) + +func file_plugin_llm_v1_llm_proto_rawDescGZIP() []byte { + file_plugin_llm_v1_llm_proto_rawDescOnce.Do(func() { + file_plugin_llm_v1_llm_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_plugin_llm_v1_llm_proto_rawDesc), len(file_plugin_llm_v1_llm_proto_rawDesc))) + }) + return file_plugin_llm_v1_llm_proto_rawDescData +} + +var file_plugin_llm_v1_llm_proto_msgTypes = make([]protoimpl.MessageInfo, 8) +var file_plugin_llm_v1_llm_proto_goTypes = []any{ + (*FindingSummary)(nil), // 0: plugin.llm.v1.FindingSummary + (*EnrichedFinding)(nil), // 1: plugin.llm.v1.EnrichedFinding + (*EnrichRequest)(nil), // 2: plugin.llm.v1.EnrichRequest + (*EnrichResponse)(nil), // 3: plugin.llm.v1.EnrichResponse + (*AnswerRequest)(nil), // 4: plugin.llm.v1.AnswerRequest + (*AnswerResponse)(nil), // 5: plugin.llm.v1.AnswerResponse + nil, // 6: plugin.llm.v1.FindingSummary.AggregateMetadataEntry + nil, // 7: plugin.llm.v1.AnswerRequest.ContextSignalsEntry +} +var file_plugin_llm_v1_llm_proto_depIdxs = []int32{ + 6, // 0: plugin.llm.v1.FindingSummary.aggregate_metadata:type_name -> plugin.llm.v1.FindingSummary.AggregateMetadataEntry + 0, // 1: plugin.llm.v1.EnrichRequest.findings:type_name -> plugin.llm.v1.FindingSummary + 1, // 2: plugin.llm.v1.EnrichResponse.enriched:type_name -> plugin.llm.v1.EnrichedFinding + 7, // 3: plugin.llm.v1.AnswerRequest.context_signals:type_name -> plugin.llm.v1.AnswerRequest.ContextSignalsEntry + 2, // 4: plugin.llm.v1.LLM.Enrich:input_type -> plugin.llm.v1.EnrichRequest + 4, // 5: 
plugin.llm.v1.LLM.Answer:input_type -> plugin.llm.v1.AnswerRequest + 3, // 6: plugin.llm.v1.LLM.Enrich:output_type -> plugin.llm.v1.EnrichResponse + 5, // 7: plugin.llm.v1.LLM.Answer:output_type -> plugin.llm.v1.AnswerResponse + 6, // [6:8] is the sub-list for method output_type + 4, // [4:6] is the sub-list for method input_type + 4, // [4:4] is the sub-list for extension type_name + 4, // [4:4] is the sub-list for extension extendee + 0, // [0:4] is the sub-list for field type_name +} + +func init() { file_plugin_llm_v1_llm_proto_init() } +func file_plugin_llm_v1_llm_proto_init() { + if File_plugin_llm_v1_llm_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_plugin_llm_v1_llm_proto_rawDesc), len(file_plugin_llm_v1_llm_proto_rawDesc)), + NumEnums: 0, + NumMessages: 8, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_plugin_llm_v1_llm_proto_goTypes, + DependencyIndexes: file_plugin_llm_v1_llm_proto_depIdxs, + MessageInfos: file_plugin_llm_v1_llm_proto_msgTypes, + }.Build() + File_plugin_llm_v1_llm_proto = out.File + file_plugin_llm_v1_llm_proto_goTypes = nil + file_plugin_llm_v1_llm_proto_depIdxs = nil +} diff --git a/proto/plugin/llm/v1/llm.pb.validate.go b/proto/plugin/llm/v1/llm.pb.validate.go new file mode 100644 index 0000000..bfe21ac --- /dev/null +++ b/proto/plugin/llm/v1/llm.pb.validate.go 
@@ -0,0 +1,724 @@ +// Code generated by protoc-gen-validate. DO NOT EDIT. +// source: plugin/llm/v1/llm.proto + +package llmv1 + +import ( + "bytes" + "errors" + "fmt" + "net" + "net/mail" + "net/url" + "regexp" + "sort" + "strings" + "time" + "unicode/utf8" + + "google.golang.org/protobuf/types/known/anypb" +) + +// ensure the imports are used +var ( + _ = bytes.MinRead + _ = errors.New("") + _ = fmt.Print + _ = utf8.UTFMax + _ = (*regexp.Regexp)(nil) + _ = (*strings.Reader)(nil) + _ = net.IPv4len + _ = time.Duration(0) + _ = (*url.URL)(nil) + _ = (*mail.Address)(nil) + _ = anypb.Any{} + _ = sort.Sort +) + +// Validate checks the field values on FindingSummary with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *FindingSummary) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on FindingSummary with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in FindingSummaryMultiError, +// or nil if none found. +func (m *FindingSummary) ValidateAll() error { + return m.validate(true) +} + +func (m *FindingSummary) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for Category + + // no validation rules for Severity + + // no validation rules for Title + + // no validation rules for Description + + // no validation rules for AggregateMetadata + + if len(errors) > 0 { + return FindingSummaryMultiError(errors) + } + + return nil +} + +// FindingSummaryMultiError is an error wrapping multiple validation errors +// returned by FindingSummary.ValidateAll() if the designated constraints +// aren't met. +type FindingSummaryMultiError []error + +// Error returns a concatenation of all the error messages it wraps. 
+func (m FindingSummaryMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m FindingSummaryMultiError) AllErrors() []error { return m } + +// FindingSummaryValidationError is the validation error returned by +// FindingSummary.Validate if the designated constraints aren't met. +type FindingSummaryValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e FindingSummaryValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e FindingSummaryValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e FindingSummaryValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e FindingSummaryValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e FindingSummaryValidationError) ErrorName() string { return "FindingSummaryValidationError" } + +// Error satisfies the builtin error interface +func (e FindingSummaryValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sFindingSummary.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = FindingSummaryValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = FindingSummaryValidationError{} + +// Validate checks the field values on EnrichedFinding with the rules defined +// in the proto definition for this message. If any rules are violated, the +// first error encountered is returned, or nil if there are no violations. 
+func (m *EnrichedFinding) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on EnrichedFinding with the rules +// defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// EnrichedFindingMultiError, or nil if none found. +func (m *EnrichedFinding) ValidateAll() error { + return m.validate(true) +} + +func (m *EnrichedFinding) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for EnrichedDescription + + // no validation rules for EnrichedRemediation + + if len(errors) > 0 { + return EnrichedFindingMultiError(errors) + } + + return nil +} + +// EnrichedFindingMultiError is an error wrapping multiple validation errors +// returned by EnrichedFinding.ValidateAll() if the designated constraints +// aren't met. +type EnrichedFindingMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m EnrichedFindingMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m EnrichedFindingMultiError) AllErrors() []error { return m } + +// EnrichedFindingValidationError is the validation error returned by +// EnrichedFinding.Validate if the designated constraints aren't met. +type EnrichedFindingValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e EnrichedFindingValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e EnrichedFindingValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e EnrichedFindingValidationError) Cause() error { return e.cause } + +// Key function returns key value. 
+func (e EnrichedFindingValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e EnrichedFindingValidationError) ErrorName() string { return "EnrichedFindingValidationError" } + +// Error satisfies the builtin error interface +func (e EnrichedFindingValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sEnrichedFinding.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = EnrichedFindingValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = EnrichedFindingValidationError{} + +// Validate checks the field values on EnrichRequest with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *EnrichRequest) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on EnrichRequest with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in EnrichRequestMultiError, or +// nil if none found. 
+func (m *EnrichRequest) ValidateAll() error { + return m.validate(true) +} + +func (m *EnrichRequest) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + for idx, item := range m.GetFindings() { + _, _ = idx, item + + if all { + switch v := interface{}(item).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, EnrichRequestValidationError{ + field: fmt.Sprintf("Findings[%v]", idx), + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, EnrichRequestValidationError{ + field: fmt.Sprintf("Findings[%v]", idx), + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(item).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return EnrichRequestValidationError{ + field: fmt.Sprintf("Findings[%v]", idx), + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + if len(errors) > 0 { + return EnrichRequestMultiError(errors) + } + + return nil +} + +// EnrichRequestMultiError is an error wrapping multiple validation errors +// returned by EnrichRequest.ValidateAll() if the designated constraints +// aren't met. +type EnrichRequestMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m EnrichRequestMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m EnrichRequestMultiError) AllErrors() []error { return m } + +// EnrichRequestValidationError is the validation error returned by +// EnrichRequest.Validate if the designated constraints aren't met. 
+type EnrichRequestValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e EnrichRequestValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e EnrichRequestValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e EnrichRequestValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e EnrichRequestValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e EnrichRequestValidationError) ErrorName() string { return "EnrichRequestValidationError" } + +// Error satisfies the builtin error interface +func (e EnrichRequestValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sEnrichRequest.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = EnrichRequestValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = EnrichRequestValidationError{} + +// Validate checks the field values on EnrichResponse with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *EnrichResponse) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on EnrichResponse with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in EnrichResponseMultiError, +// or nil if none found. 
+func (m *EnrichResponse) ValidateAll() error { + return m.validate(true) +} + +func (m *EnrichResponse) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + for idx, item := range m.GetEnriched() { + _, _ = idx, item + + if all { + switch v := interface{}(item).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, EnrichResponseValidationError{ + field: fmt.Sprintf("Enriched[%v]", idx), + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, EnrichResponseValidationError{ + field: fmt.Sprintf("Enriched[%v]", idx), + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(item).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return EnrichResponseValidationError{ + field: fmt.Sprintf("Enriched[%v]", idx), + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + if len(errors) > 0 { + return EnrichResponseMultiError(errors) + } + + return nil +} + +// EnrichResponseMultiError is an error wrapping multiple validation errors +// returned by EnrichResponse.ValidateAll() if the designated constraints +// aren't met. +type EnrichResponseMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m EnrichResponseMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m EnrichResponseMultiError) AllErrors() []error { return m } + +// EnrichResponseValidationError is the validation error returned by +// EnrichResponse.Validate if the designated constraints aren't met. 
+type EnrichResponseValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e EnrichResponseValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e EnrichResponseValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e EnrichResponseValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e EnrichResponseValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e EnrichResponseValidationError) ErrorName() string { return "EnrichResponseValidationError" } + +// Error satisfies the builtin error interface +func (e EnrichResponseValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sEnrichResponse.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = EnrichResponseValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = EnrichResponseValidationError{} + +// Validate checks the field values on AnswerRequest with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *AnswerRequest) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on AnswerRequest with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in AnswerRequestMultiError, or +// nil if none found. 
+func (m *AnswerRequest) ValidateAll() error { + return m.validate(true) +} + +func (m *AnswerRequest) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for Question + + // no validation rules for ContextSignals + + if len(errors) > 0 { + return AnswerRequestMultiError(errors) + } + + return nil +} + +// AnswerRequestMultiError is an error wrapping multiple validation errors +// returned by AnswerRequest.ValidateAll() if the designated constraints +// aren't met. +type AnswerRequestMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m AnswerRequestMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m AnswerRequestMultiError) AllErrors() []error { return m } + +// AnswerRequestValidationError is the validation error returned by +// AnswerRequest.Validate if the designated constraints aren't met. +type AnswerRequestValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e AnswerRequestValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e AnswerRequestValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e AnswerRequestValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e AnswerRequestValidationError) Key() bool { return e.key } + +// ErrorName returns error name. 
+func (e AnswerRequestValidationError) ErrorName() string { return "AnswerRequestValidationError" } + +// Error satisfies the builtin error interface +func (e AnswerRequestValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sAnswerRequest.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = AnswerRequestValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = AnswerRequestValidationError{} + +// Validate checks the field values on AnswerResponse with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *AnswerResponse) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on AnswerResponse with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in AnswerResponseMultiError, +// or nil if none found. +func (m *AnswerResponse) ValidateAll() error { + return m.validate(true) +} + +func (m *AnswerResponse) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for Answer + + if len(errors) > 0 { + return AnswerResponseMultiError(errors) + } + + return nil +} + +// AnswerResponseMultiError is an error wrapping multiple validation errors +// returned by AnswerResponse.ValidateAll() if the designated constraints +// aren't met. +type AnswerResponseMultiError []error + +// Error returns a concatenation of all the error messages it wraps. 
+func (m AnswerResponseMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m AnswerResponseMultiError) AllErrors() []error { return m } + +// AnswerResponseValidationError is the validation error returned by +// AnswerResponse.Validate if the designated constraints aren't met. +type AnswerResponseValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e AnswerResponseValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e AnswerResponseValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e AnswerResponseValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e AnswerResponseValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e AnswerResponseValidationError) ErrorName() string { return "AnswerResponseValidationError" } + +// Error satisfies the builtin error interface +func (e AnswerResponseValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sAnswerResponse.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = AnswerResponseValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = AnswerResponseValidationError{} diff --git a/proto/plugin/llm/v1/llm.proto b/proto/plugin/llm/v1/llm.proto new file mode 100644 index 0000000..a4d28a4 --- /dev/null +++ b/proto/plugin/llm/v1/llm.proto 
@@ -0,0 +1,54 @@
+syntax = "proto3";
+
+package plugin.llm.v1;
+
+option go_package = "github.com/nnicora/krypton/proto/plugin/llm/v1;llmv1";
+
+// LLM is the plugin interface for AI language-model backends used by the
+// Advisor module. Only aggregate, privacy-safe statistics are ever transmitted —
+// no key material, no key IDs, and no principal names.
+service LLM {
+ // Enrich takes rule-engine findings (plain text, no sensitive data) and
+ // returns enriched descriptions and remediation steps.
+ rpc Enrich(EnrichRequest) returns (EnrichResponse);
+
+ // Answer responds to a free-form question about key posture using only the
+ // supplied aggregate signals — no key material, no key IDs, no principal names.
+ rpc Answer(AnswerRequest) returns (AnswerResponse);
+}
+
+// FindingSummary is a single rule-engine finding passed to the LLM for enrichment.
+// Only aggregate metrics are included — never key material or key IDs.
+message FindingSummary {
+ string category = 1;
+ string severity = 2;
+ string title = 3;
+ string description = 4;
+ // aggregate_metadata contains counts and names only (e.g. algorithm="AES-256", count="12").
+ map aggregate_metadata = 5;
+}
+
+// EnrichedFinding contains LLM-enhanced descriptions for a single finding.
+message EnrichedFinding {
+ string enriched_description = 1;
+ string enriched_remediation = 2;
+}
+
+message EnrichRequest {
+ repeated FindingSummary findings = 1;
+}
+
+message EnrichResponse {
+ repeated EnrichedFinding enriched = 1;
+}
+
+// AnswerRequest carries a free-form question and aggregate context signals.
+// context_signals must contain only counts and names — never key material.
+message AnswerRequest {
+ string question = 1;
+ map context_signals = 2;
+}
+
+message AnswerResponse {
+ string answer = 1;
+}
diff --git a/proto/plugin/llm/v1/llm_ext_plugin.pb.go b/proto/plugin/llm/v1/llm_ext_plugin.pb.go
new file mode 100644
index 0000000..867144f
--- /dev/null
+++ b/proto/plugin/llm/v1/llm_ext_plugin.pb.go
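Review bot: The promise in the service and message comments (no key material, no key IDs, no principal names) is carried only by comments: `question`, `title`, `description` and the values of `aggregate_metadata` / `context_signals` are unconstrained strings, and this file declares no validation rules, so nothing at this boundary stops an identifier or secret from reaching an external model backend. Enforcement presumably has to live in the caller that builds `EnrichRequest` / `AnswerRequest`; I would say so on those messages, e.g. `// Callers MUST strip key IDs and principal names before populating this message; the schema does not enforce it.` The free-form field can also be bounded with a rule such as `string question = 1 [(buf.validate.field).string.max_len = <MAX_QUESTION_LEN>];` (placeholder limit), which needs the `buf/validate/validate.proto` import that cipher_wrapper.proto already uses. `answer`, `enriched_description` and `enriched_remediation` are model output, so their comments should mark them as untrusted text that consumers render but do not act on.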
@@ -0,0 +1,56 @@ +// Code generated by protoc-gen-go-extension. DO NOT EDIT. + +package llmv1 + +import ( + grpc "google.golang.org/grpc" + + api "github.com/openkcm/plugin-sdk/api" +) + +const ( + Type = "LLM" + GRPCServiceFullName = "plugin.llm.v1.LLM" +) + +func LLMPluginServer(server LLMServer) api.PluginServer { + return lLMPluginServer{LLMServer: server} +} + +type lLMPluginServer struct { + LLMServer +} + +func (s lLMPluginServer) Type() string { + return Type +} + +func (s lLMPluginServer) GRPCServiceName() string { + return GRPCServiceFullName +} + +func (s lLMPluginServer) RegisterServer(server *grpc.Server) any { + RegisterLLMServer(server, s.LLMServer) + return s.LLMServer +} + +type LLMPluginClient struct { + LLMClient +} + +func (s LLMPluginClient) Type() string { + return Type +} + +func (c *LLMPluginClient) IsInitialized() bool { + return c.LLMClient != nil +} + +func (c *LLMPluginClient) GRPCServiceName() string { + return GRPCServiceFullName +} + +func (c *LLMPluginClient) InitClient(conn grpc.ClientConnInterface) any { + c.LLMClient = NewLLMClient(conn) + return c.LLMClient +} diff --git a/proto/plugin/llm/v1/llm_grpc.pb.go b/proto/plugin/llm/v1/llm_grpc.pb.go new file mode 100644 index 0000000..e10fb70 --- /dev/null +++ b/proto/plugin/llm/v1/llm_grpc.pb.go 
@@ -0,0 +1,176 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.6.1 +// - protoc (unknown) +// source: plugin/llm/v1/llm.proto + +package llmv1 + +import ( + context "context" + + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.64.0 or later. +const _ = grpc.SupportPackageIsVersion9 + +const ( + LLM_Enrich_FullMethodName = "/plugin.llm.v1.LLM/Enrich" + LLM_Answer_FullMethodName = "/plugin.llm.v1.LLM/Answer" +) + +// LLMClient is the client API for LLM service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +// +// LLM is the plugin interface for AI language-model backends used by the +// Advisor module. Only aggregate, privacy-safe statistics are ever transmitted — +// no key material, no key IDs, and no principal names. +type LLMClient interface { + // Enrich takes rule-engine findings (plain text, no sensitive data) and + // returns enriched descriptions and remediation steps. + Enrich(ctx context.Context, in *EnrichRequest, opts ...grpc.CallOption) (*EnrichResponse, error) + // Answer responds to a free-form question about key posture using only the + // supplied aggregate signals — no key material, no key IDs, no principal names. + Answer(ctx context.Context, in *AnswerRequest, opts ...grpc.CallOption) (*AnswerResponse, error) +} + +type lLMClient struct { + cc grpc.ClientConnInterface +} + +func NewLLMClient(cc grpc.ClientConnInterface) LLMClient { + return &lLMClient{cc} +} + +func (c *lLMClient) Enrich(ctx context.Context, in *EnrichRequest, opts ...grpc.CallOption) (*EnrichResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) 
+ out := new(EnrichResponse) + err := c.cc.Invoke(ctx, LLM_Enrich_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *lLMClient) Answer(ctx context.Context, in *AnswerRequest, opts ...grpc.CallOption) (*AnswerResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(AnswerResponse) + err := c.cc.Invoke(ctx, LLM_Answer_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +// LLMServer is the server API for LLM service. +// All implementations must embed UnimplementedLLMServer +// for forward compatibility. +// +// LLM is the plugin interface for AI language-model backends used by the +// Advisor module. Only aggregate, privacy-safe statistics are ever transmitted — +// no key material, no key IDs, and no principal names. +type LLMServer interface { + // Enrich takes rule-engine findings (plain text, no sensitive data) and + // returns enriched descriptions and remediation steps. + Enrich(context.Context, *EnrichRequest) (*EnrichResponse, error) + // Answer responds to a free-form question about key posture using only the + // supplied aggregate signals — no key material, no key IDs, no principal names. + Answer(context.Context, *AnswerRequest) (*AnswerResponse, error) + mustEmbedUnimplementedLLMServer() +} + +// UnimplementedLLMServer must be embedded to have +// forward compatible implementations. +// +// NOTE: this should be embedded by value instead of pointer to avoid a nil +// pointer dereference when methods are called. 
+type UnimplementedLLMServer struct{} + +func (UnimplementedLLMServer) Enrich(context.Context, *EnrichRequest) (*EnrichResponse, error) { + return nil, status.Error(codes.Unimplemented, "method Enrich not implemented") +} +func (UnimplementedLLMServer) Answer(context.Context, *AnswerRequest) (*AnswerResponse, error) { + return nil, status.Error(codes.Unimplemented, "method Answer not implemented") +} +func (UnimplementedLLMServer) mustEmbedUnimplementedLLMServer() {} +func (UnimplementedLLMServer) testEmbeddedByValue() {} + +// UnsafeLLMServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to LLMServer will +// result in compilation errors. +type UnsafeLLMServer interface { + mustEmbedUnimplementedLLMServer() +} + +func RegisterLLMServer(s grpc.ServiceRegistrar, srv LLMServer) { + // If the following call panics, it indicates UnimplementedLLMServer was + // embedded by pointer and is nil. This will cause panics if an + // unimplemented method is ever invoked, so we test this at initialization + // time to prevent it from happening at runtime later due to I/O. 
+ if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { + t.testEmbeddedByValue() + } + s.RegisterService(&LLM_ServiceDesc, srv) +} + +func _LLM_Enrich_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(EnrichRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(LLMServer).Enrich(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: LLM_Enrich_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(LLMServer).Enrich(ctx, req.(*EnrichRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _LLM_Answer_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(AnswerRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(LLMServer).Answer(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: LLM_Answer_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(LLMServer).Answer(ctx, req.(*AnswerRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// LLM_ServiceDesc is the grpc.ServiceDesc for LLM service. +// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var LLM_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "plugin.llm.v1.LLM", + HandlerType: (*LLMServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "Enrich", + Handler: _LLM_Enrich_Handler, + }, + { + MethodName: "Answer", + Handler: _LLM_Answer_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "plugin/llm/v1/llm.proto", +} From 76881f2bff19f6b1dc78d48f211f33b4b83cf8bd Mon Sep 17 00:00:00 2001 
From: Nicolae Nicora Date: Fri, 15 May 2026 17:25:45 +0200 Subject: [PATCH 15/19] modify --- cmd/protoc-gen-go-extension/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/protoc-gen-go-extension/main.go b/cmd/protoc-gen-go-extension/main.go index 33dd7a6..da6e412 100644 --- a/cmd/protoc-gen-go-extension/main.go +++ b/cmd/protoc-gen-go-extension/main.go @@ -99,7 +99,7 @@ func generateServiceBridges(g *protogen.GeneratedFile, serviceName, serviceFullN g.P() g.P("const (") if isPlugin { - g.P(" Type = ", strconv.Quote(serviceName)) + g.P(" Type = ", strconv.Quote(strings.TrimSuffix(serviceName, "Service"))) } g.P(" GRPCServiceFullName = ", strconv.Quote(serviceFullName)) g.P(")") From 10d178a1efe30c22afa9570a8c9260e21154071e Mon Sep 17 00:00:00 2001 
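Review bot: `strings.TrimSuffix(serviceName, "Service")` on the `Type` constant line yields an empty string for a service named exactly `Service`, and it maps `Foo` and `FooService` to the same `Type` value, so two plugin kinds could become indistinguishable to whatever keys on `Type`. I would compute the name once and fall back when trimming leaves nothing: `typeName := strings.TrimSuffix(serviceName, "Service")`, then `if typeName == "" { typeName = serviceName }`, and pass `strconv.Quote(typeName)` to `g.P`. The import block is outside this hunk, so confirm `strings` is imported. The emitted `Type` changes for every existing `*Service` plugin, so any configuration that selects plugins by the old name has to be updated together with the regenerated files. `generateServiceBridges` starts and ends outside the hunk.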
From: Nicolae Nicora Date: Wed, 20 May 2026 12:41:10 +0200 Subject: [PATCH 16/19] modify --- .../v1/certificate_issuer_ext_plugin.pb.go | 2 +- .../cipher_wrapper/v1/cipher_wrapper.pb.go | 70 +- .../cipher_wrapper/v1/cipher_wrapper.proto | 2 +- .../v1/cipher_wrapper_ext_plugin.pb.go | 2 +- .../v1/cipher_wrapper_grpc.pb.go | 6 +- .../v1/identity_management_ext_plugin.pb.go | 2 +- .../v1/key_material_storage.pb.go | 114 +- .../v1/key_material_storage.proto | 2 +- .../v1/key_material_storage_ext_plugin.pb.go | 2 +- .../v1/key_material_storage_grpc.pb.go | 10 +- proto/plugin/llm/v1/llm.pb.go | 62 +- proto/plugin/llm/v1/llm.proto | 4 +- proto/plugin/llm/v1/llm_ext_plugin.pb.go | 2 +- proto/plugin/llm/v1/llm_grpc.pb.go | 6 +- .../v1/notification_ext_plugin.pb.go | 2 +- proto/plugin/reconciler/v1/ast.pb.go | 2226 ++++++++ proto/plugin/reconciler/v1/ast.pb.validate.go | 4835 +++++++++++++++++ proto/plugin/reconciler/v1/ast.proto | 273 + proto/plugin/reconciler/v1/reconciler.pb.go | 226 + .../reconciler/v1/reconciler.pb.validate.go | 250 + proto/plugin/reconciler/v1/reconciler.proto | 49 + .../reconciler/v1/reconciler_ext_plugin.pb.go | 56 + .../reconciler/v1/reconciler_grpc.pb.go | 138 + .../v1/systeminformation_ext_plugin.pb.go | 2 +- proto/plugin/test/v1/test_ext_plugin.pb.go | 2 +- 25 files changed, 8199 insertions(+), 146 deletions(-) create mode 100644 proto/plugin/reconciler/v1/ast.pb.go create mode 100644 proto/plugin/reconciler/v1/ast.pb.validate.go create mode 100644 proto/plugin/reconciler/v1/ast.proto create mode 100644 proto/plugin/reconciler/v1/reconciler.pb.go create mode 100644 proto/plugin/reconciler/v1/reconciler.pb.validate.go create mode 100644 proto/plugin/reconciler/v1/reconciler.proto create mode 100644 proto/plugin/reconciler/v1/reconciler_ext_plugin.pb.go create mode 100644 proto/plugin/reconciler/v1/reconciler_grpc.pb.go 
diff --git a/proto/plugin/certificate_issuer/v1/certificate_issuer_ext_plugin.pb.go b/proto/plugin/certificate_issuer/v1/certificate_issuer_ext_plugin.pb.go index dfe9e3a..7d0d285 100644 --- a/proto/plugin/certificate_issuer/v1/certificate_issuer_ext_plugin.pb.go +++ b/proto/plugin/certificate_issuer/v1/certificate_issuer_ext_plugin.pb.go @@ -9,7 +9,7 @@ import ( ) const ( - Type = "CertificateIssuerService" + Type = "CertificateIssuer" GRPCServiceFullName = "plugin.certificate_issuer.v1.CertificateIssuerService" ) diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go index 7346807..5381580 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go 
@@ -369,25 +369,25 @@ var File_plugin_cipher_wrapper_v1_cipher_wrapper_proto protoreflect.FileDescript const file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc = "" + "\n" + - "-plugin/cipher_wrapper/v1/cipher_wrapper.proto\x12\x18plugin.cipher_wrapper.v1\x1a\x1bbuf/validate/validate.proto\"\xe7\x01\n" + + "-plugin/cipher_wrapper/v1/cipher_wrapper.proto\x12\x19krypton.cipher_wrapper.v1\x1a\x1bbuf/validate/validate.proto\"\xe8\x01\n" + "\fKeyReference\x12\x15\n" + "\x06key_id\x18\x01 \x01(\tR\x05keyId\x12\x1d\n" + - "\aversion\x18\x02 \x01(\tH\x00R\aversion\x88\x01\x01\x12V\n" + + "\aversion\x18\x02 \x01(\tH\x00R\aversion\x88\x01\x01\x12W\n" + "\n" + - "properties\x18\x03 \x03(\v26.plugin.cipher_wrapper.v1.KeyReference.PropertiesEntryR\n" + + "properties\x18\x03 \x03(\v27.krypton.cipher_wrapper.v1.KeyReference.PropertiesEntryR\n" + "properties\x1a=\n" + "\x0fPropertiesEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\n" + "\n" + - "\b_version\"\xdc\x02\n" + - "\vWrapRequest\x12@\n" + - "\x03key\x18\x01 \x01(\v2&.plugin.cipher_wrapper.v1.KeyReferenceB\x06\xbaH\x03\xc8\x01\x01R\x03key\x12(\n" + + "\b_version\"\xde\x02\n" + + "\vWrapRequest\x12A\n" + + "\x03key\x18\x01 \x01(\v2'.krypton.cipher_wrapper.v1.KeyReferenceB\x06\xbaH\x03\xc8\x01\x01R\x03key\x12(\n" + "\tplaintext\x18\x02 \x01(\fB\n" + "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\tplaintext\x12\x15\n" + "\x03aad\x18\x03 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + - "\x02iv\x18\x04 \x01(\fH\x01R\x02iv\x88\x01\x01\x12c\n" + - "\x0fdynamic_context\x18\x84\a \x03(\v29.plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + + "\x02iv\x18\x04 \x01(\fH\x01R\x02iv\x88\x01\x01\x12d\n" + + "\x0fdynamic_context\x18\x84\a \x03(\v2:.krypton.cipher_wrapper.v1.WrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + "\x13DynamicContextEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 
\x01(\tR\x05value:\x028\x01B\x06\n" + 
@@ -400,27 +400,27 @@ const file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc = "" + "\x0ekey_version_id\x18\x02 \x01(\tH\x00R\fkeyVersionId\x88\x01\x01\x12\x13\n" + "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01B\x11\n" + "\x0f_key_version_idB\x05\n" + - "\x03_iv\"\xe2\x02\n" + - "\rUnwrapRequest\x12@\n" + - "\x03key\x18\x01 \x01(\v2&.plugin.cipher_wrapper.v1.KeyReferenceB\x06\xbaH\x03\xc8\x01\x01R\x03key\x12*\n" + + "\x03_iv\"\xe4\x02\n" + + "\rUnwrapRequest\x12A\n" + + "\x03key\x18\x01 \x01(\v2'.krypton.cipher_wrapper.v1.KeyReferenceB\x06\xbaH\x03\xc8\x01\x01R\x03key\x12*\n" + "\n" + "ciphertext\x18\x02 \x01(\fB\n" + "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\n" + "ciphertext\x12\x15\n" + "\x03aad\x18\x03 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + - "\x02iv\x18\x04 \x01(\fH\x01R\x02iv\x88\x01\x01\x12e\n" + - "\x0fdynamic_context\x18\x84\a \x03(\v2;.plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + + "\x02iv\x18\x04 \x01(\fH\x01R\x02iv\x88\x01\x01\x12f\n" + + "\x0fdynamic_context\x18\x84\a \x03(\v2<.krypton.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + "\x13DynamicContextEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x06\n" + "\x04_aadB\x05\n" + "\x03_iv\".\n" + "\x0eUnwrapResponse\x12\x1c\n" + - "\tplaintext\x18\x01 \x01(\fR\tplaintext2\xc3\x01\n" + - "\rCipherWrapper\x12U\n" + - "\x04Wrap\x12%.plugin.cipher_wrapper.v1.WrapRequest\x1a&.plugin.cipher_wrapper.v1.WrapResponse\x12[\n" + - "\x06Unwrap\x12'.plugin.cipher_wrapper.v1.UnwrapRequest\x1a(.plugin.cipher_wrapper.v1.UnwrapResponseB\xff\x01\n" + - "\x1ccom.plugin.cipher_wrapper.v1B\x12CipherWrapperProtoP\x01ZMgithub.com/openkcm/plugin-sdk/proto/plugin/cipher_wrapper/v1;cipher_wrapperv1\xa2\x02\x03PCX\xaa\x02\x17Plugin.CipherWrapper.V1\xca\x02\x17Plugin\\CipherWrapper\\V1\xe2\x02#Plugin\\CipherWrapper\\V1\\GPBMetadata\xea\x02\x19Plugin::CipherWrapper::V1b\x06proto3" + 
"\tplaintext\x18\x01 \x01(\fR\tplaintext2\xc7\x01\n" + + "\rCipherWrapper\x12W\n" + + "\x04Wrap\x12&.krypton.cipher_wrapper.v1.WrapRequest\x1a'.krypton.cipher_wrapper.v1.WrapResponse\x12]\n" + + "\x06Unwrap\x12(.krypton.cipher_wrapper.v1.UnwrapRequest\x1a).krypton.cipher_wrapper.v1.UnwrapResponseB\x84\x02\n" + + "\x1dcom.krypton.cipher_wrapper.v1B\x12CipherWrapperProtoP\x01ZMgithub.com/openkcm/plugin-sdk/proto/plugin/cipher_wrapper/v1;cipher_wrapperv1\xa2\x02\x03KCX\xaa\x02\x18Krypton.CipherWrapper.V1\xca\x02\x18Krypton\\CipherWrapper\\V1\xe2\x02$Krypton\\CipherWrapper\\V1\\GPBMetadata\xea\x02\x1aKrypton::CipherWrapper::V1b\x06proto3" var ( file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescOnce sync.Once 
@@ -436,25 +436,25 @@ func file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP() []byte { var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes = make([]protoimpl.MessageInfo, 8) var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_goTypes = []any{ - (*KeyReference)(nil), // 0: plugin.cipher_wrapper.v1.KeyReference - (*WrapRequest)(nil), // 1: plugin.cipher_wrapper.v1.WrapRequest - (*WrapResponse)(nil), // 2: plugin.cipher_wrapper.v1.WrapResponse - (*UnwrapRequest)(nil), // 3: plugin.cipher_wrapper.v1.UnwrapRequest - (*UnwrapResponse)(nil), // 4: plugin.cipher_wrapper.v1.UnwrapResponse - nil, // 5: plugin.cipher_wrapper.v1.KeyReference.PropertiesEntry - nil, // 6: plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntry - nil, // 7: plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry + (*KeyReference)(nil), // 0: krypton.cipher_wrapper.v1.KeyReference + (*WrapRequest)(nil), // 1: krypton.cipher_wrapper.v1.WrapRequest + (*WrapResponse)(nil), // 2: krypton.cipher_wrapper.v1.WrapResponse + (*UnwrapRequest)(nil), // 3: krypton.cipher_wrapper.v1.UnwrapRequest + (*UnwrapResponse)(nil), // 4: krypton.cipher_wrapper.v1.UnwrapResponse + nil, // 5: krypton.cipher_wrapper.v1.KeyReference.PropertiesEntry + nil, // 6: krypton.cipher_wrapper.v1.WrapRequest.DynamicContextEntry + nil, // 7: krypton.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry } var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_depIdxs = []int32{ - 5, // 0: plugin.cipher_wrapper.v1.KeyReference.properties:type_name -> plugin.cipher_wrapper.v1.KeyReference.PropertiesEntry - 0, // 1: plugin.cipher_wrapper.v1.WrapRequest.key:type_name -> plugin.cipher_wrapper.v1.KeyReference - 6, // 2: plugin.cipher_wrapper.v1.WrapRequest.dynamic_context:type_name -> plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntry - 0, // 3: plugin.cipher_wrapper.v1.UnwrapRequest.key:type_name -> plugin.cipher_wrapper.v1.KeyReference - 7, // 4: 
plugin.cipher_wrapper.v1.UnwrapRequest.dynamic_context:type_name -> plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry - 1, // 5: plugin.cipher_wrapper.v1.CipherWrapper.Wrap:input_type -> plugin.cipher_wrapper.v1.WrapRequest - 3, // 6: plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:input_type -> plugin.cipher_wrapper.v1.UnwrapRequest - 2, // 7: plugin.cipher_wrapper.v1.CipherWrapper.Wrap:output_type -> plugin.cipher_wrapper.v1.WrapResponse - 4, // 8: plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:output_type -> plugin.cipher_wrapper.v1.UnwrapResponse + 5, // 0: krypton.cipher_wrapper.v1.KeyReference.properties:type_name -> krypton.cipher_wrapper.v1.KeyReference.PropertiesEntry + 0, // 1: krypton.cipher_wrapper.v1.WrapRequest.key:type_name -> krypton.cipher_wrapper.v1.KeyReference + 6, // 2: krypton.cipher_wrapper.v1.WrapRequest.dynamic_context:type_name -> krypton.cipher_wrapper.v1.WrapRequest.DynamicContextEntry + 0, // 3: krypton.cipher_wrapper.v1.UnwrapRequest.key:type_name -> krypton.cipher_wrapper.v1.KeyReference + 7, // 4: krypton.cipher_wrapper.v1.UnwrapRequest.dynamic_context:type_name -> krypton.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry + 1, // 5: krypton.cipher_wrapper.v1.CipherWrapper.Wrap:input_type -> krypton.cipher_wrapper.v1.WrapRequest + 3, // 6: krypton.cipher_wrapper.v1.CipherWrapper.Unwrap:input_type -> krypton.cipher_wrapper.v1.UnwrapRequest + 2, // 7: krypton.cipher_wrapper.v1.CipherWrapper.Wrap:output_type -> krypton.cipher_wrapper.v1.WrapResponse + 4, // 8: krypton.cipher_wrapper.v1.CipherWrapper.Unwrap:output_type -> krypton.cipher_wrapper.v1.UnwrapResponse 7, // [7:9] is the sub-list for method output_type 5, // [5:7] is the sub-list for method input_type 5, // [5:5] is the sub-list for extension type_name diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto index 924d620..2e7b9dc 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto 
+++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto @@ -1,6 +1,6 @@ syntax = "proto3"; -package plugin.cipher_wrapper.v1; +package krypton.cipher_wrapper.v1; import "buf/validate/validate.proto"; diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper_ext_plugin.pb.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper_ext_plugin.pb.go index eebbf6a..ff7cecb 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper_ext_plugin.pb.go +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper_ext_plugin.pb.go @@ -10,7 +10,7 @@ import ( const ( Type = "CipherWrapper" - GRPCServiceFullName = "plugin.cipher_wrapper.v1.CipherWrapper" + GRPCServiceFullName = "krypton.cipher_wrapper.v1.CipherWrapper" ) func CipherWrapperPluginServer(server CipherWrapperServer) api.PluginServer { diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper_grpc.pb.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper_grpc.pb.go index 197aeba..7f804a9 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper_grpc.pb.go +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper_grpc.pb.go @@ -20,8 +20,8 @@ import ( const _ = grpc.SupportPackageIsVersion9 const ( - CipherWrapper_Wrap_FullMethodName = "/plugin.cipher_wrapper.v1.CipherWrapper/Wrap" - CipherWrapper_Unwrap_FullMethodName = "/plugin.cipher_wrapper.v1.CipherWrapper/Unwrap" + CipherWrapper_Wrap_FullMethodName = "/krypton.cipher_wrapper.v1.CipherWrapper/Wrap" + CipherWrapper_Unwrap_FullMethodName = "/krypton.cipher_wrapper.v1.CipherWrapper/Unwrap" ) // CipherWrapperClient is the client API for CipherWrapper service. 
@@ -159,7 +159,7 @@ func _CipherWrapper_Unwrap_Handler(srv interface{}, ctx context.Context, dec fun // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) var CipherWrapper_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "plugin.cipher_wrapper.v1.CipherWrapper", + ServiceName: "krypton.cipher_wrapper.v1.CipherWrapper", HandlerType: (*CipherWrapperServer)(nil), Methods: []grpc.MethodDesc{ { diff --git a/proto/plugin/identity_management/v1/identity_management_ext_plugin.pb.go b/proto/plugin/identity_management/v1/identity_management_ext_plugin.pb.go index a047d65..ecd0fc7 100644 --- a/proto/plugin/identity_management/v1/identity_management_ext_plugin.pb.go +++ b/proto/plugin/identity_management/v1/identity_management_ext_plugin.pb.go @@ -9,7 +9,7 @@ import ( ) const ( - Type = "IdentityManagementService" + Type = "IdentityManagement" GRPCServiceFullName = "plugin.identity_management.v1.IdentityManagementService" ) diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go index d57aa1a..efaf7ac 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go 
@@ -753,7 +753,7 @@ var File_plugin_key_material_storage_v1_key_material_storage_proto protoreflect. const file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc = "" + "\n" + - "9plugin/key_material_storage/v1/key_material_storage.proto\x12\x1eplugin.key_material_storage.v1\x1a\x1bbuf/validate/validate.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xa4\x03\n" + + "9plugin/key_material_storage/v1/key_material_storage.proto\x12\x1fkrypton.key_material_storage.v1\x1a\x1bbuf/validate/validate.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xa5\x03\n" + "\vKeyMaterial\x12\x17\n" + "\x02id\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x02id\x12\x1b\n" + "\x04data\x18\x02 \x01(\fB\a\xbaH\x04z\x02\x10\x01R\x04data\x12%\n" + 
@@ -761,19 +761,19 @@ const file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc = " "\x13previous_version_id\x18\x04 \x01(\tH\x00R\x11previousVersionId\x88\x01\x01\x12\x1f\n" + "\bchecksum\x18\x05 \x01(\tH\x01R\bchecksum\x88\x01\x01\x129\n" + "\n" + - "created_at\x18\x06 \x01(\v2\x1a.google.protobuf.TimestampR\tcreatedAt\x12I\n" + - "\x04tags\x18\a \x03(\v25.plugin.key_material_storage.v1.KeyMaterial.TagsEntryR\x04tags\x1a7\n" + + "created_at\x18\x06 \x01(\v2\x1a.google.protobuf.TimestampR\tcreatedAt\x12J\n" + + "\x04tags\x18\a \x03(\v26.krypton.key_material_storage.v1.KeyMaterial.TagsEntryR\x04tags\x1a7\n" + "\tTagsEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x16\n" + "\x14_previous_version_idB\v\n" + - "\t_checksum\"\xd7\x04\n" + - "\x06Filter\x12G\n" + - "\x02id\x18\x01 \x01(\v22.plugin.key_material_storage.v1.Filter.StringMatchH\x00R\x02id\x88\x01\x01\x12!\n" + - "\talgorithm\x18\x02 \x01(\tH\x01R\talgorithm\x88\x01\x01\x12D\n" + - "\x04tags\x18\x03 \x03(\v20.plugin.key_material_storage.v1.Filter.TagsEntryR\x04tags\x12T\n" + + "\t_checksum\"\xda\x04\n" + + "\x06Filter\x12H\n" + + "\x02id\x18\x01 \x01(\v23.krypton.key_material_storage.v1.Filter.StringMatchH\x00R\x02id\x88\x01\x01\x12!\n" + + "\talgorithm\x18\x02 \x01(\tH\x01R\talgorithm\x88\x01\x01\x12E\n" + + "\x04tags\x18\x03 \x03(\v21.krypton.key_material_storage.v1.Filter.TagsEntryR\x04tags\x12U\n" + "\n" + - "created_at\x18\x04 \x01(\v20.plugin.key_material_storage.v1.Filter.TimeRangeH\x02R\tcreatedAt\x88\x01\x01\x1a\x7f\n" + + "created_at\x18\x04 \x01(\v21.krypton.key_material_storage.v1.Filter.TimeRangeH\x02R\tcreatedAt\x88\x01\x01\x1a\x7f\n" + "\vStringMatch\x12\x18\n" + "\x06prefix\x18\x01 \x01(\tH\x00R\x06prefix\x12\x18\n" + "\x06suffix\x18\x02 \x01(\tH\x00R\x06suffix\x12\x1c\n" + 
@@ -789,36 +789,36 @@ const file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc = " "\x03_idB\f\n" + "\n" + "_algorithmB\r\n" + - "\v_created_at\"\xc3\x01\n" + + "\v_created_at\"\xc4\x01\n" + "\x0eListIDsRequest\x12%\n" + - "\tnamespace\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12C\n" + - "\x06filter\x18\x02 \x01(\v2&.plugin.key_material_storage.v1.FilterH\x00R\x06filter\x88\x01\x01\x12\x1b\n" + + "\tnamespace\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12D\n" + + "\x06filter\x18\x02 \x01(\v2'.krypton.key_material_storage.v1.FilterH\x00R\x06filter\x88\x01\x01\x12\x1b\n" + "\tpage_size\x18\x03 \x01(\rR\bpageSize\x12\x1d\n" + "\n" + "page_token\x18\x04 \x01(\tR\tpageTokenB\t\n" + "\a_filter\"K\n" + "\x0fListIDsResponse\x12\x10\n" + "\x03ids\x18\x01 \x03(\tR\x03ids\x12&\n" + - "\x0fnext_page_token\x18\x02 \x01(\tR\rnextPageToken\"\x8d\x01\n" + + "\x0fnext_page_token\x18\x02 \x01(\tR\rnextPageToken\"\x8e\x01\n" + "\fStoreRequest\x12%\n" + - "\tnamespace\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12V\n" + - "\fkey_material\x18\x02 \x01(\v2+.plugin.key_material_storage.v1.KeyMaterialB\x06\xbaH\x03\xc8\x01\x01R\vkeyMaterial\"\x0f\n" + + "\tnamespace\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12W\n" + + "\fkey_material\x18\x02 \x01(\v2,.krypton.key_material_storage.v1.KeyMaterialB\x06\xbaH\x03\xc8\x01\x01R\vkeyMaterial\"\x0f\n" + "\rStoreResponse\"M\n" + "\vLoadRequest\x12%\n" + "\tnamespace\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12\x17\n" + - "\x02id\x18\x02 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x02id\"^\n" + - "\fLoadResponse\x12N\n" + - "\fkey_material\x18\x01 \x01(\v2+.plugin.key_material_storage.v1.KeyMaterialR\vkeyMaterial\"O\n" + + "\x02id\x18\x02 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x02id\"_\n" + + "\fLoadResponse\x12O\n" + + "\fkey_material\x18\x01 \x01(\v2,.krypton.key_material_storage.v1.KeyMaterialR\vkeyMaterial\"O\n" + "\rDeleteRequest\x12%\n" + "\tnamespace\x18\x01 
\x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12\x17\n" + "\x02id\x18\x02 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x02id\"\x10\n" + - "\x0eDeleteResponse2\xb4\x03\n" + - "\x12KeyMaterialStorage\x12d\n" + - "\x05Store\x12,.plugin.key_material_storage.v1.StoreRequest\x1a-.plugin.key_material_storage.v1.StoreResponse\x12a\n" + - "\x04Load\x12+.plugin.key_material_storage.v1.LoadRequest\x1a,.plugin.key_material_storage.v1.LoadResponse\x12g\n" + - "\x06Delete\x12-.plugin.key_material_storage.v1.DeleteRequest\x1a..plugin.key_material_storage.v1.DeleteResponse\x12l\n" + - "\aListIDs\x12..plugin.key_material_storage.v1.ListIDsRequest\x1a/.plugin.key_material_storage.v1.ListIDsResponse0\x01B\xaa\x02\n" + - "\"com.plugin.key_material_storage.v1B\x17KeyMaterialStorageProtoP\x01ZYgithub.com/openkcm/plugin-sdk/proto/plugin/key_material_storage/v1;key_material_storagev1\xa2\x02\x03PKX\xaa\x02\x1cPlugin.KeyMaterialStorage.V1\xca\x02\x1cPlugin\\KeyMaterialStorage\\V1\xe2\x02(Plugin\\KeyMaterialStorage\\V1\\GPBMetadata\xea\x02\x1ePlugin::KeyMaterialStorage::V1b\x06proto3" + "\x0eDeleteResponse2\xbc\x03\n" + + "\x12KeyMaterialStorage\x12f\n" + + "\x05Store\x12-.krypton.key_material_storage.v1.StoreRequest\x1a..krypton.key_material_storage.v1.StoreResponse\x12c\n" + + "\x04Load\x12,.krypton.key_material_storage.v1.LoadRequest\x1a-.krypton.key_material_storage.v1.LoadResponse\x12i\n" + + "\x06Delete\x12..krypton.key_material_storage.v1.DeleteRequest\x1a/.krypton.key_material_storage.v1.DeleteResponse\x12n\n" + + "\aListIDs\x12/.krypton.key_material_storage.v1.ListIDsRequest\x1a0.krypton.key_material_storage.v1.ListIDsResponse0\x01B\xaf\x02\n" + + 
"#com.krypton.key_material_storage.v1B\x17KeyMaterialStorageProtoP\x01ZYgithub.com/openkcm/plugin-sdk/proto/plugin/key_material_storage/v1;key_material_storagev1\xa2\x02\x03KKX\xaa\x02\x1dKrypton.KeyMaterialStorage.V1\xca\x02\x1dKrypton\\KeyMaterialStorage\\V1\xe2\x02)Krypton\\KeyMaterialStorage\\V1\\GPBMetadata\xea\x02\x1fKrypton::KeyMaterialStorage::V1b\x06proto3" var ( file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescOnce sync.Once 
@@ -834,41 +834,41 @@ func file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP( var file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes = make([]protoimpl.MessageInfo, 14) var file_plugin_key_material_storage_v1_key_material_storage_proto_goTypes = []any{ - (*KeyMaterial)(nil), // 0: plugin.key_material_storage.v1.KeyMaterial - (*Filter)(nil), // 1: plugin.key_material_storage.v1.Filter - (*ListIDsRequest)(nil), // 2: plugin.key_material_storage.v1.ListIDsRequest - (*ListIDsResponse)(nil), // 3: plugin.key_material_storage.v1.ListIDsResponse - (*StoreRequest)(nil), // 4: plugin.key_material_storage.v1.StoreRequest - (*StoreResponse)(nil), // 5: plugin.key_material_storage.v1.StoreResponse - (*LoadRequest)(nil), // 6: plugin.key_material_storage.v1.LoadRequest - (*LoadResponse)(nil), // 7: plugin.key_material_storage.v1.LoadResponse - (*DeleteRequest)(nil), // 8: plugin.key_material_storage.v1.DeleteRequest - (*DeleteResponse)(nil), // 9: plugin.key_material_storage.v1.DeleteResponse - nil, // 10: plugin.key_material_storage.v1.KeyMaterial.TagsEntry - (*Filter_StringMatch)(nil), // 11: plugin.key_material_storage.v1.Filter.StringMatch - nil, // 12: plugin.key_material_storage.v1.Filter.TagsEntry - (*Filter_TimeRange)(nil), // 13: plugin.key_material_storage.v1.Filter.TimeRange + (*KeyMaterial)(nil), // 0: krypton.key_material_storage.v1.KeyMaterial + (*Filter)(nil), // 1: krypton.key_material_storage.v1.Filter + (*ListIDsRequest)(nil), // 2: krypton.key_material_storage.v1.ListIDsRequest + (*ListIDsResponse)(nil), // 3: krypton.key_material_storage.v1.ListIDsResponse + (*StoreRequest)(nil), // 4: krypton.key_material_storage.v1.StoreRequest + (*StoreResponse)(nil), // 5: krypton.key_material_storage.v1.StoreResponse + (*LoadRequest)(nil), // 6: krypton.key_material_storage.v1.LoadRequest + (*LoadResponse)(nil), // 7: krypton.key_material_storage.v1.LoadResponse + (*DeleteRequest)(nil), // 8: 
krypton.key_material_storage.v1.DeleteRequest + (*DeleteResponse)(nil), // 9: krypton.key_material_storage.v1.DeleteResponse + nil, // 10: krypton.key_material_storage.v1.KeyMaterial.TagsEntry + (*Filter_StringMatch)(nil), // 11: krypton.key_material_storage.v1.Filter.StringMatch + nil, // 12: krypton.key_material_storage.v1.Filter.TagsEntry + (*Filter_TimeRange)(nil), // 13: krypton.key_material_storage.v1.Filter.TimeRange (*timestamppb.Timestamp)(nil), // 14: google.protobuf.Timestamp } var file_plugin_key_material_storage_v1_key_material_storage_proto_depIdxs = []int32{ - 14, // 0: plugin.key_material_storage.v1.KeyMaterial.created_at:type_name -> google.protobuf.Timestamp - 10, // 1: plugin.key_material_storage.v1.KeyMaterial.tags:type_name -> plugin.key_material_storage.v1.KeyMaterial.TagsEntry - 11, // 2: plugin.key_material_storage.v1.Filter.id:type_name -> plugin.key_material_storage.v1.Filter.StringMatch - 12, // 3: plugin.key_material_storage.v1.Filter.tags:type_name -> plugin.key_material_storage.v1.Filter.TagsEntry - 13, // 4: plugin.key_material_storage.v1.Filter.created_at:type_name -> plugin.key_material_storage.v1.Filter.TimeRange - 1, // 5: plugin.key_material_storage.v1.ListIDsRequest.filter:type_name -> plugin.key_material_storage.v1.Filter - 0, // 6: plugin.key_material_storage.v1.StoreRequest.key_material:type_name -> plugin.key_material_storage.v1.KeyMaterial - 0, // 7: plugin.key_material_storage.v1.LoadResponse.key_material:type_name -> plugin.key_material_storage.v1.KeyMaterial - 14, // 8: plugin.key_material_storage.v1.Filter.TimeRange.from:type_name -> google.protobuf.Timestamp - 14, // 9: plugin.key_material_storage.v1.Filter.TimeRange.to:type_name -> google.protobuf.Timestamp - 4, // 10: plugin.key_material_storage.v1.KeyMaterialStorage.Store:input_type -> plugin.key_material_storage.v1.StoreRequest - 6, // 11: plugin.key_material_storage.v1.KeyMaterialStorage.Load:input_type -> plugin.key_material_storage.v1.LoadRequest - 8, // 12: 
plugin.key_material_storage.v1.KeyMaterialStorage.Delete:input_type -> plugin.key_material_storage.v1.DeleteRequest - 2, // 13: plugin.key_material_storage.v1.KeyMaterialStorage.ListIDs:input_type -> plugin.key_material_storage.v1.ListIDsRequest - 5, // 14: plugin.key_material_storage.v1.KeyMaterialStorage.Store:output_type -> plugin.key_material_storage.v1.StoreResponse - 7, // 15: plugin.key_material_storage.v1.KeyMaterialStorage.Load:output_type -> plugin.key_material_storage.v1.LoadResponse - 9, // 16: plugin.key_material_storage.v1.KeyMaterialStorage.Delete:output_type -> plugin.key_material_storage.v1.DeleteResponse - 3, // 17: plugin.key_material_storage.v1.KeyMaterialStorage.ListIDs:output_type -> plugin.key_material_storage.v1.ListIDsResponse + 14, // 0: krypton.key_material_storage.v1.KeyMaterial.created_at:type_name -> google.protobuf.Timestamp + 10, // 1: krypton.key_material_storage.v1.KeyMaterial.tags:type_name -> krypton.key_material_storage.v1.KeyMaterial.TagsEntry + 11, // 2: krypton.key_material_storage.v1.Filter.id:type_name -> krypton.key_material_storage.v1.Filter.StringMatch + 12, // 3: krypton.key_material_storage.v1.Filter.tags:type_name -> krypton.key_material_storage.v1.Filter.TagsEntry + 13, // 4: krypton.key_material_storage.v1.Filter.created_at:type_name -> krypton.key_material_storage.v1.Filter.TimeRange + 1, // 5: krypton.key_material_storage.v1.ListIDsRequest.filter:type_name -> krypton.key_material_storage.v1.Filter + 0, // 6: krypton.key_material_storage.v1.StoreRequest.key_material:type_name -> krypton.key_material_storage.v1.KeyMaterial + 0, // 7: krypton.key_material_storage.v1.LoadResponse.key_material:type_name -> krypton.key_material_storage.v1.KeyMaterial + 14, // 8: krypton.key_material_storage.v1.Filter.TimeRange.from:type_name -> google.protobuf.Timestamp + 14, // 9: krypton.key_material_storage.v1.Filter.TimeRange.to:type_name -> google.protobuf.Timestamp + 4, // 10: 
krypton.key_material_storage.v1.KeyMaterialStorage.Store:input_type -> krypton.key_material_storage.v1.StoreRequest + 6, // 11: krypton.key_material_storage.v1.KeyMaterialStorage.Load:input_type -> krypton.key_material_storage.v1.LoadRequest + 8, // 12: krypton.key_material_storage.v1.KeyMaterialStorage.Delete:input_type -> krypton.key_material_storage.v1.DeleteRequest + 2, // 13: krypton.key_material_storage.v1.KeyMaterialStorage.ListIDs:input_type -> krypton.key_material_storage.v1.ListIDsRequest + 5, // 14: krypton.key_material_storage.v1.KeyMaterialStorage.Store:output_type -> krypton.key_material_storage.v1.StoreResponse + 7, // 15: krypton.key_material_storage.v1.KeyMaterialStorage.Load:output_type -> krypton.key_material_storage.v1.LoadResponse + 9, // 16: krypton.key_material_storage.v1.KeyMaterialStorage.Delete:output_type -> krypton.key_material_storage.v1.DeleteResponse + 3, // 17: krypton.key_material_storage.v1.KeyMaterialStorage.ListIDs:output_type -> krypton.key_material_storage.v1.ListIDsResponse 14, // [14:18] is the sub-list for method output_type 10, // [10:14] is the sub-list for method input_type 10, // [10:10] is the sub-list for extension type_name diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.proto b/proto/plugin/key_material_storage/v1/key_material_storage.proto index 1ce3d51..f91cd0f 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.proto +++ b/proto/plugin/key_material_storage/v1/key_material_storage.proto @@ -1,6 +1,6 @@ syntax = "proto3"; -package plugin.key_material_storage.v1; +package krypton.key_material_storage.v1; import "buf/validate/validate.proto"; import "google/protobuf/timestamp.proto"; diff --git a/proto/plugin/key_material_storage/v1/key_material_storage_ext_plugin.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage_ext_plugin.pb.go index 9f108c7..b8aa587 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage_ext_plugin.pb.go 
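Review bot: The rename on the `package krypton.key_material_storage.v1;` line changes the service's wire identity, not only a namespace label. The regenerated stubs in this patch now use `/krypton.key_material_storage.v1.KeyMaterialStorage/Store` (likewise Load, Delete and ListIDs), so a host and a plugin built on opposite sides of this commit will presumably fail to resolve each other's methods. Because this service carries key material, I would record the break at the top of the file, e.g. `// BREAKING: package renamed from plugin.key_material_storage.v1; host and plugins must be rebuilt together.`, and confirm the host treats an unresolved method as a hard error instead of continuing without storage. The same rename is applied in `llm.proto`, while `notification_ext_plugin.pb.go` in this patch still carries `plugin.notification.v1.NotificationService`, so the migration looks partial. The file also stays under `proto/plugin/…` although its package is now `krypton.…`; the rest of the file is outside this hunk.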
+++ b/proto/plugin/key_material_storage/v1/key_material_storage_ext_plugin.pb.go @@ -10,7 +10,7 @@ import ( const ( Type = "KeyMaterialStorage" - GRPCServiceFullName = "plugin.key_material_storage.v1.KeyMaterialStorage" + GRPCServiceFullName = "krypton.key_material_storage.v1.KeyMaterialStorage" ) func KeyMaterialStoragePluginServer(server KeyMaterialStorageServer) api.PluginServer { diff --git a/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go index eb7193e..ec594a0 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go @@ -20,10 +20,10 @@ import ( const _ = grpc.SupportPackageIsVersion9 const ( - KeyMaterialStorage_Store_FullMethodName = "/plugin.key_material_storage.v1.KeyMaterialStorage/Store" - KeyMaterialStorage_Load_FullMethodName = "/plugin.key_material_storage.v1.KeyMaterialStorage/Load" - KeyMaterialStorage_Delete_FullMethodName = "/plugin.key_material_storage.v1.KeyMaterialStorage/Delete" - KeyMaterialStorage_ListIDs_FullMethodName = "/plugin.key_material_storage.v1.KeyMaterialStorage/ListIDs" + KeyMaterialStorage_Store_FullMethodName = "/krypton.key_material_storage.v1.KeyMaterialStorage/Store" + KeyMaterialStorage_Load_FullMethodName = "/krypton.key_material_storage.v1.KeyMaterialStorage/Load" + KeyMaterialStorage_Delete_FullMethodName = "/krypton.key_material_storage.v1.KeyMaterialStorage/Delete" + KeyMaterialStorage_ListIDs_FullMethodName = "/krypton.key_material_storage.v1.KeyMaterialStorage/ListIDs" ) // KeyMaterialStorageClient is the client API for KeyMaterialStorage service. 
@@ -221,7 +221,7 @@ type KeyMaterialStorage_ListIDsServer = grpc.ServerStreamingServer[ListIDsRespon // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) var KeyMaterialStorage_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "plugin.key_material_storage.v1.KeyMaterialStorage", + ServiceName: "krypton.key_material_storage.v1.KeyMaterialStorage", HandlerType: (*KeyMaterialStorageServer)(nil), Methods: []grpc.MethodDesc{ { diff --git a/proto/plugin/llm/v1/llm.pb.go b/proto/plugin/llm/v1/llm.pb.go index 297015f..d067a63 100644 --- a/proto/plugin/llm/v1/llm.pb.go +++ b/proto/plugin/llm/v1/llm.pb.go 
@@ -344,35 +344,35 @@ var File_plugin_llm_v1_llm_proto protoreflect.FileDescriptor const file_plugin_llm_v1_llm_proto_rawDesc = "" + "\n" + - "\x17plugin/llm/v1/llm.proto\x12\rplugin.llm.v1\"\xab\x02\n" + + "\x17plugin/llm/v1/llm.proto\x12\x0ekrypton.llm.v1\"\xac\x02\n" + "\x0eFindingSummary\x12\x1a\n" + "\bcategory\x18\x01 \x01(\tR\bcategory\x12\x1a\n" + "\bseverity\x18\x02 \x01(\tR\bseverity\x12\x14\n" + "\x05title\x18\x03 \x01(\tR\x05title\x12 \n" + - "\vdescription\x18\x04 \x01(\tR\vdescription\x12c\n" + - "\x12aggregate_metadata\x18\x05 \x03(\v24.plugin.llm.v1.FindingSummary.AggregateMetadataEntryR\x11aggregateMetadata\x1aD\n" + + "\vdescription\x18\x04 \x01(\tR\vdescription\x12d\n" + + "\x12aggregate_metadata\x18\x05 \x03(\v25.krypton.llm.v1.FindingSummary.AggregateMetadataEntryR\x11aggregateMetadata\x1aD\n" + "\x16AggregateMetadataEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"w\n" + "\x0fEnrichedFinding\x121\n" + "\x14enriched_description\x18\x01 \x01(\tR\x13enrichedDescription\x121\n" + - "\x14enriched_remediation\x18\x02 \x01(\tR\x13enrichedRemediation\"J\n" + - "\rEnrichRequest\x129\n" + - "\bfindings\x18\x01 \x03(\v2\x1d.plugin.llm.v1.FindingSummaryR\bfindings\"L\n" + - "\x0eEnrichResponse\x12:\n" + - "\benriched\x18\x01 \x03(\v2\x1e.plugin.llm.v1.EnrichedFindingR\benriched\"\xc9\x01\n" + + "\x14enriched_remediation\x18\x02 \x01(\tR\x13enrichedRemediation\"K\n" + + "\rEnrichRequest\x12:\n" + + "\bfindings\x18\x01 \x03(\v2\x1e.krypton.llm.v1.FindingSummaryR\bfindings\"M\n" + + "\x0eEnrichResponse\x12;\n" + + "\benriched\x18\x01 \x03(\v2\x1f.krypton.llm.v1.EnrichedFindingR\benriched\"\xca\x01\n" + "\rAnswerRequest\x12\x1a\n" + - "\bquestion\x18\x01 \x01(\tR\bquestion\x12Y\n" + - "\x0fcontext_signals\x18\x02 \x03(\v20.plugin.llm.v1.AnswerRequest.ContextSignalsEntryR\x0econtextSignals\x1aA\n" + + "\bquestion\x18\x01 \x01(\tR\bquestion\x12Z\n" + + "\x0fcontext_signals\x18\x02 
\x03(\v21.krypton.llm.v1.AnswerRequest.ContextSignalsEntryR\x0econtextSignals\x1aA\n" + "\x13ContextSignalsEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"(\n" + "\x0eAnswerResponse\x12\x16\n" + - "\x06answer\x18\x01 \x01(\tR\x06answer2\x93\x01\n" + - "\x03LLM\x12E\n" + - "\x06Enrich\x12\x1c.plugin.llm.v1.EnrichRequest\x1a\x1d.plugin.llm.v1.EnrichResponse\x12E\n" + - "\x06Answer\x12\x1c.plugin.llm.v1.AnswerRequest\x1a\x1d.plugin.llm.v1.AnswerResponseB\xac\x01\n" + - "\x11com.plugin.llm.v1B\bLlmProtoP\x01Z7github.com/openkcm/plugin-sdk/proto/plugin/llm/v1;llmv1\xa2\x02\x03PLX\xaa\x02\rPlugin.Llm.V1\xca\x02\rPlugin\\Llm\\V1\xe2\x02\x19Plugin\\Llm\\V1\\GPBMetadata\xea\x02\x0fPlugin::Llm::V1b\x06proto3" + "\x06answer\x18\x01 \x01(\tR\x06answer2\x97\x01\n" + + "\x03LLM\x12G\n" + + "\x06Enrich\x12\x1d.krypton.llm.v1.EnrichRequest\x1a\x1e.krypton.llm.v1.EnrichResponse\x12G\n" + + "\x06Answer\x12\x1d.krypton.llm.v1.AnswerRequest\x1a\x1e.krypton.llm.v1.AnswerResponseB\xb1\x01\n" + + "\x12com.krypton.llm.v1B\bLlmProtoP\x01Z7github.com/openkcm/plugin-sdk/proto/plugin/llm/v1;llmv1\xa2\x02\x03KLX\xaa\x02\x0eKrypton.Llm.V1\xca\x02\x0eKrypton\\Llm\\V1\xe2\x02\x1aKrypton\\Llm\\V1\\GPBMetadata\xea\x02\x10Krypton::Llm::V1b\x06proto3" var ( file_plugin_llm_v1_llm_proto_rawDescOnce sync.Once 
@@ -388,24 +388,24 @@ func file_plugin_llm_v1_llm_proto_rawDescGZIP() []byte { var file_plugin_llm_v1_llm_proto_msgTypes = make([]protoimpl.MessageInfo, 8) var file_plugin_llm_v1_llm_proto_goTypes = []any{ - (*FindingSummary)(nil), // 0: plugin.llm.v1.FindingSummary - (*EnrichedFinding)(nil), // 1: plugin.llm.v1.EnrichedFinding - (*EnrichRequest)(nil), // 2: plugin.llm.v1.EnrichRequest - (*EnrichResponse)(nil), // 3: plugin.llm.v1.EnrichResponse - (*AnswerRequest)(nil), // 4: plugin.llm.v1.AnswerRequest - (*AnswerResponse)(nil), // 5: plugin.llm.v1.AnswerResponse - nil, // 6: plugin.llm.v1.FindingSummary.AggregateMetadataEntry - nil, // 7: plugin.llm.v1.AnswerRequest.ContextSignalsEntry + (*FindingSummary)(nil), // 0: krypton.llm.v1.FindingSummary + (*EnrichedFinding)(nil), // 1: krypton.llm.v1.EnrichedFinding + (*EnrichRequest)(nil), // 2: krypton.llm.v1.EnrichRequest + (*EnrichResponse)(nil), // 3: krypton.llm.v1.EnrichResponse + (*AnswerRequest)(nil), // 4: krypton.llm.v1.AnswerRequest + (*AnswerResponse)(nil), // 5: krypton.llm.v1.AnswerResponse + nil, // 6: krypton.llm.v1.FindingSummary.AggregateMetadataEntry + nil, // 7: krypton.llm.v1.AnswerRequest.ContextSignalsEntry } var file_plugin_llm_v1_llm_proto_depIdxs = []int32{ - 6, // 0: plugin.llm.v1.FindingSummary.aggregate_metadata:type_name -> plugin.llm.v1.FindingSummary.AggregateMetadataEntry - 0, // 1: plugin.llm.v1.EnrichRequest.findings:type_name -> plugin.llm.v1.FindingSummary - 1, // 2: plugin.llm.v1.EnrichResponse.enriched:type_name -> plugin.llm.v1.EnrichedFinding - 7, // 3: plugin.llm.v1.AnswerRequest.context_signals:type_name -> plugin.llm.v1.AnswerRequest.ContextSignalsEntry - 2, // 4: plugin.llm.v1.LLM.Enrich:input_type -> plugin.llm.v1.EnrichRequest - 4, // 5: plugin.llm.v1.LLM.Answer:input_type -> plugin.llm.v1.AnswerRequest - 3, // 6: plugin.llm.v1.LLM.Enrich:output_type -> plugin.llm.v1.EnrichResponse - 5, // 7: plugin.llm.v1.LLM.Answer:output_type -> plugin.llm.v1.AnswerResponse + 6, // 0: 
krypton.llm.v1.FindingSummary.aggregate_metadata:type_name -> krypton.llm.v1.FindingSummary.AggregateMetadataEntry + 0, // 1: krypton.llm.v1.EnrichRequest.findings:type_name -> krypton.llm.v1.FindingSummary + 1, // 2: krypton.llm.v1.EnrichResponse.enriched:type_name -> krypton.llm.v1.EnrichedFinding + 7, // 3: krypton.llm.v1.AnswerRequest.context_signals:type_name -> krypton.llm.v1.AnswerRequest.ContextSignalsEntry + 2, // 4: krypton.llm.v1.LLM.Enrich:input_type -> krypton.llm.v1.EnrichRequest + 4, // 5: krypton.llm.v1.LLM.Answer:input_type -> krypton.llm.v1.AnswerRequest + 3, // 6: krypton.llm.v1.LLM.Enrich:output_type -> krypton.llm.v1.EnrichResponse + 5, // 7: krypton.llm.v1.LLM.Answer:output_type -> krypton.llm.v1.AnswerResponse 6, // [6:8] is the sub-list for method output_type 4, // [4:6] is the sub-list for method input_type 4, // [4:4] is the sub-list for extension type_name diff --git a/proto/plugin/llm/v1/llm.proto b/proto/plugin/llm/v1/llm.proto index a4d28a4..d6eb963 100644 --- a/proto/plugin/llm/v1/llm.proto +++ b/proto/plugin/llm/v1/llm.proto @@ -1,8 +1,8 @@ syntax = "proto3"; -package plugin.llm.v1; +package krypton.llm.v1; -option go_package = "github.com/nnicora/krypton/proto/plugin/llm/v1;llmv1"; +option go_package = "github.com/openkcm/krypton/proto/plugin/llm/v1;llmv1"; // LLM is the plugin interface for AI language-model backends used by the // Advisor module. Only aggregate, privacy-safe statistics are ever transmitted — diff --git a/proto/plugin/llm/v1/llm_ext_plugin.pb.go b/proto/plugin/llm/v1/llm_ext_plugin.pb.go index 867144f..82c06ed 100644 --- a/proto/plugin/llm/v1/llm_ext_plugin.pb.go +++ b/proto/plugin/llm/v1/llm_ext_plugin.pb.go @@ -10,7 +10,7 @@ import ( const ( Type = "LLM" - GRPCServiceFullName = "plugin.llm.v1.LLM" + GRPCServiceFullName = "krypton.llm.v1.LLM" ) func LLMPluginServer(server LLMServer) api.PluginServer { diff --git a/proto/plugin/llm/v1/llm_grpc.pb.go b/proto/plugin/llm/v1/llm_grpc.pb.go index e10fb70..ca4467d 100644 
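Review bot: The new `option go_package = "github.com/openkcm/krypton/proto/plugin/llm/v1;llmv1";` does not match the generated code. The regenerated descriptor in `llm.pb.go` in this same patch still embeds `github.com/openkcm/plugin-sdk/proto/plugin/llm/v1;llmv1`. Presumably the generator configuration overrides the option, in which case the in-file value misleads anyone who runs plain `protoc`, since they would get stubs under a different import path from the checked-in ones. I would either set the option to the path the stubs actually use, or drop it and leave a comment such as `// go_package is assigned by the code generator configuration.`. The file continues past this hunk.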
--- a/proto/plugin/llm/v1/llm_grpc.pb.go +++ b/proto/plugin/llm/v1/llm_grpc.pb.go @@ -20,8 +20,8 @@ import ( const _ = grpc.SupportPackageIsVersion9 const ( - LLM_Enrich_FullMethodName = "/plugin.llm.v1.LLM/Enrich" - LLM_Answer_FullMethodName = "/plugin.llm.v1.LLM/Answer" + LLM_Enrich_FullMethodName = "/krypton.llm.v1.LLM/Enrich" + LLM_Answer_FullMethodName = "/krypton.llm.v1.LLM/Answer" ) // LLMClient is the client API for LLM service. @@ -159,7 +159,7 @@ func _LLM_Answer_Handler(srv interface{}, ctx context.Context, dec func(interfac // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) var LLM_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "plugin.llm.v1.LLM", + ServiceName: "krypton.llm.v1.LLM", HandlerType: (*LLMServer)(nil), Methods: []grpc.MethodDesc{ { diff --git a/proto/plugin/notification/v1/notification_ext_plugin.pb.go b/proto/plugin/notification/v1/notification_ext_plugin.pb.go index dd6783a..5e56ebd 100644 --- a/proto/plugin/notification/v1/notification_ext_plugin.pb.go +++ b/proto/plugin/notification/v1/notification_ext_plugin.pb.go @@ -9,7 +9,7 @@ import ( ) const ( - Type = "NotificationService" + Type = "Notification" GRPCServiceFullName = "plugin.notification.v1.NotificationService" ) diff --git a/proto/plugin/reconciler/v1/ast.pb.go b/proto/plugin/reconciler/v1/ast.pb.go new file mode 100644 index 0000000..92ade50 --- /dev/null +++ b/proto/plugin/reconciler/v1/ast.pb.go 
@@ -0,0 +1,2226 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.11 +// protoc (unknown) +// source: plugin/reconciler/v1/ast.proto + +package reconcilerv1 + +import ( + reflect "reflect" + sync "sync" + unsafe "unsafe" + + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + structpb "google.golang.org/protobuf/types/known/structpb" + timestamppb "google.golang.org/protobuf/types/known/timestamppb" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// ExecutionPlan is the root of the AST returned by a plugin's Reconcile call. +// It describes every operation Krypton core must execute to drive the custom +// resource to its desired state. Core is the sole executor — the plugin never +// touches keys, state, or the database directly. +type ExecutionPlan struct { + state protoimpl.MessageState `protogen:"open.v1"` + // plan_id identifies this plan for tracing. Recommended: echo the operation ID. + PlanId string `protobuf:"bytes,1,opt,name=plan_id,json=planId,proto3" json:"plan_id,omitempty"` + // root is the root node of the execution tree. + Root *ASTNode `protobuf:"bytes,2,opt,name=root,proto3" json:"root,omitempty"` + // bindings are pre-declared variables available to every node in the plan. + // Use them to pass tenant_id, api_group, external IDs, or any other values + // the plugin resolved during planning and wants to thread through execution. 
+ Bindings map[string]string `protobuf:"bytes,3,rep,name=bindings,proto3" json:"bindings,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ExecutionPlan) Reset() { + *x = ExecutionPlan{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ExecutionPlan) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ExecutionPlan) ProtoMessage() {} + +func (x *ExecutionPlan) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ExecutionPlan.ProtoReflect.Descriptor instead. +func (*ExecutionPlan) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{0} +} + +func (x *ExecutionPlan) GetPlanId() string { + if x != nil { + return x.PlanId + } + return "" +} + +func (x *ExecutionPlan) GetRoot() *ASTNode { + if x != nil { + return x.Root + } + return nil +} + +func (x *ExecutionPlan) GetBindings() map[string]string { + if x != nil { + return x.Bindings + } + return nil +} + +type ASTNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + // node_id is an optional stable identifier used for checkpoint persistence. + // When set, the executor stores progress so retries resume from here. + // Must be stable across retries (use a semantic name, not a random UUID). + NodeId string `protobuf:"bytes,1,opt,name=node_id,json=nodeId,proto3" json:"node_id,omitempty"` + // label is a human-readable description surfaced in logs and audit events. 
+ Label string `protobuf:"bytes,2,opt,name=label,proto3" json:"label,omitempty"` + // result_var, when non-empty, binds the primary string output of this node + // (typically a provisioned key ID) into the execution state so downstream + // nodes can reference it via ValueRef.var_ref. + ResultVar string `protobuf:"bytes,3,opt,name=result_var,json=resultVar,proto3" json:"result_var,omitempty"` + // Types that are valid to be assigned to Node: + // + // *ASTNode_Sequence + // *ASTNode_Parallel + // *ASTNode_Conditional + // *ASTNode_TryCatch + // *ASTNode_Checkpoint + // *ASTNode_Assert + // *ASTNode_KeySync + // *ASTNode_KeyDelete + // *ASTNode_KeyTransition + // *ASTNode_KeyRotate + // *ASTNode_KeySchedule + // *ASTNode_CredentialSync + // *ASTNode_CredentialDelete + // *ASTNode_Bind + // *ASTNode_Emit + Node isASTNode_Node `protobuf_oneof:"node"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ASTNode) Reset() { + *x = ASTNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ASTNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ASTNode) ProtoMessage() {} + +func (x *ASTNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ASTNode.ProtoReflect.Descriptor instead. 
+func (*ASTNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{1} +} + +func (x *ASTNode) GetNodeId() string { + if x != nil { + return x.NodeId + } + return "" +} + +func (x *ASTNode) GetLabel() string { + if x != nil { + return x.Label + } + return "" +} + +func (x *ASTNode) GetResultVar() string { + if x != nil { + return x.ResultVar + } + return "" +} + +func (x *ASTNode) GetNode() isASTNode_Node { + if x != nil { + return x.Node + } + return nil +} + +func (x *ASTNode) GetSequence() *SequenceNode { + if x != nil { + if x, ok := x.Node.(*ASTNode_Sequence); ok { + return x.Sequence + } + } + return nil +} + +func (x *ASTNode) GetParallel() *ParallelNode { + if x != nil { + if x, ok := x.Node.(*ASTNode_Parallel); ok { + return x.Parallel + } + } + return nil +} + +func (x *ASTNode) GetConditional() *ConditionalNode { + if x != nil { + if x, ok := x.Node.(*ASTNode_Conditional); ok { + return x.Conditional + } + } + return nil +} + +func (x *ASTNode) GetTryCatch() *TryCatchNode { + if x != nil { + if x, ok := x.Node.(*ASTNode_TryCatch); ok { + return x.TryCatch + } + } + return nil +} + +func (x *ASTNode) GetCheckpoint() *CheckpointNode { + if x != nil { + if x, ok := x.Node.(*ASTNode_Checkpoint); ok { + return x.Checkpoint + } + } + return nil +} + +func (x *ASTNode) GetAssert() *AssertNode { + if x != nil { + if x, ok := x.Node.(*ASTNode_Assert); ok { + return x.Assert + } + } + return nil +} + +func (x *ASTNode) GetKeySync() *KeySyncNode { + if x != nil { + if x, ok := x.Node.(*ASTNode_KeySync); ok { + return x.KeySync + } + } + return nil +} + +func (x *ASTNode) GetKeyDelete() *KeyDeleteNode { + if x != nil { + if x, ok := x.Node.(*ASTNode_KeyDelete); ok { + return x.KeyDelete + } + } + return nil +} + +func (x *ASTNode) GetKeyTransition() *KeyTransitionNode { + if x != nil { + if x, ok := x.Node.(*ASTNode_KeyTransition); ok { + return x.KeyTransition + } + } + return nil +} + +func (x *ASTNode) GetKeyRotate() 
*KeyRotateNode { + if x != nil { + if x, ok := x.Node.(*ASTNode_KeyRotate); ok { + return x.KeyRotate + } + } + return nil +} + +func (x *ASTNode) GetKeySchedule() *KeyScheduleNode { + if x != nil { + if x, ok := x.Node.(*ASTNode_KeySchedule); ok { + return x.KeySchedule + } + } + return nil +} + +func (x *ASTNode) GetCredentialSync() *CredentialSyncNode { + if x != nil { + if x, ok := x.Node.(*ASTNode_CredentialSync); ok { + return x.CredentialSync + } + } + return nil +} + +func (x *ASTNode) GetCredentialDelete() *CredentialDeleteNode { + if x != nil { + if x, ok := x.Node.(*ASTNode_CredentialDelete); ok { + return x.CredentialDelete + } + } + return nil +} + +func (x *ASTNode) GetBind() *BindNode { + if x != nil { + if x, ok := x.Node.(*ASTNode_Bind); ok { + return x.Bind + } + } + return nil +} + +func (x *ASTNode) GetEmit() *EmitNode { + if x != nil { + if x, ok := x.Node.(*ASTNode_Emit); ok { + return x.Emit + } + } + return nil +} + +type isASTNode_Node interface { + isASTNode_Node() +} + +type ASTNode_Sequence struct { + // ── Control flow ────────────────────────────────────────── + Sequence *SequenceNode `protobuf:"bytes,10,opt,name=sequence,proto3,oneof"` +} + +type ASTNode_Parallel struct { + Parallel *ParallelNode `protobuf:"bytes,11,opt,name=parallel,proto3,oneof"` +} + +type ASTNode_Conditional struct { + Conditional *ConditionalNode `protobuf:"bytes,12,opt,name=conditional,proto3,oneof"` +} + +type ASTNode_TryCatch struct { + TryCatch *TryCatchNode `protobuf:"bytes,13,opt,name=try_catch,json=tryCatch,proto3,oneof"` +} + +type ASTNode_Checkpoint struct { + // ── Checkpoint ──────────────────────────────────────────── + // Persists progress at this point; uses node_id as the checkpoint name. + Checkpoint *CheckpointNode `protobuf:"bytes,14,opt,name=checkpoint,proto3,oneof"` +} + +type ASTNode_Assert struct { + // ── Assertions / pre-conditions ─────────────────────────── + // Fails the plan with error_message if the predicate is false. 
+ Assert *AssertNode `protobuf:"bytes,20,opt,name=assert,proto3,oneof"` +} + +type ASTNode_KeySync struct { + // ── Key lifecycle ───────────────────────────────────────── + KeySync *KeySyncNode `protobuf:"bytes,30,opt,name=key_sync,json=keySync,proto3,oneof"` // create or idempotently update +} + +type ASTNode_KeyDelete struct { + KeyDelete *KeyDeleteNode `protobuf:"bytes,31,opt,name=key_delete,json=keyDelete,proto3,oneof"` // destroy key material +} + +type ASTNode_KeyTransition struct { + KeyTransition *KeyTransitionNode `protobuf:"bytes,32,opt,name=key_transition,json=keyTransition,proto3,oneof"` // explicit lifecycle state change +} + +type ASTNode_KeyRotate struct { + KeyRotate *KeyRotateNode `protobuf:"bytes,33,opt,name=key_rotate,json=keyRotate,proto3,oneof"` // generate new key material (forced rotation) +} + +type ASTNode_KeySchedule struct { + KeySchedule *KeyScheduleNode `protobuf:"bytes,34,opt,name=key_schedule,json=keySchedule,proto3,oneof"` // set expiry / scheduled transition +} + +type ASTNode_CredentialSync struct { + // ── Credential lifecycle ─────────────────────────────────── + CredentialSync *CredentialSyncNode `protobuf:"bytes,40,opt,name=credential_sync,json=credentialSync,proto3,oneof"` +} + +type ASTNode_CredentialDelete struct { + CredentialDelete *CredentialDeleteNode `protobuf:"bytes,41,opt,name=credential_delete,json=credentialDelete,proto3,oneof"` +} + +type ASTNode_Bind struct { + // ── Utility ─────────────────────────────────────────────── + Bind *BindNode `protobuf:"bytes,60,opt,name=bind,proto3,oneof"` // set a variable in execution state +} + +type ASTNode_Emit struct { + Emit *EmitNode `protobuf:"bytes,61,opt,name=emit,proto3,oneof"` // write a custom audit event +} + +func (*ASTNode_Sequence) isASTNode_Node() {} + +func (*ASTNode_Parallel) isASTNode_Node() {} + +func (*ASTNode_Conditional) isASTNode_Node() {} + +func (*ASTNode_TryCatch) isASTNode_Node() {} + +func (*ASTNode_Checkpoint) isASTNode_Node() {} + +func 
(*ASTNode_Assert) isASTNode_Node() {} + +func (*ASTNode_KeySync) isASTNode_Node() {} + +func (*ASTNode_KeyDelete) isASTNode_Node() {} + +func (*ASTNode_KeyTransition) isASTNode_Node() {} + +func (*ASTNode_KeyRotate) isASTNode_Node() {} + +func (*ASTNode_KeySchedule) isASTNode_Node() {} + +func (*ASTNode_CredentialSync) isASTNode_Node() {} + +func (*ASTNode_CredentialDelete) isASTNode_Node() {} + +func (*ASTNode_Bind) isASTNode_Node() {} + +func (*ASTNode_Emit) isASTNode_Node() {} + +// SequenceNode runs steps in order; the first error aborts the remainder +// and triggers rollback of already-executed steps (same as Pipeline). +type SequenceNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + Steps []*ASTNode `protobuf:"bytes,1,rep,name=steps,proto3" json:"steps,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SequenceNode) Reset() { + *x = SequenceNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SequenceNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SequenceNode) ProtoMessage() {} + +func (x *SequenceNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SequenceNode.ProtoReflect.Descriptor instead. +func (*SequenceNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{2} +} + +func (x *SequenceNode) GetSteps() []*ASTNode { + if x != nil { + return x.Steps + } + return nil +} + +// ParallelNode fans steps out concurrently. +// When fail_fast = true a single error cancels the remaining goroutines. 
+type ParallelNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + Steps []*ASTNode `protobuf:"bytes,1,rep,name=steps,proto3" json:"steps,omitempty"` + FailFast bool `protobuf:"varint,2,opt,name=fail_fast,json=failFast,proto3" json:"fail_fast,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ParallelNode) Reset() { + *x = ParallelNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ParallelNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ParallelNode) ProtoMessage() {} + +func (x *ParallelNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ParallelNode.ProtoReflect.Descriptor instead. +func (*ParallelNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{3} +} + +func (x *ParallelNode) GetSteps() []*ASTNode { + if x != nil { + return x.Steps + } + return nil +} + +func (x *ParallelNode) GetFailFast() bool { + if x != nil { + return x.FailFast + } + return false +} + +// ConditionalNode evaluates a runtime predicate and executes exactly one branch. 
+type ConditionalNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + Condition *Predicate `protobuf:"bytes,1,opt,name=condition,proto3" json:"condition,omitempty"` + ThenNode *ASTNode `protobuf:"bytes,2,opt,name=then_node,json=thenNode,proto3" json:"then_node,omitempty"` + ElseNode *ASTNode `protobuf:"bytes,3,opt,name=else_node,json=elseNode,proto3" json:"else_node,omitempty"` // optional — omit for pure guard + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ConditionalNode) Reset() { + *x = ConditionalNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ConditionalNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ConditionalNode) ProtoMessage() {} + +func (x *ConditionalNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[4] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ConditionalNode.ProtoReflect.Descriptor instead. +func (*ConditionalNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{4} +} + +func (x *ConditionalNode) GetCondition() *Predicate { + if x != nil { + return x.Condition + } + return nil +} + +func (x *ConditionalNode) GetThenNode() *ASTNode { + if x != nil { + return x.ThenNode + } + return nil +} + +func (x *ConditionalNode) GetElseNode() *ASTNode { + if x != nil { + return x.ElseNode + } + return nil +} + +// TryCatchNode executes try_node; on any error executes catch_node instead. +// Useful for compensating transactions and optional / best-effort steps. 
+type TryCatchNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + TryNode *ASTNode `protobuf:"bytes,1,opt,name=try_node,json=tryNode,proto3" json:"try_node,omitempty"` + CatchNode *ASTNode `protobuf:"bytes,2,opt,name=catch_node,json=catchNode,proto3" json:"catch_node,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *TryCatchNode) Reset() { + *x = TryCatchNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *TryCatchNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*TryCatchNode) ProtoMessage() {} + +func (x *TryCatchNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[5] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use TryCatchNode.ProtoReflect.Descriptor instead. +func (*TryCatchNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{5} +} + +func (x *TryCatchNode) GetTryNode() *ASTNode { + if x != nil { + return x.TryNode + } + return nil +} + +func (x *TryCatchNode) GetCatchNode() *ASTNode { + if x != nil { + return x.CatchNode + } + return nil +} + +// CheckpointNode persists the current execution position so retries skip +// completed steps. Uses the parent ASTNode.node_id as the checkpoint name. 
+type CheckpointNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *CheckpointNode) Reset() { + *x = CheckpointNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *CheckpointNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CheckpointNode) ProtoMessage() {} + +func (x *CheckpointNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[6] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CheckpointNode.ProtoReflect.Descriptor instead. +func (*CheckpointNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{6} +} + +type AssertNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + Condition *Predicate `protobuf:"bytes,1,opt,name=condition,proto3" json:"condition,omitempty"` + ErrorMessage string `protobuf:"bytes,2,opt,name=error_message,json=errorMessage,proto3" json:"error_message,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *AssertNode) Reset() { + *x = AssertNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *AssertNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*AssertNode) ProtoMessage() {} + +func (x *AssertNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[7] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// 
Deprecated: Use AssertNode.ProtoReflect.Descriptor instead. +func (*AssertNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{7} +} + +func (x *AssertNode) GetCondition() *Predicate { + if x != nil { + return x.Condition + } + return nil +} + +func (x *AssertNode) GetErrorMessage() string { + if x != nil { + return x.ErrorMessage + } + return "" +} + +// Predicate is a composable boolean expression resolved against live Krypton +// state at execution time. Core owns all state reads; the plugin only declares +// what must be true. +type Predicate struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Types that are valid to be assigned to Expr: + // + // *Predicate_KeyExists + // *Predicate_KeyState + // *Predicate_TenantActive + // *Predicate_CredentialExists + // *Predicate_And + // *Predicate_Or + // *Predicate_Not + Expr isPredicate_Expr `protobuf_oneof:"expr"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *Predicate) Reset() { + *x = Predicate{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[8] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *Predicate) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Predicate) ProtoMessage() {} + +func (x *Predicate) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[8] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Predicate.ProtoReflect.Descriptor instead. 
+func (*Predicate) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{8} +} + +func (x *Predicate) GetExpr() isPredicate_Expr { + if x != nil { + return x.Expr + } + return nil +} + +func (x *Predicate) GetKeyExists() *KeyExistsPredicate { + if x != nil { + if x, ok := x.Expr.(*Predicate_KeyExists); ok { + return x.KeyExists + } + } + return nil +} + +func (x *Predicate) GetKeyState() *KeyStatePredicate { + if x != nil { + if x, ok := x.Expr.(*Predicate_KeyState); ok { + return x.KeyState + } + } + return nil +} + +func (x *Predicate) GetTenantActive() *TenantActivePredicate { + if x != nil { + if x, ok := x.Expr.(*Predicate_TenantActive); ok { + return x.TenantActive + } + } + return nil +} + +func (x *Predicate) GetCredentialExists() *CredentialExistsPredicate { + if x != nil { + if x, ok := x.Expr.(*Predicate_CredentialExists); ok { + return x.CredentialExists + } + } + return nil +} + +func (x *Predicate) GetAnd() *AndPredicate { + if x != nil { + if x, ok := x.Expr.(*Predicate_And); ok { + return x.And + } + } + return nil +} + +func (x *Predicate) GetOr() *OrPredicate { + if x != nil { + if x, ok := x.Expr.(*Predicate_Or); ok { + return x.Or + } + } + return nil +} + +func (x *Predicate) GetNot() *NotPredicate { + if x != nil { + if x, ok := x.Expr.(*Predicate_Not); ok { + return x.Not + } + } + return nil +} + +type isPredicate_Expr interface { + isPredicate_Expr() +} + +type Predicate_KeyExists struct { + KeyExists *KeyExistsPredicate `protobuf:"bytes,1,opt,name=key_exists,json=keyExists,proto3,oneof"` +} + +type Predicate_KeyState struct { + KeyState *KeyStatePredicate `protobuf:"bytes,2,opt,name=key_state,json=keyState,proto3,oneof"` +} + +type Predicate_TenantActive struct { + TenantActive *TenantActivePredicate `protobuf:"bytes,3,opt,name=tenant_active,json=tenantActive,proto3,oneof"` +} + +type Predicate_CredentialExists struct { + CredentialExists *CredentialExistsPredicate 
`protobuf:"bytes,4,opt,name=credential_exists,json=credentialExists,proto3,oneof"` +} + +type Predicate_And struct { + // Logical combinators + And *AndPredicate `protobuf:"bytes,10,opt,name=and,proto3,oneof"` +} + +type Predicate_Or struct { + Or *OrPredicate `protobuf:"bytes,11,opt,name=or,proto3,oneof"` +} + +type Predicate_Not struct { + Not *NotPredicate `protobuf:"bytes,12,opt,name=not,proto3,oneof"` +} + +func (*Predicate_KeyExists) isPredicate_Expr() {} + +func (*Predicate_KeyState) isPredicate_Expr() {} + +func (*Predicate_TenantActive) isPredicate_Expr() {} + +func (*Predicate_CredentialExists) isPredicate_Expr() {} + +func (*Predicate_And) isPredicate_Expr() {} + +func (*Predicate_Or) isPredicate_Expr() {} + +func (*Predicate_Not) isPredicate_Expr() {} + +type KeyExistsPredicate struct { + state protoimpl.MessageState `protogen:"open.v1"` + Tier *ValueRef `protobuf:"bytes,1,opt,name=tier,proto3" json:"tier,omitempty"` + KeyName *ValueRef `protobuf:"bytes,2,opt,name=key_name,json=keyName,proto3" json:"key_name,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *KeyExistsPredicate) Reset() { + *x = KeyExistsPredicate{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *KeyExistsPredicate) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*KeyExistsPredicate) ProtoMessage() {} + +func (x *KeyExistsPredicate) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[9] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use KeyExistsPredicate.ProtoReflect.Descriptor instead. 
+func (*KeyExistsPredicate) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{9} +} + +func (x *KeyExistsPredicate) GetTier() *ValueRef { + if x != nil { + return x.Tier + } + return nil +} + +func (x *KeyExistsPredicate) GetKeyName() *ValueRef { + if x != nil { + return x.KeyName + } + return nil +} + +type KeyStatePredicate struct { + state protoimpl.MessageState `protogen:"open.v1"` + Tier *ValueRef `protobuf:"bytes,1,opt,name=tier,proto3" json:"tier,omitempty"` + KeyName *ValueRef `protobuf:"bytes,2,opt,name=key_name,json=keyName,proto3" json:"key_name,omitempty"` + // allowed_states is an OR list — matches if the key is in ANY of these states. + // Valid values: PRE_ACTIVATION, ACTIVE, SUSPENDED, DEACTIVATED, COMPROMISED, + // + // PENDING_DESTROYING, DESTROYED. + AllowedStates []string `protobuf:"bytes,3,rep,name=allowed_states,json=allowedStates,proto3" json:"allowed_states,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *KeyStatePredicate) Reset() { + *x = KeyStatePredicate{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[10] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *KeyStatePredicate) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*KeyStatePredicate) ProtoMessage() {} + +func (x *KeyStatePredicate) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[10] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use KeyStatePredicate.ProtoReflect.Descriptor instead. 
+func (*KeyStatePredicate) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{10} +} + +func (x *KeyStatePredicate) GetTier() *ValueRef { + if x != nil { + return x.Tier + } + return nil +} + +func (x *KeyStatePredicate) GetKeyName() *ValueRef { + if x != nil { + return x.KeyName + } + return nil +} + +func (x *KeyStatePredicate) GetAllowedStates() []string { + if x != nil { + return x.AllowedStates + } + return nil +} + +type TenantActivePredicate struct { + state protoimpl.MessageState `protogen:"open.v1"` + TenantId *ValueRef `protobuf:"bytes,1,opt,name=tenant_id,json=tenantId,proto3" json:"tenant_id,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *TenantActivePredicate) Reset() { + *x = TenantActivePredicate{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[11] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *TenantActivePredicate) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*TenantActivePredicate) ProtoMessage() {} + +func (x *TenantActivePredicate) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[11] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use TenantActivePredicate.ProtoReflect.Descriptor instead. 
+func (*TenantActivePredicate) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{11} +} + +func (x *TenantActivePredicate) GetTenantId() *ValueRef { + if x != nil { + return x.TenantId + } + return nil +} + +type CredentialExistsPredicate struct { + state protoimpl.MessageState `protogen:"open.v1"` + Name *ValueRef `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *CredentialExistsPredicate) Reset() { + *x = CredentialExistsPredicate{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[12] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *CredentialExistsPredicate) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CredentialExistsPredicate) ProtoMessage() {} + +func (x *CredentialExistsPredicate) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[12] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CredentialExistsPredicate.ProtoReflect.Descriptor instead. 
+func (*CredentialExistsPredicate) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{12} +} + +func (x *CredentialExistsPredicate) GetName() *ValueRef { + if x != nil { + return x.Name + } + return nil +} + +type AndPredicate struct { + state protoimpl.MessageState `protogen:"open.v1"` + Terms []*Predicate `protobuf:"bytes,1,rep,name=terms,proto3" json:"terms,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *AndPredicate) Reset() { + *x = AndPredicate{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[13] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *AndPredicate) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*AndPredicate) ProtoMessage() {} + +func (x *AndPredicate) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[13] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use AndPredicate.ProtoReflect.Descriptor instead. 
+func (*AndPredicate) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{13} +} + +func (x *AndPredicate) GetTerms() []*Predicate { + if x != nil { + return x.Terms + } + return nil +} + +type OrPredicate struct { + state protoimpl.MessageState `protogen:"open.v1"` + Terms []*Predicate `protobuf:"bytes,1,rep,name=terms,proto3" json:"terms,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *OrPredicate) Reset() { + *x = OrPredicate{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[14] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *OrPredicate) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*OrPredicate) ProtoMessage() {} + +func (x *OrPredicate) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[14] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use OrPredicate.ProtoReflect.Descriptor instead. 
+func (*OrPredicate) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{14} +} + +func (x *OrPredicate) GetTerms() []*Predicate { + if x != nil { + return x.Terms + } + return nil +} + +type NotPredicate struct { + state protoimpl.MessageState `protogen:"open.v1"` + Term *Predicate `protobuf:"bytes,1,opt,name=term,proto3" json:"term,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *NotPredicate) Reset() { + *x = NotPredicate{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[15] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *NotPredicate) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*NotPredicate) ProtoMessage() {} + +func (x *NotPredicate) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[15] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use NotPredicate.ProtoReflect.Descriptor instead. +func (*NotPredicate) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{15} +} + +func (x *NotPredicate) GetTerm() *Predicate { + if x != nil { + return x.Term + } + return nil +} + +// ValueRef resolves to a string at runtime. +// Use literal for constants known at plan time. +// Use var_ref to read a value set by a previous node's result_var or by +// ExecutionPlan.bindings. 
+type ValueRef struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Types that are valid to be assigned to Kind: + // + // *ValueRef_Literal + // *ValueRef_VarRef + Kind isValueRef_Kind `protobuf_oneof:"kind"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ValueRef) Reset() { + *x = ValueRef{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[16] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ValueRef) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ValueRef) ProtoMessage() {} + +func (x *ValueRef) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[16] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ValueRef.ProtoReflect.Descriptor instead. +func (*ValueRef) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{16} +} + +func (x *ValueRef) GetKind() isValueRef_Kind { + if x != nil { + return x.Kind + } + return nil +} + +func (x *ValueRef) GetLiteral() string { + if x != nil { + if x, ok := x.Kind.(*ValueRef_Literal); ok { + return x.Literal + } + } + return "" +} + +func (x *ValueRef) GetVarRef() string { + if x != nil { + if x, ok := x.Kind.(*ValueRef_VarRef); ok { + return x.VarRef + } + } + return "" +} + +type isValueRef_Kind interface { + isValueRef_Kind() +} + +type ValueRef_Literal struct { + Literal string `protobuf:"bytes,1,opt,name=literal,proto3,oneof"` +} + +type ValueRef_VarRef struct { + VarRef string `protobuf:"bytes,2,opt,name=var_ref,json=varRef,proto3,oneof"` +} + +func (*ValueRef_Literal) isValueRef_Kind() {} + +func (*ValueRef_VarRef) isValueRef_Kind() {} + +// KeySyncNode provisions a key at the given tier, or is a no-op if the key +// already exists (idempotent). 
Core wraps the key under parent_key using the +// configured tier hierarchy. On success, result_var receives the key ULID. +type KeySyncNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + // tier is the Krypton tier name as declared in key-hierarchy config, + // e.g. "l2-domain", "l3-service", "l4-data". + Tier *ValueRef `protobuf:"bytes,1,opt,name=tier,proto3" json:"tier,omitempty"` + // key_name is the logical name scoped to the tenant. + KeyName *ValueRef `protobuf:"bytes,2,opt,name=key_name,json=keyName,proto3" json:"key_name,omitempty"` + // parent_key is the name of the wrapping key one tier above. + // Required for all tiers except L1 root keys. + ParentKey *ValueRef `protobuf:"bytes,3,opt,name=parent_key,json=parentKey,proto3" json:"parent_key,omitempty"` + // schedule, when set, is applied immediately after provisioning. + Schedule *KeyScheduleSpec `protobuf:"bytes,4,opt,name=schedule,proto3" json:"schedule,omitempty"` + // metadata is attached to the key record after successful provisioning. + Metadata map[string]string `protobuf:"bytes,5,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *KeySyncNode) Reset() { + *x = KeySyncNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[17] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *KeySyncNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*KeySyncNode) ProtoMessage() {} + +func (x *KeySyncNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[17] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use KeySyncNode.ProtoReflect.Descriptor instead. 
+func (*KeySyncNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{17} +} + +func (x *KeySyncNode) GetTier() *ValueRef { + if x != nil { + return x.Tier + } + return nil +} + +func (x *KeySyncNode) GetKeyName() *ValueRef { + if x != nil { + return x.KeyName + } + return nil +} + +func (x *KeySyncNode) GetParentKey() *ValueRef { + if x != nil { + return x.ParentKey + } + return nil +} + +func (x *KeySyncNode) GetSchedule() *KeyScheduleSpec { + if x != nil { + return x.Schedule + } + return nil +} + +func (x *KeySyncNode) GetMetadata() map[string]string { + if x != nil { + return x.Metadata + } + return nil +} + +// KeyDeleteNode destroys key material and all version lineages. +// Core enforces that no child keys exist before allowing deletion. +type KeyDeleteNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + Tier *ValueRef `protobuf:"bytes,1,opt,name=tier,proto3" json:"tier,omitempty"` + KeyName *ValueRef `protobuf:"bytes,2,opt,name=key_name,json=keyName,proto3" json:"key_name,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *KeyDeleteNode) Reset() { + *x = KeyDeleteNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[18] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *KeyDeleteNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*KeyDeleteNode) ProtoMessage() {} + +func (x *KeyDeleteNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[18] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use KeyDeleteNode.ProtoReflect.Descriptor instead. 
+func (*KeyDeleteNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{18} +} + +func (x *KeyDeleteNode) GetTier() *ValueRef { + if x != nil { + return x.Tier + } + return nil +} + +func (x *KeyDeleteNode) GetKeyName() *ValueRef { + if x != nil { + return x.KeyName + } + return nil +} + +// KeyTransitionNode explicitly moves a key to a target lifecycle state. +// Valid target_state values: PRE_ACTIVATION, ACTIVE, SUSPENDED, DEACTIVATED, +// +// COMPROMISED, PENDING_DESTROYING, DESTROYED. +type KeyTransitionNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + Tier *ValueRef `protobuf:"bytes,1,opt,name=tier,proto3" json:"tier,omitempty"` + KeyName *ValueRef `protobuf:"bytes,2,opt,name=key_name,json=keyName,proto3" json:"key_name,omitempty"` + TargetState string `protobuf:"bytes,3,opt,name=target_state,json=targetState,proto3" json:"target_state,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *KeyTransitionNode) Reset() { + *x = KeyTransitionNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[19] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *KeyTransitionNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*KeyTransitionNode) ProtoMessage() {} + +func (x *KeyTransitionNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[19] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use KeyTransitionNode.ProtoReflect.Descriptor instead. 
+func (*KeyTransitionNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{19} +} + +func (x *KeyTransitionNode) GetTier() *ValueRef { + if x != nil { + return x.Tier + } + return nil +} + +func (x *KeyTransitionNode) GetKeyName() *ValueRef { + if x != nil { + return x.KeyName + } + return nil +} + +func (x *KeyTransitionNode) GetTargetState() string { + if x != nil { + return x.TargetState + } + return "" +} + +// KeyRotateNode generates new key material under the same logical key name +// (forced rotation — bypasses the idempotency guard in ProvisionKey). +// On success, result_var receives the new key ULID. +type KeyRotateNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + Tier *ValueRef `protobuf:"bytes,1,opt,name=tier,proto3" json:"tier,omitempty"` + KeyName *ValueRef `protobuf:"bytes,2,opt,name=key_name,json=keyName,proto3" json:"key_name,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *KeyRotateNode) Reset() { + *x = KeyRotateNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[20] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *KeyRotateNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*KeyRotateNode) ProtoMessage() {} + +func (x *KeyRotateNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[20] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use KeyRotateNode.ProtoReflect.Descriptor instead. 
+func (*KeyRotateNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{20} +} + +func (x *KeyRotateNode) GetTier() *ValueRef { + if x != nil { + return x.Tier + } + return nil +} + +func (x *KeyRotateNode) GetKeyName() *ValueRef { + if x != nil { + return x.KeyName + } + return nil +} + +// KeyScheduleNode updates the scheduled lifecycle transition for an existing key. +type KeyScheduleNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + Tier *ValueRef `protobuf:"bytes,1,opt,name=tier,proto3" json:"tier,omitempty"` + KeyName *ValueRef `protobuf:"bytes,2,opt,name=key_name,json=keyName,proto3" json:"key_name,omitempty"` + Schedule *KeyScheduleSpec `protobuf:"bytes,3,opt,name=schedule,proto3" json:"schedule,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *KeyScheduleNode) Reset() { + *x = KeyScheduleNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[21] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *KeyScheduleNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*KeyScheduleNode) ProtoMessage() {} + +func (x *KeyScheduleNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[21] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use KeyScheduleNode.ProtoReflect.Descriptor instead. 
+func (*KeyScheduleNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{21} +} + +func (x *KeyScheduleNode) GetTier() *ValueRef { + if x != nil { + return x.Tier + } + return nil +} + +func (x *KeyScheduleNode) GetKeyName() *ValueRef { + if x != nil { + return x.KeyName + } + return nil +} + +func (x *KeyScheduleNode) GetSchedule() *KeyScheduleSpec { + if x != nil { + return x.Schedule + } + return nil +} + +// KeyScheduleSpec carries timing parameters for a scheduled state transition. +// All fields are optional — set only the ones you need. +type KeyScheduleSpec struct { + state protoimpl.MessageState `protogen:"open.v1"` + ExpiresAt *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=expires_at,json=expiresAt,proto3,oneof" json:"expires_at,omitempty"` + ScheduledTransitionAt *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=scheduled_transition_at,json=scheduledTransitionAt,proto3,oneof" json:"scheduled_transition_at,omitempty"` + // transition_to is the target KeyState when scheduled_transition_at fires. + TransitionTo *string `protobuf:"bytes,3,opt,name=transition_to,json=transitionTo,proto3,oneof" json:"transition_to,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *KeyScheduleSpec) Reset() { + *x = KeyScheduleSpec{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[22] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *KeyScheduleSpec) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*KeyScheduleSpec) ProtoMessage() {} + +func (x *KeyScheduleSpec) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[22] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use KeyScheduleSpec.ProtoReflect.Descriptor instead. 
+func (*KeyScheduleSpec) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{22} +} + +func (x *KeyScheduleSpec) GetExpiresAt() *timestamppb.Timestamp { + if x != nil { + return x.ExpiresAt + } + return nil +} + +func (x *KeyScheduleSpec) GetScheduledTransitionAt() *timestamppb.Timestamp { + if x != nil { + return x.ScheduledTransitionAt + } + return nil +} + +func (x *KeyScheduleSpec) GetTransitionTo() string { + if x != nil && x.TransitionTo != nil { + return *x.TransitionTo + } + return "" +} + +// CredentialSyncNode creates or updates a credential. +// spec is the full credential payload; core encrypts it using the tenant keyring. +type CredentialSyncNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + Name *ValueRef `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + Type *ValueRef `protobuf:"bytes,2,opt,name=type,proto3" json:"type,omitempty"` + Spec *structpb.Struct `protobuf:"bytes,3,opt,name=spec,proto3" json:"spec,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *CredentialSyncNode) Reset() { + *x = CredentialSyncNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[23] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *CredentialSyncNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CredentialSyncNode) ProtoMessage() {} + +func (x *CredentialSyncNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[23] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CredentialSyncNode.ProtoReflect.Descriptor instead. 
+func (*CredentialSyncNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{23} +} + +func (x *CredentialSyncNode) GetName() *ValueRef { + if x != nil { + return x.Name + } + return nil +} + +func (x *CredentialSyncNode) GetType() *ValueRef { + if x != nil { + return x.Type + } + return nil +} + +func (x *CredentialSyncNode) GetSpec() *structpb.Struct { + if x != nil { + return x.Spec + } + return nil +} + +// CredentialDeleteNode removes a credential record. +type CredentialDeleteNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + Name *ValueRef `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *CredentialDeleteNode) Reset() { + *x = CredentialDeleteNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[24] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *CredentialDeleteNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CredentialDeleteNode) ProtoMessage() {} + +func (x *CredentialDeleteNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[24] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CredentialDeleteNode.ProtoReflect.Descriptor instead. +func (*CredentialDeleteNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{24} +} + +func (x *CredentialDeleteNode) GetName() *ValueRef { + if x != nil { + return x.Name + } + return nil +} + +// BindNode sets a named variable in the execution state. +// Useful for deriving values from existing bindings before referencing them. 
+type BindNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + VarName string `protobuf:"bytes,1,opt,name=var_name,json=varName,proto3" json:"var_name,omitempty"` + Value *ValueRef `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *BindNode) Reset() { + *x = BindNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[25] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *BindNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*BindNode) ProtoMessage() {} + +func (x *BindNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[25] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use BindNode.ProtoReflect.Descriptor instead. +func (*BindNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{25} +} + +func (x *BindNode) GetVarName() string { + if x != nil { + return x.VarName + } + return "" +} + +func (x *BindNode) GetValue() *ValueRef { + if x != nil { + return x.Value + } + return nil +} + +// EmitNode writes a structured event to Krypton's audit trail. 
+type EmitNode struct { + state protoimpl.MessageState `protogen:"open.v1"` + EventType string `protobuf:"bytes,1,opt,name=event_type,json=eventType,proto3" json:"event_type,omitempty"` + Attributes map[string]string `protobuf:"bytes,2,rep,name=attributes,proto3" json:"attributes,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *EmitNode) Reset() { + *x = EmitNode{} + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[26] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *EmitNode) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*EmitNode) ProtoMessage() {} + +func (x *EmitNode) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[26] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use EmitNode.ProtoReflect.Descriptor instead. 
+func (*EmitNode) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{26} +} + +func (x *EmitNode) GetEventType() string { + if x != nil { + return x.EventType + } + return "" +} + +func (x *EmitNode) GetAttributes() map[string]string { + if x != nil { + return x.Attributes + } + return nil +} + +var File_plugin_reconciler_v1_ast_proto protoreflect.FileDescriptor + +const file_plugin_reconciler_v1_ast_proto_rawDesc = "" + + "\n" + + "\x1eplugin/reconciler/v1/ast.proto\x12\x15krypton.reconciler.v1\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xe9\x01\n" + + "\rExecutionPlan\x12\x17\n" + + "\aplan_id\x18\x01 \x01(\tR\x06planId\x122\n" + + "\x04root\x18\x02 \x01(\v2\x1e.krypton.reconciler.v1.ASTNodeR\x04root\x12N\n" + + "\bbindings\x18\x03 \x03(\v22.krypton.reconciler.v1.ExecutionPlan.BindingsEntryR\bbindings\x1a;\n" + + "\rBindingsEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\x8a\t\n" + + "\aASTNode\x12\x17\n" + + "\anode_id\x18\x01 \x01(\tR\x06nodeId\x12\x14\n" + + "\x05label\x18\x02 \x01(\tR\x05label\x12\x1d\n" + + "\n" + + "result_var\x18\x03 \x01(\tR\tresultVar\x12A\n" + + "\bsequence\x18\n" + + " \x01(\v2#.krypton.reconciler.v1.SequenceNodeH\x00R\bsequence\x12A\n" + + "\bparallel\x18\v \x01(\v2#.krypton.reconciler.v1.ParallelNodeH\x00R\bparallel\x12J\n" + + "\vconditional\x18\f \x01(\v2&.krypton.reconciler.v1.ConditionalNodeH\x00R\vconditional\x12B\n" + + "\ttry_catch\x18\r \x01(\v2#.krypton.reconciler.v1.TryCatchNodeH\x00R\btryCatch\x12G\n" + + "\n" + + "checkpoint\x18\x0e \x01(\v2%.krypton.reconciler.v1.CheckpointNodeH\x00R\n" + + "checkpoint\x12;\n" + + "\x06assert\x18\x14 \x01(\v2!.krypton.reconciler.v1.AssertNodeH\x00R\x06assert\x12?\n" + + "\bkey_sync\x18\x1e \x01(\v2\".krypton.reconciler.v1.KeySyncNodeH\x00R\akeySync\x12E\n" + + "\n" + + "key_delete\x18\x1f 
\x01(\v2$.krypton.reconciler.v1.KeyDeleteNodeH\x00R\tkeyDelete\x12Q\n" + + "\x0ekey_transition\x18 \x01(\v2(.krypton.reconciler.v1.KeyTransitionNodeH\x00R\rkeyTransition\x12E\n" + + "\n" + + "key_rotate\x18! \x01(\v2$.krypton.reconciler.v1.KeyRotateNodeH\x00R\tkeyRotate\x12K\n" + + "\fkey_schedule\x18\" \x01(\v2&.krypton.reconciler.v1.KeyScheduleNodeH\x00R\vkeySchedule\x12T\n" + + "\x0fcredential_sync\x18( \x01(\v2).krypton.reconciler.v1.CredentialSyncNodeH\x00R\x0ecredentialSync\x12Z\n" + + "\x11credential_delete\x18) \x01(\v2+.krypton.reconciler.v1.CredentialDeleteNodeH\x00R\x10credentialDelete\x125\n" + + "\x04bind\x18< \x01(\v2\x1f.krypton.reconciler.v1.BindNodeH\x00R\x04bind\x125\n" + + "\x04emit\x18= \x01(\v2\x1f.krypton.reconciler.v1.EmitNodeH\x00R\x04emitB\x06\n" + + "\x04node\"D\n" + + "\fSequenceNode\x124\n" + + "\x05steps\x18\x01 \x03(\v2\x1e.krypton.reconciler.v1.ASTNodeR\x05steps\"a\n" + + "\fParallelNode\x124\n" + + "\x05steps\x18\x01 \x03(\v2\x1e.krypton.reconciler.v1.ASTNodeR\x05steps\x12\x1b\n" + + "\tfail_fast\x18\x02 \x01(\bR\bfailFast\"\xcb\x01\n" + + "\x0fConditionalNode\x12>\n" + + "\tcondition\x18\x01 \x01(\v2 .krypton.reconciler.v1.PredicateR\tcondition\x12;\n" + + "\tthen_node\x18\x02 \x01(\v2\x1e.krypton.reconciler.v1.ASTNodeR\bthenNode\x12;\n" + + "\telse_node\x18\x03 \x01(\v2\x1e.krypton.reconciler.v1.ASTNodeR\belseNode\"\x88\x01\n" + + "\fTryCatchNode\x129\n" + + "\btry_node\x18\x01 \x01(\v2\x1e.krypton.reconciler.v1.ASTNodeR\atryNode\x12=\n" + + "\n" + + "catch_node\x18\x02 \x01(\v2\x1e.krypton.reconciler.v1.ASTNodeR\tcatchNode\"\x10\n" + + "\x0eCheckpointNode\"q\n" + + "\n" + + "AssertNode\x12>\n" + + "\tcondition\x18\x01 \x01(\v2 .krypton.reconciler.v1.PredicateR\tcondition\x12#\n" + + "\rerror_message\x18\x02 \x01(\tR\ferrorMessage\"\x86\x04\n" + + "\tPredicate\x12J\n" + + "\n" + + "key_exists\x18\x01 \x01(\v2).krypton.reconciler.v1.KeyExistsPredicateH\x00R\tkeyExists\x12G\n" + + "\tkey_state\x18\x02 
\x01(\v2(.krypton.reconciler.v1.KeyStatePredicateH\x00R\bkeyState\x12S\n" + + "\rtenant_active\x18\x03 \x01(\v2,.krypton.reconciler.v1.TenantActivePredicateH\x00R\ftenantActive\x12_\n" + + "\x11credential_exists\x18\x04 \x01(\v20.krypton.reconciler.v1.CredentialExistsPredicateH\x00R\x10credentialExists\x127\n" + + "\x03and\x18\n" + + " \x01(\v2#.krypton.reconciler.v1.AndPredicateH\x00R\x03and\x124\n" + + "\x02or\x18\v \x01(\v2\".krypton.reconciler.v1.OrPredicateH\x00R\x02or\x127\n" + + "\x03not\x18\f \x01(\v2#.krypton.reconciler.v1.NotPredicateH\x00R\x03notB\x06\n" + + "\x04expr\"\x85\x01\n" + + "\x12KeyExistsPredicate\x123\n" + + "\x04tier\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04tier\x12:\n" + + "\bkey_name\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\akeyName\"\xab\x01\n" + + "\x11KeyStatePredicate\x123\n" + + "\x04tier\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04tier\x12:\n" + + "\bkey_name\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\akeyName\x12%\n" + + "\x0eallowed_states\x18\x03 \x03(\tR\rallowedStates\"U\n" + + "\x15TenantActivePredicate\x12<\n" + + "\ttenant_id\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\btenantId\"P\n" + + "\x19CredentialExistsPredicate\x123\n" + + "\x04name\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04name\"F\n" + + "\fAndPredicate\x126\n" + + "\x05terms\x18\x01 \x03(\v2 .krypton.reconciler.v1.PredicateR\x05terms\"E\n" + + "\vOrPredicate\x126\n" + + "\x05terms\x18\x01 \x03(\v2 .krypton.reconciler.v1.PredicateR\x05terms\"D\n" + + "\fNotPredicate\x124\n" + + "\x04term\x18\x01 \x01(\v2 .krypton.reconciler.v1.PredicateR\x04term\"I\n" + + "\bValueRef\x12\x1a\n" + + "\aliteral\x18\x01 \x01(\tH\x00R\aliteral\x12\x19\n" + + "\avar_ref\x18\x02 \x01(\tH\x00R\x06varRefB\x06\n" + + "\x04kind\"\x8d\x03\n" + + "\vKeySyncNode\x123\n" + + "\x04tier\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04tier\x12:\n" + + "\bkey_name\x18\x02 
\x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\akeyName\x12>\n" + + "\n" + + "parent_key\x18\x03 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\tparentKey\x12B\n" + + "\bschedule\x18\x04 \x01(\v2&.krypton.reconciler.v1.KeyScheduleSpecR\bschedule\x12L\n" + + "\bmetadata\x18\x05 \x03(\v20.krypton.reconciler.v1.KeySyncNode.MetadataEntryR\bmetadata\x1a;\n" + + "\rMetadataEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\x80\x01\n" + + "\rKeyDeleteNode\x123\n" + + "\x04tier\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04tier\x12:\n" + + "\bkey_name\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\akeyName\"\xa7\x01\n" + + "\x11KeyTransitionNode\x123\n" + + "\x04tier\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04tier\x12:\n" + + "\bkey_name\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\akeyName\x12!\n" + + "\ftarget_state\x18\x03 \x01(\tR\vtargetState\"\x80\x01\n" + + "\rKeyRotateNode\x123\n" + + "\x04tier\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04tier\x12:\n" + + "\bkey_name\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\akeyName\"\xc6\x01\n" + + "\x0fKeyScheduleNode\x123\n" + + "\x04tier\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04tier\x12:\n" + + "\bkey_name\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\akeyName\x12B\n" + + "\bschedule\x18\x03 \x01(\v2&.krypton.reconciler.v1.KeyScheduleSpecR\bschedule\"\x91\x02\n" + + "\x0fKeyScheduleSpec\x12>\n" + + "\n" + + "expires_at\x18\x01 \x01(\v2\x1a.google.protobuf.TimestampH\x00R\texpiresAt\x88\x01\x01\x12W\n" + + "\x17scheduled_transition_at\x18\x02 \x01(\v2\x1a.google.protobuf.TimestampH\x01R\x15scheduledTransitionAt\x88\x01\x01\x12(\n" + + "\rtransition_to\x18\x03 \x01(\tH\x02R\ftransitionTo\x88\x01\x01B\r\n" + + "\v_expires_atB\x1a\n" + + "\x18_scheduled_transition_atB\x10\n" + + "\x0e_transition_to\"\xab\x01\n" + + "\x12CredentialSyncNode\x123\n" + + "\x04name\x18\x01 
\x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04name\x123\n" + + "\x04type\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04type\x12+\n" + + "\x04spec\x18\x03 \x01(\v2\x17.google.protobuf.StructR\x04spec\"K\n" + + "\x14CredentialDeleteNode\x123\n" + + "\x04name\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04name\"\\\n" + + "\bBindNode\x12\x19\n" + + "\bvar_name\x18\x01 \x01(\tR\avarName\x125\n" + + "\x05value\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x05value\"\xb9\x01\n" + + "\bEmitNode\x12\x1d\n" + + "\n" + + "event_type\x18\x01 \x01(\tR\teventType\x12O\n" + + "\n" + + "attributes\x18\x02 \x03(\v2/.krypton.reconciler.v1.EmitNode.AttributesEntryR\n" + + "attributes\x1a=\n" + + "\x0fAttributesEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\xe2\x01\n" + + "\x19com.krypton.reconciler.v1B\bAstProtoP\x01ZEgithub.com/openkcm/plugin-sdk/proto/plugin/reconciler/v1;reconcilerv1\xa2\x02\x03KRX\xaa\x02\x15Krypton.Reconciler.V1\xca\x02\x15Krypton\\Reconciler\\V1\xe2\x02!Krypton\\Reconciler\\V1\\GPBMetadata\xea\x02\x17Krypton::Reconciler::V1b\x06proto3" + +var ( + file_plugin_reconciler_v1_ast_proto_rawDescOnce sync.Once + file_plugin_reconciler_v1_ast_proto_rawDescData []byte +) + +func file_plugin_reconciler_v1_ast_proto_rawDescGZIP() []byte { + file_plugin_reconciler_v1_ast_proto_rawDescOnce.Do(func() { + file_plugin_reconciler_v1_ast_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_plugin_reconciler_v1_ast_proto_rawDesc), len(file_plugin_reconciler_v1_ast_proto_rawDesc))) + }) + return file_plugin_reconciler_v1_ast_proto_rawDescData +} + +var file_plugin_reconciler_v1_ast_proto_msgTypes = make([]protoimpl.MessageInfo, 30) +var file_plugin_reconciler_v1_ast_proto_goTypes = []any{ + (*ExecutionPlan)(nil), // 0: krypton.reconciler.v1.ExecutionPlan + (*ASTNode)(nil), // 1: krypton.reconciler.v1.ASTNode + (*SequenceNode)(nil), // 2: 
krypton.reconciler.v1.SequenceNode + (*ParallelNode)(nil), // 3: krypton.reconciler.v1.ParallelNode + (*ConditionalNode)(nil), // 4: krypton.reconciler.v1.ConditionalNode + (*TryCatchNode)(nil), // 5: krypton.reconciler.v1.TryCatchNode + (*CheckpointNode)(nil), // 6: krypton.reconciler.v1.CheckpointNode + (*AssertNode)(nil), // 7: krypton.reconciler.v1.AssertNode + (*Predicate)(nil), // 8: krypton.reconciler.v1.Predicate + (*KeyExistsPredicate)(nil), // 9: krypton.reconciler.v1.KeyExistsPredicate + (*KeyStatePredicate)(nil), // 10: krypton.reconciler.v1.KeyStatePredicate + (*TenantActivePredicate)(nil), // 11: krypton.reconciler.v1.TenantActivePredicate + (*CredentialExistsPredicate)(nil), // 12: krypton.reconciler.v1.CredentialExistsPredicate + (*AndPredicate)(nil), // 13: krypton.reconciler.v1.AndPredicate + (*OrPredicate)(nil), // 14: krypton.reconciler.v1.OrPredicate + (*NotPredicate)(nil), // 15: krypton.reconciler.v1.NotPredicate + (*ValueRef)(nil), // 16: krypton.reconciler.v1.ValueRef + (*KeySyncNode)(nil), // 17: krypton.reconciler.v1.KeySyncNode + (*KeyDeleteNode)(nil), // 18: krypton.reconciler.v1.KeyDeleteNode + (*KeyTransitionNode)(nil), // 19: krypton.reconciler.v1.KeyTransitionNode + (*KeyRotateNode)(nil), // 20: krypton.reconciler.v1.KeyRotateNode + (*KeyScheduleNode)(nil), // 21: krypton.reconciler.v1.KeyScheduleNode + (*KeyScheduleSpec)(nil), // 22: krypton.reconciler.v1.KeyScheduleSpec + (*CredentialSyncNode)(nil), // 23: krypton.reconciler.v1.CredentialSyncNode + (*CredentialDeleteNode)(nil), // 24: krypton.reconciler.v1.CredentialDeleteNode + (*BindNode)(nil), // 25: krypton.reconciler.v1.BindNode + (*EmitNode)(nil), // 26: krypton.reconciler.v1.EmitNode + nil, // 27: krypton.reconciler.v1.ExecutionPlan.BindingsEntry + nil, // 28: krypton.reconciler.v1.KeySyncNode.MetadataEntry + nil, // 29: krypton.reconciler.v1.EmitNode.AttributesEntry + (*timestamppb.Timestamp)(nil), // 30: google.protobuf.Timestamp + (*structpb.Struct)(nil), // 31: 
google.protobuf.Struct +} +var file_plugin_reconciler_v1_ast_proto_depIdxs = []int32{ + 1, // 0: krypton.reconciler.v1.ExecutionPlan.root:type_name -> krypton.reconciler.v1.ASTNode + 27, // 1: krypton.reconciler.v1.ExecutionPlan.bindings:type_name -> krypton.reconciler.v1.ExecutionPlan.BindingsEntry + 2, // 2: krypton.reconciler.v1.ASTNode.sequence:type_name -> krypton.reconciler.v1.SequenceNode + 3, // 3: krypton.reconciler.v1.ASTNode.parallel:type_name -> krypton.reconciler.v1.ParallelNode + 4, // 4: krypton.reconciler.v1.ASTNode.conditional:type_name -> krypton.reconciler.v1.ConditionalNode + 5, // 5: krypton.reconciler.v1.ASTNode.try_catch:type_name -> krypton.reconciler.v1.TryCatchNode + 6, // 6: krypton.reconciler.v1.ASTNode.checkpoint:type_name -> krypton.reconciler.v1.CheckpointNode + 7, // 7: krypton.reconciler.v1.ASTNode.assert:type_name -> krypton.reconciler.v1.AssertNode + 17, // 8: krypton.reconciler.v1.ASTNode.key_sync:type_name -> krypton.reconciler.v1.KeySyncNode + 18, // 9: krypton.reconciler.v1.ASTNode.key_delete:type_name -> krypton.reconciler.v1.KeyDeleteNode + 19, // 10: krypton.reconciler.v1.ASTNode.key_transition:type_name -> krypton.reconciler.v1.KeyTransitionNode + 20, // 11: krypton.reconciler.v1.ASTNode.key_rotate:type_name -> krypton.reconciler.v1.KeyRotateNode + 21, // 12: krypton.reconciler.v1.ASTNode.key_schedule:type_name -> krypton.reconciler.v1.KeyScheduleNode + 23, // 13: krypton.reconciler.v1.ASTNode.credential_sync:type_name -> krypton.reconciler.v1.CredentialSyncNode + 24, // 14: krypton.reconciler.v1.ASTNode.credential_delete:type_name -> krypton.reconciler.v1.CredentialDeleteNode + 25, // 15: krypton.reconciler.v1.ASTNode.bind:type_name -> krypton.reconciler.v1.BindNode + 26, // 16: krypton.reconciler.v1.ASTNode.emit:type_name -> krypton.reconciler.v1.EmitNode + 1, // 17: krypton.reconciler.v1.SequenceNode.steps:type_name -> krypton.reconciler.v1.ASTNode + 1, // 18: krypton.reconciler.v1.ParallelNode.steps:type_name -> 
krypton.reconciler.v1.ASTNode + 8, // 19: krypton.reconciler.v1.ConditionalNode.condition:type_name -> krypton.reconciler.v1.Predicate + 1, // 20: krypton.reconciler.v1.ConditionalNode.then_node:type_name -> krypton.reconciler.v1.ASTNode + 1, // 21: krypton.reconciler.v1.ConditionalNode.else_node:type_name -> krypton.reconciler.v1.ASTNode + 1, // 22: krypton.reconciler.v1.TryCatchNode.try_node:type_name -> krypton.reconciler.v1.ASTNode + 1, // 23: krypton.reconciler.v1.TryCatchNode.catch_node:type_name -> krypton.reconciler.v1.ASTNode + 8, // 24: krypton.reconciler.v1.AssertNode.condition:type_name -> krypton.reconciler.v1.Predicate + 9, // 25: krypton.reconciler.v1.Predicate.key_exists:type_name -> krypton.reconciler.v1.KeyExistsPredicate + 10, // 26: krypton.reconciler.v1.Predicate.key_state:type_name -> krypton.reconciler.v1.KeyStatePredicate + 11, // 27: krypton.reconciler.v1.Predicate.tenant_active:type_name -> krypton.reconciler.v1.TenantActivePredicate + 12, // 28: krypton.reconciler.v1.Predicate.credential_exists:type_name -> krypton.reconciler.v1.CredentialExistsPredicate + 13, // 29: krypton.reconciler.v1.Predicate.and:type_name -> krypton.reconciler.v1.AndPredicate + 14, // 30: krypton.reconciler.v1.Predicate.or:type_name -> krypton.reconciler.v1.OrPredicate + 15, // 31: krypton.reconciler.v1.Predicate.not:type_name -> krypton.reconciler.v1.NotPredicate + 16, // 32: krypton.reconciler.v1.KeyExistsPredicate.tier:type_name -> krypton.reconciler.v1.ValueRef + 16, // 33: krypton.reconciler.v1.KeyExistsPredicate.key_name:type_name -> krypton.reconciler.v1.ValueRef + 16, // 34: krypton.reconciler.v1.KeyStatePredicate.tier:type_name -> krypton.reconciler.v1.ValueRef + 16, // 35: krypton.reconciler.v1.KeyStatePredicate.key_name:type_name -> krypton.reconciler.v1.ValueRef + 16, // 36: krypton.reconciler.v1.TenantActivePredicate.tenant_id:type_name -> krypton.reconciler.v1.ValueRef + 16, // 37: krypton.reconciler.v1.CredentialExistsPredicate.name:type_name -> 
krypton.reconciler.v1.ValueRef + 8, // 38: krypton.reconciler.v1.AndPredicate.terms:type_name -> krypton.reconciler.v1.Predicate + 8, // 39: krypton.reconciler.v1.OrPredicate.terms:type_name -> krypton.reconciler.v1.Predicate + 8, // 40: krypton.reconciler.v1.NotPredicate.term:type_name -> krypton.reconciler.v1.Predicate + 16, // 41: krypton.reconciler.v1.KeySyncNode.tier:type_name -> krypton.reconciler.v1.ValueRef + 16, // 42: krypton.reconciler.v1.KeySyncNode.key_name:type_name -> krypton.reconciler.v1.ValueRef + 16, // 43: krypton.reconciler.v1.KeySyncNode.parent_key:type_name -> krypton.reconciler.v1.ValueRef + 22, // 44: krypton.reconciler.v1.KeySyncNode.schedule:type_name -> krypton.reconciler.v1.KeyScheduleSpec + 28, // 45: krypton.reconciler.v1.KeySyncNode.metadata:type_name -> krypton.reconciler.v1.KeySyncNode.MetadataEntry + 16, // 46: krypton.reconciler.v1.KeyDeleteNode.tier:type_name -> krypton.reconciler.v1.ValueRef + 16, // 47: krypton.reconciler.v1.KeyDeleteNode.key_name:type_name -> krypton.reconciler.v1.ValueRef + 16, // 48: krypton.reconciler.v1.KeyTransitionNode.tier:type_name -> krypton.reconciler.v1.ValueRef + 16, // 49: krypton.reconciler.v1.KeyTransitionNode.key_name:type_name -> krypton.reconciler.v1.ValueRef + 16, // 50: krypton.reconciler.v1.KeyRotateNode.tier:type_name -> krypton.reconciler.v1.ValueRef + 16, // 51: krypton.reconciler.v1.KeyRotateNode.key_name:type_name -> krypton.reconciler.v1.ValueRef + 16, // 52: krypton.reconciler.v1.KeyScheduleNode.tier:type_name -> krypton.reconciler.v1.ValueRef + 16, // 53: krypton.reconciler.v1.KeyScheduleNode.key_name:type_name -> krypton.reconciler.v1.ValueRef + 22, // 54: krypton.reconciler.v1.KeyScheduleNode.schedule:type_name -> krypton.reconciler.v1.KeyScheduleSpec + 30, // 55: krypton.reconciler.v1.KeyScheduleSpec.expires_at:type_name -> google.protobuf.Timestamp + 30, // 56: krypton.reconciler.v1.KeyScheduleSpec.scheduled_transition_at:type_name -> google.protobuf.Timestamp + 16, // 57: 
krypton.reconciler.v1.CredentialSyncNode.name:type_name -> krypton.reconciler.v1.ValueRef + 16, // 58: krypton.reconciler.v1.CredentialSyncNode.type:type_name -> krypton.reconciler.v1.ValueRef + 31, // 59: krypton.reconciler.v1.CredentialSyncNode.spec:type_name -> google.protobuf.Struct + 16, // 60: krypton.reconciler.v1.CredentialDeleteNode.name:type_name -> krypton.reconciler.v1.ValueRef + 16, // 61: krypton.reconciler.v1.BindNode.value:type_name -> krypton.reconciler.v1.ValueRef + 29, // 62: krypton.reconciler.v1.EmitNode.attributes:type_name -> krypton.reconciler.v1.EmitNode.AttributesEntry + 63, // [63:63] is the sub-list for method output_type + 63, // [63:63] is the sub-list for method input_type + 63, // [63:63] is the sub-list for extension type_name + 63, // [63:63] is the sub-list for extension extendee + 0, // [0:63] is the sub-list for field type_name +} + +func init() { file_plugin_reconciler_v1_ast_proto_init() } +func file_plugin_reconciler_v1_ast_proto_init() { + if File_plugin_reconciler_v1_ast_proto != nil { + return + } + file_plugin_reconciler_v1_ast_proto_msgTypes[1].OneofWrappers = []any{ + (*ASTNode_Sequence)(nil), + (*ASTNode_Parallel)(nil), + (*ASTNode_Conditional)(nil), + (*ASTNode_TryCatch)(nil), + (*ASTNode_Checkpoint)(nil), + (*ASTNode_Assert)(nil), + (*ASTNode_KeySync)(nil), + (*ASTNode_KeyDelete)(nil), + (*ASTNode_KeyTransition)(nil), + (*ASTNode_KeyRotate)(nil), + (*ASTNode_KeySchedule)(nil), + (*ASTNode_CredentialSync)(nil), + (*ASTNode_CredentialDelete)(nil), + (*ASTNode_Bind)(nil), + (*ASTNode_Emit)(nil), + } + file_plugin_reconciler_v1_ast_proto_msgTypes[8].OneofWrappers = []any{ + (*Predicate_KeyExists)(nil), + (*Predicate_KeyState)(nil), + (*Predicate_TenantActive)(nil), + (*Predicate_CredentialExists)(nil), + (*Predicate_And)(nil), + (*Predicate_Or)(nil), + (*Predicate_Not)(nil), + } + file_plugin_reconciler_v1_ast_proto_msgTypes[16].OneofWrappers = []any{ + (*ValueRef_Literal)(nil), + (*ValueRef_VarRef)(nil), + } + 
file_plugin_reconciler_v1_ast_proto_msgTypes[22].OneofWrappers = []any{} + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_plugin_reconciler_v1_ast_proto_rawDesc), len(file_plugin_reconciler_v1_ast_proto_rawDesc)), + NumEnums: 0, + NumMessages: 30, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_plugin_reconciler_v1_ast_proto_goTypes, + DependencyIndexes: file_plugin_reconciler_v1_ast_proto_depIdxs, + MessageInfos: file_plugin_reconciler_v1_ast_proto_msgTypes, + }.Build() + File_plugin_reconciler_v1_ast_proto = out.File + file_plugin_reconciler_v1_ast_proto_goTypes = nil + file_plugin_reconciler_v1_ast_proto_depIdxs = nil +} diff --git a/proto/plugin/reconciler/v1/ast.pb.validate.go b/proto/plugin/reconciler/v1/ast.pb.validate.go new file mode 100644 index 0000000..ec0d8f9 --- /dev/null +++ b/proto/plugin/reconciler/v1/ast.pb.validate.go 
@@ -0,0 +1,4835 @@ +// Code generated by protoc-gen-validate. DO NOT EDIT. +// source: plugin/reconciler/v1/ast.proto + +package reconcilerv1 + +import ( + "bytes" + "errors" + "fmt" + "net" + "net/mail" + "net/url" + "regexp" + "sort" + "strings" + "time" + "unicode/utf8" + + "google.golang.org/protobuf/types/known/anypb" +) + +// ensure the imports are used +var ( + _ = bytes.MinRead + _ = errors.New("") + _ = fmt.Print + _ = utf8.UTFMax + _ = (*regexp.Regexp)(nil) + _ = (*strings.Reader)(nil) + _ = net.IPv4len + _ = time.Duration(0) + _ = (*url.URL)(nil) + _ = (*mail.Address)(nil) + _ = anypb.Any{} + _ = sort.Sort +) + +// Validate checks the field values on ExecutionPlan with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *ExecutionPlan) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on ExecutionPlan with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in ExecutionPlanMultiError, or +// nil if none found. 
+func (m *ExecutionPlan) ValidateAll() error { + return m.validate(true) +} + +func (m *ExecutionPlan) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for PlanId + + if all { + switch v := interface{}(m.GetRoot()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ExecutionPlanValidationError{ + field: "Root", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ExecutionPlanValidationError{ + field: "Root", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetRoot()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ExecutionPlanValidationError{ + field: "Root", + reason: "embedded message failed validation", + cause: err, + } + } + } + + // no validation rules for Bindings + + if len(errors) > 0 { + return ExecutionPlanMultiError(errors) + } + + return nil +} + +// ExecutionPlanMultiError is an error wrapping multiple validation errors +// returned by ExecutionPlan.ValidateAll() if the designated constraints +// aren't met. +type ExecutionPlanMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m ExecutionPlanMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m ExecutionPlanMultiError) AllErrors() []error { return m } + +// ExecutionPlanValidationError is the validation error returned by +// ExecutionPlan.Validate if the designated constraints aren't met. +type ExecutionPlanValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. 
+func (e ExecutionPlanValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e ExecutionPlanValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e ExecutionPlanValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e ExecutionPlanValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e ExecutionPlanValidationError) ErrorName() string { return "ExecutionPlanValidationError" } + +// Error satisfies the builtin error interface +func (e ExecutionPlanValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sExecutionPlan.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = ExecutionPlanValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = ExecutionPlanValidationError{} + +// Validate checks the field values on ASTNode with the rules defined in the +// proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *ASTNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on ASTNode with the rules defined in the +// proto definition for this message. If any rules are violated, the result is +// a list of violation errors wrapped in ASTNodeMultiError, or nil if none found. 
+func (m *ASTNode) ValidateAll() error { + return m.validate(true) +} + +func (m *ASTNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for NodeId + + // no validation rules for Label + + // no validation rules for ResultVar + + switch v := m.Node.(type) { + case *ASTNode_Sequence: + if v == nil { + err := ASTNodeValidationError{ + field: "Node", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetSequence()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "Sequence", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "Sequence", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetSequence()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ASTNodeValidationError{ + field: "Sequence", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *ASTNode_Parallel: + if v == nil { + err := ASTNodeValidationError{ + field: "Node", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetParallel()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "Parallel", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "Parallel", + reason: "embedded message failed validation", + 
cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetParallel()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ASTNodeValidationError{ + field: "Parallel", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *ASTNode_Conditional: + if v == nil { + err := ASTNodeValidationError{ + field: "Node", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetConditional()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "Conditional", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "Conditional", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetConditional()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ASTNodeValidationError{ + field: "Conditional", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *ASTNode_TryCatch: + if v == nil { + err := ASTNodeValidationError{ + field: "Node", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetTryCatch()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "TryCatch", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "TryCatch", + reason: "embedded message failed validation", + cause: err, + }) + } + } + 
} else if v, ok := interface{}(m.GetTryCatch()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ASTNodeValidationError{ + field: "TryCatch", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *ASTNode_Checkpoint: + if v == nil { + err := ASTNodeValidationError{ + field: "Node", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetCheckpoint()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "Checkpoint", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "Checkpoint", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetCheckpoint()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ASTNodeValidationError{ + field: "Checkpoint", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *ASTNode_Assert: + if v == nil { + err := ASTNodeValidationError{ + field: "Node", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetAssert()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "Assert", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "Assert", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := 
interface{}(m.GetAssert()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ASTNodeValidationError{ + field: "Assert", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *ASTNode_KeySync: + if v == nil { + err := ASTNodeValidationError{ + field: "Node", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetKeySync()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "KeySync", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "KeySync", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKeySync()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ASTNodeValidationError{ + field: "KeySync", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *ASTNode_KeyDelete: + if v == nil { + err := ASTNodeValidationError{ + field: "Node", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetKeyDelete()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "KeyDelete", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "KeyDelete", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKeyDelete()).(interface{ 
Validate() error }); ok { + if err := v.Validate(); err != nil { + return ASTNodeValidationError{ + field: "KeyDelete", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *ASTNode_KeyTransition: + if v == nil { + err := ASTNodeValidationError{ + field: "Node", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetKeyTransition()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "KeyTransition", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "KeyTransition", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKeyTransition()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ASTNodeValidationError{ + field: "KeyTransition", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *ASTNode_KeyRotate: + if v == nil { + err := ASTNodeValidationError{ + field: "Node", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetKeyRotate()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "KeyRotate", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "KeyRotate", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKeyRotate()).(interface{ 
Validate() error }); ok { + if err := v.Validate(); err != nil { + return ASTNodeValidationError{ + field: "KeyRotate", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *ASTNode_KeySchedule: + if v == nil { + err := ASTNodeValidationError{ + field: "Node", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetKeySchedule()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "KeySchedule", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "KeySchedule", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKeySchedule()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ASTNodeValidationError{ + field: "KeySchedule", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *ASTNode_CredentialSync: + if v == nil { + err := ASTNodeValidationError{ + field: "Node", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetCredentialSync()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "CredentialSync", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "CredentialSync", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := 
interface{}(m.GetCredentialSync()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ASTNodeValidationError{ + field: "CredentialSync", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *ASTNode_CredentialDelete: + if v == nil { + err := ASTNodeValidationError{ + field: "Node", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetCredentialDelete()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "CredentialDelete", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "CredentialDelete", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetCredentialDelete()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ASTNodeValidationError{ + field: "CredentialDelete", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *ASTNode_Bind: + if v == nil { + err := ASTNodeValidationError{ + field: "Node", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetBind()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "Bind", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "Bind", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := 
interface{}(m.GetBind()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ASTNodeValidationError{ + field: "Bind", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *ASTNode_Emit: + if v == nil { + err := ASTNodeValidationError{ + field: "Node", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetEmit()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "Emit", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ASTNodeValidationError{ + field: "Emit", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetEmit()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ASTNodeValidationError{ + field: "Emit", + reason: "embedded message failed validation", + cause: err, + } + } + } + + default: + _ = v // ensures v is used + } + + if len(errors) > 0 { + return ASTNodeMultiError(errors) + } + + return nil +} + +// ASTNodeMultiError is an error wrapping multiple validation errors returned +// by ASTNode.ValidateAll() if the designated constraints aren't met. +type ASTNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m ASTNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m ASTNodeMultiError) AllErrors() []error { return m } + +// ASTNodeValidationError is the validation error returned by ASTNode.Validate +// if the designated constraints aren't met. 
+type ASTNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e ASTNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e ASTNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e ASTNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e ASTNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e ASTNodeValidationError) ErrorName() string { return "ASTNodeValidationError" } + +// Error satisfies the builtin error interface +func (e ASTNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sASTNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = ASTNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = ASTNodeValidationError{} + +// Validate checks the field values on SequenceNode with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *SequenceNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on SequenceNode with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in SequenceNodeMultiError, or +// nil if none found. 
+func (m *SequenceNode) ValidateAll() error { + return m.validate(true) +} + +func (m *SequenceNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + for idx, item := range m.GetSteps() { + _, _ = idx, item + + if all { + switch v := interface{}(item).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, SequenceNodeValidationError{ + field: fmt.Sprintf("Steps[%v]", idx), + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, SequenceNodeValidationError{ + field: fmt.Sprintf("Steps[%v]", idx), + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(item).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return SequenceNodeValidationError{ + field: fmt.Sprintf("Steps[%v]", idx), + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + if len(errors) > 0 { + return SequenceNodeMultiError(errors) + } + + return nil +} + +// SequenceNodeMultiError is an error wrapping multiple validation errors +// returned by SequenceNode.ValidateAll() if the designated constraints aren't met. +type SequenceNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m SequenceNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m SequenceNodeMultiError) AllErrors() []error { return m } + +// SequenceNodeValidationError is the validation error returned by +// SequenceNode.Validate if the designated constraints aren't met. 
+type SequenceNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e SequenceNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e SequenceNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e SequenceNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e SequenceNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e SequenceNodeValidationError) ErrorName() string { return "SequenceNodeValidationError" } + +// Error satisfies the builtin error interface +func (e SequenceNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sSequenceNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = SequenceNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = SequenceNodeValidationError{} + +// Validate checks the field values on ParallelNode with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *ParallelNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on ParallelNode with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in ParallelNodeMultiError, or +// nil if none found. 
+func (m *ParallelNode) ValidateAll() error { + return m.validate(true) +} + +func (m *ParallelNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + for idx, item := range m.GetSteps() { + _, _ = idx, item + + if all { + switch v := interface{}(item).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ParallelNodeValidationError{ + field: fmt.Sprintf("Steps[%v]", idx), + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ParallelNodeValidationError{ + field: fmt.Sprintf("Steps[%v]", idx), + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(item).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ParallelNodeValidationError{ + field: fmt.Sprintf("Steps[%v]", idx), + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + // no validation rules for FailFast + + if len(errors) > 0 { + return ParallelNodeMultiError(errors) + } + + return nil +} + +// ParallelNodeMultiError is an error wrapping multiple validation errors +// returned by ParallelNode.ValidateAll() if the designated constraints aren't met. +type ParallelNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m ParallelNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m ParallelNodeMultiError) AllErrors() []error { return m } + +// ParallelNodeValidationError is the validation error returned by +// ParallelNode.Validate if the designated constraints aren't met. 
+type ParallelNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e ParallelNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e ParallelNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e ParallelNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e ParallelNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e ParallelNodeValidationError) ErrorName() string { return "ParallelNodeValidationError" } + +// Error satisfies the builtin error interface +func (e ParallelNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sParallelNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = ParallelNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = ParallelNodeValidationError{} + +// Validate checks the field values on ConditionalNode with the rules defined +// in the proto definition for this message. If any rules are violated, the +// first error encountered is returned, or nil if there are no violations. +func (m *ConditionalNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on ConditionalNode with the rules +// defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// ConditionalNodeMultiError, or nil if none found. 
+func (m *ConditionalNode) ValidateAll() error { + return m.validate(true) +} + +func (m *ConditionalNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetCondition()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ConditionalNodeValidationError{ + field: "Condition", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ConditionalNodeValidationError{ + field: "Condition", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetCondition()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ConditionalNodeValidationError{ + field: "Condition", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetThenNode()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ConditionalNodeValidationError{ + field: "ThenNode", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ConditionalNodeValidationError{ + field: "ThenNode", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetThenNode()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ConditionalNodeValidationError{ + field: "ThenNode", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetElseNode()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, ConditionalNodeValidationError{ + field: 
"ElseNode", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, ConditionalNodeValidationError{ + field: "ElseNode", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetElseNode()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return ConditionalNodeValidationError{ + field: "ElseNode", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(errors) > 0 { + return ConditionalNodeMultiError(errors) + } + + return nil +} + +// ConditionalNodeMultiError is an error wrapping multiple validation errors +// returned by ConditionalNode.ValidateAll() if the designated constraints +// aren't met. +type ConditionalNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m ConditionalNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m ConditionalNodeMultiError) AllErrors() []error { return m } + +// ConditionalNodeValidationError is the validation error returned by +// ConditionalNode.Validate if the designated constraints aren't met. +type ConditionalNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e ConditionalNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e ConditionalNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e ConditionalNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. 
+func (e ConditionalNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e ConditionalNodeValidationError) ErrorName() string { return "ConditionalNodeValidationError" } + +// Error satisfies the builtin error interface +func (e ConditionalNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sConditionalNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = ConditionalNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = ConditionalNodeValidationError{} + +// Validate checks the field values on TryCatchNode with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *TryCatchNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on TryCatchNode with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in TryCatchNodeMultiError, or +// nil if none found. 
+func (m *TryCatchNode) ValidateAll() error { + return m.validate(true) +} + +func (m *TryCatchNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetTryNode()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, TryCatchNodeValidationError{ + field: "TryNode", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, TryCatchNodeValidationError{ + field: "TryNode", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetTryNode()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return TryCatchNodeValidationError{ + field: "TryNode", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetCatchNode()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, TryCatchNodeValidationError{ + field: "CatchNode", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, TryCatchNodeValidationError{ + field: "CatchNode", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetCatchNode()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return TryCatchNodeValidationError{ + field: "CatchNode", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(errors) > 0 { + return TryCatchNodeMultiError(errors) + } + + return nil +} + +// TryCatchNodeMultiError is an error wrapping multiple validation errors +// returned by TryCatchNode.ValidateAll() if the designated constraints aren't met. 
+type TryCatchNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m TryCatchNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m TryCatchNodeMultiError) AllErrors() []error { return m } + +// TryCatchNodeValidationError is the validation error returned by +// TryCatchNode.Validate if the designated constraints aren't met. +type TryCatchNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e TryCatchNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e TryCatchNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e TryCatchNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e TryCatchNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e TryCatchNodeValidationError) ErrorName() string { return "TryCatchNodeValidationError" } + +// Error satisfies the builtin error interface +func (e TryCatchNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sTryCatchNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = TryCatchNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = TryCatchNodeValidationError{} + +// Validate checks the field values on CheckpointNode with the rules defined in +// the proto definition for this message. 
If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *CheckpointNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on CheckpointNode with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in CheckpointNodeMultiError, +// or nil if none found. +func (m *CheckpointNode) ValidateAll() error { + return m.validate(true) +} + +func (m *CheckpointNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if len(errors) > 0 { + return CheckpointNodeMultiError(errors) + } + + return nil +} + +// CheckpointNodeMultiError is an error wrapping multiple validation errors +// returned by CheckpointNode.ValidateAll() if the designated constraints +// aren't met. +type CheckpointNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m CheckpointNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m CheckpointNodeMultiError) AllErrors() []error { return m } + +// CheckpointNodeValidationError is the validation error returned by +// CheckpointNode.Validate if the designated constraints aren't met. +type CheckpointNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e CheckpointNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e CheckpointNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e CheckpointNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. 
+func (e CheckpointNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e CheckpointNodeValidationError) ErrorName() string { return "CheckpointNodeValidationError" } + +// Error satisfies the builtin error interface +func (e CheckpointNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sCheckpointNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = CheckpointNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = CheckpointNodeValidationError{} + +// Validate checks the field values on AssertNode with the rules defined in the +// proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *AssertNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on AssertNode with the rules defined in +// the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in AssertNodeMultiError, or +// nil if none found. 
+func (m *AssertNode) ValidateAll() error { + return m.validate(true) +} + +func (m *AssertNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetCondition()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, AssertNodeValidationError{ + field: "Condition", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, AssertNodeValidationError{ + field: "Condition", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetCondition()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return AssertNodeValidationError{ + field: "Condition", + reason: "embedded message failed validation", + cause: err, + } + } + } + + // no validation rules for ErrorMessage + + if len(errors) > 0 { + return AssertNodeMultiError(errors) + } + + return nil +} + +// AssertNodeMultiError is an error wrapping multiple validation errors +// returned by AssertNode.ValidateAll() if the designated constraints aren't met. +type AssertNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m AssertNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m AssertNodeMultiError) AllErrors() []error { return m } + +// AssertNodeValidationError is the validation error returned by +// AssertNode.Validate if the designated constraints aren't met. +type AssertNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. 
+func (e AssertNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e AssertNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e AssertNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e AssertNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e AssertNodeValidationError) ErrorName() string { return "AssertNodeValidationError" } + +// Error satisfies the builtin error interface +func (e AssertNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sAssertNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = AssertNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = AssertNodeValidationError{} + +// Validate checks the field values on Predicate with the rules defined in the +// proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *Predicate) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on Predicate with the rules defined in +// the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in PredicateMultiError, or nil +// if none found. 
+func (m *Predicate) ValidateAll() error { + return m.validate(true) +} + +func (m *Predicate) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + switch v := m.Expr.(type) { + case *Predicate_KeyExists: + if v == nil { + err := PredicateValidationError{ + field: "Expr", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetKeyExists()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, PredicateValidationError{ + field: "KeyExists", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, PredicateValidationError{ + field: "KeyExists", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKeyExists()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PredicateValidationError{ + field: "KeyExists", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Predicate_KeyState: + if v == nil { + err := PredicateValidationError{ + field: "Expr", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetKeyState()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, PredicateValidationError{ + field: "KeyState", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, PredicateValidationError{ + field: "KeyState", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKeyState()).(interface{ 
Validate() error }); ok { + if err := v.Validate(); err != nil { + return PredicateValidationError{ + field: "KeyState", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Predicate_TenantActive: + if v == nil { + err := PredicateValidationError{ + field: "Expr", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetTenantActive()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, PredicateValidationError{ + field: "TenantActive", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, PredicateValidationError{ + field: "TenantActive", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetTenantActive()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PredicateValidationError{ + field: "TenantActive", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Predicate_CredentialExists: + if v == nil { + err := PredicateValidationError{ + field: "Expr", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetCredentialExists()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, PredicateValidationError{ + field: "CredentialExists", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, PredicateValidationError{ + field: "CredentialExists", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := 
interface{}(m.GetCredentialExists()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PredicateValidationError{ + field: "CredentialExists", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Predicate_And: + if v == nil { + err := PredicateValidationError{ + field: "Expr", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetAnd()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, PredicateValidationError{ + field: "And", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, PredicateValidationError{ + field: "And", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetAnd()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PredicateValidationError{ + field: "And", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Predicate_Or: + if v == nil { + err := PredicateValidationError{ + field: "Expr", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetOr()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, PredicateValidationError{ + field: "Or", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, PredicateValidationError{ + field: "Or", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetOr()).(interface{ Validate() error }); ok { + 
if err := v.Validate(); err != nil { + return PredicateValidationError{ + field: "Or", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Predicate_Not: + if v == nil { + err := PredicateValidationError{ + field: "Expr", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + + if all { + switch v := interface{}(m.GetNot()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, PredicateValidationError{ + field: "Not", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, PredicateValidationError{ + field: "Not", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetNot()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PredicateValidationError{ + field: "Not", + reason: "embedded message failed validation", + cause: err, + } + } + } + + default: + _ = v // ensures v is used + } + + if len(errors) > 0 { + return PredicateMultiError(errors) + } + + return nil +} + +// PredicateMultiError is an error wrapping multiple validation errors returned +// by Predicate.ValidateAll() if the designated constraints aren't met. +type PredicateMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m PredicateMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m PredicateMultiError) AllErrors() []error { return m } + +// PredicateValidationError is the validation error returned by +// Predicate.Validate if the designated constraints aren't met. 
+type PredicateValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e PredicateValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e PredicateValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e PredicateValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e PredicateValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e PredicateValidationError) ErrorName() string { return "PredicateValidationError" } + +// Error satisfies the builtin error interface +func (e PredicateValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sPredicate.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = PredicateValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = PredicateValidationError{} + +// Validate checks the field values on KeyExistsPredicate with the rules +// defined in the proto definition for this message. If any rules are +// violated, the first error encountered is returned, or nil if there are no violations. +func (m *KeyExistsPredicate) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on KeyExistsPredicate with the rules +// defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// KeyExistsPredicateMultiError, or nil if none found. 
+func (m *KeyExistsPredicate) ValidateAll() error { + return m.validate(true) +} + +func (m *KeyExistsPredicate) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetTier()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyExistsPredicateValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyExistsPredicateValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetTier()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyExistsPredicateValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetKeyName()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyExistsPredicateValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyExistsPredicateValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKeyName()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyExistsPredicateValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(errors) > 0 { + return KeyExistsPredicateMultiError(errors) + } + + return nil +} + +// KeyExistsPredicateMultiError is an error wrapping multiple validation errors +// returned by KeyExistsPredicate.ValidateAll() 
if the designated constraints +// aren't met. +type KeyExistsPredicateMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m KeyExistsPredicateMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m KeyExistsPredicateMultiError) AllErrors() []error { return m } + +// KeyExistsPredicateValidationError is the validation error returned by +// KeyExistsPredicate.Validate if the designated constraints aren't met. +type KeyExistsPredicateValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e KeyExistsPredicateValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e KeyExistsPredicateValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e KeyExistsPredicateValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e KeyExistsPredicateValidationError) Key() bool { return e.key } + +// ErrorName returns error name. 
+func (e KeyExistsPredicateValidationError) ErrorName() string { + return "KeyExistsPredicateValidationError" +} + +// Error satisfies the builtin error interface +func (e KeyExistsPredicateValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sKeyExistsPredicate.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = KeyExistsPredicateValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = KeyExistsPredicateValidationError{} + +// Validate checks the field values on KeyStatePredicate with the rules defined +// in the proto definition for this message. If any rules are violated, the +// first error encountered is returned, or nil if there are no violations. +func (m *KeyStatePredicate) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on KeyStatePredicate with the rules +// defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// KeyStatePredicateMultiError, or nil if none found. 
+func (m *KeyStatePredicate) ValidateAll() error { + return m.validate(true) +} + +func (m *KeyStatePredicate) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetTier()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyStatePredicateValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyStatePredicateValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetTier()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyStatePredicateValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetKeyName()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyStatePredicateValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyStatePredicateValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKeyName()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyStatePredicateValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(errors) > 0 { + return KeyStatePredicateMultiError(errors) + } + + return nil +} + +// KeyStatePredicateMultiError is an error wrapping multiple validation errors +// returned by KeyStatePredicate.ValidateAll() if the 
designated constraints +// aren't met. +type KeyStatePredicateMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m KeyStatePredicateMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m KeyStatePredicateMultiError) AllErrors() []error { return m } + +// KeyStatePredicateValidationError is the validation error returned by +// KeyStatePredicate.Validate if the designated constraints aren't met. +type KeyStatePredicateValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e KeyStatePredicateValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e KeyStatePredicateValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e KeyStatePredicateValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e KeyStatePredicateValidationError) Key() bool { return e.key } + +// ErrorName returns error name. 
+func (e KeyStatePredicateValidationError) ErrorName() string { + return "KeyStatePredicateValidationError" +} + +// Error satisfies the builtin error interface +func (e KeyStatePredicateValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sKeyStatePredicate.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = KeyStatePredicateValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = KeyStatePredicateValidationError{} + +// Validate checks the field values on TenantActivePredicate with the rules +// defined in the proto definition for this message. If any rules are +// violated, the first error encountered is returned, or nil if there are no violations. +func (m *TenantActivePredicate) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on TenantActivePredicate with the rules +// defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// TenantActivePredicateMultiError, or nil if none found. 
+func (m *TenantActivePredicate) ValidateAll() error { + return m.validate(true) +} + +func (m *TenantActivePredicate) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetTenantId()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, TenantActivePredicateValidationError{ + field: "TenantId", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, TenantActivePredicateValidationError{ + field: "TenantId", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetTenantId()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return TenantActivePredicateValidationError{ + field: "TenantId", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(errors) > 0 { + return TenantActivePredicateMultiError(errors) + } + + return nil +} + +// TenantActivePredicateMultiError is an error wrapping multiple validation +// errors returned by TenantActivePredicate.ValidateAll() if the designated +// constraints aren't met. +type TenantActivePredicateMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m TenantActivePredicateMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m TenantActivePredicateMultiError) AllErrors() []error { return m } + +// TenantActivePredicateValidationError is the validation error returned by +// TenantActivePredicate.Validate if the designated constraints aren't met. 
+type TenantActivePredicateValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e TenantActivePredicateValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e TenantActivePredicateValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e TenantActivePredicateValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e TenantActivePredicateValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e TenantActivePredicateValidationError) ErrorName() string { + return "TenantActivePredicateValidationError" +} + +// Error satisfies the builtin error interface +func (e TenantActivePredicateValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sTenantActivePredicate.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = TenantActivePredicateValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = TenantActivePredicateValidationError{} + +// Validate checks the field values on CredentialExistsPredicate with the rules +// defined in the proto definition for this message. If any rules are +// violated, the first error encountered is returned, or nil if there are no violations. +func (m *CredentialExistsPredicate) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on CredentialExistsPredicate with the +// rules defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// CredentialExistsPredicateMultiError, or nil if none found. 
+func (m *CredentialExistsPredicate) ValidateAll() error { + return m.validate(true) +} + +func (m *CredentialExistsPredicate) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetName()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, CredentialExistsPredicateValidationError{ + field: "Name", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, CredentialExistsPredicateValidationError{ + field: "Name", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetName()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return CredentialExistsPredicateValidationError{ + field: "Name", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(errors) > 0 { + return CredentialExistsPredicateMultiError(errors) + } + + return nil +} + +// CredentialExistsPredicateMultiError is an error wrapping multiple validation +// errors returned by CredentialExistsPredicate.ValidateAll() if the +// designated constraints aren't met. +type CredentialExistsPredicateMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m CredentialExistsPredicateMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m CredentialExistsPredicateMultiError) AllErrors() []error { return m } + +// CredentialExistsPredicateValidationError is the validation error returned by +// CredentialExistsPredicate.Validate if the designated constraints aren't met. 
+type CredentialExistsPredicateValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e CredentialExistsPredicateValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e CredentialExistsPredicateValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e CredentialExistsPredicateValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e CredentialExistsPredicateValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e CredentialExistsPredicateValidationError) ErrorName() string { + return "CredentialExistsPredicateValidationError" +} + +// Error satisfies the builtin error interface +func (e CredentialExistsPredicateValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sCredentialExistsPredicate.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = CredentialExistsPredicateValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = CredentialExistsPredicateValidationError{} + +// Validate checks the field values on AndPredicate with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *AndPredicate) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on AndPredicate with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in AndPredicateMultiError, or +// nil if none found. 
+func (m *AndPredicate) ValidateAll() error { + return m.validate(true) +} + +func (m *AndPredicate) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + for idx, item := range m.GetTerms() { + _, _ = idx, item + + if all { + switch v := interface{}(item).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, AndPredicateValidationError{ + field: fmt.Sprintf("Terms[%v]", idx), + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, AndPredicateValidationError{ + field: fmt.Sprintf("Terms[%v]", idx), + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(item).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return AndPredicateValidationError{ + field: fmt.Sprintf("Terms[%v]", idx), + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + if len(errors) > 0 { + return AndPredicateMultiError(errors) + } + + return nil +} + +// AndPredicateMultiError is an error wrapping multiple validation errors +// returned by AndPredicate.ValidateAll() if the designated constraints aren't met. +type AndPredicateMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m AndPredicateMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m AndPredicateMultiError) AllErrors() []error { return m } + +// AndPredicateValidationError is the validation error returned by +// AndPredicate.Validate if the designated constraints aren't met. 
+type AndPredicateValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e AndPredicateValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e AndPredicateValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e AndPredicateValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e AndPredicateValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e AndPredicateValidationError) ErrorName() string { return "AndPredicateValidationError" } + +// Error satisfies the builtin error interface +func (e AndPredicateValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sAndPredicate.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = AndPredicateValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = AndPredicateValidationError{} + +// Validate checks the field values on OrPredicate with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *OrPredicate) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on OrPredicate with the rules defined in +// the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in OrPredicateMultiError, or +// nil if none found. 
+func (m *OrPredicate) ValidateAll() error { + return m.validate(true) +} + +func (m *OrPredicate) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + for idx, item := range m.GetTerms() { + _, _ = idx, item + + if all { + switch v := interface{}(item).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, OrPredicateValidationError{ + field: fmt.Sprintf("Terms[%v]", idx), + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, OrPredicateValidationError{ + field: fmt.Sprintf("Terms[%v]", idx), + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(item).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return OrPredicateValidationError{ + field: fmt.Sprintf("Terms[%v]", idx), + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + if len(errors) > 0 { + return OrPredicateMultiError(errors) + } + + return nil +} + +// OrPredicateMultiError is an error wrapping multiple validation errors +// returned by OrPredicate.ValidateAll() if the designated constraints aren't met. +type OrPredicateMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m OrPredicateMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m OrPredicateMultiError) AllErrors() []error { return m } + +// OrPredicateValidationError is the validation error returned by +// OrPredicate.Validate if the designated constraints aren't met. 
+type OrPredicateValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e OrPredicateValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e OrPredicateValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e OrPredicateValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e OrPredicateValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e OrPredicateValidationError) ErrorName() string { return "OrPredicateValidationError" } + +// Error satisfies the builtin error interface +func (e OrPredicateValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sOrPredicate.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = OrPredicateValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = OrPredicateValidationError{} + +// Validate checks the field values on NotPredicate with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *NotPredicate) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on NotPredicate with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in NotPredicateMultiError, or +// nil if none found. 
+func (m *NotPredicate) ValidateAll() error { + return m.validate(true) +} + +func (m *NotPredicate) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetTerm()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, NotPredicateValidationError{ + field: "Term", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, NotPredicateValidationError{ + field: "Term", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetTerm()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return NotPredicateValidationError{ + field: "Term", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(errors) > 0 { + return NotPredicateMultiError(errors) + } + + return nil +} + +// NotPredicateMultiError is an error wrapping multiple validation errors +// returned by NotPredicate.ValidateAll() if the designated constraints aren't met. +type NotPredicateMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m NotPredicateMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m NotPredicateMultiError) AllErrors() []error { return m } + +// NotPredicateValidationError is the validation error returned by +// NotPredicate.Validate if the designated constraints aren't met. +type NotPredicateValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. 
+func (e NotPredicateValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e NotPredicateValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e NotPredicateValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e NotPredicateValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e NotPredicateValidationError) ErrorName() string { return "NotPredicateValidationError" } + +// Error satisfies the builtin error interface +func (e NotPredicateValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sNotPredicate.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = NotPredicateValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = NotPredicateValidationError{} + +// Validate checks the field values on ValueRef with the rules defined in the +// proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *ValueRef) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on ValueRef with the rules defined in +// the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in ValueRefMultiError, or nil +// if none found. 
+func (m *ValueRef) ValidateAll() error { + return m.validate(true) +} + +func (m *ValueRef) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + switch v := m.Kind.(type) { + case *ValueRef_Literal: + if v == nil { + err := ValueRefValidationError{ + field: "Kind", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + // no validation rules for Literal + case *ValueRef_VarRef: + if v == nil { + err := ValueRefValidationError{ + field: "Kind", + reason: "oneof value cannot be a typed-nil", + } + if !all { + return err + } + errors = append(errors, err) + } + // no validation rules for VarRef + default: + _ = v // ensures v is used + } + + if len(errors) > 0 { + return ValueRefMultiError(errors) + } + + return nil +} + +// ValueRefMultiError is an error wrapping multiple validation errors returned +// by ValueRef.ValidateAll() if the designated constraints aren't met. +type ValueRefMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m ValueRefMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m ValueRefMultiError) AllErrors() []error { return m } + +// ValueRefValidationError is the validation error returned by +// ValueRef.Validate if the designated constraints aren't met. +type ValueRefValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e ValueRefValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e ValueRefValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e ValueRefValidationError) Cause() error { return e.cause } + +// Key function returns key value. 
+func (e ValueRefValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e ValueRefValidationError) ErrorName() string { return "ValueRefValidationError" } + +// Error satisfies the builtin error interface +func (e ValueRefValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sValueRef.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = ValueRefValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = ValueRefValidationError{} + +// Validate checks the field values on KeySyncNode with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *KeySyncNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on KeySyncNode with the rules defined in +// the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in KeySyncNodeMultiError, or +// nil if none found. 
+func (m *KeySyncNode) ValidateAll() error { + return m.validate(true) +} + +func (m *KeySyncNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetTier()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeySyncNodeValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeySyncNodeValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetTier()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeySyncNodeValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetKeyName()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeySyncNodeValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeySyncNodeValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKeyName()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeySyncNodeValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetParentKey()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeySyncNodeValidationError{ + field: "ParentKey", + reason: "embedded message failed validation", + cause: 
err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeySyncNodeValidationError{ + field: "ParentKey", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetParentKey()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeySyncNodeValidationError{ + field: "ParentKey", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetSchedule()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeySyncNodeValidationError{ + field: "Schedule", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeySyncNodeValidationError{ + field: "Schedule", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetSchedule()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeySyncNodeValidationError{ + field: "Schedule", + reason: "embedded message failed validation", + cause: err, + } + } + } + + // no validation rules for Metadata + + if len(errors) > 0 { + return KeySyncNodeMultiError(errors) + } + + return nil +} + +// KeySyncNodeMultiError is an error wrapping multiple validation errors +// returned by KeySyncNode.ValidateAll() if the designated constraints aren't met. +type KeySyncNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m KeySyncNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. 
+func (m KeySyncNodeMultiError) AllErrors() []error { return m } + +// KeySyncNodeValidationError is the validation error returned by +// KeySyncNode.Validate if the designated constraints aren't met. +type KeySyncNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e KeySyncNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e KeySyncNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e KeySyncNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e KeySyncNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e KeySyncNodeValidationError) ErrorName() string { return "KeySyncNodeValidationError" } + +// Error satisfies the builtin error interface +func (e KeySyncNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sKeySyncNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = KeySyncNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = KeySyncNodeValidationError{} + +// Validate checks the field values on KeyDeleteNode with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *KeyDeleteNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on KeyDeleteNode with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in KeyDeleteNodeMultiError, or +// nil if none found. 
+func (m *KeyDeleteNode) ValidateAll() error { + return m.validate(true) +} + +func (m *KeyDeleteNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetTier()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyDeleteNodeValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyDeleteNodeValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetTier()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyDeleteNodeValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetKeyName()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyDeleteNodeValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyDeleteNodeValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKeyName()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyDeleteNodeValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(errors) > 0 { + return KeyDeleteNodeMultiError(errors) + } + + return nil +} + +// KeyDeleteNodeMultiError is an error wrapping multiple validation errors +// returned by KeyDeleteNode.ValidateAll() if the designated constraints +// aren't met. 
+type KeyDeleteNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m KeyDeleteNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m KeyDeleteNodeMultiError) AllErrors() []error { return m } + +// KeyDeleteNodeValidationError is the validation error returned by +// KeyDeleteNode.Validate if the designated constraints aren't met. +type KeyDeleteNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e KeyDeleteNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e KeyDeleteNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e KeyDeleteNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e KeyDeleteNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e KeyDeleteNodeValidationError) ErrorName() string { return "KeyDeleteNodeValidationError" } + +// Error satisfies the builtin error interface +func (e KeyDeleteNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sKeyDeleteNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = KeyDeleteNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = KeyDeleteNodeValidationError{} + +// Validate checks the field values on KeyTransitionNode with the rules defined +// in the proto definition for this message. 
If any rules are violated, the +// first error encountered is returned, or nil if there are no violations. +func (m *KeyTransitionNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on KeyTransitionNode with the rules +// defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// KeyTransitionNodeMultiError, or nil if none found. +func (m *KeyTransitionNode) ValidateAll() error { + return m.validate(true) +} + +func (m *KeyTransitionNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetTier()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyTransitionNodeValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyTransitionNodeValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetTier()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyTransitionNodeValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetKeyName()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyTransitionNodeValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyTransitionNodeValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := 
interface{}(m.GetKeyName()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyTransitionNodeValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + } + } + } + + // no validation rules for TargetState + + if len(errors) > 0 { + return KeyTransitionNodeMultiError(errors) + } + + return nil +} + +// KeyTransitionNodeMultiError is an error wrapping multiple validation errors +// returned by KeyTransitionNode.ValidateAll() if the designated constraints +// aren't met. +type KeyTransitionNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m KeyTransitionNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m KeyTransitionNodeMultiError) AllErrors() []error { return m } + +// KeyTransitionNodeValidationError is the validation error returned by +// KeyTransitionNode.Validate if the designated constraints aren't met. +type KeyTransitionNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e KeyTransitionNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e KeyTransitionNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e KeyTransitionNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e KeyTransitionNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. 
+func (e KeyTransitionNodeValidationError) ErrorName() string { + return "KeyTransitionNodeValidationError" +} + +// Error satisfies the builtin error interface +func (e KeyTransitionNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sKeyTransitionNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = KeyTransitionNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = KeyTransitionNodeValidationError{} + +// Validate checks the field values on KeyRotateNode with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *KeyRotateNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on KeyRotateNode with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in KeyRotateNodeMultiError, or +// nil if none found. 
+func (m *KeyRotateNode) ValidateAll() error { + return m.validate(true) +} + +func (m *KeyRotateNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetTier()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyRotateNodeValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyRotateNodeValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetTier()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyRotateNodeValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetKeyName()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyRotateNodeValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyRotateNodeValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKeyName()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyRotateNodeValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(errors) > 0 { + return KeyRotateNodeMultiError(errors) + } + + return nil +} + +// KeyRotateNodeMultiError is an error wrapping multiple validation errors +// returned by KeyRotateNode.ValidateAll() if the designated constraints +// aren't met. 
+type KeyRotateNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m KeyRotateNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m KeyRotateNodeMultiError) AllErrors() []error { return m } + +// KeyRotateNodeValidationError is the validation error returned by +// KeyRotateNode.Validate if the designated constraints aren't met. +type KeyRotateNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e KeyRotateNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e KeyRotateNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e KeyRotateNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e KeyRotateNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e KeyRotateNodeValidationError) ErrorName() string { return "KeyRotateNodeValidationError" } + +// Error satisfies the builtin error interface +func (e KeyRotateNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sKeyRotateNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = KeyRotateNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = KeyRotateNodeValidationError{} + +// Validate checks the field values on KeyScheduleNode with the rules defined +// in the proto definition for this message. 
If any rules are violated, the +// first error encountered is returned, or nil if there are no violations. +func (m *KeyScheduleNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on KeyScheduleNode with the rules +// defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// KeyScheduleNodeMultiError, or nil if none found. +func (m *KeyScheduleNode) ValidateAll() error { + return m.validate(true) +} + +func (m *KeyScheduleNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetTier()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyScheduleNodeValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyScheduleNodeValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetTier()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyScheduleNodeValidationError{ + field: "Tier", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetKeyName()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyScheduleNodeValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyScheduleNodeValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetKeyName()).(interface{ 
Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyScheduleNodeValidationError{ + field: "KeyName", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetSchedule()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyScheduleNodeValidationError{ + field: "Schedule", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyScheduleNodeValidationError{ + field: "Schedule", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetSchedule()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyScheduleNodeValidationError{ + field: "Schedule", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(errors) > 0 { + return KeyScheduleNodeMultiError(errors) + } + + return nil +} + +// KeyScheduleNodeMultiError is an error wrapping multiple validation errors +// returned by KeyScheduleNode.ValidateAll() if the designated constraints +// aren't met. +type KeyScheduleNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m KeyScheduleNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m KeyScheduleNodeMultiError) AllErrors() []error { return m } + +// KeyScheduleNodeValidationError is the validation error returned by +// KeyScheduleNode.Validate if the designated constraints aren't met. +type KeyScheduleNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. 
+func (e KeyScheduleNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e KeyScheduleNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e KeyScheduleNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e KeyScheduleNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e KeyScheduleNodeValidationError) ErrorName() string { return "KeyScheduleNodeValidationError" } + +// Error satisfies the builtin error interface +func (e KeyScheduleNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sKeyScheduleNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = KeyScheduleNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = KeyScheduleNodeValidationError{} + +// Validate checks the field values on KeyScheduleSpec with the rules defined +// in the proto definition for this message. If any rules are violated, the +// first error encountered is returned, or nil if there are no violations. +func (m *KeyScheduleSpec) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on KeyScheduleSpec with the rules +// defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// KeyScheduleSpecMultiError, or nil if none found. 
+func (m *KeyScheduleSpec) ValidateAll() error { + return m.validate(true) +} + +func (m *KeyScheduleSpec) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if m.ExpiresAt != nil { + + if all { + switch v := interface{}(m.GetExpiresAt()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyScheduleSpecValidationError{ + field: "ExpiresAt", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyScheduleSpecValidationError{ + field: "ExpiresAt", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetExpiresAt()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyScheduleSpecValidationError{ + field: "ExpiresAt", + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + if m.ScheduledTransitionAt != nil { + + if all { + switch v := interface{}(m.GetScheduledTransitionAt()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, KeyScheduleSpecValidationError{ + field: "ScheduledTransitionAt", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, KeyScheduleSpecValidationError{ + field: "ScheduledTransitionAt", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetScheduledTransitionAt()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return KeyScheduleSpecValidationError{ + field: "ScheduledTransitionAt", + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + if m.TransitionTo != nil { + // no validation rules for TransitionTo + 
} + + if len(errors) > 0 { + return KeyScheduleSpecMultiError(errors) + } + + return nil +} + +// KeyScheduleSpecMultiError is an error wrapping multiple validation errors +// returned by KeyScheduleSpec.ValidateAll() if the designated constraints +// aren't met. +type KeyScheduleSpecMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m KeyScheduleSpecMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m KeyScheduleSpecMultiError) AllErrors() []error { return m } + +// KeyScheduleSpecValidationError is the validation error returned by +// KeyScheduleSpec.Validate if the designated constraints aren't met. +type KeyScheduleSpecValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e KeyScheduleSpecValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e KeyScheduleSpecValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e KeyScheduleSpecValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e KeyScheduleSpecValidationError) Key() bool { return e.key } + +// ErrorName returns error name. 
+func (e KeyScheduleSpecValidationError) ErrorName() string { return "KeyScheduleSpecValidationError" } + +// Error satisfies the builtin error interface +func (e KeyScheduleSpecValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sKeyScheduleSpec.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = KeyScheduleSpecValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = KeyScheduleSpecValidationError{} + +// Validate checks the field values on CredentialSyncNode with the rules +// defined in the proto definition for this message. If any rules are +// violated, the first error encountered is returned, or nil if there are no violations. +func (m *CredentialSyncNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on CredentialSyncNode with the rules +// defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// CredentialSyncNodeMultiError, or nil if none found. 
+func (m *CredentialSyncNode) ValidateAll() error { + return m.validate(true) +} + +func (m *CredentialSyncNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetName()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, CredentialSyncNodeValidationError{ + field: "Name", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, CredentialSyncNodeValidationError{ + field: "Name", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetName()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return CredentialSyncNodeValidationError{ + field: "Name", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetType()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, CredentialSyncNodeValidationError{ + field: "Type", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, CredentialSyncNodeValidationError{ + field: "Type", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetType()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return CredentialSyncNodeValidationError{ + field: "Type", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if all { + switch v := interface{}(m.GetSpec()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, CredentialSyncNodeValidationError{ + field: "Spec", + reason: "embedded 
message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, CredentialSyncNodeValidationError{ + field: "Spec", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetSpec()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return CredentialSyncNodeValidationError{ + field: "Spec", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(errors) > 0 { + return CredentialSyncNodeMultiError(errors) + } + + return nil +} + +// CredentialSyncNodeMultiError is an error wrapping multiple validation errors +// returned by CredentialSyncNode.ValidateAll() if the designated constraints +// aren't met. +type CredentialSyncNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m CredentialSyncNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m CredentialSyncNodeMultiError) AllErrors() []error { return m } + +// CredentialSyncNodeValidationError is the validation error returned by +// CredentialSyncNode.Validate if the designated constraints aren't met. +type CredentialSyncNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e CredentialSyncNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e CredentialSyncNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e CredentialSyncNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. 
+func (e CredentialSyncNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e CredentialSyncNodeValidationError) ErrorName() string { + return "CredentialSyncNodeValidationError" +} + +// Error satisfies the builtin error interface +func (e CredentialSyncNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sCredentialSyncNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = CredentialSyncNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = CredentialSyncNodeValidationError{} + +// Validate checks the field values on CredentialDeleteNode with the rules +// defined in the proto definition for this message. If any rules are +// violated, the first error encountered is returned, or nil if there are no violations. +func (m *CredentialDeleteNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on CredentialDeleteNode with the rules +// defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// CredentialDeleteNodeMultiError, or nil if none found. 
+func (m *CredentialDeleteNode) ValidateAll() error { + return m.validate(true) +} + +func (m *CredentialDeleteNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + if all { + switch v := interface{}(m.GetName()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, CredentialDeleteNodeValidationError{ + field: "Name", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, CredentialDeleteNodeValidationError{ + field: "Name", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetName()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return CredentialDeleteNodeValidationError{ + field: "Name", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(errors) > 0 { + return CredentialDeleteNodeMultiError(errors) + } + + return nil +} + +// CredentialDeleteNodeMultiError is an error wrapping multiple validation +// errors returned by CredentialDeleteNode.ValidateAll() if the designated +// constraints aren't met. +type CredentialDeleteNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m CredentialDeleteNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m CredentialDeleteNodeMultiError) AllErrors() []error { return m } + +// CredentialDeleteNodeValidationError is the validation error returned by +// CredentialDeleteNode.Validate if the designated constraints aren't met. 
+type CredentialDeleteNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e CredentialDeleteNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e CredentialDeleteNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e CredentialDeleteNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e CredentialDeleteNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e CredentialDeleteNodeValidationError) ErrorName() string { + return "CredentialDeleteNodeValidationError" +} + +// Error satisfies the builtin error interface +func (e CredentialDeleteNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sCredentialDeleteNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = CredentialDeleteNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = CredentialDeleteNodeValidationError{} + +// Validate checks the field values on BindNode with the rules defined in the +// proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *BindNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on BindNode with the rules defined in +// the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in BindNodeMultiError, or nil +// if none found. 
+func (m *BindNode) ValidateAll() error { + return m.validate(true) +} + +func (m *BindNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for VarName + + if all { + switch v := interface{}(m.GetValue()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, BindNodeValidationError{ + field: "Value", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, BindNodeValidationError{ + field: "Value", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetValue()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return BindNodeValidationError{ + field: "Value", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(errors) > 0 { + return BindNodeMultiError(errors) + } + + return nil +} + +// BindNodeMultiError is an error wrapping multiple validation errors returned +// by BindNode.ValidateAll() if the designated constraints aren't met. +type BindNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m BindNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m BindNodeMultiError) AllErrors() []error { return m } + +// BindNodeValidationError is the validation error returned by +// BindNode.Validate if the designated constraints aren't met. +type BindNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. 
+func (e BindNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e BindNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e BindNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e BindNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e BindNodeValidationError) ErrorName() string { return "BindNodeValidationError" } + +// Error satisfies the builtin error interface +func (e BindNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sBindNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = BindNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = BindNodeValidationError{} + +// Validate checks the field values on EmitNode with the rules defined in the +// proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *EmitNode) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on EmitNode with the rules defined in +// the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in EmitNodeMultiError, or nil +// if none found. 
+func (m *EmitNode) ValidateAll() error { + return m.validate(true) +} + +func (m *EmitNode) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for EventType + + // no validation rules for Attributes + + if len(errors) > 0 { + return EmitNodeMultiError(errors) + } + + return nil +} + +// EmitNodeMultiError is an error wrapping multiple validation errors returned +// by EmitNode.ValidateAll() if the designated constraints aren't met. +type EmitNodeMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m EmitNodeMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m EmitNodeMultiError) AllErrors() []error { return m } + +// EmitNodeValidationError is the validation error returned by +// EmitNode.Validate if the designated constraints aren't met. +type EmitNodeValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e EmitNodeValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e EmitNodeValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e EmitNodeValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e EmitNodeValidationError) Key() bool { return e.key } + +// ErrorName returns error name. 
+func (e EmitNodeValidationError) ErrorName() string { return "EmitNodeValidationError" } + +// Error satisfies the builtin error interface +func (e EmitNodeValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sEmitNode.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = EmitNodeValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = EmitNodeValidationError{} diff --git a/proto/plugin/reconciler/v1/ast.proto b/proto/plugin/reconciler/v1/ast.proto new file mode 100644 index 0000000..03942a9 --- /dev/null +++ b/proto/plugin/reconciler/v1/ast.proto 
@@ -0,0 +1,273 @@
+syntax = "proto3";
+
+package krypton.reconciler.v1;
+
+import "google/protobuf/struct.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/openkcm/krypton/proto/plugin/reconciler/v1;reconcilerv1";
+
+// ExecutionPlan is the root of the AST returned by a plugin's Reconcile call.
+// It describes every operation Krypton core must execute to drive the custom
+// resource to its desired state. Core is the sole executor — the plugin never
+// touches keys, state, or the database directly.
+message ExecutionPlan {
+ // plan_id identifies this plan for tracing. Recommended: echo the operation ID.
+ string plan_id = 1;
+
+ // root is the root node of the execution tree.
+ ASTNode root = 2;
+
+ // bindings are pre-declared variables available to every node in the plan.
+ // Use them to pass tenant_id, api_group, external IDs, or any other values
+ // the plugin resolved during planning and wants to thread through execution.
+ map bindings = 3;
+}
+
+// ─────────────────────────────────────────────────────────────
+// Core node type — every element of the AST is an ASTNode.
+// ─────────────────────────────────────────────────────────────
+
+message ASTNode {
+ // node_id is an optional stable identifier used for checkpoint persistence.
+ // When set, the executor stores progress so retries resume from here.
+ // Must be stable across retries (use a semantic name, not a random UUID).
+ string node_id = 1;
+
+ // label is a human-readable description surfaced in logs and audit events.
+ string label = 2;
+
+ // result_var, when non-empty, binds the primary string output of this node
+ // (typically a provisioned key ID) into the execution state so downstream
+ // nodes can reference it via ValueRef.var_ref.
+ string result_var = 3;
+
+ oneof node {
+ // ── Control flow ──────────────────────────────────────────
+ SequenceNode sequence = 10;
+ ParallelNode parallel = 11;
+ ConditionalNode conditional = 12;
+ TryCatchNode try_catch = 13;
+
+ // ── Checkpoint ────────────────────────────────────────────
+ // Persists progress at this point; uses node_id as the checkpoint name.
+ CheckpointNode checkpoint = 14;
+
+ // ── Assertions / pre-conditions ───────────────────────────
+ // Fails the plan with error_message if the predicate is false.
+ AssertNode assert = 20;
+
+ // ── Key lifecycle ─────────────────────────────────────────
+ KeySyncNode key_sync = 30; // create or idempotently update
+ KeyDeleteNode key_delete = 31; // destroy key material
+ KeyTransitionNode key_transition = 32; // explicit lifecycle state change
+ KeyRotateNode key_rotate = 33; // generate new key material (forced rotation)
+ KeyScheduleNode key_schedule = 34; // set expiry / scheduled transition
+
+ // ── Credential lifecycle ───────────────────────────────────
+ CredentialSyncNode credential_sync = 40;
+ CredentialDeleteNode credential_delete = 41;
+
+ // ── Utility ───────────────────────────────────────────────
+ BindNode bind = 60; // set a variable in execution state
+ EmitNode emit = 61; // write a custom audit event
+ }
+}
+
+// ─────────────────────────────────────────────────────────────
+// Control flow
+// ─────────────────────────────────────────────────────────────
+
+// SequenceNode runs steps in order; the first error aborts the remainder
+// and triggers rollback of already-executed steps (same as Pipeline).
+message SequenceNode {
+ repeated ASTNode steps = 1;
+}
+
+// ParallelNode fans steps out concurrently.
+// When fail_fast = true a single error cancels the remaining goroutines.
+message ParallelNode {
+ repeated ASTNode steps = 1;
+ bool fail_fast = 2;
+}
+
+// ConditionalNode evaluates a runtime predicate and executes exactly one branch.
+message ConditionalNode {
+ Predicate condition = 1;
+ ASTNode then_node = 2;
+ ASTNode else_node = 3; // optional — omit for pure guard
+}
+
+// TryCatchNode executes try_node; on any error executes catch_node instead.
+// Useful for compensating transactions and optional / best-effort steps.
+message TryCatchNode {
+ ASTNode try_node = 1;
+ ASTNode catch_node = 2;
+}
+
+// CheckpointNode persists the current execution position so retries skip
+// completed steps. Uses the parent ASTNode.node_id as the checkpoint name.
+message CheckpointNode {}
+
+// ─────────────────────────────────────────────────────────────
+// Assertions
+// ─────────────────────────────────────────────────────────────
+
+message AssertNode {
+ Predicate condition = 1;
+ string error_message = 2;
+}
+
+// Predicate is a composable boolean expression resolved against live Krypton
+// state at execution time. Core owns all state reads; the plugin only declares
+// what must be true.
+message Predicate {
+ oneof expr {
+ KeyExistsPredicate key_exists = 1;
+ KeyStatePredicate key_state = 2;
+ TenantActivePredicate tenant_active = 3;
+ CredentialExistsPredicate credential_exists = 4;
+
+ // Logical combinators
+ AndPredicate and = 10;
+ OrPredicate or = 11;
+ NotPredicate not = 12;
+ }
+}
+
+message KeyExistsPredicate {
+ ValueRef tier = 1;
+ ValueRef key_name = 2;
+}
+
+message KeyStatePredicate {
+ ValueRef tier = 1;
+ ValueRef key_name = 2;
+ // allowed_states is an OR list — matches if the key is in ANY of these states.
+ // Valid values: PRE_ACTIVATION, ACTIVE, SUSPENDED, DEACTIVATED, COMPROMISED,
+ // PENDING_DESTROYING, DESTROYED.
+ repeated string allowed_states = 3;
+}
+
+message TenantActivePredicate {
+ ValueRef tenant_id = 1;
+}
+
+message CredentialExistsPredicate {
+ ValueRef name = 1;
+}
+
+message AndPredicate { repeated Predicate terms = 1; }
+message OrPredicate { repeated Predicate terms = 1; }
+message NotPredicate { Predicate term = 1; }
+
+// ─────────────────────────────────────────────────────────────
+// Value references
+// ─────────────────────────────────────────────────────────────
+
+// ValueRef resolves to a string at runtime.
+// Use literal for constants known at plan time.
+// Use var_ref to read a value set by a previous node's result_var or by
+// ExecutionPlan.bindings.
+message ValueRef {
+ oneof kind {
+ string literal = 1;
+ string var_ref = 2;
+ }
+}
+
+// ─────────────────────────────────────────────────────────────
+// Key lifecycle nodes
+// ─────────────────────────────────────────────────────────────
+
+// KeySyncNode provisions a key at the given tier, or is a no-op if the key
+// already exists (idempotent). Core wraps the key under parent_key using the
+// configured tier hierarchy. On success, result_var receives the key ULID.
+message KeySyncNode {
+ // tier is the Krypton tier name as declared in key-hierarchy config,
+ // e.g. "l2-domain", "l3-service", "l4-data".
+ ValueRef tier = 1;
+ // key_name is the logical name scoped to the tenant.
+ ValueRef key_name = 2;
+ // parent_key is the name of the wrapping key one tier above.
+ // Required for all tiers except L1 root keys.
+ ValueRef parent_key = 3;
+ // schedule, when set, is applied immediately after provisioning.
+ KeyScheduleSpec schedule = 4;
+ // metadata is attached to the key record after successful provisioning.
+ map metadata = 5;
+}
+
+// KeyDeleteNode destroys key material and all version lineages.
+// Core enforces that no child keys exist before allowing deletion.
+message KeyDeleteNode {
+ ValueRef tier = 1;
+ ValueRef key_name = 2;
+}
+
+// KeyTransitionNode explicitly moves a key to a target lifecycle state.
+// Valid target_state values: PRE_ACTIVATION, ACTIVE, SUSPENDED, DEACTIVATED,
+// COMPROMISED, PENDING_DESTROYING, DESTROYED.
+message KeyTransitionNode {
+ ValueRef tier = 1;
+ ValueRef key_name = 2;
+ string target_state = 3;
+}
+
+// KeyRotateNode generates new key material under the same logical key name
+// (forced rotation — bypasses the idempotency guard in ProvisionKey).
+// On success, result_var receives the new key ULID.
+message KeyRotateNode {
+ ValueRef tier = 1;
+ ValueRef key_name = 2;
+}
+
+// KeyScheduleNode updates the scheduled lifecycle transition for an existing key.
+message KeyScheduleNode {
+ ValueRef tier = 1;
+ ValueRef key_name = 2;
+ KeyScheduleSpec schedule = 3;
+}
+
+// KeyScheduleSpec carries timing parameters for a scheduled state transition.
+// All fields are optional — set only the ones you need.
+message KeyScheduleSpec {
+ optional google.protobuf.Timestamp expires_at = 1;
+ optional google.protobuf.Timestamp scheduled_transition_at = 2;
+ // transition_to is the target KeyState when scheduled_transition_at fires.
+ optional string transition_to = 3;
+}
+
+// ─────────────────────────────────────────────────────────────
+// Credential lifecycle nodes
+// ─────────────────────────────────────────────────────────────
+
+// CredentialSyncNode creates or updates a credential.
+// spec is the full credential payload; core encrypts it using the tenant keyring.
+message CredentialSyncNode {
+ ValueRef name = 1;
+ ValueRef type = 2;
+ google.protobuf.Struct spec = 3;
+}
+
+// CredentialDeleteNode removes a credential record.
+message CredentialDeleteNode {
+ ValueRef name = 1;
+}
+
+// ─────────────────────────────────────────────────────────────
+// Utility nodes
+// ─────────────────────────────────────────────────────────────
+
+// BindNode sets a named variable in the execution state.
+// Useful for deriving values from existing bindings before referencing them.
+message BindNode {
+ string var_name = 1;
+ ValueRef value = 2;
+}
+
+// EmitNode writes a structured event to Krypton's audit trail.
+message EmitNode {
+ string event_type = 1;
+ map attributes = 2;
+}
diff --git a/proto/plugin/reconciler/v1/reconciler.pb.go b/proto/plugin/reconciler/v1/reconciler.pb.go
new file mode 100644
index 0000000..0cb2ef3
--- /dev/null
+++ b/proto/plugin/reconciler/v1/reconciler.pb.go
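Review bot: In `proto/plugin/reconciler/v1/ast.proto`, `KeyTransitionNode.target_state`, `KeyStatePredicate.allowed_states` and `KeyScheduleSpec.transition_to` are free-form strings whose valid values are listed only in comments, so the schema accepts any text as a key lifecycle state. The generated validator in this same patch emits `// no validation rules for TransitionTo`, which suggests nothing at the message boundary rejects a misspelled or unexpected state in a plugin-supplied plan; whether core checks the string later is not visible here. A `KeyState` enum shared by the three fields would make the accepted set part of the contract and let core refuse the zero value explicitly, which matters most for transitions such as COMPROMISED or DESTROYED. The sketch below shows the enum and the three retyped fields; the rest of the file stays as it is.

```protobuf
// KeyState is the closed set of lifecycle states a plan may name.
// KEY_STATE_UNSPECIFIED is never valid in a plan and should be rejected by core.
enum KeyState {
  KEY_STATE_UNSPECIFIED = 0;
  KEY_STATE_PRE_ACTIVATION = 1;
  KEY_STATE_ACTIVE = 2;
  KEY_STATE_SUSPENDED = 3;
  KEY_STATE_DEACTIVATED = 4;
  KEY_STATE_COMPROMISED = 5;
  KEY_STATE_PENDING_DESTROYING = 6;
  KEY_STATE_DESTROYED = 7;
}

message KeyStatePredicate {
  // … unchanged: tier, key_name …
  repeated KeyState allowed_states = 3;
}

message KeyTransitionNode {
  // … unchanged: tier, key_name …
  KeyState target_state = 3;
}

message KeyScheduleSpec {
  // … unchanged: expires_at, scheduled_transition_at …
  optional KeyState transition_to = 3;
}
```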
@@ -0,0 +1,226 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.11 +// protoc (unknown) +// source: plugin/reconciler/v1/reconciler.proto + +package reconcilerv1 + +import ( + reflect "reflect" + sync "sync" + unsafe "unsafe" + + _ "buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go/buf/validate" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// ReconcileRequest carries everything the plugin needs to plan operations for +// this resource. resource_payload is opaque to core and decoded only by the plugin. +type ReconcileRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // api_group identifies the resource type family, e.g. "mycompany.kms/v1". + ApiGroup string `protobuf:"bytes,2,opt,name=api_group,json=apiGroup,proto3" json:"api_group,omitempty"` + // resource_payload is the JSON-encoded extension_key Struct from the original + // SyncResourceRequest. Core passes it unchanged; the plugin owns the schema. + ResourcePayload []byte `protobuf:"bytes,3,opt,name=resource_payload,json=resourcePayload,proto3" json:"resource_payload,omitempty"` + // action is the operation requested: "SYNC" or "DELETE". 
+ Action string `protobuf:"bytes,4,opt,name=action,proto3" json:"action,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ReconcileRequest) Reset() { + *x = ReconcileRequest{} + mi := &file_plugin_reconciler_v1_reconciler_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ReconcileRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ReconcileRequest) ProtoMessage() {} + +func (x *ReconcileRequest) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_reconciler_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ReconcileRequest.ProtoReflect.Descriptor instead. +func (*ReconcileRequest) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_reconciler_proto_rawDescGZIP(), []int{0} +} + +func (x *ReconcileRequest) GetApiGroup() string { + if x != nil { + return x.ApiGroup + } + return "" +} + +func (x *ReconcileRequest) GetResourcePayload() []byte { + if x != nil { + return x.ResourcePayload + } + return nil +} + +func (x *ReconcileRequest) GetAction() string { + if x != nil { + return x.Action + } + return "" +} + +// ReconcileResponse is returned by the plugin and contains the execution plan. +// Core decodes execution_plan as a JSON-encoded ast.ExecutionPlan and executes it. +type ReconcileResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // error_message non-empty means planning failed. + // transient_error = true → worker requeues up to max retries. + // transient_error = false → worker marks operation as terminally failed. 
+ ErrorMessage string `protobuf:"bytes,1,opt,name=error_message,json=errorMessage,proto3" json:"error_message,omitempty"` + TransientError bool `protobuf:"varint,2,opt,name=transient_error,json=transientError,proto3" json:"transient_error,omitempty"` + // execution_plan is a JSON-encoded ast.ExecutionPlan (see + // internal/modules/resource-reconciler/controller/ast). Empty means no-op. + ExecutionPlan []byte `protobuf:"bytes,3,opt,name=execution_plan,json=executionPlan,proto3" json:"execution_plan,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ReconcileResponse) Reset() { + *x = ReconcileResponse{} + mi := &file_plugin_reconciler_v1_reconciler_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ReconcileResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ReconcileResponse) ProtoMessage() {} + +func (x *ReconcileResponse) ProtoReflect() protoreflect.Message { + mi := &file_plugin_reconciler_v1_reconciler_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ReconcileResponse.ProtoReflect.Descriptor instead. 
+func (*ReconcileResponse) Descriptor() ([]byte, []int) { + return file_plugin_reconciler_v1_reconciler_proto_rawDescGZIP(), []int{1} +} + +func (x *ReconcileResponse) GetErrorMessage() string { + if x != nil { + return x.ErrorMessage + } + return "" +} + +func (x *ReconcileResponse) GetTransientError() bool { + if x != nil { + return x.TransientError + } + return false +} + +func (x *ReconcileResponse) GetExecutionPlan() []byte { + if x != nil { + return x.ExecutionPlan + } + return nil +} + +var File_plugin_reconciler_v1_reconciler_proto protoreflect.FileDescriptor + +const file_plugin_reconciler_v1_reconciler_proto_rawDesc = "" + + "\n" + + "%plugin/reconciler/v1/reconciler.proto\x12\x15krypton.reconciler.v1\x1a\x1bbuf/validate/validate.proto\"\x90\x01\n" + + "\x10ReconcileRequest\x12#\n" + + "\tapi_group\x18\x02 \x01(\tB\x06\xbaH\x03\xc8\x01\x01R\bapiGroup\x121\n" + + "\x10resource_payload\x18\x03 \x01(\fB\x06\xbaH\x03\xc8\x01\x01R\x0fresourcePayload\x12\x1e\n" + + "\x06action\x18\x04 \x01(\tB\x06\xbaH\x03\xc8\x01\x01R\x06actionJ\x04\b\x01\x10\x02\"\x88\x01\n" + + "\x11ReconcileResponse\x12#\n" + + "\rerror_message\x18\x01 \x01(\tR\ferrorMessage\x12'\n" + + "\x0ftransient_error\x18\x02 \x01(\bR\x0etransientError\x12%\n" + + "\x0eexecution_plan\x18\x03 \x01(\fR\rexecutionPlan2l\n" + + "\n" + + "Reconciler\x12^\n" + + "\tReconcile\x12'.krypton.reconciler.v1.ReconcileRequest\x1a(.krypton.reconciler.v1.ReconcileResponseB\xe9\x01\n" + + "\x19com.krypton.reconciler.v1B\x0fReconcilerProtoP\x01ZEgithub.com/openkcm/plugin-sdk/proto/plugin/reconciler/v1;reconcilerv1\xa2\x02\x03KRX\xaa\x02\x15Krypton.Reconciler.V1\xca\x02\x15Krypton\\Reconciler\\V1\xe2\x02!Krypton\\Reconciler\\V1\\GPBMetadata\xea\x02\x17Krypton::Reconciler::V1b\x06proto3" + +var ( + file_plugin_reconciler_v1_reconciler_proto_rawDescOnce sync.Once + file_plugin_reconciler_v1_reconciler_proto_rawDescData []byte +) + +func file_plugin_reconciler_v1_reconciler_proto_rawDescGZIP() []byte { + 
file_plugin_reconciler_v1_reconciler_proto_rawDescOnce.Do(func() { + file_plugin_reconciler_v1_reconciler_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_plugin_reconciler_v1_reconciler_proto_rawDesc), len(file_plugin_reconciler_v1_reconciler_proto_rawDesc))) + }) + return file_plugin_reconciler_v1_reconciler_proto_rawDescData +} + +var file_plugin_reconciler_v1_reconciler_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_plugin_reconciler_v1_reconciler_proto_goTypes = []any{ + (*ReconcileRequest)(nil), // 0: krypton.reconciler.v1.ReconcileRequest + (*ReconcileResponse)(nil), // 1: krypton.reconciler.v1.ReconcileResponse +} +var file_plugin_reconciler_v1_reconciler_proto_depIdxs = []int32{ + 0, // 0: krypton.reconciler.v1.Reconciler.Reconcile:input_type -> krypton.reconciler.v1.ReconcileRequest + 1, // 1: krypton.reconciler.v1.Reconciler.Reconcile:output_type -> krypton.reconciler.v1.ReconcileResponse + 1, // [1:2] is the sub-list for method output_type + 0, // [0:1] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_plugin_reconciler_v1_reconciler_proto_init() } +func file_plugin_reconciler_v1_reconciler_proto_init() { + if File_plugin_reconciler_v1_reconciler_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_plugin_reconciler_v1_reconciler_proto_rawDesc), len(file_plugin_reconciler_v1_reconciler_proto_rawDesc)), + NumEnums: 0, + NumMessages: 2, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_plugin_reconciler_v1_reconciler_proto_goTypes, + DependencyIndexes: file_plugin_reconciler_v1_reconciler_proto_depIdxs, + MessageInfos: file_plugin_reconciler_v1_reconciler_proto_msgTypes, + 
}.Build() + File_plugin_reconciler_v1_reconciler_proto = out.File + file_plugin_reconciler_v1_reconciler_proto_goTypes = nil + file_plugin_reconciler_v1_reconciler_proto_depIdxs = nil +} diff --git a/proto/plugin/reconciler/v1/reconciler.pb.validate.go b/proto/plugin/reconciler/v1/reconciler.pb.validate.go new file mode 100644 index 0000000..fac080e --- /dev/null +++ b/proto/plugin/reconciler/v1/reconciler.pb.validate.go 
@@ -0,0 +1,250 @@ +// Code generated by protoc-gen-validate. DO NOT EDIT. +// source: plugin/reconciler/v1/reconciler.proto + +package reconcilerv1 + +import ( + "bytes" + "errors" + "fmt" + "net" + "net/mail" + "net/url" + "regexp" + "sort" + "strings" + "time" + "unicode/utf8" + + "google.golang.org/protobuf/types/known/anypb" +) + +// ensure the imports are used +var ( + _ = bytes.MinRead + _ = errors.New("") + _ = fmt.Print + _ = utf8.UTFMax + _ = (*regexp.Regexp)(nil) + _ = (*strings.Reader)(nil) + _ = net.IPv4len + _ = time.Duration(0) + _ = (*url.URL)(nil) + _ = (*mail.Address)(nil) + _ = anypb.Any{} + _ = sort.Sort +) + +// Validate checks the field values on ReconcileRequest with the rules defined +// in the proto definition for this message. If any rules are violated, the +// first error encountered is returned, or nil if there are no violations. +func (m *ReconcileRequest) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on ReconcileRequest with the rules +// defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// ReconcileRequestMultiError, or nil if none found. +func (m *ReconcileRequest) ValidateAll() error { + return m.validate(true) +} + +func (m *ReconcileRequest) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for ApiGroup + + // no validation rules for ResourcePayload + + // no validation rules for Action + + if len(errors) > 0 { + return ReconcileRequestMultiError(errors) + } + + return nil +} + +// ReconcileRequestMultiError is an error wrapping multiple validation errors +// returned by ReconcileRequest.ValidateAll() if the designated constraints +// aren't met. +type ReconcileRequestMultiError []error + +// Error returns a concatenation of all the error messages it wraps. 
+func (m ReconcileRequestMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m ReconcileRequestMultiError) AllErrors() []error { return m } + +// ReconcileRequestValidationError is the validation error returned by +// ReconcileRequest.Validate if the designated constraints aren't met. +type ReconcileRequestValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e ReconcileRequestValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e ReconcileRequestValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e ReconcileRequestValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e ReconcileRequestValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e ReconcileRequestValidationError) ErrorName() string { return "ReconcileRequestValidationError" } + +// Error satisfies the builtin error interface +func (e ReconcileRequestValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sReconcileRequest.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = ReconcileRequestValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = ReconcileRequestValidationError{} + +// Validate checks the field values on ReconcileResponse with the rules defined +// in the proto definition for this message. If any rules are violated, the +// first error encountered is returned, or nil if there are no violations. 
+func (m *ReconcileResponse) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on ReconcileResponse with the rules +// defined in the proto definition for this message. If any rules are +// violated, the result is a list of violation errors wrapped in +// ReconcileResponseMultiError, or nil if none found. +func (m *ReconcileResponse) ValidateAll() error { + return m.validate(true) +} + +func (m *ReconcileResponse) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for ErrorMessage + + // no validation rules for TransientError + + // no validation rules for ExecutionPlan + + if len(errors) > 0 { + return ReconcileResponseMultiError(errors) + } + + return nil +} + +// ReconcileResponseMultiError is an error wrapping multiple validation errors +// returned by ReconcileResponse.ValidateAll() if the designated constraints +// aren't met. +type ReconcileResponseMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m ReconcileResponseMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m ReconcileResponseMultiError) AllErrors() []error { return m } + +// ReconcileResponseValidationError is the validation error returned by +// ReconcileResponse.Validate if the designated constraints aren't met. +type ReconcileResponseValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e ReconcileResponseValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e ReconcileResponseValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. 
+func (e ReconcileResponseValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e ReconcileResponseValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e ReconcileResponseValidationError) ErrorName() string { + return "ReconcileResponseValidationError" +} + +// Error satisfies the builtin error interface +func (e ReconcileResponseValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sReconcileResponse.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = ReconcileResponseValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = ReconcileResponseValidationError{} diff --git a/proto/plugin/reconciler/v1/reconciler.proto b/proto/plugin/reconciler/v1/reconciler.proto new file mode 100644 index 0000000..1fab7f2 --- /dev/null +++ b/proto/plugin/reconciler/v1/reconciler.proto 
@@ -0,0 +1,49 @@
+syntax = "proto3";
+
+package krypton.reconciler.v1;
+
+import "buf/validate/validate.proto";
+
+option go_package = "github.com/openkcm/krypton/proto/plugin/reconciler/v1;reconcilerv1";
+
+// Reconciler is the gRPC contract between Krypton core and an external
+// reconciler plugin. Core is the client; the plugin binary is the server.
+//
+// The plugin receives the raw extension payload for a custom resource kind
+// and returns an ExecutionPlan (AST) describing every key operation Krypton
+// must perform. The plugin never touches keys or state directly — it only
+// declares intent via the JSON-encoded AST. Core is the sole executor.
+service Reconciler {
+ rpc Reconcile(ReconcileRequest) returns (ReconcileResponse);
+}
+
+// ReconcileRequest carries everything the plugin needs to plan operations for
+// this resource. resource_payload is opaque to core and decoded only by the plugin.
+message ReconcileRequest {
+ reserved 1;
+
+ // api_group identifies the resource type family, e.g. "mycompany.kms/v1".
+ string api_group = 2 [(buf.validate.field).required = true];
+
+ // resource_payload is the JSON-encoded extension_key Struct from the original
+ // SyncResourceRequest. Core passes it unchanged; the plugin owns the schema.
+ bytes resource_payload = 3 [(buf.validate.field).required = true];
+
+ // action is the operation requested: "SYNC" or "DELETE".
+ string action = 4 [(buf.validate.field).required = true];
+}
+
+// ReconcileResponse is returned by the plugin and contains the execution plan.
+// Core decodes execution_plan as a JSON-encoded ast.ExecutionPlan and executes it.
+message ReconcileResponse {
+ // error_message non-empty means planning failed.
+ // transient_error = true → worker requeues up to max retries.
+ // transient_error = false → worker marks operation as terminally failed.
+ string error_message = 1;
+ bool transient_error = 2;
+
+ // execution_plan is a JSON-encoded ast.ExecutionPlan (see
+ // internal/modules/resource-reconciler/controller/ast). Empty means no-op.
+ bytes execution_plan = 3;
+}
+
diff --git a/proto/plugin/reconciler/v1/reconciler_ext_plugin.pb.go b/proto/plugin/reconciler/v1/reconciler_ext_plugin.pb.go
new file mode 100644
index 0000000..0156472
--- /dev/null
+++ b/proto/plugin/reconciler/v1/reconciler_ext_plugin.pb.go
@@ -0,0 +1,56 @@ +// Code generated by protoc-gen-go-extension. DO NOT EDIT. + +package reconcilerv1 + +import ( + grpc "google.golang.org/grpc" + + api "github.com/openkcm/plugin-sdk/api" +) + +const ( + Type = "Reconciler" + GRPCServiceFullName = "krypton.reconciler.v1.Reconciler" +) + +func ReconcilerPluginServer(server ReconcilerServer) api.PluginServer { + return reconcilerPluginServer{ReconcilerServer: server} +} + +type reconcilerPluginServer struct { + ReconcilerServer +} + +func (s reconcilerPluginServer) Type() string { + return Type +} + +func (s reconcilerPluginServer) GRPCServiceName() string { + return GRPCServiceFullName +} + +func (s reconcilerPluginServer) RegisterServer(server *grpc.Server) any { + RegisterReconcilerServer(server, s.ReconcilerServer) + return s.ReconcilerServer +} + +type ReconcilerPluginClient struct { + ReconcilerClient +} + +func (s ReconcilerPluginClient) Type() string { + return Type +} + +func (c *ReconcilerPluginClient) IsInitialized() bool { + return c.ReconcilerClient != nil +} + +func (c *ReconcilerPluginClient) GRPCServiceName() string { + return GRPCServiceFullName +} + +func (c *ReconcilerPluginClient) InitClient(conn grpc.ClientConnInterface) any { + c.ReconcilerClient = NewReconcilerClient(conn) + return c.ReconcilerClient +}
diff --git a/proto/plugin/reconciler/v1/reconciler_grpc.pb.go b/proto/plugin/reconciler/v1/reconciler_grpc.pb.go
new file mode 100644
index 0000000..79018ae
--- /dev/null
+++ b/proto/plugin/reconciler/v1/reconciler_grpc.pb.go
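Review bot: The `required` options on `api_group`, `resource_payload` and `action` in reconciler.proto are `buf.validate` annotations, but the validator generated in this patch (reconciler.pb.validate.go, from protoc-gen-validate) lists "no validation rules" for all three, so `ReconcileRequest.Validate()` returns nil for an empty request. If the constraints are meant to be enforced through protovalidate at runtime, a comment on the message should say so; otherwise callers of the generated `Validate()` get no check at the core/plugin boundary. `action` is also free-form although only "SYNC" and "DELETE" are documented; `string action = 4 [(buf.validate.field) = {required: true, string: {in: ["SYNC", "DELETE"]}}];` would reject anything else before a plugin plans key operations from it.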
@@ -0,0 +1,138 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.6.1 +// - protoc (unknown) +// source: plugin/reconciler/v1/reconciler.proto + +package reconcilerv1 + +import ( + context "context" + + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.64.0 or later. +const _ = grpc.SupportPackageIsVersion9 + +const ( + Reconciler_Reconcile_FullMethodName = "/krypton.reconciler.v1.Reconciler/Reconcile" +) + +// ReconcilerClient is the client API for Reconciler service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +// +// Reconciler is the gRPC contract between Krypton core and an external +// reconciler plugin. Core is the client; the plugin binary is the server. +// +// The plugin receives the raw extension payload for a custom resource kind +// and returns an ExecutionPlan (AST) describing every key operation Krypton +// must perform. The plugin never touches keys or state directly — it only +// declares intent via the JSON-encoded AST. Core is the sole executor. +type ReconcilerClient interface { + Reconcile(ctx context.Context, in *ReconcileRequest, opts ...grpc.CallOption) (*ReconcileResponse, error) +} + +type reconcilerClient struct { + cc grpc.ClientConnInterface +} + +func NewReconcilerClient(cc grpc.ClientConnInterface) ReconcilerClient { + return &reconcilerClient{cc} +} + +func (c *reconcilerClient) Reconcile(ctx context.Context, in *ReconcileRequest, opts ...grpc.CallOption) (*ReconcileResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) 
+ out := new(ReconcileResponse) + err := c.cc.Invoke(ctx, Reconciler_Reconcile_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +// ReconcilerServer is the server API for Reconciler service. +// All implementations must embed UnimplementedReconcilerServer +// for forward compatibility. +// +// Reconciler is the gRPC contract between Krypton core and an external +// reconciler plugin. Core is the client; the plugin binary is the server. +// +// The plugin receives the raw extension payload for a custom resource kind +// and returns an ExecutionPlan (AST) describing every key operation Krypton +// must perform. The plugin never touches keys or state directly — it only +// declares intent via the JSON-encoded AST. Core is the sole executor. +type ReconcilerServer interface { + Reconcile(context.Context, *ReconcileRequest) (*ReconcileResponse, error) + mustEmbedUnimplementedReconcilerServer() +} + +// UnimplementedReconcilerServer must be embedded to have +// forward compatible implementations. +// +// NOTE: this should be embedded by value instead of pointer to avoid a nil +// pointer dereference when methods are called. +type UnimplementedReconcilerServer struct{} + +func (UnimplementedReconcilerServer) Reconcile(context.Context, *ReconcileRequest) (*ReconcileResponse, error) { + return nil, status.Error(codes.Unimplemented, "method Reconcile not implemented") +} +func (UnimplementedReconcilerServer) mustEmbedUnimplementedReconcilerServer() {} +func (UnimplementedReconcilerServer) testEmbeddedByValue() {} + +// UnsafeReconcilerServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to ReconcilerServer will +// result in compilation errors. 
+type UnsafeReconcilerServer interface { + mustEmbedUnimplementedReconcilerServer() +} + +func RegisterReconcilerServer(s grpc.ServiceRegistrar, srv ReconcilerServer) { + // If the following call panics, it indicates UnimplementedReconcilerServer was + // embedded by pointer and is nil. This will cause panics if an + // unimplemented method is ever invoked, so we test this at initialization + // time to prevent it from happening at runtime later due to I/O. + if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { + t.testEmbeddedByValue() + } + s.RegisterService(&Reconciler_ServiceDesc, srv) +} + +func _Reconciler_Reconcile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(ReconcileRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(ReconcilerServer).Reconcile(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: Reconciler_Reconcile_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(ReconcilerServer).Reconcile(ctx, req.(*ReconcileRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// Reconciler_ServiceDesc is the grpc.ServiceDesc for Reconciler service. +// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var Reconciler_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "krypton.reconciler.v1.Reconciler", + HandlerType: (*ReconcilerServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "Reconcile", + Handler: _Reconciler_Reconcile_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "plugin/reconciler/v1/reconciler.proto", +} diff --git a/proto/plugin/systeminformation/v1/systeminformation_ext_plugin.pb.go b/proto/plugin/systeminformation/v1/systeminformation_ext_plugin.pb.go index b2cb7a4..ed262bd 100644 
--- a/proto/plugin/systeminformation/v1/systeminformation_ext_plugin.pb.go +++ b/proto/plugin/systeminformation/v1/systeminformation_ext_plugin.pb.go @@ -9,7 +9,7 @@ import ( ) const ( - Type = "SystemInformationService" + Type = "SystemInformation" GRPCServiceFullName = "plugin.systeminformation.v1.SystemInformationService" ) diff --git a/proto/plugin/test/v1/test_ext_plugin.pb.go b/proto/plugin/test/v1/test_ext_plugin.pb.go index c51e1b9..bac0b2f 100644 --- a/proto/plugin/test/v1/test_ext_plugin.pb.go +++ b/proto/plugin/test/v1/test_ext_plugin.pb.go @@ -9,7 +9,7 @@ import ( ) const ( - Type = "TestService" + Type = "Test" GRPCServiceFullName = "plugin.test.v1.TestService" ) From 3c4a6be3704969157fb2b57574b7bc266860d191 Mon Sep 17 00:00:00 2001 From: Nicolae Nicora Date: Wed, 20 May 2026 13:26:19 +0200 Subject: [PATCH 17/19] modify --- proto/plugin/reconciler/v1/reconciler.pb.go | 32 +++++++++++++++---- .../reconciler/v1/reconciler.pb.validate.go | 4 +++ proto/plugin/reconciler/v1/reconciler.proto | 12 ++++--- 3 files changed, 36 insertions(+), 12 deletions(-) diff --git a/proto/plugin/reconciler/v1/reconciler.pb.go b/proto/plugin/reconciler/v1/reconciler.pb.go index 0cb2ef3..903b94a 100644 --- a/proto/plugin/reconciler/v1/reconciler.pb.go +++ b/proto/plugin/reconciler/v1/reconciler.pb.go 
@@ -28,12 +28,14 @@ const ( type ReconcileRequest struct { state protoimpl.MessageState `protogen:"open.v1"` // api_group identifies the resource type family, e.g. "mycompany.kms/v1". - ApiGroup string `protobuf:"bytes,2,opt,name=api_group,json=apiGroup,proto3" json:"api_group,omitempty"` + ApiGroup string `protobuf:"bytes,1,opt,name=api_group,json=apiGroup,proto3" json:"api_group,omitempty"` + Kind string `protobuf:"bytes,2,opt,name=kind,proto3" json:"kind,omitempty"` + Name string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"` // resource_payload is the JSON-encoded extension_key Struct from the original // SyncResourceRequest. Core passes it unchanged; the plugin owns the schema. - ResourcePayload []byte `protobuf:"bytes,3,opt,name=resource_payload,json=resourcePayload,proto3" json:"resource_payload,omitempty"` + ResourcePayload []byte `protobuf:"bytes,4,opt,name=resource_payload,json=resourcePayload,proto3" json:"resource_payload,omitempty"` // action is the operation requested: "SYNC" or "DELETE". - Action string `protobuf:"bytes,4,opt,name=action,proto3" json:"action,omitempty"` + Action string `protobuf:"bytes,5,opt,name=action,proto3" json:"action,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } @@ -75,6 +77,20 @@ func (x *ReconcileRequest) GetApiGroup() string { return "" } +func (x *ReconcileRequest) GetKind() string { + if x != nil { + return x.Kind + } + return "" +} + +func (x *ReconcileRequest) GetName() string { + if x != nil { + return x.Name + } + return "" +} + func (x *ReconcileRequest) GetResourcePayload() []byte { if x != nil { return x.ResourcePayload 
@@ -160,11 +176,13 @@ var File_plugin_reconciler_v1_reconciler_proto protoreflect.FileDescriptor const file_plugin_reconciler_v1_reconciler_proto_rawDesc = "" + "\n" + - "%plugin/reconciler/v1/reconciler.proto\x12\x15krypton.reconciler.v1\x1a\x1bbuf/validate/validate.proto\"\x90\x01\n" + + "%plugin/reconciler/v1/reconciler.proto\x12\x15krypton.reconciler.v1\x1a\x1bbuf/validate/validate.proto\"\xc2\x01\n" + "\x10ReconcileRequest\x12#\n" + - "\tapi_group\x18\x02 \x01(\tB\x06\xbaH\x03\xc8\x01\x01R\bapiGroup\x121\n" + - "\x10resource_payload\x18\x03 \x01(\fB\x06\xbaH\x03\xc8\x01\x01R\x0fresourcePayload\x12\x1e\n" + - "\x06action\x18\x04 \x01(\tB\x06\xbaH\x03\xc8\x01\x01R\x06actionJ\x04\b\x01\x10\x02\"\x88\x01\n" + + "\tapi_group\x18\x01 \x01(\tB\x06\xbaH\x03\xc8\x01\x01R\bapiGroup\x12\x1a\n" + + "\x04kind\x18\x02 \x01(\tB\x06\xbaH\x03\xc8\x01\x01R\x04kind\x12\x1a\n" + + "\x04name\x18\x03 \x01(\tB\x06\xbaH\x03\xc8\x01\x01R\x04name\x121\n" + + "\x10resource_payload\x18\x04 \x01(\fB\x06\xbaH\x03\xc8\x01\x01R\x0fresourcePayload\x12\x1e\n" + + "\x06action\x18\x05 \x01(\tB\x06\xbaH\x03\xc8\x01\x01R\x06action\"\x88\x01\n" + "\x11ReconcileResponse\x12#\n" + "\rerror_message\x18\x01 \x01(\tR\ferrorMessage\x12'\n" + "\x0ftransient_error\x18\x02 \x01(\bR\x0etransientError\x12%\n" + diff --git a/proto/plugin/reconciler/v1/reconciler.pb.validate.go b/proto/plugin/reconciler/v1/reconciler.pb.validate.go index fac080e..17b68f1 100644 --- a/proto/plugin/reconciler/v1/reconciler.pb.validate.go +++ b/proto/plugin/reconciler/v1/reconciler.pb.validate.go @@ -59,6 +59,10 @@ func (m *ReconcileRequest) validate(all bool) error { // no validation rules for ApiGroup + // no validation rules for Kind + + // no validation rules for Name + // no validation rules for ResourcePayload // no validation rules for Action diff --git a/proto/plugin/reconciler/v1/reconciler.proto b/proto/plugin/reconciler/v1/reconciler.proto index 1fab7f2..1e10d1d 100644 --- a/proto/plugin/reconciler/v1/reconciler.proto 
+++ b/proto/plugin/reconciler/v1/reconciler.proto @@ -20,17 +20,19 @@ service Reconciler { // ReconcileRequest carries everything the plugin needs to plan operations for // this resource. resource_payload is opaque to core and decoded only by the plugin. message ReconcileRequest { - reserved 1; - // api_group identifies the resource type family, e.g. "mycompany.kms/v1". - string api_group = 2 [(buf.validate.field).required = true]; + string api_group = 1 [(buf.validate.field).required = true]; + + string kind = 2 [(buf.validate.field).required = true]; + + string name = 3 [(buf.validate.field).required = true]; // resource_payload is the JSON-encoded extension_key Struct from the original // SyncResourceRequest. Core passes it unchanged; the plugin owns the schema. - bytes resource_payload = 3 [(buf.validate.field).required = true]; + bytes resource_payload = 4 [(buf.validate.field).required = true]; // action is the operation requested: "SYNC" or "DELETE". - string action = 4 [(buf.validate.field).required = true]; + string action = 5 [(buf.validate.field).required = true]; } // ReconcileResponse is returned by the plugin and contains the execution plan. From ac8210d85bc28adc099b9b3c8a477f9445758077 Mon Sep 17 00:00:00 2001 
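Review bot: Renumbering the existing fields of `ReconcileRequest` in reconciler.proto breaks wire compatibility with any peer built from the earlier schema: `api_group` moves from tag 2 to 1 (dropping `reserved 1`), `resource_payload` from 3 to 4 and `action` from 4 to 5. A plugin still on the old numbering would read `kind` as `api_group`, `name` as `resource_payload` and the payload bytes as `action`; all of these are length-delimited, so the message decodes without a wire-type error and the plugin would plan key operations against the wrong inputs. Keeping the existing numbers and appending the new fields, `string kind = 5 [(buf.validate.field).required = true];` and `string name = 6 [(buf.validate.field).required = true];`, avoids this; if the schema has not been released yet, a comment saying so would settle it. `kind` and `name` also lack the doc comment their neighbouring fields have.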
From: Nicolae Nicora Date: Wed, 20 May 2026 14:11:27 +0200 Subject: [PATCH 18/19] modify --- .../cipher_wrapper/v1/cipher_wrapper.pb.go | 70 +- .../cipher_wrapper/v1/cipher_wrapper.proto | 2 +- .../v1/cipher_wrapper_ext_plugin.pb.go | 2 +- .../v1/cipher_wrapper_grpc.pb.go | 6 +- .../v1/key_material_storage.pb.go | 114 ++-- .../v1/key_material_storage.proto | 2 +- .../v1/key_material_storage_ext_plugin.pb.go | 2 +- .../v1/key_material_storage_grpc.pb.go | 10 +- proto/plugin/llm/v1/llm.pb.go | 62 +- proto/plugin/llm/v1/llm.proto | 4 +- proto/plugin/llm/v1/llm_ext_plugin.pb.go | 2 +- proto/plugin/llm/v1/llm_grpc.pb.go | 6 +- .../{reconciler => resources}/v1/ast.pb.go | 605 +++++++++--------- .../v1/ast.pb.validate.go | 2 +- .../{reconciler => resources}/v1/ast.proto | 4 +- .../v1/reconciler.pb.go | 74 +-- .../v1/reconciler.pb.validate.go | 2 +- .../v1/reconciler.proto | 3 +- .../v1/reconciler_ext_plugin.pb.go | 2 +- .../v1/reconciler_grpc.pb.go | 8 +- 20 files changed, 489 insertions(+), 493 deletions(-) rename proto/plugin/{reconciler => resources}/v1/ast.pb.go (67%) rename proto/plugin/{reconciler => resources}/v1/ast.pb.validate.go (99%) rename proto/plugin/{reconciler => resources}/v1/ast.proto (98%) rename proto/plugin/{reconciler => resources}/v1/reconciler.pb.go (65%) rename proto/plugin/{reconciler => resources}/v1/reconciler.pb.validate.go (99%) rename proto/plugin/{reconciler => resources}/v1/reconciler.proto (94%) rename proto/plugin/{reconciler => resources}/v1/reconciler_ext_plugin.pb.go (94%) rename proto/plugin/{reconciler => resources}/v1/reconciler_grpc.pb.go (95%) diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go index 5381580..094f23d 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go 
@@ -369,25 +369,25 @@ var File_plugin_cipher_wrapper_v1_cipher_wrapper_proto protoreflect.FileDescript const file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc = "" + "\n" + - "-plugin/cipher_wrapper/v1/cipher_wrapper.proto\x12\x19krypton.cipher_wrapper.v1\x1a\x1bbuf/validate/validate.proto\"\xe8\x01\n" + + "-plugin/cipher_wrapper/v1/cipher_wrapper.proto\x12 krypton.plugin.cipher_wrapper.v1\x1a\x1bbuf/validate/validate.proto\"\xef\x01\n" + "\fKeyReference\x12\x15\n" + "\x06key_id\x18\x01 \x01(\tR\x05keyId\x12\x1d\n" + - "\aversion\x18\x02 \x01(\tH\x00R\aversion\x88\x01\x01\x12W\n" + + "\aversion\x18\x02 \x01(\tH\x00R\aversion\x88\x01\x01\x12^\n" + "\n" + - "properties\x18\x03 \x03(\v27.krypton.cipher_wrapper.v1.KeyReference.PropertiesEntryR\n" + + "properties\x18\x03 \x03(\v2>.krypton.plugin.cipher_wrapper.v1.KeyReference.PropertiesEntryR\n" + "properties\x1a=\n" + "\x0fPropertiesEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\n" + "\n" + - "\b_version\"\xde\x02\n" + - "\vWrapRequest\x12A\n" + - "\x03key\x18\x01 \x01(\v2'.krypton.cipher_wrapper.v1.KeyReferenceB\x06\xbaH\x03\xc8\x01\x01R\x03key\x12(\n" + + "\b_version\"\xec\x02\n" + + "\vWrapRequest\x12H\n" + + "\x03key\x18\x01 \x01(\v2..krypton.plugin.cipher_wrapper.v1.KeyReferenceB\x06\xbaH\x03\xc8\x01\x01R\x03key\x12(\n" + "\tplaintext\x18\x02 \x01(\fB\n" + "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\tplaintext\x12\x15\n" + "\x03aad\x18\x03 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + - "\x02iv\x18\x04 \x01(\fH\x01R\x02iv\x88\x01\x01\x12d\n" + - "\x0fdynamic_context\x18\x84\a \x03(\v2:.krypton.cipher_wrapper.v1.WrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + + "\x02iv\x18\x04 \x01(\fH\x01R\x02iv\x88\x01\x01\x12k\n" + + "\x0fdynamic_context\x18\x84\a \x03(\v2A.krypton.plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + "\x13DynamicContextEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + 
"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x06\n" + 
@@ -400,27 +400,27 @@ const file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc = "" + "\x0ekey_version_id\x18\x02 \x01(\tH\x00R\fkeyVersionId\x88\x01\x01\x12\x13\n" + "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01B\x11\n" + "\x0f_key_version_idB\x05\n" + - "\x03_iv\"\xe4\x02\n" + - "\rUnwrapRequest\x12A\n" + - "\x03key\x18\x01 \x01(\v2'.krypton.cipher_wrapper.v1.KeyReferenceB\x06\xbaH\x03\xc8\x01\x01R\x03key\x12*\n" + + "\x03_iv\"\xf2\x02\n" + + "\rUnwrapRequest\x12H\n" + + "\x03key\x18\x01 \x01(\v2..krypton.plugin.cipher_wrapper.v1.KeyReferenceB\x06\xbaH\x03\xc8\x01\x01R\x03key\x12*\n" + "\n" + "ciphertext\x18\x02 \x01(\fB\n" + "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\n" + "ciphertext\x12\x15\n" + "\x03aad\x18\x03 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + - "\x02iv\x18\x04 \x01(\fH\x01R\x02iv\x88\x01\x01\x12f\n" + - "\x0fdynamic_context\x18\x84\a \x03(\v2<.krypton.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + + "\x02iv\x18\x04 \x01(\fH\x01R\x02iv\x88\x01\x01\x12m\n" + + "\x0fdynamic_context\x18\x84\a \x03(\v2C.krypton.plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + "\x13DynamicContextEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x06\n" + "\x04_aadB\x05\n" + "\x03_iv\".\n" + "\x0eUnwrapResponse\x12\x1c\n" + - "\tplaintext\x18\x01 \x01(\fR\tplaintext2\xc7\x01\n" + - "\rCipherWrapper\x12W\n" + - "\x04Wrap\x12&.krypton.cipher_wrapper.v1.WrapRequest\x1a'.krypton.cipher_wrapper.v1.WrapResponse\x12]\n" + - "\x06Unwrap\x12(.krypton.cipher_wrapper.v1.UnwrapRequest\x1a).krypton.cipher_wrapper.v1.UnwrapResponseB\x84\x02\n" + - 
"\x1dcom.krypton.cipher_wrapper.v1B\x12CipherWrapperProtoP\x01ZMgithub.com/openkcm/plugin-sdk/proto/plugin/cipher_wrapper/v1;cipher_wrapperv1\xa2\x02\x03KCX\xaa\x02\x18Krypton.CipherWrapper.V1\xca\x02\x18Krypton\\CipherWrapper\\V1\xe2\x02$Krypton\\CipherWrapper\\V1\\GPBMetadata\xea\x02\x1aKrypton::CipherWrapper::V1b\x06proto3" + "\tplaintext\x18\x01 \x01(\fR\tplaintext2\xe3\x01\n" + + "\rCipherWrapper\x12e\n" + + "\x04Wrap\x12-.krypton.plugin.cipher_wrapper.v1.WrapRequest\x1a..krypton.plugin.cipher_wrapper.v1.WrapResponse\x12k\n" + + "\x06Unwrap\x12/.krypton.plugin.cipher_wrapper.v1.UnwrapRequest\x1a0.krypton.plugin.cipher_wrapper.v1.UnwrapResponseB\xa8\x02\n" + + "$com.krypton.plugin.cipher_wrapper.v1B\x12CipherWrapperProtoP\x01ZMgithub.com/openkcm/plugin-sdk/proto/plugin/cipher_wrapper/v1;cipher_wrapperv1\xa2\x02\x03KPC\xaa\x02\x1fKrypton.Plugin.CipherWrapper.V1\xca\x02\x1fKrypton\\Plugin\\CipherWrapper\\V1\xe2\x02+Krypton\\Plugin\\CipherWrapper\\V1\\GPBMetadata\xea\x02\"Krypton::Plugin::CipherWrapper::V1b\x06proto3" var ( file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescOnce sync.Once 
@@ -436,25 +436,25 @@ func file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP() []byte { var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes = make([]protoimpl.MessageInfo, 8) var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_goTypes = []any{ - (*KeyReference)(nil), // 0: krypton.cipher_wrapper.v1.KeyReference - (*WrapRequest)(nil), // 1: krypton.cipher_wrapper.v1.WrapRequest - (*WrapResponse)(nil), // 2: krypton.cipher_wrapper.v1.WrapResponse - (*UnwrapRequest)(nil), // 3: krypton.cipher_wrapper.v1.UnwrapRequest - (*UnwrapResponse)(nil), // 4: krypton.cipher_wrapper.v1.UnwrapResponse - nil, // 5: krypton.cipher_wrapper.v1.KeyReference.PropertiesEntry - nil, // 6: krypton.cipher_wrapper.v1.WrapRequest.DynamicContextEntry - nil, // 7: krypton.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry + (*KeyReference)(nil), // 0: krypton.plugin.cipher_wrapper.v1.KeyReference + (*WrapRequest)(nil), // 1: krypton.plugin.cipher_wrapper.v1.WrapRequest + (*WrapResponse)(nil), // 2: krypton.plugin.cipher_wrapper.v1.WrapResponse + (*UnwrapRequest)(nil), // 3: krypton.plugin.cipher_wrapper.v1.UnwrapRequest + (*UnwrapResponse)(nil), // 4: krypton.plugin.cipher_wrapper.v1.UnwrapResponse + nil, // 5: krypton.plugin.cipher_wrapper.v1.KeyReference.PropertiesEntry + nil, // 6: krypton.plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntry + nil, // 7: krypton.plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry } var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_depIdxs = []int32{ - 5, // 0: krypton.cipher_wrapper.v1.KeyReference.properties:type_name -> krypton.cipher_wrapper.v1.KeyReference.PropertiesEntry - 0, // 1: krypton.cipher_wrapper.v1.WrapRequest.key:type_name -> krypton.cipher_wrapper.v1.KeyReference - 6, // 2: krypton.cipher_wrapper.v1.WrapRequest.dynamic_context:type_name -> krypton.cipher_wrapper.v1.WrapRequest.DynamicContextEntry - 0, // 3: krypton.cipher_wrapper.v1.UnwrapRequest.key:type_name -> 
krypton.cipher_wrapper.v1.KeyReference - 7, // 4: krypton.cipher_wrapper.v1.UnwrapRequest.dynamic_context:type_name -> krypton.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry - 1, // 5: krypton.cipher_wrapper.v1.CipherWrapper.Wrap:input_type -> krypton.cipher_wrapper.v1.WrapRequest - 3, // 6: krypton.cipher_wrapper.v1.CipherWrapper.Unwrap:input_type -> krypton.cipher_wrapper.v1.UnwrapRequest - 2, // 7: krypton.cipher_wrapper.v1.CipherWrapper.Wrap:output_type -> krypton.cipher_wrapper.v1.WrapResponse - 4, // 8: krypton.cipher_wrapper.v1.CipherWrapper.Unwrap:output_type -> krypton.cipher_wrapper.v1.UnwrapResponse + 5, // 0: krypton.plugin.cipher_wrapper.v1.KeyReference.properties:type_name -> krypton.plugin.cipher_wrapper.v1.KeyReference.PropertiesEntry + 0, // 1: krypton.plugin.cipher_wrapper.v1.WrapRequest.key:type_name -> krypton.plugin.cipher_wrapper.v1.KeyReference + 6, // 2: krypton.plugin.cipher_wrapper.v1.WrapRequest.dynamic_context:type_name -> krypton.plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntry + 0, // 3: krypton.plugin.cipher_wrapper.v1.UnwrapRequest.key:type_name -> krypton.plugin.cipher_wrapper.v1.KeyReference + 7, // 4: krypton.plugin.cipher_wrapper.v1.UnwrapRequest.dynamic_context:type_name -> krypton.plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry + 1, // 5: krypton.plugin.cipher_wrapper.v1.CipherWrapper.Wrap:input_type -> krypton.plugin.cipher_wrapper.v1.WrapRequest + 3, // 6: krypton.plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:input_type -> krypton.plugin.cipher_wrapper.v1.UnwrapRequest + 2, // 7: krypton.plugin.cipher_wrapper.v1.CipherWrapper.Wrap:output_type -> krypton.plugin.cipher_wrapper.v1.WrapResponse + 4, // 8: krypton.plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:output_type -> krypton.plugin.cipher_wrapper.v1.UnwrapResponse 7, // [7:9] is the sub-list for method output_type 5, // [5:7] is the sub-list for method input_type 5, // [5:5] is the sub-list for extension type_name 
diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto index 2e7b9dc..cff1318 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto @@ -1,6 +1,6 @@ syntax = "proto3"; -package krypton.cipher_wrapper.v1; +package krypton.plugin.cipher_wrapper.v1; import "buf/validate/validate.proto"; diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper_ext_plugin.pb.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper_ext_plugin.pb.go index ff7cecb..62dc7bc 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper_ext_plugin.pb.go +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper_ext_plugin.pb.go @@ -10,7 +10,7 @@ import ( const ( Type = "CipherWrapper" - GRPCServiceFullName = "krypton.cipher_wrapper.v1.CipherWrapper" + GRPCServiceFullName = "krypton.plugin.cipher_wrapper.v1.CipherWrapper" ) func CipherWrapperPluginServer(server CipherWrapperServer) api.PluginServer { diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper_grpc.pb.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper_grpc.pb.go index 7f804a9..f805cd3 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper_grpc.pb.go +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper_grpc.pb.go @@ -20,8 +20,8 @@ import ( const _ = grpc.SupportPackageIsVersion9 const ( - CipherWrapper_Wrap_FullMethodName = "/krypton.cipher_wrapper.v1.CipherWrapper/Wrap" - CipherWrapper_Unwrap_FullMethodName = "/krypton.cipher_wrapper.v1.CipherWrapper/Unwrap" + CipherWrapper_Wrap_FullMethodName = "/krypton.plugin.cipher_wrapper.v1.CipherWrapper/Wrap" + CipherWrapper_Unwrap_FullMethodName = "/krypton.plugin.cipher_wrapper.v1.CipherWrapper/Unwrap" ) // CipherWrapperClient is the client API for CipherWrapper service. 
@@ -159,7 +159,7 @@ func _CipherWrapper_Unwrap_Handler(srv interface{}, ctx context.Context, dec fun // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) var CipherWrapper_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "krypton.cipher_wrapper.v1.CipherWrapper", + ServiceName: "krypton.plugin.cipher_wrapper.v1.CipherWrapper", HandlerType: (*CipherWrapperServer)(nil), Methods: []grpc.MethodDesc{ { diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go index efaf7ac..b7c0445 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.pb.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage.pb.go @@ -753,7 +753,7 @@ var File_plugin_key_material_storage_v1_key_material_storage_proto protoreflect. const file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc = "" + "\n" + - "9plugin/key_material_storage/v1/key_material_storage.proto\x12\x1fkrypton.key_material_storage.v1\x1a\x1bbuf/validate/validate.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xa5\x03\n" + + "9plugin/key_material_storage/v1/key_material_storage.proto\x12&krypton.plugin.key_material_storage.v1\x1a\x1bbuf/validate/validate.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xac\x03\n" + "\vKeyMaterial\x12\x17\n" + "\x02id\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x02id\x12\x1b\n" + "\x04data\x18\x02 \x01(\fB\a\xbaH\x04z\x02\x10\x01R\x04data\x12%\n" + 
@@ -761,19 +761,19 @@ const file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc = " "\x13previous_version_id\x18\x04 \x01(\tH\x00R\x11previousVersionId\x88\x01\x01\x12\x1f\n" + "\bchecksum\x18\x05 \x01(\tH\x01R\bchecksum\x88\x01\x01\x129\n" + "\n" + - "created_at\x18\x06 \x01(\v2\x1a.google.protobuf.TimestampR\tcreatedAt\x12J\n" + - "\x04tags\x18\a \x03(\v26.krypton.key_material_storage.v1.KeyMaterial.TagsEntryR\x04tags\x1a7\n" + + "created_at\x18\x06 \x01(\v2\x1a.google.protobuf.TimestampR\tcreatedAt\x12Q\n" + + "\x04tags\x18\a \x03(\v2=.krypton.plugin.key_material_storage.v1.KeyMaterial.TagsEntryR\x04tags\x1a7\n" + "\tTagsEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x16\n" + "\x14_previous_version_idB\v\n" + - "\t_checksum\"\xda\x04\n" + - "\x06Filter\x12H\n" + - "\x02id\x18\x01 \x01(\v23.krypton.key_material_storage.v1.Filter.StringMatchH\x00R\x02id\x88\x01\x01\x12!\n" + - "\talgorithm\x18\x02 \x01(\tH\x01R\talgorithm\x88\x01\x01\x12E\n" + - "\x04tags\x18\x03 \x03(\v21.krypton.key_material_storage.v1.Filter.TagsEntryR\x04tags\x12U\n" + + "\t_checksum\"\xef\x04\n" + + "\x06Filter\x12O\n" + + "\x02id\x18\x01 \x01(\v2:.krypton.plugin.key_material_storage.v1.Filter.StringMatchH\x00R\x02id\x88\x01\x01\x12!\n" + + "\talgorithm\x18\x02 \x01(\tH\x01R\talgorithm\x88\x01\x01\x12L\n" + + "\x04tags\x18\x03 \x03(\v28.krypton.plugin.key_material_storage.v1.Filter.TagsEntryR\x04tags\x12\\\n" + "\n" + - "created_at\x18\x04 \x01(\v21.krypton.key_material_storage.v1.Filter.TimeRangeH\x02R\tcreatedAt\x88\x01\x01\x1a\x7f\n" + + "created_at\x18\x04 \x01(\v28.krypton.plugin.key_material_storage.v1.Filter.TimeRangeH\x02R\tcreatedAt\x88\x01\x01\x1a\x7f\n" + "\vStringMatch\x12\x18\n" + "\x06prefix\x18\x01 \x01(\tH\x00R\x06prefix\x12\x18\n" + "\x06suffix\x18\x02 \x01(\tH\x00R\x06suffix\x12\x1c\n" + 
@@ -789,36 +789,36 @@ const file_plugin_key_material_storage_v1_key_material_storage_proto_rawDesc = " "\x03_idB\f\n" + "\n" + "_algorithmB\r\n" + - "\v_created_at\"\xc4\x01\n" + + "\v_created_at\"\xcb\x01\n" + "\x0eListIDsRequest\x12%\n" + - "\tnamespace\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12D\n" + - "\x06filter\x18\x02 \x01(\v2'.krypton.key_material_storage.v1.FilterH\x00R\x06filter\x88\x01\x01\x12\x1b\n" + + "\tnamespace\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12K\n" + + "\x06filter\x18\x02 \x01(\v2..krypton.plugin.key_material_storage.v1.FilterH\x00R\x06filter\x88\x01\x01\x12\x1b\n" + "\tpage_size\x18\x03 \x01(\rR\bpageSize\x12\x1d\n" + "\n" + "page_token\x18\x04 \x01(\tR\tpageTokenB\t\n" + "\a_filter\"K\n" + "\x0fListIDsResponse\x12\x10\n" + "\x03ids\x18\x01 \x03(\tR\x03ids\x12&\n" + - "\x0fnext_page_token\x18\x02 \x01(\tR\rnextPageToken\"\x8e\x01\n" + + "\x0fnext_page_token\x18\x02 \x01(\tR\rnextPageToken\"\x95\x01\n" + "\fStoreRequest\x12%\n" + - "\tnamespace\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12W\n" + - "\fkey_material\x18\x02 \x01(\v2,.krypton.key_material_storage.v1.KeyMaterialB\x06\xbaH\x03\xc8\x01\x01R\vkeyMaterial\"\x0f\n" + + "\tnamespace\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12^\n" + + "\fkey_material\x18\x02 \x01(\v23.krypton.plugin.key_material_storage.v1.KeyMaterialB\x06\xbaH\x03\xc8\x01\x01R\vkeyMaterial\"\x0f\n" + "\rStoreResponse\"M\n" + "\vLoadRequest\x12%\n" + "\tnamespace\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12\x17\n" + - "\x02id\x18\x02 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x02id\"_\n" + - "\fLoadResponse\x12O\n" + - "\fkey_material\x18\x01 \x01(\v2,.krypton.key_material_storage.v1.KeyMaterialR\vkeyMaterial\"O\n" + + "\x02id\x18\x02 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x02id\"f\n" + + "\fLoadResponse\x12V\n" + + "\fkey_material\x18\x01 \x01(\v23.krypton.plugin.key_material_storage.v1.KeyMaterialR\vkeyMaterial\"O\n" + "\rDeleteRequest\x12%\n" + "\tnamespace\x18\x01 
\x01(\tB\a\xbaH\x04r\x02\x10\x01R\tnamespace\x12\x17\n" + "\x02id\x18\x02 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x02id\"\x10\n" + - "\x0eDeleteResponse2\xbc\x03\n" + - "\x12KeyMaterialStorage\x12f\n" + - "\x05Store\x12-.krypton.key_material_storage.v1.StoreRequest\x1a..krypton.key_material_storage.v1.StoreResponse\x12c\n" + - "\x04Load\x12,.krypton.key_material_storage.v1.LoadRequest\x1a-.krypton.key_material_storage.v1.LoadResponse\x12i\n" + - "\x06Delete\x12..krypton.key_material_storage.v1.DeleteRequest\x1a/.krypton.key_material_storage.v1.DeleteResponse\x12n\n" + - "\aListIDs\x12/.krypton.key_material_storage.v1.ListIDsRequest\x1a0.krypton.key_material_storage.v1.ListIDsResponse0\x01B\xaf\x02\n" + - "#com.krypton.key_material_storage.v1B\x17KeyMaterialStorageProtoP\x01ZYgithub.com/openkcm/plugin-sdk/proto/plugin/key_material_storage/v1;key_material_storagev1\xa2\x02\x03KKX\xaa\x02\x1dKrypton.KeyMaterialStorage.V1\xca\x02\x1dKrypton\\KeyMaterialStorage\\V1\xe2\x02)Krypton\\KeyMaterialStorage\\V1\\GPBMetadata\xea\x02\x1fKrypton::KeyMaterialStorage::V1b\x06proto3" + "\x0eDeleteResponse2\xf4\x03\n" + + "\x12KeyMaterialStorage\x12t\n" + + "\x05Store\x124.krypton.plugin.key_material_storage.v1.StoreRequest\x1a5.krypton.plugin.key_material_storage.v1.StoreResponse\x12q\n" + + "\x04Load\x123.krypton.plugin.key_material_storage.v1.LoadRequest\x1a4.krypton.plugin.key_material_storage.v1.LoadResponse\x12w\n" + + "\x06Delete\x125.krypton.plugin.key_material_storage.v1.DeleteRequest\x1a6.krypton.plugin.key_material_storage.v1.DeleteResponse\x12|\n" + + "\aListIDs\x126.krypton.plugin.key_material_storage.v1.ListIDsRequest\x1a7.krypton.plugin.key_material_storage.v1.ListIDsResponse0\x01B\xd3\x02\n" + + 
"*com.krypton.plugin.key_material_storage.v1B\x17KeyMaterialStorageProtoP\x01ZYgithub.com/openkcm/plugin-sdk/proto/plugin/key_material_storage/v1;key_material_storagev1\xa2\x02\x03KPK\xaa\x02$Krypton.Plugin.KeyMaterialStorage.V1\xca\x02$Krypton\\Plugin\\KeyMaterialStorage\\V1\xe2\x020Krypton\\Plugin\\KeyMaterialStorage\\V1\\GPBMetadata\xea\x02'Krypton::Plugin::KeyMaterialStorage::V1b\x06proto3" var ( file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescOnce sync.Once 
@@ -834,41 +834,41 @@ func file_plugin_key_material_storage_v1_key_material_storage_proto_rawDescGZIP( var file_plugin_key_material_storage_v1_key_material_storage_proto_msgTypes = make([]protoimpl.MessageInfo, 14) var file_plugin_key_material_storage_v1_key_material_storage_proto_goTypes = []any{ - (*KeyMaterial)(nil), // 0: krypton.key_material_storage.v1.KeyMaterial - (*Filter)(nil), // 1: krypton.key_material_storage.v1.Filter - (*ListIDsRequest)(nil), // 2: krypton.key_material_storage.v1.ListIDsRequest - (*ListIDsResponse)(nil), // 3: krypton.key_material_storage.v1.ListIDsResponse - (*StoreRequest)(nil), // 4: krypton.key_material_storage.v1.StoreRequest - (*StoreResponse)(nil), // 5: krypton.key_material_storage.v1.StoreResponse - (*LoadRequest)(nil), // 6: krypton.key_material_storage.v1.LoadRequest - (*LoadResponse)(nil), // 7: krypton.key_material_storage.v1.LoadResponse - (*DeleteRequest)(nil), // 8: krypton.key_material_storage.v1.DeleteRequest - (*DeleteResponse)(nil), // 9: krypton.key_material_storage.v1.DeleteResponse - nil, // 10: krypton.key_material_storage.v1.KeyMaterial.TagsEntry - (*Filter_StringMatch)(nil), // 11: krypton.key_material_storage.v1.Filter.StringMatch - nil, // 12: krypton.key_material_storage.v1.Filter.TagsEntry - (*Filter_TimeRange)(nil), // 13: krypton.key_material_storage.v1.Filter.TimeRange + (*KeyMaterial)(nil), // 0: krypton.plugin.key_material_storage.v1.KeyMaterial + (*Filter)(nil), // 1: krypton.plugin.key_material_storage.v1.Filter + (*ListIDsRequest)(nil), // 2: krypton.plugin.key_material_storage.v1.ListIDsRequest + (*ListIDsResponse)(nil), // 3: krypton.plugin.key_material_storage.v1.ListIDsResponse + (*StoreRequest)(nil), // 4: krypton.plugin.key_material_storage.v1.StoreRequest + (*StoreResponse)(nil), // 5: krypton.plugin.key_material_storage.v1.StoreResponse + (*LoadRequest)(nil), // 6: krypton.plugin.key_material_storage.v1.LoadRequest + (*LoadResponse)(nil), // 7: 
krypton.plugin.key_material_storage.v1.LoadResponse + (*DeleteRequest)(nil), // 8: krypton.plugin.key_material_storage.v1.DeleteRequest + (*DeleteResponse)(nil), // 9: krypton.plugin.key_material_storage.v1.DeleteResponse + nil, // 10: krypton.plugin.key_material_storage.v1.KeyMaterial.TagsEntry + (*Filter_StringMatch)(nil), // 11: krypton.plugin.key_material_storage.v1.Filter.StringMatch + nil, // 12: krypton.plugin.key_material_storage.v1.Filter.TagsEntry + (*Filter_TimeRange)(nil), // 13: krypton.plugin.key_material_storage.v1.Filter.TimeRange (*timestamppb.Timestamp)(nil), // 14: google.protobuf.Timestamp } var file_plugin_key_material_storage_v1_key_material_storage_proto_depIdxs = []int32{ - 14, // 0: krypton.key_material_storage.v1.KeyMaterial.created_at:type_name -> google.protobuf.Timestamp - 10, // 1: krypton.key_material_storage.v1.KeyMaterial.tags:type_name -> krypton.key_material_storage.v1.KeyMaterial.TagsEntry - 11, // 2: krypton.key_material_storage.v1.Filter.id:type_name -> krypton.key_material_storage.v1.Filter.StringMatch - 12, // 3: krypton.key_material_storage.v1.Filter.tags:type_name -> krypton.key_material_storage.v1.Filter.TagsEntry - 13, // 4: krypton.key_material_storage.v1.Filter.created_at:type_name -> krypton.key_material_storage.v1.Filter.TimeRange - 1, // 5: krypton.key_material_storage.v1.ListIDsRequest.filter:type_name -> krypton.key_material_storage.v1.Filter - 0, // 6: krypton.key_material_storage.v1.StoreRequest.key_material:type_name -> krypton.key_material_storage.v1.KeyMaterial - 0, // 7: krypton.key_material_storage.v1.LoadResponse.key_material:type_name -> krypton.key_material_storage.v1.KeyMaterial - 14, // 8: krypton.key_material_storage.v1.Filter.TimeRange.from:type_name -> google.protobuf.Timestamp - 14, // 9: krypton.key_material_storage.v1.Filter.TimeRange.to:type_name -> google.protobuf.Timestamp - 4, // 10: krypton.key_material_storage.v1.KeyMaterialStorage.Store:input_type -> 
krypton.key_material_storage.v1.StoreRequest - 6, // 11: krypton.key_material_storage.v1.KeyMaterialStorage.Load:input_type -> krypton.key_material_storage.v1.LoadRequest - 8, // 12: krypton.key_material_storage.v1.KeyMaterialStorage.Delete:input_type -> krypton.key_material_storage.v1.DeleteRequest - 2, // 13: krypton.key_material_storage.v1.KeyMaterialStorage.ListIDs:input_type -> krypton.key_material_storage.v1.ListIDsRequest - 5, // 14: krypton.key_material_storage.v1.KeyMaterialStorage.Store:output_type -> krypton.key_material_storage.v1.StoreResponse - 7, // 15: krypton.key_material_storage.v1.KeyMaterialStorage.Load:output_type -> krypton.key_material_storage.v1.LoadResponse - 9, // 16: krypton.key_material_storage.v1.KeyMaterialStorage.Delete:output_type -> krypton.key_material_storage.v1.DeleteResponse - 3, // 17: krypton.key_material_storage.v1.KeyMaterialStorage.ListIDs:output_type -> krypton.key_material_storage.v1.ListIDsResponse + 14, // 0: krypton.plugin.key_material_storage.v1.KeyMaterial.created_at:type_name -> google.protobuf.Timestamp + 10, // 1: krypton.plugin.key_material_storage.v1.KeyMaterial.tags:type_name -> krypton.plugin.key_material_storage.v1.KeyMaterial.TagsEntry + 11, // 2: krypton.plugin.key_material_storage.v1.Filter.id:type_name -> krypton.plugin.key_material_storage.v1.Filter.StringMatch + 12, // 3: krypton.plugin.key_material_storage.v1.Filter.tags:type_name -> krypton.plugin.key_material_storage.v1.Filter.TagsEntry + 13, // 4: krypton.plugin.key_material_storage.v1.Filter.created_at:type_name -> krypton.plugin.key_material_storage.v1.Filter.TimeRange + 1, // 5: krypton.plugin.key_material_storage.v1.ListIDsRequest.filter:type_name -> krypton.plugin.key_material_storage.v1.Filter + 0, // 6: krypton.plugin.key_material_storage.v1.StoreRequest.key_material:type_name -> krypton.plugin.key_material_storage.v1.KeyMaterial + 0, // 7: krypton.plugin.key_material_storage.v1.LoadResponse.key_material:type_name -> 
krypton.plugin.key_material_storage.v1.KeyMaterial + 14, // 8: krypton.plugin.key_material_storage.v1.Filter.TimeRange.from:type_name -> google.protobuf.Timestamp + 14, // 9: krypton.plugin.key_material_storage.v1.Filter.TimeRange.to:type_name -> google.protobuf.Timestamp + 4, // 10: krypton.plugin.key_material_storage.v1.KeyMaterialStorage.Store:input_type -> krypton.plugin.key_material_storage.v1.StoreRequest + 6, // 11: krypton.plugin.key_material_storage.v1.KeyMaterialStorage.Load:input_type -> krypton.plugin.key_material_storage.v1.LoadRequest + 8, // 12: krypton.plugin.key_material_storage.v1.KeyMaterialStorage.Delete:input_type -> krypton.plugin.key_material_storage.v1.DeleteRequest + 2, // 13: krypton.plugin.key_material_storage.v1.KeyMaterialStorage.ListIDs:input_type -> krypton.plugin.key_material_storage.v1.ListIDsRequest + 5, // 14: krypton.plugin.key_material_storage.v1.KeyMaterialStorage.Store:output_type -> krypton.plugin.key_material_storage.v1.StoreResponse + 7, // 15: krypton.plugin.key_material_storage.v1.KeyMaterialStorage.Load:output_type -> krypton.plugin.key_material_storage.v1.LoadResponse + 9, // 16: krypton.plugin.key_material_storage.v1.KeyMaterialStorage.Delete:output_type -> krypton.plugin.key_material_storage.v1.DeleteResponse + 3, // 17: krypton.plugin.key_material_storage.v1.KeyMaterialStorage.ListIDs:output_type -> krypton.plugin.key_material_storage.v1.ListIDsResponse 14, // [14:18] is the sub-list for method output_type 10, // [10:14] is the sub-list for method input_type 10, // [10:10] is the sub-list for extension type_name diff --git a/proto/plugin/key_material_storage/v1/key_material_storage.proto b/proto/plugin/key_material_storage/v1/key_material_storage.proto index f91cd0f..786f0a7 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage.proto +++ b/proto/plugin/key_material_storage/v1/key_material_storage.proto 
@@ -1,6 +1,6 @@ syntax = "proto3"; -package krypton.key_material_storage.v1; +package krypton.plugin.key_material_storage.v1; import "buf/validate/validate.proto"; import "google/protobuf/timestamp.proto"; diff --git a/proto/plugin/key_material_storage/v1/key_material_storage_ext_plugin.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage_ext_plugin.pb.go index b8aa587..fbb9f20 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage_ext_plugin.pb.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage_ext_plugin.pb.go @@ -10,7 +10,7 @@ import ( const ( Type = "KeyMaterialStorage" - GRPCServiceFullName = "krypton.key_material_storage.v1.KeyMaterialStorage" + GRPCServiceFullName = "krypton.plugin.key_material_storage.v1.KeyMaterialStorage" ) func KeyMaterialStoragePluginServer(server KeyMaterialStorageServer) api.PluginServer { diff --git a/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go b/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go index ec594a0..064b571 100644 --- a/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go +++ b/proto/plugin/key_material_storage/v1/key_material_storage_grpc.pb.go 
@@ -20,10 +20,10 @@ import ( const _ = grpc.SupportPackageIsVersion9 const ( - KeyMaterialStorage_Store_FullMethodName = "/krypton.key_material_storage.v1.KeyMaterialStorage/Store" - KeyMaterialStorage_Load_FullMethodName = "/krypton.key_material_storage.v1.KeyMaterialStorage/Load" - KeyMaterialStorage_Delete_FullMethodName = "/krypton.key_material_storage.v1.KeyMaterialStorage/Delete" - KeyMaterialStorage_ListIDs_FullMethodName = "/krypton.key_material_storage.v1.KeyMaterialStorage/ListIDs" + KeyMaterialStorage_Store_FullMethodName = "/krypton.plugin.key_material_storage.v1.KeyMaterialStorage/Store" + KeyMaterialStorage_Load_FullMethodName = "/krypton.plugin.key_material_storage.v1.KeyMaterialStorage/Load" + KeyMaterialStorage_Delete_FullMethodName = "/krypton.plugin.key_material_storage.v1.KeyMaterialStorage/Delete" + KeyMaterialStorage_ListIDs_FullMethodName = "/krypton.plugin.key_material_storage.v1.KeyMaterialStorage/ListIDs" ) // KeyMaterialStorageClient is the client API for KeyMaterialStorage service. @@ -221,7 +221,7 @@ type KeyMaterialStorage_ListIDsServer = grpc.ServerStreamingServer[ListIDsRespon // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) var KeyMaterialStorage_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "krypton.key_material_storage.v1.KeyMaterialStorage", + ServiceName: "krypton.plugin.key_material_storage.v1.KeyMaterialStorage", HandlerType: (*KeyMaterialStorageServer)(nil), Methods: []grpc.MethodDesc{ { diff --git a/proto/plugin/llm/v1/llm.pb.go b/proto/plugin/llm/v1/llm.pb.go index d067a63..084794d 100644 --- a/proto/plugin/llm/v1/llm.pb.go +++ b/proto/plugin/llm/v1/llm.pb.go 
@@ -344,35 +344,35 @@ var File_plugin_llm_v1_llm_proto protoreflect.FileDescriptor const file_plugin_llm_v1_llm_proto_rawDesc = "" + "\n" + - "\x17plugin/llm/v1/llm.proto\x12\x0ekrypton.llm.v1\"\xac\x02\n" + + "\x17plugin/llm/v1/llm.proto\x12\x15krypton.plugin.llm.v1\"\xb3\x02\n" + "\x0eFindingSummary\x12\x1a\n" + "\bcategory\x18\x01 \x01(\tR\bcategory\x12\x1a\n" + "\bseverity\x18\x02 \x01(\tR\bseverity\x12\x14\n" + "\x05title\x18\x03 \x01(\tR\x05title\x12 \n" + - "\vdescription\x18\x04 \x01(\tR\vdescription\x12d\n" + - "\x12aggregate_metadata\x18\x05 \x03(\v25.krypton.llm.v1.FindingSummary.AggregateMetadataEntryR\x11aggregateMetadata\x1aD\n" + + "\vdescription\x18\x04 \x01(\tR\vdescription\x12k\n" + + "\x12aggregate_metadata\x18\x05 \x03(\v2<.krypton.plugin.llm.v1.FindingSummary.AggregateMetadataEntryR\x11aggregateMetadata\x1aD\n" + "\x16AggregateMetadataEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"w\n" + "\x0fEnrichedFinding\x121\n" + "\x14enriched_description\x18\x01 \x01(\tR\x13enrichedDescription\x121\n" + - "\x14enriched_remediation\x18\x02 \x01(\tR\x13enrichedRemediation\"K\n" + - "\rEnrichRequest\x12:\n" + - "\bfindings\x18\x01 \x03(\v2\x1e.krypton.llm.v1.FindingSummaryR\bfindings\"M\n" + - "\x0eEnrichResponse\x12;\n" + - "\benriched\x18\x01 \x03(\v2\x1f.krypton.llm.v1.EnrichedFindingR\benriched\"\xca\x01\n" + + "\x14enriched_remediation\x18\x02 \x01(\tR\x13enrichedRemediation\"R\n" + + "\rEnrichRequest\x12A\n" + + "\bfindings\x18\x01 \x03(\v2%.krypton.plugin.llm.v1.FindingSummaryR\bfindings\"T\n" + + "\x0eEnrichResponse\x12B\n" + + "\benriched\x18\x01 \x03(\v2&.krypton.plugin.llm.v1.EnrichedFindingR\benriched\"\xd1\x01\n" + "\rAnswerRequest\x12\x1a\n" + - "\bquestion\x18\x01 \x01(\tR\bquestion\x12Z\n" + - "\x0fcontext_signals\x18\x02 \x03(\v21.krypton.llm.v1.AnswerRequest.ContextSignalsEntryR\x0econtextSignals\x1aA\n" + + "\bquestion\x18\x01 \x01(\tR\bquestion\x12a\n" + + 
"\x0fcontext_signals\x18\x02 \x03(\v28.krypton.plugin.llm.v1.AnswerRequest.ContextSignalsEntryR\x0econtextSignals\x1aA\n" + "\x13ContextSignalsEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"(\n" + "\x0eAnswerResponse\x12\x16\n" + - "\x06answer\x18\x01 \x01(\tR\x06answer2\x97\x01\n" + - "\x03LLM\x12G\n" + - "\x06Enrich\x12\x1d.krypton.llm.v1.EnrichRequest\x1a\x1e.krypton.llm.v1.EnrichResponse\x12G\n" + - "\x06Answer\x12\x1d.krypton.llm.v1.AnswerRequest\x1a\x1e.krypton.llm.v1.AnswerResponseB\xb1\x01\n" + - "\x12com.krypton.llm.v1B\bLlmProtoP\x01Z7github.com/openkcm/plugin-sdk/proto/plugin/llm/v1;llmv1\xa2\x02\x03KLX\xaa\x02\x0eKrypton.Llm.V1\xca\x02\x0eKrypton\\Llm\\V1\xe2\x02\x1aKrypton\\Llm\\V1\\GPBMetadata\xea\x02\x10Krypton::Llm::V1b\x06proto3" + "\x06answer\x18\x01 \x01(\tR\x06answer2\xb3\x01\n" + + "\x03LLM\x12U\n" + + "\x06Enrich\x12$.krypton.plugin.llm.v1.EnrichRequest\x1a%.krypton.plugin.llm.v1.EnrichResponse\x12U\n" + + "\x06Answer\x12$.krypton.plugin.llm.v1.AnswerRequest\x1a%.krypton.plugin.llm.v1.AnswerResponseB\xd5\x01\n" + + "\x19com.krypton.plugin.llm.v1B\bLlmProtoP\x01Z7github.com/openkcm/plugin-sdk/proto/plugin/llm/v1;llmv1\xa2\x02\x03KPL\xaa\x02\x15Krypton.Plugin.Llm.V1\xca\x02\x15Krypton\\Plugin\\Llm\\V1\xe2\x02!Krypton\\Plugin\\Llm\\V1\\GPBMetadata\xea\x02\x18Krypton::Plugin::Llm::V1b\x06proto3" var ( file_plugin_llm_v1_llm_proto_rawDescOnce sync.Once 
@@ -388,24 +388,24 @@ func file_plugin_llm_v1_llm_proto_rawDescGZIP() []byte { var file_plugin_llm_v1_llm_proto_msgTypes = make([]protoimpl.MessageInfo, 8) var file_plugin_llm_v1_llm_proto_goTypes = []any{ - (*FindingSummary)(nil), // 0: krypton.llm.v1.FindingSummary - (*EnrichedFinding)(nil), // 1: krypton.llm.v1.EnrichedFinding - (*EnrichRequest)(nil), // 2: krypton.llm.v1.EnrichRequest - (*EnrichResponse)(nil), // 3: krypton.llm.v1.EnrichResponse - (*AnswerRequest)(nil), // 4: krypton.llm.v1.AnswerRequest - (*AnswerResponse)(nil), // 5: krypton.llm.v1.AnswerResponse - nil, // 6: krypton.llm.v1.FindingSummary.AggregateMetadataEntry - nil, // 7: krypton.llm.v1.AnswerRequest.ContextSignalsEntry + (*FindingSummary)(nil), // 0: krypton.plugin.llm.v1.FindingSummary + (*EnrichedFinding)(nil), // 1: krypton.plugin.llm.v1.EnrichedFinding + (*EnrichRequest)(nil), // 2: krypton.plugin.llm.v1.EnrichRequest + (*EnrichResponse)(nil), // 3: krypton.plugin.llm.v1.EnrichResponse + (*AnswerRequest)(nil), // 4: krypton.plugin.llm.v1.AnswerRequest + (*AnswerResponse)(nil), // 5: krypton.plugin.llm.v1.AnswerResponse + nil, // 6: krypton.plugin.llm.v1.FindingSummary.AggregateMetadataEntry + nil, // 7: krypton.plugin.llm.v1.AnswerRequest.ContextSignalsEntry } var file_plugin_llm_v1_llm_proto_depIdxs = []int32{ - 6, // 0: krypton.llm.v1.FindingSummary.aggregate_metadata:type_name -> krypton.llm.v1.FindingSummary.AggregateMetadataEntry - 0, // 1: krypton.llm.v1.EnrichRequest.findings:type_name -> krypton.llm.v1.FindingSummary - 1, // 2: krypton.llm.v1.EnrichResponse.enriched:type_name -> krypton.llm.v1.EnrichedFinding - 7, // 3: krypton.llm.v1.AnswerRequest.context_signals:type_name -> krypton.llm.v1.AnswerRequest.ContextSignalsEntry - 2, // 4: krypton.llm.v1.LLM.Enrich:input_type -> krypton.llm.v1.EnrichRequest - 4, // 5: krypton.llm.v1.LLM.Answer:input_type -> krypton.llm.v1.AnswerRequest - 3, // 6: krypton.llm.v1.LLM.Enrich:output_type -> krypton.llm.v1.EnrichResponse - 5, // 7: 
krypton.llm.v1.LLM.Answer:output_type -> krypton.llm.v1.AnswerResponse + 6, // 0: krypton.plugin.llm.v1.FindingSummary.aggregate_metadata:type_name -> krypton.plugin.llm.v1.FindingSummary.AggregateMetadataEntry + 0, // 1: krypton.plugin.llm.v1.EnrichRequest.findings:type_name -> krypton.plugin.llm.v1.FindingSummary + 1, // 2: krypton.plugin.llm.v1.EnrichResponse.enriched:type_name -> krypton.plugin.llm.v1.EnrichedFinding + 7, // 3: krypton.plugin.llm.v1.AnswerRequest.context_signals:type_name -> krypton.plugin.llm.v1.AnswerRequest.ContextSignalsEntry + 2, // 4: krypton.plugin.llm.v1.LLM.Enrich:input_type -> krypton.plugin.llm.v1.EnrichRequest + 4, // 5: krypton.plugin.llm.v1.LLM.Answer:input_type -> krypton.plugin.llm.v1.AnswerRequest + 3, // 6: krypton.plugin.llm.v1.LLM.Enrich:output_type -> krypton.plugin.llm.v1.EnrichResponse + 5, // 7: krypton.plugin.llm.v1.LLM.Answer:output_type -> krypton.plugin.llm.v1.AnswerResponse 6, // [6:8] is the sub-list for method output_type 4, // [4:6] is the sub-list for method input_type 4, // [4:4] is the sub-list for extension type_name diff --git a/proto/plugin/llm/v1/llm.proto b/proto/plugin/llm/v1/llm.proto index d6eb963..2d8d46b 100644 --- a/proto/plugin/llm/v1/llm.proto +++ b/proto/plugin/llm/v1/llm.proto @@ -1,8 +1,6 @@ syntax = "proto3"; -package krypton.llm.v1; - -option go_package = "github.com/openkcm/krypton/proto/plugin/llm/v1;llmv1"; +package krypton.plugin.llm.v1; // LLM is the plugin interface for AI language-model backends used by the // Advisor module. Only aggregate, privacy-safe statistics are ever transmitted — diff --git a/proto/plugin/llm/v1/llm_ext_plugin.pb.go b/proto/plugin/llm/v1/llm_ext_plugin.pb.go index 82c06ed..45daed2 100644 --- a/proto/plugin/llm/v1/llm_ext_plugin.pb.go +++ b/proto/plugin/llm/v1/llm_ext_plugin.pb.go 
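Review bot: Changing `package krypton.llm.v1;` to `package krypton.plugin.llm.v1;` in llm.proto while the directory and version stay `llm/v1` changes the gRPC service path (the regenerated `LLM_Enrich_FullMethodName` becomes `/krypton.plugin.llm.v1.LLM/Enrich`), and nothing in the .proto records that this is wire-incompatible. A plugin built against the old descriptor would presumably be treated as exposing an unknown service by a host built from this one, so I would add a comment above the package line, e.g. `// Renamed from krypton.llm.v1: the gRPC service path changed; host and plugins must be regenerated together.` The hunk also drops `option go_package`, yet the regenerated descriptor still carries `github.com/openkcm/plugin-sdk/proto/plugin/llm/v1;llmv1`, so the Go import path now appears to come from generator configuration outside this file; a one-line comment saying so would help anyone who runs protoc directly. The service comment that follows the package line continues outside the hunk.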
@@ -10,7 +10,7 @@ import ( const ( Type = "LLM" - GRPCServiceFullName = "krypton.llm.v1.LLM" + GRPCServiceFullName = "krypton.plugin.llm.v1.LLM" ) func LLMPluginServer(server LLMServer) api.PluginServer { diff --git a/proto/plugin/llm/v1/llm_grpc.pb.go b/proto/plugin/llm/v1/llm_grpc.pb.go index ca4467d..70ce9a4 100644 --- a/proto/plugin/llm/v1/llm_grpc.pb.go +++ b/proto/plugin/llm/v1/llm_grpc.pb.go @@ -20,8 +20,8 @@ import ( const _ = grpc.SupportPackageIsVersion9 const ( - LLM_Enrich_FullMethodName = "/krypton.llm.v1.LLM/Enrich" - LLM_Answer_FullMethodName = "/krypton.llm.v1.LLM/Answer" + LLM_Enrich_FullMethodName = "/krypton.plugin.llm.v1.LLM/Enrich" + LLM_Answer_FullMethodName = "/krypton.plugin.llm.v1.LLM/Answer" ) // LLMClient is the client API for LLM service. @@ -159,7 +159,7 @@ func _LLM_Answer_Handler(srv interface{}, ctx context.Context, dec func(interfac // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) var LLM_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "krypton.llm.v1.LLM", + ServiceName: "krypton.plugin.llm.v1.LLM", HandlerType: (*LLMServer)(nil), Methods: []grpc.MethodDesc{ { diff --git a/proto/plugin/reconciler/v1/ast.pb.go b/proto/plugin/resources/v1/ast.pb.go similarity index 67% rename from proto/plugin/reconciler/v1/ast.pb.go rename to proto/plugin/resources/v1/ast.pb.go index 92ade50..d3fb9a8 100644 --- a/proto/plugin/reconciler/v1/ast.pb.go +++ b/proto/plugin/resources/v1/ast.pb.go @@ -2,7 +2,7 @@ // versions: // protoc-gen-go v1.36.11 // protoc (unknown) -// source: plugin/reconciler/v1/ast.proto +// source: plugin/resources/v1/ast.proto package reconcilerv1 @@ -44,7 +44,7 @@ type ExecutionPlan struct { func (x *ExecutionPlan) Reset() { *x = ExecutionPlan{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[0] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[0] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -56,7 +56,7 @@ func (x *ExecutionPlan) String() string { func (*ExecutionPlan) ProtoMessage() {} func (x *ExecutionPlan) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[0] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[0] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -69,7 +69,7 @@ func (x *ExecutionPlan) ProtoReflect() protoreflect.Message { // Deprecated: Use ExecutionPlan.ProtoReflect.Descriptor instead. func (*ExecutionPlan) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{0} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{0} } func (x *ExecutionPlan) GetPlanId() string { @@ -129,7 +129,7 @@ type ASTNode struct { func (x *ASTNode) Reset() { *x = ASTNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[1] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[1] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -141,7 +141,7 @@ func (x *ASTNode) String() string { func (*ASTNode) ProtoMessage() {} func (x *ASTNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[1] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[1] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -154,7 +154,7 @@ func (x *ASTNode) ProtoReflect() protoreflect.Message { // Deprecated: Use ASTNode.ProtoReflect.Descriptor instead. func (*ASTNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{1} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{1} } func (x *ASTNode) GetNodeId() string { 
@@ -433,7 +433,7 @@ type SequenceNode struct { func (x *SequenceNode) Reset() { *x = SequenceNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[2] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -445,7 +445,7 @@ func (x *SequenceNode) String() string { func (*SequenceNode) ProtoMessage() {} func (x *SequenceNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[2] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[2] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -458,7 +458,7 @@ func (x *SequenceNode) ProtoReflect() protoreflect.Message { // Deprecated: Use SequenceNode.ProtoReflect.Descriptor instead. func (*SequenceNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{2} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{2} } func (x *SequenceNode) GetSteps() []*ASTNode { @@ -480,7 +480,7 @@ type ParallelNode struct { func (x *ParallelNode) Reset() { *x = ParallelNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[3] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -492,7 +492,7 @@ func (x *ParallelNode) String() string { func (*ParallelNode) ProtoMessage() {} func (x *ParallelNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[3] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[3] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -505,7 +505,7 @@ func (x *ParallelNode) ProtoReflect() protoreflect.Message { // Deprecated: Use ParallelNode.ProtoReflect.Descriptor instead. func (*ParallelNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{3} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{3} } func (x *ParallelNode) GetSteps() []*ASTNode { @@ -534,7 +534,7 @@ type ConditionalNode struct { func (x *ConditionalNode) Reset() { *x = ConditionalNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[4] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -546,7 +546,7 @@ func (x *ConditionalNode) String() string { func (*ConditionalNode) ProtoMessage() {} func (x *ConditionalNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[4] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[4] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -559,7 +559,7 @@ func (x *ConditionalNode) ProtoReflect() protoreflect.Message { // Deprecated: Use ConditionalNode.ProtoReflect.Descriptor instead. func (*ConditionalNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{4} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{4} } func (x *ConditionalNode) GetCondition() *Predicate { @@ -595,7 +595,7 @@ type TryCatchNode struct { func (x *TryCatchNode) Reset() { *x = TryCatchNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[5] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -607,7 +607,7 @@ func (x *TryCatchNode) String() string { func (*TryCatchNode) ProtoMessage() {} func (x *TryCatchNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[5] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[5] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -620,7 +620,7 @@ func (x *TryCatchNode) ProtoReflect() protoreflect.Message { // Deprecated: Use TryCatchNode.ProtoReflect.Descriptor instead. func (*TryCatchNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{5} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{5} } func (x *TryCatchNode) GetTryNode() *ASTNode { @@ -647,7 +647,7 @@ type CheckpointNode struct { func (x *CheckpointNode) Reset() { *x = CheckpointNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[6] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -659,7 +659,7 @@ func (x *CheckpointNode) String() string { func (*CheckpointNode) ProtoMessage() {} func (x *CheckpointNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[6] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[6] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -672,7 +672,7 @@ func (x *CheckpointNode) ProtoReflect() protoreflect.Message { // Deprecated: Use CheckpointNode.ProtoReflect.Descriptor instead. func (*CheckpointNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{6} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{6} } type AssertNode struct { 
@@ -685,7 +685,7 @@ type AssertNode struct { func (x *AssertNode) Reset() { *x = AssertNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[7] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[7] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -697,7 +697,7 @@ func (x *AssertNode) String() string { func (*AssertNode) ProtoMessage() {} func (x *AssertNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[7] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[7] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -710,7 +710,7 @@ func (x *AssertNode) ProtoReflect() protoreflect.Message { // Deprecated: Use AssertNode.ProtoReflect.Descriptor instead. func (*AssertNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{7} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{7} } func (x *AssertNode) GetCondition() *Predicate { @@ -748,7 +748,7 @@ type Predicate struct { func (x *Predicate) Reset() { *x = Predicate{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[8] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -760,7 +760,7 @@ func (x *Predicate) String() string { func (*Predicate) ProtoMessage() {} func (x *Predicate) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[8] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[8] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -773,7 +773,7 @@ func (x *Predicate) ProtoReflect() protoreflect.Message { // Deprecated: Use Predicate.ProtoReflect.Descriptor instead. func (*Predicate) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{8} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{8} } func (x *Predicate) GetExpr() isPredicate_Expr { @@ -903,7 +903,7 @@ type KeyExistsPredicate struct { func (x *KeyExistsPredicate) Reset() { *x = KeyExistsPredicate{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[9] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -915,7 +915,7 @@ func (x *KeyExistsPredicate) String() string { func (*KeyExistsPredicate) ProtoMessage() {} func (x *KeyExistsPredicate) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[9] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[9] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -928,7 +928,7 @@ func (x *KeyExistsPredicate) ProtoReflect() protoreflect.Message { // Deprecated: Use KeyExistsPredicate.ProtoReflect.Descriptor instead. func (*KeyExistsPredicate) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{9} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{9} } func (x *KeyExistsPredicate) GetTier() *ValueRef { @@ -960,7 +960,7 @@ type KeyStatePredicate struct { func (x *KeyStatePredicate) Reset() { *x = KeyStatePredicate{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[10] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[10] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -972,7 +972,7 @@ func (x *KeyStatePredicate) String() string { func (*KeyStatePredicate) ProtoMessage() {} func (x *KeyStatePredicate) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[10] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[10] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -985,7 +985,7 @@ func (x *KeyStatePredicate) ProtoReflect() protoreflect.Message { // Deprecated: Use KeyStatePredicate.ProtoReflect.Descriptor instead. func (*KeyStatePredicate) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{10} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{10} } func (x *KeyStatePredicate) GetTier() *ValueRef { @@ -1018,7 +1018,7 @@ type TenantActivePredicate struct { func (x *TenantActivePredicate) Reset() { *x = TenantActivePredicate{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[11] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[11] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1030,7 +1030,7 @@ func (x *TenantActivePredicate) String() string { func (*TenantActivePredicate) ProtoMessage() {} func (x *TenantActivePredicate) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[11] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[11] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1043,7 +1043,7 @@ func (x *TenantActivePredicate) ProtoReflect() protoreflect.Message { // Deprecated: Use TenantActivePredicate.ProtoReflect.Descriptor instead. func (*TenantActivePredicate) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{11} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{11} } func (x *TenantActivePredicate) GetTenantId() *ValueRef { 
@@ -1062,7 +1062,7 @@ type CredentialExistsPredicate struct { func (x *CredentialExistsPredicate) Reset() { *x = CredentialExistsPredicate{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[12] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[12] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1074,7 +1074,7 @@ func (x *CredentialExistsPredicate) String() string { func (*CredentialExistsPredicate) ProtoMessage() {} func (x *CredentialExistsPredicate) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[12] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[12] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1087,7 +1087,7 @@ func (x *CredentialExistsPredicate) ProtoReflect() protoreflect.Message { // Deprecated: Use CredentialExistsPredicate.ProtoReflect.Descriptor instead. func (*CredentialExistsPredicate) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{12} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{12} } func (x *CredentialExistsPredicate) GetName() *ValueRef { @@ -1106,7 +1106,7 @@ type AndPredicate struct { func (x *AndPredicate) Reset() { *x = AndPredicate{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[13] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[13] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1118,7 +1118,7 @@ func (x *AndPredicate) String() string { func (*AndPredicate) ProtoMessage() {} func (x *AndPredicate) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[13] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[13] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -1131,7 +1131,7 @@ func (x *AndPredicate) ProtoReflect() protoreflect.Message { // Deprecated: Use AndPredicate.ProtoReflect.Descriptor instead. func (*AndPredicate) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{13} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{13} } func (x *AndPredicate) GetTerms() []*Predicate { @@ -1150,7 +1150,7 @@ type OrPredicate struct { func (x *OrPredicate) Reset() { *x = OrPredicate{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[14] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[14] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1162,7 +1162,7 @@ func (x *OrPredicate) String() string { func (*OrPredicate) ProtoMessage() {} func (x *OrPredicate) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[14] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[14] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1175,7 +1175,7 @@ func (x *OrPredicate) ProtoReflect() protoreflect.Message { // Deprecated: Use OrPredicate.ProtoReflect.Descriptor instead. func (*OrPredicate) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{14} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{14} } func (x *OrPredicate) GetTerms() []*Predicate { @@ -1194,7 +1194,7 @@ type NotPredicate struct { func (x *NotPredicate) Reset() { *x = NotPredicate{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[15] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[15] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -1206,7 +1206,7 @@ func (x *NotPredicate) String() string { func (*NotPredicate) ProtoMessage() {} func (x *NotPredicate) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[15] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[15] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1219,7 +1219,7 @@ func (x *NotPredicate) ProtoReflect() protoreflect.Message { // Deprecated: Use NotPredicate.ProtoReflect.Descriptor instead. func (*NotPredicate) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{15} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{15} } func (x *NotPredicate) GetTerm() *Predicate { @@ -1246,7 +1246,7 @@ type ValueRef struct { func (x *ValueRef) Reset() { *x = ValueRef{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[16] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[16] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1258,7 +1258,7 @@ func (x *ValueRef) String() string { func (*ValueRef) ProtoMessage() {} func (x *ValueRef) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[16] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[16] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1271,7 +1271,7 @@ func (x *ValueRef) ProtoReflect() protoreflect.Message { // Deprecated: Use ValueRef.ProtoReflect.Descriptor instead. func (*ValueRef) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{16} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{16} } func (x *ValueRef) GetKind() isValueRef_Kind { 
@@ -1338,7 +1338,7 @@ type KeySyncNode struct { func (x *KeySyncNode) Reset() { *x = KeySyncNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[17] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[17] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1350,7 +1350,7 @@ func (x *KeySyncNode) String() string { func (*KeySyncNode) ProtoMessage() {} func (x *KeySyncNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[17] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[17] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1363,7 +1363,7 @@ func (x *KeySyncNode) ProtoReflect() protoreflect.Message { // Deprecated: Use KeySyncNode.ProtoReflect.Descriptor instead. func (*KeySyncNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{17} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{17} } func (x *KeySyncNode) GetTier() *ValueRef { @@ -1413,7 +1413,7 @@ type KeyDeleteNode struct { func (x *KeyDeleteNode) Reset() { *x = KeyDeleteNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[18] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[18] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1425,7 +1425,7 @@ func (x *KeyDeleteNode) String() string { func (*KeyDeleteNode) ProtoMessage() {} func (x *KeyDeleteNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[18] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[18] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -1438,7 +1438,7 @@ func (x *KeyDeleteNode) ProtoReflect() protoreflect.Message { // Deprecated: Use KeyDeleteNode.ProtoReflect.Descriptor instead. func (*KeyDeleteNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{18} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{18} } func (x *KeyDeleteNode) GetTier() *ValueRef { @@ -1470,7 +1470,7 @@ type KeyTransitionNode struct { func (x *KeyTransitionNode) Reset() { *x = KeyTransitionNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[19] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[19] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1482,7 +1482,7 @@ func (x *KeyTransitionNode) String() string { func (*KeyTransitionNode) ProtoMessage() {} func (x *KeyTransitionNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[19] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[19] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1495,7 +1495,7 @@ func (x *KeyTransitionNode) ProtoReflect() protoreflect.Message { // Deprecated: Use KeyTransitionNode.ProtoReflect.Descriptor instead. func (*KeyTransitionNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{19} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{19} } func (x *KeyTransitionNode) GetTier() *ValueRef { @@ -1532,7 +1532,7 @@ type KeyRotateNode struct { func (x *KeyRotateNode) Reset() { *x = KeyRotateNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[20] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[20] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -1544,7 +1544,7 @@ func (x *KeyRotateNode) String() string { func (*KeyRotateNode) ProtoMessage() {} func (x *KeyRotateNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[20] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[20] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1557,7 +1557,7 @@ func (x *KeyRotateNode) ProtoReflect() protoreflect.Message { // Deprecated: Use KeyRotateNode.ProtoReflect.Descriptor instead. func (*KeyRotateNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{20} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{20} } func (x *KeyRotateNode) GetTier() *ValueRef { @@ -1586,7 +1586,7 @@ type KeyScheduleNode struct { func (x *KeyScheduleNode) Reset() { *x = KeyScheduleNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[21] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[21] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1598,7 +1598,7 @@ func (x *KeyScheduleNode) String() string { func (*KeyScheduleNode) ProtoMessage() {} func (x *KeyScheduleNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[21] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[21] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1611,7 +1611,7 @@ func (x *KeyScheduleNode) ProtoReflect() protoreflect.Message { // Deprecated: Use KeyScheduleNode.ProtoReflect.Descriptor instead. func (*KeyScheduleNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{21} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{21} } func (x *KeyScheduleNode) GetTier() *ValueRef { 
@@ -1649,7 +1649,7 @@ type KeyScheduleSpec struct { func (x *KeyScheduleSpec) Reset() { *x = KeyScheduleSpec{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[22] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[22] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1661,7 +1661,7 @@ func (x *KeyScheduleSpec) String() string { func (*KeyScheduleSpec) ProtoMessage() {} func (x *KeyScheduleSpec) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[22] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[22] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1674,7 +1674,7 @@ func (x *KeyScheduleSpec) ProtoReflect() protoreflect.Message { // Deprecated: Use KeyScheduleSpec.ProtoReflect.Descriptor instead. func (*KeyScheduleSpec) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{22} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{22} } func (x *KeyScheduleSpec) GetExpiresAt() *timestamppb.Timestamp { @@ -1711,7 +1711,7 @@ type CredentialSyncNode struct { func (x *CredentialSyncNode) Reset() { *x = CredentialSyncNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[23] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[23] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1723,7 +1723,7 @@ func (x *CredentialSyncNode) String() string { func (*CredentialSyncNode) ProtoMessage() {} func (x *CredentialSyncNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[23] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[23] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -1736,7 +1736,7 @@ func (x *CredentialSyncNode) ProtoReflect() protoreflect.Message { // Deprecated: Use CredentialSyncNode.ProtoReflect.Descriptor instead. func (*CredentialSyncNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{23} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{23} } func (x *CredentialSyncNode) GetName() *ValueRef { @@ -1770,7 +1770,7 @@ type CredentialDeleteNode struct { func (x *CredentialDeleteNode) Reset() { *x = CredentialDeleteNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[24] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[24] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1782,7 +1782,7 @@ func (x *CredentialDeleteNode) String() string { func (*CredentialDeleteNode) ProtoMessage() {} func (x *CredentialDeleteNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[24] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[24] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1795,7 +1795,7 @@ func (x *CredentialDeleteNode) ProtoReflect() protoreflect.Message { // Deprecated: Use CredentialDeleteNode.ProtoReflect.Descriptor instead. func (*CredentialDeleteNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{24} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{24} } func (x *CredentialDeleteNode) GetName() *ValueRef { @@ -1817,7 +1817,7 @@ type BindNode struct { func (x *BindNode) Reset() { *x = BindNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[25] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[25] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -1829,7 +1829,7 @@ func (x *BindNode) String() string { func (*BindNode) ProtoMessage() {} func (x *BindNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[25] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[25] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1842,7 +1842,7 @@ func (x *BindNode) ProtoReflect() protoreflect.Message { // Deprecated: Use BindNode.ProtoReflect.Descriptor instead. func (*BindNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{25} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{25} } func (x *BindNode) GetVarName() string { @@ -1870,7 +1870,7 @@ type EmitNode struct { func (x *EmitNode) Reset() { *x = EmitNode{} - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[26] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[26] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1882,7 +1882,7 @@ func (x *EmitNode) String() string { func (*EmitNode) ProtoMessage() {} func (x *EmitNode) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_ast_proto_msgTypes[26] + mi := &file_plugin_resources_v1_ast_proto_msgTypes[26] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1895,7 +1895,7 @@ func (x *EmitNode) ProtoReflect() protoreflect.Message { // Deprecated: Use EmitNode.ProtoReflect.Descriptor instead. func (*EmitNode) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_ast_proto_rawDescGZIP(), []int{26} + return file_plugin_resources_v1_ast_proto_rawDescGZIP(), []int{26} } func (x *EmitNode) GetEventType() string { 
@@ -1912,118 +1912,119 @@ func (x *EmitNode) GetAttributes() map[string]string { return nil } -var File_plugin_reconciler_v1_ast_proto protoreflect.FileDescriptor +var File_plugin_resources_v1_ast_proto protoreflect.FileDescriptor -const file_plugin_reconciler_v1_ast_proto_rawDesc = "" + +const file_plugin_resources_v1_ast_proto_rawDesc = "" + "\n" + - "\x1eplugin/reconciler/v1/ast.proto\x12\x15krypton.reconciler.v1\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xe9\x01\n" + + "\x1dplugin/resources/v1/ast.proto\x12\x1fkrypton.resources.reconciler.v1\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xfd\x01\n" + "\rExecutionPlan\x12\x17\n" + - "\aplan_id\x18\x01 \x01(\tR\x06planId\x122\n" + - "\x04root\x18\x02 \x01(\v2\x1e.krypton.reconciler.v1.ASTNodeR\x04root\x12N\n" + - "\bbindings\x18\x03 \x03(\v22.krypton.reconciler.v1.ExecutionPlan.BindingsEntryR\bbindings\x1a;\n" + + "\aplan_id\x18\x01 \x01(\tR\x06planId\x12<\n" + + "\x04root\x18\x02 \x01(\v2(.krypton.resources.reconciler.v1.ASTNodeR\x04root\x12X\n" + + "\bbindings\x18\x03 \x03(\v2<.krypton.resources.reconciler.v1.ExecutionPlan.BindingsEntryR\bbindings\x1a;\n" + "\rBindingsEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + - "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\x8a\t\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\xa0\n" + + "\n" + "\aASTNode\x12\x17\n" + "\anode_id\x18\x01 \x01(\tR\x06nodeId\x12\x14\n" + "\x05label\x18\x02 \x01(\tR\x05label\x12\x1d\n" + "\n" + - "result_var\x18\x03 \x01(\tR\tresultVar\x12A\n" + + "result_var\x18\x03 \x01(\tR\tresultVar\x12K\n" + "\bsequence\x18\n" + - " \x01(\v2#.krypton.reconciler.v1.SequenceNodeH\x00R\bsequence\x12A\n" + - "\bparallel\x18\v \x01(\v2#.krypton.reconciler.v1.ParallelNodeH\x00R\bparallel\x12J\n" + - "\vconditional\x18\f \x01(\v2&.krypton.reconciler.v1.ConditionalNodeH\x00R\vconditional\x12B\n" + - "\ttry_catch\x18\r 
\x01(\v2#.krypton.reconciler.v1.TryCatchNodeH\x00R\btryCatch\x12G\n" + + " \x01(\v2-.krypton.resources.reconciler.v1.SequenceNodeH\x00R\bsequence\x12K\n" + + "\bparallel\x18\v \x01(\v2-.krypton.resources.reconciler.v1.ParallelNodeH\x00R\bparallel\x12T\n" + + "\vconditional\x18\f \x01(\v20.krypton.resources.reconciler.v1.ConditionalNodeH\x00R\vconditional\x12L\n" + + "\ttry_catch\x18\r \x01(\v2-.krypton.resources.reconciler.v1.TryCatchNodeH\x00R\btryCatch\x12Q\n" + "\n" + - "checkpoint\x18\x0e \x01(\v2%.krypton.reconciler.v1.CheckpointNodeH\x00R\n" + - "checkpoint\x12;\n" + - "\x06assert\x18\x14 \x01(\v2!.krypton.reconciler.v1.AssertNodeH\x00R\x06assert\x12?\n" + - "\bkey_sync\x18\x1e \x01(\v2\".krypton.reconciler.v1.KeySyncNodeH\x00R\akeySync\x12E\n" + + "checkpoint\x18\x0e \x01(\v2/.krypton.resources.reconciler.v1.CheckpointNodeH\x00R\n" + + "checkpoint\x12E\n" + + "\x06assert\x18\x14 \x01(\v2+.krypton.resources.reconciler.v1.AssertNodeH\x00R\x06assert\x12I\n" + + "\bkey_sync\x18\x1e \x01(\v2,.krypton.resources.reconciler.v1.KeySyncNodeH\x00R\akeySync\x12O\n" + "\n" + - "key_delete\x18\x1f \x01(\v2$.krypton.reconciler.v1.KeyDeleteNodeH\x00R\tkeyDelete\x12Q\n" + - "\x0ekey_transition\x18 \x01(\v2(.krypton.reconciler.v1.KeyTransitionNodeH\x00R\rkeyTransition\x12E\n" + + "key_delete\x18\x1f \x01(\v2..krypton.resources.reconciler.v1.KeyDeleteNodeH\x00R\tkeyDelete\x12[\n" + + "\x0ekey_transition\x18 \x01(\v22.krypton.resources.reconciler.v1.KeyTransitionNodeH\x00R\rkeyTransition\x12O\n" + "\n" + - "key_rotate\x18! 
\x01(\v2$.krypton.reconciler.v1.KeyRotateNodeH\x00R\tkeyRotate\x12K\n" + - "\fkey_schedule\x18\" \x01(\v2&.krypton.reconciler.v1.KeyScheduleNodeH\x00R\vkeySchedule\x12T\n" + - "\x0fcredential_sync\x18( \x01(\v2).krypton.reconciler.v1.CredentialSyncNodeH\x00R\x0ecredentialSync\x12Z\n" + - "\x11credential_delete\x18) \x01(\v2+.krypton.reconciler.v1.CredentialDeleteNodeH\x00R\x10credentialDelete\x125\n" + - "\x04bind\x18< \x01(\v2\x1f.krypton.reconciler.v1.BindNodeH\x00R\x04bind\x125\n" + - "\x04emit\x18= \x01(\v2\x1f.krypton.reconciler.v1.EmitNodeH\x00R\x04emitB\x06\n" + - "\x04node\"D\n" + - "\fSequenceNode\x124\n" + - "\x05steps\x18\x01 \x03(\v2\x1e.krypton.reconciler.v1.ASTNodeR\x05steps\"a\n" + - "\fParallelNode\x124\n" + - "\x05steps\x18\x01 \x03(\v2\x1e.krypton.reconciler.v1.ASTNodeR\x05steps\x12\x1b\n" + - "\tfail_fast\x18\x02 \x01(\bR\bfailFast\"\xcb\x01\n" + - "\x0fConditionalNode\x12>\n" + - "\tcondition\x18\x01 \x01(\v2 .krypton.reconciler.v1.PredicateR\tcondition\x12;\n" + - "\tthen_node\x18\x02 \x01(\v2\x1e.krypton.reconciler.v1.ASTNodeR\bthenNode\x12;\n" + - "\telse_node\x18\x03 \x01(\v2\x1e.krypton.reconciler.v1.ASTNodeR\belseNode\"\x88\x01\n" + - "\fTryCatchNode\x129\n" + - "\btry_node\x18\x01 \x01(\v2\x1e.krypton.reconciler.v1.ASTNodeR\atryNode\x12=\n" + + "key_rotate\x18! 
\x01(\v2..krypton.resources.reconciler.v1.KeyRotateNodeH\x00R\tkeyRotate\x12U\n" + + "\fkey_schedule\x18\" \x01(\v20.krypton.resources.reconciler.v1.KeyScheduleNodeH\x00R\vkeySchedule\x12^\n" + + "\x0fcredential_sync\x18( \x01(\v23.krypton.resources.reconciler.v1.CredentialSyncNodeH\x00R\x0ecredentialSync\x12d\n" + + "\x11credential_delete\x18) \x01(\v25.krypton.resources.reconciler.v1.CredentialDeleteNodeH\x00R\x10credentialDelete\x12?\n" + + "\x04bind\x18< \x01(\v2).krypton.resources.reconciler.v1.BindNodeH\x00R\x04bind\x12?\n" + + "\x04emit\x18= \x01(\v2).krypton.resources.reconciler.v1.EmitNodeH\x00R\x04emitB\x06\n" + + "\x04node\"N\n" + + "\fSequenceNode\x12>\n" + + "\x05steps\x18\x01 \x03(\v2(.krypton.resources.reconciler.v1.ASTNodeR\x05steps\"k\n" + + "\fParallelNode\x12>\n" + + "\x05steps\x18\x01 \x03(\v2(.krypton.resources.reconciler.v1.ASTNodeR\x05steps\x12\x1b\n" + + "\tfail_fast\x18\x02 \x01(\bR\bfailFast\"\xe9\x01\n" + + "\x0fConditionalNode\x12H\n" + + "\tcondition\x18\x01 \x01(\v2*.krypton.resources.reconciler.v1.PredicateR\tcondition\x12E\n" + + "\tthen_node\x18\x02 \x01(\v2(.krypton.resources.reconciler.v1.ASTNodeR\bthenNode\x12E\n" + + "\telse_node\x18\x03 \x01(\v2(.krypton.resources.reconciler.v1.ASTNodeR\belseNode\"\x9c\x01\n" + + "\fTryCatchNode\x12C\n" + + "\btry_node\x18\x01 \x01(\v2(.krypton.resources.reconciler.v1.ASTNodeR\atryNode\x12G\n" + "\n" + - "catch_node\x18\x02 \x01(\v2\x1e.krypton.reconciler.v1.ASTNodeR\tcatchNode\"\x10\n" + - "\x0eCheckpointNode\"q\n" + + "catch_node\x18\x02 \x01(\v2(.krypton.resources.reconciler.v1.ASTNodeR\tcatchNode\"\x10\n" + + "\x0eCheckpointNode\"{\n" + "\n" + - "AssertNode\x12>\n" + - "\tcondition\x18\x01 \x01(\v2 .krypton.reconciler.v1.PredicateR\tcondition\x12#\n" + - "\rerror_message\x18\x02 \x01(\tR\ferrorMessage\"\x86\x04\n" + - "\tPredicate\x12J\n" + + "AssertNode\x12H\n" + + "\tcondition\x18\x01 \x01(\v2*.krypton.resources.reconciler.v1.PredicateR\tcondition\x12#\n" + + "\rerror_message\x18\x02 
\x01(\tR\ferrorMessage\"\xcc\x04\n" + + "\tPredicate\x12T\n" + "\n" + - "key_exists\x18\x01 \x01(\v2).krypton.reconciler.v1.KeyExistsPredicateH\x00R\tkeyExists\x12G\n" + - "\tkey_state\x18\x02 \x01(\v2(.krypton.reconciler.v1.KeyStatePredicateH\x00R\bkeyState\x12S\n" + - "\rtenant_active\x18\x03 \x01(\v2,.krypton.reconciler.v1.TenantActivePredicateH\x00R\ftenantActive\x12_\n" + - "\x11credential_exists\x18\x04 \x01(\v20.krypton.reconciler.v1.CredentialExistsPredicateH\x00R\x10credentialExists\x127\n" + + "key_exists\x18\x01 \x01(\v23.krypton.resources.reconciler.v1.KeyExistsPredicateH\x00R\tkeyExists\x12Q\n" + + "\tkey_state\x18\x02 \x01(\v22.krypton.resources.reconciler.v1.KeyStatePredicateH\x00R\bkeyState\x12]\n" + + "\rtenant_active\x18\x03 \x01(\v26.krypton.resources.reconciler.v1.TenantActivePredicateH\x00R\ftenantActive\x12i\n" + + "\x11credential_exists\x18\x04 \x01(\v2:.krypton.resources.reconciler.v1.CredentialExistsPredicateH\x00R\x10credentialExists\x12A\n" + "\x03and\x18\n" + - " \x01(\v2#.krypton.reconciler.v1.AndPredicateH\x00R\x03and\x124\n" + - "\x02or\x18\v \x01(\v2\".krypton.reconciler.v1.OrPredicateH\x00R\x02or\x127\n" + - "\x03not\x18\f \x01(\v2#.krypton.reconciler.v1.NotPredicateH\x00R\x03notB\x06\n" + - "\x04expr\"\x85\x01\n" + - "\x12KeyExistsPredicate\x123\n" + - "\x04tier\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04tier\x12:\n" + - "\bkey_name\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\akeyName\"\xab\x01\n" + - "\x11KeyStatePredicate\x123\n" + - "\x04tier\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04tier\x12:\n" + - "\bkey_name\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\akeyName\x12%\n" + - "\x0eallowed_states\x18\x03 \x03(\tR\rallowedStates\"U\n" + - "\x15TenantActivePredicate\x12<\n" + - "\ttenant_id\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\btenantId\"P\n" + - "\x19CredentialExistsPredicate\x123\n" + - "\x04name\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04name\"F\n" + - 
"\fAndPredicate\x126\n" + - "\x05terms\x18\x01 \x03(\v2 .krypton.reconciler.v1.PredicateR\x05terms\"E\n" + - "\vOrPredicate\x126\n" + - "\x05terms\x18\x01 \x03(\v2 .krypton.reconciler.v1.PredicateR\x05terms\"D\n" + - "\fNotPredicate\x124\n" + - "\x04term\x18\x01 \x01(\v2 .krypton.reconciler.v1.PredicateR\x04term\"I\n" + + " \x01(\v2-.krypton.resources.reconciler.v1.AndPredicateH\x00R\x03and\x12>\n" + + "\x02or\x18\v \x01(\v2,.krypton.resources.reconciler.v1.OrPredicateH\x00R\x02or\x12A\n" + + "\x03not\x18\f \x01(\v2-.krypton.resources.reconciler.v1.NotPredicateH\x00R\x03notB\x06\n" + + "\x04expr\"\x99\x01\n" + + "\x12KeyExistsPredicate\x12=\n" + + "\x04tier\x18\x01 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\x04tier\x12D\n" + + "\bkey_name\x18\x02 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\akeyName\"\xbf\x01\n" + + "\x11KeyStatePredicate\x12=\n" + + "\x04tier\x18\x01 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\x04tier\x12D\n" + + "\bkey_name\x18\x02 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\akeyName\x12%\n" + + "\x0eallowed_states\x18\x03 \x03(\tR\rallowedStates\"_\n" + + "\x15TenantActivePredicate\x12F\n" + + "\ttenant_id\x18\x01 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\btenantId\"Z\n" + + "\x19CredentialExistsPredicate\x12=\n" + + "\x04name\x18\x01 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\x04name\"P\n" + + "\fAndPredicate\x12@\n" + + "\x05terms\x18\x01 \x03(\v2*.krypton.resources.reconciler.v1.PredicateR\x05terms\"O\n" + + "\vOrPredicate\x12@\n" + + "\x05terms\x18\x01 \x03(\v2*.krypton.resources.reconciler.v1.PredicateR\x05terms\"N\n" + + "\fNotPredicate\x12>\n" + + "\x04term\x18\x01 \x01(\v2*.krypton.resources.reconciler.v1.PredicateR\x04term\"I\n" + "\bValueRef\x12\x1a\n" + "\aliteral\x18\x01 \x01(\tH\x00R\aliteral\x12\x19\n" + "\avar_ref\x18\x02 \x01(\tH\x00R\x06varRefB\x06\n" + - "\x04kind\"\x8d\x03\n" + - "\vKeySyncNode\x123\n" + - "\x04tier\x18\x01 
\x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04tier\x12:\n" + - "\bkey_name\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\akeyName\x12>\n" + + "\x04kind\"\xbf\x03\n" + + "\vKeySyncNode\x12=\n" + + "\x04tier\x18\x01 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\x04tier\x12D\n" + + "\bkey_name\x18\x02 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\akeyName\x12H\n" + "\n" + - "parent_key\x18\x03 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\tparentKey\x12B\n" + - "\bschedule\x18\x04 \x01(\v2&.krypton.reconciler.v1.KeyScheduleSpecR\bschedule\x12L\n" + - "\bmetadata\x18\x05 \x03(\v20.krypton.reconciler.v1.KeySyncNode.MetadataEntryR\bmetadata\x1a;\n" + + "parent_key\x18\x03 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\tparentKey\x12L\n" + + "\bschedule\x18\x04 \x01(\v20.krypton.resources.reconciler.v1.KeyScheduleSpecR\bschedule\x12V\n" + + "\bmetadata\x18\x05 \x03(\v2:.krypton.resources.reconciler.v1.KeySyncNode.MetadataEntryR\bmetadata\x1a;\n" + "\rMetadataEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + - "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\x80\x01\n" + - "\rKeyDeleteNode\x123\n" + - "\x04tier\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04tier\x12:\n" + - "\bkey_name\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\akeyName\"\xa7\x01\n" + - "\x11KeyTransitionNode\x123\n" + - "\x04tier\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04tier\x12:\n" + - "\bkey_name\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\akeyName\x12!\n" + - "\ftarget_state\x18\x03 \x01(\tR\vtargetState\"\x80\x01\n" + - "\rKeyRotateNode\x123\n" + - "\x04tier\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04tier\x12:\n" + - "\bkey_name\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\akeyName\"\xc6\x01\n" + - "\x0fKeyScheduleNode\x123\n" + - "\x04tier\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04tier\x12:\n" + - "\bkey_name\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\akeyName\x12B\n" + - 
"\bschedule\x18\x03 \x01(\v2&.krypton.reconciler.v1.KeyScheduleSpecR\bschedule\"\x91\x02\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\x94\x01\n" + + "\rKeyDeleteNode\x12=\n" + + "\x04tier\x18\x01 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\x04tier\x12D\n" + + "\bkey_name\x18\x02 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\akeyName\"\xbb\x01\n" + + "\x11KeyTransitionNode\x12=\n" + + "\x04tier\x18\x01 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\x04tier\x12D\n" + + "\bkey_name\x18\x02 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\akeyName\x12!\n" + + "\ftarget_state\x18\x03 \x01(\tR\vtargetState\"\x94\x01\n" + + "\rKeyRotateNode\x12=\n" + + "\x04tier\x18\x01 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\x04tier\x12D\n" + + "\bkey_name\x18\x02 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\akeyName\"\xe4\x01\n" + + "\x0fKeyScheduleNode\x12=\n" + + "\x04tier\x18\x01 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\x04tier\x12D\n" + + "\bkey_name\x18\x02 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\akeyName\x12L\n" + + "\bschedule\x18\x03 \x01(\v20.krypton.resources.reconciler.v1.KeyScheduleSpecR\bschedule\"\x91\x02\n" + "\x0fKeyScheduleSpec\x12>\n" + "\n" + "expires_at\x18\x01 \x01(\v2\x1a.google.protobuf.TimestampH\x00R\texpiresAt\x88\x01\x01\x12W\n" + 
@@ -2031,138 +2032,138 @@ const file_plugin_reconciler_v1_ast_proto_rawDesc = "" + "\rtransition_to\x18\x03 \x01(\tH\x02R\ftransitionTo\x88\x01\x01B\r\n" + "\v_expires_atB\x1a\n" + "\x18_scheduled_transition_atB\x10\n" + - "\x0e_transition_to\"\xab\x01\n" + - "\x12CredentialSyncNode\x123\n" + - "\x04name\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04name\x123\n" + - "\x04type\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04type\x12+\n" + - "\x04spec\x18\x03 \x01(\v2\x17.google.protobuf.StructR\x04spec\"K\n" + - "\x14CredentialDeleteNode\x123\n" + - "\x04name\x18\x01 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x04name\"\\\n" + + "\x0e_transition_to\"\xbf\x01\n" + + "\x12CredentialSyncNode\x12=\n" + + "\x04name\x18\x01 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\x04name\x12=\n" + + "\x04type\x18\x02 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\x04type\x12+\n" + + "\x04spec\x18\x03 \x01(\v2\x17.google.protobuf.StructR\x04spec\"U\n" + + "\x14CredentialDeleteNode\x12=\n" + + "\x04name\x18\x01 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\x04name\"f\n" + "\bBindNode\x12\x19\n" + - "\bvar_name\x18\x01 \x01(\tR\avarName\x125\n" + - "\x05value\x18\x02 \x01(\v2\x1f.krypton.reconciler.v1.ValueRefR\x05value\"\xb9\x01\n" + + "\bvar_name\x18\x01 \x01(\tR\avarName\x12?\n" + + "\x05value\x18\x02 \x01(\v2).krypton.resources.reconciler.v1.ValueRefR\x05value\"\xc3\x01\n" + "\bEmitNode\x12\x1d\n" + "\n" + - "event_type\x18\x01 \x01(\tR\teventType\x12O\n" + + "event_type\x18\x01 \x01(\tR\teventType\x12Y\n" + "\n" + - "attributes\x18\x02 \x03(\v2/.krypton.reconciler.v1.EmitNode.AttributesEntryR\n" + + "attributes\x18\x02 \x03(\v29.krypton.resources.reconciler.v1.EmitNode.AttributesEntryR\n" + "attributes\x1a=\n" + "\x0fAttributesEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + - "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\xe2\x01\n" + - 
"\x19com.krypton.reconciler.v1B\bAstProtoP\x01ZEgithub.com/openkcm/plugin-sdk/proto/plugin/reconciler/v1;reconcilerv1\xa2\x02\x03KRX\xaa\x02\x15Krypton.Reconciler.V1\xca\x02\x15Krypton\\Reconciler\\V1\xe2\x02!Krypton\\Reconciler\\V1\\GPBMetadata\xea\x02\x17Krypton::Reconciler::V1b\x06proto3" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x94\x02\n" + + "#com.krypton.resources.reconciler.v1B\bAstProtoP\x01ZDgithub.com/openkcm/plugin-sdk/proto/plugin/resources/v1;reconcilerv1\xa2\x02\x03KRR\xaa\x02\x1fKrypton.Resources.Reconciler.V1\xca\x02\x1fKrypton\\Resources\\Reconciler\\V1\xe2\x02+Krypton\\Resources\\Reconciler\\V1\\GPBMetadata\xea\x02\"Krypton::Resources::Reconciler::V1b\x06proto3" var ( - file_plugin_reconciler_v1_ast_proto_rawDescOnce sync.Once - file_plugin_reconciler_v1_ast_proto_rawDescData []byte + file_plugin_resources_v1_ast_proto_rawDescOnce sync.Once + file_plugin_resources_v1_ast_proto_rawDescData []byte ) -func file_plugin_reconciler_v1_ast_proto_rawDescGZIP() []byte { - file_plugin_reconciler_v1_ast_proto_rawDescOnce.Do(func() { - file_plugin_reconciler_v1_ast_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_plugin_reconciler_v1_ast_proto_rawDesc), len(file_plugin_reconciler_v1_ast_proto_rawDesc))) +func file_plugin_resources_v1_ast_proto_rawDescGZIP() []byte { + file_plugin_resources_v1_ast_proto_rawDescOnce.Do(func() { + file_plugin_resources_v1_ast_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_plugin_resources_v1_ast_proto_rawDesc), len(file_plugin_resources_v1_ast_proto_rawDesc))) }) - return file_plugin_reconciler_v1_ast_proto_rawDescData -} - -var file_plugin_reconciler_v1_ast_proto_msgTypes = make([]protoimpl.MessageInfo, 30) -var file_plugin_reconciler_v1_ast_proto_goTypes = []any{ - (*ExecutionPlan)(nil), // 0: krypton.reconciler.v1.ExecutionPlan - (*ASTNode)(nil), // 1: krypton.reconciler.v1.ASTNode - (*SequenceNode)(nil), // 2: krypton.reconciler.v1.SequenceNode - 
(*ParallelNode)(nil), // 3: krypton.reconciler.v1.ParallelNode - (*ConditionalNode)(nil), // 4: krypton.reconciler.v1.ConditionalNode - (*TryCatchNode)(nil), // 5: krypton.reconciler.v1.TryCatchNode - (*CheckpointNode)(nil), // 6: krypton.reconciler.v1.CheckpointNode - (*AssertNode)(nil), // 7: krypton.reconciler.v1.AssertNode - (*Predicate)(nil), // 8: krypton.reconciler.v1.Predicate - (*KeyExistsPredicate)(nil), // 9: krypton.reconciler.v1.KeyExistsPredicate - (*KeyStatePredicate)(nil), // 10: krypton.reconciler.v1.KeyStatePredicate - (*TenantActivePredicate)(nil), // 11: krypton.reconciler.v1.TenantActivePredicate - (*CredentialExistsPredicate)(nil), // 12: krypton.reconciler.v1.CredentialExistsPredicate - (*AndPredicate)(nil), // 13: krypton.reconciler.v1.AndPredicate - (*OrPredicate)(nil), // 14: krypton.reconciler.v1.OrPredicate - (*NotPredicate)(nil), // 15: krypton.reconciler.v1.NotPredicate - (*ValueRef)(nil), // 16: krypton.reconciler.v1.ValueRef - (*KeySyncNode)(nil), // 17: krypton.reconciler.v1.KeySyncNode - (*KeyDeleteNode)(nil), // 18: krypton.reconciler.v1.KeyDeleteNode - (*KeyTransitionNode)(nil), // 19: krypton.reconciler.v1.KeyTransitionNode - (*KeyRotateNode)(nil), // 20: krypton.reconciler.v1.KeyRotateNode - (*KeyScheduleNode)(nil), // 21: krypton.reconciler.v1.KeyScheduleNode - (*KeyScheduleSpec)(nil), // 22: krypton.reconciler.v1.KeyScheduleSpec - (*CredentialSyncNode)(nil), // 23: krypton.reconciler.v1.CredentialSyncNode - (*CredentialDeleteNode)(nil), // 24: krypton.reconciler.v1.CredentialDeleteNode - (*BindNode)(nil), // 25: krypton.reconciler.v1.BindNode - (*EmitNode)(nil), // 26: krypton.reconciler.v1.EmitNode - nil, // 27: krypton.reconciler.v1.ExecutionPlan.BindingsEntry - nil, // 28: krypton.reconciler.v1.KeySyncNode.MetadataEntry - nil, // 29: krypton.reconciler.v1.EmitNode.AttributesEntry + return file_plugin_resources_v1_ast_proto_rawDescData +} + +var file_plugin_resources_v1_ast_proto_msgTypes = make([]protoimpl.MessageInfo, 30) 
+var file_plugin_resources_v1_ast_proto_goTypes = []any{ + (*ExecutionPlan)(nil), // 0: krypton.resources.reconciler.v1.ExecutionPlan + (*ASTNode)(nil), // 1: krypton.resources.reconciler.v1.ASTNode + (*SequenceNode)(nil), // 2: krypton.resources.reconciler.v1.SequenceNode + (*ParallelNode)(nil), // 3: krypton.resources.reconciler.v1.ParallelNode + (*ConditionalNode)(nil), // 4: krypton.resources.reconciler.v1.ConditionalNode + (*TryCatchNode)(nil), // 5: krypton.resources.reconciler.v1.TryCatchNode + (*CheckpointNode)(nil), // 6: krypton.resources.reconciler.v1.CheckpointNode + (*AssertNode)(nil), // 7: krypton.resources.reconciler.v1.AssertNode + (*Predicate)(nil), // 8: krypton.resources.reconciler.v1.Predicate + (*KeyExistsPredicate)(nil), // 9: krypton.resources.reconciler.v1.KeyExistsPredicate + (*KeyStatePredicate)(nil), // 10: krypton.resources.reconciler.v1.KeyStatePredicate + (*TenantActivePredicate)(nil), // 11: krypton.resources.reconciler.v1.TenantActivePredicate + (*CredentialExistsPredicate)(nil), // 12: krypton.resources.reconciler.v1.CredentialExistsPredicate + (*AndPredicate)(nil), // 13: krypton.resources.reconciler.v1.AndPredicate + (*OrPredicate)(nil), // 14: krypton.resources.reconciler.v1.OrPredicate + (*NotPredicate)(nil), // 15: krypton.resources.reconciler.v1.NotPredicate + (*ValueRef)(nil), // 16: krypton.resources.reconciler.v1.ValueRef + (*KeySyncNode)(nil), // 17: krypton.resources.reconciler.v1.KeySyncNode + (*KeyDeleteNode)(nil), // 18: krypton.resources.reconciler.v1.KeyDeleteNode + (*KeyTransitionNode)(nil), // 19: krypton.resources.reconciler.v1.KeyTransitionNode + (*KeyRotateNode)(nil), // 20: krypton.resources.reconciler.v1.KeyRotateNode + (*KeyScheduleNode)(nil), // 21: krypton.resources.reconciler.v1.KeyScheduleNode + (*KeyScheduleSpec)(nil), // 22: krypton.resources.reconciler.v1.KeyScheduleSpec + (*CredentialSyncNode)(nil), // 23: krypton.resources.reconciler.v1.CredentialSyncNode + (*CredentialDeleteNode)(nil), // 24: 
krypton.resources.reconciler.v1.CredentialDeleteNode + (*BindNode)(nil), // 25: krypton.resources.reconciler.v1.BindNode + (*EmitNode)(nil), // 26: krypton.resources.reconciler.v1.EmitNode + nil, // 27: krypton.resources.reconciler.v1.ExecutionPlan.BindingsEntry + nil, // 28: krypton.resources.reconciler.v1.KeySyncNode.MetadataEntry + nil, // 29: krypton.resources.reconciler.v1.EmitNode.AttributesEntry (*timestamppb.Timestamp)(nil), // 30: google.protobuf.Timestamp (*structpb.Struct)(nil), // 31: google.protobuf.Struct } -var file_plugin_reconciler_v1_ast_proto_depIdxs = []int32{ - 1, // 0: krypton.reconciler.v1.ExecutionPlan.root:type_name -> krypton.reconciler.v1.ASTNode - 27, // 1: krypton.reconciler.v1.ExecutionPlan.bindings:type_name -> krypton.reconciler.v1.ExecutionPlan.BindingsEntry - 2, // 2: krypton.reconciler.v1.ASTNode.sequence:type_name -> krypton.reconciler.v1.SequenceNode - 3, // 3: krypton.reconciler.v1.ASTNode.parallel:type_name -> krypton.reconciler.v1.ParallelNode - 4, // 4: krypton.reconciler.v1.ASTNode.conditional:type_name -> krypton.reconciler.v1.ConditionalNode - 5, // 5: krypton.reconciler.v1.ASTNode.try_catch:type_name -> krypton.reconciler.v1.TryCatchNode - 6, // 6: krypton.reconciler.v1.ASTNode.checkpoint:type_name -> krypton.reconciler.v1.CheckpointNode - 7, // 7: krypton.reconciler.v1.ASTNode.assert:type_name -> krypton.reconciler.v1.AssertNode - 17, // 8: krypton.reconciler.v1.ASTNode.key_sync:type_name -> krypton.reconciler.v1.KeySyncNode - 18, // 9: krypton.reconciler.v1.ASTNode.key_delete:type_name -> krypton.reconciler.v1.KeyDeleteNode - 19, // 10: krypton.reconciler.v1.ASTNode.key_transition:type_name -> krypton.reconciler.v1.KeyTransitionNode - 20, // 11: krypton.reconciler.v1.ASTNode.key_rotate:type_name -> krypton.reconciler.v1.KeyRotateNode - 21, // 12: krypton.reconciler.v1.ASTNode.key_schedule:type_name -> krypton.reconciler.v1.KeyScheduleNode - 23, // 13: krypton.reconciler.v1.ASTNode.credential_sync:type_name -> 
krypton.reconciler.v1.CredentialSyncNode - 24, // 14: krypton.reconciler.v1.ASTNode.credential_delete:type_name -> krypton.reconciler.v1.CredentialDeleteNode - 25, // 15: krypton.reconciler.v1.ASTNode.bind:type_name -> krypton.reconciler.v1.BindNode - 26, // 16: krypton.reconciler.v1.ASTNode.emit:type_name -> krypton.reconciler.v1.EmitNode - 1, // 17: krypton.reconciler.v1.SequenceNode.steps:type_name -> krypton.reconciler.v1.ASTNode - 1, // 18: krypton.reconciler.v1.ParallelNode.steps:type_name -> krypton.reconciler.v1.ASTNode - 8, // 19: krypton.reconciler.v1.ConditionalNode.condition:type_name -> krypton.reconciler.v1.Predicate - 1, // 20: krypton.reconciler.v1.ConditionalNode.then_node:type_name -> krypton.reconciler.v1.ASTNode - 1, // 21: krypton.reconciler.v1.ConditionalNode.else_node:type_name -> krypton.reconciler.v1.ASTNode - 1, // 22: krypton.reconciler.v1.TryCatchNode.try_node:type_name -> krypton.reconciler.v1.ASTNode - 1, // 23: krypton.reconciler.v1.TryCatchNode.catch_node:type_name -> krypton.reconciler.v1.ASTNode - 8, // 24: krypton.reconciler.v1.AssertNode.condition:type_name -> krypton.reconciler.v1.Predicate - 9, // 25: krypton.reconciler.v1.Predicate.key_exists:type_name -> krypton.reconciler.v1.KeyExistsPredicate - 10, // 26: krypton.reconciler.v1.Predicate.key_state:type_name -> krypton.reconciler.v1.KeyStatePredicate - 11, // 27: krypton.reconciler.v1.Predicate.tenant_active:type_name -> krypton.reconciler.v1.TenantActivePredicate - 12, // 28: krypton.reconciler.v1.Predicate.credential_exists:type_name -> krypton.reconciler.v1.CredentialExistsPredicate - 13, // 29: krypton.reconciler.v1.Predicate.and:type_name -> krypton.reconciler.v1.AndPredicate - 14, // 30: krypton.reconciler.v1.Predicate.or:type_name -> krypton.reconciler.v1.OrPredicate - 15, // 31: krypton.reconciler.v1.Predicate.not:type_name -> krypton.reconciler.v1.NotPredicate - 16, // 32: krypton.reconciler.v1.KeyExistsPredicate.tier:type_name -> krypton.reconciler.v1.ValueRef - 16, 
// 33: krypton.reconciler.v1.KeyExistsPredicate.key_name:type_name -> krypton.reconciler.v1.ValueRef - 16, // 34: krypton.reconciler.v1.KeyStatePredicate.tier:type_name -> krypton.reconciler.v1.ValueRef - 16, // 35: krypton.reconciler.v1.KeyStatePredicate.key_name:type_name -> krypton.reconciler.v1.ValueRef - 16, // 36: krypton.reconciler.v1.TenantActivePredicate.tenant_id:type_name -> krypton.reconciler.v1.ValueRef - 16, // 37: krypton.reconciler.v1.CredentialExistsPredicate.name:type_name -> krypton.reconciler.v1.ValueRef - 8, // 38: krypton.reconciler.v1.AndPredicate.terms:type_name -> krypton.reconciler.v1.Predicate - 8, // 39: krypton.reconciler.v1.OrPredicate.terms:type_name -> krypton.reconciler.v1.Predicate - 8, // 40: krypton.reconciler.v1.NotPredicate.term:type_name -> krypton.reconciler.v1.Predicate - 16, // 41: krypton.reconciler.v1.KeySyncNode.tier:type_name -> krypton.reconciler.v1.ValueRef - 16, // 42: krypton.reconciler.v1.KeySyncNode.key_name:type_name -> krypton.reconciler.v1.ValueRef - 16, // 43: krypton.reconciler.v1.KeySyncNode.parent_key:type_name -> krypton.reconciler.v1.ValueRef - 22, // 44: krypton.reconciler.v1.KeySyncNode.schedule:type_name -> krypton.reconciler.v1.KeyScheduleSpec - 28, // 45: krypton.reconciler.v1.KeySyncNode.metadata:type_name -> krypton.reconciler.v1.KeySyncNode.MetadataEntry - 16, // 46: krypton.reconciler.v1.KeyDeleteNode.tier:type_name -> krypton.reconciler.v1.ValueRef - 16, // 47: krypton.reconciler.v1.KeyDeleteNode.key_name:type_name -> krypton.reconciler.v1.ValueRef - 16, // 48: krypton.reconciler.v1.KeyTransitionNode.tier:type_name -> krypton.reconciler.v1.ValueRef - 16, // 49: krypton.reconciler.v1.KeyTransitionNode.key_name:type_name -> krypton.reconciler.v1.ValueRef - 16, // 50: krypton.reconciler.v1.KeyRotateNode.tier:type_name -> krypton.reconciler.v1.ValueRef - 16, // 51: krypton.reconciler.v1.KeyRotateNode.key_name:type_name -> krypton.reconciler.v1.ValueRef - 16, // 52: 
krypton.reconciler.v1.KeyScheduleNode.tier:type_name -> krypton.reconciler.v1.ValueRef - 16, // 53: krypton.reconciler.v1.KeyScheduleNode.key_name:type_name -> krypton.reconciler.v1.ValueRef - 22, // 54: krypton.reconciler.v1.KeyScheduleNode.schedule:type_name -> krypton.reconciler.v1.KeyScheduleSpec - 30, // 55: krypton.reconciler.v1.KeyScheduleSpec.expires_at:type_name -> google.protobuf.Timestamp - 30, // 56: krypton.reconciler.v1.KeyScheduleSpec.scheduled_transition_at:type_name -> google.protobuf.Timestamp - 16, // 57: krypton.reconciler.v1.CredentialSyncNode.name:type_name -> krypton.reconciler.v1.ValueRef - 16, // 58: krypton.reconciler.v1.CredentialSyncNode.type:type_name -> krypton.reconciler.v1.ValueRef - 31, // 59: krypton.reconciler.v1.CredentialSyncNode.spec:type_name -> google.protobuf.Struct - 16, // 60: krypton.reconciler.v1.CredentialDeleteNode.name:type_name -> krypton.reconciler.v1.ValueRef - 16, // 61: krypton.reconciler.v1.BindNode.value:type_name -> krypton.reconciler.v1.ValueRef - 29, // 62: krypton.reconciler.v1.EmitNode.attributes:type_name -> krypton.reconciler.v1.EmitNode.AttributesEntry +var file_plugin_resources_v1_ast_proto_depIdxs = []int32{ + 1, // 0: krypton.resources.reconciler.v1.ExecutionPlan.root:type_name -> krypton.resources.reconciler.v1.ASTNode + 27, // 1: krypton.resources.reconciler.v1.ExecutionPlan.bindings:type_name -> krypton.resources.reconciler.v1.ExecutionPlan.BindingsEntry + 2, // 2: krypton.resources.reconciler.v1.ASTNode.sequence:type_name -> krypton.resources.reconciler.v1.SequenceNode + 3, // 3: krypton.resources.reconciler.v1.ASTNode.parallel:type_name -> krypton.resources.reconciler.v1.ParallelNode + 4, // 4: krypton.resources.reconciler.v1.ASTNode.conditional:type_name -> krypton.resources.reconciler.v1.ConditionalNode + 5, // 5: krypton.resources.reconciler.v1.ASTNode.try_catch:type_name -> krypton.resources.reconciler.v1.TryCatchNode + 6, // 6: krypton.resources.reconciler.v1.ASTNode.checkpoint:type_name -> 
krypton.resources.reconciler.v1.CheckpointNode + 7, // 7: krypton.resources.reconciler.v1.ASTNode.assert:type_name -> krypton.resources.reconciler.v1.AssertNode + 17, // 8: krypton.resources.reconciler.v1.ASTNode.key_sync:type_name -> krypton.resources.reconciler.v1.KeySyncNode + 18, // 9: krypton.resources.reconciler.v1.ASTNode.key_delete:type_name -> krypton.resources.reconciler.v1.KeyDeleteNode + 19, // 10: krypton.resources.reconciler.v1.ASTNode.key_transition:type_name -> krypton.resources.reconciler.v1.KeyTransitionNode + 20, // 11: krypton.resources.reconciler.v1.ASTNode.key_rotate:type_name -> krypton.resources.reconciler.v1.KeyRotateNode + 21, // 12: krypton.resources.reconciler.v1.ASTNode.key_schedule:type_name -> krypton.resources.reconciler.v1.KeyScheduleNode + 23, // 13: krypton.resources.reconciler.v1.ASTNode.credential_sync:type_name -> krypton.resources.reconciler.v1.CredentialSyncNode + 24, // 14: krypton.resources.reconciler.v1.ASTNode.credential_delete:type_name -> krypton.resources.reconciler.v1.CredentialDeleteNode + 25, // 15: krypton.resources.reconciler.v1.ASTNode.bind:type_name -> krypton.resources.reconciler.v1.BindNode + 26, // 16: krypton.resources.reconciler.v1.ASTNode.emit:type_name -> krypton.resources.reconciler.v1.EmitNode + 1, // 17: krypton.resources.reconciler.v1.SequenceNode.steps:type_name -> krypton.resources.reconciler.v1.ASTNode + 1, // 18: krypton.resources.reconciler.v1.ParallelNode.steps:type_name -> krypton.resources.reconciler.v1.ASTNode + 8, // 19: krypton.resources.reconciler.v1.ConditionalNode.condition:type_name -> krypton.resources.reconciler.v1.Predicate + 1, // 20: krypton.resources.reconciler.v1.ConditionalNode.then_node:type_name -> krypton.resources.reconciler.v1.ASTNode + 1, // 21: krypton.resources.reconciler.v1.ConditionalNode.else_node:type_name -> krypton.resources.reconciler.v1.ASTNode + 1, // 22: krypton.resources.reconciler.v1.TryCatchNode.try_node:type_name -> krypton.resources.reconciler.v1.ASTNode + 
1, // 23: krypton.resources.reconciler.v1.TryCatchNode.catch_node:type_name -> krypton.resources.reconciler.v1.ASTNode + 8, // 24: krypton.resources.reconciler.v1.AssertNode.condition:type_name -> krypton.resources.reconciler.v1.Predicate + 9, // 25: krypton.resources.reconciler.v1.Predicate.key_exists:type_name -> krypton.resources.reconciler.v1.KeyExistsPredicate + 10, // 26: krypton.resources.reconciler.v1.Predicate.key_state:type_name -> krypton.resources.reconciler.v1.KeyStatePredicate + 11, // 27: krypton.resources.reconciler.v1.Predicate.tenant_active:type_name -> krypton.resources.reconciler.v1.TenantActivePredicate + 12, // 28: krypton.resources.reconciler.v1.Predicate.credential_exists:type_name -> krypton.resources.reconciler.v1.CredentialExistsPredicate + 13, // 29: krypton.resources.reconciler.v1.Predicate.and:type_name -> krypton.resources.reconciler.v1.AndPredicate + 14, // 30: krypton.resources.reconciler.v1.Predicate.or:type_name -> krypton.resources.reconciler.v1.OrPredicate + 15, // 31: krypton.resources.reconciler.v1.Predicate.not:type_name -> krypton.resources.reconciler.v1.NotPredicate + 16, // 32: krypton.resources.reconciler.v1.KeyExistsPredicate.tier:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 33: krypton.resources.reconciler.v1.KeyExistsPredicate.key_name:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 34: krypton.resources.reconciler.v1.KeyStatePredicate.tier:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 35: krypton.resources.reconciler.v1.KeyStatePredicate.key_name:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 36: krypton.resources.reconciler.v1.TenantActivePredicate.tenant_id:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 37: krypton.resources.reconciler.v1.CredentialExistsPredicate.name:type_name -> krypton.resources.reconciler.v1.ValueRef + 8, // 38: krypton.resources.reconciler.v1.AndPredicate.terms:type_name -> 
krypton.resources.reconciler.v1.Predicate + 8, // 39: krypton.resources.reconciler.v1.OrPredicate.terms:type_name -> krypton.resources.reconciler.v1.Predicate + 8, // 40: krypton.resources.reconciler.v1.NotPredicate.term:type_name -> krypton.resources.reconciler.v1.Predicate + 16, // 41: krypton.resources.reconciler.v1.KeySyncNode.tier:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 42: krypton.resources.reconciler.v1.KeySyncNode.key_name:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 43: krypton.resources.reconciler.v1.KeySyncNode.parent_key:type_name -> krypton.resources.reconciler.v1.ValueRef + 22, // 44: krypton.resources.reconciler.v1.KeySyncNode.schedule:type_name -> krypton.resources.reconciler.v1.KeyScheduleSpec + 28, // 45: krypton.resources.reconciler.v1.KeySyncNode.metadata:type_name -> krypton.resources.reconciler.v1.KeySyncNode.MetadataEntry + 16, // 46: krypton.resources.reconciler.v1.KeyDeleteNode.tier:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 47: krypton.resources.reconciler.v1.KeyDeleteNode.key_name:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 48: krypton.resources.reconciler.v1.KeyTransitionNode.tier:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 49: krypton.resources.reconciler.v1.KeyTransitionNode.key_name:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 50: krypton.resources.reconciler.v1.KeyRotateNode.tier:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 51: krypton.resources.reconciler.v1.KeyRotateNode.key_name:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 52: krypton.resources.reconciler.v1.KeyScheduleNode.tier:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 53: krypton.resources.reconciler.v1.KeyScheduleNode.key_name:type_name -> krypton.resources.reconciler.v1.ValueRef + 22, // 54: krypton.resources.reconciler.v1.KeyScheduleNode.schedule:type_name -> 
krypton.resources.reconciler.v1.KeyScheduleSpec + 30, // 55: krypton.resources.reconciler.v1.KeyScheduleSpec.expires_at:type_name -> google.protobuf.Timestamp + 30, // 56: krypton.resources.reconciler.v1.KeyScheduleSpec.scheduled_transition_at:type_name -> google.protobuf.Timestamp + 16, // 57: krypton.resources.reconciler.v1.CredentialSyncNode.name:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 58: krypton.resources.reconciler.v1.CredentialSyncNode.type:type_name -> krypton.resources.reconciler.v1.ValueRef + 31, // 59: krypton.resources.reconciler.v1.CredentialSyncNode.spec:type_name -> google.protobuf.Struct + 16, // 60: krypton.resources.reconciler.v1.CredentialDeleteNode.name:type_name -> krypton.resources.reconciler.v1.ValueRef + 16, // 61: krypton.resources.reconciler.v1.BindNode.value:type_name -> krypton.resources.reconciler.v1.ValueRef + 29, // 62: krypton.resources.reconciler.v1.EmitNode.attributes:type_name -> krypton.resources.reconciler.v1.EmitNode.AttributesEntry 63, // [63:63] is the sub-list for method output_type 63, // [63:63] is the sub-list for method input_type 63, // [63:63] is the sub-list for extension type_name @@ -2170,12 +2171,12 @@ var file_plugin_reconciler_v1_ast_proto_depIdxs = []int32{ 0, // [0:63] is the sub-list for field type_name } -func init() { file_plugin_reconciler_v1_ast_proto_init() } -func file_plugin_reconciler_v1_ast_proto_init() { - if File_plugin_reconciler_v1_ast_proto != nil { +func init() { file_plugin_resources_v1_ast_proto_init() } +func file_plugin_resources_v1_ast_proto_init() { + if File_plugin_resources_v1_ast_proto != nil { return } - file_plugin_reconciler_v1_ast_proto_msgTypes[1].OneofWrappers = []any{ + file_plugin_resources_v1_ast_proto_msgTypes[1].OneofWrappers = []any{ (*ASTNode_Sequence)(nil), (*ASTNode_Parallel)(nil), (*ASTNode_Conditional)(nil), 
@@ -2192,7 +2193,7 @@ func file_plugin_reconciler_v1_ast_proto_init() { (*ASTNode_Bind)(nil), (*ASTNode_Emit)(nil), } - file_plugin_reconciler_v1_ast_proto_msgTypes[8].OneofWrappers = []any{ + file_plugin_resources_v1_ast_proto_msgTypes[8].OneofWrappers = []any{ (*Predicate_KeyExists)(nil), (*Predicate_KeyState)(nil), (*Predicate_TenantActive)(nil), @@ -2201,26 +2202,26 @@ func file_plugin_reconciler_v1_ast_proto_init() { (*Predicate_Or)(nil), (*Predicate_Not)(nil), } - file_plugin_reconciler_v1_ast_proto_msgTypes[16].OneofWrappers = []any{ + file_plugin_resources_v1_ast_proto_msgTypes[16].OneofWrappers = []any{ (*ValueRef_Literal)(nil), (*ValueRef_VarRef)(nil), } - file_plugin_reconciler_v1_ast_proto_msgTypes[22].OneofWrappers = []any{} + file_plugin_resources_v1_ast_proto_msgTypes[22].OneofWrappers = []any{} type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_plugin_reconciler_v1_ast_proto_rawDesc), len(file_plugin_reconciler_v1_ast_proto_rawDesc)), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_plugin_resources_v1_ast_proto_rawDesc), len(file_plugin_resources_v1_ast_proto_rawDesc)), NumEnums: 0, NumMessages: 30, NumExtensions: 0, NumServices: 0, }, - GoTypes: file_plugin_reconciler_v1_ast_proto_goTypes, - DependencyIndexes: file_plugin_reconciler_v1_ast_proto_depIdxs, - MessageInfos: file_plugin_reconciler_v1_ast_proto_msgTypes, + GoTypes: file_plugin_resources_v1_ast_proto_goTypes, + DependencyIndexes: file_plugin_resources_v1_ast_proto_depIdxs, + MessageInfos: file_plugin_resources_v1_ast_proto_msgTypes, }.Build() - File_plugin_reconciler_v1_ast_proto = out.File - file_plugin_reconciler_v1_ast_proto_goTypes = nil - file_plugin_reconciler_v1_ast_proto_depIdxs = nil + File_plugin_resources_v1_ast_proto = out.File + file_plugin_resources_v1_ast_proto_goTypes = nil + file_plugin_resources_v1_ast_proto_depIdxs = nil } 
diff --git a/proto/plugin/reconciler/v1/ast.pb.validate.go b/proto/plugin/resources/v1/ast.pb.validate.go similarity index 99% rename from proto/plugin/reconciler/v1/ast.pb.validate.go rename to proto/plugin/resources/v1/ast.pb.validate.go index ec0d8f9..7d873d4 100644 --- a/proto/plugin/reconciler/v1/ast.pb.validate.go +++ b/proto/plugin/resources/v1/ast.pb.validate.go @@ -1,5 +1,5 @@ // Code generated by protoc-gen-validate. DO NOT EDIT. -// source: plugin/reconciler/v1/ast.proto +// source: plugin/resources/v1/ast.proto package reconcilerv1 diff --git a/proto/plugin/reconciler/v1/ast.proto b/proto/plugin/resources/v1/ast.proto similarity index 98% rename from proto/plugin/reconciler/v1/ast.proto rename to proto/plugin/resources/v1/ast.proto index 03942a9..876c7e5 100644 --- a/proto/plugin/reconciler/v1/ast.proto +++ b/proto/plugin/resources/v1/ast.proto @@ -1,12 +1,10 @@ syntax = "proto3"; -package krypton.reconciler.v1; +package krypton.resources.reconciler.v1; import "google/protobuf/struct.proto"; import "google/protobuf/timestamp.proto"; -option go_package = "github.com/openkcm/krypton/proto/plugin/reconciler/v1;reconcilerv1"; - // ExecutionPlan is the root of the AST returned by a plugin's Reconcile call. // It describes every operation Krypton core must execute to drive the custom // resource to its desired state. Core is the sole executor — the plugin never diff --git a/proto/plugin/reconciler/v1/reconciler.pb.go b/proto/plugin/resources/v1/reconciler.pb.go similarity index 65% rename from proto/plugin/reconciler/v1/reconciler.pb.go rename to proto/plugin/resources/v1/reconciler.pb.go index 903b94a..abac27b 100644 --- a/proto/plugin/reconciler/v1/reconciler.pb.go +++ b/proto/plugin/resources/v1/reconciler.pb.go @@ -2,7 +2,7 @@ // versions: // protoc-gen-go v1.36.11 // protoc (unknown) -// source: plugin/reconciler/v1/reconciler.proto +// source: plugin/resources/v1/reconciler.proto package reconcilerv1 
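Review bot: In ast.proto the explicit `option go_package` is deleted while the file moves to `proto/plugin/resources/v1`, so the Go import path and package name now depend entirely on generator configuration that this patch does not show (presumably buf managed mode). The removed option named `github.com/openkcm/krypton/...`, while the regenerated reconciler descriptor embeds a `plugin-sdk` path, and the generated files still declare `package reconcilerv1` inside a `resources/v1` directory. I would keep the option in the file and correct it rather than drop it, e.g. `option go_package = "github.com/openkcm/plugin-sdk/proto/plugin/resources/v1;reconcilerv1";`, so the mapping can be reviewed where the package is declared. The same removal is made in reconciler.proto further down.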
@@ -42,7 +42,7 @@ type ReconcileRequest struct { func (x *ReconcileRequest) Reset() { *x = ReconcileRequest{} - mi := &file_plugin_reconciler_v1_reconciler_proto_msgTypes[0] + mi := &file_plugin_resources_v1_reconciler_proto_msgTypes[0] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -54,7 +54,7 @@ func (x *ReconcileRequest) String() string { func (*ReconcileRequest) ProtoMessage() {} func (x *ReconcileRequest) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_reconciler_proto_msgTypes[0] + mi := &file_plugin_resources_v1_reconciler_proto_msgTypes[0] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -67,7 +67,7 @@ func (x *ReconcileRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use ReconcileRequest.ProtoReflect.Descriptor instead. func (*ReconcileRequest) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_reconciler_proto_rawDescGZIP(), []int{0} + return file_plugin_resources_v1_reconciler_proto_rawDescGZIP(), []int{0} } func (x *ReconcileRequest) GetApiGroup() string { @@ -123,7 +123,7 @@ type ReconcileResponse struct { func (x *ReconcileResponse) Reset() { *x = ReconcileResponse{} - mi := &file_plugin_reconciler_v1_reconciler_proto_msgTypes[1] + mi := &file_plugin_resources_v1_reconciler_proto_msgTypes[1] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -135,7 +135,7 @@ func (x *ReconcileResponse) String() string { func (*ReconcileResponse) ProtoMessage() {} func (x *ReconcileResponse) ProtoReflect() protoreflect.Message { - mi := &file_plugin_reconciler_v1_reconciler_proto_msgTypes[1] + mi := &file_plugin_resources_v1_reconciler_proto_msgTypes[1] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -148,7 +148,7 @@ func (x *ReconcileResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use ReconcileResponse.ProtoReflect.Descriptor instead. func (*ReconcileResponse) Descriptor() ([]byte, []int) { - return file_plugin_reconciler_v1_reconciler_proto_rawDescGZIP(), []int{1} + return file_plugin_resources_v1_reconciler_proto_rawDescGZIP(), []int{1} } func (x *ReconcileResponse) GetErrorMessage() string { @@ -172,11 +172,11 @@ func (x *ReconcileResponse) GetExecutionPlan() []byte { return nil } -var File_plugin_reconciler_v1_reconciler_proto protoreflect.FileDescriptor +var File_plugin_resources_v1_reconciler_proto protoreflect.FileDescriptor -const file_plugin_reconciler_v1_reconciler_proto_rawDesc = "" + +const file_plugin_resources_v1_reconciler_proto_rawDesc = "" + "\n" + - "%plugin/reconciler/v1/reconciler.proto\x12\x15krypton.reconciler.v1\x1a\x1bbuf/validate/validate.proto\"\xc2\x01\n" + + "$plugin/resources/v1/reconciler.proto\x12\x1fkrypton.resources.reconciler.v1\x1a\x1bbuf/validate/validate.proto\"\xc2\x01\n" + "\x10ReconcileRequest\x12#\n" + "\tapi_group\x18\x01 \x01(\tB\x06\xbaH\x03\xc8\x01\x01R\bapiGroup\x12\x1a\n" + "\x04kind\x18\x02 \x01(\tB\x06\xbaH\x03\xc8\x01\x01R\x04kind\x12\x1a\n" + 
@@ -186,32 +186,32 @@ const file_plugin_reconciler_v1_reconciler_proto_rawDesc = "" + "\x11ReconcileResponse\x12#\n" + "\rerror_message\x18\x01 \x01(\tR\ferrorMessage\x12'\n" + "\x0ftransient_error\x18\x02 \x01(\bR\x0etransientError\x12%\n" + - "\x0eexecution_plan\x18\x03 \x01(\fR\rexecutionPlan2l\n" + + "\x0eexecution_plan\x18\x03 \x01(\fR\rexecutionPlan2\x80\x01\n" + "\n" + - "Reconciler\x12^\n" + - "\tReconcile\x12'.krypton.reconciler.v1.ReconcileRequest\x1a(.krypton.reconciler.v1.ReconcileResponseB\xe9\x01\n" + - "\x19com.krypton.reconciler.v1B\x0fReconcilerProtoP\x01ZEgithub.com/openkcm/plugin-sdk/proto/plugin/reconciler/v1;reconcilerv1\xa2\x02\x03KRX\xaa\x02\x15Krypton.Reconciler.V1\xca\x02\x15Krypton\\Reconciler\\V1\xe2\x02!Krypton\\Reconciler\\V1\\GPBMetadata\xea\x02\x17Krypton::Reconciler::V1b\x06proto3" + "Reconciler\x12r\n" + + "\tReconcile\x121.krypton.resources.reconciler.v1.ReconcileRequest\x1a2.krypton.resources.reconciler.v1.ReconcileResponseB\x9b\x02\n" + + "#com.krypton.resources.reconciler.v1B\x0fReconcilerProtoP\x01ZDgithub.com/openkcm/plugin-sdk/proto/plugin/resources/v1;reconcilerv1\xa2\x02\x03KRR\xaa\x02\x1fKrypton.Resources.Reconciler.V1\xca\x02\x1fKrypton\\Resources\\Reconciler\\V1\xe2\x02+Krypton\\Resources\\Reconciler\\V1\\GPBMetadata\xea\x02\"Krypton::Resources::Reconciler::V1b\x06proto3" var ( - file_plugin_reconciler_v1_reconciler_proto_rawDescOnce sync.Once - file_plugin_reconciler_v1_reconciler_proto_rawDescData []byte + file_plugin_resources_v1_reconciler_proto_rawDescOnce sync.Once + file_plugin_resources_v1_reconciler_proto_rawDescData []byte ) -func file_plugin_reconciler_v1_reconciler_proto_rawDescGZIP() []byte { - file_plugin_reconciler_v1_reconciler_proto_rawDescOnce.Do(func() { - file_plugin_reconciler_v1_reconciler_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_plugin_reconciler_v1_reconciler_proto_rawDesc), len(file_plugin_reconciler_v1_reconciler_proto_rawDesc))) +func 
file_plugin_resources_v1_reconciler_proto_rawDescGZIP() []byte { + file_plugin_resources_v1_reconciler_proto_rawDescOnce.Do(func() { + file_plugin_resources_v1_reconciler_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_plugin_resources_v1_reconciler_proto_rawDesc), len(file_plugin_resources_v1_reconciler_proto_rawDesc))) }) - return file_plugin_reconciler_v1_reconciler_proto_rawDescData + return file_plugin_resources_v1_reconciler_proto_rawDescData } -var file_plugin_reconciler_v1_reconciler_proto_msgTypes = make([]protoimpl.MessageInfo, 2) -var file_plugin_reconciler_v1_reconciler_proto_goTypes = []any{ - (*ReconcileRequest)(nil), // 0: krypton.reconciler.v1.ReconcileRequest - (*ReconcileResponse)(nil), // 1: krypton.reconciler.v1.ReconcileResponse +var file_plugin_resources_v1_reconciler_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_plugin_resources_v1_reconciler_proto_goTypes = []any{ + (*ReconcileRequest)(nil), // 0: krypton.resources.reconciler.v1.ReconcileRequest + (*ReconcileResponse)(nil), // 1: krypton.resources.reconciler.v1.ReconcileResponse } -var file_plugin_reconciler_v1_reconciler_proto_depIdxs = []int32{ - 0, // 0: krypton.reconciler.v1.Reconciler.Reconcile:input_type -> krypton.reconciler.v1.ReconcileRequest - 1, // 1: krypton.reconciler.v1.Reconciler.Reconcile:output_type -> krypton.reconciler.v1.ReconcileResponse +var file_plugin_resources_v1_reconciler_proto_depIdxs = []int32{ + 0, // 0: krypton.resources.reconciler.v1.Reconciler.Reconcile:input_type -> krypton.resources.reconciler.v1.ReconcileRequest + 1, // 1: krypton.resources.reconciler.v1.Reconciler.Reconcile:output_type -> krypton.resources.reconciler.v1.ReconcileResponse 1, // [1:2] is the sub-list for method output_type 0, // [0:1] is the sub-list for method input_type 0, // [0:0] is the sub-list for extension type_name 
@@ -219,26 +219,26 @@ var file_plugin_reconciler_v1_reconciler_proto_depIdxs = []int32{ 0, // [0:0] is the sub-list for field type_name } -func init() { file_plugin_reconciler_v1_reconciler_proto_init() } -func file_plugin_reconciler_v1_reconciler_proto_init() { - if File_plugin_reconciler_v1_reconciler_proto != nil { +func init() { file_plugin_resources_v1_reconciler_proto_init() } +func file_plugin_resources_v1_reconciler_proto_init() { + if File_plugin_resources_v1_reconciler_proto != nil { return } type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_plugin_reconciler_v1_reconciler_proto_rawDesc), len(file_plugin_reconciler_v1_reconciler_proto_rawDesc)), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_plugin_resources_v1_reconciler_proto_rawDesc), len(file_plugin_resources_v1_reconciler_proto_rawDesc)), NumEnums: 0, NumMessages: 2, NumExtensions: 0, NumServices: 1, }, - GoTypes: file_plugin_reconciler_v1_reconciler_proto_goTypes, - DependencyIndexes: file_plugin_reconciler_v1_reconciler_proto_depIdxs, - MessageInfos: file_plugin_reconciler_v1_reconciler_proto_msgTypes, + GoTypes: file_plugin_resources_v1_reconciler_proto_goTypes, + DependencyIndexes: file_plugin_resources_v1_reconciler_proto_depIdxs, + MessageInfos: file_plugin_resources_v1_reconciler_proto_msgTypes, }.Build() - File_plugin_reconciler_v1_reconciler_proto = out.File - file_plugin_reconciler_v1_reconciler_proto_goTypes = nil - file_plugin_reconciler_v1_reconciler_proto_depIdxs = nil + File_plugin_resources_v1_reconciler_proto = out.File + file_plugin_resources_v1_reconciler_proto_goTypes = nil + file_plugin_resources_v1_reconciler_proto_depIdxs = nil } 
diff --git a/proto/plugin/reconciler/v1/reconciler.pb.validate.go b/proto/plugin/resources/v1/reconciler.pb.validate.go similarity index 99% rename from proto/plugin/reconciler/v1/reconciler.pb.validate.go rename to proto/plugin/resources/v1/reconciler.pb.validate.go index 17b68f1..882a210 100644 --- a/proto/plugin/reconciler/v1/reconciler.pb.validate.go +++ b/proto/plugin/resources/v1/reconciler.pb.validate.go @@ -1,5 +1,5 @@ // Code generated by protoc-gen-validate. DO NOT EDIT. -// source: plugin/reconciler/v1/reconciler.proto +// source: plugin/resources/v1/reconciler.proto package reconcilerv1 diff --git a/proto/plugin/reconciler/v1/reconciler.proto b/proto/plugin/resources/v1/reconciler.proto similarity index 94% rename from proto/plugin/reconciler/v1/reconciler.proto rename to proto/plugin/resources/v1/reconciler.proto index 1e10d1d..636bdd4 100644 --- a/proto/plugin/reconciler/v1/reconciler.proto +++ b/proto/plugin/resources/v1/reconciler.proto @@ -1,10 +1,9 @@ syntax = "proto3"; -package krypton.reconciler.v1; +package krypton.resources.reconciler.v1; import "buf/validate/validate.proto"; -option go_package = "github.com/openkcm/krypton/proto/plugin/reconciler/v1;reconcilerv1"; // Reconciler is the gRPC contract between Krypton core and an external // reconciler plugin. Core is the client; the plugin binary is the server. diff --git a/proto/plugin/reconciler/v1/reconciler_ext_plugin.pb.go b/proto/plugin/resources/v1/reconciler_ext_plugin.pb.go similarity index 94% rename from proto/plugin/reconciler/v1/reconciler_ext_plugin.pb.go rename to proto/plugin/resources/v1/reconciler_ext_plugin.pb.go index 0156472..351d4ae 100644 --- a/proto/plugin/reconciler/v1/reconciler_ext_plugin.pb.go +++ b/proto/plugin/resources/v1/reconciler_ext_plugin.pb.go 
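Review bot: The package rename in reconciler.proto changes the gRPC service name on the wire, and nothing in the file records that. The regenerated stubs now register `krypton.resources.reconciler.v1.Reconciler` and call `/krypton.resources.reconciler.v1.Reconciler/Reconcile`, so a plugin binary built against the old `krypton.reconciler.v1` name will answer with Unimplemented until it is rebuilt. I would add a comment next to the package line, e.g. `// Renamed from krypton.reconciler.v1: the gRPC service path changed, core and plugins must be rebuilt together.` If mixed core and plugin versions have to keep working, the old service name would need to stay registered for a transition period, which this patch does not appear to do.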
@@ -10,7 +10,7 @@ import ( const ( Type = "Reconciler" - GRPCServiceFullName = "krypton.reconciler.v1.Reconciler" + GRPCServiceFullName = "krypton.resources.reconciler.v1.Reconciler" ) func ReconcilerPluginServer(server ReconcilerServer) api.PluginServer { diff --git a/proto/plugin/reconciler/v1/reconciler_grpc.pb.go b/proto/plugin/resources/v1/reconciler_grpc.pb.go similarity index 95% rename from proto/plugin/reconciler/v1/reconciler_grpc.pb.go rename to proto/plugin/resources/v1/reconciler_grpc.pb.go index 79018ae..9a6c02e 100644 --- a/proto/plugin/reconciler/v1/reconciler_grpc.pb.go +++ b/proto/plugin/resources/v1/reconciler_grpc.pb.go @@ -2,7 +2,7 @@ // versions: // - protoc-gen-go-grpc v1.6.1 // - protoc (unknown) -// source: plugin/reconciler/v1/reconciler.proto +// source: plugin/resources/v1/reconciler.proto package reconcilerv1 @@ -20,7 +20,7 @@ import ( const _ = grpc.SupportPackageIsVersion9 const ( - Reconciler_Reconcile_FullMethodName = "/krypton.reconciler.v1.Reconciler/Reconcile" + Reconciler_Reconcile_FullMethodName = "/krypton.resources.reconciler.v1.Reconciler/Reconcile" ) // ReconcilerClient is the client API for Reconciler service. @@ -125,7 +125,7 @@ func _Reconciler_Reconcile_Handler(srv interface{}, ctx context.Context, dec fun // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) var Reconciler_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "krypton.reconciler.v1.Reconciler", + ServiceName: "krypton.resources.reconciler.v1.Reconciler", HandlerType: (*ReconcilerServer)(nil), Methods: []grpc.MethodDesc{ { @@ -134,5 +134,5 @@ var Reconciler_ServiceDesc = grpc.ServiceDesc{ }, }, Streams: []grpc.StreamDesc{}, - Metadata: "plugin/reconciler/v1/reconciler.proto", + Metadata: "plugin/resources/v1/reconciler.proto", } From d89500199dcd09fcd934dfa59df3b02c43c0c199 Mon Sep 17 00:00:00 2001 
From: Nicolae Nicora Date: Thu, 21 May 2026 17:15:55 +0200 Subject: [PATCH 19/19] modify --- .../cipher_wrapper/v1/cipher_wrapper.pb.go | 280 ++++++++++-------- .../v1/cipher_wrapper.pb.validate.go | 184 +++++++++++- .../cipher_wrapper/v1/cipher_wrapper.proto | 69 ++--- 3 files changed, 356 insertions(+), 177 deletions(-) diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go index 094f23d..864f0b0 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.go 
@@ -23,11 +23,22 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +// KeyReference identifies a specific key within an external KMS provider and +// carries all routing config the plugin needs to reach it — address, engine path, +// namespace, region, project, etc. — so no out-of-band registration is required. type KeyReference struct { - state protoimpl.MessageState `protogen:"open.v1"` - KeyId string `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` - Version *string `protobuf:"bytes,2,opt,name=version,proto3,oneof" json:"version,omitempty"` - Properties map[string]string `protobuf:"bytes,3,rep,name=properties,proto3" json:"properties,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + state protoimpl.MessageState `protogen:"open.v1"` + // Primary external identifier: ARN, Vault transit path, Azure key URI, + // GCP resource name, PKCS#11 label. + KeyId string `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` + // Logical Krypton name — for providers that distinguish path from logical name + // and for audit log correlation. + KeyName *string `protobuf:"bytes,2,opt,name=key_name,json=keyName,proto3,oneof" json:"key_name,omitempty"` + // Specific version (for versioned providers: AWS KMS, Azure Key Vault). + Version *string `protobuf:"bytes,3,opt,name=version,proto3,oneof" json:"version,omitempty"` + // Provider-specific routing: address, engine_path, namespace, region, project_id … + // Always flat key-value — KMS addressing never needs nested structure. + Properties map[string]string `protobuf:"bytes,4,rep,name=properties,proto3" json:"properties,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } 
@@ -69,6 +80,13 @@ func (x *KeyReference) GetKeyId() string { return "" } +func (x *KeyReference) GetKeyName() string { + if x != nil && x.KeyName != nil { + return *x.KeyName + } + return "" +} + func (x *KeyReference) GetVersion() string { if x != nil && x.Version != nil { return *x.Version 
@@ -83,7 +101,63 @@ func (x *KeyReference) GetProperties() map[string]string { return nil } -// WrapRequest contains the raw key material and the context needed to encrypt it. +// EncryptedData pairs the ciphertext with the IV used during encryption. +// Kept together so storage and retrieval are always atomic — a ciphertext +// without its IV is unrecoverable. +type EncryptedData struct { + state protoimpl.MessageState `protogen:"open.v1"` + Ciphertext []byte `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` + // OPTIONAL: Initialization Vector (IV) or Nonce. + // Must be provided if it was returned in the WrapResponse. + Iv []byte `protobuf:"bytes,2,opt,name=iv,proto3,oneof" json:"iv,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *EncryptedData) Reset() { + *x = EncryptedData{} + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *EncryptedData) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*EncryptedData) ProtoMessage() {} + +func (x *EncryptedData) ProtoReflect() protoreflect.Message { + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use EncryptedData.ProtoReflect.Descriptor instead. 
+func (*EncryptedData) Descriptor() ([]byte, []int) { + return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{1} +} + +func (x *EncryptedData) GetCiphertext() []byte { + if x != nil { + return x.Ciphertext + } + return nil +} + +func (x *EncryptedData) GetIv() []byte { + if x != nil { + return x.Iv + } + return nil +} + type WrapRequest struct { state protoimpl.MessageState `protogen:"open.v1"` // OPTIONAL/REQUIRED: The structured definition of the key to use. @@ -93,19 +167,16 @@ type WrapRequest struct { // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. // Kept in proto because AAD often changes per request (e.g., binding to a specific Tenant ID). Aad []byte `protobuf:"bytes,3,opt,name=aad,proto3,oneof" json:"aad,omitempty"` - // OPTIONAL: Initialization Vector (IV) or Nonce. - // Cryptographically dynamic, must remain in proto. - Iv []byte `protobuf:"bytes,4,opt,name=iv,proto3,oneof" json:"iv,omitempty"` - // OPTIONAL: Per-request dynamic context (if needed). - // Kept as an escape hatch for truly dynamic per-request overrides. - DynamicContext map[string]string `protobuf:"bytes,900,rep,name=dynamic_context,json=dynamicContext,proto3" json:"dynamic_context,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + // IV hint: only set when the CMK engine is dictating the IV to the HSM + // (deterministic-IV hardware modes). Left unset for all software KMS providers. + IvHint []byte `protobuf:"bytes,4,opt,name=iv_hint,json=ivHint,proto3,oneof" json:"iv_hint,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *WrapRequest) Reset() { *x = WrapRequest{} - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[1] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -117,7 +188,7 @@ func (x *WrapRequest) String() string { func (*WrapRequest) ProtoMessage() {} func (x *WrapRequest) ProtoReflect() protoreflect.Message { - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[1] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[2] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -130,7 +201,7 @@ func (x *WrapRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use WrapRequest.ProtoReflect.Descriptor instead. func (*WrapRequest) Descriptor() ([]byte, []int) { - return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{1} + return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{2} } func (x *WrapRequest) GetKey() *KeyReference { @@ -154,16 +225,9 @@ func (x *WrapRequest) GetAad() []byte { return nil } -func (x *WrapRequest) GetIv() []byte { +func (x *WrapRequest) GetIvHint() []byte { if x != nil { - return x.Iv - } - return nil -} - -func (x *WrapRequest) GetDynamicContext() map[string]string { - if x != nil { - return x.DynamicContext + return x.IvHint } return nil } 
@@ -172,20 +236,17 @@ func (x *WrapRequest) GetDynamicContext() map[string]string { type WrapResponse struct { state protoimpl.MessageState `protogen:"open.v1"` // REQUIRED: The opaque, vendor-specific ciphertext. - Ciphertext []byte `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` + EncryptedData *EncryptedData `protobuf:"bytes,1,opt,name=encrypted_data,json=encryptedData,proto3" json:"encrypted_data,omitempty"` // OPTIONAL: The exact key version ID used during the operation. // Some providers (like HSMs) do not have a concept of version IDs. - KeyVersionId *string `protobuf:"bytes,2,opt,name=key_version_id,json=keyVersionId,proto3,oneof" json:"key_version_id,omitempty"` - // OPTIONAL: The Initialization Vector generated by the provider. - // Returned only if the provider generated it and CMK needs to store it. - Iv []byte `protobuf:"bytes,3,opt,name=iv,proto3,oneof" json:"iv,omitempty"` + KeyVersionId *string `protobuf:"bytes,2,opt,name=key_version_id,json=keyVersionId,proto3,oneof" json:"key_version_id,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } func (x *WrapResponse) Reset() { *x = WrapResponse{} - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[2] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -197,7 +258,7 @@ func (x *WrapResponse) String() string { func (*WrapResponse) ProtoMessage() {} func (x *WrapResponse) ProtoReflect() protoreflect.Message { - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[2] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[3] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -210,12 +271,12 @@ func (x *WrapResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use WrapResponse.ProtoReflect.Descriptor instead. func (*WrapResponse) Descriptor() ([]byte, []int) { - return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{2} + return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{3} } -func (x *WrapResponse) GetCiphertext() []byte { +func (x *WrapResponse) GetEncryptedData() *EncryptedData { if x != nil { - return x.Ciphertext + return x.EncryptedData } return nil } 
@@ -227,36 +288,21 @@ func (x *WrapResponse) GetKeyVersionId() string { return "" } -func (x *WrapResponse) GetIv() []byte { - if x != nil { - return x.Iv - } - return nil -} - -// UnwrapRequest contains the opaque ciphertext and the exact parameters -// originally used during the Wrap operation. type UnwrapRequest struct { state protoimpl.MessageState `protogen:"open.v1"` - // OPTIONAL/REQUIRED: The structured definition of the key to use. + // REQUIRED: The structured definition of the key to use. Key *KeyReference `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` // REQUIRED: The opaque ciphertext retrieved from the CMK persistent storage. - Ciphertext []byte `protobuf:"bytes,2,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` + EncryptedData *EncryptedData `protobuf:"bytes,2,opt,name=encrypted_data,json=encryptedData,proto3" json:"encrypted_data,omitempty"` // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. - Aad []byte `protobuf:"bytes,3,opt,name=aad,proto3,oneof" json:"aad,omitempty"` - // OPTIONAL: Initialization Vector (IV) or Nonce. - // Must be provided if it was returned in the WrapResponse. - Iv []byte `protobuf:"bytes,4,opt,name=iv,proto3,oneof" json:"iv,omitempty"` - // OPTIONAL: Per-request dynamic context (if needed). - // Kept as an escape hatch for truly dynamic per-request overrides. 
- DynamicContext map[string]string `protobuf:"bytes,900,rep,name=dynamic_context,json=dynamicContext,proto3" json:"dynamic_context,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + Aad []byte `protobuf:"bytes,3,opt,name=aad,proto3,oneof" json:"aad,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *UnwrapRequest) Reset() { *x = UnwrapRequest{} - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[3] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -268,7 +314,7 @@ func (x *UnwrapRequest) String() string { func (*UnwrapRequest) ProtoMessage() {} func (x *UnwrapRequest) ProtoReflect() protoreflect.Message { - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[3] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[4] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -281,7 +327,7 @@ func (x *UnwrapRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use UnwrapRequest.ProtoReflect.Descriptor instead. func (*UnwrapRequest) Descriptor() ([]byte, []int) { - return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{3} + return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{4} } func (x *UnwrapRequest) GetKey() *KeyReference { @@ -291,9 +337,9 @@ func (x *UnwrapRequest) GetKey() *KeyReference { return nil } -func (x *UnwrapRequest) GetCiphertext() []byte { +func (x *UnwrapRequest) GetEncryptedData() *EncryptedData { if x != nil { - return x.Ciphertext + return x.EncryptedData } return nil } 
@@ -305,20 +351,6 @@ func (x *UnwrapRequest) GetAad() []byte { return nil } -func (x *UnwrapRequest) GetIv() []byte { - if x != nil { - return x.Iv - } - return nil -} - -func (x *UnwrapRequest) GetDynamicContext() map[string]string { - if x != nil { - return x.DynamicContext - } - return nil -} - // UnwrapResponse returns the recovered raw cryptographic material. type UnwrapResponse struct { state protoimpl.MessageState `protogen:"open.v1"` @@ -330,7 +362,7 @@ type UnwrapResponse struct { func (x *UnwrapResponse) Reset() { *x = UnwrapResponse{} - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[4] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -342,7 +374,7 @@ func (x *UnwrapResponse) String() string { func (*UnwrapResponse) ProtoMessage() {} func (x *UnwrapResponse) ProtoReflect() protoreflect.Message { - mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[4] + mi := &file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[5] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -355,7 +387,7 @@ func (x *UnwrapResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use UnwrapResponse.ProtoReflect.Descriptor instead. func (*UnwrapResponse) Descriptor() ([]byte, []int) { - return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{4} + return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP(), []int{5} } func (x *UnwrapResponse) GetPlaintext() []byte { 
@@ -369,52 +401,44 @@ var File_plugin_cipher_wrapper_v1_cipher_wrapper_proto protoreflect.FileDescript const file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc = "" + "\n" + - "-plugin/cipher_wrapper/v1/cipher_wrapper.proto\x12 krypton.plugin.cipher_wrapper.v1\x1a\x1bbuf/validate/validate.proto\"\xef\x01\n" + - "\fKeyReference\x12\x15\n" + - "\x06key_id\x18\x01 \x01(\tR\x05keyId\x12\x1d\n" + - "\aversion\x18\x02 \x01(\tH\x00R\aversion\x88\x01\x01\x12^\n" + + "-plugin/cipher_wrapper/v1/cipher_wrapper.proto\x12 krypton.plugin.cipher_wrapper.v1\x1a\x1bbuf/validate/validate.proto\"\xa5\x02\n" + + "\fKeyReference\x12\x1e\n" + + "\x06key_id\x18\x01 \x01(\tB\a\xbaH\x04r\x02\x10\x01R\x05keyId\x12\x1e\n" + + "\bkey_name\x18\x02 \x01(\tH\x00R\akeyName\x88\x01\x01\x12\x1d\n" + + "\aversion\x18\x03 \x01(\tH\x01R\aversion\x88\x01\x01\x12^\n" + "\n" + - "properties\x18\x03 \x03(\v2>.krypton.plugin.cipher_wrapper.v1.KeyReference.PropertiesEntryR\n" + + "properties\x18\x04 \x03(\v2>.krypton.plugin.cipher_wrapper.v1.KeyReference.PropertiesEntryR\n" + "properties\x1a=\n" + "\x0fPropertiesEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + - "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\v\n" + + "\t_key_nameB\n" + + "\n" + + "\b_version\"T\n" + + "\rEncryptedData\x12'\n" + "\n" + - "\b_version\"\xec\x02\n" + + "ciphertext\x18\x01 \x01(\fB\a\xbaH\x04z\x02\x10\x01R\n" + + "ciphertext\x12\x13\n" + + "\x02iv\x18\x02 \x01(\fH\x00R\x02iv\x88\x01\x01B\x05\n" + + "\x03_iv\"\xca\x01\n" + "\vWrapRequest\x12H\n" + "\x03key\x18\x01 \x01(\v2..krypton.plugin.cipher_wrapper.v1.KeyReferenceB\x06\xbaH\x03\xc8\x01\x01R\x03key\x12(\n" + "\tplaintext\x18\x02 \x01(\fB\n" + "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\tplaintext\x12\x15\n" + - "\x03aad\x18\x03 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + - "\x02iv\x18\x04 \x01(\fH\x01R\x02iv\x88\x01\x01\x12k\n" + - "\x0fdynamic_context\x18\x84\a 
\x03(\v2A.krypton.plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + - "\x13DynamicContextEntry\x12\x10\n" + - "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + - "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x06\n" + - "\x04_aadB\x05\n" + - "\x03_iv\"\x88\x01\n" + - "\fWrapResponse\x12\x1e\n" + + "\x03aad\x18\x03 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x1c\n" + + "\aiv_hint\x18\x04 \x01(\fH\x01R\x06ivHint\x88\x01\x01B\x06\n" + + "\x04_aadB\n" + "\n" + - "ciphertext\x18\x01 \x01(\fR\n" + - "ciphertext\x12)\n" + - "\x0ekey_version_id\x18\x02 \x01(\tH\x00R\fkeyVersionId\x88\x01\x01\x12\x13\n" + - "\x02iv\x18\x03 \x01(\fH\x01R\x02iv\x88\x01\x01B\x11\n" + - "\x0f_key_version_idB\x05\n" + - "\x03_iv\"\xf2\x02\n" + + "\b_iv_hint\"\xa4\x01\n" + + "\fWrapResponse\x12V\n" + + "\x0eencrypted_data\x18\x01 \x01(\v2/.krypton.plugin.cipher_wrapper.v1.EncryptedDataR\rencryptedData\x12)\n" + + "\x0ekey_version_id\x18\x02 \x01(\tH\x00R\fkeyVersionId\x88\x01\x01B\x11\n" + + "\x0f_key_version_id\"\xd8\x01\n" + "\rUnwrapRequest\x12H\n" + - "\x03key\x18\x01 \x01(\v2..krypton.plugin.cipher_wrapper.v1.KeyReferenceB\x06\xbaH\x03\xc8\x01\x01R\x03key\x12*\n" + - "\n" + - "ciphertext\x18\x02 \x01(\fB\n" + - "\xbaH\a\xc8\x01\x01z\x02\x10\x01R\n" + - "ciphertext\x12\x15\n" + - "\x03aad\x18\x03 \x01(\fH\x00R\x03aad\x88\x01\x01\x12\x13\n" + - "\x02iv\x18\x04 \x01(\fH\x01R\x02iv\x88\x01\x01\x12m\n" + - "\x0fdynamic_context\x18\x84\a \x03(\v2C.krypton.plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntryR\x0edynamicContext\x1aA\n" + - "\x13DynamicContextEntry\x12\x10\n" + - "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + - "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x06\n" + - "\x04_aadB\x05\n" + - "\x03_iv\".\n" + + "\x03key\x18\x01 \x01(\v2..krypton.plugin.cipher_wrapper.v1.KeyReferenceB\x06\xbaH\x03\xc8\x01\x01R\x03key\x12^\n" + + "\x0eencrypted_data\x18\x02 
\x01(\v2/.krypton.plugin.cipher_wrapper.v1.EncryptedDataB\x06\xbaH\x03\xc8\x01\x01R\rencryptedData\x12\x15\n" + + "\x03aad\x18\x03 \x01(\fH\x00R\x03aad\x88\x01\x01B\x06\n" + + "\x04_aad\".\n" + "\x0eUnwrapResponse\x12\x1c\n" + "\tplaintext\x18\x01 \x01(\fR\tplaintext2\xe3\x01\n" + "\rCipherWrapper\x12e\n" + 
@@ -434,27 +458,26 @@ func file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescGZIP() []byte { return file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDescData } -var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes = make([]protoimpl.MessageInfo, 8) +var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes = make([]protoimpl.MessageInfo, 7) var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_goTypes = []any{ (*KeyReference)(nil), // 0: krypton.plugin.cipher_wrapper.v1.KeyReference - (*WrapRequest)(nil), // 1: krypton.plugin.cipher_wrapper.v1.WrapRequest - (*WrapResponse)(nil), // 2: krypton.plugin.cipher_wrapper.v1.WrapResponse - (*UnwrapRequest)(nil), // 3: krypton.plugin.cipher_wrapper.v1.UnwrapRequest - (*UnwrapResponse)(nil), // 4: krypton.plugin.cipher_wrapper.v1.UnwrapResponse - nil, // 5: krypton.plugin.cipher_wrapper.v1.KeyReference.PropertiesEntry - nil, // 6: krypton.plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntry - nil, // 7: krypton.plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry + (*EncryptedData)(nil), // 1: krypton.plugin.cipher_wrapper.v1.EncryptedData + (*WrapRequest)(nil), // 2: krypton.plugin.cipher_wrapper.v1.WrapRequest + (*WrapResponse)(nil), // 3: krypton.plugin.cipher_wrapper.v1.WrapResponse + (*UnwrapRequest)(nil), // 4: krypton.plugin.cipher_wrapper.v1.UnwrapRequest + (*UnwrapResponse)(nil), // 5: krypton.plugin.cipher_wrapper.v1.UnwrapResponse + nil, // 6: krypton.plugin.cipher_wrapper.v1.KeyReference.PropertiesEntry } var file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_depIdxs = []int32{ - 5, // 0: krypton.plugin.cipher_wrapper.v1.KeyReference.properties:type_name -> krypton.plugin.cipher_wrapper.v1.KeyReference.PropertiesEntry + 6, // 0: krypton.plugin.cipher_wrapper.v1.KeyReference.properties:type_name -> krypton.plugin.cipher_wrapper.v1.KeyReference.PropertiesEntry 0, // 1: krypton.plugin.cipher_wrapper.v1.WrapRequest.key:type_name -> krypton.plugin.cipher_wrapper.v1.KeyReference 
- 6, // 2: krypton.plugin.cipher_wrapper.v1.WrapRequest.dynamic_context:type_name -> krypton.plugin.cipher_wrapper.v1.WrapRequest.DynamicContextEntry + 1, // 2: krypton.plugin.cipher_wrapper.v1.WrapResponse.encrypted_data:type_name -> krypton.plugin.cipher_wrapper.v1.EncryptedData 0, // 3: krypton.plugin.cipher_wrapper.v1.UnwrapRequest.key:type_name -> krypton.plugin.cipher_wrapper.v1.KeyReference - 7, // 4: krypton.plugin.cipher_wrapper.v1.UnwrapRequest.dynamic_context:type_name -> krypton.plugin.cipher_wrapper.v1.UnwrapRequest.DynamicContextEntry - 1, // 5: krypton.plugin.cipher_wrapper.v1.CipherWrapper.Wrap:input_type -> krypton.plugin.cipher_wrapper.v1.WrapRequest - 3, // 6: krypton.plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:input_type -> krypton.plugin.cipher_wrapper.v1.UnwrapRequest - 2, // 7: krypton.plugin.cipher_wrapper.v1.CipherWrapper.Wrap:output_type -> krypton.plugin.cipher_wrapper.v1.WrapResponse - 4, // 8: krypton.plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:output_type -> krypton.plugin.cipher_wrapper.v1.UnwrapResponse + 1, // 4: krypton.plugin.cipher_wrapper.v1.UnwrapRequest.encrypted_data:type_name -> krypton.plugin.cipher_wrapper.v1.EncryptedData + 2, // 5: krypton.plugin.cipher_wrapper.v1.CipherWrapper.Wrap:input_type -> krypton.plugin.cipher_wrapper.v1.WrapRequest + 4, // 6: krypton.plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:input_type -> krypton.plugin.cipher_wrapper.v1.UnwrapRequest + 3, // 7: krypton.plugin.cipher_wrapper.v1.CipherWrapper.Wrap:output_type -> krypton.plugin.cipher_wrapper.v1.WrapResponse + 5, // 8: krypton.plugin.cipher_wrapper.v1.CipherWrapper.Unwrap:output_type -> krypton.plugin.cipher_wrapper.v1.UnwrapResponse 7, // [7:9] is the sub-list for method output_type 5, // [5:7] is the sub-list for method input_type 5, // [5:5] is the sub-list for extension type_name 
@@ -471,13 +494,14 @@ func file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_init() { file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[1].OneofWrappers = []any{} file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[2].OneofWrappers = []any{} file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[3].OneofWrappers = []any{} + file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_msgTypes[4].OneofWrappers = []any{} type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc), len(file_plugin_cipher_wrapper_v1_cipher_wrapper_proto_rawDesc)), NumEnums: 0, - NumMessages: 8, + NumMessages: 7, NumExtensions: 0, NumServices: 1, }, diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go index 88c88c1..740744c 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.pb.validate.go @@ -61,6 +61,10 @@ func (m *KeyReference) validate(all bool) error { // no validation rules for Properties + if m.KeyName != nil { + // no validation rules for KeyName + } + if m.Version != nil { // no validation rules for Version } 
@@ -142,6 +146,112 @@ var _ interface { ErrorName() string } = KeyReferenceValidationError{} +// Validate checks the field values on EncryptedData with the rules defined in +// the proto definition for this message. If any rules are violated, the first +// error encountered is returned, or nil if there are no violations. +func (m *EncryptedData) Validate() error { + return m.validate(false) +} + +// ValidateAll checks the field values on EncryptedData with the rules defined +// in the proto definition for this message. If any rules are violated, the +// result is a list of violation errors wrapped in EncryptedDataMultiError, or +// nil if none found. +func (m *EncryptedData) ValidateAll() error { + return m.validate(true) +} + +func (m *EncryptedData) validate(all bool) error { + if m == nil { + return nil + } + + var errors []error + + // no validation rules for Ciphertext + + if m.Iv != nil { + // no validation rules for Iv + } + + if len(errors) > 0 { + return EncryptedDataMultiError(errors) + } + + return nil +} + +// EncryptedDataMultiError is an error wrapping multiple validation errors +// returned by EncryptedData.ValidateAll() if the designated constraints +// aren't met. +type EncryptedDataMultiError []error + +// Error returns a concatenation of all the error messages it wraps. +func (m EncryptedDataMultiError) Error() string { + msgs := make([]string, 0, len(m)) + for _, err := range m { + msgs = append(msgs, err.Error()) + } + return strings.Join(msgs, "; ") +} + +// AllErrors returns a list of validation violation errors. +func (m EncryptedDataMultiError) AllErrors() []error { return m } + +// EncryptedDataValidationError is the validation error returned by +// EncryptedData.Validate if the designated constraints aren't met. +type EncryptedDataValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. 
+func (e EncryptedDataValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e EncryptedDataValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e EncryptedDataValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e EncryptedDataValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e EncryptedDataValidationError) ErrorName() string { return "EncryptedDataValidationError" } + +// Error satisfies the builtin error interface +func (e EncryptedDataValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sEncryptedData.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = EncryptedDataValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = EncryptedDataValidationError{} + // Validate checks the field values on WrapRequest with the rules defined in // the proto definition for this message. If any rules are violated, the first // error encountered is returned, or nil if there are no violations. @@ -195,14 +305,12 @@ func (m *WrapRequest) validate(all bool) error { // no validation rules for Plaintext - // no validation rules for DynamicContext - if m.Aad != nil { // no validation rules for Aad } - if m.Iv != nil { - // no validation rules for Iv + if m.IvHint != nil { + // no validation rules for IvHint } if len(errors) > 0 { 
@@ -304,16 +412,39 @@ func (m *WrapResponse) validate(all bool) error { var errors []error - // no validation rules for Ciphertext + if all { + switch v := interface{}(m.GetEncryptedData()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, WrapResponseValidationError{ + field: "EncryptedData", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, WrapResponseValidationError{ + field: "EncryptedData", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetEncryptedData()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return WrapResponseValidationError{ + field: "EncryptedData", + reason: "embedded message failed validation", + cause: err, + } + } + } if m.KeyVersionId != nil { // no validation rules for KeyVersionId } - if m.Iv != nil { - // no validation rules for Iv - } - if len(errors) > 0 { return WrapResponseMultiError(errors) } 
@@ -442,18 +573,39 @@ func (m *UnwrapRequest) validate(all bool) error { } } - // no validation rules for Ciphertext - - // no validation rules for DynamicContext + if all { + switch v := interface{}(m.GetEncryptedData()).(type) { + case interface{ ValidateAll() error }: + if err := v.ValidateAll(); err != nil { + errors = append(errors, UnwrapRequestValidationError{ + field: "EncryptedData", + reason: "embedded message failed validation", + cause: err, + }) + } + case interface{ Validate() error }: + if err := v.Validate(); err != nil { + errors = append(errors, UnwrapRequestValidationError{ + field: "EncryptedData", + reason: "embedded message failed validation", + cause: err, + }) + } + } + } else if v, ok := interface{}(m.GetEncryptedData()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return UnwrapRequestValidationError{ + field: "EncryptedData", + reason: "embedded message failed validation", + cause: err, + } + } + } if m.Aad != nil { // no validation rules for Aad } - if m.Iv != nil { - // no validation rules for Iv - } - if len(errors) > 0 { return UnwrapRequestMultiError(errors) } diff --git a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto index cff1318..95a346a 100644 --- a/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto +++ b/proto/plugin/cipher_wrapper/v1/cipher_wrapper.proto 
@@ -17,13 +17,37 @@ service CipherWrapper { rpc Unwrap(UnwrapRequest) returns (UnwrapResponse); } +// KeyReference identifies a specific key within an external KMS provider and +// carries all routing config the plugin needs to reach it — address, engine path, +// namespace, region, project, etc. — so no out-of-band registration is required. message KeyReference { - string key_id = 1; - optional string version = 2; - map properties = 3; + // Primary external identifier: ARN, Vault transit path, Azure key URI, + // GCP resource name, PKCS#11 label. + string key_id = 1 [(buf.validate.field).string.min_len = 1]; + + // Logical Krypton name — for providers that distinguish path from logical name + // and for audit log correlation. + optional string key_name = 2; + + // Specific version (for versioned providers: AWS KMS, Azure Key Vault). + optional string version = 3; + + // Provider-specific routing: address, engine_path, namespace, region, project_id … + // Always flat key-value — KMS addressing never needs nested structure. + map properties = 4; +} + +// EncryptedData pairs the ciphertext with the IV used during encryption. +// Kept together so storage and retrieval are always atomic — a ciphertext +// without its IV is unrecoverable. +message EncryptedData { + bytes ciphertext = 1 [(buf.validate.field).bytes.min_len = 1]; + + // OPTIONAL: Initialization Vector (IV) or Nonce. + // Must be provided if it was returned in the WrapResponse. + optional bytes iv = 2; } -// WrapRequest contains the raw key material and the context needed to encrypt it. message WrapRequest { // OPTIONAL/REQUIRED: The structured definition of the key to use. KeyReference key = 1 [(buf.validate.field).required = true]; 
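Review bot: The `min_len = 1` constraints added on `key_id` and `EncryptedData.ciphertext` are declared with `buf.validate`, but the regenerated `cipher_wrapper.pb.validate.go` in this same patch emits `// no validation rules for Ciphertext` in `EncryptedData.validate`, which suggests that generator does not read these options. A caller relying on the generated `Validate()` would therefore accept an empty ciphertext (and presumably an empty key id); the rules only take effect if host and plugin run the messages through the protovalidate runtime at the gRPC boundary. That is worth stating next to the fields, e.g. `// Enforced by protovalidate at runtime; the generated Validate() does not check this.` Separately, moving `version` to 3 and `properties` to 4 changes the wire format of `KeyReference`; if any plugin was built against the earlier numbering, keep 2 and 3 as they were and add `optional string key_name = 4;` instead.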
@@ -38,51 +62,30 @@ message WrapRequest { // Kept in proto because AAD often changes per request (e.g., binding to a specific Tenant ID). optional bytes aad = 3; - // OPTIONAL: Initialization Vector (IV) or Nonce. - // Cryptographically dynamic, must remain in proto. - optional bytes iv = 4; - - // OPTIONAL: Per-request dynamic context (if needed). - // Kept as an escape hatch for truly dynamic per-request overrides. - map dynamic_context = 900; + // IV hint: only set when the CMK engine is dictating the IV to the HSM + // (deterministic-IV hardware modes). Left unset for all software KMS providers. + optional bytes iv_hint = 4; } // WrapResponse returns the provider-specific ciphertext and metadata. message WrapResponse { // REQUIRED: The opaque, vendor-specific ciphertext. - bytes ciphertext = 1; + EncryptedData encrypted_data = 1; // OPTIONAL: The exact key version ID used during the operation. // Some providers (like HSMs) do not have a concept of version IDs. optional string key_version_id = 2; - - // OPTIONAL: The Initialization Vector generated by the provider. - // Returned only if the provider generated it and CMK needs to store it. - optional bytes iv = 3; } -// UnwrapRequest contains the opaque ciphertext and the exact parameters -// originally used during the Wrap operation. message UnwrapRequest { - // OPTIONAL/REQUIRED: The structured definition of the key to use. - KeyReference key = 1 [(buf.validate.field).required = true]; + // REQUIRED: The structured definition of the key to use. + KeyReference key = 1 [(buf.validate.field).required = true]; // REQUIRED: The opaque ciphertext retrieved from the CMK persistent storage. - bytes ciphertext = 2 [ - (buf.validate.field).required = true, - (buf.validate.field).bytes.min_len = 1 - ]; + EncryptedData encrypted_data = 2 [(buf.validate.field).required = true]; // OPTIONAL: Standard Additional Authenticated Data (AAD) byte buffer. 
- optional bytes aad = 3; - - // OPTIONAL: Initialization Vector (IV) or Nonce. - // Must be provided if it was returned in the WrapResponse. - optional bytes iv = 4; - - // OPTIONAL: Per-request dynamic context (if needed). - // Kept as an escape hatch for truly dynamic per-request overrides. - map dynamic_context = 900; + optional bytes aad = 3; } // UnwrapResponse returns the recovered raw cryptographic material.
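Review bot: `iv_hint` lets the caller dictate the IV, but the field comment states neither a uniqueness requirement nor what a plugin must do when it cannot honour the hint. If a provider uses a nonce-based AEAD mode such as AES-GCM, a repeated IV under the same key undermines both confidentiality and integrity, so the contract belongs in the schema: `// Caller MUST ensure iv_hint is never reused with the same key; plugins that do not accept a caller-supplied IV MUST reject the request instead of ignoring it.` Also in this hunk, `WrapResponse.encrypted_data` is commented REQUIRED but, unlike `UnwrapRequest.encrypted_data`, carries no constraint; `EncryptedData encrypted_data = 1 [(buf.validate.field).required = true];` would make a plugin reply without ciphertext fail validation. `WrapRequest` starts before the hunk.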