From c1be8025103c536364ad7d0466a5e38c5e5250d4 Mon Sep 17 00:00:00 2001 From: De Clercq Wentzel <10665586+wentzeld@users.noreply.github.com> Date: Fri, 17 Apr 2026 23:00:59 -0700 Subject: [PATCH 1/2] feat(confidentialhttp): add AuthConfig for pluggable request signing Adds ApiKey, Basic, Bearer, HMAC (SHA256/SigV4/Custom), and OAuth2 (client_credentials, refresh_token) variants on ConfidentialHTTPRequest. Fully backwards-compatible: auth is an optional field; existing workflows with no auth configured behave exactly as before. --- .../confidentialhttp/v1alpha/client.proto | 142 ++++++++++++++++++ cre/go/installer/pkg/embedded_gen.go | 142 ++++++++++++++++++ cre/go/sdk/sdk.pb.go | 2 +- cre/go/tools/generator/cre_metadata.pb.go | 2 +- cre/go/values/pb/values.pb.go | 2 +- 5 files changed, 287 insertions(+), 3 deletions(-) diff --git a/cre/capabilities/networking/confidentialhttp/v1alpha/client.proto b/cre/capabilities/networking/confidentialhttp/v1alpha/client.proto index 9feec6f0..88c02b71 100644 --- a/cre/capabilities/networking/confidentialhttp/v1alpha/client.proto +++ b/cre/capabilities/networking/confidentialhttp/v1alpha/client.proto 
@@ -60,6 +60,148 @@ message HTTPResponse {
 message ConfidentialHTTPRequest {
 repeated SecretIdentifier vault_don_secrets = 1;
 HTTPRequest request = 2;
+ // auth, when set, instructs the enclave to sign the outbound request using
+ // the specified method. Every secret_name referenced inside AuthConfig must
+ // also appear in vault_don_secrets (enforced by the capability validator).
+ // When auth is nil, the request is sent with only the headers/body the
+ // caller provided — preserving the legacy "{{.SECRET_NAME}}" header-template
+ // behavior.
+ optional AuthConfig auth = 3;
+}
+
+// AuthConfig selects one of the supported request-signing methods.
+// Each variant carries the method-specific parameters and references
+// the names of the Vault-DON secrets it needs.
+message AuthConfig {
+ oneof method {
+ ApiKeyAuth api_key = 1;
+ BasicAuth basic = 2;
+ BearerAuth bearer = 3;
+ HmacAuth hmac = 4;
+ OAuth2Auth oauth2 = 5;
+ }
+}
+
+// ApiKeyAuth attaches a secret value to a chosen header.
+// Renders as: :
+// Example (header_name="x-api-key", secret_name="coingecko", value_prefix=""):
+// x-api-key:
+message ApiKeyAuth {
+ string header_name = 1; // required, e.g. "x-api-key", "Authorization"
+ string secret_name = 2; // required; key into ConfidentialHTTPRequest.vault_don_secrets
+ string value_prefix = 3; // optional, e.g. "ApiKey ", "Token "
+}
+
+// BasicAuth renders: Authorization: Basic base64(username ":" password).
+message BasicAuth {
+ string username_secret_name = 1; // required
+ string password_secret_name = 2; // required
+}
+
+// BearerAuth attaches a pre-issued long-lived token.
+// Default behavior: Authorization: Bearer
+// header_name and value_prefix allow rare overrides (e.g. GitHub's
+// "Authorization: token ").
+message BearerAuth {
+ string token_secret_name = 1; // required
+ string header_name = 2; // optional override, default "Authorization"
+ string value_prefix = 3; // optional override, default "Bearer "
+}
+
+// HmacAuth groups all HMAC-family signing variants.
+message HmacAuth {
+ oneof variant {
+ HmacSha256 sha256 = 1;
+ AwsSigV4 aws_sig_v4 = 2;
+ HmacCustom custom = 3;
+ }
+}
+
+// HmacSha256 implements a generic canonical-string HMAC-SHA256 signature.
+// Canonical string: method "\n" url "\n" sha256(body) "\n" timestamp
+// Signature is attached via signature_header, timestamp via timestamp_header.
+message HmacSha256 {
+ string secret_name = 1; // required shared secret
+ string signature_header = 2; // default "X-Signature"
+ string timestamp_header = 3; // default "X-Timestamp"
+ bool include_query = 4; // if true, include the query string in the canonical url
+ string encoding = 5; // "hex" (default) or "base64"
+}
+
+// AwsSigV4 implements AWS Signature Version 4.
+// Uses github.com/aws/aws-sdk-go-v2/aws/signer/v4 under the hood.
+message AwsSigV4 {
+ string access_key_id_secret_name = 1; // required
+ string secret_access_key_secret_name = 2; // required
+ string session_token_secret_name = 3; // optional (for STS creds)
+ string region = 4; // required, e.g. "us-east-1"
+ string service = 5; // required, e.g. "execute-api", "s3"
+ // Signed headers (comma-separated lowercase). Optional; defaults to
+ // "host;x-amz-date" plus "x-amz-security-token" if session_token_secret_name
+ // is set.
+ repeated string signed_headers = 6;
+ // If true, uses X-Amz-Content-Sha256: UNSIGNED-PAYLOAD (useful for large S3
+ // uploads). Default false.
+ bool unsigned_payload = 7;
+}
+
+// HmacCustom lets workflow authors specify the canonical string via a
+// Go text/template string. Available template vars:
+// {{.method}} {{.url}} {{.path}} {{.query}} {{.body}} {{.body_sha256}}
+// {{.timestamp}} {{.nonce}} {{header "X-Foo"}}
+message HmacCustom {
+ string secret_name = 1; // required
+ string canonical_template = 2; // required
+ enum Hash { HASH_SHA256 = 0; HASH_SHA512 = 1; }
+ Hash hash = 3;
+ string signature_header = 4; // required
+ string signature_prefix = 5; // e.g. "HMAC-SHA256 "
+ string timestamp_header = 6; // optional; if set, timestamp header injected
+ string nonce_header = 7; // optional; if set, random nonce header injected
+ string encoding = 8; // "hex" (default) or "base64"
+}
+
+// OAuth2Auth groups headless OAuth 2.0 flows.
+// Interactive flows (Authorization Code, PKCE, Device Code) are NOT supported —
+// they require browser consent that a headless TEE cannot perform.
+message OAuth2Auth {
+ oneof variant {
+ OAuth2ClientCredentials client_credentials = 1;
+ OAuth2RefreshToken refresh_token = 2;
+ }
+}
+
+// OAuth2ClientCredentials: machine-to-machine grant.
+// The enclave POSTs to token_url with client_id/client_secret, caches the
+// resulting access_token per (workflow_owner, token_url, client_id, scopes),
+// and attaches "Authorization: Bearer " to the outbound request.
+message OAuth2ClientCredentials {
+ string token_url = 1; // required, must be https://
+ string client_id_secret_name = 2; // required
+ string client_secret_secret_name = 3; // required
+ repeated string scopes = 4; // optional
+ string audience = 5; // optional (Auth0-style)
+ // "basic_auth" (default) or "request_body" — where to put client creds
+ // on the token request.
+ string client_auth_method = 6;
+ // Extra form params to send with the token request.
+ map extra_params = 7;
+}
+
+// OAuth2RefreshToken: the workflow stores a long-lived refresh_token in Vault
+// (obtained out-of-band during an interactive consent). The enclave exchanges
+// it for an access_token on cache miss.
+//
+// Important: if the IdP rotates refresh tokens on each exchange, the enclave
+// cannot persist the new refresh_token back to Vault. Disable refresh-token
+// rotation at the IdP, or prefer client_credentials where possible.
+message OAuth2RefreshToken {
+ string token_url = 1; // required, must be https://
+ string refresh_token_secret_name = 2; // required
+ string client_id_secret_name = 3; // optional (some IdPs require)
+ string client_secret_secret_name = 4; // optional (some IdPs require)
+ repeated string scopes = 5; // optional
+ map extra_params = 6;
 }
 
 service Client {
diff --git a/cre/go/installer/pkg/embedded_gen.go b/cre/go/installer/pkg/embedded_gen.go
index c52246cd..a475a6ef 100755
--- a/cre/go/installer/pkg/embedded_gen.go
+++ b/cre/go/installer/pkg/embedded_gen.go
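Review bot: The fields whose comments promise a non-empty default — `value_prefix` in BearerAuth ("Bearer "), `signature_header`, `timestamp_header` and `encoding` in HmacSha256, `client_auth_method` in OAuth2ClientCredentials — are plain proto3 strings with implicit presence, so a caller cannot distinguish "unset, apply the default" from a deliberate empty value (a raw token with no "Bearer " prefix, for instance); declare them `optional string value_prefix = 3; // unset => "Bearer ", "" => no prefix` now while the package is still v1alpha, since adding `optional` later is source-breaking for generated code. The closed vocabularies should be enums rather than free strings so an unrecognised value is rejected by the validator instead of being interpreted inside the enclave, e.g. `enum Encoding { ENCODING_UNSPECIFIED = 0; ENCODING_HEX = 1; ENCODING_BASE64 = 2; }`, and for the same reason `HmacCustom.Hash` should not give business meaning to zero (`HASH_UNSPECIFIED = 0; HASH_SHA256 = 1; HASH_SHA512 = 2;`). The OAuth2ClientCredentials comment says the access_token is cached per (workflow_owner, token_url, client_id, scopes), but `audience` and `extra_params` also change what the IdP issues, so either fold them into the cache key or document that they are deliberately excluded — otherwise a token minted for one audience can be reused for a request meant for another. `token_url` is the destination the enclave POSTs the value behind `client_secret_secret_name` to, so "must be https://" belongs in the same validator that enforces the vault_don_secrets rule, and the comment should say whether token_url is subject to the same egress policy as `request`. Minor: the `signed_headers` comment says "comma-separated" while the field is `repeated string` and the example default uses semicolons; `// One lowercase header name per element, e.g. ["host", "x-amz-date"].` matches the field type.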
@@ -711,6 +711,148 @@ message HTTPResponse { message ConfidentialHTTPRequest { repeated SecretIdentifier vault_don_secrets = 1; HTTPRequest request = 2; + // auth, when set, instructs the enclave to sign the outbound request using + // the specified method. Every secret_name referenced inside AuthConfig must + // also appear in vault_don_secrets (enforced by the capability validator). + // When auth is nil, the request is sent with only the headers/body the + // caller provided — preserving the legacy "{{.SECRET_NAME}}" header-template + // behavior. + optional AuthConfig auth = 3; +} + +// AuthConfig selects one of the supported request-signing methods. +// Each variant carries the method-specific parameters and references +// the names of the Vault-DON secrets it needs. +message AuthConfig { + oneof method { + ApiKeyAuth api_key = 1; + BasicAuth basic = 2; + BearerAuth bearer = 3; + HmacAuth hmac = 4; + OAuth2Auth oauth2 = 5; + } +} + +// ApiKeyAuth attaches a secret value to a chosen header. +// Renders as: : +// Example (header_name="x-api-key", secret_name="coingecko", value_prefix=""): +// x-api-key: +message ApiKeyAuth { + string header_name = 1; // required, e.g. "x-api-key", "Authorization" + string secret_name = 2; // required; key into ConfidentialHTTPRequest.vault_don_secrets + string value_prefix = 3; // optional, e.g. "ApiKey ", "Token " +} + +// BasicAuth renders: Authorization: Basic base64(username ":" password). +message BasicAuth { + string username_secret_name = 1; // required + string password_secret_name = 2; // required +} + +// BearerAuth attaches a pre-issued long-lived token. +// Default behavior: Authorization: Bearer +// header_name and value_prefix allow rare overrides (e.g. GitHub's +// "Authorization: token "). 
+message BearerAuth { + string token_secret_name = 1; // required + string header_name = 2; // optional override, default "Authorization" + string value_prefix = 3; // optional override, default "Bearer " +} + +// HmacAuth groups all HMAC-family signing variants. +message HmacAuth { + oneof variant { + HmacSha256 sha256 = 1; + AwsSigV4 aws_sig_v4 = 2; + HmacCustom custom = 3; + } +} + +// HmacSha256 implements a generic canonical-string HMAC-SHA256 signature. +// Canonical string: method "\n" url "\n" sha256(body) "\n" timestamp +// Signature is attached via signature_header, timestamp via timestamp_header. +message HmacSha256 { + string secret_name = 1; // required shared secret + string signature_header = 2; // default "X-Signature" + string timestamp_header = 3; // default "X-Timestamp" + bool include_query = 4; // if true, include the query string in the canonical url + string encoding = 5; // "hex" (default) or "base64" +} + +// AwsSigV4 implements AWS Signature Version 4. +// Uses github.com/aws/aws-sdk-go-v2/aws/signer/v4 under the hood. +message AwsSigV4 { + string access_key_id_secret_name = 1; // required + string secret_access_key_secret_name = 2; // required + string session_token_secret_name = 3; // optional (for STS creds) + string region = 4; // required, e.g. "us-east-1" + string service = 5; // required, e.g. "execute-api", "s3" + // Signed headers (comma-separated lowercase). Optional; defaults to + // "host;x-amz-date" plus "x-amz-security-token" if session_token_secret_name + // is set. + repeated string signed_headers = 6; + // If true, uses X-Amz-Content-Sha256: UNSIGNED-PAYLOAD (useful for large S3 + // uploads). Default false. + bool unsigned_payload = 7; +} + +// HmacCustom lets workflow authors specify the canonical string via a +// Go text/template string. 
Available template vars: +// {{.method}} {{.url}} {{.path}} {{.query}} {{.body}} {{.body_sha256}} +// {{.timestamp}} {{.nonce}} {{header "X-Foo"}} +message HmacCustom { + string secret_name = 1; // required + string canonical_template = 2; // required + enum Hash { HASH_SHA256 = 0; HASH_SHA512 = 1; } + Hash hash = 3; + string signature_header = 4; // required + string signature_prefix = 5; // e.g. "HMAC-SHA256 " + string timestamp_header = 6; // optional; if set, timestamp header injected + string nonce_header = 7; // optional; if set, random nonce header injected + string encoding = 8; // "hex" (default) or "base64" +} + +// OAuth2Auth groups headless OAuth 2.0 flows. +// Interactive flows (Authorization Code, PKCE, Device Code) are NOT supported — +// they require browser consent that a headless TEE cannot perform. +message OAuth2Auth { + oneof variant { + OAuth2ClientCredentials client_credentials = 1; + OAuth2RefreshToken refresh_token = 2; + } +} + +// OAuth2ClientCredentials: machine-to-machine grant. +// The enclave POSTs to token_url with client_id/client_secret, caches the +// resulting access_token per (workflow_owner, token_url, client_id, scopes), +// and attaches "Authorization: Bearer " to the outbound request. +message OAuth2ClientCredentials { + string token_url = 1; // required, must be https:// + string client_id_secret_name = 2; // required + string client_secret_secret_name = 3; // required + repeated string scopes = 4; // optional + string audience = 5; // optional (Auth0-style) + // "basic_auth" (default) or "request_body" — where to put client creds + // on the token request. + string client_auth_method = 6; + // Extra form params to send with the token request. + map extra_params = 7; +} + +// OAuth2RefreshToken: the workflow stores a long-lived refresh_token in Vault +// (obtained out-of-band during an interactive consent). The enclave exchanges +// it for an access_token on cache miss. 
+// +// Important: if the IdP rotates refresh tokens on each exchange, the enclave +// cannot persist the new refresh_token back to Vault. Disable refresh-token +// rotation at the IdP, or prefer client_credentials where possible. +message OAuth2RefreshToken { + string token_url = 1; // required, must be https:// + string refresh_token_secret_name = 2; // required + string client_id_secret_name = 3; // optional (some IdPs require) + string client_secret_secret_name = 4; // optional (some IdPs require) + repeated string scopes = 5; // optional + map extra_params = 6; } service Client { diff --git a/cre/go/sdk/sdk.pb.go b/cre/go/sdk/sdk.pb.go index 3ab84306..a5fc1326 100644 --- a/cre/go/sdk/sdk.pb.go +++ b/cre/go/sdk/sdk.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 +// protoc-gen-go v1.36.11 // protoc v5.29.3 // source: sdk/v1alpha/sdk.proto diff --git a/cre/go/tools/generator/cre_metadata.pb.go b/cre/go/tools/generator/cre_metadata.pb.go index 7026ea3f..c13018c4 100644 --- a/cre/go/tools/generator/cre_metadata.pb.go +++ b/cre/go/tools/generator/cre_metadata.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 +// protoc-gen-go v1.36.11 // protoc v5.29.3 // source: tools/generator/v1alpha/cre_metadata.proto diff --git a/cre/go/values/pb/values.pb.go b/cre/go/values/pb/values.pb.go index 743cba4c..7e8fcb1e 100644 --- a/cre/go/values/pb/values.pb.go +++ b/cre/go/values/pb/values.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.6 +// protoc-gen-go v1.36.11 // protoc v5.29.3 // source: values/v1/values.proto From 42bbf057682bd37e803f712dc4b3489ba20d4891 Mon Sep 17 00:00:00 2001 
From: "app-token-issuer-engops[bot]" <144731339+app-token-issuer-engops[bot]@users.noreply.github.com> Date: Mon, 20 Apr 2026 13:39:26 +0000 Subject: [PATCH 2/2] Auto-fix: buf format, gofmt, go generate, go mod tidy --- .../confidentialhttp/v1alpha/client.proto | 93 ++++++++++--------- cre/go/installer/pkg/embedded_gen.go | 93 ++++++++++--------- cre/go/sdk/sdk.pb.go | 2 +- cre/go/tools/generator/cre_metadata.pb.go | 2 +- cre/go/values/pb/values.pb.go | 2 +- 5 files changed, 99 insertions(+), 93 deletions(-) diff --git a/cre/capabilities/networking/confidentialhttp/v1alpha/client.proto b/cre/capabilities/networking/confidentialhttp/v1alpha/client.proto index 88c02b71..ec01a216 100644 --- a/cre/capabilities/networking/confidentialhttp/v1alpha/client.proto +++ b/cre/capabilities/networking/confidentialhttp/v1alpha/client.proto @@ -75,10 +75,10 @@ message ConfidentialHTTPRequest { message AuthConfig { oneof method { ApiKeyAuth api_key = 1; - BasicAuth basic = 2; - BearerAuth bearer = 3; - HmacAuth hmac = 4; - OAuth2Auth oauth2 = 5; + BasicAuth basic = 2; + BearerAuth bearer = 3; + HmacAuth hmac = 4; + OAuth2Auth oauth2 = 5; } } @@ -87,8 +87,8 @@ message AuthConfig { // Example (header_name="x-api-key", secret_name="coingecko", value_prefix=""): // x-api-key: message ApiKeyAuth { - string header_name = 1; // required, e.g. "x-api-key", "Authorization" - string secret_name = 2; // required; key into ConfidentialHTTPRequest.vault_don_secrets + string header_name = 1; // required, e.g. "x-api-key", "Authorization" + string secret_name = 2; // required; key into ConfidentialHTTPRequest.vault_don_secrets string value_prefix = 3; // optional, e.g. "ApiKey ", "Token " } 
@@ -104,16 +104,16 @@ message BasicAuth { // "Authorization: token "). message BearerAuth { string token_secret_name = 1; // required - string header_name = 2; // optional override, default "Authorization" - string value_prefix = 3; // optional override, default "Bearer " + string header_name = 2; // optional override, default "Authorization" + string value_prefix = 3; // optional override, default "Bearer " } // HmacAuth groups all HMAC-family signing variants. message HmacAuth { oneof variant { - HmacSha256 sha256 = 1; - AwsSigV4 aws_sig_v4 = 2; - HmacCustom custom = 3; + HmacSha256 sha256 = 1; + AwsSigV4 aws_sig_v4 = 2; + HmacCustom custom = 3; } } 
@@ -121,28 +121,28 @@ message HmacAuth { // Canonical string: method "\n" url "\n" sha256(body) "\n" timestamp // Signature is attached via signature_header, timestamp via timestamp_header. message HmacSha256 { - string secret_name = 1; // required shared secret - string signature_header = 2; // default "X-Signature" - string timestamp_header = 3; // default "X-Timestamp" - bool include_query = 4; // if true, include the query string in the canonical url - string encoding = 5; // "hex" (default) or "base64" + string secret_name = 1; // required shared secret + string signature_header = 2; // default "X-Signature" + string timestamp_header = 3; // default "X-Timestamp" + bool include_query = 4; // if true, include the query string in the canonical url + string encoding = 5; // "hex" (default) or "base64" } // AwsSigV4 implements AWS Signature Version 4. // Uses github.com/aws/aws-sdk-go-v2/aws/signer/v4 under the hood. message AwsSigV4 { - string access_key_id_secret_name = 1; // required + string access_key_id_secret_name = 1; // required string secret_access_key_secret_name = 2; // required - string session_token_secret_name = 3; // optional (for STS creds) - string region = 4; // required, e.g. "us-east-1" - string service = 5; // required, e.g. "execute-api", "s3" + string session_token_secret_name = 3; // optional (for STS creds) + string region = 4; // required, e.g. "us-east-1" + string service = 5; // required, e.g. "execute-api", "s3" // Signed headers (comma-separated lowercase). Optional; defaults to // "host;x-amz-date" plus "x-amz-security-token" if session_token_secret_name // is set. - repeated string signed_headers = 6; + repeated string signed_headers = 6; // If true, uses X-Amz-Content-Sha256: UNSIGNED-PAYLOAD (useful for large S3 // uploads). Default false. - bool unsigned_payload = 7; + bool unsigned_payload = 7; } // HmacCustom lets workflow authors specify the canonical string via a 
@@ -150,15 +150,18 @@ message AwsSigV4 { // {{.method}} {{.url}} {{.path}} {{.query}} {{.body}} {{.body_sha256}} // {{.timestamp}} {{.nonce}} {{header "X-Foo"}} message HmacCustom { - string secret_name = 1; // required - string canonical_template = 2; // required - enum Hash { HASH_SHA256 = 0; HASH_SHA512 = 1; } - Hash hash = 3; - string signature_header = 4; // required - string signature_prefix = 5; // e.g. "HMAC-SHA256 " - string timestamp_header = 6; // optional; if set, timestamp header injected - string nonce_header = 7; // optional; if set, random nonce header injected - string encoding = 8; // "hex" (default) or "base64" + string secret_name = 1; // required + string canonical_template = 2; // required + enum Hash { + HASH_SHA256 = 0; + HASH_SHA512 = 1; + } + Hash hash = 3; + string signature_header = 4; // required + string signature_prefix = 5; // e.g. "HMAC-SHA256 " + string timestamp_header = 6; // optional; if set, timestamp header injected + string nonce_header = 7; // optional; if set, random nonce header injected + string encoding = 8; // "hex" (default) or "base64" } // OAuth2Auth groups headless OAuth 2.0 flows. @@ -167,7 +170,7 @@ message HmacCustom { message OAuth2Auth { oneof variant { OAuth2ClientCredentials client_credentials = 1; - OAuth2RefreshToken refresh_token = 2; + OAuth2RefreshToken refresh_token = 2; } } 
@@ -176,16 +179,16 @@ message OAuth2Auth { // resulting access_token per (workflow_owner, token_url, client_id, scopes), // and attaches "Authorization: Bearer " to the outbound request. message OAuth2ClientCredentials { - string token_url = 1; // required, must be https:// - string client_id_secret_name = 2; // required - string client_secret_secret_name = 3; // required - repeated string scopes = 4; // optional - string audience = 5; // optional (Auth0-style) + string token_url = 1; // required, must be https:// + string client_id_secret_name = 2; // required + string client_secret_secret_name = 3; // required + repeated string scopes = 4; // optional + string audience = 5; // optional (Auth0-style) // "basic_auth" (default) or "request_body" — where to put client creds // on the token request. - string client_auth_method = 6; + string client_auth_method = 6; // Extra form params to send with the token request. - map extra_params = 7; + map extra_params = 7; } // OAuth2RefreshToken: the workflow stores a long-lived refresh_token in Vault @@ -196,12 +199,12 @@ message OAuth2ClientCredentials { // cannot persist the new refresh_token back to Vault. Disable refresh-token // rotation at the IdP, or prefer client_credentials where possible. message OAuth2RefreshToken { - string token_url = 1; // required, must be https:// - string refresh_token_secret_name = 2; // required - string client_id_secret_name = 3; // optional (some IdPs require) - string client_secret_secret_name = 4; // optional (some IdPs require) - repeated string scopes = 5; // optional - map extra_params = 6; + string token_url = 1; // required, must be https:// + string refresh_token_secret_name = 2; // required + string client_id_secret_name = 3; // optional (some IdPs require) + string client_secret_secret_name = 4; // optional (some IdPs require) + repeated string scopes = 5; // optional + map extra_params = 6; } service Client { 
diff --git a/cre/go/installer/pkg/embedded_gen.go b/cre/go/installer/pkg/embedded_gen.go index a475a6ef..8808421e 100755 --- a/cre/go/installer/pkg/embedded_gen.go +++ b/cre/go/installer/pkg/embedded_gen.go @@ -726,10 +726,10 @@ message ConfidentialHTTPRequest { message AuthConfig { oneof method { ApiKeyAuth api_key = 1; - BasicAuth basic = 2; - BearerAuth bearer = 3; - HmacAuth hmac = 4; - OAuth2Auth oauth2 = 5; + BasicAuth basic = 2; + BearerAuth bearer = 3; + HmacAuth hmac = 4; + OAuth2Auth oauth2 = 5; } } @@ -738,8 +738,8 @@ message AuthConfig { // Example (header_name="x-api-key", secret_name="coingecko", value_prefix=""): // x-api-key: message ApiKeyAuth { - string header_name = 1; // required, e.g. "x-api-key", "Authorization" - string secret_name = 2; // required; key into ConfidentialHTTPRequest.vault_don_secrets + string header_name = 1; // required, e.g. "x-api-key", "Authorization" + string secret_name = 2; // required; key into ConfidentialHTTPRequest.vault_don_secrets string value_prefix = 3; // optional, e.g. "ApiKey ", "Token " } @@ -755,16 +755,16 @@ message BasicAuth { // "Authorization: token "). message BearerAuth { string token_secret_name = 1; // required - string header_name = 2; // optional override, default "Authorization" - string value_prefix = 3; // optional override, default "Bearer " + string header_name = 2; // optional override, default "Authorization" + string value_prefix = 3; // optional override, default "Bearer " } // HmacAuth groups all HMAC-family signing variants. message HmacAuth { oneof variant { - HmacSha256 sha256 = 1; - AwsSigV4 aws_sig_v4 = 2; - HmacCustom custom = 3; + HmacSha256 sha256 = 1; + AwsSigV4 aws_sig_v4 = 2; + HmacCustom custom = 3; } } 
@@ -772,28 +772,28 @@ message HmacAuth { // Canonical string: method "\n" url "\n" sha256(body) "\n" timestamp // Signature is attached via signature_header, timestamp via timestamp_header. message HmacSha256 { - string secret_name = 1; // required shared secret - string signature_header = 2; // default "X-Signature" - string timestamp_header = 3; // default "X-Timestamp" - bool include_query = 4; // if true, include the query string in the canonical url - string encoding = 5; // "hex" (default) or "base64" + string secret_name = 1; // required shared secret + string signature_header = 2; // default "X-Signature" + string timestamp_header = 3; // default "X-Timestamp" + bool include_query = 4; // if true, include the query string in the canonical url + string encoding = 5; // "hex" (default) or "base64" } // AwsSigV4 implements AWS Signature Version 4. // Uses github.com/aws/aws-sdk-go-v2/aws/signer/v4 under the hood. message AwsSigV4 { - string access_key_id_secret_name = 1; // required + string access_key_id_secret_name = 1; // required string secret_access_key_secret_name = 2; // required - string session_token_secret_name = 3; // optional (for STS creds) - string region = 4; // required, e.g. "us-east-1" - string service = 5; // required, e.g. "execute-api", "s3" + string session_token_secret_name = 3; // optional (for STS creds) + string region = 4; // required, e.g. "us-east-1" + string service = 5; // required, e.g. "execute-api", "s3" // Signed headers (comma-separated lowercase). Optional; defaults to // "host;x-amz-date" plus "x-amz-security-token" if session_token_secret_name // is set. - repeated string signed_headers = 6; + repeated string signed_headers = 6; // If true, uses X-Amz-Content-Sha256: UNSIGNED-PAYLOAD (useful for large S3 // uploads). Default false. - bool unsigned_payload = 7; + bool unsigned_payload = 7; } // HmacCustom lets workflow authors specify the canonical string via a 
@@ -801,15 +801,18 @@ message AwsSigV4 { // {{.method}} {{.url}} {{.path}} {{.query}} {{.body}} {{.body_sha256}} // {{.timestamp}} {{.nonce}} {{header "X-Foo"}} message HmacCustom { - string secret_name = 1; // required - string canonical_template = 2; // required - enum Hash { HASH_SHA256 = 0; HASH_SHA512 = 1; } - Hash hash = 3; - string signature_header = 4; // required - string signature_prefix = 5; // e.g. "HMAC-SHA256 " - string timestamp_header = 6; // optional; if set, timestamp header injected - string nonce_header = 7; // optional; if set, random nonce header injected - string encoding = 8; // "hex" (default) or "base64" + string secret_name = 1; // required + string canonical_template = 2; // required + enum Hash { + HASH_SHA256 = 0; + HASH_SHA512 = 1; + } + Hash hash = 3; + string signature_header = 4; // required + string signature_prefix = 5; // e.g. "HMAC-SHA256 " + string timestamp_header = 6; // optional; if set, timestamp header injected + string nonce_header = 7; // optional; if set, random nonce header injected + string encoding = 8; // "hex" (default) or "base64" } // OAuth2Auth groups headless OAuth 2.0 flows. @@ -818,7 +821,7 @@ message HmacCustom { message OAuth2Auth { oneof variant { OAuth2ClientCredentials client_credentials = 1; - OAuth2RefreshToken refresh_token = 2; + OAuth2RefreshToken refresh_token = 2; } } 
@@ -827,16 +830,16 @@ message OAuth2Auth { // resulting access_token per (workflow_owner, token_url, client_id, scopes), // and attaches "Authorization: Bearer " to the outbound request. message OAuth2ClientCredentials { - string token_url = 1; // required, must be https:// - string client_id_secret_name = 2; // required - string client_secret_secret_name = 3; // required - repeated string scopes = 4; // optional - string audience = 5; // optional (Auth0-style) + string token_url = 1; // required, must be https:// + string client_id_secret_name = 2; // required + string client_secret_secret_name = 3; // required + repeated string scopes = 4; // optional + string audience = 5; // optional (Auth0-style) // "basic_auth" (default) or "request_body" — where to put client creds // on the token request. - string client_auth_method = 6; + string client_auth_method = 6; // Extra form params to send with the token request. - map extra_params = 7; + map extra_params = 7; } // OAuth2RefreshToken: the workflow stores a long-lived refresh_token in Vault @@ -847,12 +850,12 @@ message OAuth2ClientCredentials { // cannot persist the new refresh_token back to Vault. Disable refresh-token // rotation at the IdP, or prefer client_credentials where possible. message OAuth2RefreshToken { - string token_url = 1; // required, must be https:// - string refresh_token_secret_name = 2; // required - string client_id_secret_name = 3; // optional (some IdPs require) - string client_secret_secret_name = 4; // optional (some IdPs require) - repeated string scopes = 5; // optional - map extra_params = 6; + string token_url = 1; // required, must be https:// + string refresh_token_secret_name = 2; // required + string client_id_secret_name = 3; // optional (some IdPs require) + string client_secret_secret_name = 4; // optional (some IdPs require) + repeated string scopes = 5; // optional + map extra_params = 6; } service Client { 
diff --git a/cre/go/sdk/sdk.pb.go b/cre/go/sdk/sdk.pb.go index a5fc1326..3ab84306 100644 --- a/cre/go/sdk/sdk.pb.go +++ b/cre/go/sdk/sdk.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.11 +// protoc-gen-go v1.36.6 // protoc v5.29.3 // source: sdk/v1alpha/sdk.proto diff --git a/cre/go/tools/generator/cre_metadata.pb.go b/cre/go/tools/generator/cre_metadata.pb.go index c13018c4..7026ea3f 100644 --- a/cre/go/tools/generator/cre_metadata.pb.go +++ b/cre/go/tools/generator/cre_metadata.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.11 +// protoc-gen-go v1.36.6 // protoc v5.29.3 // source: tools/generator/v1alpha/cre_metadata.proto diff --git a/cre/go/values/pb/values.pb.go b/cre/go/values/pb/values.pb.go index 7e8fcb1e..743cba4c 100644 --- a/cre/go/values/pb/values.pb.go +++ b/cre/go/values/pb/values.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.11 +// protoc-gen-go v1.36.6 // protoc v5.29.3 // source: values/v1/values.proto