From 2bb1581d623ed859e0a183b29620c6c7f5925961 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20Gro=C3=9Fmann?= Date: Thu, 16 Jul 2026 16:34:52 +0200 Subject: [PATCH] feat(accesscontrol): add access control API for secret resolution MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add accesscontrol.v1.AccessControlService with a CheckAccess RPC to be called for every GetSecrets request. The request carries the resolver pattern plus the requesting process context (Requester), including platform-specific code-signing info via a oneof: - DarwinSigningInfo: macOS SecCode* identity (team ID, identifier, CD hash) and the raw dynamic status bitmask. - WindowsSigningInfo: Authenticode signature identity, EV flag, mandatory integrity level, and (untrusted) PE version metadata. - LinuxSigningInfo: sigstore Fulcio identity/provenance and Rekor transparency-log inclusion, one entry per signer. The response is a DENY/ALLOW Decision with DENY as the zero value, so an unset, empty, or truncated response denies access — the gate is fail-closed by construction rather than by caller discipline. This requires a buf:lint:ignore for ENUM_ZERO_VALUE_SUFFIX, since the safe default takes precedence over the naming convention. --- .../v1/accesscontrolv1connect/api.connect.go | 114 + x/api/accesscontrol/v1/api.pb.go | 1891 +++++++++++++++++ x/api/accesscontrol/v1/api.proto | 208 ++ 3 files changed, 2213 insertions(+) create mode 100644 x/api/accesscontrol/v1/accesscontrolv1connect/api.connect.go create mode 100644 x/api/accesscontrol/v1/api.pb.go create mode 100644 x/api/accesscontrol/v1/api.proto diff --git a/x/api/accesscontrol/v1/accesscontrolv1connect/api.connect.go b/x/api/accesscontrol/v1/accesscontrolv1connect/api.connect.go new file mode 100644 index 00000000..817ba2cb --- /dev/null +++ b/x/api/accesscontrol/v1/accesscontrolv1connect/api.connect.go @@ -0,0 +1,114 @@ +// Code generated by protoc-gen-connect-go. DO NOT EDIT. +// +// Source: accesscontrol/v1/api.proto + +package accesscontrolv1connect + +import ( + connect "connectrpc.com/connect" + context "context" + errors "errors" + v1 "github.com/docker/secrets-engine/x/api/accesscontrol/v1" + http "net/http" + strings "strings" +) + +// This is a compile-time assertion to ensure that this generated file and the connect package are +// compatible. If you get a compiler error that this constant is not defined, this code was +// generated with a version of connect newer than the one compiled into your binary. You can fix the +// problem by either regenerating this code with an older version of connect or updating the connect +// version compiled into your binary. +const _ = connect.IsAtLeastVersion1_13_0 + +const ( + // AccessControlServiceName is the fully-qualified name of the AccessControlService service. + AccessControlServiceName = "accesscontrol.v1.AccessControlService" +) + +// These constants are the fully-qualified names of the RPCs defined in this package. They're +// exposed at runtime as Spec.Procedure and as the final two segments of the HTTP route. +// +// Note that these are different from the fully-qualified method names used by +// google.golang.org/protobuf/reflect/protoreflect. To convert from these constants to +// reflection-formatted method names, remove the leading slash and convert the remaining slash to a +// period. +const ( + // AccessControlServiceCheckAccessProcedure is the fully-qualified name of the + // AccessControlService's CheckAccess RPC. + AccessControlServiceCheckAccessProcedure = "/accesscontrol.v1.AccessControlService/CheckAccess" +) + +// AccessControlServiceClient is a client for the accesscontrol.v1.AccessControlService service. +type AccessControlServiceClient interface { + // CheckAccess decides whether a requesting process may resolve the + // secrets matched by the query. Called for every GetSecrets request. + CheckAccess(context.Context, *connect.Request[v1.CheckAccessRequest]) (*connect.Response[v1.CheckAccessResponse], error) +} + +// NewAccessControlServiceClient constructs a client for the accesscontrol.v1.AccessControlService +// service. By default, it uses the Connect protocol with the binary Protobuf Codec, asks for +// gzipped responses, and sends uncompressed requests. To use the gRPC or gRPC-Web protocols, supply +// the connect.WithGRPC() or connect.WithGRPCWeb() options. +// +// The URL supplied here should be the base URL for the Connect or gRPC server (for example, +// http://api.acme.com or https://acme.com/grpc). +func NewAccessControlServiceClient(httpClient connect.HTTPClient, baseURL string, opts ...connect.ClientOption) AccessControlServiceClient { + baseURL = strings.TrimRight(baseURL, "/") + accessControlServiceMethods := v1.File_accesscontrol_v1_api_proto.Services().ByName("AccessControlService").Methods() + return &accessControlServiceClient{ + checkAccess: connect.NewClient[v1.CheckAccessRequest, v1.CheckAccessResponse]( + httpClient, + baseURL+AccessControlServiceCheckAccessProcedure, + connect.WithSchema(accessControlServiceMethods.ByName("CheckAccess")), + connect.WithClientOptions(opts...), + ), + } +} + +// accessControlServiceClient implements AccessControlServiceClient. +type accessControlServiceClient struct { + checkAccess *connect.Client[v1.CheckAccessRequest, v1.CheckAccessResponse] +} + +// CheckAccess calls accesscontrol.v1.AccessControlService.CheckAccess. +func (c *accessControlServiceClient) CheckAccess(ctx context.Context, req *connect.Request[v1.CheckAccessRequest]) (*connect.Response[v1.CheckAccessResponse], error) { + return c.checkAccess.CallUnary(ctx, req) +} + +// AccessControlServiceHandler is an implementation of the accesscontrol.v1.AccessControlService +// service. +type AccessControlServiceHandler interface { + // CheckAccess decides whether a requesting process may resolve the + // secrets matched by the query. Called for every GetSecrets request. + CheckAccess(context.Context, *connect.Request[v1.CheckAccessRequest]) (*connect.Response[v1.CheckAccessResponse], error) +} + +// NewAccessControlServiceHandler builds an HTTP handler from the service implementation. It returns +// the path on which to mount the handler and the handler itself. +// +// By default, handlers support the Connect, gRPC, and gRPC-Web protocols with the binary Protobuf +// and JSON codecs. They also support gzip compression. +func NewAccessControlServiceHandler(svc AccessControlServiceHandler, opts ...connect.HandlerOption) (string, http.Handler) { + accessControlServiceMethods := v1.File_accesscontrol_v1_api_proto.Services().ByName("AccessControlService").Methods() + accessControlServiceCheckAccessHandler := connect.NewUnaryHandler( + AccessControlServiceCheckAccessProcedure, + svc.CheckAccess, + connect.WithSchema(accessControlServiceMethods.ByName("CheckAccess")), + connect.WithHandlerOptions(opts...), + ) + return "/accesscontrol.v1.AccessControlService/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + switch r.URL.Path { + case AccessControlServiceCheckAccessProcedure: + accessControlServiceCheckAccessHandler.ServeHTTP(w, r) + default: + http.NotFound(w, r) + } + }) +} + +// UnimplementedAccessControlServiceHandler returns CodeUnimplemented from all methods. +type UnimplementedAccessControlServiceHandler struct{} + +func (UnimplementedAccessControlServiceHandler) CheckAccess(context.Context, *connect.Request[v1.CheckAccessRequest]) (*connect.Response[v1.CheckAccessResponse], error) { + return nil, connect.NewError(connect.CodeUnimplemented, errors.New("accesscontrol.v1.AccessControlService.CheckAccess is not implemented")) +} diff --git a/x/api/accesscontrol/v1/api.pb.go b/x/api/accesscontrol/v1/api.pb.go new file mode 100644 index 00000000..2dce6031 --- /dev/null +++ b/x/api/accesscontrol/v1/api.pb.go @@ -0,0 +1,1891 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.7 +// protoc (unknown) +// source: accesscontrol/v1/api.proto + +package accesscontrolv1 + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + timestamppb "google.golang.org/protobuf/types/known/timestamppb" + reflect "reflect" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type Decision int32 + +const ( + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX + Decision_DECISION_DENY Decision = 0 + Decision_DECISION_ALLOW Decision = 1 +) + +// Enum value maps for Decision. +var ( + Decision_name = map[int32]string{ + 0: "DECISION_DENY", + 1: "DECISION_ALLOW", + } + Decision_value = map[string]int32{ + "DECISION_DENY": 0, + "DECISION_ALLOW": 1, + } +) + +func (x Decision) Enum() *Decision { + p := new(Decision) + *p = x + return p +} + +func (x Decision) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (Decision) Descriptor() protoreflect.EnumDescriptor { + return file_accesscontrol_v1_api_proto_enumTypes[0].Descriptor() +} + +func (Decision) Type() protoreflect.EnumType { + return &file_accesscontrol_v1_api_proto_enumTypes[0] +} + +func (x Decision) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// IntegrityLevel is a Windows mandatory integrity level, ordered so higher +// values denote a more privileged context (mirrors winnt.h RIDs). +type WindowsSigningInfo_IntegrityLevel int32 + +const ( + // SECURITY_MANDATORY_UNTRUSTED_RID (0x0000). Also the value used when the + // integrity level could not be determined. + WindowsSigningInfo_INTEGRITY_LEVEL_UNSPECIFIED WindowsSigningInfo_IntegrityLevel = 0 + // SECURITY_MANDATORY_LOW_RID (0x1000), e.g. AppContainer/sandboxed. + WindowsSigningInfo_INTEGRITY_LEVEL_LOW WindowsSigningInfo_IntegrityLevel = 4096 + // SECURITY_MANDATORY_MEDIUM_RID (0x2000), default for standard user procs. + WindowsSigningInfo_INTEGRITY_LEVEL_MEDIUM WindowsSigningInfo_IntegrityLevel = 8192 + // SECURITY_MANDATORY_HIGH_RID (0x3000), e.g. elevated (administrator). + WindowsSigningInfo_INTEGRITY_LEVEL_HIGH WindowsSigningInfo_IntegrityLevel = 12288 + // SECURITY_MANDATORY_SYSTEM_RID (0x4000), e.g. services running as SYSTEM. + WindowsSigningInfo_INTEGRITY_LEVEL_SYSTEM WindowsSigningInfo_IntegrityLevel = 16384 +) + +// Enum value maps for WindowsSigningInfo_IntegrityLevel. +var ( + WindowsSigningInfo_IntegrityLevel_name = map[int32]string{ + 0: "INTEGRITY_LEVEL_UNSPECIFIED", + 4096: "INTEGRITY_LEVEL_LOW", + 8192: "INTEGRITY_LEVEL_MEDIUM", + 12288: "INTEGRITY_LEVEL_HIGH", + 16384: "INTEGRITY_LEVEL_SYSTEM", + } + WindowsSigningInfo_IntegrityLevel_value = map[string]int32{ + "INTEGRITY_LEVEL_UNSPECIFIED": 0, + "INTEGRITY_LEVEL_LOW": 4096, + "INTEGRITY_LEVEL_MEDIUM": 8192, + "INTEGRITY_LEVEL_HIGH": 12288, + "INTEGRITY_LEVEL_SYSTEM": 16384, + } +) + +func (x WindowsSigningInfo_IntegrityLevel) Enum() *WindowsSigningInfo_IntegrityLevel { + p := new(WindowsSigningInfo_IntegrityLevel) + *p = x + return p +} + +func (x WindowsSigningInfo_IntegrityLevel) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (WindowsSigningInfo_IntegrityLevel) Descriptor() protoreflect.EnumDescriptor { + return file_accesscontrol_v1_api_proto_enumTypes[1].Descriptor() +} + +func (WindowsSigningInfo_IntegrityLevel) Type() protoreflect.EnumType { + return &file_accesscontrol_v1_api_proto_enumTypes[1] +} + +func (x WindowsSigningInfo_IntegrityLevel) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +type CheckAccessRequest struct { + state protoimpl.MessageState `protogen:"opaque.v1"` + xxx_hidden_Pattern *string `protobuf:"bytes,1,opt,name=pattern"` + xxx_hidden_Requester *Requester `protobuf:"bytes,2,opt,name=requester"` + XXX_raceDetectHookData protoimpl.RaceDetectHookData + XXX_presence [1]uint32 + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *CheckAccessRequest) Reset() { + *x = CheckAccessRequest{} + mi := &file_accesscontrol_v1_api_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *CheckAccessRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CheckAccessRequest) ProtoMessage() {} + +func (x *CheckAccessRequest) ProtoReflect() protoreflect.Message { + mi := &file_accesscontrol_v1_api_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +func (x *CheckAccessRequest) GetPattern() string { + if x != nil { + if x.xxx_hidden_Pattern != nil { + return *x.xxx_hidden_Pattern + } + return "" + } + return "" +} + +func (x *CheckAccessRequest) GetRequester() *Requester { + if x != nil { + return x.xxx_hidden_Requester + } + return nil +} + +func (x *CheckAccessRequest) SetPattern(v string) { + x.xxx_hidden_Pattern = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 0, 2) +} + +func (x *CheckAccessRequest) SetRequester(v *Requester) { + x.xxx_hidden_Requester = v +} + +func (x *CheckAccessRequest) HasPattern() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 0) +} + +func (x *CheckAccessRequest) HasRequester() bool { + if x == nil { + return false + } + return x.xxx_hidden_Requester != nil +} + +func (x *CheckAccessRequest) ClearPattern() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 0) + x.xxx_hidden_Pattern = nil +} + +func (x *CheckAccessRequest) ClearRequester() { + x.xxx_hidden_Requester = nil +} + +type CheckAccessRequest_builder struct { + _ [0]func() // Prevents comparability and use of unkeyed literals for the builder. + + // What the caller is trying to resolve — mirrors the resolver pattern. + Pattern *string + // Identity/context of the process making the request. + Requester *Requester +} + +func (b0 CheckAccessRequest_builder) Build() *CheckAccessRequest { + m0 := &CheckAccessRequest{} + b, x := &b0, m0 + _, _ = b, x + if b.Pattern != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 0, 2) + x.xxx_hidden_Pattern = b.Pattern + } + x.xxx_hidden_Requester = b.Requester + return m0 +} + +// Requester mirrors runtime procinfo.Details: the verified context of the +// peer process asking for secrets. +type Requester struct { + state protoimpl.MessageState `protogen:"opaque.v1"` + xxx_hidden_Pid int32 `protobuf:"varint,1,opt,name=pid"` + xxx_hidden_Name *string `protobuf:"bytes,2,opt,name=name"` + xxx_hidden_AbsoluteBinaryPath *string `protobuf:"bytes,3,opt,name=absolute_binary_path,json=absoluteBinaryPath"` + xxx_hidden_SignedByDocker bool `protobuf:"varint,4,opt,name=signed_by_docker,json=signedByDocker"` + xxx_hidden_SigningInfo isRequester_SigningInfo `protobuf_oneof:"signing_info"` + XXX_raceDetectHookData protoimpl.RaceDetectHookData + XXX_presence [1]uint32 + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *Requester) Reset() { + *x = Requester{} + mi := &file_accesscontrol_v1_api_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *Requester) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Requester) ProtoMessage() {} + +func (x *Requester) ProtoReflect() protoreflect.Message { + mi := &file_accesscontrol_v1_api_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +func (x *Requester) GetPid() int32 { + if x != nil { + return x.xxx_hidden_Pid + } + return 0 +} + +func (x *Requester) GetName() string { + if x != nil { + if x.xxx_hidden_Name != nil { + return *x.xxx_hidden_Name + } + return "" + } + return "" +} + +func (x *Requester) GetAbsoluteBinaryPath() string { + if x != nil { + if x.xxx_hidden_AbsoluteBinaryPath != nil { + return *x.xxx_hidden_AbsoluteBinaryPath + } + return "" + } + return "" +} + +func (x *Requester) GetSignedByDocker() bool { + if x != nil { + return x.xxx_hidden_SignedByDocker + } + return false +} + +func (x *Requester) GetDarwin() *DarwinSigningInfo { + if x != nil { + if x, ok := x.xxx_hidden_SigningInfo.(*requester_Darwin); ok { + return x.Darwin + } + } + return nil +} + +func (x *Requester) GetWindows() *WindowsSigningInfo { + if x != nil { + if x, ok := x.xxx_hidden_SigningInfo.(*requester_Windows); ok { + return x.Windows + } + } + return nil +} + +func (x *Requester) GetLinux() *LinuxSigningInfo { + if x != nil { + if x, ok := x.xxx_hidden_SigningInfo.(*requester_Linux); ok { + return x.Linux + } + } + return nil +} + +func (x *Requester) SetPid(v int32) { + x.xxx_hidden_Pid = v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 0, 5) +} + +func (x *Requester) SetName(v string) { + x.xxx_hidden_Name = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 1, 5) +} + +func (x *Requester) SetAbsoluteBinaryPath(v string) { + x.xxx_hidden_AbsoluteBinaryPath = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 2, 5) +} + +func (x *Requester) SetSignedByDocker(v bool) { + x.xxx_hidden_SignedByDocker = v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 3, 5) +} + +func (x *Requester) SetDarwin(v *DarwinSigningInfo) { + if v == nil { + x.xxx_hidden_SigningInfo = nil + return + } + x.xxx_hidden_SigningInfo = &requester_Darwin{v} +} + +func (x *Requester) SetWindows(v *WindowsSigningInfo) { + if v == nil { + x.xxx_hidden_SigningInfo = nil + return + } + x.xxx_hidden_SigningInfo = &requester_Windows{v} +} + +func (x *Requester) SetLinux(v *LinuxSigningInfo) { + if v == nil { + x.xxx_hidden_SigningInfo = nil + return + } + x.xxx_hidden_SigningInfo = &requester_Linux{v} +} + +func (x *Requester) HasPid() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 0) +} + +func (x *Requester) HasName() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 1) +} + +func (x *Requester) HasAbsoluteBinaryPath() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 2) +} + +func (x *Requester) HasSignedByDocker() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 3) +} + +func (x *Requester) HasSigningInfo() bool { + if x == nil { + return false + } + return x.xxx_hidden_SigningInfo != nil +} + +func (x *Requester) HasDarwin() bool { + if x == nil { + return false + } + _, ok := x.xxx_hidden_SigningInfo.(*requester_Darwin) + return ok +} + +func (x *Requester) HasWindows() bool { + if x == nil { + return false + } + _, ok := x.xxx_hidden_SigningInfo.(*requester_Windows) + return ok +} + +func (x *Requester) HasLinux() bool { + if x == nil { + return false + } + _, ok := x.xxx_hidden_SigningInfo.(*requester_Linux) + return ok +} + +func (x *Requester) ClearPid() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 0) + x.xxx_hidden_Pid = 0 +} + +func (x *Requester) ClearName() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 1) + x.xxx_hidden_Name = nil +} + +func (x *Requester) ClearAbsoluteBinaryPath() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 2) + x.xxx_hidden_AbsoluteBinaryPath = nil +} + +func (x *Requester) ClearSignedByDocker() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 3) + x.xxx_hidden_SignedByDocker = false +} + +func (x *Requester) ClearSigningInfo() { + x.xxx_hidden_SigningInfo = nil +} + +func (x *Requester) ClearDarwin() { + if _, ok := x.xxx_hidden_SigningInfo.(*requester_Darwin); ok { + x.xxx_hidden_SigningInfo = nil + } +} + +func (x *Requester) ClearWindows() { + if _, ok := x.xxx_hidden_SigningInfo.(*requester_Windows); ok { + x.xxx_hidden_SigningInfo = nil + } +} + +func (x *Requester) ClearLinux() { + if _, ok := x.xxx_hidden_SigningInfo.(*requester_Linux); ok { + x.xxx_hidden_SigningInfo = nil + } +} + +const Requester_SigningInfo_not_set_case case_Requester_SigningInfo = 0 +const Requester_Darwin_case case_Requester_SigningInfo = 5 +const Requester_Windows_case case_Requester_SigningInfo = 6 +const Requester_Linux_case case_Requester_SigningInfo = 7 + +func (x *Requester) WhichSigningInfo() case_Requester_SigningInfo { + if x == nil { + return Requester_SigningInfo_not_set_case + } + switch x.xxx_hidden_SigningInfo.(type) { + case *requester_Darwin: + return Requester_Darwin_case + case *requester_Windows: + return Requester_Windows_case + case *requester_Linux: + return Requester_Linux_case + default: + return Requester_SigningInfo_not_set_case + } +} + +type Requester_builder struct { + _ [0]func() // Prevents comparability and use of unkeyed literals for the builder. + + // OS process ID of the caller. + Pid *int32 + // Process name. + Name *string + // Absolute path to the caller's binary on disk. + AbsoluteBinaryPath *string + // True if the binary's signature chains to Docker's signing identity. + SignedByDocker *bool + // Platform-specific signing context, set according to the OS the engine + // is running on. Exactly one variant is populated. + + // Fields of oneof xxx_hidden_SigningInfo: + Darwin *DarwinSigningInfo + Windows *WindowsSigningInfo + Linux *LinuxSigningInfo + // -- end of xxx_hidden_SigningInfo +} + +func (b0 Requester_builder) Build() *Requester { + m0 := &Requester{} + b, x := &b0, m0 + _, _ = b, x + if b.Pid != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 0, 5) + x.xxx_hidden_Pid = *b.Pid + } + if b.Name != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 1, 5) + x.xxx_hidden_Name = b.Name + } + if b.AbsoluteBinaryPath != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 2, 5) + x.xxx_hidden_AbsoluteBinaryPath = b.AbsoluteBinaryPath + } + if b.SignedByDocker != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 3, 5) + x.xxx_hidden_SignedByDocker = *b.SignedByDocker + } + if b.Darwin != nil { + x.xxx_hidden_SigningInfo = &requester_Darwin{b.Darwin} + } + if b.Windows != nil { + x.xxx_hidden_SigningInfo = &requester_Windows{b.Windows} + } + if b.Linux != nil { + x.xxx_hidden_SigningInfo = &requester_Linux{b.Linux} + } + return m0 +} + +type case_Requester_SigningInfo protoreflect.FieldNumber + +func (x case_Requester_SigningInfo) String() string { + md := file_accesscontrol_v1_api_proto_msgTypes[1].Descriptor() + if x == 0 { + return "not set" + } + return protoimpl.X.MessageFieldStringOf(md, protoreflect.FieldNumber(x)) +} + +type isRequester_SigningInfo interface { + isRequester_SigningInfo() +} + +type requester_Darwin struct { + Darwin *DarwinSigningInfo `protobuf:"bytes,5,opt,name=darwin,oneof"` +} + +type requester_Windows struct { + Windows *WindowsSigningInfo `protobuf:"bytes,6,opt,name=windows,oneof"` +} + +type requester_Linux struct { + Linux *LinuxSigningInfo `protobuf:"bytes,7,opt,name=linux,oneof"` +} + +func (*requester_Darwin) isRequester_SigningInfo() {} + +func (*requester_Windows) isRequester_SigningInfo() {} + +func (*requester_Linux) isRequester_SigningInfo() {} + +// DarwinSigningInfo carries macOS code-signing context (Security.framework +// SecCode* APIs) for the requesting process. +type DarwinSigningInfo struct { + state protoimpl.MessageState `protogen:"opaque.v1"` + xxx_hidden_TeamId *string `protobuf:"bytes,1,opt,name=team_id,json=teamId"` + xxx_hidden_Identifier *string `protobuf:"bytes,2,opt,name=identifier"` + xxx_hidden_Organization *string `protobuf:"bytes,3,opt,name=organization"` + xxx_hidden_CommonName *string `protobuf:"bytes,4,opt,name=common_name,json=commonName"` + xxx_hidden_CdHash *string `protobuf:"bytes,5,opt,name=cd_hash,json=cdHash"` + xxx_hidden_Status uint32 `protobuf:"varint,6,opt,name=status"` + XXX_raceDetectHookData protoimpl.RaceDetectHookData + XXX_presence [1]uint32 + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *DarwinSigningInfo) Reset() { + *x = DarwinSigningInfo{} + mi := &file_accesscontrol_v1_api_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *DarwinSigningInfo) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DarwinSigningInfo) ProtoMessage() {} + +func (x *DarwinSigningInfo) ProtoReflect() protoreflect.Message { + mi := &file_accesscontrol_v1_api_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +func (x *DarwinSigningInfo) GetTeamId() string { + if x != nil { + if x.xxx_hidden_TeamId != nil { + return *x.xxx_hidden_TeamId + } + return "" + } + return "" +} + +func (x *DarwinSigningInfo) GetIdentifier() string { + if x != nil { + if x.xxx_hidden_Identifier != nil { + return *x.xxx_hidden_Identifier + } + return "" + } + return "" +} + +func (x *DarwinSigningInfo) GetOrganization() string { + if x != nil { + if x.xxx_hidden_Organization != nil { + return *x.xxx_hidden_Organization + } + return "" + } + return "" +} + +func (x *DarwinSigningInfo) GetCommonName() string { + if x != nil { + if x.xxx_hidden_CommonName != nil { + return *x.xxx_hidden_CommonName + } + return "" + } + return "" +} + +func (x *DarwinSigningInfo) GetCdHash() string { + if x != nil { + if x.xxx_hidden_CdHash != nil { + return *x.xxx_hidden_CdHash + } + return "" + } + return "" +} + +func (x *DarwinSigningInfo) GetStatus() uint32 { + if x != nil { + return x.xxx_hidden_Status + } + return 0 +} + +func (x *DarwinSigningInfo) SetTeamId(v string) { + x.xxx_hidden_TeamId = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 0, 6) +} + +func (x *DarwinSigningInfo) SetIdentifier(v string) { + x.xxx_hidden_Identifier = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 1, 6) +} + +func (x *DarwinSigningInfo) SetOrganization(v string) { + x.xxx_hidden_Organization = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 2, 6) +} + +func (x *DarwinSigningInfo) SetCommonName(v string) { + x.xxx_hidden_CommonName = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 3, 6) +} + +func (x *DarwinSigningInfo) SetCdHash(v string) { + x.xxx_hidden_CdHash = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 4, 6) +} + +func (x *DarwinSigningInfo) SetStatus(v uint32) { + x.xxx_hidden_Status = v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 5, 6) +} + +func (x *DarwinSigningInfo) HasTeamId() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 0) +} + +func (x *DarwinSigningInfo) HasIdentifier() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 1) +} + +func (x *DarwinSigningInfo) HasOrganization() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 2) +} + +func (x *DarwinSigningInfo) HasCommonName() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 3) +} + +func (x *DarwinSigningInfo) HasCdHash() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 4) +} + +func (x *DarwinSigningInfo) HasStatus() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 5) +} + +func (x *DarwinSigningInfo) ClearTeamId() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 0) + x.xxx_hidden_TeamId = nil +} + +func (x *DarwinSigningInfo) ClearIdentifier() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 1) + x.xxx_hidden_Identifier = nil +} + +func (x *DarwinSigningInfo) ClearOrganization() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 2) + x.xxx_hidden_Organization = nil +} + +func (x *DarwinSigningInfo) ClearCommonName() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 3) + x.xxx_hidden_CommonName = nil +} + +func (x *DarwinSigningInfo) ClearCdHash() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 4) + x.xxx_hidden_CdHash = nil +} + +func (x *DarwinSigningInfo) ClearStatus() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 5) + x.xxx_hidden_Status = 0 +} + +type DarwinSigningInfo_builder struct { + _ [0]func() // Prevents comparability and use of unkeyed literals for the builder. + + // Apple-assigned Team Identifier (kSecCodeInfoTeamIdentifier). Apple + // guarantees uniqueness per developer account, so this is a reliable + // trust key. + TeamId *string + // Code-signing identifier (kSecCodeInfoIdentifier), typically the bundle + // ID, e.g. "com.docker.docker". Use to pin a specific application within + // a team. + Identifier *string + // Company name from the leaf certificate subject.O, e.g. "Docker Inc". + // Human-readable but NOT guaranteed unique or immutable — display/logging + // only, never a sole trust key. + Organization *string + // Leaf certificate subject.CN, e.g. + // "Developer ID Application: Docker Inc (9BNSXJN65R)". Contains the company + // name and team ID as embedded display text. + CommonName *string + // Code directory hash (kSecCodeInfoUnique), the exact identity of this + // specific binary build, hex-encoded. Use to pin an exact build. + CdHash *string + // Dynamic code-signing status word (kSecCodeInfoStatus) — the kernel's live + // view of the signature. Raw uint32 bitmask; values are fixed by Apple's + // and preserved verbatim (unknown bits included). + // Known flags: + // + // 0x0000_0001 VALID — dynamically valid; cleared on runtime tamper. + // 0x0000_0100 HARD — kernel refuses to page in invalid pages. + // 0x0000_0200 KILL — process killed if it becomes invalid. + // 0x1000_0000 DEBUGGED — debugger attached; red flag for a secrets peer. + Status *uint32 +} + +func (b0 DarwinSigningInfo_builder) Build() *DarwinSigningInfo { + m0 := &DarwinSigningInfo{} + b, x := &b0, m0 + _, _ = b, x + if b.TeamId != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 0, 6) + x.xxx_hidden_TeamId = b.TeamId + } + if b.Identifier != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 1, 6) + x.xxx_hidden_Identifier = b.Identifier + } + if b.Organization != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 2, 6) + x.xxx_hidden_Organization = b.Organization + } + if b.CommonName != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 3, 6) + x.xxx_hidden_CommonName = b.CommonName + } + if b.CdHash != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 4, 6) + x.xxx_hidden_CdHash = b.CdHash + } + if b.Status != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 5, 6) + x.xxx_hidden_Status = *b.Status + } + return m0 +} + +// WindowsSigningInfo carries Windows Authenticode context for the requesting +// process. Fields fall into three trust tiers: signature-derived (verified by +// WinVerifyTrust), token-derived (OS-enforced runtime properties), and +// corroborating PE version metadata (unsigned, display only). +type WindowsSigningInfo struct { + state protoimpl.MessageState `protogen:"opaque.v1"` + xxx_hidden_TrustedChain bool `protobuf:"varint,1,opt,name=trusted_chain,json=trustedChain"` + xxx_hidden_SubjectOrg *string `protobuf:"bytes,2,opt,name=subject_org,json=subjectOrg"` + xxx_hidden_SubjectCommonName *string `protobuf:"bytes,3,opt,name=subject_common_name,json=subjectCommonName"` + xxx_hidden_Issuer *string `protobuf:"bytes,4,opt,name=issuer"` + xxx_hidden_ThumbprintSha256 *string `protobuf:"bytes,5,opt,name=thumbprint_sha256,json=thumbprintSha256"` + xxx_hidden_IsEv bool `protobuf:"varint,6,opt,name=is_ev,json=isEv"` + xxx_hidden_Integrity WindowsSigningInfo_IntegrityLevel `protobuf:"varint,7,opt,name=integrity,enum=accesscontrol.v1.WindowsSigningInfo_IntegrityLevel"` + xxx_hidden_CompanyName *string `protobuf:"bytes,8,opt,name=company_name,json=companyName"` + xxx_hidden_ProductName *string `protobuf:"bytes,9,opt,name=product_name,json=productName"` + xxx_hidden_FileVersion *string `protobuf:"bytes,10,opt,name=file_version,json=fileVersion"` + XXX_raceDetectHookData protoimpl.RaceDetectHookData + XXX_presence [1]uint32 + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *WindowsSigningInfo) Reset() { + *x = WindowsSigningInfo{} + mi := &file_accesscontrol_v1_api_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *WindowsSigningInfo) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*WindowsSigningInfo) ProtoMessage() {} + +func (x *WindowsSigningInfo) ProtoReflect() protoreflect.Message { + mi := &file_accesscontrol_v1_api_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +func (x *WindowsSigningInfo) GetTrustedChain() bool { + if x != nil { + return x.xxx_hidden_TrustedChain + } + return false +} + +func (x *WindowsSigningInfo) GetSubjectOrg() string { + if x != nil { + if x.xxx_hidden_SubjectOrg != nil { + return *x.xxx_hidden_SubjectOrg + } + return "" + } + return "" +} + +func (x *WindowsSigningInfo) GetSubjectCommonName() string { + if x != nil { + if x.xxx_hidden_SubjectCommonName != nil { + return *x.xxx_hidden_SubjectCommonName + } + return "" + } + return "" +} + +func (x *WindowsSigningInfo) GetIssuer() string { + if x != nil { + if x.xxx_hidden_Issuer != nil { + return *x.xxx_hidden_Issuer + } + return "" + } + return "" +} + +func (x *WindowsSigningInfo) GetThumbprintSha256() string { + if x != nil { + if x.xxx_hidden_ThumbprintSha256 != nil { + return *x.xxx_hidden_ThumbprintSha256 + } + return "" + } + return "" +} + +func (x *WindowsSigningInfo) GetIsEv() bool { + if x != nil { + return x.xxx_hidden_IsEv + } + return false +} + +func (x *WindowsSigningInfo) GetIntegrity() WindowsSigningInfo_IntegrityLevel { + if x != nil { + if protoimpl.X.Present(&(x.XXX_presence[0]), 6) { + return x.xxx_hidden_Integrity + } + } + return WindowsSigningInfo_INTEGRITY_LEVEL_UNSPECIFIED +} + +func (x *WindowsSigningInfo) GetCompanyName() string { + if x != nil { + if x.xxx_hidden_CompanyName != nil { + return *x.xxx_hidden_CompanyName + } + return "" + } + return "" +} + +func (x *WindowsSigningInfo) GetProductName() string { + if x != nil { + if x.xxx_hidden_ProductName != nil { + return *x.xxx_hidden_ProductName + } + return "" + } + return "" +} + +func (x *WindowsSigningInfo) GetFileVersion() string { + if x != nil { + if x.xxx_hidden_FileVersion != nil { + return *x.xxx_hidden_FileVersion + } + return "" + } + return "" +} + +func (x *WindowsSigningInfo) SetTrustedChain(v bool) { + x.xxx_hidden_TrustedChain = v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 0, 10) +} + +func (x *WindowsSigningInfo) SetSubjectOrg(v string) { + x.xxx_hidden_SubjectOrg = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 1, 10) +} + +func (x *WindowsSigningInfo) SetSubjectCommonName(v string) { + x.xxx_hidden_SubjectCommonName = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 2, 10) +} + +func (x *WindowsSigningInfo) SetIssuer(v string) { + x.xxx_hidden_Issuer = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 3, 10) +} + +func (x *WindowsSigningInfo) SetThumbprintSha256(v string) { + x.xxx_hidden_ThumbprintSha256 = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 4, 10) +} + +func (x *WindowsSigningInfo) SetIsEv(v bool) { + x.xxx_hidden_IsEv = v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 5, 10) +} + +func (x *WindowsSigningInfo) SetIntegrity(v WindowsSigningInfo_IntegrityLevel) { + x.xxx_hidden_Integrity = v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 6, 10) +} + +func (x *WindowsSigningInfo) SetCompanyName(v string) { + x.xxx_hidden_CompanyName = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 7, 10) +} + +func (x *WindowsSigningInfo) SetProductName(v string) { + x.xxx_hidden_ProductName = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 8, 10) +} + +func (x *WindowsSigningInfo) SetFileVersion(v string) { + x.xxx_hidden_FileVersion = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 9, 10) +} + +func (x *WindowsSigningInfo) HasTrustedChain() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 0) +} + +func (x *WindowsSigningInfo) HasSubjectOrg() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 1) +} + +func (x *WindowsSigningInfo) HasSubjectCommonName() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 2) +} + +func (x *WindowsSigningInfo) HasIssuer() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 3) +} + +func (x *WindowsSigningInfo) HasThumbprintSha256() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 4) +} + +func (x *WindowsSigningInfo) HasIsEv() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 5) +} + +func (x *WindowsSigningInfo) HasIntegrity() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 6) +} + +func (x *WindowsSigningInfo) HasCompanyName() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 7) +} + +func (x *WindowsSigningInfo) HasProductName() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 8) +} + +func (x *WindowsSigningInfo) HasFileVersion() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 9) +} + +func (x *WindowsSigningInfo) ClearTrustedChain() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 0) + x.xxx_hidden_TrustedChain = false +} + +func (x *WindowsSigningInfo) ClearSubjectOrg() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 1) + x.xxx_hidden_SubjectOrg = nil +} + +func (x *WindowsSigningInfo) ClearSubjectCommonName() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 2) + x.xxx_hidden_SubjectCommonName = nil +} + +func (x *WindowsSigningInfo) ClearIssuer() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 3) + x.xxx_hidden_Issuer = nil +} + +func (x *WindowsSigningInfo) ClearThumbprintSha256() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 4) + x.xxx_hidden_ThumbprintSha256 = nil +} + +func (x *WindowsSigningInfo) ClearIsEv() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 5) + x.xxx_hidden_IsEv = false +} + +func (x *WindowsSigningInfo) ClearIntegrity() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 6) + x.xxx_hidden_Integrity = WindowsSigningInfo_INTEGRITY_LEVEL_UNSPECIFIED +} + +func (x *WindowsSigningInfo) ClearCompanyName() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 7) + x.xxx_hidden_CompanyName = nil +} + +func (x *WindowsSigningInfo) ClearProductName() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 8) + x.xxx_hidden_ProductName = nil +} + +func (x *WindowsSigningInfo) ClearFileVersion() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 9) + x.xxx_hidden_FileVersion = nil +} + +type WindowsSigningInfo_builder struct { + _ [0]func() // Prevents comparability and use of unkeyed literals for the builder. + + // Whether WinVerifyTrust confirmed the Authenticode signature chains to a + // trusted root and is not revoked. The remaining signature fields are only + // meaningful when true. + TrustedChain *bool + // Signing certificate Subject Organization (O), e.g. "Docker Inc". + SubjectOrg *string + // Signing certificate Subject Common Name (CN). + SubjectCommonName *string + // Common Name of the issuing CA, e.g. the DigiCert / Sectigo code-signing + // intermediate. + Issuer *string + // Hex-encoded SHA-256 hash of the leaf signing certificate. Strongest + // identity pin, but brittle across cert rotation. + ThumbprintSha256 *string + // Whether the signature uses an Extended Validation code-signing certificate + // (hardware-backed key, stricter vetting), detected from the leaf + // certificate's CA/Browser Forum EV policy OID. + IsEv *bool + // Peer process's mandatory integrity level from its access token. Collected + // for logging/diagnostics only; trust is gated on the signature, not + // integrity (the engine itself runs at Medium as a per-user service). + Integrity *WindowsSigningInfo_IntegrityLevel + // --- Corroborating only (PE version resource; NOT trustworthy) --- + // + // From the PE VERSIONINFO resource: unsigned and attacker-controllable, so + // display/logging only — must never gate trust. + CompanyName *string + ProductName *string + FileVersion *string +} + +func (b0 WindowsSigningInfo_builder) Build() *WindowsSigningInfo { + m0 := &WindowsSigningInfo{} + b, x := &b0, m0 + _, _ = b, x + if b.TrustedChain != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 0, 10) + x.xxx_hidden_TrustedChain = *b.TrustedChain + } + if b.SubjectOrg != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 1, 10) + x.xxx_hidden_SubjectOrg = b.SubjectOrg + } + if b.SubjectCommonName != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 2, 10) + x.xxx_hidden_SubjectCommonName = b.SubjectCommonName + } + if b.Issuer != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 3, 10) + x.xxx_hidden_Issuer = b.Issuer + } + if b.ThumbprintSha256 != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 4, 10) + x.xxx_hidden_ThumbprintSha256 = b.ThumbprintSha256 + } + if b.IsEv != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 5, 10) + x.xxx_hidden_IsEv = *b.IsEv + } + if b.Integrity != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 6, 10) + x.xxx_hidden_Integrity = *b.Integrity + } + if b.CompanyName != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 7, 10) + x.xxx_hidden_CompanyName = b.CompanyName + } + if b.ProductName != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 8, 10) + x.xxx_hidden_ProductName = b.ProductName + } + if b.FileVersion != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 9, 10) + x.xxx_hidden_FileVersion = b.FileVersion + } + return m0 +} + +// LinuxSigningInfo carries sigstore (Fulcio/Rekor) signing context for the +// requesting process. A binary may be signed by more than one signer. +type LinuxSigningInfo struct { + state protoimpl.MessageState `protogen:"opaque.v1"` + xxx_hidden_Signers *[]*LinuxSigningInfo_Signer `protobuf:"bytes,1,rep,name=signers"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *LinuxSigningInfo) Reset() { + *x = LinuxSigningInfo{} + mi := &file_accesscontrol_v1_api_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *LinuxSigningInfo) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*LinuxSigningInfo) ProtoMessage() {} + +func (x *LinuxSigningInfo) ProtoReflect() protoreflect.Message { + mi := &file_accesscontrol_v1_api_proto_msgTypes[4] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +func (x *LinuxSigningInfo) GetSigners() []*LinuxSigningInfo_Signer { + if x != nil { + if x.xxx_hidden_Signers != nil { + return *x.xxx_hidden_Signers + } + } + return nil +} + +func (x *LinuxSigningInfo) SetSigners(v []*LinuxSigningInfo_Signer) { + x.xxx_hidden_Signers = &v +} + +type LinuxSigningInfo_builder struct { + _ [0]func() // Prevents comparability and use of unkeyed literals for the builder. + + Signers []*LinuxSigningInfo_Signer +} + +func (b0 LinuxSigningInfo_builder) Build() *LinuxSigningInfo { + m0 := &LinuxSigningInfo{} + b, x := &b0, m0 + _, _ = b, x + x.xxx_hidden_Signers = &b.Signers + return m0 +} + +type CheckAccessResponse struct { + state protoimpl.MessageState `protogen:"opaque.v1"` + xxx_hidden_Decision Decision `protobuf:"varint,1,opt,name=decision,enum=accesscontrol.v1.Decision"` + XXX_raceDetectHookData protoimpl.RaceDetectHookData + XXX_presence [1]uint32 + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *CheckAccessResponse) Reset() { + *x = CheckAccessResponse{} + mi := &file_accesscontrol_v1_api_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *CheckAccessResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CheckAccessResponse) ProtoMessage() {} + +func (x *CheckAccessResponse) ProtoReflect() protoreflect.Message { + mi := &file_accesscontrol_v1_api_proto_msgTypes[5] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +func (x *CheckAccessResponse) GetDecision() Decision { + if x != nil { + if protoimpl.X.Present(&(x.XXX_presence[0]), 0) { + return x.xxx_hidden_Decision + } + } + return Decision_DECISION_DENY +} + +func (x *CheckAccessResponse) SetDecision(v Decision) { + x.xxx_hidden_Decision = v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 0, 1) +} + +func (x *CheckAccessResponse) HasDecision() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 0) +} + +func (x *CheckAccessResponse) ClearDecision() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 0) + x.xxx_hidden_Decision = Decision_DECISION_DENY +} + +type CheckAccessResponse_builder struct { + _ [0]func() // Prevents comparability and use of unkeyed literals for the builder. + + Decision *Decision +} + +func (b0 CheckAccessResponse_builder) Build() *CheckAccessResponse { + m0 := &CheckAccessResponse{} + b, x := &b0, m0 + _, _ = b, x + if b.Decision != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 0, 1) + x.xxx_hidden_Decision = *b.Decision + } + return m0 +} + +// Signer is one verified sigstore signature over the binary: the Fulcio +// certificate identity plus its bound provenance and Rekor inclusion. +type LinuxSigningInfo_Signer struct { + state protoimpl.MessageState `protogen:"opaque.v1"` + xxx_hidden_CertIssuer *string `protobuf:"bytes,1,opt,name=cert_issuer,json=certIssuer"` + xxx_hidden_CertIdentity *string `protobuf:"bytes,2,opt,name=cert_identity,json=certIdentity"` + xxx_hidden_SourceRepo *string `protobuf:"bytes,3,opt,name=source_repo,json=sourceRepo"` + xxx_hidden_SourceRef *string `protobuf:"bytes,4,opt,name=source_ref,json=sourceRef"` + xxx_hidden_SourceCommit *string `protobuf:"bytes,5,opt,name=source_commit,json=sourceCommit"` + xxx_hidden_RunnerEnvironment *string `protobuf:"bytes,6,opt,name=runner_environment,json=runnerEnvironment"` + xxx_hidden_BuildTrigger *string `protobuf:"bytes,7,opt,name=build_trigger,json=buildTrigger"` + xxx_hidden_RunInvocationUri *string `protobuf:"bytes,8,opt,name=run_invocation_uri,json=runInvocationUri"` + xxx_hidden_RekorLogIndex int64 `protobuf:"varint,9,opt,name=rekor_log_index,json=rekorLogIndex"` + xxx_hidden_IntegratedTime *timestamppb.Timestamp `protobuf:"bytes,10,opt,name=integrated_time,json=integratedTime"` + XXX_raceDetectHookData protoimpl.RaceDetectHookData + XXX_presence [1]uint32 + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *LinuxSigningInfo_Signer) Reset() { + *x = LinuxSigningInfo_Signer{} + mi := &file_accesscontrol_v1_api_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *LinuxSigningInfo_Signer) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*LinuxSigningInfo_Signer) ProtoMessage() {} + +func (x *LinuxSigningInfo_Signer) ProtoReflect() protoreflect.Message { + mi := &file_accesscontrol_v1_api_proto_msgTypes[6] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +func (x *LinuxSigningInfo_Signer) GetCertIssuer() string { + if x != nil { + if x.xxx_hidden_CertIssuer != nil { + return *x.xxx_hidden_CertIssuer + } + return "" + } + return "" +} + +func (x *LinuxSigningInfo_Signer) GetCertIdentity() string { + if x != nil { + if x.xxx_hidden_CertIdentity != nil { + return *x.xxx_hidden_CertIdentity + } + return "" + } + return "" +} + +func (x *LinuxSigningInfo_Signer) GetSourceRepo() string { + if x != nil { + if x.xxx_hidden_SourceRepo != nil { + return *x.xxx_hidden_SourceRepo + } + return "" + } + return "" +} + +func (x *LinuxSigningInfo_Signer) GetSourceRef() string { + if x != nil { + if x.xxx_hidden_SourceRef != nil { + return *x.xxx_hidden_SourceRef + } + return "" + } + return "" +} + +func (x *LinuxSigningInfo_Signer) GetSourceCommit() string { + if x != nil { + if x.xxx_hidden_SourceCommit != nil { + return *x.xxx_hidden_SourceCommit + } + return "" + } + return "" +} + +func (x *LinuxSigningInfo_Signer) GetRunnerEnvironment() string { + if x != nil { + if x.xxx_hidden_RunnerEnvironment != nil { + return *x.xxx_hidden_RunnerEnvironment + } + return "" + } + return "" +} + +func (x *LinuxSigningInfo_Signer) GetBuildTrigger() string { + if x != nil { + if x.xxx_hidden_BuildTrigger != nil { + return *x.xxx_hidden_BuildTrigger + } + return "" + } + return "" +} + +func (x *LinuxSigningInfo_Signer) GetRunInvocationUri() string { + if x != nil { + if x.xxx_hidden_RunInvocationUri != nil { + return *x.xxx_hidden_RunInvocationUri + } + return "" + } + return "" +} + +func (x *LinuxSigningInfo_Signer) GetRekorLogIndex() int64 { + if x != nil { + return x.xxx_hidden_RekorLogIndex + } + return 0 +} + +func (x *LinuxSigningInfo_Signer) GetIntegratedTime() *timestamppb.Timestamp { + if x != nil { + return x.xxx_hidden_IntegratedTime + } + return nil +} + +func (x *LinuxSigningInfo_Signer) SetCertIssuer(v string) { + x.xxx_hidden_CertIssuer = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 0, 10) +} + +func (x *LinuxSigningInfo_Signer) SetCertIdentity(v string) { + x.xxx_hidden_CertIdentity = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 1, 10) +} + +func (x *LinuxSigningInfo_Signer) SetSourceRepo(v string) { + x.xxx_hidden_SourceRepo = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 2, 10) +} + +func (x *LinuxSigningInfo_Signer) SetSourceRef(v string) { + x.xxx_hidden_SourceRef = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 3, 10) +} + +func (x *LinuxSigningInfo_Signer) SetSourceCommit(v string) { + x.xxx_hidden_SourceCommit = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 4, 10) +} + +func (x *LinuxSigningInfo_Signer) SetRunnerEnvironment(v string) { + x.xxx_hidden_RunnerEnvironment = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 5, 10) +} + +func (x *LinuxSigningInfo_Signer) SetBuildTrigger(v string) { + x.xxx_hidden_BuildTrigger = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 6, 10) +} + +func (x *LinuxSigningInfo_Signer) SetRunInvocationUri(v string) { + x.xxx_hidden_RunInvocationUri = &v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 7, 10) +} + +func (x *LinuxSigningInfo_Signer) SetRekorLogIndex(v int64) { + x.xxx_hidden_RekorLogIndex = v + protoimpl.X.SetPresent(&(x.XXX_presence[0]), 8, 10) +} + +func (x *LinuxSigningInfo_Signer) SetIntegratedTime(v *timestamppb.Timestamp) { + x.xxx_hidden_IntegratedTime = v +} + +func (x *LinuxSigningInfo_Signer) HasCertIssuer() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 0) +} + +func (x *LinuxSigningInfo_Signer) HasCertIdentity() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 1) +} + +func (x *LinuxSigningInfo_Signer) HasSourceRepo() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 2) +} + +func (x *LinuxSigningInfo_Signer) HasSourceRef() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 3) +} + +func (x *LinuxSigningInfo_Signer) HasSourceCommit() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 4) +} + +func (x *LinuxSigningInfo_Signer) HasRunnerEnvironment() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 5) +} + +func (x *LinuxSigningInfo_Signer) HasBuildTrigger() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 6) +} + +func (x *LinuxSigningInfo_Signer) HasRunInvocationUri() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 7) +} + +func (x *LinuxSigningInfo_Signer) HasRekorLogIndex() bool { + if x == nil { + return false + } + return protoimpl.X.Present(&(x.XXX_presence[0]), 8) +} + +func (x *LinuxSigningInfo_Signer) HasIntegratedTime() bool { + if x == nil { + return false + } + return x.xxx_hidden_IntegratedTime != nil +} + +func (x *LinuxSigningInfo_Signer) ClearCertIssuer() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 0) + x.xxx_hidden_CertIssuer = nil +} + +func (x *LinuxSigningInfo_Signer) ClearCertIdentity() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 1) + x.xxx_hidden_CertIdentity = nil +} + +func (x *LinuxSigningInfo_Signer) ClearSourceRepo() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 2) + x.xxx_hidden_SourceRepo = nil +} + +func (x *LinuxSigningInfo_Signer) ClearSourceRef() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 3) + x.xxx_hidden_SourceRef = nil +} + +func (x *LinuxSigningInfo_Signer) ClearSourceCommit() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 4) + x.xxx_hidden_SourceCommit = nil +} + +func (x *LinuxSigningInfo_Signer) ClearRunnerEnvironment() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 5) + x.xxx_hidden_RunnerEnvironment = nil +} + +func (x *LinuxSigningInfo_Signer) ClearBuildTrigger() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 6) + x.xxx_hidden_BuildTrigger = nil +} + +func (x *LinuxSigningInfo_Signer) ClearRunInvocationUri() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 7) + x.xxx_hidden_RunInvocationUri = nil +} + +func (x *LinuxSigningInfo_Signer) ClearRekorLogIndex() { + protoimpl.X.ClearPresent(&(x.XXX_presence[0]), 8) + x.xxx_hidden_RekorLogIndex = 0 +} + +func (x *LinuxSigningInfo_Signer) ClearIntegratedTime() { + x.xxx_hidden_IntegratedTime = nil +} + +type LinuxSigningInfo_Signer_builder struct { + _ [0]func() // Prevents comparability and use of unkeyed literals for the builder. + + // OIDC issuer embedded in the Fulcio leaf certificate, e.g. + // "https://token.actions.githubusercontent.com". + CertIssuer *string + // Certificate SAN — the signer's workflow identity, e.g. + // ".../sign-release.yml@refs/tags/v0.7.1". + CertIdentity *string + // Source repository URI from the Fulcio GitHub extension, e.g. + // "https://github.com/docker/secrets-engine". + SourceRepo *string + // Git ref that was built, e.g. "refs/tags/v0.7.1". Ties the binary to a + // release tag. + SourceRef *string + // Source commit SHA the binary was built from (Fulcio source-repository + // digest extension). + SourceCommit *string + // "github-hosted" or "self-hosted" (Fulcio extension) — a self-hosted + // runner minting a release signature would be a red flag. + RunnerEnvironment *string + // Event that started the signing workflow, e.g. "release" (Fulcio + // extension). + BuildTrigger *string + // Points at the specific GitHub Actions run that produced the signature + // (Fulcio extension) — for audit/log correlation. + RunInvocationUri *string + // Entry's index in the Rekor transparency log. + RekorLogIndex *int64 + // When the signature was recorded in Rekor. + IntegratedTime *timestamppb.Timestamp +} + +func (b0 LinuxSigningInfo_Signer_builder) Build() *LinuxSigningInfo_Signer { + m0 := &LinuxSigningInfo_Signer{} + b, x := &b0, m0 + _, _ = b, x + if b.CertIssuer != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 0, 10) + x.xxx_hidden_CertIssuer = b.CertIssuer + } + if b.CertIdentity != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 1, 10) + x.xxx_hidden_CertIdentity = b.CertIdentity + } + if b.SourceRepo != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 2, 10) + x.xxx_hidden_SourceRepo = b.SourceRepo + } + if b.SourceRef != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 3, 10) + x.xxx_hidden_SourceRef = b.SourceRef + } + if b.SourceCommit != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 4, 10) + x.xxx_hidden_SourceCommit = b.SourceCommit + } + if b.RunnerEnvironment != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 5, 10) + x.xxx_hidden_RunnerEnvironment = b.RunnerEnvironment + } + if b.BuildTrigger != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 6, 10) + x.xxx_hidden_BuildTrigger = b.BuildTrigger + } + if b.RunInvocationUri != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 7, 10) + x.xxx_hidden_RunInvocationUri = b.RunInvocationUri + } + if b.RekorLogIndex != nil { + protoimpl.X.SetPresentNonAtomic(&(x.XXX_presence[0]), 8, 10) + x.xxx_hidden_RekorLogIndex = *b.RekorLogIndex + } + x.xxx_hidden_IntegratedTime = b.IntegratedTime + return m0 +} + +var File_accesscontrol_v1_api_proto protoreflect.FileDescriptor + +const file_accesscontrol_v1_api_proto_rawDesc = "" + + "\n" + + "\x1aaccesscontrol/v1/api.proto\x12\x10accesscontrol.v1\x1a\x1fgoogle/protobuf/timestamp.proto\"i\n" + + "\x12CheckAccessRequest\x12\x18\n" + + "\apattern\x18\x01 \x01(\tR\apattern\x129\n" + + "\trequester\x18\x02 \x01(\v2\x1b.accesscontrol.v1.RequesterR\trequester\"\xda\x02\n" + + "\tRequester\x12\x10\n" + + "\x03pid\x18\x01 \x01(\x05R\x03pid\x12\x12\n" + + "\x04name\x18\x02 \x01(\tR\x04name\x120\n" + + "\x14absolute_binary_path\x18\x03 \x01(\tR\x12absoluteBinaryPath\x12(\n" + + "\x10signed_by_docker\x18\x04 \x01(\bR\x0esignedByDocker\x12=\n" + + "\x06darwin\x18\x05 \x01(\v2#.accesscontrol.v1.DarwinSigningInfoH\x00R\x06darwin\x12@\n" + + "\awindows\x18\x06 \x01(\v2$.accesscontrol.v1.WindowsSigningInfoH\x00R\awindows\x12:\n" + + "\x05linux\x18\a \x01(\v2\".accesscontrol.v1.LinuxSigningInfoH\x00R\x05linuxB\x0e\n" + + "\fsigning_info\"\xc2\x01\n" + + "\x11DarwinSigningInfo\x12\x17\n" + + "\ateam_id\x18\x01 \x01(\tR\x06teamId\x12\x1e\n" + + "\n" + + "identifier\x18\x02 \x01(\tR\n" + + "identifier\x12\"\n" + + "\forganization\x18\x03 \x01(\tR\forganization\x12\x1f\n" + + "\vcommon_name\x18\x04 \x01(\tR\n" + + "commonName\x12\x17\n" + + "\acd_hash\x18\x05 \x01(\tR\x06cdHash\x12\x16\n" + + "\x06status\x18\x06 \x01(\rR\x06status\"\xc4\x04\n" + + "\x12WindowsSigningInfo\x12#\n" + + "\rtrusted_chain\x18\x01 \x01(\bR\ftrustedChain\x12\x1f\n" + + "\vsubject_org\x18\x02 \x01(\tR\n" + + "subjectOrg\x12.\n" + + "\x13subject_common_name\x18\x03 \x01(\tR\x11subjectCommonName\x12\x16\n" + + "\x06issuer\x18\x04 \x01(\tR\x06issuer\x12+\n" + + "\x11thumbprint_sha256\x18\x05 \x01(\tR\x10thumbprintSha256\x12\x13\n" + + "\x05is_ev\x18\x06 \x01(\bR\x04isEv\x12Q\n" + + "\tintegrity\x18\a \x01(\x0e23.accesscontrol.v1.WindowsSigningInfo.IntegrityLevelR\tintegrity\x12!\n" + + "\fcompany_name\x18\b \x01(\tR\vcompanyName\x12!\n" + + "\fproduct_name\x18\t \x01(\tR\vproductName\x12!\n" + + "\ffile_version\x18\n" + + " \x01(\tR\vfileVersion\"\xa1\x01\n" + + "\x0eIntegrityLevel\x12\x1f\n" + + "\x1bINTEGRITY_LEVEL_UNSPECIFIED\x10\x00\x12\x18\n" + + "\x13INTEGRITY_LEVEL_LOW\x10\x80 \x12\x1b\n" + + "\x16INTEGRITY_LEVEL_MEDIUM\x10\x80@\x12\x19\n" + + "\x14INTEGRITY_LEVEL_HIGH\x10\x80`\x12\x1c\n" + + "\x16INTEGRITY_LEVEL_SYSTEM\x10\x80\x80\x01\"\xfc\x03\n" + + "\x10LinuxSigningInfo\x12C\n" + + "\asigners\x18\x01 \x03(\v2).accesscontrol.v1.LinuxSigningInfo.SignerR\asigners\x1a\xa2\x03\n" + + "\x06Signer\x12\x1f\n" + + "\vcert_issuer\x18\x01 \x01(\tR\n" + + "certIssuer\x12#\n" + + "\rcert_identity\x18\x02 \x01(\tR\fcertIdentity\x12\x1f\n" + + "\vsource_repo\x18\x03 \x01(\tR\n" + + "sourceRepo\x12\x1d\n" + + "\n" + + "source_ref\x18\x04 \x01(\tR\tsourceRef\x12#\n" + + "\rsource_commit\x18\x05 \x01(\tR\fsourceCommit\x12-\n" + + "\x12runner_environment\x18\x06 \x01(\tR\x11runnerEnvironment\x12#\n" + + "\rbuild_trigger\x18\a \x01(\tR\fbuildTrigger\x12,\n" + + "\x12run_invocation_uri\x18\b \x01(\tR\x10runInvocationUri\x12&\n" + + "\x0frekor_log_index\x18\t \x01(\x03R\rrekorLogIndex\x12C\n" + + "\x0fintegrated_time\x18\n" + + " \x01(\v2\x1a.google.protobuf.TimestampR\x0eintegratedTime\"M\n" + + "\x13CheckAccessResponse\x126\n" + + "\bdecision\x18\x01 \x01(\x0e2\x1a.accesscontrol.v1.DecisionR\bdecision*1\n" + + "\bDecision\x12\x11\n" + + "\rDECISION_DENY\x10\x00\x12\x12\n" + + "\x0eDECISION_ALLOW\x10\x012r\n" + + "\x14AccessControlService\x12Z\n" + + "\vCheckAccess\x12$.accesscontrol.v1.CheckAccessRequest\x1a%.accesscontrol.v1.CheckAccessResponseB\xca\x01\n" + + "\x14com.accesscontrol.v1B\bApiProtoP\x01ZGgithub.com/docker/secrets-engine/x/api/accesscontrol/v1;accesscontrolv1\xa2\x02\x03AXX\xaa\x02\x10Accesscontrol.V1\xca\x02\x10Accesscontrol\\V1\xe2\x02\x1cAccesscontrol\\V1\\GPBMetadata\xea\x02\x11Accesscontrol::V1b\beditionsp\xe8\a" + +var file_accesscontrol_v1_api_proto_enumTypes = make([]protoimpl.EnumInfo, 2) +var file_accesscontrol_v1_api_proto_msgTypes = make([]protoimpl.MessageInfo, 7) +var file_accesscontrol_v1_api_proto_goTypes = []any{ + (Decision)(0), // 0: accesscontrol.v1.Decision + (WindowsSigningInfo_IntegrityLevel)(0), // 1: accesscontrol.v1.WindowsSigningInfo.IntegrityLevel + (*CheckAccessRequest)(nil), // 2: accesscontrol.v1.CheckAccessRequest + (*Requester)(nil), // 3: accesscontrol.v1.Requester + (*DarwinSigningInfo)(nil), // 4: accesscontrol.v1.DarwinSigningInfo + (*WindowsSigningInfo)(nil), // 5: accesscontrol.v1.WindowsSigningInfo + (*LinuxSigningInfo)(nil), // 6: accesscontrol.v1.LinuxSigningInfo + (*CheckAccessResponse)(nil), // 7: accesscontrol.v1.CheckAccessResponse + (*LinuxSigningInfo_Signer)(nil), // 8: accesscontrol.v1.LinuxSigningInfo.Signer + (*timestamppb.Timestamp)(nil), // 9: google.protobuf.Timestamp +} +var file_accesscontrol_v1_api_proto_depIdxs = []int32{ + 3, // 0: accesscontrol.v1.CheckAccessRequest.requester:type_name -> accesscontrol.v1.Requester + 4, // 1: accesscontrol.v1.Requester.darwin:type_name -> accesscontrol.v1.DarwinSigningInfo + 5, // 2: accesscontrol.v1.Requester.windows:type_name -> accesscontrol.v1.WindowsSigningInfo + 6, // 3: accesscontrol.v1.Requester.linux:type_name -> accesscontrol.v1.LinuxSigningInfo + 1, // 4: accesscontrol.v1.WindowsSigningInfo.integrity:type_name -> accesscontrol.v1.WindowsSigningInfo.IntegrityLevel + 8, // 5: accesscontrol.v1.LinuxSigningInfo.signers:type_name -> accesscontrol.v1.LinuxSigningInfo.Signer + 0, // 6: accesscontrol.v1.CheckAccessResponse.decision:type_name -> accesscontrol.v1.Decision + 9, // 7: accesscontrol.v1.LinuxSigningInfo.Signer.integrated_time:type_name -> google.protobuf.Timestamp + 2, // 8: accesscontrol.v1.AccessControlService.CheckAccess:input_type -> accesscontrol.v1.CheckAccessRequest + 7, // 9: accesscontrol.v1.AccessControlService.CheckAccess:output_type -> accesscontrol.v1.CheckAccessResponse + 9, // [9:10] is the sub-list for method output_type + 8, // [8:9] is the sub-list for method input_type + 8, // [8:8] is the sub-list for extension type_name + 8, // [8:8] is the sub-list for extension extendee + 0, // [0:8] is the sub-list for field type_name +} + +func init() { file_accesscontrol_v1_api_proto_init() } +func file_accesscontrol_v1_api_proto_init() { + if File_accesscontrol_v1_api_proto != nil { + return + } + file_accesscontrol_v1_api_proto_msgTypes[1].OneofWrappers = []any{ + (*requester_Darwin)(nil), + (*requester_Windows)(nil), + (*requester_Linux)(nil), + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_accesscontrol_v1_api_proto_rawDesc), len(file_accesscontrol_v1_api_proto_rawDesc)), + NumEnums: 2, + NumMessages: 7, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_accesscontrol_v1_api_proto_goTypes, + DependencyIndexes: file_accesscontrol_v1_api_proto_depIdxs, + EnumInfos: file_accesscontrol_v1_api_proto_enumTypes, + MessageInfos: file_accesscontrol_v1_api_proto_msgTypes, + }.Build() + File_accesscontrol_v1_api_proto = out.File + file_accesscontrol_v1_api_proto_goTypes = nil + file_accesscontrol_v1_api_proto_depIdxs = nil +} diff --git a/x/api/accesscontrol/v1/api.proto b/x/api/accesscontrol/v1/api.proto new file mode 100644 index 00000000..8432c547 --- /dev/null +++ b/x/api/accesscontrol/v1/api.proto @@ -0,0 +1,208 @@ +// Copyright 2026 Docker, Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +edition = "2023"; + +package accesscontrol.v1; + +import "google/protobuf/timestamp.proto"; + +option go_package = "github.com/docker/secrets-engine/x/api/accesscontrol/v1;accesscontrolv1"; + +service AccessControlService { + // CheckAccess decides whether a requesting process may resolve the + // secrets matched by the query. Called for every GetSecrets request. + rpc CheckAccess(CheckAccessRequest) returns (CheckAccessResponse); +} + +message CheckAccessRequest { + // What the caller is trying to resolve — mirrors the resolver pattern. + string pattern = 1; + + // Identity/context of the process making the request. + Requester requester = 2; +} + +// Requester mirrors runtime procinfo.Details: the verified context of the +// peer process asking for secrets. +message Requester { + // OS process ID of the caller. + int32 pid = 1; + // Process name. + string name = 2; + // Absolute path to the caller's binary on disk. + string absolute_binary_path = 3; + // True if the binary's signature chains to Docker's signing identity. + bool signed_by_docker = 4; + + // Platform-specific signing context, set according to the OS the engine + // is running on. Exactly one variant is populated. + oneof signing_info { + DarwinSigningInfo darwin = 5; + WindowsSigningInfo windows = 6; + LinuxSigningInfo linux = 7; + } +} + +// DarwinSigningInfo carries macOS code-signing context (Security.framework +// SecCode* APIs) for the requesting process. +message DarwinSigningInfo { + // Apple-assigned Team Identifier (kSecCodeInfoTeamIdentifier). Apple + // guarantees uniqueness per developer account, so this is a reliable + // trust key. + string team_id = 1; + // Code-signing identifier (kSecCodeInfoIdentifier), typically the bundle + // ID, e.g. "com.docker.docker". Use to pin a specific application within + // a team. + string identifier = 2; + // Company name from the leaf certificate subject.O, e.g. "Docker Inc". + // Human-readable but NOT guaranteed unique or immutable — display/logging + // only, never a sole trust key. + string organization = 3; + // Leaf certificate subject.CN, e.g. + // "Developer ID Application: Docker Inc (9BNSXJN65R)". Contains the company + // name and team ID as embedded display text. + string common_name = 4; + // Code directory hash (kSecCodeInfoUnique), the exact identity of this + // specific binary build, hex-encoded. Use to pin an exact build. + string cd_hash = 5; + // Dynamic code-signing status word (kSecCodeInfoStatus) — the kernel's live + // view of the signature. Raw uint32 bitmask; values are fixed by Apple's + // and preserved verbatim (unknown bits included). + // Known flags: + // 0x0000_0001 VALID — dynamically valid; cleared on runtime tamper. + // 0x0000_0100 HARD — kernel refuses to page in invalid pages. + // 0x0000_0200 KILL — process killed if it becomes invalid. + // 0x1000_0000 DEBUGGED — debugger attached; red flag for a secrets peer. + uint32 status = 6; +} + +// WindowsSigningInfo carries Windows Authenticode context for the requesting +// process. Fields fall into three trust tiers: signature-derived (verified by +// WinVerifyTrust), token-derived (OS-enforced runtime properties), and +// corroborating PE version metadata (unsigned, display only). +message WindowsSigningInfo { + // --- Signature-derived (verified by WinVerifyTrust) --- + // + // These describe the PE's primary Authenticode signature only; nested + // signatures are not enumerated. Safe because trust is gated on the primary + // signature, and Docker's EV identity lives there. + + // Whether WinVerifyTrust confirmed the Authenticode signature chains to a + // trusted root and is not revoked. The remaining signature fields are only + // meaningful when true. + bool trusted_chain = 1; + // Signing certificate Subject Organization (O), e.g. "Docker Inc". + string subject_org = 2; + // Signing certificate Subject Common Name (CN). + string subject_common_name = 3; + // Common Name of the issuing CA, e.g. the DigiCert / Sectigo code-signing + // intermediate. + string issuer = 4; + // Hex-encoded SHA-256 hash of the leaf signing certificate. Strongest + // identity pin, but brittle across cert rotation. + string thumbprint_sha256 = 5; + // Whether the signature uses an Extended Validation code-signing certificate + // (hardware-backed key, stricter vetting), detected from the leaf + // certificate's CA/Browser Forum EV policy OID. + bool is_ev = 6; + + // --- Token-derived (OS-enforced runtime property; collected, not gated) --- + + // Peer process's mandatory integrity level from its access token. Collected + // for logging/diagnostics only; trust is gated on the signature, not + // integrity (the engine itself runs at Medium as a per-user service). + IntegrityLevel integrity = 7; + + // --- Corroborating only (PE version resource; NOT trustworthy) --- + // + // From the PE VERSIONINFO resource: unsigned and attacker-controllable, so + // display/logging only — must never gate trust. + string company_name = 8; + string product_name = 9; + string file_version = 10; + + // IntegrityLevel is a Windows mandatory integrity level, ordered so higher + // values denote a more privileged context (mirrors winnt.h RIDs). + enum IntegrityLevel { + // SECURITY_MANDATORY_UNTRUSTED_RID (0x0000). Also the value used when the + // integrity level could not be determined. + INTEGRITY_LEVEL_UNSPECIFIED = 0; + // SECURITY_MANDATORY_LOW_RID (0x1000), e.g. AppContainer/sandboxed. + INTEGRITY_LEVEL_LOW = 0x1000; + // SECURITY_MANDATORY_MEDIUM_RID (0x2000), default for standard user procs. + INTEGRITY_LEVEL_MEDIUM = 0x2000; + // SECURITY_MANDATORY_HIGH_RID (0x3000), e.g. elevated (administrator). + INTEGRITY_LEVEL_HIGH = 0x3000; + // SECURITY_MANDATORY_SYSTEM_RID (0x4000), e.g. services running as SYSTEM. + INTEGRITY_LEVEL_SYSTEM = 0x4000; + } +} + +// LinuxSigningInfo carries sigstore (Fulcio/Rekor) signing context for the +// requesting process. A binary may be signed by more than one signer. +message LinuxSigningInfo { + repeated Signer signers = 1; + + // Signer is one verified sigstore signature over the binary: the Fulcio + // certificate identity plus its bound provenance and Rekor inclusion. + message Signer { + // --- Verified identity --- + + // OIDC issuer embedded in the Fulcio leaf certificate, e.g. + // "https://token.actions.githubusercontent.com". + string cert_issuer = 1; + // Certificate SAN — the signer's workflow identity, e.g. + // ".../sign-release.yml@refs/tags/v0.7.1". + string cert_identity = 2; + // Source repository URI from the Fulcio GitHub extension, e.g. + // "https://github.com/docker/secrets-engine". + string source_repo = 3; + + // --- Verified provenance (bound in the cert; diagnostic, not gated) --- + + // Git ref that was built, e.g. "refs/tags/v0.7.1". Ties the binary to a + // release tag. + string source_ref = 4; + // Source commit SHA the binary was built from (Fulcio source-repository + // digest extension). + string source_commit = 5; + // "github-hosted" or "self-hosted" (Fulcio extension) — a self-hosted + // runner minting a release signature would be a red flag. + string runner_environment = 6; + // Event that started the signing workflow, e.g. "release" (Fulcio + // extension). + string build_trigger = 7; + // Points at the specific GitHub Actions run that produced the signature + // (Fulcio extension) — for audit/log correlation. + string run_invocation_uri = 8; + + // --- Transparency log (verified inclusion) --- + + // Entry's index in the Rekor transparency log. + int64 rekor_log_index = 9; + // When the signature was recorded in Rekor. + google.protobuf.Timestamp integrated_time = 10; + } +} + +enum Decision { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX + DECISION_DENY = 0; + DECISION_ALLOW = 1; +} + +message CheckAccessResponse { + Decision decision = 1; +}