update/identityprovider.v1: update identityprov to match arista vendor

Update identityprovider.v1 to be in sync with the current version in arista.git/vendor identityprovider.v1 package. Change-Id: Ia1fee7356de96ef9241dccd4a09525d26fbbef42
aristanetworks · Mar 21, 2024 · bd15647 · bd15647
1 parent 039e223
commit bd15647
Show file tree

Hide file tree

Showing 4 changed files with 1,871 additions and 5 deletions.
diff --git a/arista/identityprovider.v1/identityprovider-changelog.yaml b/arista/identityprovider.v1/identityprovider-changelog.yaml
@@ -7,6 +7,14 @@
 # New entries go on top.
 
 Changes:
+  - date: 2023-08-08
+    description: Add username_attrname to saml
+    version: 1.7.0
+    cvaas: true
+    onprem: true
+  - date: 2023-06-22
+    description: Add roles_claim_name to oauth
+    version: 1.6.0
   - date: 2023-04-07
     description: Add org_attrname to saml
     version: 1.5.0

diff --git a/arista/identityprovider.v1/identityprovider.proto b/arista/identityprovider.v1/identityprovider.proto
@@ -50,11 +50,13 @@ message OAuthConfig {
         // permitted_email_domains are domains of emails that users are allowed to use.
         // This is an optional field. If not set, all domains are accepted by default.
         fmp.RepeatedString permitted_email_domains = 8;
-        // roles_scope_name is the name for a custom scope that includes a custom claim
-        // that holds CloudVision roles in ID Token.
-        // CloudVision appends this value to scope query parameter in the authorization
-        // request URL. This is an optional field. If not set, CloudVision determines that
-        // mapping roles from the provider is disabled.
+        // roles_scope_name is the name for a scope tied to a claim that holds
+        // CloudVision roles in ID Token. CloudVision uses scope values to specify
+        // what access privileges are being requested for id token. CloudVision
+        // appends this value to `scope` query parameter in the authorization request URL.
+        // This is an optional field. If not set, CloudVision determines that
+        // mapping roles from the provider is disabled. If it's set, roles_claim_name
+        // also needs to be set.
         google.protobuf.StringValue roles_scope_name = 9;
         // bearer_token_introspection_endpoint is the provider instrospection endpoint used in
         // Bearer Token based login support for CloudVision. This endpoint will be used to verify
@@ -63,6 +65,12 @@ message OAuthConfig {
         // org, hence only one provider is allowed to have this field set. If not set for any
         // providers, CloudVision determines that Bearer Token based login support is disabled.
         google.protobuf.StringValue bearer_token_introspection_endpoint = 10;
+        // roles_claim_name is the name for a claim that holds CloudVision roles in ID Token.
+        // CloudVision uses this value to look up roles in the ID Token.
+        // This is an optional field. If not set, CloudVision determines that
+        // mapping roles from the provider is disabled. If it's set, roles_scope_name
+        // also needs to be set.
+        google.protobuf.StringValue roles_claim_name = 11;
 }
 
 // SAMLKey contains SAML Provider ID.
@@ -126,4 +134,8 @@ message SAMLConfig {
         // disabled for a given organization using shared Identity Provider if this attribute
         // is not specified.
         google.protobuf.StringValue org_attrname = 10;
+        // username_attrname specifies Attribute name for CloudVision users' username in the
+        // Assertion of SAMLResponse. This is an optional field as long as mapping roles from
+        // provider is not enabled. Once enabled, this field becomes mandatory.
+        google.protobuf.StringValue username_attrname = 11;
 }
diff --git a/arista/identityprovider.v1/services.gen.proto b/arista/identityprovider.v1/services.gen.proto
@@ -18,6 +18,20 @@ import "fmp/deletes.proto";
 import "google/protobuf/timestamp.proto";
 import "google/protobuf/wrappers.proto";
 
+message MetaResponse {
+	// Time holds the timestamp of the last item included in the metadata calculation.
+	google.protobuf.Timestamp time = 1;
+
+	// Operation indicates how the value in this response should be considered.
+	// Under non-subscribe requests, this value should always be INITIAL. In a subscription,
+	// once all initial data is streamed and the client begins to receive modification updates,
+	// you should not see INITIAL again.
+	arista.subscriptions.Operation type = 2;
+
+	// Count is the number of items present under the conditions of the request.
+	google.protobuf.UInt32Value count = 3;
+};
+
 message OAuthConfigRequest {
 	// Key uniquely identifies a OAuthConfig instance to retrieve.
 	// This value must be populated.
@@ -40,6 +54,27 @@ message OAuthConfigResponse {
 	google.protobuf.Timestamp time = 2;
 };
 
+message OAuthConfigSomeRequest {
+	repeated OAuthKey keys = 1;
+
+	// Time indicates the time for which you are interested in the data.
+	// If no time is given, the server will use the time at which it makes the request.
+	google.protobuf.Timestamp time = 2;
+};
+
+message OAuthConfigSomeResponse {
+	// Value is the value requested.
+	// This structure will be fully-populated as it exists in the datastore. If
+	// optional fields were not given at creation, these fields will be empty or
+	// set to default values.
+	OAuthConfig value = 1;
+
+	// Error is an optional field.
+	// It should be filled when there is an error in the GetSome process.
+	google.protobuf.StringValue error = 2;
+	google.protobuf.Timestamp time = 3;
+};
+
 message OAuthConfigStreamRequest {
 	// PartialEqFilter provides a way to server-side filter a GetAll/Subscribe.
 	// This requires all provided fields to be equal to the response.
@@ -136,6 +171,17 @@ message OAuthConfigDeleteResponse {
 	google.protobuf.Timestamp time = 2;
 };
 
+message OAuthConfigDeleteSomeRequest {
+	// key contains a list of OAuthConfig keys to delete
+	repeated OAuthKey keys = 1;
+};
+
+// OAuthConfigDeleteSomeResponse is only sent when there is an error.
+message OAuthConfigDeleteSomeResponse {
+	OAuthKey key = 1;
+	string error = 2;
+};
+
 message OAuthConfigDeleteAllRequest {
 };
 
@@ -152,11 +198,15 @@ message OAuthConfigDeleteAllResponse {
 
 service OAuthConfigService {
 	rpc GetOne (OAuthConfigRequest) returns (OAuthConfigResponse);
+	rpc GetSome (OAuthConfigSomeRequest) returns (stream OAuthConfigSomeResponse);
 	rpc GetAll (OAuthConfigStreamRequest) returns (stream OAuthConfigStreamResponse);
 	rpc Subscribe (OAuthConfigStreamRequest) returns (stream OAuthConfigStreamResponse);
+	rpc GetMeta (OAuthConfigStreamRequest) returns (MetaResponse);
+	rpc SubscribeMeta (OAuthConfigStreamRequest) returns (stream MetaResponse);
 	rpc Set (OAuthConfigSetRequest) returns (OAuthConfigSetResponse);
 	rpc SetSome (OAuthConfigSetSomeRequest) returns (stream OAuthConfigSetSomeResponse);
 	rpc Delete (OAuthConfigDeleteRequest) returns (OAuthConfigDeleteResponse);
+	rpc DeleteSome (OAuthConfigDeleteSomeRequest) returns (stream OAuthConfigDeleteSomeResponse);
 	rpc DeleteAll (OAuthConfigDeleteAllRequest) returns (stream OAuthConfigDeleteAllResponse);
 }
 
@@ -182,6 +232,27 @@ message SAMLConfigResponse {
 	google.protobuf.Timestamp time = 2;
 };
 
+message SAMLConfigSomeRequest {
+	repeated SAMLKey keys = 1;
+
+	// Time indicates the time for which you are interested in the data.
+	// If no time is given, the server will use the time at which it makes the request.
+	google.protobuf.Timestamp time = 2;
+};
+
+message SAMLConfigSomeResponse {
+	// Value is the value requested.
+	// This structure will be fully-populated as it exists in the datastore. If
+	// optional fields were not given at creation, these fields will be empty or
+	// set to default values.
+	SAMLConfig value = 1;
+
+	// Error is an optional field.
+	// It should be filled when there is an error in the GetSome process.
+	google.protobuf.StringValue error = 2;
+	google.protobuf.Timestamp time = 3;
+};
+
 message SAMLConfigStreamRequest {
 	// PartialEqFilter provides a way to server-side filter a GetAll/Subscribe.
 	// This requires all provided fields to be equal to the response.
@@ -278,6 +349,17 @@ message SAMLConfigDeleteResponse {
 	google.protobuf.Timestamp time = 2;
 };
 
+message SAMLConfigDeleteSomeRequest {
+	// key contains a list of SAMLConfig keys to delete
+	repeated SAMLKey keys = 1;
+};
+
+// SAMLConfigDeleteSomeResponse is only sent when there is an error.
+message SAMLConfigDeleteSomeResponse {
+	SAMLKey key = 1;
+	string error = 2;
+};
+
 message SAMLConfigDeleteAllRequest {
 };
 
@@ -294,10 +376,14 @@ message SAMLConfigDeleteAllResponse {
 
 service SAMLConfigService {
 	rpc GetOne (SAMLConfigRequest) returns (SAMLConfigResponse);
+	rpc GetSome (SAMLConfigSomeRequest) returns (stream SAMLConfigSomeResponse);
 	rpc GetAll (SAMLConfigStreamRequest) returns (stream SAMLConfigStreamResponse);
 	rpc Subscribe (SAMLConfigStreamRequest) returns (stream SAMLConfigStreamResponse);
+	rpc GetMeta (SAMLConfigStreamRequest) returns (MetaResponse);
+	rpc SubscribeMeta (SAMLConfigStreamRequest) returns (stream MetaResponse);
 	rpc Set (SAMLConfigSetRequest) returns (SAMLConfigSetResponse);
 	rpc SetSome (SAMLConfigSetSomeRequest) returns (stream SAMLConfigSetSomeResponse);
 	rpc Delete (SAMLConfigDeleteRequest) returns (SAMLConfigDeleteResponse);
+	rpc DeleteSome (SAMLConfigDeleteSomeRequest) returns (stream SAMLConfigDeleteSomeResponse);
 	rpc DeleteAll (SAMLConfigDeleteAllRequest) returns (stream SAMLConfigDeleteAllResponse);
 }