feat: Update AuditLog proto to include all new changes in Audit Logging. Also add a bazel build file.

Google APIs · copybara-github · commit 40292fc8f271 · 2020-07-06T11:33:23.000-07:00
The AuditLog proto is used by Cloud Audit Logging for various types of audit logs generated by various GCP services and written to Cloud Logging. The AuditLog proto is encoded as a google.protobuf.Any message inside the protoPayload field of the LogEntry. An updated proto and bazel build file allows client libraries to decode the Any message when reading logs from the Cloud Logging API.

PiperOrigin-RevId: 319820594
diff --git a/google/cloud/audit/BUILD.bazel b/google/cloud/audit/BUILD.bazel
@@ -0,0 +1,168 @@
+# This file was automatically generated by BuildFileGenerator
+
+# This is an API workspace, having public visibility by default makes perfect sense.
+package(default_visibility = ["//visibility:public"])
+
+##############################################################################
+# Common
+##############################################################################
+load("@rules_proto//proto:defs.bzl", "proto_library")
+
+proto_library(
+    name = "audit_proto",
+    srcs = [
+        "audit_log.proto",
+    ],
+    deps = [
+        "//google/rpc/context:attribute_context_proto",
+        "//google/rpc:status_proto",
+        "@com_google_protobuf//:any_proto",
+        "@com_google_protobuf//:struct_proto",
+    ],
+)
+
+##############################################################################
+# Java
+##############################################################################
+load(
+    "@com_google_googleapis_imports//:imports.bzl",
+    "java_grpc_library",
+    "java_proto_library",
+)
+
+java_proto_library(
+    name = "audit_java_proto",
+    deps = [":audit_proto"],
+)
+
+java_grpc_library(
+    name = "audit_java_grpc",
+    srcs = [":audit_proto"],
+    deps = [":audit_java_proto"],
+)
+
+##############################################################################
+# Go
+##############################################################################
+load(
+    "@com_google_googleapis_imports//:imports.bzl",
+    "go_proto_library",
+)
+
+go_proto_library(
+    name = "audit_go_proto",
+    compilers = ["@io_bazel_rules_go//proto:go_grpc"],
+    importpath = "google.golang.org/genproto/googleapis/cloud/audit",
+    protos = [":audit_proto"],
+    deps = [
+        "//google/rpc/context:attribute_context_go_proto",
+        "//google/rpc:status_go_proto",
+    ],
+)
+
+##############################################################################
+# Python
+##############################################################################
+load(
+    "@com_google_googleapis_imports//:imports.bzl",
+    "moved_proto_library",
+    "py_grpc_library",
+    "py_proto_library",
+)
+
+moved_proto_library(
+    name = "audit_moved_proto",
+    srcs = [":audit_proto"],
+    deps = [
+        "//google/rpc/context:attribute_context_proto",
+        "//google/rpc:status_proto",
+        "@com_google_protobuf//:any_proto",
+        "@com_google_protobuf//:struct_proto",
+    ],
+)
+
+py_proto_library(
+    name = "audit_py_proto",
+    deps = [":audit_moved_proto"],
+)
+
+py_grpc_library(
+    name = "audit_py_grpc",
+    srcs = [":audit_moved_proto"],
+    deps = [":audit_py_proto"],
+)
+
+##############################################################################
+# PHP
+##############################################################################
+load(
+    "@com_google_googleapis_imports//:imports.bzl",
+    "php_grpc_library",
+    "php_proto_library",
+)
+
+php_proto_library(
+    name = "audit_php_proto",
+    deps = [":audit_proto"],
+)
+
+php_grpc_library(
+    name = "audit_php_grpc",
+    srcs = [":audit_proto"],
+    deps = [":audit_php_proto"],
+)
+
+##############################################################################
+# Node.js
+##############################################################################
+load(
+    "@com_google_googleapis_imports//:imports.bzl",
+    "nodejs_gapic_assembly_pkg",
+    "nodejs_gapic_library",
+)
+
+
+##############################################################################
+# Ruby
+##############################################################################
+load(
+    "@com_google_googleapis_imports//:imports.bzl",
+    "ruby_grpc_library",
+    "ruby_proto_library",
+)
+
+ruby_proto_library(
+    name = "audit_ruby_proto",
+    deps = [":audit_proto"],
+)
+
+ruby_grpc_library(
+    name = "audit_ruby_grpc",
+    srcs = [":audit_proto"],
+    deps = [":audit_ruby_proto"],
+)
+
+##############################################################################
+# C#
+##############################################################################
+load(
+    "@com_google_googleapis_imports//:imports.bzl",
+    "csharp_grpc_library",
+    "csharp_proto_library",
+)
+
+csharp_proto_library(
+    name = "audit_csharp_proto",
+    deps = [":audit_proto"],
+)
+
+csharp_grpc_library(
+    name = "audit_csharp_grpc",
+    srcs = [":audit_proto"],
+    deps = [":audit_csharp_proto"],
+)
+
+##############################################################################
+# C++
+##############################################################################
+# Put your C++ code here
diff --git a/google/cloud/audit/audit_log.proto b/google/cloud/audit/audit_log.proto
@@ -1,4 +1,4 @@
-// Copyright 2016 Google Inc.
+// Copyright 2020 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -16,11 +16,12 @@ syntax = "proto3";
 
 package google.cloud.audit;
 
-import "google/api/annotations.proto";
 import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
+import "google/rpc/context/attribute_context.proto";
 import "google/rpc/status.proto";
 
+option cc_enable_arenas = true;
 option go_package = "google.golang.org/genproto/googleapis/cloud/audit;audit";
 option java_multiple_files = true;
 option java_outer_classname = "AuditLogProto";
@@ -48,6 +49,18 @@ message AuditLog {
   //     "shelves/SHELF_ID/books/BOOK_ID"
   string resource_name = 11;
 
+  // The resource location information.
+  ResourceLocation resource_location = 20;
+
+  // The resource's original state before mutation. Present only for
+  // operations which have successfully modified the targeted resource(s).
+  // In general, this field should contain all changed fields, except those
+  // that are already been included in `request`, `response`, `metadata` or
+  // `service_data` fields.
+  // When the JSON object represented here has a proto equivalent,
+  // the proto name will be indicated in the `@type` property.
+  google.protobuf.Struct resource_original_state = 19;
+
   // The number of items returned from a List or Query API method,
   // if applicable.
   int64 num_response_items = 12;
@@ -82,22 +95,58 @@ message AuditLog {
   // name will be indicated in the `@type` property.
   google.protobuf.Struct response = 17;
 
+  // Other service-specific data about the request, response, and other
+  // information associated with the current audited event.
+  google.protobuf.Struct metadata = 18;
+
+  // Deprecated, use `metadata` field instead.
   // Other service-specific data about the request, response, and other
   // activities.
   google.protobuf.Any service_data = 15;
 }
 
 // Authentication information for the operation.
 message AuthenticationInfo {
-  // The email address of the authenticated user making the request.
+  // The email address of the authenticated user (or service account on behalf
+  // of third party principal) making the request. For privacy reasons, the
+  // principal email address is redacted for all read-only operations that fail
+  // with a "permission denied" error.
   string principal_email = 1;
+
+  // The authority selector specified by the requestor, if any.
+  // It is not guaranteed that the principal was allowed to use this authority.
+  string authority_selector = 2;
+
+  // The third party identification (if any) of the authenticated user making
+  // the request.
+  // When the JSON object represented here has a proto equivalent, the proto
+  // name will be indicated in the `@type` property.
+  google.protobuf.Struct third_party_principal = 4;
+
+  // The name of the service account key used to create or exchange
+  // credentials for authenticating the service account making the request.
+  // This is a scheme-less URI full resource name. For example:
+  //
+  // "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}"
+  string service_account_key_name = 5;
+
+  // Identity delegation history of an authenticated service account that makes
+  // the request. It contains information on the real authorities that try to
+  // access GCP resources by delegating on a service account. When multiple
+  // authorities present, they are guaranteed to be sorted based on the original
+  // ordering of the identity delegation events.
+  repeated ServiceAccountDelegationInfo service_account_delegation_info = 6;
+
+  // String representation of identity of requesting party.
+  // Populated for both first and third party identities.
+  string principal_subject = 8;
 }
 
 // Authorization information for the operation.
 message AuthorizationInfo {
   // The resource being accessed, as a REST-style string. For example:
   //
-  //     bigquery.googlapis.com/projects/PROJECTID/datasets/DATASETID
+  //     bigquery.googleapis.com/projects/PROJECTID/datasets/DATASETID
   string resource = 1;
 
   // The required IAM permission.
@@ -106,11 +155,27 @@ message AuthorizationInfo {
   // Whether or not authorization for `resource` and `permission`
   // was granted.
   bool granted = 3;
+
+  // Resource attributes used in IAM condition evaluation. This field contains
+  // resource attributes like resource type and resource name.
+  //
+  // To get the whole view of the attributes used in IAM
+  // condition evaluation, the user must also look into
+  // `AuditLog.request_metadata.request_attributes`.
+  google.rpc.context.AttributeContext.Resource resource_attributes = 5;
 }
 
 // Metadata about the request.
 message RequestMetadata {
   // The IP address of the caller.
+  // For caller from internet, this will be public IPv4 or IPv6 address.
+  // For caller from a Compute Engine VM with external IP address, this
+  // will be the VM's external IP address. For caller from a Compute
+  // Engine VM without external IP address, if the VM is in the same
+  // organization (or project) as the accessed resource, `caller_ip` will
+  // be the VM's internal IPv4 address, otherwise the `caller_ip` will be
+  // redacted to "gce-internal-ip".
+  // See https://cloud.google.com/compute/docs/vpc/ for more information.
   string caller_ip = 1;
 
   // The user agent of the caller.
@@ -125,4 +190,81 @@ message RequestMetadata {
   // s~my-project`:
   //     The request was made from the `my-project` App Engine app.
   string caller_supplied_user_agent = 2;
+
+  // The network of the caller.
+  // Set only if the network host project is part of the same GCP organization
+  // (or project) as the accessed resource.
+  // See https://cloud.google.com/compute/docs/vpc/ for more information.
+  // This is a scheme-less URI full resource name. For example:
+  //
+  //     "//compute.googleapis.com/projects/PROJECT_ID/global/networks/NETWORK_ID"
+  string caller_network = 3;
+
+  // Request attributes used in IAM condition evaluation. This field contains
+  // request attributes like request time and access levels associated with
+  // the request.
+  //
+  //
+  // To get the whole view of the attributes used in IAM
+  // condition evaluation, the user must also look into
+  // `AuditLog.authentication_info.resource_attributes`.
+  google.rpc.context.AttributeContext.Request request_attributes = 7;
+
+  // The destination of a network activity, such as accepting a TCP connection.
+  // In a multi hop network activity, the destination represents the receiver of
+  // the last hop. Only two fields are used in this message, Peer.port and
+  // Peer.ip. These fields are optionally populated by those services utilizing
+  // the IAM condition feature.
+  google.rpc.context.AttributeContext.Peer destination_attributes = 8;
+}
+
+// Location information about a resource.
+message ResourceLocation {
+  // The locations of a resource after the execution of the operation.
+  // Requests to create or delete a location based resource must populate
+  // the 'current_locations' field and not the 'original_locations' field.
+  // For example:
+  //
+  //     "europe-west1-a"
+  //     "us-east1"
+  //     "nam3"
+  repeated string current_locations = 1;
+
+  // The locations of a resource prior to the execution of the operation.
+  // Requests that mutate the resource's location must populate both the
+  // 'original_locations' as well as the 'current_locations' fields.
+  // For example:
+  //
+  //     "europe-west1-a"
+  //     "us-east1"
+  //     "nam3"
+  repeated string original_locations = 2;
+}
+
+// Identity delegation history of an authenticated service account.
+message ServiceAccountDelegationInfo {
+  // First party identity principal.
+  message FirstPartyPrincipal {
+    // The email address of a Google account.
+    string principal_email = 1;
+
+    // Metadata about the service that uses the service account.
+    google.protobuf.Struct service_metadata = 2;
+  }
+
+  // Third party identity principal.
+  message ThirdPartyPrincipal {
+    // Metadata about third party identity.
+    google.protobuf.Struct third_party_claims = 1;
+  }
+
+  // Entity that creates credentials for service account and assumes its
+  // identity for authentication.
+  oneof Authority {
+    // First party (Google) identity as the real authority.
+    FirstPartyPrincipal first_party_principal = 1;
+
+    // Third party identity as the real authority.
+    ThirdPartyPrincipal third_party_principal = 2;
+  }
 }
diff --git a/google/cloud/audit/cloudaudit.yaml b/google/cloud/audit/cloudaudit.yaml
@@ -0,0 +1,7 @@
+type: google.api.Service
+config_version: 2
+name: cloudaudit.googleapis.com
+title: Audit Log
+
+types:
+- name: google.cloud.audit.AuditLog
