// Copyright 2021 Lightbend Inc.

// All extension points for Akka Serverless

syntax = "proto3";

package akkaserverless;

option go_package = "github.com/lightbend/akkaserverless-go-sdk/akkaserverless;akkaserverless";
option java_multiple_files = true;
option java_outer_classname = "JwtProto";
option java_package = "com.akkaserverless";

message JwtFieldOptions {
  // Describes how a particular field gets included as a claim in a JWT.
  enum JwtClaimInclude {
    // Don't include this field in the JWT.
    UNSPECIFIED = 0;
    // Include this field in the JWT. The field will be converted to JSON. If it is a message or repeated field,
    // it will not be descended into, but will be included in its JSON form.
    INCLUDE = 1;
    // Extract the value for this field from the JWT. When validating messages, if this field is empty, the value
    // for it will be replaced with the value from the JWT, otherwise, it will be validated against the claim in
    // the JWT. When signing messages, this has exactly the same operation as INCLUDE.
    EXTRACT = 2;
    // Descend into this field, including the claims in the child message as claims in this message. Only valid for
    // non repeated message fields.
    DESCEND = 3;
    // Nest the claims in this field inside an object or array in this claim. Only valid on message fields. If repeated,
    // the claim will contain an array of the claims extracted from each message.
    NEST = 4;
    // Indicates that this field contains a raw set of claims. The type of the field must be a map of strings to
    // json serializable values.
    //
    // When deserializing, whatever value is contained in this field is overwritten - the value is not validated to
    // ensure it matches the incoming claims. Any claims that can't be deserialized to the value type of the map will
    // be ignored. Multiple fields in a message with different value types can be used to capture raw claims of
    // different types.
    //
    // When serializing, the value in this message is used as the claims for the JWT (plus any other claim or raw
    // annotated fields), and the value of the field will be blanked to zero before serialising to protobuf.
    RAW = 5;
  }
  // The inclusion strategy for this field as a claim.
  JwtClaimInclude claim = 1;
  // The name of the claim for this field. Only valid for fields with a claim annotation of INCLUDE or NEST. If not
  // set, the name will be the name of this field.
  string name = 2;
  // Indicates that this field contains a token, either to be validated, or to be written to.
  // If the field is a single string, then the JWT claim for the containing message will be written to it.
  // If the field is a message or repeated field of messages, then this instructs validation and signing to descend
  // into the message or messages, and validate/sign each one according to the annotations present. If no token
  // annotation is present in the child message, an error will be raised.
  bool token = 3;
  // If this token annotated field is a child message of a parent, include the claims from the parent in the token.
  bool include_parent_claims = 4;
  // A list of bearer token claims to include when signing or validating a token annotated field.
  //
  // The most common use case for this will be pinning tokens contained in this message to the subject in the bearer
  // token, to ensure that the tokens in the message can't be used by other subjects.
  //
  // Bearer token claims will only be included if the method is configured to validate the bearer token, otherwise,
  // validation will fail if the claim can't be read.
  repeated string include_bearer_token_claim = 5;
  // If set, then when validating a token, only accept the token if it comes from this issuer, and when signing, set
  // the issuer to this value.
  //
  // This can be used in combination with the issuer field of configuration for JWT secrets, if there is at least one
  // secret that has this issuer set, then only those secrets with that issuer set will be used for validating or
  // signing this token, so you can be sure that the token did come from a particular issuer.
  //
  // If an issuer (iss) claim is extracted from another field, this configuration, if set, will override that.
  repeated string issuer = 6;
  // When signing, set the expires claim to be in this many seconds.
  //
  // If unset or zero, will default to 3600 (1 hour). Set to -1 for no expiry.
  //
  // This configuration will override any expiry (exp) claim extracted from other fields. Leave unset, or set to -1,
  // to allow the expiry to be dynamically set.
  int64 expires_seconds = 7;
}

message JwtMessageOptions {
  // Indicates that the token that this message should be validated against is the bearer token, rather than a token
  // annotated field.
  bool validate_bearer_token = 1;
}

message JwtMethodOptions {
  enum JwtMethodMode {
    // No validation.
    UNSPECIFIED = 0;
    // Validate the bearer token.
    BEARER_TOKEN = 1;
    // Validate/sign a token field in the message against the message fields.
    //
    // If present, the message must have a token annotated field or the message itself must have validate_bearer_token
    // set to true.
    MESSAGE = 2;
  }
  repeated JwtMethodMode validate = 1;
  repeated JwtMethodMode sign = 2;
  // If set, then the token extracted from the bearer token must have this issuer.
  //
  // This can be used in combination with the issuer field of configuration for JWT secrets, if there is at least one
  // secret that has this issuer set, then only those secrets with that issuer set will be used for validating or
  // signing this token, so you can be sure that the token did come from a particular issuer.
  repeated string bearer_token_issuer = 3;
}