syntax = "proto3";

package iam_pb;

option go_package = "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb";
option java_package = "seaweedfs.client";
option java_outer_classname = "IamProto";

//////////////////////////////////////////////////
// IAM control plane for the S3 gateway: configuration, users, access keys,
// policies and service accounts.
//
// Security notes for implementers and callers:
//  - Nothing in this contract carries the caller's identity or an
//    authorization decision. Every RPC is a privileged administrative
//    operation, and several of them (GetConfiguration, GetUser,
//    GetUserByAccessKey, GetServiceAccount, ListServiceAccounts,
//    GetServiceAccountByAccessKey) return Credential.secret_key in the clear.
//    NOTE(review): the server is presumably expected to authenticate and
//    authorize the gRPC peer before dispatching, and the transport to be
//    encrypted — confirm against the server implementation and deployment.
//  - Key material is client-supplied: CreateAccessKey and
//    CreateServiceAccount carry a full Credential (access_key + secret_key)
//    in the request and return an empty response, so generating
//    sufficiently random secrets is the caller's responsibility unless the
//    server fills in empty values (not visible from this file).
service SeaweedIdentityAccessManagement {
  // Configuration Management

  // Returns the complete S3ApiConfiguration: every Identity with all of its
  // credentials (secret keys included), accounts, service accounts and
  // policies. Treat the response as secret material.
  rpc GetConfiguration (GetConfigurationRequest) returns (GetConfigurationResponse);
  // Submits a complete S3ApiConfiguration. Whether the server replaces or
  // merges the stored configuration is not visible from this contract.
  rpc PutConfiguration (PutConfigurationRequest) returns (PutConfigurationResponse);

  // User Management

  // Creates a user from a caller-supplied Identity. The Identity carries the
  // user's credentials, actions, policy_names and service_account_ids, i.e.
  // the caller chooses the new user's privileges; the server should validate
  // them rather than store the message verbatim.
  rpc CreateUser (CreateUserRequest) returns (CreateUserResponse);
  // Looks up a user by name. The returned Identity includes all of the
  // user's credentials, secret keys included.
  rpc GetUser (GetUserRequest) returns (GetUserResponse);
  // Replaces a user's Identity. The request carries both a username and an
  // Identity with its own name; which one is authoritative when they differ
  // is not visible here.
  rpc UpdateUser (UpdateUserRequest) returns (UpdateUserResponse);
  // Deletes a user by name.
  rpc DeleteUser (DeleteUserRequest) returns (DeleteUserResponse);
  // Lists usernames only — no credentials are returned by this call.
  rpc ListUsers (ListUsersRequest) returns (ListUsersResponse);

  // Access Key Management

  // Attaches a caller-supplied Credential (access_key and secret_key) to a
  // user. The response is empty, so the server does not hand back generated
  // key material on this path.
  rpc CreateAccessKey (CreateAccessKeyRequest) returns (CreateAccessKeyResponse);
  // Removes one access key, identified by its public access_key id, from a
  // user.
  rpc DeleteAccessKey (DeleteAccessKeyRequest) returns (DeleteAccessKeyResponse);
  // Resolves an access_key id to the owning Identity. The response is the
  // full Identity, including every credential's secret_key, not just the
  // credential that was looked up.
  rpc GetUserByAccessKey (GetUserByAccessKeyRequest) returns (GetUserByAccessKeyResponse);

  // Policy Management

  // Stores a named policy whose content is a JSON document (see Policy).
  // NOTE(review): the content is untrusted input — it should be parsed,
  // validated and size-limited server-side before being stored or applied.
  rpc PutPolicy (PutPolicyRequest) returns (PutPolicyResponse);
  // Fetches one policy by name.
  rpc GetPolicy (GetPolicyRequest) returns (GetPolicyResponse);
  // Lists all policies with their full content.
  rpc ListPolicies (ListPoliciesRequest) returns (ListPoliciesResponse);
  // Deletes a policy by name. Identity.policy_names entries that still
  // reference it are not updated by this contract; how dangling references
  // are handled is a server concern.
  rpc DeletePolicy (DeletePolicyRequest) returns (DeletePolicyResponse);

  // Service Account Management

  // Creates a service account from a caller-supplied ServiceAccount message.
  // id, credential, actions, expiration, created_at and created_by are all
  // fields of the request; the server should derive created_by from the
  // authenticated caller and enforce that actions are a subset of the parent
  // user's rather than trusting the supplied values — confirm in the
  // implementation.
  rpc CreateServiceAccount (CreateServiceAccountRequest) returns (CreateServiceAccountResponse);
  // Replaces a service account. The request carries both an id and a
  // ServiceAccount with its own id; which one is authoritative is not
  // visible here. Changing parent_user via this path would re-home the
  // credential under another user — the server should reject or ignore that.
  rpc UpdateServiceAccount (UpdateServiceAccountRequest) returns (UpdateServiceAccountResponse);
  // Deletes a service account by id.
  rpc DeleteServiceAccount (DeleteServiceAccountRequest) returns (DeleteServiceAccountResponse);
  // Fetches one service account, including its credential's secret_key.
  rpc GetServiceAccount (GetServiceAccountRequest) returns (GetServiceAccountResponse);
  // Lists every service account with its full credential. Unlike ListUsers
  // this is not a names-only listing.
  rpc ListServiceAccounts (ListServiceAccountsRequest) returns (ListServiceAccountsResponse);
  // Resolves an access_key id to the owning ServiceAccount (full message,
  // secret_key included).
  rpc GetServiceAccountByAccessKey (GetServiceAccountByAccessKeyRequest) returns (GetServiceAccountByAccessKeyResponse);
}
//////////////////////////////////////////////////
// Configuration Management Messages

// Request for GetConfiguration. Intentionally empty; fields may be added later.
message GetConfigurationRequest {
}

// Response for GetConfiguration. Carries the full configuration, including
// every Credential.secret_key reachable through identities and
// service_accounts.
message GetConfigurationResponse {
  S3ApiConfiguration configuration = 1;
}

// Request for PutConfiguration: a complete S3ApiConfiguration.
message PutConfigurationRequest {
  S3ApiConfiguration configuration = 1;
}

// Response for PutConfiguration. Empty on success.
message PutConfigurationResponse {
}

//////////////////////////////////////////////////
// User Management Messages

// Request for CreateUser. The Identity is fully caller-supplied, including
// credentials, actions and policy_names.
message CreateUserRequest {
  Identity identity = 1;
}

// Response for CreateUser. Empty on success.
message CreateUserResponse {
}

// Request for GetUser, keyed by Identity.name.
message GetUserRequest {
  string username = 1;
}

// Response for GetUser. The Identity includes all credentials with their
// secret keys.
message GetUserResponse {
  Identity identity = 1;
}

// Request for UpdateUser. `username` selects the user; `identity` is the
// replacement. NOTE(review): Identity.name may differ from username —
// the server presumably keys on username; confirm.
message UpdateUserRequest {
  string username = 1;
  Identity identity = 2;
}

// Response for UpdateUser. Empty on success.
message UpdateUserResponse {
}

// Request for DeleteUser, keyed by Identity.name.
message DeleteUserRequest {
  string username = 1;
}

// Response for DeleteUser. Empty on success.
message DeleteUserResponse {
}

// Request for ListUsers. No filtering or pagination fields are defined.
message ListUsersRequest {
}

// Response for ListUsers: usernames only, no credential material.
message ListUsersResponse {
  repeated string usernames = 1;
}

//////////////////////////////////////////////////
// Access Key Management Messages

// Request for CreateAccessKey. The Credential (access_key and secret_key) is
// supplied by the caller; the matching response is empty, so nothing is
// generated and returned by the server on this path.
message CreateAccessKeyRequest {
  string username = 1;
  Credential credential = 2;
}

// Response for CreateAccessKey. Empty on success.
message CreateAccessKeyResponse {
}

// Request for DeleteAccessKey: the user and the public access_key id to remove.
message DeleteAccessKeyRequest {
  string username = 1;
  string access_key = 2;
}

// Response for DeleteAccessKey. Empty on success.
message DeleteAccessKeyResponse {
}

// Request for GetUserByAccessKey, keyed by the public access_key id.
message GetUserByAccessKeyRequest {
  string access_key = 1;
}

// Response for GetUserByAccessKey: the whole owning Identity, including all
// of its credentials' secret keys.
message GetUserByAccessKeyResponse {
  Identity identity = 1;
}

// Request to list a user's access keys. Not referenced by any rpc in the
// SeaweedIdentityAccessManagement service in this file.
message ListAccessKeysRequest {
  string username = 1;
}

// Response listing a user's credentials, secret keys included. Not referenced
// by any rpc in the service in this file.
message ListAccessKeysResponse {
  repeated Credential access_keys = 1;
}

// User Policy Management Messages
// None of the *UserPolicy* messages below are referenced by an rpc in the
// service defined in this file; they may be used by another service or be
// reserved for future use.

// Attach an inline policy document (JSON, untrusted input) to a user.
message PutUserPolicyRequest {
  string username = 1;
  string policy_name = 2;
  string policy_document = 3;
}

// Response for PutUserPolicy. Empty on success.
message PutUserPolicyResponse {
}

// Fetch one inline user policy by user and policy name.
message GetUserPolicyRequest {
  string username = 1;
  string policy_name = 2;
}

// Response for GetUserPolicy: echoes the key fields plus the document.
message GetUserPolicyResponse {
  string username = 1;
  string policy_name = 2;
  string policy_document = 3;
}

// Remove one inline user policy by user and policy name.
message DeleteUserPolicyRequest {
  string username = 1;
  string policy_name = 2;
}

// Response for DeleteUserPolicy. Empty on success.
message DeleteUserPolicyResponse {
}

//////////////////////////////////////////////////

// The complete IAM state of the S3 gateway. Because identities and
// service_accounts embed Credential messages, a serialized
// S3ApiConfiguration contains every secret key in the system and must be
// stored and transmitted accordingly.
message S3ApiConfiguration {
  repeated Identity identities = 1;
  repeated Account accounts = 2;
  repeated ServiceAccount service_accounts = 3;
  repeated Policy policies = 4;
}

// A user of the S3 gateway: its credentials and what it is allowed to do.
message Identity {
  // Unique user name; used as the key by GetUser/UpdateUser/DeleteUser.
  string name = 1;
  // All access key pairs for this user, secret keys included.
  repeated Credential credentials = 2;
  // Actions this user may perform (free-form strings; the vocabulary is
  // defined by the server, not by this schema).
  repeated string actions = 3;
  // Owning account.
  Account account = 4;
  // User status: false = enabled (default), true = disabled.
  // proto3 has no presence for bool, so a message that omits this field
  // describes an enabled user.
  bool disabled = 5;
  // IDs of service accounts owned by this user.
  repeated string service_account_ids = 6;
  // Names of Policy entries (see S3ApiConfiguration.policies) attached to
  // this user. Nothing in the schema guarantees each name resolves.
  repeated string policy_names = 7;
}

// An S3-style access key pair. Both halves travel together in every message
// that embeds this type; there is no "public view" of a Credential.
message Credential {
  // Public key id; the lookup key for GetUserByAccessKey and
  // GetServiceAccountByAccessKey.
  string access_key = 1;
  // Plaintext shared secret. Sensitive.
  string secret_key = 2;
  // Access key status: "Active" or "Inactive".
  // NOTE(review): this is a free-form string, not an enum, so an empty or
  // misspelled value is possible on the wire. The server should accept a key
  // only on an exact match with the active value and treat anything else as
  // inactive (fail closed) — confirm in the implementation.
  string status = 3;
}

// Account that owns one or more identities.
message Account {
  string id = 1;
  string display_name = 2;
  string email_address = 3;
}

// ServiceAccount represents a service account - special credentials for applications.
// Service accounts are linked to a parent user and can have restricted permissions.
// Every field here is caller-supplied in CreateServiceAccountRequest and
// UpdateServiceAccountRequest; the invariants described in the field comments
// (actions ⊆ parent's, created_by = actual creator, …) can only be enforced
// by the server.
message ServiceAccount {
  string id = 1;             // Unique identifier (e.g., "sa-xxxxx")
  string parent_user = 2;    // Parent identity name (Identity.name)
  string description = 3;    // Optional description
  Credential credential = 4; // Access key/secret for this service account (secret_key in the clear)
  repeated string actions = 5; // Allowed actions; intended to be a subset of the parent's
                               // Identity.actions, which the server must check — the
                               // schema cannot.
  int64 expiration = 6;      // Unix timestamp, 0 = no expiration. Units (seconds vs.
                             // milliseconds) are not stated here — confirm against the
                             // server. Because 0 is also the proto3 default, omitting
                             // this field yields a never-expiring credential.
  bool disabled = 7;         // Status: false = enabled (default); omitted means enabled
  int64 created_at = 8;      // Creation timestamp (same unit caveat as expiration)
  string created_by = 9;     // Who created this service account. Client-supplied on
                             // create; the server should set it from the authenticated
                             // caller rather than trust the request — confirm.
}

// Request for PutPolicy: policy name and JSON content.
message PutPolicyRequest {
  string name = 1;
  string content = 2;
}

// Response for PutPolicy. Empty on success.
message PutPolicyResponse {
}

// Request for GetPolicy, keyed by Policy.name.
message GetPolicyRequest {
  string name = 1;
}

// Response for GetPolicy.
message GetPolicyResponse {
  string name = 1;
  string content = 2;
}

// Request for ListPolicies. No filtering or pagination fields are defined.
message ListPoliciesRequest {
}

// Response for ListPolicies: every policy with its full content.
message ListPoliciesResponse {
  repeated Policy policies = 1;
}

// Request for DeletePolicy, keyed by Policy.name.
message DeletePolicyRequest {
  string name = 1;
}

// Response for DeletePolicy. Empty on success.
message DeletePolicyResponse {
}

// A named authorization policy.
message Policy {
  string name = 1;
  string content = 2; // JSON content of the policy; opaque to this schema and
                      // untrusted until the server has parsed and validated it.
}

//////////////////////////////////////////////////
// Service Account Messages

// Request for CreateServiceAccount. All ServiceAccount fields, including id,
// credential, expiration and created_by, come from the caller.
message CreateServiceAccountRequest {
  ServiceAccount service_account = 1;
}

// Response for CreateServiceAccount. Empty on success; no generated id or
// key material is returned on this path.
message CreateServiceAccountResponse {
}

// Request for UpdateServiceAccount. `id` selects the account; `service_account`
// is the replacement. NOTE(review): service_account.id and parent_user are
// also present — which id is authoritative, and whether parent_user may
// change, are server decisions not visible here.
message UpdateServiceAccountRequest {
  string id = 1;
  ServiceAccount service_account = 2;
}

// Response for UpdateServiceAccount. Empty on success.
message UpdateServiceAccountResponse {
}

// Request for DeleteServiceAccount, keyed by ServiceAccount.id.
message DeleteServiceAccountRequest {
  string id = 1;
}

// Response for DeleteServiceAccount. Empty on success.
message DeleteServiceAccountResponse {
}

// Request for GetServiceAccount, keyed by ServiceAccount.id.
message GetServiceAccountRequest {
  string id = 1;
}

// Response for GetServiceAccount: the full ServiceAccount, credential included.
message GetServiceAccountResponse {
  ServiceAccount service_account = 1;
}

// Request for ListServiceAccounts. No filtering or pagination fields are defined.
message ListServiceAccountsRequest {
}

// Response for ListServiceAccounts: every service account with its full
// credential (secret keys included).
message ListServiceAccountsResponse {
  repeated ServiceAccount service_accounts = 1;
}

// Request for GetServiceAccountByAccessKey, keyed by the public access_key id.
message GetServiceAccountByAccessKeyRequest {
  string access_key = 1;
}

// Response for GetServiceAccountByAccessKey: the full owning ServiceAccount.
message GetServiceAccountByAccessKeyResponse {
  ServiceAccount service_account = 1;
}

//////////////////////////////////////////////////
// S3 IAM Cache Management
// Designed for unidirectional propagation from Filer to S3 Servers.
// These messages are not referenced by any rpc in this file; presumably they
// are used by a service declared elsewhere.

// Push one Identity (credentials included) into an S3 server's IAM cache.
message PutIdentityRequest {
  Identity identity = 1;
}

// Response for PutIdentity. Empty on success.
message PutIdentityResponse {
}

// Evict one Identity from an S3 server's IAM cache, keyed by Identity.name.
message RemoveIdentityRequest {
  string username = 1;
}

// Response for RemoveIdentity. Empty on success.
message RemoveIdentityResponse {
}