diff --git a/internal/auth/auth.go b/internal/auth/auth.go index 2cf56e63..d3f07f5b 100644 --- a/internal/auth/auth.go +++ b/internal/auth/auth.go @@ -4,9 +4,9 @@ import ( "context" "errors" "fmt" - "plugin" "ydbcp/internal/config" + "ydbcp/internal/plugin" "ydbcp/internal/util/xlog" "ydbcp/pkg/plugins/auth" @@ -27,30 +27,8 @@ var ( ErrGetAuthToken = errors.New("can't get auth token") ) -func NewAuthProvider(ctx context.Context, cfg config.AuthConfig) (auth.AuthProvider, error) { - xlog.Info(ctx, "Loading auth provider plugin", zap.String("PluginPath", cfg.PluginPath)) - - plug, err := plugin.Open(cfg.PluginPath) - if err != nil { - return nil, fmt.Errorf("can't load auth provider plugin, path %s: %w", cfg.PluginPath, err) - } - symbol, err := plug.Lookup("AuthProvider") - if err != nil { - return nil, fmt.Errorf("can't lookup AuthProvider symbol, plugin path %s: %w", cfg.PluginPath, err) - } - var instance auth.AuthProvider - instance, ok := symbol.(auth.AuthProvider) - if !ok { - return nil, fmt.Errorf("can't cast AuthProvider symbol, plugin path %s", cfg.PluginPath) - } - pluginConfig, err := cfg.ConfigurationString() - if err != nil { - return nil, fmt.Errorf("can't get auth provider configuration: %w", err) - } - if err = instance.Init(ctx, pluginConfig); err != nil { - return nil, fmt.Errorf("can't initialize auth provider plugin: %w", err) - } - return instance, nil +func NewAuthProvider(ctx context.Context, cfg config.PluginConfig) (auth.AuthProvider, error) { + return plugin.Load[auth.AuthProvider](ctx, cfg, "AuthProvider", "auth") } func Authenticate(ctx context.Context, provider auth.AuthProvider) (string, error) { diff --git a/internal/config/config.go b/internal/config/config.go index 331a9638..921345cb 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -45,7 +45,7 @@ type ClientConnectionConfig struct { AllowInsecureEndpoint bool `yaml:"allow_insecure_endpoint" default:"false"` } -type AuthConfig struct { +type PluginConfig struct { PluginPath string `yaml:"plugin_path"` Configuration interface{} `yaml:"configuration"` } @@ -95,7 +95,7 @@ type Config struct { DBConnection YDBConnectionConfig `yaml:"db_connection"` ClientConnection ClientConnectionConfig `yaml:"client_connection"` S3 S3Config `yaml:"s3"` - Auth AuthConfig `yaml:"auth"` + Auth PluginConfig `yaml:"auth"` GRPCServer GRPCServerConfig `yaml:"grpc_server"` MetricsServer MetricsServerConfig `yaml:"metrics_server"` OperationProcessor OperationProcessorConfig `yaml:"operation_processor"` @@ -223,7 +223,7 @@ func (c *S3Config) SecretKey() (string, error) { } -func (c *AuthConfig) ConfigurationString() (string, error) { +func (c *PluginConfig) ConfigurationString() (string, error) { txt, err := yaml.Marshal(c.Configuration) if err != nil { return "", fmt.Errorf("can't marshal Auth.Configuration to YAML: %w", err) diff --git a/internal/kms/kms.go b/internal/kms/kms.go new file mode 100644 index 00000000..3323f7d9 --- /dev/null +++ b/internal/kms/kms.go @@ -0,0 +1,13 @@ +package kms + +import ( + "context" + + "ydbcp/internal/config" + "ydbcp/internal/plugin" + "ydbcp/pkg/plugins/kms" +) + +func NewKmsProvider(ctx context.Context, cfg config.PluginConfig) (kms.KmsProvider, error) { + return plugin.Load[kms.KmsProvider](ctx, cfg, "KmsProvider", "kms") +} diff --git a/internal/kms/mock.go b/internal/kms/mock.go new file mode 100644 index 00000000..aa697144 --- /dev/null +++ b/internal/kms/mock.go @@ -0,0 +1,84 @@ +package kms + +import ( + "context" + "fmt" + + "ydbcp/pkg/plugins/kms" +) + +type MockKmsProvider struct { + keys map[string][]byte +} + +func NewMockKmsProvider(keys map[string][]byte) *MockKmsProvider { + return &MockKmsProvider{ + keys: keys, + } +} + +func (p *MockKmsProvider) Init(_ context.Context, _ string) error { + if p.keys == nil { + p.keys = make(map[string][]byte) + } + return nil +} + +func (p *MockKmsProvider) Close(_ context.Context) error { + p.keys = nil + return nil +} + +func xor(data []byte, key []byte) []byte { + out := make([]byte, len(data)) + for i := range data { + out[i] = data[i] ^ key[i%len(key)] + } + return out +} + +func (p *MockKmsProvider) Encrypt( + _ context.Context, + req *kms.EncryptRequest, +) (*kms.EncryptResponse, error) { + if req == nil { + return nil, fmt.Errorf("mock kms: encrypt request is nil") + } + if len(req.Plaintext) == 0 { + return &kms.EncryptResponse{KeyID: req.KeyID}, nil + } + + key, ok := p.keys[req.KeyID] + if !ok { + return nil, fmt.Errorf("mock kms: key not found") + } + + ciphertext := xor(req.Plaintext, key) + return &kms.EncryptResponse{ + KeyID: req.KeyID, + Ciphertext: ciphertext, + }, nil +} + +func (p *MockKmsProvider) Decrypt( + _ context.Context, + req *kms.DecryptRequest, +) (*kms.DecryptResponse, error) { + if req == nil { + return nil, fmt.Errorf("mock kms: decrypt request is nil") + } + if len(req.Ciphertext) == 0 { + return &kms.DecryptResponse{KeyID: req.KeyID}, nil + } + + key, ok := p.keys[req.KeyID] + if !ok { + return nil, fmt.Errorf("mock kms: key not found") + } + + plaintext := xor(req.Ciphertext, key) + return &kms.DecryptResponse{ + KeyID: req.KeyID, + Plaintext: plaintext, + }, nil +} diff --git a/internal/plugin/plugin.go b/internal/plugin/plugin.go new file mode 100644 index 00000000..c33bc815 --- /dev/null +++ b/internal/plugin/plugin.go @@ -0,0 +1,55 @@ +package plugin + +import ( + "context" + "fmt" + "plugin" + + "ydbcp/internal/config" + "ydbcp/internal/util/xlog" + + "go.uber.org/zap" +) + +type Plugin interface { + Init(ctx context.Context, config string) error +} + +// Load loads a Go plugin, looks up the provided symbol name and initializes it with the +// plugin configuration. The type parameter must be an interface that embeds the Init method. +func Load[T Plugin]( + ctx context.Context, + cfg config.PluginConfig, + symbolName string, + pluginKind string, +) (T, error) { + var zero T + + xlog.Info(ctx, fmt.Sprintf("Loading %s plugin", pluginKind), zap.String("plugin_path", cfg.PluginPath)) + + plug, err := plugin.Open(cfg.PluginPath) + if err != nil { + return zero, fmt.Errorf("can't load %s plugin, path %s: %w", pluginKind, cfg.PluginPath, err) + } + + symbol, err := plug.Lookup(symbolName) + if err != nil { + return zero, fmt.Errorf("can't lookup %s symbol, plugin path %s: %w", symbolName, cfg.PluginPath, err) + } + + instance, ok := symbol.(T) + if !ok { + return zero, fmt.Errorf("can't cast %s symbol, plugin path %s", symbolName, cfg.PluginPath) + } + + pluginConfig, err := cfg.ConfigurationString() + if err != nil { + return zero, fmt.Errorf("can't get %s plugin configuration: %w", pluginKind, err) + } + + if err = instance.Init(ctx, pluginConfig); err != nil { + return zero, fmt.Errorf("can't initialize %s plugin: %w", pluginKind, err) + } + + return instance, nil +} diff --git a/internal/util/tls_setup/tls_setup.go b/internal/util/tls_setup/tls_setup.go index 1ddc6c2d..eed1a378 100644 --- a/internal/util/tls_setup/tls_setup.go +++ b/internal/util/tls_setup/tls_setup.go @@ -5,17 +5,53 @@ import ( "crypto/x509" "errors" "fmt" + "os" + "google.golang.org/grpc" "google.golang.org/grpc/credentials" - "os" ) -func LoadTLSCredentials(RootCAPath *string, withInsecure bool) (grpc.DialOption, error) { +func LoadTLSCredentials(rootCAPath *string, withInsecure bool) (grpc.DialOption, error) { + tlsConfig, err := buildTLSConfig(rootCAPath, withInsecure) + if err != nil { + return nil, err + } + return grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), nil +} + +func LoadMTLSCredentials( + rootCAPath *string, + clientCertPath *string, + clientKeyPath *string, + withInsecure bool, +) (grpc.DialOption, error) { + if clientCertPath == nil || len(*clientCertPath) == 0 { + return nil, fmt.Errorf("client certificate path is required for mTLS") + } + if clientKeyPath == nil || len(*clientKeyPath) == 0 { + return nil, fmt.Errorf("client key path is required for mTLS") + } + + tlsConfig, err := buildTLSConfig(rootCAPath, withInsecure) + if err != nil { + return nil, err + } + + cert, err := tls.LoadX509KeyPair(*clientCertPath, *clientKeyPath) + if err != nil { + return nil, fmt.Errorf("failed to load client certificate/key: %w", err) + } + tlsConfig.Certificates = []tls.Certificate{cert} + + return grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), nil +} + +func buildTLSConfig(rootCAPath *string, withInsecure bool) (*tls.Config, error) { var certPool *x509.CertPool - if RootCAPath != nil && len(*RootCAPath) > 0 { - caBundle, err := os.ReadFile(*RootCAPath) + if rootCAPath != nil && len(*rootCAPath) > 0 { + caBundle, err := os.ReadFile(*rootCAPath) if err != nil { - return nil, fmt.Errorf("unable to read root ca bundle from file %s: %w", *RootCAPath, err) + return nil, fmt.Errorf("unable to read root ca bundle from file %s: %w", *rootCAPath, err) } certPool = x509.NewCertPool() if ok := certPool.AppendCertsFromPEM(caBundle); !ok { @@ -36,5 +72,5 @@ func LoadTLSCredentials(RootCAPath *string, withInsecure bool) (grpc.DialOption, if withInsecure { tlsConfig.InsecureSkipVerify = true } - return grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), nil + return tlsConfig, nil } diff --git a/pkg/plugins/kms/kms.go b/pkg/plugins/kms/kms.go new file mode 100644 index 00000000..a206970e --- /dev/null +++ b/pkg/plugins/kms/kms.go @@ -0,0 +1,32 @@ +package kms + +import "context" + +type EncryptRequest struct { + KeyID string + Plaintext []byte +} + +type EncryptResponse struct { + KeyID string + Ciphertext []byte +} + +type DecryptRequest struct { + KeyID string + Ciphertext []byte +} + +type DecryptResponse struct { + KeyID string + Plaintext []byte +} + +// KmsProvider is an interface that KMS plugins must implement. +type KmsProvider interface { + Init(ctx context.Context, config string) error + Close(ctx context.Context) error + + Encrypt(ctx context.Context, req *EncryptRequest) (*EncryptResponse, error) + Decrypt(ctx context.Context, req *DecryptRequest) (*DecryptResponse, error) +} diff --git a/plugins/kms_nebius/kms_nebius.go b/plugins/kms_nebius/kms_nebius.go new file mode 100644 index 00000000..2a1bf597 --- /dev/null +++ b/plugins/kms_nebius/kms_nebius.go @@ -0,0 +1,127 @@ +package main + +import ( + "context" + "fmt" + + "ydbcp/internal/util/tls_setup" + "ydbcp/internal/util/xlog" + "ydbcp/pkg/plugins/kms" + pb "ydbcp/plugins/kms_nebius/proto" + + "go.uber.org/zap" + "google.golang.org/grpc" + "gopkg.in/yaml.v3" +) + +type kmsProviderNebius struct { + config pluginConfig +} + +type pluginConfig struct { + CryptoServiceEndpoint string `yaml:"crypto_service_endpoint"` + Insecure bool `yaml:"insecure" default:"false"` + RootCAPath string `yaml:"root_ca_path"` + ClientKeyPath string `yaml:"client_key_path"` + ClientCertificatePath string `yaml:"client_certificate_path"` +} + +func (p *kmsProviderNebius) Init(ctx context.Context, rawConfig string) error { + xlog.Info(ctx, "KmsNebiusProvider initialization started", zap.String("config", rawConfig)) + if err := yaml.Unmarshal([]byte(rawConfig), &p.config); err != nil { + xlog.Error(ctx, "Unable to parse configuration", zap.Error(err)) + return fmt.Errorf("kms: unable to parse configuration: %w", err) + } + if len(p.config.CryptoServiceEndpoint) == 0 { + return fmt.Errorf("kms: crypto service endpoint is required in configuration") + } + if len(p.config.RootCAPath) == 0 { + return fmt.Errorf("kms: root ca path is required in configuration") + } + if len(p.config.ClientKeyPath) == 0 { + return fmt.Errorf("kms: client key path is required in configuration") + } + if len(p.config.ClientCertificatePath) == 0 { + return fmt.Errorf("kms: client certificate path is required in configuration") + } + + xlog.Info(ctx, "KmsNebiusProvider was initialized successfully") + return nil +} + +func (p *kmsProviderNebius) Close(ctx context.Context) error { + xlog.Info(ctx, "KmsNebiusProvider was closed") + return nil +} + +func (p *kmsProviderNebius) Encrypt(ctx context.Context, req *kms.EncryptRequest) (*kms.EncryptResponse, error) { + if req == nil { + return nil, fmt.Errorf("kms: encryption request is nil") + } + if len(req.KeyID) == 0 { + return nil, fmt.Errorf("kms: key id is required in encryption request") + } + + tlsOption, err := tls_setup.LoadMTLSCredentials(&p.config.RootCAPath, &p.config.ClientCertificatePath, &p.config.ClientKeyPath, p.config.Insecure) + if err != nil { + return nil, err + } + + grpcClient, err := grpc.NewClient("dns:"+p.config.CryptoServiceEndpoint, tlsOption) // TODO: do we need dns prefix? + if err != nil { + return nil, err + } + defer grpcClient.Close() + + client := pb.NewSymmetricCryptoServiceClient(grpcClient) + resp, err := client.Encrypt(ctx, &pb.SymmetricEncryptRequest{ + KeyId: req.KeyID, + Plaintext: req.Plaintext, + }) + if err != nil { + return nil, fmt.Errorf("kms: encryption was failed: %w", err) + } + + return &kms.EncryptResponse{ + KeyID: resp.GetKeyId(), + Ciphertext: resp.GetCiphertext(), + }, nil +} + +func (p *kmsProviderNebius) Decrypt(ctx context.Context, req *kms.DecryptRequest) (*kms.DecryptResponse, error) { + if req == nil { + return nil, fmt.Errorf("kms: decryption request is nil") + } + if len(req.KeyID) == 0 { + return nil, fmt.Errorf("kms: key id is required in decryption request") + } + + tlsOption, err := tls_setup.LoadTLSCredentials(&p.config.RootCAPath, p.config.Insecure) + if err != nil { + return nil, err + } + + grpcClient, err := grpc.NewClient("dns:"+p.config.CryptoServiceEndpoint, tlsOption) // TODO: do we need dns prefix? + if err != nil { + return nil, err + } + defer grpcClient.Close() + + client := pb.NewSymmetricCryptoServiceClient(grpcClient) + resp, err := client.Decrypt(ctx, &pb.SymmetricDecryptRequest{ + KeyId: req.KeyID, + Ciphertext: req.Ciphertext, + }) + if err != nil { + return nil, fmt.Errorf("kms: decryption was failed: %w", err) + } + + return &kms.DecryptResponse{ + KeyID: resp.GetKeyId(), + Plaintext: resp.GetPlaintext(), + }, nil +} + +func main() {} + +var KmsProvider kmsProviderNebius diff --git a/plugins/kms_nebius/proto/nebius/annotations.pb.go b/plugins/kms_nebius/proto/nebius/annotations.pb.go new file mode 100644 index 00000000..464b28e6 --- /dev/null +++ b/plugins/kms_nebius/proto/nebius/annotations.pb.go @@ -0,0 +1,189 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.6 +// protoc v6.32.1 +// source: nebius/annotations.proto + +package nebius + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + descriptorpb "google.golang.org/protobuf/types/descriptorpb" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type RegionRouting struct { + state protoimpl.MessageState `protogen:"open.v1"` + Nid []string `protobuf:"bytes,1,rep,name=nid,proto3" json:"nid,omitempty"` + Strict bool `protobuf:"varint,3,opt,name=strict,proto3" json:"strict,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *RegionRouting) Reset() { + *x = RegionRouting{} + mi := &file_nebius_annotations_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RegionRouting) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RegionRouting) ProtoMessage() {} + +func (x *RegionRouting) ProtoReflect() protoreflect.Message { + mi := &file_nebius_annotations_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RegionRouting.ProtoReflect.Descriptor instead. +func (*RegionRouting) Descriptor() ([]byte, []int) { + return file_nebius_annotations_proto_rawDescGZIP(), []int{0} +} + +func (x *RegionRouting) GetNid() []string { + if x != nil { + return x.Nid + } + return nil +} + +func (x *RegionRouting) GetStrict() bool { + if x != nil { + return x.Strict + } + return false +} + +var file_nebius_annotations_proto_extTypes = []protoimpl.ExtensionInfo{ + { + ExtendedType: (*descriptorpb.ServiceOptions)(nil), + ExtensionType: (*string)(nil), + Field: 1191, + Name: "nebius.api_service_name", + Tag: "bytes,1191,opt,name=api_service_name", + Filename: "nebius/annotations.proto", + }, + { + ExtendedType: (*descriptorpb.MethodOptions)(nil), + ExtensionType: (*RegionRouting)(nil), + Field: 50003, + Name: "nebius.region_routing", + Tag: "bytes,50003,opt,name=region_routing", + Filename: "nebius/annotations.proto", + }, + { + ExtendedType: (*descriptorpb.FieldOptions)(nil), + ExtensionType: (*bool)(nil), + Field: 1192, + Name: "nebius.sensitive", + Tag: "varint,1192,opt,name=sensitive", + Filename: "nebius/annotations.proto", + }, +} + +// Extension fields to descriptorpb.ServiceOptions. +var ( + // optional string api_service_name = 1191; + E_ApiServiceName = &file_nebius_annotations_proto_extTypes[0] +) + +// Extension fields to descriptorpb.MethodOptions. +var ( + // optional nebius.RegionRouting region_routing = 50003; + E_RegionRouting = &file_nebius_annotations_proto_extTypes[1] +) + +// Extension fields to descriptorpb.FieldOptions. +var ( + // optional bool sensitive = 1192; + E_Sensitive = &file_nebius_annotations_proto_extTypes[2] +) + +var File_nebius_annotations_proto protoreflect.FileDescriptor + +const file_nebius_annotations_proto_rawDesc = "" + + "\n" + + "\x18nebius/annotations.proto\x12\x06nebius\x1a google/protobuf/descriptor.proto\"9\n" + + "\rRegionRouting\x12\x10\n" + + "\x03nid\x18\x01 \x03(\tR\x03nid\x12\x16\n" + + "\x06strict\x18\x03 \x01(\bR\x06strict:J\n" + + "\x10api_service_name\x12\x1f.google.protobuf.ServiceOptions\x18\xa7\t \x01(\tR\x0eapiServiceName:^\n" + + "\x0eregion_routing\x12\x1e.google.protobuf.MethodOptions\x18ӆ\x03 \x01(\v2\x15.nebius.RegionRoutingR\rregionRouting:<\n" + + "\tsensitive\x12\x1d.google.protobuf.FieldOptions\x18\xa8\t \x01(\bR\tsensitiveBF\n" + + "\tai.nebiusB\x10AnnotationsProtoP\x01Z%ydbcp/plugins/kms_nebius/proto/nebiusb\x06proto3" + +var ( + file_nebius_annotations_proto_rawDescOnce sync.Once + file_nebius_annotations_proto_rawDescData []byte +) + +func file_nebius_annotations_proto_rawDescGZIP() []byte { + file_nebius_annotations_proto_rawDescOnce.Do(func() { + file_nebius_annotations_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_nebius_annotations_proto_rawDesc), len(file_nebius_annotations_proto_rawDesc))) + }) + return file_nebius_annotations_proto_rawDescData +} + +var file_nebius_annotations_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var file_nebius_annotations_proto_goTypes = []any{ + (*RegionRouting)(nil), // 0: nebius.RegionRouting + (*descriptorpb.ServiceOptions)(nil), // 1: google.protobuf.ServiceOptions + (*descriptorpb.MethodOptions)(nil), // 2: google.protobuf.MethodOptions + (*descriptorpb.FieldOptions)(nil), // 3: google.protobuf.FieldOptions +} +var file_nebius_annotations_proto_depIdxs = []int32{ + 1, // 0: nebius.api_service_name:extendee -> google.protobuf.ServiceOptions + 2, // 1: nebius.region_routing:extendee -> google.protobuf.MethodOptions + 3, // 2: nebius.sensitive:extendee -> google.protobuf.FieldOptions + 0, // 3: nebius.region_routing:type_name -> nebius.RegionRouting + 4, // [4:4] is the sub-list for method output_type + 4, // [4:4] is the sub-list for method input_type + 3, // [3:4] is the sub-list for extension type_name + 0, // [0:3] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_nebius_annotations_proto_init() } +func file_nebius_annotations_proto_init() { + if File_nebius_annotations_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_nebius_annotations_proto_rawDesc), len(file_nebius_annotations_proto_rawDesc)), + NumEnums: 0, + NumMessages: 1, + NumExtensions: 3, + NumServices: 0, + }, + GoTypes: file_nebius_annotations_proto_goTypes, + DependencyIndexes: file_nebius_annotations_proto_depIdxs, + MessageInfos: file_nebius_annotations_proto_msgTypes, + ExtensionInfos: file_nebius_annotations_proto_extTypes, + }.Build() + File_nebius_annotations_proto = out.File + file_nebius_annotations_proto_goTypes = nil + file_nebius_annotations_proto_depIdxs = nil +} diff --git a/plugins/kms_nebius/proto/nebius/annotations.proto b/plugins/kms_nebius/proto/nebius/annotations.proto new file mode 100644 index 00000000..eedbbe0b --- /dev/null +++ b/plugins/kms_nebius/proto/nebius/annotations.proto @@ -0,0 +1,28 @@ +syntax = "proto3"; + +package nebius; + +import "google/protobuf/descriptor.proto"; + +option java_multiple_files = true; +option java_outer_classname = "AnnotationsProto"; +option java_package = "ai.nebius"; +option go_package = "ydbcp/plugins/kms_nebius/proto/nebius"; + +extend google.protobuf.ServiceOptions { + string api_service_name = 1191; +} + +extend google.protobuf.MethodOptions { + RegionRouting region_routing = 50003; +} + +extend google.protobuf.FieldOptions { + bool sensitive = 1192; +} + +message RegionRouting { + repeated string nid = 1; + bool strict = 3; +} + diff --git a/plugins/kms_nebius/proto/nebius/audit/annotations.pb.go b/plugins/kms_nebius/proto/nebius/audit/annotations.pb.go new file mode 100644 index 00000000..e7b2b065 --- /dev/null +++ b/plugins/kms_nebius/proto/nebius/audit/annotations.pb.go @@ -0,0 +1,445 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.6 +// protoc v6.32.1 +// source: nebius/audit/annotations.proto + +package audit + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + descriptorpb "google.golang.org/protobuf/types/descriptorpb" + reflect "reflect" + sync "sync" + unsafe "unsafe" + common "ydbcp/plugins/kms_nebius/proto/nebius/audit/v1/common" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type MethodAuditMetadata struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Types that are valid to be assigned to Activities: + // + // *MethodAuditMetadata_ResourceType + // *MethodAuditMetadata_DefaultActivity + Activities isMethodAuditMetadata_Activities `protobuf_oneof:"activities"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *MethodAuditMetadata) Reset() { + *x = MethodAuditMetadata{} + mi := &file_nebius_audit_annotations_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *MethodAuditMetadata) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*MethodAuditMetadata) ProtoMessage() {} + +func (x *MethodAuditMetadata) ProtoReflect() protoreflect.Message { + mi := &file_nebius_audit_annotations_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use MethodAuditMetadata.ProtoReflect.Descriptor instead. +func (*MethodAuditMetadata) Descriptor() ([]byte, []int) { + return file_nebius_audit_annotations_proto_rawDescGZIP(), []int{0} +} + +func (x *MethodAuditMetadata) GetActivities() isMethodAuditMetadata_Activities { + if x != nil { + return x.Activities + } + return nil +} + +func (x *MethodAuditMetadata) GetResourceType() string { + if x != nil { + if x, ok := x.Activities.(*MethodAuditMetadata_ResourceType); ok { + return x.ResourceType + } + } + return "" +} + +func (x *MethodAuditMetadata) GetDefaultActivity() *AuditedActivity { + if x != nil { + if x, ok := x.Activities.(*MethodAuditMetadata_DefaultActivity); ok { + return x.DefaultActivity + } + } + return nil +} + +type isMethodAuditMetadata_Activities interface { + isMethodAuditMetadata_Activities() +} + +type MethodAuditMetadata_ResourceType struct { + ResourceType string `protobuf:"bytes,1,opt,name=resource_type,json=resourceType,proto3,oneof"` +} + +type MethodAuditMetadata_DefaultActivity struct { + DefaultActivity *AuditedActivity `protobuf:"bytes,3,opt,name=default_activity,json=defaultActivity,proto3,oneof"` +} + +func (*MethodAuditMetadata_ResourceType) isMethodAuditMetadata_Activities() {} + +func (*MethodAuditMetadata_DefaultActivity) isMethodAuditMetadata_Activities() {} + +type ServiceAudit struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Types that are valid to be assigned to Decision: + // + // *ServiceAudit_Enabled + Decision isServiceAudit_Decision `protobuf_oneof:"decision"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ServiceAudit) Reset() { + *x = ServiceAudit{} + mi := &file_nebius_audit_annotations_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ServiceAudit) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ServiceAudit) ProtoMessage() {} + +func (x *ServiceAudit) ProtoReflect() protoreflect.Message { + mi := &file_nebius_audit_annotations_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ServiceAudit.ProtoReflect.Descriptor instead. +func (*ServiceAudit) Descriptor() ([]byte, []int) { + return file_nebius_audit_annotations_proto_rawDescGZIP(), []int{1} +} + +func (x *ServiceAudit) GetDecision() isServiceAudit_Decision { + if x != nil { + return x.Decision + } + return nil +} + +func (x *ServiceAudit) GetEnabled() bool { + if x != nil { + if x, ok := x.Decision.(*ServiceAudit_Enabled); ok { + return x.Enabled + } + } + return false +} + +type isServiceAudit_Decision interface { + isServiceAudit_Decision() +} + +type ServiceAudit_Enabled struct { + Enabled bool `protobuf:"varint,1,opt,name=enabled,proto3,oneof"` +} + +func (*ServiceAudit_Enabled) isServiceAudit_Decision() {} + +type MethodAudit struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Types that are valid to be assigned to Decision: + // + // *MethodAudit_Enabled + Decision isMethodAudit_Decision `protobuf_oneof:"decision"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *MethodAudit) Reset() { + *x = MethodAudit{} + mi := &file_nebius_audit_annotations_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *MethodAudit) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*MethodAudit) ProtoMessage() {} + +func (x *MethodAudit) ProtoReflect() protoreflect.Message { + mi := &file_nebius_audit_annotations_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use MethodAudit.ProtoReflect.Descriptor instead. +func (*MethodAudit) Descriptor() ([]byte, []int) { + return file_nebius_audit_annotations_proto_rawDescGZIP(), []int{2} +} + +func (x *MethodAudit) GetDecision() isMethodAudit_Decision { + if x != nil { + return x.Decision + } + return nil +} + +func (x *MethodAudit) GetEnabled() *MethodAuditMetadata { + if x != nil { + if x, ok := x.Decision.(*MethodAudit_Enabled); ok { + return x.Enabled + } + } + return nil +} + +type isMethodAudit_Decision interface { + isMethodAudit_Decision() +} + +type MethodAudit_Enabled struct { + Enabled *MethodAuditMetadata `protobuf:"bytes,1,opt,name=enabled,proto3,oneof"` +} + +func (*MethodAudit_Enabled) isMethodAudit_Decision() {} + +type AuditedActivity struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Types that are valid to be assigned to Resource: + // + // *AuditedActivity_ResourceType + Resource isAuditedActivity_Resource `protobuf_oneof:"resource"` + Action common.Action `protobuf:"varint,2,opt,name=action,proto3,enum=nebius.audit.v1.common.Action" json:"action,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *AuditedActivity) Reset() { + *x = AuditedActivity{} + mi := &file_nebius_audit_annotations_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *AuditedActivity) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*AuditedActivity) ProtoMessage() {} + +func (x *AuditedActivity) ProtoReflect() protoreflect.Message { + mi := &file_nebius_audit_annotations_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use AuditedActivity.ProtoReflect.Descriptor instead. +func (*AuditedActivity) Descriptor() ([]byte, []int) { + return file_nebius_audit_annotations_proto_rawDescGZIP(), []int{3} +} + +func (x *AuditedActivity) GetResource() isAuditedActivity_Resource { + if x != nil { + return x.Resource + } + return nil +} + +func (x *AuditedActivity) GetResourceType() string { + if x != nil { + if x, ok := x.Resource.(*AuditedActivity_ResourceType); ok { + return x.ResourceType + } + } + return "" +} + +func (x *AuditedActivity) GetAction() common.Action { + if x != nil { + return x.Action + } + return common.Action(0) +} + +type isAuditedActivity_Resource interface { + isAuditedActivity_Resource() +} + +type AuditedActivity_ResourceType struct { + ResourceType string `protobuf:"bytes,1,opt,name=resource_type,json=resourceType,proto3,oneof"` +} + +func (*AuditedActivity_ResourceType) isAuditedActivity_Resource() {} + +var file_nebius_audit_annotations_proto_extTypes = []protoimpl.ExtensionInfo{ + { + ExtendedType: (*descriptorpb.ServiceOptions)(nil), + ExtensionType: (*ServiceAudit)(nil), + Field: 50004, + Name: "nebius.audit.service_audit", + Tag: "bytes,50004,opt,name=service_audit", + Filename: "nebius/audit/annotations.proto", + }, + { + ExtendedType: (*descriptorpb.MethodOptions)(nil), + ExtensionType: (*MethodAudit)(nil), + Field: 50002, + Name: "nebius.audit.method_audit", + Tag: "bytes,50002,opt,name=method_audit", + Filename: "nebius/audit/annotations.proto", + }, +} + +// Extension fields to descriptorpb.ServiceOptions. +var ( + // optional nebius.audit.ServiceAudit service_audit = 50004; + E_ServiceAudit = &file_nebius_audit_annotations_proto_extTypes[0] +) + +// Extension fields to descriptorpb.MethodOptions. +var ( + // optional nebius.audit.MethodAudit method_audit = 50002; + E_MethodAudit = &file_nebius_audit_annotations_proto_extTypes[1] +) + +var File_nebius_audit_annotations_proto protoreflect.FileDescriptor + +const file_nebius_audit_annotations_proto_rawDesc = "" + + "\n" + + "\x1enebius/audit/annotations.proto\x12\fnebius.audit\x1a google/protobuf/descriptor.proto\x1a#nebius/audit/v1/common/action.proto\"\x96\x01\n" + + "\x13MethodAuditMetadata\x12%\n" + + "\rresource_type\x18\x01 \x01(\tH\x00R\fresourceType\x12J\n" + + "\x10default_activity\x18\x03 \x01(\v2\x1d.nebius.audit.AuditedActivityH\x00R\x0fdefaultActivityB\f\n" + + "\n" + + "activities\"6\n" + + "\fServiceAudit\x12\x1a\n" + + "\aenabled\x18\x01 \x01(\bH\x00R\aenabledB\n" + + "\n" + + "\bdecision\"X\n" + + "\vMethodAudit\x12=\n" + + "\aenabled\x18\x01 \x01(\v2!.nebius.audit.MethodAuditMetadataH\x00R\aenabledB\n" + + "\n" + + "\bdecision\"|\n" + + "\x0fAuditedActivity\x12%\n" + + "\rresource_type\x18\x01 \x01(\tH\x00R\fresourceType\x126\n" + + "\x06action\x18\x02 \x01(\x0e2\x1e.nebius.audit.v1.common.ActionR\x06actionB\n" + + "\n" + + "\bresource:b\n" + + "\rservice_audit\x12\x1f.google.protobuf.ServiceOptions\x18Ԇ\x03 \x01(\v2\x1a.nebius.audit.ServiceAuditR\fserviceAudit:^\n" + + "\fmethod_audit\x12\x1e.google.protobuf.MethodOptions\x18҆\x03 \x01(\v2\x19.nebius.audit.MethodAuditR\vmethodAuditBR\n" + + "\x0fai.nebius.auditB\x10AnnotationsProtoP\x01Z+ydbcp/plugins/kms_nebius/proto/nebius/auditb\x06proto3" + +var ( + file_nebius_audit_annotations_proto_rawDescOnce sync.Once + file_nebius_audit_annotations_proto_rawDescData []byte +) + +func file_nebius_audit_annotations_proto_rawDescGZIP() []byte { + file_nebius_audit_annotations_proto_rawDescOnce.Do(func() { + file_nebius_audit_annotations_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_nebius_audit_annotations_proto_rawDesc), len(file_nebius_audit_annotations_proto_rawDesc))) + }) + return file_nebius_audit_annotations_proto_rawDescData +} + +var file_nebius_audit_annotations_proto_msgTypes = make([]protoimpl.MessageInfo, 4) +var file_nebius_audit_annotations_proto_goTypes = []any{ + (*MethodAuditMetadata)(nil), // 0: nebius.audit.MethodAuditMetadata + (*ServiceAudit)(nil), // 1: nebius.audit.ServiceAudit + (*MethodAudit)(nil), // 2: nebius.audit.MethodAudit + (*AuditedActivity)(nil), // 3: nebius.audit.AuditedActivity + (common.Action)(0), // 4: nebius.audit.v1.common.Action + (*descriptorpb.ServiceOptions)(nil), // 5: google.protobuf.ServiceOptions + (*descriptorpb.MethodOptions)(nil), // 6: google.protobuf.MethodOptions +} +var file_nebius_audit_annotations_proto_depIdxs = []int32{ + 3, // 0: nebius.audit.MethodAuditMetadata.default_activity:type_name -> nebius.audit.AuditedActivity + 0, // 1: nebius.audit.MethodAudit.enabled:type_name -> nebius.audit.MethodAuditMetadata + 4, // 2: nebius.audit.AuditedActivity.action:type_name -> nebius.audit.v1.common.Action + 5, // 3: nebius.audit.service_audit:extendee -> google.protobuf.ServiceOptions + 6, // 4: nebius.audit.method_audit:extendee -> google.protobuf.MethodOptions + 1, // 5: nebius.audit.service_audit:type_name -> nebius.audit.ServiceAudit + 2, // 6: nebius.audit.method_audit:type_name -> nebius.audit.MethodAudit + 7, // [7:7] is the sub-list for method output_type + 7, // [7:7] is the sub-list for method input_type + 5, // [5:7] is the sub-list for extension type_name + 3, // [3:5] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name +} + +func init() { file_nebius_audit_annotations_proto_init() } +func file_nebius_audit_annotations_proto_init() { + if File_nebius_audit_annotations_proto != nil { + return + } + file_nebius_audit_annotations_proto_msgTypes[0].OneofWrappers = []any{ + (*MethodAuditMetadata_ResourceType)(nil), + (*MethodAuditMetadata_DefaultActivity)(nil), + } + file_nebius_audit_annotations_proto_msgTypes[1].OneofWrappers = []any{ + (*ServiceAudit_Enabled)(nil), + } + file_nebius_audit_annotations_proto_msgTypes[2].OneofWrappers = []any{ + (*MethodAudit_Enabled)(nil), + } + file_nebius_audit_annotations_proto_msgTypes[3].OneofWrappers = []any{ + (*AuditedActivity_ResourceType)(nil), + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_nebius_audit_annotations_proto_rawDesc), len(file_nebius_audit_annotations_proto_rawDesc)), + NumEnums: 0, + NumMessages: 4, + NumExtensions: 2, + NumServices: 0, + }, + GoTypes: file_nebius_audit_annotations_proto_goTypes, + DependencyIndexes: file_nebius_audit_annotations_proto_depIdxs, + MessageInfos: file_nebius_audit_annotations_proto_msgTypes, + ExtensionInfos: file_nebius_audit_annotations_proto_extTypes, + }.Build() + File_nebius_audit_annotations_proto = out.File + file_nebius_audit_annotations_proto_goTypes = nil + file_nebius_audit_annotations_proto_depIdxs = nil +} diff --git a/plugins/kms_nebius/proto/nebius/audit/annotations.proto b/plugins/kms_nebius/proto/nebius/audit/annotations.proto new file mode 100644 index 00000000..9bcf5352 --- /dev/null +++ b/plugins/kms_nebius/proto/nebius/audit/annotations.proto @@ -0,0 +1,45 @@ +syntax = "proto3"; + +package nebius.audit; + +import "google/protobuf/descriptor.proto"; +import "nebius/audit/v1/common/action.proto"; + +option java_multiple_files = true; +option java_outer_classname = "AnnotationsProto"; +option java_package = "ai.nebius.audit"; +option go_package = "ydbcp/plugins/kms_nebius/proto/nebius/audit"; + +extend google.protobuf.ServiceOptions { + ServiceAudit service_audit = 50004; +} + +extend google.protobuf.MethodOptions { + MethodAudit method_audit = 50002; +} + +message MethodAuditMetadata { + oneof activities { + string resource_type = 1; + AuditedActivity default_activity = 3; + } +} + +message ServiceAudit { + oneof decision { + bool enabled = 1; + } +} + +message MethodAudit { + oneof decision { + MethodAuditMetadata enabled = 1; + } +} + +message AuditedActivity { + oneof resource { + string resource_type = 1; + } + nebius.audit.v1.common.Action action = 2; +} diff --git a/plugins/kms_nebius/proto/nebius/audit/v1/common/action.pb.go b/plugins/kms_nebius/proto/nebius/audit/v1/common/action.pb.go new file mode 100644 index 00000000..3b5c88f2 --- /dev/null +++ b/plugins/kms_nebius/proto/nebius/audit/v1/common/action.pb.go @@ -0,0 +1,130 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.6 +// protoc v6.32.1 +// source: nebius/audit/v1/common/action.proto + +package common + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type Action int32 + +const ( + Action_ACTION_UNSPECIFIED Action = 0 + Action_ENCRYPT Action = 24 + Action_DECRYPT Action = 25 +) + +// Enum value maps for Action. +var ( + Action_name = map[int32]string{ + 0: "ACTION_UNSPECIFIED", + 24: "ENCRYPT", + 25: "DECRYPT", + } + Action_value = map[string]int32{ + "ACTION_UNSPECIFIED": 0, + "ENCRYPT": 24, + "DECRYPT": 25, + } +) + +func (x Action) Enum() *Action { + p := new(Action) + *p = x + return p +} + +func (x Action) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (Action) Descriptor() protoreflect.EnumDescriptor { + return file_nebius_audit_v1_common_action_proto_enumTypes[0].Descriptor() +} + +func (Action) Type() protoreflect.EnumType { + return &file_nebius_audit_v1_common_action_proto_enumTypes[0] +} + +func (x Action) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use Action.Descriptor instead. +func (Action) EnumDescriptor() ([]byte, []int) { + return file_nebius_audit_v1_common_action_proto_rawDescGZIP(), []int{0} +} + +var File_nebius_audit_v1_common_action_proto protoreflect.FileDescriptor + +const file_nebius_audit_v1_common_action_proto_rawDesc = "" + + "\n" + + "#nebius/audit/v1/common/action.proto\x12\x16nebius.audit.v1.common*:\n" + + "\x06Action\x12\x16\n" + + "\x12ACTION_UNSPECIFIED\x10\x00\x12\v\n" + + "\aENCRYPT\x10\x18\x12\v\n" + + "\aDECRYPT\x10\x19Ba\n" + + "\x19ai.nebius.audit.v1.commonB\vActionProtoP\x01Z5ydbcp/plugins/kms_nebius/proto/nebius/audit/v1/commonb\x06proto3" + +var ( + file_nebius_audit_v1_common_action_proto_rawDescOnce sync.Once + file_nebius_audit_v1_common_action_proto_rawDescData []byte +) + +func file_nebius_audit_v1_common_action_proto_rawDescGZIP() []byte { + file_nebius_audit_v1_common_action_proto_rawDescOnce.Do(func() { + file_nebius_audit_v1_common_action_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_nebius_audit_v1_common_action_proto_rawDesc), len(file_nebius_audit_v1_common_action_proto_rawDesc))) + }) + return file_nebius_audit_v1_common_action_proto_rawDescData +} + +var file_nebius_audit_v1_common_action_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_nebius_audit_v1_common_action_proto_goTypes = []any{ + (Action)(0), // 0: nebius.audit.v1.common.Action +} +var file_nebius_audit_v1_common_action_proto_depIdxs = []int32{ + 0, // [0:0] is the sub-list for method output_type + 0, // [0:0] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_nebius_audit_v1_common_action_proto_init() } +func file_nebius_audit_v1_common_action_proto_init() { + if File_nebius_audit_v1_common_action_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_nebius_audit_v1_common_action_proto_rawDesc), len(file_nebius_audit_v1_common_action_proto_rawDesc)), + NumEnums: 1, + NumMessages: 0, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_nebius_audit_v1_common_action_proto_goTypes, + DependencyIndexes: file_nebius_audit_v1_common_action_proto_depIdxs, + EnumInfos: file_nebius_audit_v1_common_action_proto_enumTypes, + }.Build() + File_nebius_audit_v1_common_action_proto = out.File + file_nebius_audit_v1_common_action_proto_goTypes = nil + file_nebius_audit_v1_common_action_proto_depIdxs = nil +} diff --git a/plugins/kms_nebius/proto/nebius/audit/v1/common/action.proto b/plugins/kms_nebius/proto/nebius/audit/v1/common/action.proto new file mode 100644 index 00000000..81d8951c --- /dev/null +++ b/plugins/kms_nebius/proto/nebius/audit/v1/common/action.proto @@ -0,0 +1,14 @@ +syntax = "proto3"; + +package nebius.audit.v1.common; + +option java_multiple_files = true; +option java_outer_classname = "ActionProto"; +option java_package = "ai.nebius.audit.v1.common"; +option go_package = "ydbcp/plugins/kms_nebius/proto/nebius/audit/v1/common"; + +enum Action { + ACTION_UNSPECIFIED = 0; + ENCRYPT = 24; + DECRYPT = 25; +} diff --git a/plugins/kms_nebius/proto/symmetric_crypto_service.pb.go b/plugins/kms_nebius/proto/symmetric_crypto_service.pb.go new file mode 100644 index 00000000..52c4cf50 --- /dev/null +++ b/plugins/kms_nebius/proto/symmetric_crypto_service.pb.go @@ -0,0 +1,357 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.6 +// protoc v6.32.1 +// source: symmetric_crypto_service.proto + +package proto + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" + unsafe "unsafe" + _ "ydbcp/plugins/kms_nebius/proto/nebius" + _ "ydbcp/plugins/kms_nebius/proto/nebius/audit" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type SymmetricEncryptRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // ID of the symmetric KMS key to use for encryption. + KeyId string `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` + // Additional authenticated data (AAD context), optional. + // If specified, this data will be required for decryption with the [SymmetricDecryptRequest]. + // Should be encoded with base64. + AadContext []byte `protobuf:"bytes,2,opt,name=aad_context,json=aadContext,proto3" json:"aad_context,omitempty"` + // Plaintext to be encrypted. + // Should be encoded with base64. + Plaintext []byte `protobuf:"bytes,3,opt,name=plaintext,proto3" json:"plaintext,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SymmetricEncryptRequest) Reset() { + *x = SymmetricEncryptRequest{} + mi := &file_symmetric_crypto_service_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SymmetricEncryptRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SymmetricEncryptRequest) ProtoMessage() {} + +func (x *SymmetricEncryptRequest) ProtoReflect() protoreflect.Message { + mi := &file_symmetric_crypto_service_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SymmetricEncryptRequest.ProtoReflect.Descriptor instead. +func (*SymmetricEncryptRequest) Descriptor() ([]byte, []int) { + return file_symmetric_crypto_service_proto_rawDescGZIP(), []int{0} +} + +func (x *SymmetricEncryptRequest) GetKeyId() string { + if x != nil { + return x.KeyId + } + return "" +} + +func (x *SymmetricEncryptRequest) GetAadContext() []byte { + if x != nil { + return x.AadContext + } + return nil +} + +func (x *SymmetricEncryptRequest) GetPlaintext() []byte { + if x != nil { + return x.Plaintext + } + return nil +} + +type SymmetricEncryptResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // ID of the symmetric KMS key that was used for encryption. + KeyId string `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` + // Resulting ciphertext. + Ciphertext []byte `protobuf:"bytes,2,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SymmetricEncryptResponse) Reset() { + *x = SymmetricEncryptResponse{} + mi := &file_symmetric_crypto_service_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SymmetricEncryptResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SymmetricEncryptResponse) ProtoMessage() {} + +func (x *SymmetricEncryptResponse) ProtoReflect() protoreflect.Message { + mi := &file_symmetric_crypto_service_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SymmetricEncryptResponse.ProtoReflect.Descriptor instead. +func (*SymmetricEncryptResponse) Descriptor() ([]byte, []int) { + return file_symmetric_crypto_service_proto_rawDescGZIP(), []int{1} +} + +func (x *SymmetricEncryptResponse) GetKeyId() string { + if x != nil { + return x.KeyId + } + return "" +} + +func (x *SymmetricEncryptResponse) GetCiphertext() []byte { + if x != nil { + return x.Ciphertext + } + return nil +} + +type SymmetricDecryptRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // ID of the symmetric KMS key to use for decryption. + KeyId string `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` + // Additional authenticated data, must be the same as was provided + // in the corresponding [SymmetricEncryptRequest]. + // Should be encoded with base64. + AadContext []byte `protobuf:"bytes,2,opt,name=aad_context,json=aadContext,proto3" json:"aad_context,omitempty"` + // Ciphertext to be decrypted. + // Should be encoded with base64. + Ciphertext []byte `protobuf:"bytes,3,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SymmetricDecryptRequest) Reset() { + *x = SymmetricDecryptRequest{} + mi := &file_symmetric_crypto_service_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SymmetricDecryptRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SymmetricDecryptRequest) ProtoMessage() {} + +func (x *SymmetricDecryptRequest) ProtoReflect() protoreflect.Message { + mi := &file_symmetric_crypto_service_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SymmetricDecryptRequest.ProtoReflect.Descriptor instead. +func (*SymmetricDecryptRequest) Descriptor() ([]byte, []int) { + return file_symmetric_crypto_service_proto_rawDescGZIP(), []int{2} +} + +func (x *SymmetricDecryptRequest) GetKeyId() string { + if x != nil { + return x.KeyId + } + return "" +} + +func (x *SymmetricDecryptRequest) GetAadContext() []byte { + if x != nil { + return x.AadContext + } + return nil +} + +func (x *SymmetricDecryptRequest) GetCiphertext() []byte { + if x != nil { + return x.Ciphertext + } + return nil +} + +type SymmetricDecryptResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // ID of the symmetric KMS key that was used for decryption. + KeyId string `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` + // Decrypted plaintext. + Plaintext []byte `protobuf:"bytes,2,opt,name=plaintext,proto3" json:"plaintext,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SymmetricDecryptResponse) Reset() { + *x = SymmetricDecryptResponse{} + mi := &file_symmetric_crypto_service_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SymmetricDecryptResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SymmetricDecryptResponse) ProtoMessage() {} + +func (x *SymmetricDecryptResponse) ProtoReflect() protoreflect.Message { + mi := &file_symmetric_crypto_service_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SymmetricDecryptResponse.ProtoReflect.Descriptor instead. +func (*SymmetricDecryptResponse) Descriptor() ([]byte, []int) { + return file_symmetric_crypto_service_proto_rawDescGZIP(), []int{3} +} + +func (x *SymmetricDecryptResponse) GetKeyId() string { + if x != nil { + return x.KeyId + } + return "" +} + +func (x *SymmetricDecryptResponse) GetPlaintext() []byte { + if x != nil { + return x.Plaintext + } + return nil +} + +var File_symmetric_crypto_service_proto protoreflect.FileDescriptor + +const file_symmetric_crypto_service_proto_rawDesc = "" + + "\n" + + "\x1esymmetric_crypto_service.proto\x12\rnebius.kms.v1\x1a\x18nebius/annotations.proto\x1a\x1enebius/audit/annotations.proto\"y\n" + + "\x17SymmetricEncryptRequest\x12\x15\n" + + "\x06key_id\x18\x01 \x01(\tR\x05keyId\x12$\n" + + "\vaad_context\x18\x02 \x01(\fB\x03\xc0J\x01R\n" + + "aadContext\x12!\n" + + "\tplaintext\x18\x03 \x01(\fB\x03\xc0J\x01R\tplaintext\"V\n" + + "\x18SymmetricEncryptResponse\x12\x15\n" + + "\x06key_id\x18\x01 \x01(\tR\x05keyId\x12#\n" + + "\n" + + "ciphertext\x18\x02 \x01(\fB\x03\xc0J\x01R\n" + + "ciphertext\"{\n" + + "\x17SymmetricDecryptRequest\x12\x15\n" + + "\x06key_id\x18\x01 \x01(\tR\x05keyId\x12$\n" + + "\vaad_context\x18\x02 \x01(\fB\x03\xc0J\x01R\n" + + "aadContext\x12#\n" + + "\n" + + "ciphertext\x18\x03 \x01(\fB\x03\xc0J\x01R\n" + + "ciphertext\"T\n" + + "\x18SymmetricDecryptResponse\x12\x15\n" + + "\x06key_id\x18\x01 \x01(\tR\x05keyId\x12!\n" + + "\tplaintext\x18\x02 \x01(\fB\x03\xc0J\x01R\tplaintext2\xac\x02\n" + + "\x16SymmetricCryptoService\x12\x7f\n" + + "\aEncrypt\x12&.nebius.kms.v1.SymmetricEncryptRequest\x1a'.nebius.kms.v1.SymmetricEncryptResponse\"#\x92\xb5\x18\x11\n" + + "\x0f\x1a\r\x10\x18\n" + + "\tkmssymkey\x9a\xb5\x18\n" + + "\n" + + "\x06key_id\x18\x01\x12\x7f\n" + + "\aDecrypt\x12&.nebius.kms.v1.SymmetricDecryptRequest\x1a'.nebius.kms.v1.SymmetricDecryptResponse\"#\x92\xb5\x18\x11\n" + + "\x0f\x1a\r\x10\x19\n" + + "\tkmssymkey\x9a\xb5\x18\n" + + "\n" + + "\x06key_id\x18\x01\x1a\x10\xbaJ\adpl.kms\xa2\xb5\x18\x02\b\x01BQ\n" + + "\x10ai.nebius.kms.v1B\x1bSymmetricCryptoServiceProtoP\x01Z\x1eydbcp/plugins/kms_nebius/protob\x06proto3" + +var ( + file_symmetric_crypto_service_proto_rawDescOnce sync.Once + file_symmetric_crypto_service_proto_rawDescData []byte +) + +func file_symmetric_crypto_service_proto_rawDescGZIP() []byte { + file_symmetric_crypto_service_proto_rawDescOnce.Do(func() { + file_symmetric_crypto_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_symmetric_crypto_service_proto_rawDesc), len(file_symmetric_crypto_service_proto_rawDesc))) + }) + return file_symmetric_crypto_service_proto_rawDescData +} + +var file_symmetric_crypto_service_proto_msgTypes = make([]protoimpl.MessageInfo, 4) +var file_symmetric_crypto_service_proto_goTypes = []any{ + (*SymmetricEncryptRequest)(nil), // 0: nebius.kms.v1.SymmetricEncryptRequest + (*SymmetricEncryptResponse)(nil), // 1: nebius.kms.v1.SymmetricEncryptResponse + (*SymmetricDecryptRequest)(nil), // 2: nebius.kms.v1.SymmetricDecryptRequest + (*SymmetricDecryptResponse)(nil), // 3: nebius.kms.v1.SymmetricDecryptResponse +} +var file_symmetric_crypto_service_proto_depIdxs = []int32{ + 0, // 0: nebius.kms.v1.SymmetricCryptoService.Encrypt:input_type -> nebius.kms.v1.SymmetricEncryptRequest + 2, // 1: nebius.kms.v1.SymmetricCryptoService.Decrypt:input_type -> nebius.kms.v1.SymmetricDecryptRequest + 1, // 2: nebius.kms.v1.SymmetricCryptoService.Encrypt:output_type -> nebius.kms.v1.SymmetricEncryptResponse + 3, // 3: nebius.kms.v1.SymmetricCryptoService.Decrypt:output_type -> nebius.kms.v1.SymmetricDecryptResponse + 2, // [2:4] is the sub-list for method output_type + 0, // [0:2] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_symmetric_crypto_service_proto_init() } +func file_symmetric_crypto_service_proto_init() { + if File_symmetric_crypto_service_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_symmetric_crypto_service_proto_rawDesc), len(file_symmetric_crypto_service_proto_rawDesc)), + NumEnums: 0, + NumMessages: 4, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_symmetric_crypto_service_proto_goTypes, + DependencyIndexes: file_symmetric_crypto_service_proto_depIdxs, + MessageInfos: file_symmetric_crypto_service_proto_msgTypes, + }.Build() + File_symmetric_crypto_service_proto = out.File + file_symmetric_crypto_service_proto_goTypes = nil + file_symmetric_crypto_service_proto_depIdxs = nil +} diff --git a/plugins/kms_nebius/proto/symmetric_crypto_service.proto b/plugins/kms_nebius/proto/symmetric_crypto_service.proto new file mode 100644 index 00000000..7da076b6 --- /dev/null +++ b/plugins/kms_nebius/proto/symmetric_crypto_service.proto @@ -0,0 +1,80 @@ +syntax = "proto3"; + +package nebius.kms.v1; + +import "nebius/annotations.proto"; +import "nebius/audit/annotations.proto"; + +option java_multiple_files = true; +option java_outer_classname = "SymmetricCryptoServiceProto"; +option java_package = "ai.nebius.kms.v1"; +option go_package = "ydbcp/plugins/kms_nebius/proto"; + +// --- Data plane for KMS symmetric cryptography operations + +// Set of methods that perform symmetric encryption and decryption. +service SymmetricCryptoService { + option (api_service_name) = "dpl.kms"; + option (audit.service_audit).enabled = true; + + // Encrypts given plaintext with the specified key. + rpc Encrypt(SymmetricEncryptRequest) returns (SymmetricEncryptResponse) { + option (region_routing).nid = "key_id"; + option (region_routing).strict = true; + + option (audit.method_audit).enabled.default_activity = {action: ENCRYPT, resource_type: "kmssymkey"}; + } + + // Decrypts the given ciphertext with the specified key. + rpc Decrypt(SymmetricDecryptRequest) returns (SymmetricDecryptResponse) { + option (region_routing).nid = "key_id"; + option (region_routing).strict = true; + + option (audit.method_audit).enabled.default_activity = {action: DECRYPT, resource_type: "kmssymkey"}; + } + +} + +message SymmetricEncryptRequest { + // ID of the symmetric KMS key to use for encryption. + string key_id = 1; + + // Additional authenticated data (AAD context), optional. + // If specified, this data will be required for decryption with the [SymmetricDecryptRequest]. + // Should be encoded with base64. + bytes aad_context = 2 [(nebius.sensitive) = true]; + + // Plaintext to be encrypted. + // Should be encoded with base64. + bytes plaintext = 3 [(nebius.sensitive) = true]; +} + +message SymmetricEncryptResponse { + // ID of the symmetric KMS key that was used for encryption. + string key_id = 1; + + // Resulting ciphertext. + bytes ciphertext = 2 [(nebius.sensitive) = true]; +} + +message SymmetricDecryptRequest { + // ID of the symmetric KMS key to use for decryption. + string key_id = 1; + + // Additional authenticated data, must be the same as was provided + // in the corresponding [SymmetricEncryptRequest]. + // Should be encoded with base64. + bytes aad_context = 2 [(nebius.sensitive) = true]; + + // Ciphertext to be decrypted. + // Should be encoded with base64. + bytes ciphertext = 3 [(nebius.sensitive) = true]; +} + +message SymmetricDecryptResponse { + // ID of the symmetric KMS key that was used for decryption. + string key_id = 1; + + // Decrypted plaintext. + bytes plaintext = 2 [(nebius.sensitive) = true]; +} diff --git a/plugins/kms_nebius/proto/symmetric_crypto_service_grpc.pb.go b/plugins/kms_nebius/proto/symmetric_crypto_service_grpc.pb.go new file mode 100644 index 00000000..e46ecd28 --- /dev/null +++ b/plugins/kms_nebius/proto/symmetric_crypto_service_grpc.pb.go @@ -0,0 +1,168 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.5.1 +// - protoc v6.32.1 +// source: symmetric_crypto_service.proto + +package proto + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.64.0 or later. +const _ = grpc.SupportPackageIsVersion9 + +const ( + SymmetricCryptoService_Encrypt_FullMethodName = "/nebius.kms.v1.SymmetricCryptoService/Encrypt" + SymmetricCryptoService_Decrypt_FullMethodName = "/nebius.kms.v1.SymmetricCryptoService/Decrypt" +) + +// SymmetricCryptoServiceClient is the client API for SymmetricCryptoService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +// +// Set of methods that perform symmetric encryption and decryption. +type SymmetricCryptoServiceClient interface { + // Encrypts given plaintext with the specified key. + Encrypt(ctx context.Context, in *SymmetricEncryptRequest, opts ...grpc.CallOption) (*SymmetricEncryptResponse, error) + // Decrypts the given ciphertext with the specified key. + Decrypt(ctx context.Context, in *SymmetricDecryptRequest, opts ...grpc.CallOption) (*SymmetricDecryptResponse, error) +} + +type symmetricCryptoServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewSymmetricCryptoServiceClient(cc grpc.ClientConnInterface) SymmetricCryptoServiceClient { + return &symmetricCryptoServiceClient{cc} +} + +func (c *symmetricCryptoServiceClient) Encrypt(ctx context.Context, in *SymmetricEncryptRequest, opts ...grpc.CallOption) (*SymmetricEncryptResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(SymmetricEncryptResponse) + err := c.cc.Invoke(ctx, SymmetricCryptoService_Encrypt_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *symmetricCryptoServiceClient) Decrypt(ctx context.Context, in *SymmetricDecryptRequest, opts ...grpc.CallOption) (*SymmetricDecryptResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(SymmetricDecryptResponse) + err := c.cc.Invoke(ctx, SymmetricCryptoService_Decrypt_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +// SymmetricCryptoServiceServer is the server API for SymmetricCryptoService service. +// All implementations must embed UnimplementedSymmetricCryptoServiceServer +// for forward compatibility. +// +// Set of methods that perform symmetric encryption and decryption. +type SymmetricCryptoServiceServer interface { + // Encrypts given plaintext with the specified key. + Encrypt(context.Context, *SymmetricEncryptRequest) (*SymmetricEncryptResponse, error) + // Decrypts the given ciphertext with the specified key. + Decrypt(context.Context, *SymmetricDecryptRequest) (*SymmetricDecryptResponse, error) + mustEmbedUnimplementedSymmetricCryptoServiceServer() +} + +// UnimplementedSymmetricCryptoServiceServer must be embedded to have +// forward compatible implementations. +// +// NOTE: this should be embedded by value instead of pointer to avoid a nil +// pointer dereference when methods are called. +type UnimplementedSymmetricCryptoServiceServer struct{} + +func (UnimplementedSymmetricCryptoServiceServer) Encrypt(context.Context, *SymmetricEncryptRequest) (*SymmetricEncryptResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Encrypt not implemented") +} +func (UnimplementedSymmetricCryptoServiceServer) Decrypt(context.Context, *SymmetricDecryptRequest) (*SymmetricDecryptResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Decrypt not implemented") +} +func (UnimplementedSymmetricCryptoServiceServer) mustEmbedUnimplementedSymmetricCryptoServiceServer() { +} +func (UnimplementedSymmetricCryptoServiceServer) testEmbeddedByValue() {} + +// UnsafeSymmetricCryptoServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to SymmetricCryptoServiceServer will +// result in compilation errors. +type UnsafeSymmetricCryptoServiceServer interface { + mustEmbedUnimplementedSymmetricCryptoServiceServer() +} + +func RegisterSymmetricCryptoServiceServer(s grpc.ServiceRegistrar, srv SymmetricCryptoServiceServer) { + // If the following call pancis, it indicates UnimplementedSymmetricCryptoServiceServer was + // embedded by pointer and is nil. This will cause panics if an + // unimplemented method is ever invoked, so we test this at initialization + // time to prevent it from happening at runtime later due to I/O. + if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { + t.testEmbeddedByValue() + } + s.RegisterService(&SymmetricCryptoService_ServiceDesc, srv) +} + +func _SymmetricCryptoService_Encrypt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(SymmetricEncryptRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(SymmetricCryptoServiceServer).Encrypt(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: SymmetricCryptoService_Encrypt_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SymmetricCryptoServiceServer).Encrypt(ctx, req.(*SymmetricEncryptRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _SymmetricCryptoService_Decrypt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(SymmetricDecryptRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(SymmetricCryptoServiceServer).Decrypt(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: SymmetricCryptoService_Decrypt_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SymmetricCryptoServiceServer).Decrypt(ctx, req.(*SymmetricDecryptRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// SymmetricCryptoService_ServiceDesc is the grpc.ServiceDesc for SymmetricCryptoService service. +// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var SymmetricCryptoService_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "nebius.kms.v1.SymmetricCryptoService", + HandlerType: (*SymmetricCryptoServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "Encrypt", + Handler: _SymmetricCryptoService_Encrypt_Handler, + }, + { + MethodName: "Decrypt", + Handler: _SymmetricCryptoService_Decrypt_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "symmetric_crypto_service.proto", +}