go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/provenance/api/snooperpb/v1/report.proto

// Copyright 2022 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package provenance.snooperpb;

option go_package = "go.chromium.org/luci/provenance/api/snooperpb/v1;snooperpb";

import "google/protobuf/empty.proto";
import "google/protobuf/timestamp.proto";
import "go.chromium.org/luci/cipd/api/cipd/v1/repo.proto";

service SelfReport {
    // Interface to report cipd packages admitted on the local machine.
    rpc ReportCipd(ReportCipdRequest) returns (google.protobuf.Empty);

    // Interface to report git repos checked out on the local machine.
    rpc ReportGit(ReportGitRequest) returns (google.protobuf.Empty);

    // Interface to report gcs artifacts downloaded on a local machine.
    rpc ReportGcs(ReportGcsRequest) returns (google.protobuf.Empty);

    // Reports running task's stage. A task is typically a collection of
    // workflows/statements. Some of these statements can be grouped together
    // to define a stage, e.g. when a task is downloading sources/deps, it is
    // known as `FETCH` stage.
    // For details read go/snoopy-design (Google-internal).
    rpc ReportTaskStage(ReportTaskStageRequest) returns (google.protobuf.Empty);

    // Reports a PID to track execution of the process. When implementing the
    // provenance server ensure safeguards to the end point with strict input
    // validation.
    rpc ReportPID(ReportPIDRequest) returns (google.protobuf.Empty);

    // Reports digest of produced artifact from a task.
    rpc ReportArtifactDigest(ReportArtifactDigestRequest) returns (google.protobuf.Empty);
}

// Indicator to task status. This is used to annotate logs when a task starts
// ends or reaches a certain "interesting" stage.
//
// This is crucial to enforce security policies based on current state of the
// task. For example, more restrictive network connections can be applied when a
// task reaches `compile` stage.
//
// Below is a brief rationale behind each steps:
//   * STARTED: provenance of an artifact captures sources that goes into a
//              build. A single compute resource typically outlives a task, in
//              other words, a single machine can run multiple tasks in it's
//              lifetime. Task start indicates the capturing time window began.
//   * FETCH: typically a task depends on a bunch of dependencies that are
//            fetched to set up the environment before compiling the artifact.
//            Fetch indicates that the task is currently installing these deps.
//   * COMPILE: ideally in compile step, there shouldn't be any new fetching.
//   * UPLOAD: after finishing compilation, this step indicates built artifacts
//             are being uploaded to its destination. A single task can have
//             multiple produced artifacts.
//   * UPLOAD_COMPLETE: it indicates all produced artifacts have been uploaded.
//                      This is crucial to closing the capturing time window for
//                      provenance generation.
//   * TEST: often a task runs regression tests after an artifact has been
//           produced. Some times requirements around this tests is an open
//           environment which might not be safe for other task phases. To
//           support effective tests, some policies can be lifted at this stage.
//           (Although it is highly encouraged to schedule tests on a separate
//           machine when possible to minimize risks of cross-contamination).
//   * COMPLETE: complete indicates whether a task execution finished. This is
//               crucial for server to set as this creates a clear boundary
//               between subsequent tasks on a same machine.
enum TaskStage {
    STAGE_UNSPECIFIED = 0;
    STARTED = 1;
    FETCH = 2;
    COMPILE = 3;
    UPLOAD = 4;
    UPLOAD_COMPLETE = 5;
    TEST = 6;
    COMPLETE = 7;
}

// Identifies storage location of a particular artifact. This will be used to
// attach provenance:
//      * GCS: provenance will be uploaded alongside the artifact.
//      * CIPD: provenance will be added to package metadata.
// Currently we support provenance for two types of artifacts (gcs, cipd).
message Artifact {
    // Artifacts stored on CIPD. This defaults to prod instance of CIPD.
    message CIPD {
        // Identifies a hierarchical package. This will be the absolute name
        // of a package (including path).
        string package_name = 1;
        // Unique identifier of an instance of a package.
        string instance_id = 2;
        // CIPD backend host (dev/prod) where the artifact is stored.
        // If not provided, default is CIPD prod host.
        string host = 3;
    }
    oneof kind {
        // Artifacts stored on Google Cloud Storage, e.g. Chrome binaries.
        // Identifier of artifact's storage location, e.g.
        // gs://example-bucket/app/1.2.3.4/mac64/bin.dmg
        string gcs = 1;
        CIPD cipd = 2;
    }
}

message CipdReport {
    // An identifier to map multiple reports to a machine/task. This is
    // going to be the hash(access_token) used by bots to make requests
    // to luci services.
    string requestor_id = 1;

    // CIPD package name requested/installed on the machine.
    string package_name = 2;

    // Unique identifier of the package instance, a.k.a. instance_id.
    string iid = 3;

    // CIPD tags attached to the deployed package.
    repeated cipd.Tag tags = 4;

    // CIPD refs attached to the deployed package.
    repeated cipd.Ref refs = 5;

    // Event timestamp. This is local to the service, not necessarily same as
    // the reflected recorded timestamp on the logs.
    google.protobuf.Timestamp event_ts = 6;
}

message GcsReport {
    // An identifier to map multiple reports to a machine/task. This is
    // going to be a build identifier.
    string requestor_id = 1;

    // GCS URI for the artifact downloaded on the machine.
    string gcs_uri = 2;

    // Digest of the downloaded artifact.
    string digest = 3;

    // Event timestamp. This is local to the service, not necessarily same as
    // the reflected recorded timestamp on the logs.
    google.protobuf.Timestamp event_ts = 4;
}

message GitReport {
    // An identifier to map multiple reports to a machine/task. Reporter do not
    // need to set this. It is used by the server to group reports together and
    // bind them to a single task.
    string requestor_id = 1;

    // Git repository URL.
    string repo = 2;
    // Commit that was fetched for this repo.
    string commit = 3;
    // This is coming from an upstream dependency, although a checkout can be
    // uniquely attributed by a repo and a commit, they don't often produce
    // measurable inputs for security policy.
    // For example, a git repo may have multiple refs/branches and only some of
    // them may have `Code Review` required.
    //
    // To make a security policy decision about a particular commit, sometimes
    // it is useful to know which branch/ref the commit is associated with, note
    // a single commit can be associated with multiple branches, but the highest
    // security policy will always be enforced.
    // Scenario:
    // Git repo: "http://repo.git"
    // Commit  : "deadbeef"
    // Refs    : ["refs/heads/main", "refs/feature/experimental"]
    // In this example, the particular commit belongs to two branches, one does
    // not have mandatory code review (experimental) but the other does.
    //
    // Irrespective of the order of where the commit belonged first, it is
    // certain that the change was reviewed as this was merged to main branch.
    string refs = 4;

    // Event timestamp. This is local to the service, not necessarily same as
    // the reflected recorded timestamp on the logs.
    google.protobuf.Timestamp event_ts = 5;
}

message ReportTaskStageRequest {
    TaskStage task_stage = 1;
    google.protobuf.Timestamp timestamp = 2;

    // Recipe is essentially the entry point for the given task, it can be a
    // `build_rule` or a custom executable (like `luci recipes`) that dictates
    // workflow of a task.
    //
    // (Required) when reporting a task start.
    string recipe = 3;
    // Process ID of the task that self-reports task stages. It is used by the
    // server to periodically check health of running task and assert a close
    // approximation of task end time.
    //
    // Accuracy on task end time estimation can vary between implementations, it
    // directly depends on frequency at which provenance server checks status of
    // reported pid.
    //
    // (Required) when reported a task start.
    int64 pid = 4;
}

message ReportArtifactDigestRequest {
    // SHA256 digest of artifact.
    string digest = 1;

    // Identifies storage location of a particular artifact. This is used
    // by Spike to attach provenance:
    //      * GCS: provenance will be uploaded alongside the artifact.
    //      * CIPD: provenance will be added to package metadata.
    Artifact artifact = 2;

    // If set, identifies that the artifact is an SBOM for other artifacts,
    // identified by SHA256 digest.
    repeated string sbom_subjects = 3;
}

message ReportCipdRequest {
    // cipd_report will consist of package name, instance_id of a cipd package.
    CipdReport cipd_report = 1;
}

message ReportGitRequest {
    // git_report will consist of repo name, git hash of checked out repo.
    GitReport git_report = 1;
}

message ReportGcsRequest {
    // gcs_report will consist of gcs uri, hash of downloaded artifact.
    GcsReport gcs_report = 1;
}

message ReportPIDRequest {
    // Process ID to track execution of a task running. It is used by the
    // server to periodically check health of running task and assert a close
    // approximation of task end time.
    //
    // Accuracy on task end time estimation can vary between implementations, it
    // directly depends on frequency at which provenance server checks status of
    // reported pid.
    int64 pid = 1;
    // Reporter of the pid request. In the client of provenance server, this
    // should be automatically assigned by something similar to Go lang's native
    // os.Executable().
    //
    // This can be used to define an allowlist of reporters for this action.
    string reporter = 2;
}