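// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.internal.federatedcompute.v1;

import "google/protobuf/duration.proto";

option java_package = "com.google.internal.federatedcompute.v1";
option java_multiple_files = true;
option java_outer_classname = "FederatedComputeApi";

// Information that tells the client where to send the request for the next
// protocol phase (the immediately following phase only, not any additional
// subsequent phases). For example, this may point to the frontend to which
// a StartTaskAssignmentRequest should be sent, but it should not then be used
// for uploading aggregation results. A ForwardingInfo will always be returned
// to the client unless the client was not selected to continue with the
// protocol.
//
// Everything in this message is server-supplied and decides where the client
// sends its next request and what it attaches to it, so the client should
// validate it (see the per-field notes) rather than follow it blindly.
message ForwardingInfo {
  // A URI prefix for the next service to send the request for the next protocol
  // phase to.
  //
  // The URI prefix must always start with "https://". A client should treat a
  // prefix with any other scheme as a protocol error and not send the request,
  // since following it would move the next phase off TLS.
  //
  // The URI prefix may end with a trailing '/', but is not required to. During
  // the construction of the next protocol request, a slash will always be
  // inserted by the client between this prefix and the request's URI suffix.
  //
  // For example, if some protocol response's ForwardingInfo contains the prefix
  // "https://foo.bar.com" or "https://foo.bar.com/", and if the subsequent
  // protocol request's URI suffix is "/baz", then the subsequent request's full
  // URI would be "https://foo.bar.com/baz".
  string target_uri_prefix = 1;

  // Request headers that should be included with the next request for the next
  // protocol phase. Note that these headers should only be applied to protocol
  // requests (incl. requests to the long running `Operations` service), but not
  // to any `Resource` fetch requests.
  //
  // NOTE(review): these are attached verbatim by the client. Whether they may
  // override headers the client sets itself (e.g. its own authentication
  // headers) is not specified here; confirm the client's merge policy.
  map<string, string> extra_request_headers = 2;
}

// The attestation measurement providing evidence of integrity for a client.
message AttestationMeasurement {
  // Opaque attestation value. Its format, and how the server verifies it, are
  // defined by the attestation scheme in use and not by this file.
  string value = 1;
}

// Identifies the client software release.
message ClientVersion {
  // Version code identifying the client release.
  string version_code = 1;
}

// A resource the client must obtain for the protocol, delivered either by
// reference (`uri`) or inline (`inline_resource`).
message Resource {
  // A resource can either be downloaded via a URI, or has its data inlined in
  // this message itself.
  oneof resource {
    // The URI the resource can be downloaded from. Note that the
    // `ForwardingInfo.target_uri_prefix` field generally does not apply to
    // these URIs.
    //
    // NOTE(review): unlike `target_uri_prefix`, no scheme requirement is stated
    // for this URI; confirm that the client restricts fetches to "https://".
    string uri = 1;

    // The inlined data for the resource. This supersedes the former `data`
    // field (number 2, reserved below).
    InlineResource inline_resource = 3;
  }

  message InlineResource {
    // The inlined data for the resource.
    bytes data = 1;

    // The compression used for the inlined data, or unset if the data is
    // uncompressed.
    optional ResourceCompressionFormat compression_format = 2;
  }

  // Stable identifier for this resource, used by the client cache
  // implementation. If this field is not set, the client should not attempt to
  // cache the resource referenced by `uri`. Not set for inline_resources.
  string client_cache_id = 4;

  // The maximum duration for how long the resource should be cached by the
  // client. Not set if `client_cache_id` is not set.
  google.protobuf.Duration max_age = 5;

  // The compression used for the resource, or unset if the data is
  // uncompressed. Presumably this describes the payload fetched via `uri`,
  // since an `InlineResource` carries its own `compression_format`; confirm
  // against the client before relying on that.
  optional ResourceCompressionFormat compression_format = 999;

  // Field 2 was the former `data` field. Both the number and the name are
  // reserved so neither can be reused for a field with different semantics
  // (the name matters for JSON and generated-code compatibility).
  reserved 2;
  reserved "data";
}

// The client's capabilities for processing Resource messages, such as the
// compressed file formats supported.
message ResourceCapabilities {
  // Compression formats supported for resources downloaded via `Resource.uri`.
  // All clients are assumed to support uncompressed payloads.
  repeated ResourceCompressionFormat supported_compression_formats = 1;
}

// Different file formats that may be used to compress resources.
enum ResourceCompressionFormat {
  RESOURCE_COMPRESSION_FORMAT_UNSPECIFIED = 0;
  // Gzip-compressed data. If data is compressed in this way, then the
  // "Content-Type" HTTP response header will have a "+gzip" suffix.
  RESOURCE_COMPRESSION_FORMAT_GZIP = 1;
}

// Sent when the client (device) is rejected for participation and is not
// assigned a task. Carries the reason and, depending on it, what the client
// should do next.
// Next id: 1004
message RejectionInfo {
  // Why the client was rejected. Reads as UNKNOWN (0) when not set.
  RejectionReason.Enum reason = 1001;

  // Metadata for client to take next action.
  oneof metadata {
    // Retry after a period of time.
    RetryWindow retry_window = 1002;

    // The field is used when the RejectionReason is UNAUTHENTICATED.
    AuthenticationMetadata auth_metadata = 1003;
  }
}

// The metadata used to authenticate a device.
// Next Id: 2
message AuthenticationMetadata {
  KeyAttestationAuthMetadata key_attestation_metadata = 1;
}

// The metadata to authenticate with key attestation.
// Next Id: 2
message KeyAttestationAuthMetadata {
  // The challenge to generate hardware-backed key pairs on device.
  //
  // NOTE(review): for the resulting attestation to be bound to this exchange,
  // the server should issue a fresh, unpredictable challenge per request and
  // reject attestations over any other value; that contract is not stated
  // here, confirm it server-side.
  bytes challenge = 1;
}

// Next id: 6
message RejectionReason {
  enum Enum {
    // Unknown status.
    UNKNOWN = 0;

    // There is no available task to join.
    NO_TASK_AVAILABLE = 1;

    // No permission to do the operation.
    UNAUTHORIZED = 2;

    // The device is not authenticated to the server.
    UNAUTHENTICATED = 3;

    // The device version does not match the required versions specified by
    // the server.
    CLIENT_VERSION_MISMATCH = 4;

    // No active task exists for the given population name.
    NO_ACTIVE_TASK_EXISTS = 5;
  }
}

// A suggestion to the client when to retry the connection to the service next
// time.
message RetryWindow {
  // The suggested minimal duration after which the client should
  // retry. If the client retries earlier, it is likely it will be rejected
  // again.
  google.protobuf.Duration delay_min = 1;

  // Required. The suggested maximal duration after which the client should
  // retry, provided scheduling conditions allow. The client is supposed to make
  // a best effort to callback in the min..max window, and should avoid
  // calling before min. If the client calls after max, the likelihood to be
  // rejected again is higher.
  google.protobuf.Duration delay_max = 2;
}

// Information about where to upload data (e.g. aggregation results, client
// stats).
message ByteStreamResource {
  // Information to construct the URI to use for uploading the data.
  ForwardingInfo data_upload_forwarding_info = 1;

  // Resource name to which the data should be uploaded.
  // Clients should use this field as well as the
  // `ForwardingInfo.target_uri_prefix` to create the upload URL:
  // {target_uri_prefix}/upload/v1/media/{resource_name} (where
  // `{resource_name}` should be encoded as a multipath segment, as described
  // in
  // https://github.com/googleapis/googleapis/blob/master/google/api/http.proto).
  string resource_name = 2;
}

// Copied from //google/rpc/status.proto.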
message Status {
  // The status code, which should be an enum value of [google.rpc.Code][]
  // (mirrored below as `Code`).
  int32 code = 1;

  // Error description accompanying `code`.
  string message = 2;
}

// Mirror of google.rpc.Code, the value space of `Status.code`. Names and
// numbers must stay identical to the upstream enum, including UNAUTHENTICATED
// being numbered 16 out of sequence.
enum Code {
  // Not an error; returned on success.
  //
  // HTTP Mapping: 200 OK
  OK = 0;

  // The operation was cancelled, typically by the caller.
  //
  // HTTP Mapping: 499 Client Closed Request
  CANCELLED = 1;

  // Unknown error. For example, this error may be returned when
  // a `Status` value received from another address space belongs to
  // an error space that is not known in this address space. Also
  // errors raised by APIs that do not return enough error information
  // may be converted to this error.
  //
  // HTTP Mapping: 500 Internal Server Error
  UNKNOWN = 2;

  // The client specified an invalid argument. Note that this differs
  // from `FAILED_PRECONDITION`. `INVALID_ARGUMENT` indicates arguments
  // that are problematic regardless of the state of the system
  // (e.g., a malformed file name).
  //
  // HTTP Mapping: 400 Bad Request
  INVALID_ARGUMENT = 3;

  // The deadline expired before the operation could complete. For operations
  // that change the state of the system, this error may be returned
  // even if the operation has completed successfully. For example, a
  // successful response from a server could have been delayed long
  // enough for the deadline to expire.
  //
  // HTTP Mapping: 504 Gateway Timeout
  DEADLINE_EXCEEDED = 4;

  // Some requested entity (e.g., file or directory) was not found.
  //
  // Note to server developers: if a request is denied for an entire class
  // of users, such as gradual feature rollout or undocumented allowlist,
  // `NOT_FOUND` may be used. If a request is denied for some users within
  // a class of users, such as user-based access control, `PERMISSION_DENIED`
  // must be used.
  //
  // HTTP Mapping: 404 Not Found
  NOT_FOUND = 5;

  // The entity that a client attempted to create (e.g., file or directory)
  // already exists.
  //
  // HTTP Mapping: 409 Conflict
  ALREADY_EXISTS = 6;

  // The caller does not have permission to execute the specified
  // operation. `PERMISSION_DENIED` must not be used for rejections
  // caused by exhausting some resource (use `RESOURCE_EXHAUSTED`
  // instead for those errors). `PERMISSION_DENIED` must not be
  // used if the caller can not be identified (use `UNAUTHENTICATED`
  // instead for those errors). This error code does not imply the
  // request is valid or the requested entity exists or satisfies
  // other pre-conditions.
  //
  // HTTP Mapping: 403 Forbidden
  PERMISSION_DENIED = 7;

  // The request does not have valid authentication credentials for the
  // operation.
  //
  // HTTP Mapping: 401 Unauthorized
  UNAUTHENTICATED = 16;

  // Some resource has been exhausted, perhaps a per-user quota, or
  // perhaps the entire file system is out of space.
  //
  // HTTP Mapping: 429 Too Many Requests
  RESOURCE_EXHAUSTED = 8;

  // The operation was rejected because the system is not in a state
  // required for the operation's execution. For example, the directory
  // to be deleted is non-empty, an rmdir operation is applied to
  // a non-directory, etc.
  //
  // Service implementors can use the following guidelines to decide
  // between `FAILED_PRECONDITION`, `ABORTED`, and `UNAVAILABLE`:
  //  (a) Use `UNAVAILABLE` if the client can retry just the failing call.
  //  (b) Use `ABORTED` if the client should retry at a higher level. For
  //      example, when a client-specified test-and-set fails, indicating the
  //      client should restart a read-modify-write sequence.
  //  (c) Use `FAILED_PRECONDITION` if the client should not retry until
  //      the system state has been explicitly fixed. For example, if an "rmdir"
  //      fails because the directory is non-empty, `FAILED_PRECONDITION`
  //      should be returned since the client should not retry unless
  //      the files are deleted from the directory.
  //
  // HTTP Mapping: 400 Bad Request
  FAILED_PRECONDITION = 9;

  // The operation was aborted, typically due to a concurrency issue such as
  // a sequencer check failure or transaction abort.
  //
  // See the guidelines above for deciding between `FAILED_PRECONDITION`,
  // `ABORTED`, and `UNAVAILABLE`.
  //
  // HTTP Mapping: 409 Conflict
  ABORTED = 10;

  // The operation was attempted past the valid range. E.g., seeking or
  // reading past end-of-file.
  //
  // Unlike `INVALID_ARGUMENT`, this error indicates a problem that may
  // be fixed if the system state changes. For example, a 32-bit file
  // system will generate `INVALID_ARGUMENT` if asked to read at an
  // offset that is not in the range [0,2^32-1], but it will generate
  // `OUT_OF_RANGE` if asked to read from an offset past the current
  // file size.
  //
  // There is a fair bit of overlap between `FAILED_PRECONDITION` and
  // `OUT_OF_RANGE`. We recommend using `OUT_OF_RANGE` (the more specific
  // error) when it applies so that callers who are iterating through
  // a space can easily look for an `OUT_OF_RANGE` error to detect when
  // they are done.
  //
  // HTTP Mapping: 400 Bad Request
  OUT_OF_RANGE = 11;

  // The operation is not implemented or is not supported/enabled in this
  // service.
  //
  // HTTP Mapping: 501 Not Implemented
  UNIMPLEMENTED = 12;

  // Internal errors. This means that some invariants expected by the
  // underlying system have been broken. This error code is reserved
  // for serious errors.
  //
  // HTTP Mapping: 500 Internal Server Error
  INTERNAL = 13;

  // The service is currently unavailable. This is most likely a
  // transient condition, which can be corrected by retrying with
  // a backoff. Note that it is not always safe to retry
  // non-idempotent operations.
  //
  // See the guidelines above for deciding between `FAILED_PRECONDITION`,
  // `ABORTED`, and `UNAVAILABLE`.
  //
  // HTTP Mapping: 503 Service Unavailable
  UNAVAILABLE = 14;

  // Unrecoverable data loss or corruption.
  //
  // HTTP Mapping: 500 Internal Server Error
  DATA_LOSS = 15;
}