Skip to content

Commit

Permalink
OIDC JIT Public API Changes (#611)
Browse files Browse the repository at this point in the history 
* API Doc changes for OIDC JIT provisioning
* JIT Description updates for clarity and consistency
* Restored resource APIs

---------

Co-authored-by: AbiMano4688 <[email protected]>
  • Loading branch information
@jrdevore @AbiMano4688
jrdevore and AbiMano4688 authored Feb 15, 2024
1 parent 1433b54 commit 7ae054e
Show file tree
Hide file tree
Showing 3 changed files with 212 additions and 16 deletions.
89 changes: 75 additions & 14 deletions openapi-specs/cspm/PermissionGroupsMicroService.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,14 +59,28 @@
"url": "https://api.fr.prismacloud.io"
}
],
"tags": [
"security": [
{
"CertAuth": []
},
{
"description": "Permission groups enable you to restrict access to one or more features available on the Prisma Cloud administrative console. Permission group APIs allow you to retrieve, update or delete one or more existing permissions groups. You can also use these APIs to create a custom permission group and then you must attach it to a role and assign the role to a user.",
"name": "Permission Groups"
"ServiceJwt": []
},
{
"UserJwt": []
},
{
"x-redlock-auth": []
}
],
"tags": [
{
"name": "SSO",
"description": "On Prisma Cloud, you can enable single sign-on (SSO) using an Identity Provider (IdP) that supports Security Assertion Markup Language (SAML) or OpenID Connect (OIDC), such as Okta, Microsoft Active Directory Federation Services (ADFS), Azure Active Directory (AD), Google, or OneLogin. You can configure only one IdP for all the cloud accounts that Prisma Cloud monitors. Prisma Cloud System Administrators can use the following APIs to configure tenant SSO."
"description": "On Prisma Cloud, you can enable single sign-on (SSO) using an Identity Provider (IdP) that supports Security Assertion Markup Language (SAML) or OpenID Connect (OIDC), such as Okta, Microsoft Active Directory Federation Services (ADFS), Azure Active Directory (AD), Google, or OneLogin. Prisma Cloud System Administrators can use the following APIs to configure tenant SSO."
},
{
"name": "Permission Groups",
"description": "Permission groups enable you to restrict access to one or more features available on the Prisma Cloud administrative console. Permission group APIs allow you to retrieve, update or delete one or more existing permissions groups. You can also use these APIs to create a custom permission group and then you must attach it to a role and assign the role to a user."
}
],
"paths": {
Expand All @@ -82,7 +96,7 @@
{
"name": "id",
"in": "path",
"description": "PermissionGroupID",
"description": "Permission Group ID",
"required": true,
"schema": {
"type": "string"
Expand Down Expand Up @@ -296,6 +310,16 @@
"summary": "Update SAML Configuration",
"description": "Used by System Admins to update the SAML Configuration for the tenancy",
"operationId": "update-saml-config",
"parameters": [
{
"name": "clientIp",
"in": "header",
"required": false,
"schema": {
"type": "string"
}
}
],
"requestBody": {
"content": {
"application/json": {
Expand Down Expand Up @@ -354,6 +378,16 @@
"summary": "Create SAML Configuration",
"description": "Used by System Admins to create the SAML Configuration for the tenancy",
"operationId": "create-saml-config",
"parameters": [
{
"name": "clientIp",
"in": "header",
"required": false,
"schema": {
"type": "string"
}
}
],
"requestBody": {
"content": {
"application/json": {
Expand Down Expand Up @@ -865,7 +899,7 @@
{
"name": "user_name",
"in": "query",
"description": "User name of the tenant requesting the login URL.",
"description": "User name requesting the login URL.",
"required": false,
"schema": {
"type": "string"
Expand All @@ -874,7 +908,7 @@
{
"name": "prisma_id",
"in": "query",
"description": "PrismaId of the tenant requesting the login URL.",
"description": "Prisma ID for the tenant of the user requesting the login.",
"required": false,
"schema": {
"type": "string"
Expand Down Expand Up @@ -960,7 +994,7 @@
"description": "A mapping of operations and a boolean value representing whether the privilege to perform the operation needs to be granted."
}
},
"description": "Collection of permitted features associated with the role. \n Refer to PermissionGroup API docs to get the entire list of PC features."
"description": "List of Prisma Cloud Features"
},
"PermissionGroupRequest": {
"title": "Model used for permission group",
Expand Down Expand Up @@ -1184,6 +1218,7 @@
"clientId",
"idpAuthUri",
"issuer",
"scopes",
"tokenUri"
],
"type": "object",
Expand All @@ -1194,11 +1229,6 @@
"format": "uuid",
"readOnly": true
},
"clientSecret": {
"type": "string",
"description": "Client ID secret from the Identity Provider(IdP).",
"writeOnly": true
},
"prismaId": {
"type": "integer",
"description": "Prisma ID of the tenant.",
Expand All @@ -1209,10 +1239,25 @@
"type": "string",
"description": "Client ID obtained after Identity Provider(IdP) configuration."
},
"clientSecret": {
"type": "string",
"description": "Secret for the client id",
"writeOnly": true
},
"issuer": {
"type": "string",
"description": "The identifier of the OpenID Connect(OIDC) provider."
},
"scopes": {
"type": "array",
"description": "Identifiers used to specify what access privileges are being requested.",
"example": "[openid, email, profile]",
"items": {
"type": "string",
"description": "Identifiers used to specify what access privileges are being requested.",
"example": "[openid, email, profile]"
}
},
"grantType": {
"type": "string",
"description": "Grant types are a way to specify how a client wants to interact with an Identity Provider(IdP).",
Expand All @@ -1238,7 +1283,7 @@
},
"jwkSetUri": {
"type": "string",
"description": "The URL of the Identity Provider(IdP) JSON Web Key Set document. This document contains signing keys that are used to validate the signatures from the provider."
"description": "The URL of the Identity Provider(IdP) JSON Web Key Set document.This document contains signing keys that are used to validate the signatures from the provider."
},
"endSessionUri": {
"type": "string",
Expand All @@ -1252,6 +1297,22 @@
false
]
},
"isJitEnabled": {
"type": "boolean",
"description": "Is JIT enabled",
"enum": [
true,
false
]
},
"jitRoleClaimName": {
"type": "string",
"description": "Token claim providing the name of Prisma Cloud role for user."
},
"jitDefaultRoleId": {
"type": "string",
"description": "Default Prisma Cloud role to use for JIT when claim is missing or undefined."
},
"pcAuthUri": {
"type": "string",
"description": "Prisma Cloud endpoint URL to begin the authentication flow.",
Expand Down
136 changes: 134 additions & 2 deletions openapi-specs/cspm/ResourceExplorer.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -620,12 +620,55 @@
},
"info": {
"contact": {},
"description": "### Where Do I Find the RRN For My Resource?\n\nWhere Do I Find the RRN For My Resource?\\n\\nYou can find the RRN for a resource in the URL when you \nnavigate to **Data Inventory > {Total Objects} > {Object Name} > {Resource Name}**.\\nThe following is an example of such a URL. The RRN is in the URL query string.\n\n```\nhttps://app.prismacloud.io/investigate/details?resourceId=rrn:aws:storageBucket:us-east-1:123456789012:test-bucket \n``` \n\n### Account Representation\n\nIf the **regionId** and **resourceId** are not in the RRN, then the **cloudType** and **resourceType** fields\nin thr RRN are optional. In this siutation, the RRN identifies an account.\n\n\nFull RRN:\n```\nrrn:::us-west-1:12345678901:i-ABCDEFGH\n```\n\nAbridged RRN:\n``` \nrrn::::12345678901\n```\n",
"description": "### Where Do I Find the RRN For My Resource?\n\nWhere Do I Find the RRN For My Resource?\\n\\nYou can find the RRN for a resource in the URL when you \nnavigate to **Data Inventory > {Total Objects} > {Object Name} > {Resource Name}**.\\nThe following is an example of such a URL. The RRN is in the URL query string.\n\n```\nhttps://app.prismacloud.io/investigate/details?resourceId=rrn:aws:storageBucket:us-east-1:123456789012:test-bucket \n``` \n\n### Account Representation\n\nIf the **regionId** and **resourceId** are not in the RRN, then the **cloudType** and **resourceType** fields\nin thr RRN are optional. In this situation, the RRN identifies an account.\n\n\nFull RRN:\n```\nrrn:::us-west-1:12345678901:i-ABCDEFGH\n```\n\nAbridged RRN:\n``` \nrrn::::12345678901\n```\n",
"title": "Prisma Cloud Resource Explorer API Overview",
"version": "Latest"
},
"openapi": "3.0.0",
"paths": {
"/resource": {
"post": {
"deprecated": true,
"description": "\nReturns detailed information for the resource with the given **rrn**.\n:::info\n **Replacement  Endpoint: [Get Asset](/prisma-cloud/api/cspm/get-asset-details-by-id)**\n:::\n\r\n\r\nGenerally, the data field in the response object contains the raw JSON blob as is received from the \nsource cloud service provider API for the given resource.\n\nOnly the **rrn** parameter in the request body is used for this API. Ignore the **timelineItemId** and \n**findingType** fields for this API.\n\nAn example request body is:\n```\n{\n \"rrn\": \"rrn::storageBucket:us-east-1:123456789012:test-bucket\"\n}\n```\n",
"operationId": "get-resource",
"requestBody": {
"content": {
"application/json; charset=UTF-8": {
"schema": {
"$ref": "#/components/schemas/ResourceExplorerRequest"
}
}
}
},
"responses": {
"200": {
"content": {
"application/json; charset=UTF-8": {
"schema": {
"$ref": "#/components/schemas/ResourceMetaModel"
}
}
},
"description": "successful operation"
},
"400": {
"description": "bad_request / no_results / invalid_parameter_value"
},
"404": {
"description": "not_found"
}
},
"security": [
{
"x-redlock-auth": []
}
],
"summary": "Get Resource",
"tags": [
"Resource Explorer"
]
}
},
"/resource/alert": {
"post": {
"description": "Get a list of alerts associated with a given resource. \r\n\r\nOnly the **rrn** parameter in the request body is used for this API. Ignore the **timelineItemId** and \n**findingType** fields for this API.\n\nAn example request body is:\n```\n{\n \"rrn\": \"rrn::storageBucket:us-east-1:123456789012:test-bucket\"\n}\n```\n",
Expand Down Expand Up @@ -817,6 +860,95 @@
]
}
},
"/resource/timeline": {
"post": {
"deprecated": true,
"description": "\n Returns a timeline of events and alerts for the given resource.\n:::info\n **Replacement  Endpoint: [Get Asset](/prisma-cloud/api/cspm/get-asset-details-by-id)**\n:::\n\n\r\n\r\nOnly the **rrn** parameter in the request body is used for this API. Ignore the **timelineItemId** and \n**findingType** fields for this API.\n\nAn example request body is:\n```json\n{\n \"\"rrn\": \"rrn::instance:us-east-1:i-xxxxxxxxxx\"\n}\n```\n",
"operationId": "get-timeline-for-resource",
"requestBody": {
"content": {
"application/json; charset=UTF-8": {
"schema": {
"$ref": "#/components/schemas/ResourceExplorerRequest"
}
}
}
},
"responses": {
"200": {
"content": {
"application/json; charset=UTF-8": {
"schema": {
"items": {
"$ref": "#/components/schemas/ResourceTimelineItem"
},
"type": "array"
}
}
},
"description": "successful operation"
},
"400": {
"description": "invalid_parameter_value"
},
"404": {
"description": "not_found"
}
},
"security": [
{
"x-redlock-auth": []
}
],
"summary": "Get Resource Timeline",
"tags": [
"Resource Explorer"
]
}
},
"/resource/raw": {
"post": {
"deprecated": true,
"description": "Returns the raw metadata of the configuration of a resource at a given point in time.\n:::info\n **Replacement  Endpoint: [Get Asset](/prisma-cloud/api/cspm/get-asset-details-by-id)**\n:::\n\n\r\n\r\nGenerally, the response object contains the raw JSON blob as is received from the \nsource cloud service provider API.\n\nOnly the **rrn** parameter in the request body is used for this API. Ignore the **findingType** \nfield for this API.\n\nYou can find the **timelineItemId** for your resource from the timeline results that \n[Get Resource Timeline](/prisma-cloud/api/cspm/get-timeline-for-resource)\nreturns.\n\nAn example request body is:\n```json\n{\n \"rrn\": \"rrn::instance:us-east-1:i-xxxxxxxxxx\",\n \"timelineItemId\": \"xxxxxxxxxxxxxx\"\n}\n```\n",
"operationId": "get-resource-raw",
"requestBody": {
"content": {
"application/json; charset=UTF-8": {
"schema": {
"$ref": "#/components/schemas/ResourceExplorerRequest"
}
}
}
},
"responses": {
"200": {
"content": {
"application/json; charset=UTF-8": {
"schema": {
"type": "object"
}
}
},
"description": "successful operation"
},
"400": {
"description": "invalid_parameter_value"
},
"404": {
"description": "not_found"
}
},
"security": [
{
"x-redlock-auth": []
}
],
"summary": "Get Resource (Raw)",
"tags": [
"Resource Explorer"
]
}
},
"/resource/external_integration": {
"post": {
"description": "Returns a list of external ingestion integrations for the specified resource.",
Expand Down Expand Up @@ -909,7 +1041,7 @@
],
"tags": [
{
"description": "### Where Do I Find the RRN For My Resource?\n\nWhere Do I Find the RRN For My Resource?\\n\\nYou can find the RRN for a resource in the URL when you \nnavigate to **Data Inventory > {Total Objects} > {Object Name} > {Resource Name}**.\\nThe following is an example of such a URL. The RRN is in the URL query string.\n\n```\nhttps://app.prismacloud.io/investigate/details?resourceId=rrn:aws:storageBucket:us-east-1:123456789012:test-bucket \n``` \n\n### Account Representation\n\nIf the **regionId** and **resourceId** are not in the RRN, then the **cloudType** and **resourceType** fields\nin thr RRN are optional. In this siutation, the RRN identifies an account.\n\n\nFull RRN:\n```\nrrn:::us-west-1:12345678901:i-ABCDEFGH\n```\n\nAbridged RRN:\n``` \nrrn::::12345678901\n```\n",
"description": "### Where Do I Find the RRN For My Resource?\n\nWhere Do I Find the RRN For My Resource?\\n\\nYou can find the RRN for a resource in the URL when you \nnavigate to **Data Inventory > {Total Objects} > {Object Name} > {Resource Name}**.\\nThe following is an example of such a URL. The RRN is in the URL query string.\n\n```\nhttps://app.prismacloud.io/investigate/details?resourceId=rrn:aws:storageBucket:us-east-1:123456789012:test-bucket \n``` \n\n### Account Representation\n\nIf the **regionId** and **resourceId** are not in the RRN, then the **cloudType** and **resourceType** fields\nin thr RRN are optional. In this situation, the RRN identifies an account.\n\n\nFull RRN:\n```\nrrn:::us-west-1:12345678901:i-ABCDEFGH\n```\n\nAbridged RRN:\n``` \nrrn::::12345678901\n```\n",
"name": "Resource Explorer"
}
]
Expand Down
3 changes: 3 additions & 0 deletions openapi-specs/cspm/consolidated_spec/all_endpoints.csv
View file
Original file line number Diff line number Diff line change
Expand Up @@ -392,10 +392,13 @@
"get","/report/{id}/{lastScheduled}/download","Download Historical Report","download-historical-by-id","Reports","Monolith"
"get","/filter/report/suggest","Get Report Overview Filters and Options","get-report-filters-and-options","Reports","Monolith"
"post","/filter/report/suggest","List Report Overview Filter Autocomplete Suggestions","get-report-posture-filter-options","Reports","Monolith"
"post","/resource","Get Resource","get-resource","Resource Explorer","Monolith"
"post","/resource/alert","Get Alerts for Resource","get-alerts-for-resource","Resource Explorer","Monolith"
"post","/resource/network","Get Resource Network Settings","get-network-for-resource","Resource Explorer","Monolith"
"get","/resource/external_finding","List Host Findings For Alert","get-host-findings-for-alert","Resource Explorer","Monolith"
"post","/resource/external_finding","List Host Findings","get-host-findings","Resource Explorer","Monolith"
"post","/resource/timeline","Get Resource Timeline","get-timeline-for-resource","Resource Explorer","Monolith"
"post","/resource/raw","Get Resource (Raw)","get-resource-raw","Resource Explorer","Monolith"
"post","/resource/external_integration","Get External Ingest Integrations for the resource","get-external-integrations-for-resource","Resource Explorer","Monolith"
"get","/v1/resource_list","Get Resource Lists","get-all-resource-list-for-customer","Resource Lists","Monolith"
"post","/v1/resource_list","Add Resource List","add-resource-list","Resource Lists","Monolith"
Expand Down

0 comments on commit 7ae054e

Please sign in to comment.