rework folder

proto/sso/account.proto

@@ -0,0 +1,147 @@
+syntax = "proto3";
+
+package account.v1;
+
+option go_package = "git.lendry.ru/lendry-erp/proto.git/go;pb";
+
+service AccountService {
+  rpc GetAccount(GetAccountRequest) returns (GetAccountResponse);
+  rpc ChangePassword (ChangePasswordRequest) returns (ChangePasswordResponse);
+  rpc AdminResetPassword (AdminResetPasswordRequest) returns (AdminResetPasswordResponse);
+  rpc CreateUser(CreateUserRequest) returns (CreateUserResponse);
+  rpc DeleteUser(DeleteUserRequest) returns (DeleteUserResponse);
+  rpc ChangeData(ChangeDataRequest) returns (ChangeDataResponse);
+  rpc SetPin (SetPinRequest) returns (SetPinResponse);
+  rpc UnlockPin (UnlockPinRequest) returns (UnlockPinResponse);
+  rpc GetPinStatus (GetPinStatusRequest) returns (GetPinStatusResponse);
+  rpc RemovePin (RemovePinRequest) returns (RemovePinResponse);
+}
+
+message GetAccountRequest {
+  string id = 1;
+}
+
+message GetAccountResponse {
+  string id = 1;
+  string username = 2;
+  string email = 3;
+  string phone = 4;
+  string full_name = 5;
+  bool is_ldap = 6;
+  string status = 7;
+  repeated string roles = 8;
+  string avatar_url = 9;
+  optional string employee_id = 10;
+  string presence = 11;
+  string last_active = 12;
+  string custom_status_text = 13;
+  string custom_status_emoji = 14;
+  string timezone = 15;
+  string language = 16;
+  bool two_fa_enabled = 17;
+  bool has_pin = 18;
+}
+
+message ChangePasswordRequest {
+  string user_id = 1;
+  string old_password = 3;
+  string new_password = 4;
+  optional string code = 5;
+  string session_id = 6;
+}
+
+message ChangePasswordResponse {
+  bool success = 1;
+  string message = 2;
+}
+
+message CreateUserRequest {
+  string username = 1;
+  string password = 2;
+  repeated string roles = 3;
+}
+
+message CreateUserResponse {
+  bool success = 1;
+  string message = 2;
+}
+
+message DeleteUserRequest {
+  string user_id = 1;
+}
+
+message DeleteUserResponse {
+  bool success = 1;
+  string message = 2;
+}
+
+message ChangeDataRequest {
+  string user_id = 1;
+  string session_id = 2;
+  optional string email = 3;
+  optional string phone = 4;
+  optional string full_name = 5;
+  optional string avatar_url = 6;
+  optional string custom_status_text = 7;
+  optional string custom_status_emoji = 8;
+  optional string timezone = 9;
+  optional string language = 10;
+}
+
+message ChangeDataResponse {
+  bool success = 1;
+  string message = 2;
+}
+
+message AdminResetPasswordRequest {
+  string user_id = 1;
+  string new_password = 2;
+}
+
+message AdminResetPasswordResponse {
+  bool success = 1;
+  string message = 2;
+}
+
+message SetPinRequest {
+  string user_id = 1;
+  string session_id = 2;
+  string pin = 3;
+}
+
+message SetPinResponse {
+  bool success = 1;
+  string message = 2;
+}
+
+message UnlockPinRequest {
+  string user_id = 1;
+  string session_id = 2;
+  string pin = 3;
+}
+
+message UnlockPinResponse {
+  bool success = 1;
+  string message = 2;
+}
+
+message GetPinStatusRequest {
+  string user_id = 1;
+  string session_id = 2;
+}
+
+message GetPinStatusResponse {
+  bool has_pin = 1;
+  bool is_locked = 2;
+  string lock_until = 3;
+}
+
+message RemovePinRequest {
+  string pin = 1;
+  string user_id = 2;
+  string session_id=3;
+}
+message RemovePinResponse {
+  bool success = 1;
+  string message = 2;
+}

proto/sso/auth.proto

@@ -0,0 +1,104 @@
+syntax = "proto3";
+
+package auth.v1;
+
+option go_package = "git.lendry.ru/lendry-erp/proto.git/go;pb";
+
+service AuthService {
+    rpc Login (LoginRequest) returns (LoginResponse);
+    rpc Refresh (RefreshRequest) returns (RefreshResponse);
+    rpc VerifyToken (VerifyTokenRequest) returns (VerifyTokenResponse);
+    rpc GetAccountRoleLevel (GetAccountRoleLevelRequest) returns (GetAccountRoleLevelResponse);
+    rpc Logout (LogoutRequest) returns (LogoutResponse);
+    rpc LogoutOther (LogoutRequest) returns (LogoutResponse);
+    rpc GetSessions(GetSessionRequest) returns (GetSessionsResponse);
+    rpc TerminateSession(TerminateSessionRequest) returns (TerminateSessionResponse);
+    
+}
+
+message LoginRequest {
+  string username = 1;
+  string password = 2;
+}
+
+message LoginResponse {
+  string access_token = 1;
+  string refresh_token = 2;
+  string status = 3;
+  bool need2fa = 4;
+  optional string temp_token = 5;
+  optional string message = 6;
+  optional string error_code = 7;
+}
+
+message RefreshRequest {
+  string refresh_token = 1;
+}
+
+message RefreshResponse {
+  string access_token = 1;
+  string refresh_token = 2;
+}
+
+message LogoutRequest {
+  string user_id = 1;
+  string session_id = 2;
+}
+
+message LogoutResponse {
+  bool success = 1;
+  string message = 2;
+}
+
+message VerifyTokenRequest {
+  string token = 1;
+}
+
+message VerifyTokenResponse {
+  bool is_valid = 1;
+  optional string error_message = 2;
+  optional string id = 3;
+  optional string username = 4;
+  optional int32 role_level = 5;
+  repeated string permissions = 6;
+  optional string session_id = 7;
+  optional bool requires_pin = 8;
+}
+
+message GetAccountRoleLevelRequest {
+  string account_id = 1;
+}
+
+message GetAccountRoleLevelResponse {
+  bool found = 1;
+  int32 role_level = 2;
+}
+
+message GetSessionRequest {
+  string user_id = 1;
+  string current_session_id = 2;
+}
+
+message SessionItem {
+  string id = 1; // Здесь будет лежать захэшированный ID
+  string ip_address = 2;
+  string user_agent = 3;
+  int64 last_activity = 4; // Unix timestamp в миллисекундах
+  bool is_current = 5; // Флаг текущей сессии
+}
+
+message GetSessionsResponse {
+  repeated SessionItem sessions = 1;
+}
+
+message TerminateSessionRequest {
+  string user_id = 1;
+  string target_hash = 2; // Хэш сессии, которую нужно убить
+}
+
+message TerminateSessionResponse {
+  bool success = 1;
+  string message = 2;
+}
+
+

proto/sso/ldap-auth.proto

@@ -0,0 +1,26 @@
+syntax = "proto3";
+
+package ldap_auth.v1;
+
+option go_package = "git.lendry.ru/lendry-erp/proto.git/go;pb";
+
+import "ldap.proto";
+
+
+service LdapAuthService {
+  rpc VerifyUser (VerifyRequest) returns (VerifyResponse);
+
+}
+
+// --- Авторизация ---
+message VerifyRequest {
+  string username = 1;
+  string password = 2;
+}
+
+message VerifyResponse {
+  bool success = 1;
+  string error_message = 2;
+  ldap.v1.UserData user = 3; // Отдаем полные данные при успешном входе
+}
+

proto/sso/ldap.proto

@@ -0,0 +1,95 @@
+syntax = "proto3";
+
+package ldap.v1;
+
+option go_package = "git.lendry.ru/lendry-erp/proto.git/go;pb";
+
+service LdapService {
+  // Управление Пользователями (Bind системного аккаунта) ---
+  rpc GetUsers (EmptyRequest) returns (UserListResponse);
+  rpc CreateUser (CreateUserRequest) returns (StatusResponse);
+  rpc UpdateUser (UpdateUserRequest) returns (StatusResponse);
+  rpc ChangePassword (ChangePasswordRequest) returns (StatusResponse);
+  rpc ToggleUserStatus (ToggleStatusRequest) returns (StatusResponse);
+
+  // Управление Группами ---
+  rpc GetGroups (EmptyRequest) returns (GroupListResponse);
+  rpc AddUserToGroup (GroupMemberRequest) returns (StatusResponse);
+  rpc RemoveUserFromGroup (GroupMemberRequest) returns (StatusResponse);
+}
+
+// ==========================================
+// БАЗОВЫЕ И ПЕРЕИСПОЛЬЗУЕМЫЕ СТРУКТУРЫ
+// ==========================================
+message EmptyRequest {}
+
+// Стандартный ответ для мутаций (создание, обновление, удаление)
+message StatusResponse {
+  bool success = 1;
+  string error_message = 2;
+}
+
+// Полная модель пользователя
+message UserData {
+  string dn = 1; // Полный путь в AD (Distinguished Name)
+  string username = 2; // Логин (sAMAccountName)
+  string display_name = 3; // ФИО (displayName)
+  string email = 4; // Почта (mail)
+  string description = 5; // Описание/Должность (description)
+  bytes avatar = 6; // Аватарка в байтах (thumbnailPhoto)
+  repeated string groups = 7; // Список групп
+  bool is_active = 8; // Статус аккаунта
+  string phone = 9;
+}
+
+// Модель группы
+message GroupData {
+  string dn = 1;
+  string name = 2; // Короткое имя группы (cn)
+}
+
+// --- Списки ---
+message UserListResponse {
+  bool success = 1;
+  string error_message = 2;
+  repeated UserData users = 3;
+}
+
+message GroupListResponse {
+  bool success = 1;
+  string error_message = 2;
+  repeated GroupData groups = 3;
+}
+
+// --- Управление профилем ---
+message CreateUserRequest {
+  string username = 1;
+  string full_name = 2;
+  string password = 3;
+  optional string email = 4; // Сразу при создании можно задать почту
+}
+
+// Запрос на обновление. Используем optional для частичного обновления.
+message UpdateUserRequest {
+  string username = 1; // Обязательное поле: кого обновляем
+  optional string display_name = 2; // Новое ФИО (повлечет Rename CN)
+  optional string email = 3;        // Новая почта
+  optional string description = 4;  // Новое описание
+  optional bytes avatar = 5;        // Новая аватарка (бинарник картинки)
+}
+
+message ChangePasswordRequest {
+  string username = 1;
+  string new_password = 2;
+}
+
+message ToggleStatusRequest {
+  string username = 1;
+  bool set_active = 2; // true - включить (512), false - отключить (514)
+}
+
+// --- Управление членством в группах ---
+message GroupMemberRequest {
+  string username = 1; // Логин пользователя
+  string group_dn = 2; // Полный путь группы (в которую добавляем / из которой удаляем)
+}

proto/sso/rbac.proto

@@ -0,0 +1,48 @@
+syntax = "proto3";
+
+package rbac.v1;
+
+option go_package = "git.lendry.ru/lendry-erp/proto.git/go;pb";
+
+
+
+service RbacService {
+  rpc GetAllPermissions (GetAllPermissionsRequest) returns (GetAllPermissionsResponse);
+  rpc GetAllRoles(GetAllRolesRequest) returns (GetAllRolesResponse);
+}
+
+message GetAllPermissionsRequest {
+    string user_id = 1;
+    string session_id=2;
+}
+
+message GetAllPermissionsResponse {
+    repeated Permission permissions = 1;
+}
+
+message Permission {
+    string id = 1;
+    string code = 2;
+    string description = 3;
+    string module = 4;
+    repeated string roles = 5;
+}
+
+message GetAllRolesRequest {
+    string user_id = 1;
+    string session_id=2;
+}
+
+message GetAllRolesResponse {
+    repeated Roles roles = 1;
+}
+
+message Roles {
+    string id = 1;
+    string name = 2;
+    int32 level = 3;
+    repeated string permissions = 4;
+    repeated string ldap_mapping = 5;
+    repeated string accounts = 6;
+}
+

proto/sso/twofa.proto

@@ -0,0 +1,110 @@
+syntax = "proto3";
+
+package twofa.v1;
+
+option go_package = "git.lendry.ru/lendry-erp/proto.git/go;pb";
+
+service TwoFaService {
+    rpc Verify2Fa (Verify2FaRequest) returns (Verify2FaResponse);
+    rpc GetTwoFaStatus (GetTwoFaStatusRequest) returns (GetTwoFaStatusResponse);
+    rpc StartTotpEnrollment (AuthenticatedAccessRequest) returns (StartTotpEnrollmentResponse);
+    rpc ConfirmTotpErollment (ConfirmTotpEnrollmentRequest) returns (ConfirmTotpEnrollmentResponse);
+    rpc CancelTotpEnrollment (AuthenticatedAccessRequest) returns (CancelTotpEnrollmentResponse);
+    rpc DisableTotp (DisableTotpRequest) returns (DisableTotpResponse);
+    rpc StartTelegramEnrollment (AuthenticatedAccessRequest) returns (StartTelegramEnrollmentResponse);
+    rpc ConfirmTelegramEnrollment (ConfirmTelegramEnrollmentRequest) returns (ConfirmTelegramEnrollmentResponse);
+    rpc DisableTelegram(DisableTelegramRequest) returns (DisableTelegramResponse);
+}
+
+message Verify2FaRequest {
+    string temp_token = 1;
+    optional string totp_code = 2;  
+    optional string telegram_code = 3;
+}
+
+message Verify2FaResponse {
+  string access_token = 1;
+  string status = 3;
+  string message = 4;
+  repeated string reserve_codes = 5;
+}
+
+message AuthenticatedAccessRequest {
+  string access_token = 1;
+}
+
+message GetTwoFaStatusRequest {
+  string access_token = 1;
+}
+
+message GetTwoFaStatusResponse {
+  bool totp_enabled = 1;
+  bool telegram_enabled = 2;
+  bool totp_enrollment_pending = 3;
+  bool telegram_enrollment_pending = 4;
+}
+
+message StartTotpEnrollmentResponse {
+  string secret_base32 = 1;
+  string otpauth_uri = 2;
+  string issuer = 3;
+  string account_label = 4;
+}
+
+message ConfirmTotpEnrollmentRequest {
+  string access_token = 1;
+  string totp_code = 2;
+}
+
+message ConfirmTotpEnrollmentResponse {
+  string status = 1;
+  string message = 2;
+  repeated string reserve_codes = 3;
+}
+
+message CancelTotpEnrollmentResponse {
+  string status = 1;
+  string message = 2;
+}
+
+message DisableTotpRequest {
+  string access_token = 1;
+  string password = 2;
+  optional string totp_code = 3;
+}
+
+message DisableTotpResponse {
+  string status = 1;
+  string message = 2;
+}
+
+message StartTelegramEnrollmentResponse {
+  string enrollment_token = 1;
+  string deep_link = 2;
+  string bot_username = 3;
+  string expires_at_iso = 4;
+}
+
+message ConfirmTelegramEnrollmentRequest {
+  string access_token = 1;
+  string enrollment_token = 2;
+  string otp_code = 3;  
+}
+
+message ConfirmTelegramEnrollmentResponse {
+  string status = 1;
+  string message = 2;
+  repeated string reserve_codes=3;
+}
+
+message DisableTelegramRequest {
+  string access_token = 1;
+  string password = 2;
+  optional string telegram_otp_code = 3;
+}
+
+message DisableTelegramResponse {
+  string status = 1;
+  string message = 2;
+}
+