Documentation ¶
Overview ¶
Package admin contains The Token Server Administrative and Config API.
Services defined here are used by service administrators.
Index ¶
- func FileDescriptorSet() *descriptor.FileDescriptorSet
- func RegisterAdminServer(s prpc.Registrar, srv AdminServer)
- func RegisterCertificateAuthoritiesServer(s prpc.Registrar, srv CertificateAuthoritiesServer)
- type AdminClient
- type AdminServer
- type CRLStatus
- func (*CRLStatus) Descriptor() ([]byte, []int)
- func (m *CRLStatus) GetLastFetchEtag() string
- func (m *CRLStatus) GetLastFetchTime() *timestamp.Timestamp
- func (m *CRLStatus) GetLastUpdateTime() *timestamp.Timestamp
- func (m *CRLStatus) GetRevokedCertsCount() int64
- func (*CRLStatus) ProtoMessage()
- func (m *CRLStatus) Reset()
- func (m *CRLStatus) String() string
- func (m *CRLStatus) XXX_DiscardUnknown()
- func (m *CRLStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *CRLStatus) XXX_Merge(src proto.Message)
- func (m *CRLStatus) XXX_Size() int
- func (m *CRLStatus) XXX_Unmarshal(b []byte) error
- type CertificateAuthoritiesClient
- type CertificateAuthoritiesServer
- type CertificateAuthorityConfig
- func (*CertificateAuthorityConfig) Descriptor() ([]byte, []int)
- func (m *CertificateAuthorityConfig) GetCertPath() string
- func (m *CertificateAuthorityConfig) GetCn() string
- func (m *CertificateAuthorityConfig) GetCrlUrl() string
- func (m *CertificateAuthorityConfig) GetKnownDomains() []*DomainConfig
- func (m *CertificateAuthorityConfig) GetOauthScopes() []string
- func (m *CertificateAuthorityConfig) GetUniqueId() int64
- func (m *CertificateAuthorityConfig) GetUseOauth() bool
- func (*CertificateAuthorityConfig) ProtoMessage()
- func (m *CertificateAuthorityConfig) Reset()
- func (m *CertificateAuthorityConfig) String() string
- func (m *CertificateAuthorityConfig) XXX_DiscardUnknown()
- func (m *CertificateAuthorityConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *CertificateAuthorityConfig) XXX_Merge(src proto.Message)
- func (m *CertificateAuthorityConfig) XXX_Size() int
- func (m *CertificateAuthorityConfig) XXX_Unmarshal(b []byte) error
- type CheckCertificateRequest
- func (*CheckCertificateRequest) Descriptor() ([]byte, []int)
- func (m *CheckCertificateRequest) GetCertPem() string
- func (*CheckCertificateRequest) ProtoMessage()
- func (m *CheckCertificateRequest) Reset()
- func (m *CheckCertificateRequest) String() string
- func (m *CheckCertificateRequest) XXX_DiscardUnknown()
- func (m *CheckCertificateRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *CheckCertificateRequest) XXX_Merge(src proto.Message)
- func (m *CheckCertificateRequest) XXX_Size() int
- func (m *CheckCertificateRequest) XXX_Unmarshal(b []byte) error
- type CheckCertificateResponse
- func (*CheckCertificateResponse) Descriptor() ([]byte, []int)
- func (m *CheckCertificateResponse) GetInvalidReason() string
- func (m *CheckCertificateResponse) GetIsValid() bool
- func (*CheckCertificateResponse) ProtoMessage()
- func (m *CheckCertificateResponse) Reset()
- func (m *CheckCertificateResponse) String() string
- func (m *CheckCertificateResponse) XXX_DiscardUnknown()
- func (m *CheckCertificateResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *CheckCertificateResponse) XXX_Merge(src proto.Message)
- func (m *CheckCertificateResponse) XXX_Size() int
- func (m *CheckCertificateResponse) XXX_Unmarshal(b []byte) error
- type DecoratedAdmin
- func (s *DecoratedAdmin) ImportCAConfigs(c context.Context, req *empty.Empty) (rsp *ImportedConfigs, err error)
- func (s *DecoratedAdmin) ImportDelegationConfigs(c context.Context, req *empty.Empty) (rsp *ImportedConfigs, err error)
- func (s *DecoratedAdmin) ImportServiceAccountsConfigs(c context.Context, req *empty.Empty) (rsp *ImportedConfigs, err error)
- func (s *DecoratedAdmin) InspectDelegationToken(c context.Context, req *InspectDelegationTokenRequest) (rsp *InspectDelegationTokenResponse, err error)
- func (s *DecoratedAdmin) InspectMachineToken(c context.Context, req *InspectMachineTokenRequest) (rsp *InspectMachineTokenResponse, err error)
- func (s *DecoratedAdmin) InspectOAuthTokenGrant(c context.Context, req *InspectOAuthTokenGrantRequest) (rsp *InspectOAuthTokenGrantResponse, err error)
- type DecoratedCertificateAuthorities
- func (s *DecoratedCertificateAuthorities) CheckCertificate(c context.Context, req *CheckCertificateRequest) (rsp *CheckCertificateResponse, err error)
- func (s *DecoratedCertificateAuthorities) FetchCRL(c context.Context, req *FetchCRLRequest) (rsp *FetchCRLResponse, err error)
- func (s *DecoratedCertificateAuthorities) GetCAStatus(c context.Context, req *GetCAStatusRequest) (rsp *GetCAStatusResponse, err error)
- func (s *DecoratedCertificateAuthorities) IsRevokedCert(c context.Context, req *IsRevokedCertRequest) (rsp *IsRevokedCertResponse, err error)
- func (s *DecoratedCertificateAuthorities) ListCAs(c context.Context, req *empty.Empty) (rsp *ListCAsResponse, err error)
- type DelegationPermissions
- func (*DelegationPermissions) Descriptor() ([]byte, []int)
- func (m *DelegationPermissions) GetRules() []*DelegationRule
- func (*DelegationPermissions) ProtoMessage()
- func (m *DelegationPermissions) Reset()
- func (m *DelegationPermissions) String() string
- func (m *DelegationPermissions) XXX_DiscardUnknown()
- func (m *DelegationPermissions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *DelegationPermissions) XXX_Merge(src proto.Message)
- func (m *DelegationPermissions) XXX_Size() int
- func (m *DelegationPermissions) XXX_Unmarshal(b []byte) error
- type DelegationRule
- func (*DelegationRule) Descriptor() ([]byte, []int)
- func (m *DelegationRule) GetAllowedAudience() []string
- func (m *DelegationRule) GetAllowedToImpersonate() []string
- func (m *DelegationRule) GetMaxValidityDuration() int64
- func (m *DelegationRule) GetName() string
- func (m *DelegationRule) GetOwner() []string
- func (m *DelegationRule) GetRequestor() []string
- func (m *DelegationRule) GetTargetService() []string
- func (*DelegationRule) ProtoMessage()
- func (m *DelegationRule) Reset()
- func (m *DelegationRule) String() string
- func (m *DelegationRule) XXX_DiscardUnknown()
- func (m *DelegationRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *DelegationRule) XXX_Merge(src proto.Message)
- func (m *DelegationRule) XXX_Size() int
- func (m *DelegationRule) XXX_Unmarshal(b []byte) error
- type DomainConfig
- func (*DomainConfig) Descriptor() ([]byte, []int)
- func (m *DomainConfig) GetDomain() []string
- func (m *DomainConfig) GetMachineTokenLifetime() int64
- func (*DomainConfig) ProtoMessage()
- func (m *DomainConfig) Reset()
- func (m *DomainConfig) String() string
- func (m *DomainConfig) XXX_DiscardUnknown()
- func (m *DomainConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *DomainConfig) XXX_Merge(src proto.Message)
- func (m *DomainConfig) XXX_Size() int
- func (m *DomainConfig) XXX_Unmarshal(b []byte) error
- type FetchCRLRequest
- func (*FetchCRLRequest) Descriptor() ([]byte, []int)
- func (m *FetchCRLRequest) GetCn() string
- func (m *FetchCRLRequest) GetForce() bool
- func (*FetchCRLRequest) ProtoMessage()
- func (m *FetchCRLRequest) Reset()
- func (m *FetchCRLRequest) String() string
- func (m *FetchCRLRequest) XXX_DiscardUnknown()
- func (m *FetchCRLRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *FetchCRLRequest) XXX_Merge(src proto.Message)
- func (m *FetchCRLRequest) XXX_Size() int
- func (m *FetchCRLRequest) XXX_Unmarshal(b []byte) error
- type FetchCRLResponse
- func (*FetchCRLResponse) Descriptor() ([]byte, []int)
- func (m *FetchCRLResponse) GetCrlStatus() *CRLStatus
- func (*FetchCRLResponse) ProtoMessage()
- func (m *FetchCRLResponse) Reset()
- func (m *FetchCRLResponse) String() string
- func (m *FetchCRLResponse) XXX_DiscardUnknown()
- func (m *FetchCRLResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *FetchCRLResponse) XXX_Merge(src proto.Message)
- func (m *FetchCRLResponse) XXX_Size() int
- func (m *FetchCRLResponse) XXX_Unmarshal(b []byte) error
- type GetCAStatusRequest
- func (*GetCAStatusRequest) Descriptor() ([]byte, []int)
- func (m *GetCAStatusRequest) GetCn() string
- func (*GetCAStatusRequest) ProtoMessage()
- func (m *GetCAStatusRequest) Reset()
- func (m *GetCAStatusRequest) String() string
- func (m *GetCAStatusRequest) XXX_DiscardUnknown()
- func (m *GetCAStatusRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *GetCAStatusRequest) XXX_Merge(src proto.Message)
- func (m *GetCAStatusRequest) XXX_Size() int
- func (m *GetCAStatusRequest) XXX_Unmarshal(b []byte) error
- type GetCAStatusResponse
- func (*GetCAStatusResponse) Descriptor() ([]byte, []int)
- func (m *GetCAStatusResponse) GetAddedRev() string
- func (m *GetCAStatusResponse) GetCert() string
- func (m *GetCAStatusResponse) GetConfig() *CertificateAuthorityConfig
- func (m *GetCAStatusResponse) GetCrlStatus() *CRLStatus
- func (m *GetCAStatusResponse) GetReady() bool
- func (m *GetCAStatusResponse) GetRemoved() bool
- func (m *GetCAStatusResponse) GetRemovedRev() string
- func (m *GetCAStatusResponse) GetUpdatedRev() string
- func (*GetCAStatusResponse) ProtoMessage()
- func (m *GetCAStatusResponse) Reset()
- func (m *GetCAStatusResponse) String() string
- func (m *GetCAStatusResponse) XXX_DiscardUnknown()
- func (m *GetCAStatusResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *GetCAStatusResponse) XXX_Merge(src proto.Message)
- func (m *GetCAStatusResponse) XXX_Size() int
- func (m *GetCAStatusResponse) XXX_Unmarshal(b []byte) error
- type ImportedConfigs
- func (*ImportedConfigs) Descriptor() ([]byte, []int)
- func (m *ImportedConfigs) GetRevision() string
- func (*ImportedConfigs) ProtoMessage()
- func (m *ImportedConfigs) Reset()
- func (m *ImportedConfigs) String() string
- func (m *ImportedConfigs) XXX_DiscardUnknown()
- func (m *ImportedConfigs) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *ImportedConfigs) XXX_Merge(src proto.Message)
- func (m *ImportedConfigs) XXX_Size() int
- func (m *ImportedConfigs) XXX_Unmarshal(b []byte) error
- type InspectDelegationTokenRequest
- func (*InspectDelegationTokenRequest) Descriptor() ([]byte, []int)
- func (m *InspectDelegationTokenRequest) GetToken() string
- func (*InspectDelegationTokenRequest) ProtoMessage()
- func (m *InspectDelegationTokenRequest) Reset()
- func (m *InspectDelegationTokenRequest) String() string
- func (m *InspectDelegationTokenRequest) XXX_DiscardUnknown()
- func (m *InspectDelegationTokenRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *InspectDelegationTokenRequest) XXX_Merge(src proto.Message)
- func (m *InspectDelegationTokenRequest) XXX_Size() int
- func (m *InspectDelegationTokenRequest) XXX_Unmarshal(b []byte) error
- type InspectDelegationTokenResponse
- func (*InspectDelegationTokenResponse) Descriptor() ([]byte, []int)
- func (m *InspectDelegationTokenResponse) GetEnvelope() *messages.DelegationToken
- func (m *InspectDelegationTokenResponse) GetInvalidityReason() string
- func (m *InspectDelegationTokenResponse) GetNonExpired() bool
- func (m *InspectDelegationTokenResponse) GetSigned() bool
- func (m *InspectDelegationTokenResponse) GetSubtoken() *messages.Subtoken
- func (m *InspectDelegationTokenResponse) GetValid() bool
- func (*InspectDelegationTokenResponse) ProtoMessage()
- func (m *InspectDelegationTokenResponse) Reset()
- func (m *InspectDelegationTokenResponse) String() string
- func (m *InspectDelegationTokenResponse) XXX_DiscardUnknown()
- func (m *InspectDelegationTokenResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *InspectDelegationTokenResponse) XXX_Merge(src proto.Message)
- func (m *InspectDelegationTokenResponse) XXX_Size() int
- func (m *InspectDelegationTokenResponse) XXX_Unmarshal(b []byte) error
- type InspectMachineTokenRequest
- func (*InspectMachineTokenRequest) Descriptor() ([]byte, []int)
- func (m *InspectMachineTokenRequest) GetToken() string
- func (m *InspectMachineTokenRequest) GetTokenType() api.MachineTokenType
- func (*InspectMachineTokenRequest) ProtoMessage()
- func (m *InspectMachineTokenRequest) Reset()
- func (m *InspectMachineTokenRequest) String() string
- func (m *InspectMachineTokenRequest) XXX_DiscardUnknown()
- func (m *InspectMachineTokenRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *InspectMachineTokenRequest) XXX_Merge(src proto.Message)
- func (m *InspectMachineTokenRequest) XXX_Size() int
- func (m *InspectMachineTokenRequest) XXX_Unmarshal(b []byte) error
- type InspectMachineTokenResponse
- func (*InspectMachineTokenResponse) Descriptor() ([]byte, []int)
- func (m *InspectMachineTokenResponse) GetCertCaName() string
- func (m *InspectMachineTokenResponse) GetInvalidityReason() string
- func (m *InspectMachineTokenResponse) GetLuciMachineToken() *api.MachineTokenBody
- func (m *InspectMachineTokenResponse) GetNonExpired() bool
- func (m *InspectMachineTokenResponse) GetNonRevoked() bool
- func (m *InspectMachineTokenResponse) GetSigned() bool
- func (m *InspectMachineTokenResponse) GetSigningKeyId() string
- func (m *InspectMachineTokenResponse) GetTokenType() isInspectMachineTokenResponse_TokenType
- func (m *InspectMachineTokenResponse) GetValid() bool
- func (*InspectMachineTokenResponse) ProtoMessage()
- func (m *InspectMachineTokenResponse) Reset()
- func (m *InspectMachineTokenResponse) String() string
- func (m *InspectMachineTokenResponse) XXX_DiscardUnknown()
- func (m *InspectMachineTokenResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *InspectMachineTokenResponse) XXX_Merge(src proto.Message)
- func (*InspectMachineTokenResponse) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, ...)
- func (m *InspectMachineTokenResponse) XXX_Size() int
- func (m *InspectMachineTokenResponse) XXX_Unmarshal(b []byte) error
- type InspectMachineTokenResponse_LuciMachineToken
- type InspectOAuthTokenGrantRequest
- func (*InspectOAuthTokenGrantRequest) Descriptor() ([]byte, []int)
- func (m *InspectOAuthTokenGrantRequest) GetToken() string
- func (*InspectOAuthTokenGrantRequest) ProtoMessage()
- func (m *InspectOAuthTokenGrantRequest) Reset()
- func (m *InspectOAuthTokenGrantRequest) String() string
- func (m *InspectOAuthTokenGrantRequest) XXX_DiscardUnknown()
- func (m *InspectOAuthTokenGrantRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *InspectOAuthTokenGrantRequest) XXX_Merge(src proto.Message)
- func (m *InspectOAuthTokenGrantRequest) XXX_Size() int
- func (m *InspectOAuthTokenGrantRequest) XXX_Unmarshal(b []byte) error
- type InspectOAuthTokenGrantResponse
- func (*InspectOAuthTokenGrantResponse) Descriptor() ([]byte, []int)
- func (m *InspectOAuthTokenGrantResponse) GetAllowedByRules() bool
- func (m *InspectOAuthTokenGrantResponse) GetInvalidityReason() string
- func (m *InspectOAuthTokenGrantResponse) GetMatchingRule() *ServiceAccountRule
- func (m *InspectOAuthTokenGrantResponse) GetNonExpired() bool
- func (m *InspectOAuthTokenGrantResponse) GetSigned() bool
- func (m *InspectOAuthTokenGrantResponse) GetSigningKeyId() string
- func (m *InspectOAuthTokenGrantResponse) GetTokenBody() *api.OAuthTokenGrantBody
- func (m *InspectOAuthTokenGrantResponse) GetValid() bool
- func (*InspectOAuthTokenGrantResponse) ProtoMessage()
- func (m *InspectOAuthTokenGrantResponse) Reset()
- func (m *InspectOAuthTokenGrantResponse) String() string
- func (m *InspectOAuthTokenGrantResponse) XXX_DiscardUnknown()
- func (m *InspectOAuthTokenGrantResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *InspectOAuthTokenGrantResponse) XXX_Merge(src proto.Message)
- func (m *InspectOAuthTokenGrantResponse) XXX_Size() int
- func (m *InspectOAuthTokenGrantResponse) XXX_Unmarshal(b []byte) error
- type IsRevokedCertRequest
- func (*IsRevokedCertRequest) Descriptor() ([]byte, []int)
- func (m *IsRevokedCertRequest) GetCa() string
- func (m *IsRevokedCertRequest) GetSn() string
- func (*IsRevokedCertRequest) ProtoMessage()
- func (m *IsRevokedCertRequest) Reset()
- func (m *IsRevokedCertRequest) String() string
- func (m *IsRevokedCertRequest) XXX_DiscardUnknown()
- func (m *IsRevokedCertRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *IsRevokedCertRequest) XXX_Merge(src proto.Message)
- func (m *IsRevokedCertRequest) XXX_Size() int
- func (m *IsRevokedCertRequest) XXX_Unmarshal(b []byte) error
- type IsRevokedCertResponse
- func (*IsRevokedCertResponse) Descriptor() ([]byte, []int)
- func (m *IsRevokedCertResponse) GetRevoked() bool
- func (*IsRevokedCertResponse) ProtoMessage()
- func (m *IsRevokedCertResponse) Reset()
- func (m *IsRevokedCertResponse) String() string
- func (m *IsRevokedCertResponse) XXX_DiscardUnknown()
- func (m *IsRevokedCertResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *IsRevokedCertResponse) XXX_Merge(src proto.Message)
- func (m *IsRevokedCertResponse) XXX_Size() int
- func (m *IsRevokedCertResponse) XXX_Unmarshal(b []byte) error
- type ListCAsResponse
- func (*ListCAsResponse) Descriptor() ([]byte, []int)
- func (m *ListCAsResponse) GetCn() []string
- func (*ListCAsResponse) ProtoMessage()
- func (m *ListCAsResponse) Reset()
- func (m *ListCAsResponse) String() string
- func (m *ListCAsResponse) XXX_DiscardUnknown()
- func (m *ListCAsResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *ListCAsResponse) XXX_Merge(src proto.Message)
- func (m *ListCAsResponse) XXX_Size() int
- func (m *ListCAsResponse) XXX_Unmarshal(b []byte) error
- type ServiceAccountRule
- func (*ServiceAccountRule) Descriptor() ([]byte, []int)
- func (m *ServiceAccountRule) GetAllowedScope() []string
- func (m *ServiceAccountRule) GetEndUser() []string
- func (m *ServiceAccountRule) GetMaxGrantValidityDuration() int64
- func (m *ServiceAccountRule) GetName() string
- func (m *ServiceAccountRule) GetOwner() []string
- func (m *ServiceAccountRule) GetProxy() []string
- func (m *ServiceAccountRule) GetServiceAccount() []string
- func (m *ServiceAccountRule) GetServiceAccountGroup() []string
- func (m *ServiceAccountRule) GetTrustedProxy() []string
- func (*ServiceAccountRule) ProtoMessage()
- func (m *ServiceAccountRule) Reset()
- func (m *ServiceAccountRule) String() string
- func (m *ServiceAccountRule) XXX_DiscardUnknown()
- func (m *ServiceAccountRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *ServiceAccountRule) XXX_Merge(src proto.Message)
- func (m *ServiceAccountRule) XXX_Size() int
- func (m *ServiceAccountRule) XXX_Unmarshal(b []byte) error
- type ServiceAccountRuleDefaults
- func (*ServiceAccountRuleDefaults) Descriptor() ([]byte, []int)
- func (m *ServiceAccountRuleDefaults) GetAllowedScope() []string
- func (m *ServiceAccountRuleDefaults) GetMaxGrantValidityDuration() int64
- func (*ServiceAccountRuleDefaults) ProtoMessage()
- func (m *ServiceAccountRuleDefaults) Reset()
- func (m *ServiceAccountRuleDefaults) String() string
- func (m *ServiceAccountRuleDefaults) XXX_DiscardUnknown()
- func (m *ServiceAccountRuleDefaults) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *ServiceAccountRuleDefaults) XXX_Merge(src proto.Message)
- func (m *ServiceAccountRuleDefaults) XXX_Size() int
- func (m *ServiceAccountRuleDefaults) XXX_Unmarshal(b []byte) error
- type ServiceAccountsPermissions
- func (*ServiceAccountsPermissions) Descriptor() ([]byte, []int)
- func (m *ServiceAccountsPermissions) GetDefaults() *ServiceAccountRuleDefaults
- func (m *ServiceAccountsPermissions) GetRules() []*ServiceAccountRule
- func (*ServiceAccountsPermissions) ProtoMessage()
- func (m *ServiceAccountsPermissions) Reset()
- func (m *ServiceAccountsPermissions) String() string
- func (m *ServiceAccountsPermissions) XXX_DiscardUnknown()
- func (m *ServiceAccountsPermissions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *ServiceAccountsPermissions) XXX_Merge(src proto.Message)
- func (m *ServiceAccountsPermissions) XXX_Size() int
- func (m *ServiceAccountsPermissions) XXX_Unmarshal(b []byte) error
- type TokenServerConfig
- func (*TokenServerConfig) Descriptor() ([]byte, []int)
- func (m *TokenServerConfig) GetCertificateAuthority() []*CertificateAuthorityConfig
- func (*TokenServerConfig) ProtoMessage()
- func (m *TokenServerConfig) Reset()
- func (m *TokenServerConfig) String() string
- func (m *TokenServerConfig) XXX_DiscardUnknown()
- func (m *TokenServerConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *TokenServerConfig) XXX_Merge(src proto.Message)
- func (m *TokenServerConfig) XXX_Size() int
- func (m *TokenServerConfig) XXX_Unmarshal(b []byte) error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func FileDescriptorSet ¶
func FileDescriptorSet() *descriptor.FileDescriptorSet
FileDescriptorSet returns a descriptor set for this proto package, which includes all defined services, and all transitive dependencies.
Will not return nil.
Do NOT modify the returned descriptor.
func RegisterAdminServer ¶
func RegisterAdminServer(s prpc.Registrar, srv AdminServer)
func RegisterCertificateAuthoritiesServer ¶
func RegisterCertificateAuthoritiesServer(s prpc.Registrar, srv CertificateAuthoritiesServer)
Types ¶
type AdminClient ¶
// AdminClient is the client API for the Admin service: configuration imports
// plus token inspection calls meant for service administrators.
//
// NOTE(review): every Inspect* request carries the complete token string (see
// GetToken on the request types), and that token may still be live. Treat
// these requests as credential-bearing in client-side logs and traces; whether
// the server redacts them is not visible here.
type AdminClient interface {
	// ImportCAConfigs makes the server read 'tokenserver.cfg'.
	//
	// Takes no parameters (empty.Empty) and returns an ImportedConfigs message,
	// which exposes the imported revision through GetRevision.
	ImportCAConfigs(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error)
	// ImportDelegationConfigs makes the server read 'delegation.cfg'.
	//
	// Takes no parameters (empty.Empty) and returns an ImportedConfigs message.
	ImportDelegationConfigs(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error)
	// ImportServiceAccountsConfigs makes the server read 'service_accounts.cfg'.
	//
	// Takes no parameters (empty.Empty) and returns an ImportedConfigs message.
	ImportServiceAccountsConfigs(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error)
	// InspectMachineToken decodes a machine token and verifies it is valid.
	//
	// It verifies the token was signed by a private key of the token server and
	// checks token's expiration time and revocation status.
	//
	// It tries to give as much information about the token and its status as
	// possible (e.g. it checks for revocation status even if token is already
	// expired).
	//
	// The response reports each check through its own getter (GetSigned,
	// GetNonExpired, GetNonRevoked) next to GetValid and GetInvalidityReason.
	//
	// Administrators can use this call to debug issues with tokens.
	//
	// Returns:
	//   InspectMachineTokenResponse for tokens of supported kind.
	//   grpc.InvalidArgument error for unsupported token kind.
	//   grpc.Internal error for transient errors.
	InspectMachineToken(ctx context.Context, in *InspectMachineTokenRequest, opts ...grpc.CallOption) (*InspectMachineTokenResponse, error)
	// InspectDelegationToken decodes a delegation token and verifies it is valid.
	//
	// It verifies the token was signed by a private key of the token server and
	// checks token's expiration time.
	//
	// It tries to give as much information about the token and its status as
	// possible (e.g. attempts to decode the body even if the signing key has been
	// rotated already).
	//
	// NOTE(review): because the body is decoded even when the signing key has
	// been rotated, a populated envelope or subtoken in the response is not by
	// itself evidence of authenticity; check GetSigned and GetValid.
	//
	// Administrators can use this call to debug issues with tokens.
	//
	// Returns:
	//   InspectDelegationTokenResponse for tokens of supported kind.
	//   grpc.InvalidArgument error for unsupported token kind.
	//   grpc.Internal error for transient errors.
	InspectDelegationToken(ctx context.Context, in *InspectDelegationTokenRequest, opts ...grpc.CallOption) (*InspectDelegationTokenResponse, error)
	// InspectOAuthTokenGrant decodes OAuth token grant and verifies it is valid.
	//
	// It verifies the token was signed by a private key of the token server and
	// checks token's expiration time.
	//
	// It tries to give as much information about the token and its status as
	// possible (e.g. attempts to decode the body even if the signing key has been
	// rotated already).
	//
	// NOTE(review): as with delegation tokens, a decoded token body in the
	// response does not imply the signature verified; check GetSigned and
	// GetValid.
	//
	// Administrators can use this call to debug issues with tokens.
	//
	// Returns:
	//   InspectOAuthTokenGrantResponse for tokens of supported kind.
	//   grpc.InvalidArgument error for unsupported token kind.
	//   grpc.Internal error for transient errors.
	InspectOAuthTokenGrant(ctx context.Context, in *InspectOAuthTokenGrantRequest, opts ...grpc.CallOption) (*InspectOAuthTokenGrantResponse, error)
}
AdminClient is the client API for Admin service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
func NewAdminClient ¶
func NewAdminClient(cc *grpc.ClientConn) AdminClient
func NewAdminPRPCClient ¶
func NewAdminPRPCClient(client *prpc.Client) AdminClient
type AdminServer ¶
// AdminServer is the server API for the Admin service: configuration imports
// plus token inspection calls meant for service administrators.
//
// NOTE(review): nothing in this interface expresses who may call it. The
// method docs say the calls are for administrators, so confirm where
// authorization is enforced before an implementation is passed to
// RegisterAdminServer. Inspect* requests carry complete token strings;
// confirm they are not written to request logs.
type AdminServer interface {
	// ImportCAConfigs makes the server read 'tokenserver.cfg'.
	//
	// Takes no parameters (empty.Empty) and returns an ImportedConfigs message,
	// which exposes the imported revision through GetRevision.
	ImportCAConfigs(context.Context, *empty.Empty) (*ImportedConfigs, error)
	// ImportDelegationConfigs makes the server read 'delegation.cfg'.
	//
	// Takes no parameters (empty.Empty) and returns an ImportedConfigs message.
	ImportDelegationConfigs(context.Context, *empty.Empty) (*ImportedConfigs, error)
	// ImportServiceAccountsConfigs makes the server read 'service_accounts.cfg'.
	//
	// Takes no parameters (empty.Empty) and returns an ImportedConfigs message.
	ImportServiceAccountsConfigs(context.Context, *empty.Empty) (*ImportedConfigs, error)
	// InspectMachineToken decodes a machine token and verifies it is valid.
	//
	// It verifies the token was signed by a private key of the token server and
	// checks token's expiration time and revocation status.
	//
	// It tries to give as much information about the token and its status as
	// possible (e.g. it checks for revocation status even if token is already
	// expired).
	//
	// The response reports each check through its own getter (GetSigned,
	// GetNonExpired, GetNonRevoked) next to GetValid and GetInvalidityReason.
	//
	// Administrators can use this call to debug issues with tokens.
	//
	// Returns:
	//   InspectMachineTokenResponse for tokens of supported kind.
	//   grpc.InvalidArgument error for unsupported token kind.
	//   grpc.Internal error for transient errors.
	InspectMachineToken(context.Context, *InspectMachineTokenRequest) (*InspectMachineTokenResponse, error)
	// InspectDelegationToken decodes a delegation token and verifies it is valid.
	//
	// It verifies the token was signed by a private key of the token server and
	// checks token's expiration time.
	//
	// It tries to give as much information about the token and its status as
	// possible (e.g. attempts to decode the body even if the signing key has been
	// rotated already).
	//
	// NOTE(review): because the body is decoded even when the signing key has
	// been rotated, a populated envelope or subtoken in the response is not by
	// itself evidence of authenticity; implementations should make sure Signed
	// and Valid reflect the failed check.
	//
	// Administrators can use this call to debug issues with tokens.
	//
	// Returns:
	//   InspectDelegationTokenResponse for tokens of supported kind.
	//   grpc.InvalidArgument error for unsupported token kind.
	//   grpc.Internal error for transient errors.
	InspectDelegationToken(context.Context, *InspectDelegationTokenRequest) (*InspectDelegationTokenResponse, error)
	// InspectOAuthTokenGrant decodes OAuth token grant and verifies it is valid.
	//
	// It verifies the token was signed by a private key of the token server and
	// checks token's expiration time.
	//
	// It tries to give as much information about the token and its status as
	// possible (e.g. attempts to decode the body even if the signing key has been
	// rotated already).
	//
	// NOTE(review): as with delegation tokens, a decoded token body in the
	// response does not imply the signature verified; Signed and Valid carry
	// that result.
	//
	// Administrators can use this call to debug issues with tokens.
	//
	// Returns:
	//   InspectOAuthTokenGrantResponse for tokens of supported kind.
	//   grpc.InvalidArgument error for unsupported token kind.
	//   grpc.Internal error for transient errors.
	InspectOAuthTokenGrant(context.Context, *InspectOAuthTokenGrantRequest) (*InspectOAuthTokenGrantResponse, error)
}
AdminServer is the server API for Admin service.
type CRLStatus ¶
// CRLStatus describes the latest known state of the imported CRL.
//
// The field numbers in the protobuf tags are the wire contract of this
// generated message; they must not be renumbered by hand.
type CRLStatus struct {
	// NOTE(review): presumably the update timestamp taken from the CRL itself,
	// as opposed to when the server fetched it; confirm against the .proto.
	LastUpdateTime *timestamp.Timestamp `protobuf:"bytes,1,opt,name=last_update_time,json=lastUpdateTime,proto3" json:"last_update_time,omitempty"`
	// NOTE(review): presumably when the server last fetched the CRL. If so, an
	// old value here means revocation answers are based on stale data; confirm.
	LastFetchTime *timestamp.Timestamp `protobuf:"bytes,2,opt,name=last_fetch_time,json=lastFetchTime,proto3" json:"last_fetch_time,omitempty"`
	// NOTE(review): presumably the ETag returned with the last fetched CRL;
	// confirm against the .proto.
	LastFetchEtag string `protobuf:"bytes,3,opt,name=last_fetch_etag,json=lastFetchEtag,proto3" json:"last_fetch_etag,omitempty"`
	// NOTE(review): presumably the number of revoked certificates in the
	// imported CRL; confirm against the .proto.
	RevokedCertsCount int64 `protobuf:"varint,4,opt,name=revoked_certs_count,json=revokedCertsCount,proto3" json:"revoked_certs_count,omitempty"`
	// Protobuf-generated bookkeeping fields; the `json:"-"` tags keep them out
	// of JSON encoding.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
CRLStatus describes the latest known state of the imported CRL.
func (*CRLStatus) Descriptor ¶
func (*CRLStatus) GetLastFetchEtag ¶
func (*CRLStatus) GetLastFetchTime ¶
func (*CRLStatus) GetLastUpdateTime ¶
func (*CRLStatus) GetRevokedCertsCount ¶
func (*CRLStatus) ProtoMessage ¶
func (*CRLStatus) ProtoMessage()
func (*CRLStatus) XXX_DiscardUnknown ¶
func (m *CRLStatus) XXX_DiscardUnknown()
func (*CRLStatus) XXX_Marshal ¶
func (*CRLStatus) XXX_Unmarshal ¶
type CertificateAuthoritiesClient ¶
// CertificateAuthoritiesClient is the client API for the
// CertificateAuthorities service: CRL management and certificate checks
// against the CAs registered with the token server.
type CertificateAuthoritiesClient interface {
	// FetchCRL makes the server fetch a CRL for some CA.
	//
	// The request names the CA (GetCn) and carries a Force flag (GetForce);
	// the response carries the resulting CRLStatus.
	// NOTE(review): what Force bypasses is not shown here; confirm.
	FetchCRL(ctx context.Context, in *FetchCRLRequest, opts ...grpc.CallOption) (*FetchCRLResponse, error)
	// ListCAs returns a list of Common Names of registered CAs.
	ListCAs(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*ListCAsResponse, error)
	// GetCAStatus returns configuration of some CA defined in the config.
	//
	// The response also exposes the CA certificate, its CRLStatus and the
	// Ready/Removed flags (see the GetCAStatusResponse getters).
	GetCAStatus(ctx context.Context, in *GetCAStatusRequest, opts ...grpc.CallOption) (*GetCAStatusResponse, error)
	// IsRevokedCert says whether a certificate serial number is in the CRL.
	//
	// The request identifies the CA (GetCa) and the serial number (GetSn).
	// NOTE(review): presumably answered from the CRL the server last imported,
	// so the answer is only as fresh as that import (see CRLStatus); confirm.
	IsRevokedCert(ctx context.Context, in *IsRevokedCertRequest, opts ...grpc.CallOption) (*IsRevokedCertResponse, error)
	// CheckCertificate says whether a certificate is valid or not.
	//
	// The request carries the certificate as PEM (GetCertPem); the response
	// reports GetIsValid and, for rejected certificates, GetInvalidReason.
	// NOTE(review): which checks make up "valid" (chain, expiry, revocation)
	// is not stated here; confirm before relying on it.
	CheckCertificate(ctx context.Context, in *CheckCertificateRequest, opts ...grpc.CallOption) (*CheckCertificateResponse, error)
}
CertificateAuthoritiesClient is the client API for CertificateAuthorities service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
func NewCertificateAuthoritiesClient ¶
func NewCertificateAuthoritiesClient(cc *grpc.ClientConn) CertificateAuthoritiesClient
func NewCertificateAuthoritiesPRPCClient ¶
func NewCertificateAuthoritiesPRPCClient(client *prpc.Client) CertificateAuthoritiesClient
type CertificateAuthoritiesServer ¶
// CertificateAuthoritiesServer is the server API for the
// CertificateAuthorities service: CRL management and certificate checks
// against the CAs registered with the token server.
//
// NOTE(review): nothing in this interface expresses who may call it; confirm
// where authorization is enforced before an implementation is passed to
// RegisterCertificateAuthoritiesServer. FetchCRL in particular makes the
// server perform a fetch on the caller's request.
type CertificateAuthoritiesServer interface {
	// FetchCRL makes the server fetch a CRL for some CA.
	//
	// The request names the CA (GetCn) and carries a Force flag (GetForce);
	// the response carries the resulting CRLStatus.
	// NOTE(review): what Force bypasses is not shown here; confirm.
	FetchCRL(context.Context, *FetchCRLRequest) (*FetchCRLResponse, error)
	// ListCAs returns a list of Common Names of registered CAs.
	ListCAs(context.Context, *empty.Empty) (*ListCAsResponse, error)
	// GetCAStatus returns configuration of some CA defined in the config.
	//
	// The response also exposes the CA certificate, its CRLStatus and the
	// Ready/Removed flags (see the GetCAStatusResponse getters).
	GetCAStatus(context.Context, *GetCAStatusRequest) (*GetCAStatusResponse, error)
	// IsRevokedCert says whether a certificate serial number is in the CRL.
	//
	// The request identifies the CA (GetCa) and the serial number (GetSn).
	// NOTE(review): presumably answered from the CRL the server last imported,
	// so the answer is only as fresh as that import (see CRLStatus); confirm.
	IsRevokedCert(context.Context, *IsRevokedCertRequest) (*IsRevokedCertResponse, error)
	// CheckCertificate says whether a certificate is valid or not.
	//
	// The request carries the certificate as PEM (GetCertPem); the response
	// reports GetIsValid and, for rejected certificates, GetInvalidReason.
	// NOTE(review): which checks make up "valid" (chain, expiry, revocation)
	// is not stated here; confirm before relying on it.
	CheckCertificate(context.Context, *CheckCertificateRequest) (*CheckCertificateResponse, error)
}
CertificateAuthoritiesServer is the server API for CertificateAuthorities service.
type CertificateAuthorityConfig ¶
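// CertificateAuthorityConfig holds the configuration of one trusted CA.
//
// The declaration was collapsed onto one line, which left the fields without
// separators and commented out everything after the first "//"; the layout is
// restored here with the field tags unchanged.
type CertificateAuthorityConfig struct {
	// NOTE(review): presumably a stable numeric ID for this CA; confirm.
	UniqueId int64 `protobuf:"varint,6,opt,name=unique_id,json=uniqueId,proto3" json:"unique_id,omitempty"`
	// NOTE(review): presumably the CA's Common Name, the value ListCAs returns
	// and FetchCRLRequest/GetCAStatusRequest accept; confirm.
	Cn string `protobuf:"bytes,1,opt,name=cn,proto3" json:"cn,omitempty"`
	// NOTE(review): presumably the path of the CA certificate within the
	// config set; confirm.
	CertPath string `protobuf:"bytes,2,opt,name=cert_path,json=certPath,proto3" json:"cert_path,omitempty"`
	// NOTE(review): presumably the location FetchCRL downloads the CRL from;
	// confirm, and confirm what happens to revocation checks when it is empty.
	CrlUrl string `protobuf:"bytes,3,opt,name=crl_url,json=crlUrl,proto3" json:"crl_url,omitempty"`
	// NOTE(review): UseOauth and OauthScopes presumably control whether the
	// CRL fetch is authenticated and with which scopes; confirm.
	UseOauth    bool     `protobuf:"varint,4,opt,name=use_oauth,json=useOauth,proto3" json:"use_oauth,omitempty"`
	OauthScopes []string `protobuf:"bytes,7,rep,name=oauth_scopes,json=oauthScopes,proto3" json:"oauth_scopes,omitempty"`
	// KnownDomains describes parameters to use for each particular domain.
	KnownDomains []*DomainConfig `protobuf:"bytes,5,rep,name=known_domains,json=knownDomains,proto3" json:"known_domains,omitempty"`
	// Bookkeeping fields of the generated protobuf code; excluded from JSON.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}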
CertificateAuthorityConfig defines a single CA we trust.
Such CA issues certificates for nodes that use The Token Service. Each node has a private key and certificate with Common Name set to the FQDN of this node, e.g. "CN=slave43-c1.c.chromecompute.google.com.internal".
The Token Server uses this CN to derive an identity string for a machine. It splits FQDN into a hostname ("slave43-c1") and a domain name ("c.chromecompute.google.com.internal"), searches for a domain name in "known_domains" set, and, if it is present, uses parameters described there for generating a token that contains machine's FQDN and certificate serial number (among other things, see MachineTokenBody in machine_token.proto).
func (*CertificateAuthorityConfig) Descriptor ¶
func (*CertificateAuthorityConfig) Descriptor() ([]byte, []int)
func (*CertificateAuthorityConfig) GetCertPath ¶
func (m *CertificateAuthorityConfig) GetCertPath() string
func (*CertificateAuthorityConfig) GetCn ¶
func (m *CertificateAuthorityConfig) GetCn() string
func (*CertificateAuthorityConfig) GetCrlUrl ¶
func (m *CertificateAuthorityConfig) GetCrlUrl() string
func (*CertificateAuthorityConfig) GetKnownDomains ¶
func (m *CertificateAuthorityConfig) GetKnownDomains() []*DomainConfig
func (*CertificateAuthorityConfig) GetOauthScopes ¶
func (m *CertificateAuthorityConfig) GetOauthScopes() []string
func (*CertificateAuthorityConfig) GetUniqueId ¶
func (m *CertificateAuthorityConfig) GetUniqueId() int64
func (*CertificateAuthorityConfig) GetUseOauth ¶
func (m *CertificateAuthorityConfig) GetUseOauth() bool
func (*CertificateAuthorityConfig) ProtoMessage ¶
func (*CertificateAuthorityConfig) ProtoMessage()
func (*CertificateAuthorityConfig) Reset ¶
func (m *CertificateAuthorityConfig) Reset()
func (*CertificateAuthorityConfig) String ¶
func (m *CertificateAuthorityConfig) String() string
func (*CertificateAuthorityConfig) XXX_DiscardUnknown ¶
func (m *CertificateAuthorityConfig) XXX_DiscardUnknown()
func (*CertificateAuthorityConfig) XXX_Marshal ¶
func (m *CertificateAuthorityConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*CertificateAuthorityConfig) XXX_Merge ¶
func (m *CertificateAuthorityConfig) XXX_Merge(src proto.Message)
func (*CertificateAuthorityConfig) XXX_Size ¶
func (m *CertificateAuthorityConfig) XXX_Size() int
func (*CertificateAuthorityConfig) XXX_Unmarshal ¶
func (m *CertificateAuthorityConfig) XXX_Unmarshal(b []byte) error
type CheckCertificateRequest ¶
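// CheckCertificateRequest is the input of the CheckCertificate RPC.
//
// The declaration was collapsed onto one line with no separators between
// fields; the layout is restored here with the field tags unchanged.
type CheckCertificateRequest struct {
	// CertPem is the PEM-encoded certificate to check. It is caller-supplied
	// text, so the server has to parse it as untrusted input.
	CertPem string `protobuf:"bytes,1,opt,name=cert_pem,json=certPem,proto3" json:"cert_pem,omitempty"`
	// Bookkeeping fields of the generated protobuf code; excluded from JSON.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}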
CheckCertificateRequest contains a pem encoded certificate to check.
func (*CheckCertificateRequest) Descriptor ¶
func (*CheckCertificateRequest) Descriptor() ([]byte, []int)
func (*CheckCertificateRequest) GetCertPem ¶
func (m *CheckCertificateRequest) GetCertPem() string
func (*CheckCertificateRequest) ProtoMessage ¶
func (*CheckCertificateRequest) ProtoMessage()
func (*CheckCertificateRequest) Reset ¶
func (m *CheckCertificateRequest) Reset()
func (*CheckCertificateRequest) String ¶
func (m *CheckCertificateRequest) String() string
func (*CheckCertificateRequest) XXX_DiscardUnknown ¶
func (m *CheckCertificateRequest) XXX_DiscardUnknown()
func (*CheckCertificateRequest) XXX_Marshal ¶
func (m *CheckCertificateRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*CheckCertificateRequest) XXX_Merge ¶
func (m *CheckCertificateRequest) XXX_Merge(src proto.Message)
func (*CheckCertificateRequest) XXX_Size ¶
func (m *CheckCertificateRequest) XXX_Size() int
func (*CheckCertificateRequest) XXX_Unmarshal ¶
func (m *CheckCertificateRequest) XXX_Unmarshal(b []byte) error
type CheckCertificateResponse ¶
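// CheckCertificateResponse is the output of the CheckCertificate RPC.
//
// The declaration was collapsed onto one line with no separators between
// fields; the layout is restored here with the field tags unchanged.
type CheckCertificateResponse struct {
	// IsValid is false in the zero value, so a response that was never
	// filled in reads as "not valid".
	IsValid bool `protobuf:"varint,1,opt,name=is_valid,json=isValid,proto3" json:"is_valid,omitempty"`
	// NOTE(review): presumably a human-readable explanation, set only when
	// IsValid is false; confirm.
	InvalidReason string `protobuf:"bytes,2,opt,name=invalid_reason,json=invalidReason,proto3" json:"invalid_reason,omitempty"`
	// Bookkeeping fields of the generated protobuf code; excluded from JSON.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}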
CheckCertificateResponse is returned by CheckCertificate.
func (*CheckCertificateResponse) Descriptor ¶
func (*CheckCertificateResponse) Descriptor() ([]byte, []int)
func (*CheckCertificateResponse) GetInvalidReason ¶
func (m *CheckCertificateResponse) GetInvalidReason() string
func (*CheckCertificateResponse) GetIsValid ¶
func (m *CheckCertificateResponse) GetIsValid() bool
func (*CheckCertificateResponse) ProtoMessage ¶
func (*CheckCertificateResponse) ProtoMessage()
func (*CheckCertificateResponse) Reset ¶
func (m *CheckCertificateResponse) Reset()
func (*CheckCertificateResponse) String ¶
func (m *CheckCertificateResponse) String() string
func (*CheckCertificateResponse) XXX_DiscardUnknown ¶
func (m *CheckCertificateResponse) XXX_DiscardUnknown()
func (*CheckCertificateResponse) XXX_Marshal ¶
func (m *CheckCertificateResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*CheckCertificateResponse) XXX_Merge ¶
func (m *CheckCertificateResponse) XXX_Merge(src proto.Message)
func (*CheckCertificateResponse) XXX_Size ¶
func (m *CheckCertificateResponse) XXX_Size() int
func (*CheckCertificateResponse) XXX_Unmarshal ¶
func (m *CheckCertificateResponse) XXX_Unmarshal(b []byte) error
type DecoratedAdmin ¶
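// DecoratedAdmin wraps an AdminServer with optional per-call hooks.
//
// The declaration was collapsed onto one line, so the first "//" comment
// swallowed every field after it; the layout is restored here.
type DecoratedAdmin struct {
	// Service is the service to decorate.
	Service AdminServer
	// Prelude is called for each method before forwarding the call to Service.
	// If Prelude returns an error, then the call is skipped and the error is
	// processed via the Postlude (if one is defined), or it is returned directly.
	//
	// Returning an error here is the only way shown in this type to stop a
	// call before it reaches Service.
	Prelude func(c context.Context, methodName string, req proto.Message) (context.Context, error)
	// Postlude is called for each method after Service has processed the call, or
	// after the Prelude has returned an error. This takes the Service's
	// response proto (which may be nil) and/or any error. The decorated
	// service will return the response (possibly mutated) and error that Postlude
	// returns.
	//
	// Because the caller sees Postlude's return value, a Postlude that
	// returns nil for an error it received from Prelude hides that rejection
	// from the caller; pass err through unless suppressing it is intended.
	Postlude func(c context.Context, methodName string, rsp proto.Message, err error) error
}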
func (*DecoratedAdmin) ImportCAConfigs ¶
func (s *DecoratedAdmin) ImportCAConfigs(c context.Context, req *empty.Empty) (rsp *ImportedConfigs, err error)
func (*DecoratedAdmin) ImportDelegationConfigs ¶
func (s *DecoratedAdmin) ImportDelegationConfigs(c context.Context, req *empty.Empty) (rsp *ImportedConfigs, err error)
func (*DecoratedAdmin) ImportServiceAccountsConfigs ¶
func (s *DecoratedAdmin) ImportServiceAccountsConfigs(c context.Context, req *empty.Empty) (rsp *ImportedConfigs, err error)
func (*DecoratedAdmin) InspectDelegationToken ¶
func (s *DecoratedAdmin) InspectDelegationToken(c context.Context, req *InspectDelegationTokenRequest) (rsp *InspectDelegationTokenResponse, err error)
func (*DecoratedAdmin) InspectMachineToken ¶
func (s *DecoratedAdmin) InspectMachineToken(c context.Context, req *InspectMachineTokenRequest) (rsp *InspectMachineTokenResponse, err error)
func (*DecoratedAdmin) InspectOAuthTokenGrant ¶
func (s *DecoratedAdmin) InspectOAuthTokenGrant(c context.Context, req *InspectOAuthTokenGrantRequest) (rsp *InspectOAuthTokenGrantResponse, err error)
type DecoratedCertificateAuthorities ¶
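// DecoratedCertificateAuthorities wraps a CertificateAuthoritiesServer with
// optional per-call hooks.
//
// The declaration was collapsed onto one line, so the first "//" comment
// swallowed every field after it; the layout is restored here.
type DecoratedCertificateAuthorities struct {
	// Service is the service to decorate.
	Service CertificateAuthoritiesServer
	// Prelude is called for each method before forwarding the call to Service.
	// If Prelude returns an error, then the call is skipped and the error is
	// processed via the Postlude (if one is defined), or it is returned directly.
	//
	// Returning an error here is the only way shown in this type to stop a
	// call before it reaches Service.
	Prelude func(c context.Context, methodName string, req proto.Message) (context.Context, error)
	// Postlude is called for each method after Service has processed the call, or
	// after the Prelude has returned an error. This takes the Service's
	// response proto (which may be nil) and/or any error. The decorated
	// service will return the response (possibly mutated) and error that Postlude
	// returns.
	//
	// Because the caller sees Postlude's return value, a Postlude that
	// returns nil for an error it received from Prelude hides that rejection
	// from the caller; pass err through unless suppressing it is intended.
	Postlude func(c context.Context, methodName string, rsp proto.Message, err error) error
}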
func (*DecoratedCertificateAuthorities) CheckCertificate ¶
func (s *DecoratedCertificateAuthorities) CheckCertificate(c context.Context, req *CheckCertificateRequest) (rsp *CheckCertificateResponse, err error)
func (*DecoratedCertificateAuthorities) FetchCRL ¶
func (s *DecoratedCertificateAuthorities) FetchCRL(c context.Context, req *FetchCRLRequest) (rsp *FetchCRLResponse, err error)
func (*DecoratedCertificateAuthorities) GetCAStatus ¶
func (s *DecoratedCertificateAuthorities) GetCAStatus(c context.Context, req *GetCAStatusRequest) (rsp *GetCAStatusResponse, err error)
func (*DecoratedCertificateAuthorities) IsRevokedCert ¶
func (s *DecoratedCertificateAuthorities) IsRevokedCert(c context.Context, req *IsRevokedCertRequest) (rsp *IsRevokedCertResponse, err error)
func (*DecoratedCertificateAuthorities) ListCAs ¶
func (s *DecoratedCertificateAuthorities) ListCAs(c context.Context, req *empty.Empty) (rsp *ListCAsResponse, err error)
type DelegationPermissions ¶
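// DelegationPermissions is the set of rules governing MintDelegationToken.
//
// The declaration was collapsed onto one line, so the first "//" comment
// swallowed every field after it; the layout is restored here with the field
// tags unchanged.
type DelegationPermissions struct {
	// Rules specify what calls to MintDelegationToken are allowed.
	//
	// Rules are evaluated independently. One and only one rule should match the
	// request to allow the operation. If no rule or more than one rule matches,
	// the request will be denied.
	//
	// Consequently an empty rule list denies every request, and two
	// overlapping rules deny the requests they both match.
	//
	// See DelegationRule comments for more details.
	Rules []*DelegationRule `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
	// Bookkeeping fields of the generated protobuf code; excluded from JSON.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}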
DelegationPermissions is read from delegation.cfg in luci-config.
func (*DelegationPermissions) Descriptor ¶
func (*DelegationPermissions) Descriptor() ([]byte, []int)
func (*DelegationPermissions) GetRules ¶
func (m *DelegationPermissions) GetRules() []*DelegationRule
func (*DelegationPermissions) ProtoMessage ¶
func (*DelegationPermissions) ProtoMessage()
func (*DelegationPermissions) Reset ¶
func (m *DelegationPermissions) Reset()
func (*DelegationPermissions) String ¶
func (m *DelegationPermissions) String() string
func (*DelegationPermissions) XXX_DiscardUnknown ¶
func (m *DelegationPermissions) XXX_DiscardUnknown()
func (*DelegationPermissions) XXX_Marshal ¶
func (m *DelegationPermissions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*DelegationPermissions) XXX_Merge ¶
func (m *DelegationPermissions) XXX_Merge(src proto.Message)
func (*DelegationPermissions) XXX_Size ¶
func (m *DelegationPermissions) XXX_Size() int
func (*DelegationPermissions) XXX_Unmarshal ¶
func (m *DelegationPermissions) XXX_Unmarshal(b []byte) error
type DelegationRule ¶
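// DelegationRule is one allow-rule for minting delegation tokens.
//
// The declaration was collapsed onto two lines, so the first "//" comment
// swallowed every field after it; the layout is restored here with the field
// tags unchanged.
type DelegationRule struct {
	// A descriptive name of this rule, for the audit log.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Email of developers that own this rule, to know who to contact.
	Owner []string `protobuf:"bytes,2,rep,name=owner,proto3" json:"owner,omitempty"`
	// A set of callers to which this rule applies.
	//
	// Matched against verified credentials of a caller of MintDelegationToken.
	//
	// Each element is either:
	//  * An identity string ("user:<email>").
	//  * A group reference ("group:<name>").
	//
	// The groups specified here are expanded when MintDelegationTokenRequest is
	// evaluated.
	Requestor []string `protobuf:"bytes,3,rep,name=requestor,proto3" json:"requestor,omitempty"`
	// Identities that are allowed to be delegated/impersonated by the requestor.
	//
	// Matched against 'delegated_identity' field of MintDelegationTokenRequest.
	//
	// Each element is either:
	//  * An identity string ("user:<email>").
	//  * A group reference ("group:<name>").
	//  * A special identifier "REQUESTOR" that is substituted by the requestor
	//    identity when evaluating the rule.
	//
	// "REQUESTOR" allows one to generate tokens that delegate their own identity
	// to some target audience.
	//
	// The groups specified here are expanded when MintDelegationTokenRequest is
	// evaluated.
	//
	// Anything other than "REQUESTOR" lets the requestor act as another
	// identity, so keep this set as narrow as the use case allows.
	AllowedToImpersonate []string `protobuf:"bytes,4,rep,name=allowed_to_impersonate,json=allowedToImpersonate,proto3" json:"allowed_to_impersonate,omitempty"`
	// A set of identities that should be able to use the new token.
	//
	// Matched against 'audience' field of MintDelegationTokenRequest.
	//
	// Each element is either:
	//  * An identity string ("user:<email>").
	//  * A group reference ("group:<name>").
	//  * A special identifier "REQUESTOR" that is substituted by the requestor
	//    identity when evaluating the rule.
	//  * A special token "*" that means "any bearer can use the new token,
	//    including anonymous".
	//
	// "REQUESTOR" is typically used here for rules that allow requestors to
	// impersonate someone else. The corresponding tokens have the requestor as
	// the only allowed audience.
	//
	// The groups specified here are NOT expanded when MintDelegationTokenRequest
	// is evaluated. To match the rule, MintDelegationTokenRequest must specify
	// subset of 'allowed_audience' groups explicitly in 'audience' field.
	//
	// With "*" the minted token is a pure bearer credential: whoever holds it
	// can use it. Pair "*" with a narrow TargetService and a short
	// MaxValidityDuration.
	AllowedAudience []string `protobuf:"bytes,5,rep,name=allowed_audience,json=allowedAudience,proto3" json:"allowed_audience,omitempty"`
	// A set of services that should be able to accept the new token.
	//
	// Matched against 'services' field of MintDelegationTokenRequest.
	//
	// Each element is either:
	//  * A service identity string ("service:<id>").
	//  * A special token "*" that means "any LUCI service should accept the
	//    token".
	TargetService []string `protobuf:"bytes,6,rep,name=target_service,json=targetService,proto3" json:"target_service,omitempty"`
	// Maximum allowed validity duration (sec) of minted delegation tokens.
	//
	// Default is 12 hours.
	//
	// NOTE(review): the default presumably applies when this field is left
	// at 0; confirm.
	MaxValidityDuration int64 `protobuf:"varint,7,opt,name=max_validity_duration,json=maxValidityDuration,proto3" json:"max_validity_duration,omitempty"`
	// Bookkeeping fields of the generated protobuf code; excluded from JSON.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}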
DelegationRule describes a single allowed case of using delegation tokens.
An incoming MintDelegationTokenRequest is basically a tuple of:
- 'requestor_id' - an identity of whoever makes the request.
- 'delegated_identity' - an identity to delegate.
- 'audience' - a set of identities that will be able to use the token.
- 'services' - a set of services that should accept the token.
A request matches a rule iff:
- 'requestor_id' is in 'requestor' set.
- 'delegated_identity' is in 'allowed_to_impersonate' set.
- 'audience' is a subset of 'allowed_audience' set.
- 'services' is a subset of 'target_service' set.
The presence of a matching rule permits minting the token. The rule also provides an upper bound on the allowed validity_duration, and the rule's name is logged in the audit trail.
func (*DelegationRule) Descriptor ¶
func (*DelegationRule) Descriptor() ([]byte, []int)
func (*DelegationRule) GetAllowedAudience ¶
func (m *DelegationRule) GetAllowedAudience() []string
func (*DelegationRule) GetAllowedToImpersonate ¶
func (m *DelegationRule) GetAllowedToImpersonate() []string
func (*DelegationRule) GetMaxValidityDuration ¶
func (m *DelegationRule) GetMaxValidityDuration() int64
func (*DelegationRule) GetName ¶
func (m *DelegationRule) GetName() string
func (*DelegationRule) GetOwner ¶
func (m *DelegationRule) GetOwner() []string
func (*DelegationRule) GetRequestor ¶
func (m *DelegationRule) GetRequestor() []string
func (*DelegationRule) GetTargetService ¶
func (m *DelegationRule) GetTargetService() []string
func (*DelegationRule) ProtoMessage ¶
func (*DelegationRule) ProtoMessage()
func (*DelegationRule) Reset ¶
func (m *DelegationRule) Reset()
func (*DelegationRule) String ¶
func (m *DelegationRule) String() string
func (*DelegationRule) XXX_DiscardUnknown ¶
func (m *DelegationRule) XXX_DiscardUnknown()
func (*DelegationRule) XXX_Marshal ¶
func (m *DelegationRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*DelegationRule) XXX_Merge ¶
func (m *DelegationRule) XXX_Merge(src proto.Message)
func (*DelegationRule) XXX_Size ¶
func (m *DelegationRule) XXX_Size() int
func (*DelegationRule) XXX_Unmarshal ¶
func (m *DelegationRule) XXX_Unmarshal(b []byte) error
type DomainConfig ¶
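// DomainConfig holds the machine-token parameters for a set of domains.
//
// The declaration was collapsed onto one line, so the first "//" comment
// swallowed every field after it; the layout is restored here with the field
// tags unchanged.
type DomainConfig struct {
	// Domain is domain names of hosts this config applies to.
	//
	// Machines that reside in a subdomain of given domain are also considered
	// part of it, e.g. both FQDNs "host.example.com" and "host.abc.example.com"
	// match domain "example.com".
	//
	// Because subdomains match too, an entry covers every name below it;
	// list the most specific domain the CA is meant to serve.
	Domain []string `protobuf:"bytes,1,rep,name=domain,proto3" json:"domain,omitempty"`
	// MachineTokenLifetime is how long generated machine tokens live, in seconds.
	//
	// If 0, machine tokens are not allowed. The zero value therefore denies
	// token generation until a lifetime is set explicitly.
	MachineTokenLifetime int64 `protobuf:"varint,5,opt,name=machine_token_lifetime,json=machineTokenLifetime,proto3" json:"machine_token_lifetime,omitempty"`
	// Bookkeeping fields of the generated protobuf code; excluded from JSON.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}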
DomainConfig is used inside CertificateAuthorityConfig.
func (*DomainConfig) Descriptor ¶
func (*DomainConfig) Descriptor() ([]byte, []int)
func (*DomainConfig) GetDomain ¶
func (m *DomainConfig) GetDomain() []string
func (*DomainConfig) GetMachineTokenLifetime ¶
func (m *DomainConfig) GetMachineTokenLifetime() int64
func (*DomainConfig) ProtoMessage ¶
func (*DomainConfig) ProtoMessage()
func (*DomainConfig) Reset ¶
func (m *DomainConfig) Reset()
func (*DomainConfig) String ¶
func (m *DomainConfig) String() string
func (*DomainConfig) XXX_DiscardUnknown ¶
func (m *DomainConfig) XXX_DiscardUnknown()
func (*DomainConfig) XXX_Marshal ¶
func (m *DomainConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*DomainConfig) XXX_Merge ¶
func (m *DomainConfig) XXX_Merge(src proto.Message)
func (*DomainConfig) XXX_Size ¶
func (m *DomainConfig) XXX_Size() int
func (*DomainConfig) XXX_Unmarshal ¶
func (m *DomainConfig) XXX_Unmarshal(b []byte) error
type FetchCRLRequest ¶
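// FetchCRLRequest is the input of the FetchCRL RPC.
//
// The declaration was collapsed onto one line with no separators between
// fields; the layout is restored here with the field tags unchanged.
type FetchCRLRequest struct {
	// Cn names the CA to fetch the CRL for.
	// NOTE(review): presumably the CA's Common Name as returned by ListCAs;
	// confirm.
	Cn string `protobuf:"bytes,1,opt,name=cn,proto3" json:"cn,omitempty"`
	// NOTE(review): presumably forces a refetch even when the server thinks
	// its copy is current (CRLStatus records a last-fetch ETag); confirm.
	Force bool `protobuf:"varint,2,opt,name=force,proto3" json:"force,omitempty"`
	// Bookkeeping fields of the generated protobuf code; excluded from JSON.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}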
FetchCRLRequest identifies the name of the CA to fetch a CRL for.
func (*FetchCRLRequest) Descriptor ¶
func (*FetchCRLRequest) Descriptor() ([]byte, []int)
func (*FetchCRLRequest) GetCn ¶
func (m *FetchCRLRequest) GetCn() string
func (*FetchCRLRequest) GetForce ¶
func (m *FetchCRLRequest) GetForce() bool
func (*FetchCRLRequest) ProtoMessage ¶
func (*FetchCRLRequest) ProtoMessage()
func (*FetchCRLRequest) Reset ¶
func (m *FetchCRLRequest) Reset()
func (*FetchCRLRequest) String ¶
func (m *FetchCRLRequest) String() string
func (*FetchCRLRequest) XXX_DiscardUnknown ¶
func (m *FetchCRLRequest) XXX_DiscardUnknown()
func (*FetchCRLRequest) XXX_Marshal ¶
func (m *FetchCRLRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*FetchCRLRequest) XXX_Merge ¶
func (m *FetchCRLRequest) XXX_Merge(src proto.Message)
func (*FetchCRLRequest) XXX_Size ¶
func (m *FetchCRLRequest) XXX_Size() int
func (*FetchCRLRequest) XXX_Unmarshal ¶
func (m *FetchCRLRequest) XXX_Unmarshal(b []byte) error
type FetchCRLResponse ¶
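// FetchCRLResponse is the output of the FetchCRL RPC.
//
// The declaration was collapsed onto one line with no separators between
// fields; the layout is restored here with the field tags unchanged.
type FetchCRLResponse struct {
	// NOTE(review): presumably the state of the CA's CRL after the fetch
	// (CRLStatus exposes fetch/update times, ETag and revoked-cert count);
	// confirm.
	CrlStatus *CRLStatus `protobuf:"bytes,1,opt,name=crl_status,json=crlStatus,proto3" json:"crl_status,omitempty"`
	// Bookkeeping fields of the generated protobuf code; excluded from JSON.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}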
FetchCRLResponse is returned by FetchCRL.
func (*FetchCRLResponse) Descriptor ¶
func (*FetchCRLResponse) Descriptor() ([]byte, []int)
func (*FetchCRLResponse) GetCrlStatus ¶
func (m *FetchCRLResponse) GetCrlStatus() *CRLStatus
func (*FetchCRLResponse) ProtoMessage ¶
func (*FetchCRLResponse) ProtoMessage()
func (*FetchCRLResponse) Reset ¶
func (m *FetchCRLResponse) Reset()
func (*FetchCRLResponse) String ¶
func (m *FetchCRLResponse) String() string
func (*FetchCRLResponse) XXX_DiscardUnknown ¶
func (m *FetchCRLResponse) XXX_DiscardUnknown()
func (*FetchCRLResponse) XXX_Marshal ¶
func (m *FetchCRLResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*FetchCRLResponse) XXX_Merge ¶
func (m *FetchCRLResponse) XXX_Merge(src proto.Message)
func (*FetchCRLResponse) XXX_Size ¶
func (m *FetchCRLResponse) XXX_Size() int
func (*FetchCRLResponse) XXX_Unmarshal ¶
func (m *FetchCRLResponse) XXX_Unmarshal(b []byte) error
type GetCAStatusRequest ¶
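// GetCAStatusRequest is the input of the GetCAStatus RPC.
//
// The declaration was collapsed onto one line with no separators between
// fields; the layout is restored here with the field tags unchanged.
type GetCAStatusRequest struct {
	// Cn names the CA to look up.
	// NOTE(review): presumably the CA's Common Name as returned by ListCAs;
	// confirm.
	Cn string `protobuf:"bytes,1,opt,name=cn,proto3" json:"cn,omitempty"`
	// Bookkeeping fields of the generated protobuf code; excluded from JSON.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}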
GetCAStatusRequest identifies the name of the CA to fetch.
func (*GetCAStatusRequest) Descriptor ¶
func (*GetCAStatusRequest) Descriptor() ([]byte, []int)
func (*GetCAStatusRequest) GetCn ¶
func (m *GetCAStatusRequest) GetCn() string
func (*GetCAStatusRequest) ProtoMessage ¶
func (*GetCAStatusRequest) ProtoMessage()
func (*GetCAStatusRequest) Reset ¶
func (m *GetCAStatusRequest) Reset()
func (*GetCAStatusRequest) String ¶
func (m *GetCAStatusRequest) String() string
func (*GetCAStatusRequest) XXX_DiscardUnknown ¶
func (m *GetCAStatusRequest) XXX_DiscardUnknown()
func (*GetCAStatusRequest) XXX_Marshal ¶
func (m *GetCAStatusRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*GetCAStatusRequest) XXX_Merge ¶
func (m *GetCAStatusRequest) XXX_Merge(src proto.Message)
func (*GetCAStatusRequest) XXX_Size ¶
func (m *GetCAStatusRequest) XXX_Size() int
func (*GetCAStatusRequest) XXX_Unmarshal ¶
func (m *GetCAStatusRequest) XXX_Unmarshal(b []byte) error
type GetCAStatusResponse ¶
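// GetCAStatusResponse is the output of the GetCAStatus RPC.
//
// The declaration was collapsed onto one line with no separators between
// fields; the layout is restored here with the field tags unchanged.
//
// NOTE(review): the field meanings below are inferred from names only; the
// page gives no per-field documentation. Confirm against the .proto file.
type GetCAStatusResponse struct {
	// Presumably the CA's configuration as stored by the server.
	Config *CertificateAuthorityConfig `protobuf:"bytes,1,opt,name=config,proto3" json:"config,omitempty"`
	// Presumably the CA certificate; encoding not shown here.
	Cert string `protobuf:"bytes,2,opt,name=cert,proto3" json:"cert,omitempty"`
	// Presumably true once the CA has been dropped from the config. A caller
	// deciding whether to trust a CA should look at this and at Ready rather
	// than at the mere presence of Config.
	Removed bool `protobuf:"varint,3,opt,name=removed,proto3" json:"removed,omitempty"`
	// Presumably true when the CA can be used for checks (e.g. its CRL has
	// been fetched).
	Ready bool `protobuf:"varint,4,opt,name=ready,proto3" json:"ready,omitempty"`
	// Presumably the config revisions at which the CA was added, last updated
	// and removed.
	AddedRev   string `protobuf:"bytes,5,opt,name=added_rev,json=addedRev,proto3" json:"added_rev,omitempty"`
	UpdatedRev string `protobuf:"bytes,6,opt,name=updated_rev,json=updatedRev,proto3" json:"updated_rev,omitempty"`
	RemovedRev string `protobuf:"bytes,7,opt,name=removed_rev,json=removedRev,proto3" json:"removed_rev,omitempty"`
	// Presumably the state of the CA's CRL as last fetched.
	CrlStatus *CRLStatus `protobuf:"bytes,8,opt,name=crl_status,json=crlStatus,proto3" json:"crl_status,omitempty"`
	// Bookkeeping fields of the generated protobuf code; excluded from JSON.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}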
GetCAStatusResponse is returned by GetCAStatus method.
If requested CA doesn't exist, all fields are empty.
func (*GetCAStatusResponse) Descriptor ¶
func (*GetCAStatusResponse) Descriptor() ([]byte, []int)
func (*GetCAStatusResponse) GetAddedRev ¶
func (m *GetCAStatusResponse) GetAddedRev() string
func (*GetCAStatusResponse) GetCert ¶
func (m *GetCAStatusResponse) GetCert() string
func (*GetCAStatusResponse) GetConfig ¶
func (m *GetCAStatusResponse) GetConfig() *CertificateAuthorityConfig
func (*GetCAStatusResponse) GetCrlStatus ¶
func (m *GetCAStatusResponse) GetCrlStatus() *CRLStatus
func (*GetCAStatusResponse) GetReady ¶
func (m *GetCAStatusResponse) GetReady() bool
func (*GetCAStatusResponse) GetRemoved ¶
func (m *GetCAStatusResponse) GetRemoved() bool
func (*GetCAStatusResponse) GetRemovedRev ¶
func (m *GetCAStatusResponse) GetRemovedRev() string
func (*GetCAStatusResponse) GetUpdatedRev ¶
func (m *GetCAStatusResponse) GetUpdatedRev() string
func (*GetCAStatusResponse) ProtoMessage ¶
func (*GetCAStatusResponse) ProtoMessage()
func (*GetCAStatusResponse) Reset ¶
func (m *GetCAStatusResponse) Reset()
func (*GetCAStatusResponse) String ¶
func (m *GetCAStatusResponse) String() string
func (*GetCAStatusResponse) XXX_DiscardUnknown ¶
func (m *GetCAStatusResponse) XXX_DiscardUnknown()
func (*GetCAStatusResponse) XXX_Marshal ¶
func (m *GetCAStatusResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*GetCAStatusResponse) XXX_Merge ¶
func (m *GetCAStatusResponse) XXX_Merge(src proto.Message)
func (*GetCAStatusResponse) XXX_Size ¶
func (m *GetCAStatusResponse) XXX_Size() int
func (*GetCAStatusResponse) XXX_Unmarshal ¶
func (m *GetCAStatusResponse) XXX_Unmarshal(b []byte) error
type ImportedConfigs ¶
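// ImportedConfigs reports which config revision is stored after an import.
//
// The declaration was collapsed onto one line, so the first "//" comment
// swallowed every field after it; the layout is restored here with the field
// tags unchanged.
type ImportedConfigs struct {
	// The revision of the configs that are now in the datastore.
	//
	// It's either the imported revision, if configs change, or a previously known
	// revision, if configs at HEAD are same.
	Revision string `protobuf:"bytes,1,opt,name=revision,proto3" json:"revision,omitempty"`
	// Bookkeeping fields of the generated protobuf code; excluded from JSON.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}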
ImportedConfigs is returned by Import<something>Configs methods on success.
func (*ImportedConfigs) Descriptor ¶
func (*ImportedConfigs) Descriptor() ([]byte, []int)
func (*ImportedConfigs) GetRevision ¶
func (m *ImportedConfigs) GetRevision() string
func (*ImportedConfigs) ProtoMessage ¶
func (*ImportedConfigs) ProtoMessage()
func (*ImportedConfigs) Reset ¶
func (m *ImportedConfigs) Reset()
func (*ImportedConfigs) String ¶
func (m *ImportedConfigs) String() string
func (*ImportedConfigs) XXX_DiscardUnknown ¶
func (m *ImportedConfigs) XXX_DiscardUnknown()
func (*ImportedConfigs) XXX_Marshal ¶
func (m *ImportedConfigs) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*ImportedConfigs) XXX_Merge ¶
func (m *ImportedConfigs) XXX_Merge(src proto.Message)
func (*ImportedConfigs) XXX_Size ¶
func (m *ImportedConfigs) XXX_Size() int
func (*ImportedConfigs) XXX_Unmarshal ¶
func (m *ImportedConfigs) XXX_Unmarshal(b []byte) error
type InspectDelegationTokenRequest ¶
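// InspectDelegationTokenRequest carries the token to be inspected.
//
// The declaration was collapsed onto one line, so the first "//" comment
// swallowed every field after it; the layout is restored here with the field
// tags unchanged.
type InspectDelegationTokenRequest struct {
	// The token body.
	//
	// NOTE(review): this is a credential. Avoid writing the whole message to
	// logs (for example via String()) while the token may still be valid.
	Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
	// Bookkeeping fields of the generated protobuf code; excluded from JSON.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}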
InspectDelegationTokenRequest is the body of the InspectDelegationToken RPC call.
func (*InspectDelegationTokenRequest) Descriptor ¶
func (*InspectDelegationTokenRequest) Descriptor() ([]byte, []int)
func (*InspectDelegationTokenRequest) GetToken ¶
func (m *InspectDelegationTokenRequest) GetToken() string
func (*InspectDelegationTokenRequest) ProtoMessage ¶
func (*InspectDelegationTokenRequest) ProtoMessage()
func (*InspectDelegationTokenRequest) Reset ¶
func (m *InspectDelegationTokenRequest) Reset()
func (*InspectDelegationTokenRequest) String ¶
func (m *InspectDelegationTokenRequest) String() string
func (*InspectDelegationTokenRequest) XXX_DiscardUnknown ¶
func (m *InspectDelegationTokenRequest) XXX_DiscardUnknown()
func (*InspectDelegationTokenRequest) XXX_Marshal ¶
func (m *InspectDelegationTokenRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*InspectDelegationTokenRequest) XXX_Merge ¶
func (m *InspectDelegationTokenRequest) XXX_Merge(src proto.Message)
func (*InspectDelegationTokenRequest) XXX_Size ¶
func (m *InspectDelegationTokenRequest) XXX_Size() int
func (*InspectDelegationTokenRequest) XXX_Unmarshal ¶
func (m *InspectDelegationTokenRequest) XXX_Unmarshal(b []byte) error
type InspectDelegationTokenResponse ¶
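// InspectDelegationTokenResponse describes what the server found in a
// delegation token.
//
// The declaration was collapsed onto two lines, so the first "//" comment
// swallowed every field after it; the layout is restored here with the field
// tags unchanged.
//
// All three booleans default to false, so an unfilled response reads as an
// invalid, unsigned, expired token. Check Valid (or Signed and NonExpired)
// before acting on Envelope or Subtoken.
type InspectDelegationTokenResponse struct {
	// True if the token is valid.
	//
	// A token is valid if its signature is correct and it hasn't expired yet.
	Valid bool `protobuf:"varint,1,opt,name=valid,proto3" json:"valid,omitempty"`
	// Human readable summary of why token is invalid.
	//
	// Summarizes the rest of the fields of this struct. Set only if 'valid' is
	// false.
	InvalidityReason string `protobuf:"bytes,2,opt,name=invalidity_reason,json=invalidityReason,proto3" json:"invalidity_reason,omitempty"`
	// True if the token signature was verified.
	//
	// It means the token was generated by the token server and its body is not
	// garbage. Note that a token can be correctly signed, but invalid (if it
	// has expired).
	//
	// If 'signed' is false, the fields below may (or may not) be garbage.
	//
	// The token server uses private keys managed by Google Cloud Platform, they
	// are constantly being rotated and "old" signatures become invalid over time
	// (when corresponding keys are rotated out of existence).
	//
	// If 'signed' is false, use the rest of the response only as FYI, possibly
	// invalid or even maliciously constructed.
	Signed bool `protobuf:"varint,3,opt,name=signed,proto3" json:"signed,omitempty"`
	// True if the token signature was verified and token hasn't expired yet.
	//
	// We use "non_" prefix to make default 'false' value safer.
	NonExpired bool `protobuf:"varint,4,opt,name=non_expired,json=nonExpired,proto3" json:"non_expired,omitempty"`
	// The deserialized token envelope.
	//
	// May be empty if token was malformed and couldn't be deserialized.
	Envelope *messages.DelegationToken `protobuf:"bytes,5,opt,name=envelope,proto3" json:"envelope,omitempty"`
	// The deserialized token body (deserialized 'envelope.serialized_subtoken').
	//
	// May be empty if token was malformed and couldn't be deserialized.
	Subtoken *messages.Subtoken `protobuf:"bytes,6,opt,name=subtoken,proto3" json:"subtoken,omitempty"`
	// Bookkeeping fields of the generated protobuf code; excluded from JSON.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}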
InspectDelegationTokenResponse is the return value of the InspectDelegationToken RPC.
func (*InspectDelegationTokenResponse) Descriptor ¶
func (*InspectDelegationTokenResponse) Descriptor() ([]byte, []int)
func (*InspectDelegationTokenResponse) GetEnvelope ¶
func (m *InspectDelegationTokenResponse) GetEnvelope() *messages.DelegationToken
func (*InspectDelegationTokenResponse) GetInvalidityReason ¶
func (m *InspectDelegationTokenResponse) GetInvalidityReason() string
func (*InspectDelegationTokenResponse) GetNonExpired ¶
func (m *InspectDelegationTokenResponse) GetNonExpired() bool
func (*InspectDelegationTokenResponse) GetSigned ¶
func (m *InspectDelegationTokenResponse) GetSigned() bool
func (*InspectDelegationTokenResponse) GetSubtoken ¶
func (m *InspectDelegationTokenResponse) GetSubtoken() *messages.Subtoken
func (*InspectDelegationTokenResponse) GetValid ¶
func (m *InspectDelegationTokenResponse) GetValid() bool
func (*InspectDelegationTokenResponse) ProtoMessage ¶
func (*InspectDelegationTokenResponse) ProtoMessage()
func (*InspectDelegationTokenResponse) Reset ¶
func (m *InspectDelegationTokenResponse) Reset()
func (*InspectDelegationTokenResponse) String ¶
func (m *InspectDelegationTokenResponse) String() string
func (*InspectDelegationTokenResponse) XXX_DiscardUnknown ¶
func (m *InspectDelegationTokenResponse) XXX_DiscardUnknown()
func (*InspectDelegationTokenResponse) XXX_Marshal ¶
func (m *InspectDelegationTokenResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*InspectDelegationTokenResponse) XXX_Merge ¶
func (m *InspectDelegationTokenResponse) XXX_Merge(src proto.Message)
func (*InspectDelegationTokenResponse) XXX_Size ¶
func (m *InspectDelegationTokenResponse) XXX_Size() int
func (*InspectDelegationTokenResponse) XXX_Unmarshal ¶
func (m *InspectDelegationTokenResponse) XXX_Unmarshal(b []byte) error
type InspectMachineTokenRequest ¶
// InspectMachineTokenRequest is the body of the InspectMachineToken RPC call.
// It carries the token to inspect together with its declared type.
type InspectMachineTokenRequest struct {
	// The type of token being checked.
	//
	// Currently only LUCI_MACHINE_TOKEN is supported. This is also the default.
	TokenType api.MachineTokenType `protobuf:"varint,1,opt,name=token_type,json=tokenType,proto3,enum=tokenserver.MachineTokenType" json:"token_type,omitempty"`
	// The token body. Exact meaning depends on token_type.
	//
	// NOTE(review): presumably a bearer credential — confirm. If so, avoid
	// writing this message (e.g. its String() form) to logs.
	Token string `protobuf:"bytes,2,opt,name=token,proto3" json:"token,omitempty"`
	// Bookkeeping fields emitted by the protobuf code generator; excluded from
	// JSON by their `json:"-"` tags.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
InspectMachineTokenRequest is the body of the InspectMachineToken RPC call.
It contains a machine token of some kind.
func (*InspectMachineTokenRequest) Descriptor ¶
func (*InspectMachineTokenRequest) Descriptor() ([]byte, []int)
func (*InspectMachineTokenRequest) GetToken ¶
func (m *InspectMachineTokenRequest) GetToken() string
func (*InspectMachineTokenRequest) GetTokenType ¶
func (m *InspectMachineTokenRequest) GetTokenType() api.MachineTokenType
func (*InspectMachineTokenRequest) ProtoMessage ¶
func (*InspectMachineTokenRequest) ProtoMessage()
func (*InspectMachineTokenRequest) Reset ¶
func (m *InspectMachineTokenRequest) Reset()
func (*InspectMachineTokenRequest) String ¶
func (m *InspectMachineTokenRequest) String() string
func (*InspectMachineTokenRequest) XXX_DiscardUnknown ¶
func (m *InspectMachineTokenRequest) XXX_DiscardUnknown()
func (*InspectMachineTokenRequest) XXX_Marshal ¶
func (m *InspectMachineTokenRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*InspectMachineTokenRequest) XXX_Merge ¶
func (m *InspectMachineTokenRequest) XXX_Merge(src proto.Message)
func (*InspectMachineTokenRequest) XXX_Size ¶
func (m *InspectMachineTokenRequest) XXX_Size() int
func (*InspectMachineTokenRequest) XXX_Unmarshal ¶
func (m *InspectMachineTokenRequest) XXX_Unmarshal(b []byte) error
type InspectMachineTokenResponse ¶
// InspectMachineTokenResponse is the return value of the InspectMachineToken
// RPC call.
//
// Valid is the overall verdict; Signed, NonExpired and NonRevoked break it
// down, and the remaining fields describe the decoded token.
type InspectMachineTokenResponse struct {
	// True if the token is valid.
	//
	// A token is valid if its signature is correct, it hasn't expired yet and
	// the credentials it was built from (e.g. a certificate) weren't revoked.
	Valid bool `protobuf:"varint,1,opt,name=valid,proto3" json:"valid,omitempty"`
	// Human readable summary of why token is invalid.
	//
	// Summarizes the rest of the fields of this struct. Set only if 'valid' is
	// false.
	InvalidityReason string `protobuf:"bytes,2,opt,name=invalidity_reason,json=invalidityReason,proto3" json:"invalidity_reason,omitempty"`
	// True if the token signature was verified.
	//
	// It means the token was generated by the token server and its body is not
	// garbage. Note that a token can be correctly signed, but invalid (if it
	// has expired or was revoked).
	//
	// If 'signed' is false, the fields below may (or may not) be garbage.
	//
	// The token server uses private keys managed by Google Cloud Platform, they
	// are constantly being rotated and "old" signatures become invalid over time
	// (when corresponding keys are rotated out of existence).
	//
	// If 'signed' is false, use the rest of the response only as FYI, possibly
	// invalid or even maliciously constructed.
	Signed bool `protobuf:"varint,3,opt,name=signed,proto3" json:"signed,omitempty"`
	// True if the token signature was verified and token hasn't expired yet.
	//
	// We use "non_" prefix to make default 'false' value safer: the proto3 zero
	// value of a bool is false, so an unset field reads as "expired".
	NonExpired bool `protobuf:"varint,4,opt,name=non_expired,json=nonExpired,proto3" json:"non_expired,omitempty"`
	// True if the token signature was verified and the token wasn't revoked.
	//
	// It is possible for an expired token to be non revoked. They are independent
	// properties.
	//
	// We use "non_" prefix to make default 'false' value safer: an unset field
	// reads as "revoked".
	NonRevoked bool `protobuf:"varint,5,opt,name=non_revoked,json=nonRevoked,proto3" json:"non_revoked,omitempty"`
	// Id of a private key used to sign this token, if applicable.
	SigningKeyId string `protobuf:"bytes,6,opt,name=signing_key_id,json=signingKeyId,proto3" json:"signing_key_id,omitempty"`
	// Name of a CA that issued the cert the token is based on, if applicable.
	//
	// Resolved from 'ca_id' field of the token body.
	//
	// NOTE(review): because it is derived from the token body, this is
	// presumably only trustworthy when Signed is true — confirm.
	CertCaName string `protobuf:"bytes,7,opt,name=cert_ca_name,json=certCaName,proto3" json:"cert_ca_name,omitempty"`
	// The decoded token body (depends on token_type request parameter). Empty if
	// token was malformed and couldn't be deserialized.
	//
	// When Signed is false the decoded body is unverified; see the Signed
	// comment above.
	//
	// Types that are valid to be assigned to TokenType:
	//	*InspectMachineTokenResponse_LuciMachineToken
	TokenType isInspectMachineTokenResponse_TokenType `protobuf_oneof:"token_type"`
	// Bookkeeping fields emitted by the protobuf code generator; excluded from
	// JSON by their `json:"-"` tags.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
InspectMachineTokenResponse is the return value of the InspectMachineToken RPC call.
func (*InspectMachineTokenResponse) Descriptor ¶
func (*InspectMachineTokenResponse) Descriptor() ([]byte, []int)
func (*InspectMachineTokenResponse) GetCertCaName ¶
func (m *InspectMachineTokenResponse) GetCertCaName() string
func (*InspectMachineTokenResponse) GetInvalidityReason ¶
func (m *InspectMachineTokenResponse) GetInvalidityReason() string
func (*InspectMachineTokenResponse) GetLuciMachineToken ¶
func (m *InspectMachineTokenResponse) GetLuciMachineToken() *api.MachineTokenBody
func (*InspectMachineTokenResponse) GetNonExpired ¶
func (m *InspectMachineTokenResponse) GetNonExpired() bool
func (*InspectMachineTokenResponse) GetNonRevoked ¶
func (m *InspectMachineTokenResponse) GetNonRevoked() bool
func (*InspectMachineTokenResponse) GetSigned ¶
func (m *InspectMachineTokenResponse) GetSigned() bool
func (*InspectMachineTokenResponse) GetSigningKeyId ¶
func (m *InspectMachineTokenResponse) GetSigningKeyId() string
func (*InspectMachineTokenResponse) GetTokenType ¶
func (m *InspectMachineTokenResponse) GetTokenType() isInspectMachineTokenResponse_TokenType
func (*InspectMachineTokenResponse) GetValid ¶
func (m *InspectMachineTokenResponse) GetValid() bool
func (*InspectMachineTokenResponse) ProtoMessage ¶
func (*InspectMachineTokenResponse) ProtoMessage()
func (*InspectMachineTokenResponse) Reset ¶
func (m *InspectMachineTokenResponse) Reset()
func (*InspectMachineTokenResponse) String ¶
func (m *InspectMachineTokenResponse) String() string
func (*InspectMachineTokenResponse) XXX_DiscardUnknown ¶
func (m *InspectMachineTokenResponse) XXX_DiscardUnknown()
func (*InspectMachineTokenResponse) XXX_Marshal ¶
func (m *InspectMachineTokenResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*InspectMachineTokenResponse) XXX_Merge ¶
func (m *InspectMachineTokenResponse) XXX_Merge(src proto.Message)
func (*InspectMachineTokenResponse) XXX_OneofFuncs ¶
func (*InspectMachineTokenResponse) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{})
XXX_OneofFuncs is for the internal use of the proto package.
func (*InspectMachineTokenResponse) XXX_Size ¶
func (m *InspectMachineTokenResponse) XXX_Size() int
func (*InspectMachineTokenResponse) XXX_Unmarshal ¶
func (m *InspectMachineTokenResponse) XXX_Unmarshal(b []byte) error
type InspectMachineTokenResponse_LuciMachineToken ¶
// InspectMachineTokenResponse_LuciMachineToken is the wrapper type for the
// luci_machine_token case of a protobuf oneof (see the "oneof" option in the
// field tag).
type InspectMachineTokenResponse_LuciMachineToken struct {
	// The decoded machine token body (protobuf field number 20).
	LuciMachineToken *api.MachineTokenBody `protobuf:"bytes,20,opt,name=luci_machine_token,json=luciMachineToken,proto3,oneof"`
}
type InspectOAuthTokenGrantRequest ¶
// InspectOAuthTokenGrantRequest is the body of the InspectOAuthTokenGrant RPC
// call.
type InspectOAuthTokenGrantRequest struct {
	// The token body.
	//
	// NOTE(review): presumably the OAuth token grant itself, i.e. a credential
	// — confirm. If so, avoid writing this message to logs.
	Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
	// Bookkeeping fields emitted by the protobuf code generator; excluded from
	// JSON by their `json:"-"` tags.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
InspectOAuthTokenGrantRequest is the body of the InspectOAuthTokenGrant RPC call.
func (*InspectOAuthTokenGrantRequest) Descriptor ¶
func (*InspectOAuthTokenGrantRequest) Descriptor() ([]byte, []int)
func (*InspectOAuthTokenGrantRequest) GetToken ¶
func (m *InspectOAuthTokenGrantRequest) GetToken() string
func (*InspectOAuthTokenGrantRequest) ProtoMessage ¶
func (*InspectOAuthTokenGrantRequest) ProtoMessage()
func (*InspectOAuthTokenGrantRequest) Reset ¶
func (m *InspectOAuthTokenGrantRequest) Reset()
func (*InspectOAuthTokenGrantRequest) String ¶
func (m *InspectOAuthTokenGrantRequest) String() string
func (*InspectOAuthTokenGrantRequest) XXX_DiscardUnknown ¶
func (m *InspectOAuthTokenGrantRequest) XXX_DiscardUnknown()
func (*InspectOAuthTokenGrantRequest) XXX_Marshal ¶
func (m *InspectOAuthTokenGrantRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*InspectOAuthTokenGrantRequest) XXX_Merge ¶
func (m *InspectOAuthTokenGrantRequest) XXX_Merge(src proto.Message)
func (*InspectOAuthTokenGrantRequest) XXX_Size ¶
func (m *InspectOAuthTokenGrantRequest) XXX_Size() int
func (*InspectOAuthTokenGrantRequest) XXX_Unmarshal ¶
func (m *InspectOAuthTokenGrantRequest) XXX_Unmarshal(b []byte) error
type InspectOAuthTokenGrantResponse ¶
// InspectOAuthTokenGrantResponse is the return value of the
// InspectOAuthTokenGrant RPC.
//
// Valid is the overall verdict; Signed, NonExpired and AllowedByRules break it
// down, and the remaining fields describe the decoded grant and the rule that
// matched it.
type InspectOAuthTokenGrantResponse struct {
	// True if the token is valid.
	//
	// A token is valid if its signature is correct, it hasn't expired yet and
	// token server rules still allow it.
	Valid bool `protobuf:"varint,1,opt,name=valid,proto3" json:"valid,omitempty"`
	// Human readable summary of why token is invalid.
	//
	// Summarizes the rest of the fields of this struct. Set only if 'valid' is
	// false.
	InvalidityReason string `protobuf:"bytes,2,opt,name=invalidity_reason,json=invalidityReason,proto3" json:"invalidity_reason,omitempty"`
	// True if the token signature was verified.
	//
	// It means the token was generated by the token server and its body is not
	// garbage. Note that a token can be correctly signed, but invalid (if it
	// has expired).
	//
	// If 'signed' is false, the fields below may (or may not) be garbage.
	//
	// The token server uses private keys managed by Google Cloud Platform, they
	// are constantly being rotated and "old" signatures become invalid over time
	// (when corresponding keys are rotated out of existence).
	//
	// If 'signed' is false, use the rest of the response only as FYI, possibly
	// invalid or even maliciously constructed.
	Signed bool `protobuf:"varint,3,opt,name=signed,proto3" json:"signed,omitempty"`
	// True if the token signature was verified and token hasn't expired yet.
	//
	// We use "non_" prefix to make default 'false' value safer: the proto3 zero
	// value of a bool is false, so an unset field reads as "expired".
	NonExpired bool `protobuf:"varint,4,opt,name=non_expired,json=nonExpired,proto3" json:"non_expired,omitempty"`
	// ID of a token server private key used to sign the token.
	SigningKeyId string `protobuf:"bytes,5,opt,name=signing_key_id,json=signingKeyId,proto3" json:"signing_key_id,omitempty"`
	// The deserialized token body.
	//
	// May be empty if token was malformed and couldn't be deserialized.
	//
	// When Signed is false this is unverified content; see the Signed comment
	// above.
	TokenBody *api.OAuthTokenGrantBody `protobuf:"bytes,6,opt,name=token_body,json=tokenBody,proto3" json:"token_body,omitempty"`
	// The service_accounts.cfg rule that governs the service account usage.
	//
	// May be present even if the token is not allowed by it, so a non-nil
	// MatchingRule is not an authorization signal; check AllowedByRules (or
	// Valid) instead.
	MatchingRule *ServiceAccountRule `protobuf:"bytes,7,opt,name=matching_rule,json=matchingRule,proto3" json:"matching_rule,omitempty"`
	// True if current service_accounts.cfg rules allow this token.
	AllowedByRules bool `protobuf:"varint,8,opt,name=allowed_by_rules,json=allowedByRules,proto3" json:"allowed_by_rules,omitempty"`
	// Bookkeeping fields emitted by the protobuf code generator; excluded from
	// JSON by their `json:"-"` tags.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
InspectOAuthTokenGrantResponse is the return value of the InspectOAuthTokenGrant RPC.
func (*InspectOAuthTokenGrantResponse) Descriptor ¶
func (*InspectOAuthTokenGrantResponse) Descriptor() ([]byte, []int)
func (*InspectOAuthTokenGrantResponse) GetAllowedByRules ¶
func (m *InspectOAuthTokenGrantResponse) GetAllowedByRules() bool
func (*InspectOAuthTokenGrantResponse) GetInvalidityReason ¶
func (m *InspectOAuthTokenGrantResponse) GetInvalidityReason() string
func (*InspectOAuthTokenGrantResponse) GetMatchingRule ¶
func (m *InspectOAuthTokenGrantResponse) GetMatchingRule() *ServiceAccountRule
func (*InspectOAuthTokenGrantResponse) GetNonExpired ¶
func (m *InspectOAuthTokenGrantResponse) GetNonExpired() bool
func (*InspectOAuthTokenGrantResponse) GetSigned ¶
func (m *InspectOAuthTokenGrantResponse) GetSigned() bool
func (*InspectOAuthTokenGrantResponse) GetSigningKeyId ¶
func (m *InspectOAuthTokenGrantResponse) GetSigningKeyId() string
func (*InspectOAuthTokenGrantResponse) GetTokenBody ¶
func (m *InspectOAuthTokenGrantResponse) GetTokenBody() *api.OAuthTokenGrantBody
func (*InspectOAuthTokenGrantResponse) GetValid ¶
func (m *InspectOAuthTokenGrantResponse) GetValid() bool
func (*InspectOAuthTokenGrantResponse) ProtoMessage ¶
func (*InspectOAuthTokenGrantResponse) ProtoMessage()
func (*InspectOAuthTokenGrantResponse) Reset ¶
func (m *InspectOAuthTokenGrantResponse) Reset()
func (*InspectOAuthTokenGrantResponse) String ¶
func (m *InspectOAuthTokenGrantResponse) String() string
func (*InspectOAuthTokenGrantResponse) XXX_DiscardUnknown ¶
func (m *InspectOAuthTokenGrantResponse) XXX_DiscardUnknown()
func (*InspectOAuthTokenGrantResponse) XXX_Marshal ¶
func (m *InspectOAuthTokenGrantResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*InspectOAuthTokenGrantResponse) XXX_Merge ¶
func (m *InspectOAuthTokenGrantResponse) XXX_Merge(src proto.Message)
func (*InspectOAuthTokenGrantResponse) XXX_Size ¶
func (m *InspectOAuthTokenGrantResponse) XXX_Size() int
func (*InspectOAuthTokenGrantResponse) XXX_Unmarshal ¶
func (m *InspectOAuthTokenGrantResponse) XXX_Unmarshal(b []byte) error
type IsRevokedCertRequest ¶
// IsRevokedCertRequest identifies one certificate by the CA that issued it and
// the certificate's serial number.
type IsRevokedCertRequest struct {
	// Name of the CA. NOTE(review): presumably the CA's CN as used elsewhere
	// in this package — confirm.
	Ca string `protobuf:"bytes,1,opt,name=ca,proto3" json:"ca,omitempty"`
	// Certificate serial number, carried as a string. The expected encoding
	// (decimal, hex, ...) is not stated here — confirm against the RPC docs.
	Sn string `protobuf:"bytes,2,opt,name=sn,proto3" json:"sn,omitempty"`
	// Bookkeeping fields emitted by the protobuf code generator; excluded from
	// JSON by their `json:"-"` tags.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
IsRevokedCertRequest contains a name of the CA and a cert serial number.
func (*IsRevokedCertRequest) Descriptor ¶
func (*IsRevokedCertRequest) Descriptor() ([]byte, []int)
func (*IsRevokedCertRequest) GetCa ¶
func (m *IsRevokedCertRequest) GetCa() string
func (*IsRevokedCertRequest) GetSn ¶
func (m *IsRevokedCertRequest) GetSn() string
func (*IsRevokedCertRequest) ProtoMessage ¶
func (*IsRevokedCertRequest) ProtoMessage()
func (*IsRevokedCertRequest) Reset ¶
func (m *IsRevokedCertRequest) Reset()
func (*IsRevokedCertRequest) String ¶
func (m *IsRevokedCertRequest) String() string
func (*IsRevokedCertRequest) XXX_DiscardUnknown ¶
func (m *IsRevokedCertRequest) XXX_DiscardUnknown()
func (*IsRevokedCertRequest) XXX_Marshal ¶
func (m *IsRevokedCertRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*IsRevokedCertRequest) XXX_Merge ¶
func (m *IsRevokedCertRequest) XXX_Merge(src proto.Message)
func (*IsRevokedCertRequest) XXX_Size ¶
func (m *IsRevokedCertRequest) XXX_Size() int
func (*IsRevokedCertRequest) XXX_Unmarshal ¶
func (m *IsRevokedCertRequest) XXX_Unmarshal(b []byte) error
type IsRevokedCertResponse ¶
// IsRevokedCertResponse is returned by IsRevokedCert.
type IsRevokedCertResponse struct {
	// True if the certificate is revoked.
	//
	// NOTE(review): unlike the "non_"-prefixed flags used by the Inspect*
	// responses in this package, the proto3 zero value here (false) reads as
	// "not revoked". Callers should therefore only consult this field after
	// the RPC itself has succeeded, and never on a default-constructed message.
	Revoked bool `protobuf:"varint,1,opt,name=revoked,proto3" json:"revoked,omitempty"`
	// Bookkeeping fields emitted by the protobuf code generator; excluded from
	// JSON by their `json:"-"` tags.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
IsRevokedCertResponse is returned by IsRevokedCert.
func (*IsRevokedCertResponse) Descriptor ¶
func (*IsRevokedCertResponse) Descriptor() ([]byte, []int)
func (*IsRevokedCertResponse) GetRevoked ¶
func (m *IsRevokedCertResponse) GetRevoked() bool
func (*IsRevokedCertResponse) ProtoMessage ¶
func (*IsRevokedCertResponse) ProtoMessage()
func (*IsRevokedCertResponse) Reset ¶
func (m *IsRevokedCertResponse) Reset()
func (*IsRevokedCertResponse) String ¶
func (m *IsRevokedCertResponse) String() string
func (*IsRevokedCertResponse) XXX_DiscardUnknown ¶
func (m *IsRevokedCertResponse) XXX_DiscardUnknown()
func (*IsRevokedCertResponse) XXX_Marshal ¶
func (m *IsRevokedCertResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*IsRevokedCertResponse) XXX_Merge ¶
func (m *IsRevokedCertResponse) XXX_Merge(src proto.Message)
func (*IsRevokedCertResponse) XXX_Size ¶
func (m *IsRevokedCertResponse) XXX_Size() int
func (*IsRevokedCertResponse) XXX_Unmarshal ¶
func (m *IsRevokedCertResponse) XXX_Unmarshal(b []byte) error
type ListCAsResponse ¶
// ListCAsResponse is returned by ListCAs.
type ListCAsResponse struct {
	// Repeated string field "cn". NOTE(review): presumably the Common Names of
	// the CAs known to the token server — confirm against the ListCAs RPC docs.
	Cn []string `protobuf:"bytes,1,rep,name=cn,proto3" json:"cn,omitempty"`
	// Bookkeeping fields emitted by the protobuf code generator; excluded from
	// JSON by their `json:"-"` tags.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
ListCAsResponse is returned by ListCAs.
func (*ListCAsResponse) Descriptor ¶
func (*ListCAsResponse) Descriptor() ([]byte, []int)
func (*ListCAsResponse) GetCn ¶
func (m *ListCAsResponse) GetCn() []string
func (*ListCAsResponse) ProtoMessage ¶
func (*ListCAsResponse) ProtoMessage()
func (*ListCAsResponse) Reset ¶
func (m *ListCAsResponse) Reset()
func (*ListCAsResponse) String ¶
func (m *ListCAsResponse) String() string
func (*ListCAsResponse) XXX_DiscardUnknown ¶
func (m *ListCAsResponse) XXX_DiscardUnknown()
func (*ListCAsResponse) XXX_Marshal ¶
func (m *ListCAsResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*ListCAsResponse) XXX_Merge ¶
func (m *ListCAsResponse) XXX_Merge(src proto.Message)
func (*ListCAsResponse) XXX_Size ¶
func (m *ListCAsResponse) XXX_Size() int
func (*ListCAsResponse) XXX_Unmarshal ¶
func (m *ListCAsResponse) XXX_Unmarshal(b []byte) error
type ServiceAccountRule ¶
// ServiceAccountRule describes a single allowed case of using service
// accounts: which accounts it covers, which scopes may be granted, which end
// users may act as the accounts, and through which proxies.
type ServiceAccountRule struct {
	// A descriptive name of this rule, for the audit log.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Email of developers that own this rule, to know who to contact.
	Owner []string `protobuf:"bytes,2,rep,name=owner,proto3" json:"owner,omitempty"`
	// Email of service accounts that this rule applies to.
	//
	// Can be used to explicitly list service accounts in the config.
	ServiceAccount []string `protobuf:"bytes,3,rep,name=service_account,json=serviceAccount,proto3" json:"service_account,omitempty"`
	// Name of a group with service account emails this rule applies to.
	//
	// Works in addition to the explicit service account listing.
	ServiceAccountGroup []string `protobuf:"bytes,9,rep,name=service_account_group,json=serviceAccountGroup,proto3" json:"service_account_group,omitempty"`
	// OAuth scopes we allow to be granted to the OAuth token.
	//
	// Any subset of given scopes is allowed. This field is evaluated in
	// MintOAuthTokenViaGrant RPC handler, right before generating the OAuth
	// token.
	//
	// Merged with corresponding list from ServiceAccountRuleDefaults, so the
	// effective set can be wider than what is listed here.
	AllowedScope []string `protobuf:"bytes,4,rep,name=allowed_scope,json=allowedScope,proto3" json:"allowed_scope,omitempty"`
	// A set of identities that are allowed to act as the service account (perhaps
	// indirectly through some other intermediary "proxy" service like Swarming).
	//
	// Users listed here are ultimately able to grab an OAuth token belonging to
	// the service account.
	//
	// Each element is either:
	//  * An identity string ("user:<email>").
	//  * A group reference ("group:<name>").
	EndUser []string `protobuf:"bytes,5,rep,name=end_user,json=endUser,proto3" json:"end_user,omitempty"`
	// A set of identities that are allowed to act on behalf of end users when
	// grabbing an OAuth token for the service account.
	//
	// These identities represent "proxy" services that do something with service
	// accounts on behalf of end users. Only identities in this set are allowed
	// to perform MintOAuthTokenGrant RPC.
	//
	// Each element is either:
	//  * An identity string ("user:<email>").
	//  * A group reference ("group:<name>").
	Proxy []string `protobuf:"bytes,6,rep,name=proxy,proto3" json:"proxy,omitempty"`
	// Same as 'proxy', except for proxies specified here the end_user check is
	// skipped: these proxies can grab a token for _any_ service account listed
	// in the rule, regardless of who the end user is.
	//
	// The trusted proxies are assumed to authorize the end user already and
	// the token server trusts this decision (thus the name of the field).
	//
	// NOTE(review): an entry here is equivalent to access to every service
	// account in the rule, so changes to this list deserve the same scrutiny
	// as granting those accounts directly.
	TrustedProxy []string `protobuf:"bytes,8,rep,name=trusted_proxy,json=trustedProxy,proto3" json:"trusted_proxy,omitempty"`
	// Maximum allowed validity duration (sec) of OAuth token grants.
	//
	// The grant is minted by MintOAuthTokenGrant RPC (called, for example, when
	// Swarming task is posted), and checked by MintOAuthTokenViaGrant RPC (called
	// when the task actually runs). So the allowed validity duration should
	// account for possible queuing delays.
	//
	// This duration has no relation to the OAuth token lifetime. The OAuth token
	// produced by MintOAuthTokenViaGrant can always live up to 1h regardless of
	// validity duration of the grant.
	//
	// Default is taken from ServiceAccountRuleDefaults or 48 hours if not
	// specified there.
	//
	// NOTE(review): a grant stays redeemable for its whole validity period, so
	// this value also bounds how long a leaked grant remains useful; keep it
	// close to the expected queuing delay.
	//
	// The struct tag below appears to be elided by the documentation renderer.
	MaxGrantValidityDuration int64 `` /* 138-byte string literal not displayed */
	// Bookkeeping fields emitted by the protobuf code generator; excluded from
	// JSON by their `json:"-"` tags.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
ServiceAccountRule describes a single allowed case of using service accounts.
The usage of a service account is initiated by an end user, through some "proxy" service. For example, when a user posts a Swarming task that uses a service account, the end user is whoever posts the task, and the proxy is the Swarming service itself.
This rule specifies which end users are allowed to act as an account, and through which proxies.
Some proxies can be declared as "trusted", in which case they are allowed to use any service account declared by the rule, regardless of an end user.
func (*ServiceAccountRule) Descriptor ¶
func (*ServiceAccountRule) Descriptor() ([]byte, []int)
func (*ServiceAccountRule) GetAllowedScope ¶
func (m *ServiceAccountRule) GetAllowedScope() []string
func (*ServiceAccountRule) GetEndUser ¶
func (m *ServiceAccountRule) GetEndUser() []string
func (*ServiceAccountRule) GetMaxGrantValidityDuration ¶
func (m *ServiceAccountRule) GetMaxGrantValidityDuration() int64
func (*ServiceAccountRule) GetName ¶
func (m *ServiceAccountRule) GetName() string
func (*ServiceAccountRule) GetOwner ¶
func (m *ServiceAccountRule) GetOwner() []string
func (*ServiceAccountRule) GetProxy ¶
func (m *ServiceAccountRule) GetProxy() []string
func (*ServiceAccountRule) GetServiceAccount ¶
func (m *ServiceAccountRule) GetServiceAccount() []string
func (*ServiceAccountRule) GetServiceAccountGroup ¶
func (m *ServiceAccountRule) GetServiceAccountGroup() []string
func (*ServiceAccountRule) GetTrustedProxy ¶
func (m *ServiceAccountRule) GetTrustedProxy() []string
func (*ServiceAccountRule) ProtoMessage ¶
func (*ServiceAccountRule) ProtoMessage()
func (*ServiceAccountRule) Reset ¶
func (m *ServiceAccountRule) Reset()
func (*ServiceAccountRule) String ¶
func (m *ServiceAccountRule) String() string
func (*ServiceAccountRule) XXX_DiscardUnknown ¶
func (m *ServiceAccountRule) XXX_DiscardUnknown()
func (*ServiceAccountRule) XXX_Marshal ¶
func (m *ServiceAccountRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*ServiceAccountRule) XXX_Merge ¶
func (m *ServiceAccountRule) XXX_Merge(src proto.Message)
func (*ServiceAccountRule) XXX_Size ¶
func (m *ServiceAccountRule) XXX_Size() int
func (*ServiceAccountRule) XXX_Unmarshal ¶
func (m *ServiceAccountRule) XXX_Unmarshal(b []byte) error
type ServiceAccountRuleDefaults ¶
// ServiceAccountRuleDefaults specifies some default values applied to all
// service account rules, to reduce duplication.
type ServiceAccountRuleDefaults struct {
	// OAuth scopes we allow to be granted to all generated OAuth tokens.
	//
	// Always merged with 'allowed_scope' fields of ServiceAccountRule rule to
	// get the final list of scopes.
	//
	// NOTE(review): because the merge is unconditional, every scope listed
	// here is grantable under every rule; keep this list to scopes that are
	// acceptable for all service accounts in the config.
	AllowedScope []string `protobuf:"bytes,1,rep,name=allowed_scope,json=allowedScope,proto3" json:"allowed_scope,omitempty"`
	// Default value for corresponding ServiceAccountRule field, if not specified
	// there.
	//
	// Default is 48 hours.
	//
	// The struct tag below appears to be elided by the documentation renderer.
	MaxGrantValidityDuration int64 `` /* 138-byte string literal not displayed */
	// Bookkeeping fields emitted by the protobuf code generator; excluded from
	// JSON by their `json:"-"` tags.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
ServiceAccountRuleDefaults specifies some default values applied to all service account rules, to reduce duplication.
func (*ServiceAccountRuleDefaults) Descriptor ¶
func (*ServiceAccountRuleDefaults) Descriptor() ([]byte, []int)
func (*ServiceAccountRuleDefaults) GetAllowedScope ¶
func (m *ServiceAccountRuleDefaults) GetAllowedScope() []string
func (*ServiceAccountRuleDefaults) GetMaxGrantValidityDuration ¶
func (m *ServiceAccountRuleDefaults) GetMaxGrantValidityDuration() int64
func (*ServiceAccountRuleDefaults) ProtoMessage ¶
func (*ServiceAccountRuleDefaults) ProtoMessage()
func (*ServiceAccountRuleDefaults) Reset ¶
func (m *ServiceAccountRuleDefaults) Reset()
func (*ServiceAccountRuleDefaults) String ¶
func (m *ServiceAccountRuleDefaults) String() string
func (*ServiceAccountRuleDefaults) XXX_DiscardUnknown ¶
func (m *ServiceAccountRuleDefaults) XXX_DiscardUnknown()
func (*ServiceAccountRuleDefaults) XXX_Marshal ¶
func (m *ServiceAccountRuleDefaults) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*ServiceAccountRuleDefaults) XXX_Merge ¶
func (m *ServiceAccountRuleDefaults) XXX_Merge(src proto.Message)
func (*ServiceAccountRuleDefaults) XXX_Size ¶
func (m *ServiceAccountRuleDefaults) XXX_Size() int
func (*ServiceAccountRuleDefaults) XXX_Unmarshal ¶
func (m *ServiceAccountRuleDefaults) XXX_Unmarshal(b []byte) error
type ServiceAccountsPermissions ¶
// ServiceAccountsPermissions is the top-level message holding the service
// account rules and the defaults merged into them.
type ServiceAccountsPermissions struct {
	// Rules specify how MintOAuthTokenViaGrant can be used.
	//
	// Rules define a mapping {service account email -> authorization config},
	// where 'service account email' is matched to a set of emails specified via
	// 'service_account' and 'service_account_group' fields of ServiceAccountRule,
	// and 'authorization config' is the rest of fields in ServiceAccountRule that
	// define how exactly the given service account is allowed to be used.
	//
	// If a service account email matches two (or more) rules, perhaps via
	// different groups, an error will be returned. Ambiguity is not allowed.
	// Note that a group membership change alone can therefore introduce such
	// an overlap without any edit to this config.
	//
	// See ServiceAccountRule comments for more details.
	Rules []*ServiceAccountRule `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
	// Defaults specifies some default values applied to all rules, to reduce
	// duplication.
	//
	// See docs for individual fields to figure out how defaults are merged into
	// the rules.
	Defaults *ServiceAccountRuleDefaults `protobuf:"bytes,2,opt,name=defaults,proto3" json:"defaults,omitempty"`
	// Bookkeeping fields emitted by the protobuf code generator; excluded from
	// JSON by their `json:"-"` tags.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
ServiceAccountsPermissions is read from service_accounts.cfg in luci-config.
func (*ServiceAccountsPermissions) Descriptor ¶
func (*ServiceAccountsPermissions) Descriptor() ([]byte, []int)
func (*ServiceAccountsPermissions) GetDefaults ¶
func (m *ServiceAccountsPermissions) GetDefaults() *ServiceAccountRuleDefaults
func (*ServiceAccountsPermissions) GetRules ¶
func (m *ServiceAccountsPermissions) GetRules() []*ServiceAccountRule
func (*ServiceAccountsPermissions) ProtoMessage ¶
func (*ServiceAccountsPermissions) ProtoMessage()
func (*ServiceAccountsPermissions) Reset ¶
func (m *ServiceAccountsPermissions) Reset()
func (*ServiceAccountsPermissions) String ¶
func (m *ServiceAccountsPermissions) String() string
func (*ServiceAccountsPermissions) XXX_DiscardUnknown ¶
func (m *ServiceAccountsPermissions) XXX_DiscardUnknown()
func (*ServiceAccountsPermissions) XXX_Marshal ¶
func (m *ServiceAccountsPermissions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*ServiceAccountsPermissions) XXX_Merge ¶
func (m *ServiceAccountsPermissions) XXX_Merge(src proto.Message)
func (*ServiceAccountsPermissions) XXX_Size ¶
func (m *ServiceAccountsPermissions) XXX_Size() int
func (*ServiceAccountsPermissions) XXX_Unmarshal ¶
func (m *ServiceAccountsPermissions) XXX_Unmarshal(b []byte) error
type TokenServerConfig ¶
// TokenServerConfig is the top-level token server config message; it lists
// the certificate authorities the server trusts.
type TokenServerConfig struct {
	// List of CAs we trust.
	//
	// NOTE(review): this list is the trust root for certificate-based
	// credentials handled by the server, so additions should be reviewed as
	// trust-anchor changes.
	CertificateAuthority []*CertificateAuthorityConfig `protobuf:"bytes,1,rep,name=certificate_authority,json=certificateAuthority,proto3" json:"certificate_authority,omitempty"`
	// Bookkeeping fields emitted by the protobuf code generator; excluded from
	// JSON by their `json:"-"` tags.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
TokenServerConfig is read from tokenserver.cfg in luci-config.
func (*TokenServerConfig) Descriptor ¶
func (*TokenServerConfig) Descriptor() ([]byte, []int)
func (*TokenServerConfig) GetCertificateAuthority ¶
func (m *TokenServerConfig) GetCertificateAuthority() []*CertificateAuthorityConfig
func (*TokenServerConfig) ProtoMessage ¶
func (*TokenServerConfig) ProtoMessage()
func (*TokenServerConfig) Reset ¶
func (m *TokenServerConfig) Reset()
func (*TokenServerConfig) String ¶
func (m *TokenServerConfig) String() string
func (*TokenServerConfig) XXX_DiscardUnknown ¶
func (m *TokenServerConfig) XXX_DiscardUnknown()
func (*TokenServerConfig) XXX_Marshal ¶
func (m *TokenServerConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*TokenServerConfig) XXX_Merge ¶
func (m *TokenServerConfig) XXX_Merge(src proto.Message)
func (*TokenServerConfig) XXX_Size ¶
func (m *TokenServerConfig) XXX_Size() int
func (*TokenServerConfig) XXX_Unmarshal ¶
func (m *TokenServerConfig) XXX_Unmarshal(b []byte) error