protocol

Published: Jul 9, 2021 License: Apache-2.0 Imports: 4 Imported by: 0


Constants

This section is empty.

Variables

// Enum value maps for ServiceLinkResponse_Status: enum number -> name and
// name -> enum number. The two maps are exact inverses of each other.
//
// A Go map lookup with an absent key returns the zero value, and here the
// zero value is 0 / "SUCCESS". When mapping a name that arrived from outside
// the process, use the two-value form (v, ok := m[name]) and treat !ok as a
// failure rather than letting it silently read as SUCCESS.
var (
	ServiceLinkResponse_Status_name = map[int32]string{
		3: "AUTH_ERROR",
		2: "BAD_TICKET",
		1: "TRANSPORT_ERROR",
		0: "SUCCESS",
	}
	ServiceLinkResponse_Status_value = map[string]int32{
		"AUTH_ERROR":      3,
		"BAD_TICKET":      2,
		"TRANSPORT_ERROR": 1,
		"SUCCESS":         0,
	}
)

Enum value maps for ServiceLinkResponse_Status.

// Enum value maps for ReplicationPushResponse_Status: enum number -> name and
// name -> enum number. The two maps are exact inverses of each other.
//
// A Go map lookup with an absent key returns the zero value, and here the
// zero value is 0 / "APPLIED", i.e. the success status. Code that turns an
// externally supplied name into a status must use the two-value form
// (v, ok := m[name]) and treat !ok as an error, never as APPLIED.
var (
	ReplicationPushResponse_Status_name = map[int32]string{
		3: "FATAL_ERROR",
		2: "TRANSIENT_ERROR",
		1: "SKIPPED",
		0: "APPLIED",
	}
	ReplicationPushResponse_Status_value = map[string]int32{
		"FATAL_ERROR":     3,
		"TRANSIENT_ERROR": 2,
		"SKIPPED":         1,
		"APPLIED":         0,
	}
)

Enum value maps for ReplicationPushResponse_Status.

// Enum value maps for ReplicationPushResponse_ErrorCode: enum number -> name
// and name -> enum number. The two maps are exact inverses of each other.
//
// The zero value (what an absent key yields) is 0 / "ERROR_UNKNOWN", so an
// unrecognized name degrades to the generic error code rather than to a
// success-looking value; callers should still check the two-value form when
// the name comes from outside the process.
var (
	ReplicationPushResponse_ErrorCode_name = map[int32]string{
		5: "BAD_REQUEST",
		4: "BAD_SIGNATURE",
		3: "MISSING_SIGNATURE",
		2: "FORBIDDEN",
		1: "NOT_A_REPLICA",
		0: "ERROR_UNKNOWN",
	}
	ReplicationPushResponse_ErrorCode_value = map[string]int32{
		"BAD_REQUEST":       5,
		"BAD_SIGNATURE":     4,
		"MISSING_SIGNATURE": 3,
		"FORBIDDEN":         2,
		"NOT_A_REPLICA":     1,
		"ERROR_UNKNOWN":     0,
	}
)

Enum value maps for ReplicationPushResponse_ErrorCode.

// File_components_auth_proto_realms_proto is the protoreflect.FileDescriptor
// for realms.proto, the file the Realms message documentation refers to.
var File_components_auth_proto_realms_proto protoreflect.FileDescriptor
// File_components_auth_proto_replication_proto is the protoreflect.FileDescriptor
// for the replication .proto file (presumably the one defining AuthDB,
// ReplicationPushRequest/Response and ChangeNotification — confirm).
var File_components_auth_proto_replication_proto protoreflect.FileDescriptor
// File_components_auth_proto_security_config_proto is the protoreflect.FileDescriptor
// for security_config.proto; its SecurityConfig message travels in serialized
// form inside AuthDB.SecurityConfig.
var File_components_auth_proto_security_config_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type AuthDB

// AuthDB is an entire database of auth configuration that is being replicated
// from the Primary to Replicas; it is the payload of ReplicationPushRequest.
//
// NOTE(review): the visible protobuf tags skip field numbers 5 and 10, which
// look like retired fields; confirm against the .proto before reusing them.
type AuthDB struct {

	// OAuth2 client_id to use to mint new OAuth2 tokens.
	OauthClientId string `protobuf:"bytes,1,opt,name=oauth_client_id,json=oauthClientId,proto3" json:"oauth_client_id,omitempty"`
	// OAuth2 client secret. Not so secret really, since it's passed to clients.
	// Because it is handed out to clients it cannot act as a secret on its own;
	// treat it as configuration rather than as a credential.
	OauthClientSecret string `protobuf:"bytes,2,opt,name=oauth_client_secret,json=oauthClientSecret,proto3" json:"oauth_client_secret,omitempty"`
	// Additional OAuth2 client_ids allowed to access the services.
	OauthAdditionalClientIds []string `` /* 137-byte string literal not displayed */
	// All groups. Group names used elsewhere (AuthGroup.Nested, AuthGroup.Owners,
	// "group:<name>" principals in Binding) presumably resolve against this list.
	Groups []*AuthGroup `protobuf:"bytes,4,rep,name=groups,proto3" json:"groups,omitempty"`
	// All IP whitelists, referenced by name from IpWhitelistAssignments.
	IpWhitelists []*AuthIPWhitelist `protobuf:"bytes,6,rep,name=ip_whitelists,json=ipWhitelists,proto3" json:"ip_whitelists,omitempty"`
	// Mapping 'account -> IP whitelist to use for that account'.
	// Each entry names one of the IpWhitelists above (see AuthIPWhitelistAssignment).
	IpWhitelistAssignments []*AuthIPWhitelistAssignment `` /* 129-byte string literal not displayed */
	// URL of a token server to use to generate delegation tokens.
	TokenServerUrl string `protobuf:"bytes,8,opt,name=token_server_url,json=tokenServerUrl,proto3" json:"token_server_url,omitempty"`
	// Serialized security_config.SecurityConfig proto with security-related
	// configuration to distribute across all services.
	//
	// It is distributed in a serialized form to make sure old services ingest it
	// fully, even if they don't understand some SecurityConfig proto fields
	// (yet). As soon as their code is updated, they SHOULD start using all
	// SecurityConfig fields, without waiting for another push from Auth Service.
	//
	// If we use SecurityConfig directly here, old services would just drop fields
	// they don't understand when accepting an AuthDB push.
	SecurityConfig []byte `protobuf:"bytes,9,opt,name=security_config,json=securityConfig,proto3" json:"security_config,omitempty"`
	// Definition of all known permissions and realms in a LUCI deployment.
	//
	// It is ultimately used by LUCI services for authorizing access to resources.
	// See realms.proto for more details.
	Realms *Realms `protobuf:"bytes,11,opt,name=realms,proto3" json:"realms,omitempty"`
	// contains filtered or unexported fields
}

An entire database of auth configuration that is being replicated.

func (*AuthDB) Descriptor deprecated

func (*AuthDB) Descriptor() ([]byte, []int)

Deprecated: Use AuthDB.ProtoReflect.Descriptor instead.

func (*AuthDB) GetGroups

func (x *AuthDB) GetGroups() []*AuthGroup

func (*AuthDB) GetIpWhitelistAssignments

func (x *AuthDB) GetIpWhitelistAssignments() []*AuthIPWhitelistAssignment

func (*AuthDB) GetIpWhitelists

func (x *AuthDB) GetIpWhitelists() []*AuthIPWhitelist

func (*AuthDB) GetOauthAdditionalClientIds

func (x *AuthDB) GetOauthAdditionalClientIds() []string

func (*AuthDB) GetOauthClientId

func (x *AuthDB) GetOauthClientId() string

func (*AuthDB) GetOauthClientSecret

func (x *AuthDB) GetOauthClientSecret() string

func (*AuthDB) GetRealms

func (x *AuthDB) GetRealms() *Realms

func (*AuthDB) GetSecurityConfig

func (x *AuthDB) GetSecurityConfig() []byte

func (*AuthDB) GetTokenServerUrl

func (x *AuthDB) GetTokenServerUrl() string

func (*AuthDB) ProtoMessage

func (*AuthDB) ProtoMessage()

func (*AuthDB) ProtoReflect

func (x *AuthDB) ProtoReflect() protoreflect.Message

func (*AuthDB) Reset

func (x *AuthDB) Reset()

func (*AuthDB) String

func (x *AuthDB) String() string

type AuthDBRevision

// AuthDBRevision is information about some particular revision of auth DB:
// which Primary produced it, its revision number and when it was produced.
// It is carried by ReplicationPushRequest, ReplicationPushResponse and
// ChangeNotification.
type AuthDBRevision struct {

	// GAE App ID of a service holding primary copy of Auth DB.
	PrimaryId string `protobuf:"bytes,1,opt,name=primary_id,json=primaryId,proto3" json:"primary_id,omitempty"`
	// Revision of Auth DB being pushed.
	AuthDbRev int64 `protobuf:"varint,2,opt,name=auth_db_rev,json=authDbRev,proto3" json:"auth_db_rev,omitempty"`
	// Timestamp of that revision by Primary's clock, microseconds since epoch.
	// NOTE(review): presumably AuthDbRev, not this clock-dependent timestamp,
	// is what orders revisions — confirm before relying on it for comparisons.
	ModifiedTs int64 `protobuf:"varint,3,opt,name=modified_ts,json=modifiedTs,proto3" json:"modified_ts,omitempty"`
	// contains filtered or unexported fields
}

Information about some particular revision of auth DB.

func (*AuthDBRevision) Descriptor deprecated

func (*AuthDBRevision) Descriptor() ([]byte, []int)

Deprecated: Use AuthDBRevision.ProtoReflect.Descriptor instead.

func (*AuthDBRevision) GetAuthDbRev

func (x *AuthDBRevision) GetAuthDbRev() int64

func (*AuthDBRevision) GetModifiedTs

func (x *AuthDBRevision) GetModifiedTs() int64

func (*AuthDBRevision) GetPrimaryId

func (x *AuthDBRevision) GetPrimaryId() string

func (*AuthDBRevision) ProtoMessage

func (*AuthDBRevision) ProtoMessage()

func (*AuthDBRevision) ProtoReflect

func (x *AuthDBRevision) ProtoReflect() protoreflect.Message

func (*AuthDBRevision) Reset

func (x *AuthDBRevision) Reset()

func (*AuthDBRevision) String

func (x *AuthDBRevision) String() string

type AuthGroup

// AuthGroup is some user group. Corresponds to AuthGroup entity in model.py.
// Membership is the union of explicit Members, Globs and the Nested groups.
type AuthGroup struct {

	// Name of the group.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// List of members that are explicitly in this group.
	Members []string `protobuf:"bytes,2,rep,name=members,proto3" json:"members,omitempty"`
	// List of identity-glob expressions (like 'user:*@example.com').
	Globs []string `protobuf:"bytes,3,rep,name=globs,proto3" json:"globs,omitempty"`
	// List of nested group names.
	Nested []string `protobuf:"bytes,4,rep,name=nested,proto3" json:"nested,omitempty"`
	// Human readable description.
	Description string `protobuf:"bytes,5,opt,name=description,proto3" json:"description,omitempty"`
	// When the group was created. Microseconds since epoch.
	CreatedTs int64 `protobuf:"varint,6,opt,name=created_ts,json=createdTs,proto3" json:"created_ts,omitempty"`
	// Who created the group.
	CreatedBy string `protobuf:"bytes,7,opt,name=created_by,json=createdBy,proto3" json:"created_by,omitempty"`
	// When the group was modified last time. Microseconds since epoch.
	ModifiedTs int64 `protobuf:"varint,8,opt,name=modified_ts,json=modifiedTs,proto3" json:"modified_ts,omitempty"`
	// Who modified the group last time.
	ModifiedBy string `protobuf:"bytes,9,opt,name=modified_by,json=modifiedBy,proto3" json:"modified_by,omitempty"`
	// A name of the group that can modify or delete this group.
	Owners string `protobuf:"bytes,10,opt,name=owners,proto3" json:"owners,omitempty"`
	// contains filtered or unexported fields
}

Some user group. Corresponds to AuthGroup entity in model.py.

func (*AuthGroup) Descriptor deprecated

func (*AuthGroup) Descriptor() ([]byte, []int)

Deprecated: Use AuthGroup.ProtoReflect.Descriptor instead.

func (*AuthGroup) GetCreatedBy

func (x *AuthGroup) GetCreatedBy() string

func (*AuthGroup) GetCreatedTs

func (x *AuthGroup) GetCreatedTs() int64

func (*AuthGroup) GetDescription

func (x *AuthGroup) GetDescription() string

func (*AuthGroup) GetGlobs

func (x *AuthGroup) GetGlobs() []string

func (*AuthGroup) GetMembers

func (x *AuthGroup) GetMembers() []string

func (*AuthGroup) GetModifiedBy

func (x *AuthGroup) GetModifiedBy() string

func (*AuthGroup) GetModifiedTs

func (x *AuthGroup) GetModifiedTs() int64

func (*AuthGroup) GetName

func (x *AuthGroup) GetName() string

func (*AuthGroup) GetNested

func (x *AuthGroup) GetNested() []string

func (*AuthGroup) GetOwners

func (x *AuthGroup) GetOwners() string

func (*AuthGroup) ProtoMessage

func (*AuthGroup) ProtoMessage()

func (*AuthGroup) ProtoReflect

func (x *AuthGroup) ProtoReflect() protoreflect.Message

func (*AuthGroup) Reset

func (x *AuthGroup) Reset()

func (*AuthGroup) String

func (x *AuthGroup) String() string

type AuthIPWhitelist

// AuthIPWhitelist is a named set of whitelisted IP addresses. Corresponds to
// AuthIPWhitelist entity in model.py. Accounts are bound to a whitelist by
// name through AuthIPWhitelistAssignment.
type AuthIPWhitelist struct {

	// Name of the IP whitelist.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// The list of IP subnets.
	// NOTE(review): the subnet string format (e.g. CIDR) is not specified here;
	// confirm against the producer before parsing.
	Subnets []string `protobuf:"bytes,2,rep,name=subnets,proto3" json:"subnets,omitempty"`
	// Human readable description.
	Description string `protobuf:"bytes,3,opt,name=description,proto3" json:"description,omitempty"`
	// When the list was created. Microseconds since epoch.
	CreatedTs int64 `protobuf:"varint,4,opt,name=created_ts,json=createdTs,proto3" json:"created_ts,omitempty"`
	// Who created the list.
	CreatedBy string `protobuf:"bytes,5,opt,name=created_by,json=createdBy,proto3" json:"created_by,omitempty"`
	// When the list was modified. Microseconds since epoch.
	ModifiedTs int64 `protobuf:"varint,6,opt,name=modified_ts,json=modifiedTs,proto3" json:"modified_ts,omitempty"`
	// Who modified the list the last time.
	ModifiedBy string `protobuf:"bytes,7,opt,name=modified_by,json=modifiedBy,proto3" json:"modified_by,omitempty"`
	// contains filtered or unexported fields
}

A named set of whitelisted IP addresses. Corresponds to AuthIPWhitelist entity in model.py.

func (*AuthIPWhitelist) Descriptor deprecated

func (*AuthIPWhitelist) Descriptor() ([]byte, []int)

Deprecated: Use AuthIPWhitelist.ProtoReflect.Descriptor instead.

func (*AuthIPWhitelist) GetCreatedBy

func (x *AuthIPWhitelist) GetCreatedBy() string

func (*AuthIPWhitelist) GetCreatedTs

func (x *AuthIPWhitelist) GetCreatedTs() int64

func (*AuthIPWhitelist) GetDescription

func (x *AuthIPWhitelist) GetDescription() string

func (*AuthIPWhitelist) GetModifiedBy

func (x *AuthIPWhitelist) GetModifiedBy() string

func (*AuthIPWhitelist) GetModifiedTs

func (x *AuthIPWhitelist) GetModifiedTs() int64

func (*AuthIPWhitelist) GetName

func (x *AuthIPWhitelist) GetName() string

func (*AuthIPWhitelist) GetSubnets

func (x *AuthIPWhitelist) GetSubnets() []string

func (*AuthIPWhitelist) ProtoMessage

func (*AuthIPWhitelist) ProtoMessage()

func (*AuthIPWhitelist) ProtoReflect

func (x *AuthIPWhitelist) ProtoReflect() protoreflect.Message

func (*AuthIPWhitelist) Reset

func (x *AuthIPWhitelist) Reset()

func (*AuthIPWhitelist) String

func (x *AuthIPWhitelist) String() string

type AuthIPWhitelistAssignment

// AuthIPWhitelistAssignment is a pair (identity, IP whitelist name) plus some
// metadata. Corresponds to AuthIPWhitelistAssignments.Assignment model in
// model.py.
type AuthIPWhitelistAssignment struct {

	// Identity name to limit by IP whitelist.
	Identity string `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"`
	// Name of IP whitelist to use (see AuthIPWhitelist). It refers to the Name
	// of an entry in AuthDB.IpWhitelists.
	IpWhitelist string `protobuf:"bytes,2,opt,name=ip_whitelist,json=ipWhitelist,proto3" json:"ip_whitelist,omitempty"`
	// Why the assignment was created.
	Comment string `protobuf:"bytes,3,opt,name=comment,proto3" json:"comment,omitempty"`
	// When the assignment was created. Microseconds since epoch.
	CreatedTs int64 `protobuf:"varint,4,opt,name=created_ts,json=createdTs,proto3" json:"created_ts,omitempty"`
	// Who created the assignment.
	CreatedBy string `protobuf:"bytes,5,opt,name=created_by,json=createdBy,proto3" json:"created_by,omitempty"`
	// contains filtered or unexported fields
}

A pair (identity, IP whitelist name) plus some metadata. Corresponds to AuthIPWhitelistAssignments.Assignment model in model.py.

func (*AuthIPWhitelistAssignment) Descriptor deprecated

func (*AuthIPWhitelistAssignment) Descriptor() ([]byte, []int)

Deprecated: Use AuthIPWhitelistAssignment.ProtoReflect.Descriptor instead.

func (*AuthIPWhitelistAssignment) GetComment

func (x *AuthIPWhitelistAssignment) GetComment() string

func (*AuthIPWhitelistAssignment) GetCreatedBy

func (x *AuthIPWhitelistAssignment) GetCreatedBy() string

func (*AuthIPWhitelistAssignment) GetCreatedTs

func (x *AuthIPWhitelistAssignment) GetCreatedTs() int64

func (*AuthIPWhitelistAssignment) GetIdentity

func (x *AuthIPWhitelistAssignment) GetIdentity() string

func (*AuthIPWhitelistAssignment) GetIpWhitelist

func (x *AuthIPWhitelistAssignment) GetIpWhitelist() string

func (*AuthIPWhitelistAssignment) ProtoMessage

func (*AuthIPWhitelistAssignment) ProtoMessage()

func (*AuthIPWhitelistAssignment) ProtoReflect

func (*AuthIPWhitelistAssignment) Reset

func (x *AuthIPWhitelistAssignment) Reset()

func (*AuthIPWhitelistAssignment) String

func (x *AuthIPWhitelistAssignment) String() string

type Binding

// Binding assigns all specified permissions to all specified principals.
// A Realm's effective permissions are the union of its bindings.
type Binding struct {

	// Permissions in increasing order of their indexes.
	//
	// This set is a subset of `permissions` in the Realms message. Each element
	// is an index of a permission in the `permissions` list in the Realms
	// message.
	//
	// These indexes are not stable across different copies of Realms message.
	// They must not be stored or processed in isolation from the containing
	// Realms message.
	Permissions []uint32 `protobuf:"varint,1,rep,packed,name=permissions,proto3" json:"permissions,omitempty"`
	// A set of principals to grant all above permissions to.
	//
	// Each entry can either be an identity string (like "user:<email>") or a
	// LUCI group reference "group:<name>".
	//
	// Ordered alphabetically.
	Principals []string `protobuf:"bytes,2,rep,name=principals,proto3" json:"principals,omitempty"`
	// contains filtered or unexported fields
}

Binding assigns all specified permissions to all specified principals.

func (*Binding) Descriptor deprecated

func (*Binding) Descriptor() ([]byte, []int)

Deprecated: Use Binding.ProtoReflect.Descriptor instead.

func (*Binding) GetPermissions

func (x *Binding) GetPermissions() []uint32

func (*Binding) GetPrincipals

func (x *Binding) GetPrincipals() []string

func (*Binding) ProtoMessage

func (*Binding) ProtoMessage()

func (*Binding) ProtoReflect

func (x *Binding) ProtoReflect() protoreflect.Message

func (*Binding) Reset

func (x *Binding) Reset()

func (*Binding) String

func (x *Binding) String() string

type ChangeNotification

// ChangeNotification is published by the Primary into the 'auth-db-changed'
// PubSub topic. The body of the message is the base64-encoded serialized
// ChangeNotification; the signature travels in the message attributes
// X-AuthDB-SigKey-v1 (id of a public key) and X-AuthDB-SigVal-v1 (base64
// encoded signature).
//
// NOTE(review): the documentation for this message describes the signature
// as RSA-SHA256(blob), whereas ReplicationPushRequest describes its headers
// as RSA-SHA256(SHA512(blob)); confirm which hashing a verifier must apply
// before trusting a notification.
type ChangeNotification struct {

	// New revision of the AuthDB.
	Revision *AuthDBRevision `protobuf:"bytes,1,opt,name=revision,proto3" json:"revision,omitempty"`
	// contains filtered or unexported fields
}

Published by the Primary into the 'auth-db-changed' PubSub topic. The body of the message is the base64-encoded serialized ChangeNotification. Additional message attributes are:

X-AuthDB-SigKey-v1: <id of a public key>
X-AuthDB-SigVal-v1: <base64 encoded RSA-SHA256(blob) signature>

func (*ChangeNotification) Descriptor deprecated

func (*ChangeNotification) Descriptor() ([]byte, []int)

Deprecated: Use ChangeNotification.ProtoReflect.Descriptor instead.

func (*ChangeNotification) GetRevision

func (x *ChangeNotification) GetRevision() *AuthDBRevision

func (*ChangeNotification) ProtoMessage

func (*ChangeNotification) ProtoMessage()

func (*ChangeNotification) ProtoReflect

func (x *ChangeNotification) ProtoReflect() protoreflect.Message

func (*ChangeNotification) Reset

func (x *ChangeNotification) Reset()

func (*ChangeNotification) String

func (x *ChangeNotification) String() string

type Permission

// Permission is a symbol of the form "<service>.<subject>.<verb>" describing
// an elementary action on a category of resources managed by a LUCI service.
// Realms.Permissions lists every permission known to the LUCI Auth service;
// Binding.Permissions refers to entries of that list by index.
type Permission struct {
	Name     string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`          // "<service>.<subject>.<verb>"
	Internal bool   `protobuf:"varint,2,opt,name=internal,proto3" json:"internal,omitempty"` // internal permissions cannot be used in project realms
	// contains filtered or unexported fields
}

Permission is a symbol that has form "<service>.<subject>.<verb>", which describes some elementary action ("<verb>") that can be done to some category of resources ("<subject>"), managed by some particular kind of LUCI service ("<service>").

Within each individual realm (see Realm message), a principal (such as an end user or a service account) can have zero or more permissions that describe what this user can actually do to resources belonging to the realm. See Realm message for the definition of what "belonging to the realm" means.

Examples of permissions:

  • buildbucket.build.create
  • swarming.pool.listBots
  • swarming.task.cancel

Note that permission names are composed of generic terms, not some specific IDs of service deployments or resources. Generally, using a concrete permission name in the service's source code as a constant should look natural.

A permission can be marked as "internal". Internal permissions are not allowed to appear in custom roles in user-defined project realms.cfg files. They can be used in internal realms (defined in realms.cfg in the LUCI Auth service config set, see comments for Realm message) and they are added to some predefined roles by the LUCI Auth service itself. They are used to set up ACLs for internal interactions between LUCI components.

Each individual LUCI service should document what permissions it checks and when. It becomes part of the service's public API. Usually services should check only permissions of resources they own (e.g. "<service>.<subject>.*"), but in exceptional cases they may also check permissions intended for other services. This is primarily useful for services that somehow "proxy" access to resources.

Field `permissions` in Realms message describes all permissions known to the LUCI Auth service. The LUCI Auth service guarantees that all permissions mentioned in all realms (in `realms` field) are among `permissions` set.

If a LUCI service checks a permission that is no longer (or not yet) listed in the `permissions` set, the check should not fail outright: it should complete with a "no permission" (access denied) result and produce a warning in the service's logs.

func (*Permission) Descriptor deprecated

func (*Permission) Descriptor() ([]byte, []int)

Deprecated: Use Permission.ProtoReflect.Descriptor instead.

func (*Permission) GetInternal

func (x *Permission) GetInternal() bool

func (*Permission) GetName

func (x *Permission) GetName() string

func (*Permission) ProtoMessage

func (*Permission) ProtoMessage()

func (*Permission) ProtoReflect

func (x *Permission) ProtoReflect() protoreflect.Message

func (*Permission) Reset

func (x *Permission) Reset()

func (*Permission) String

func (x *Permission) String() string

type Realm

// Realm is a named collection of (<principal>, <permission>) pairs, expressed
// as a list of bindings. Resources point to a realm by its full
// "<project>:<realm>" name; the Realm then describes who can do what to them.
type Realm struct {

	// Name of the realm as "<project>:<realm>" string, where:
	//   "<project>" matches `^([a-z0-9\-_]{1,100}|@internal)$`.
	//   "<realm>" matches `^([a-z0-9_\.\-/]{1,400}|@root|@legacy)$`.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// A list of bindings in lexicographical order of their `permissions` fields.
	// The realm's permissions are the union of all bindings; subsets may overlap.
	Bindings []*Binding `protobuf:"bytes,2,rep,name=bindings,proto3" json:"bindings,omitempty"`
	// Associated data extracted from the realms.cfg project config.
	Data *RealmData `protobuf:"bytes,3,opt,name=data,proto3" json:"data,omitempty"`
	// contains filtered or unexported fields
}

Realm is a named collection of (<principal>, <permission>) pairs.

Realms are primarily defined in realms.cfg project config files. Such realms are called project realms. They are controlled by respective **project** owners and used to define ACLs for resources owned by these projects.

There's a special set of realms (called internal realms or, sometimes, global realms) that are defined in realms.cfg in the LUCI Auth service config set. They are controlled by LUCI **deployment** owners and used to define ACLs for resources that are associated with LUCI deployment or LUCI services (and do not belong to any particular LUCI project). They are also allowed to use internal roles and permissions to define administrative-level ACLs (i.e. ACLs that transcend project boundaries).

A full realm name has form "<project>:<realm>", where:

  • "<project>" is a name of the LUCI project that defined the realm or literal "@internal" for internal realms.
  • "<realm>" is a name of the realm from a realms.cfg config file. This name is also known as a project-scoped name, since it makes sense only within a scope of some concrete LUCI project.

A LUCI resource can point to exactly one realm by referring to its full "<project>:<realm>" name. Such a reference can either be calculated on the fly from the resource's other properties, or be stored alongside the resource's data. We say that such a resource "belongs to the realm" or "lives in the realm" or is just "in the realm". We also say that such a resource belongs to the project "<project>". The corresponding Realm message then describes who can do what to the resource.

The logic of how resources get assigned to realms is a part of the public API of the service that owns resources. Some services may use a static realm assignment via project configuration files, others may do it dynamically by accepting a realm when a resource is created via an RPC.

There are two special realms (both optional) that a project can have: "<project>:@root" and "<project>:@legacy".

The root realm should be used as a fallback when an existing resource points to a realm that doesn't exist. Without the root realm, such resources become effectively inaccessible and this may be undesirable. The root realm usually contains only administrative-level bindings.

The legacy realm should be used for legacy resources created before the realms mechanism was introduced in case the service can't figure out a more appropriate realm based on resource's properties. The service must clearly document when and how it uses the legacy realm (if it uses it at all).

The actual list of (<principal>, <permission>) pairs is defined via a list of bindings, where each binding basically says "all these principals have all these permissions". In other words, each binding defines some subset of permissions and the overall realm permissions is a union of all such subsets. Subsets defined by bindings may potentially intersect or be empty.

The LUCI Auth service constructs bindings by interpreting realms.cfg files using some set of rules. Individual LUCI services **must not care** about what these rules really are. They should use only the end result (in the form of bindings) provided in the Realm message. This decouples the high-level user-facing language for defining permissions from the implementation of each individual LUCI service that checks permissions.

A realm can also carry some small amount of data (usually auth related) that LUCI services use when dealing with this realm. It should be something that all (or at least more than one) LUCI services use. Configuration specific to a single service should be in this service's project config instead.

func (*Realm) Descriptor deprecated

func (*Realm) Descriptor() ([]byte, []int)

Deprecated: Use Realm.ProtoReflect.Descriptor instead.

func (*Realm) GetBindings

func (x *Realm) GetBindings() []*Binding

func (*Realm) GetData

func (x *Realm) GetData() *RealmData

func (*Realm) GetName

func (x *Realm) GetName() string

func (*Realm) ProtoMessage

func (*Realm) ProtoMessage()

func (*Realm) ProtoReflect

func (x *Realm) ProtoReflect() protoreflect.Message

func (*Realm) Reset

func (x *Realm) Reset()

func (*Realm) String

func (x *Realm) String() string

type RealmData

// RealmData is semi-arbitrary non-ACL data extracted from the realms.cfg
// project config and attached to a realm (Realm.Data).
type RealmData struct {

	// Used only during Realms migration to gradually roll out the enforcement.
	EnforceInService []string `protobuf:"bytes,1,rep,name=enforce_in_service,json=enforceInService,proto3" json:"enforce_in_service,omitempty"`
	// contains filtered or unexported fields
}

RealmData is semi-arbitrary non-ACL data extracted from the realms.cfg project config and attached to a realm.

func (*RealmData) Descriptor deprecated

func (*RealmData) Descriptor() ([]byte, []int)

Deprecated: Use RealmData.ProtoReflect.Descriptor instead.

func (*RealmData) GetEnforceInService

func (x *RealmData) GetEnforceInService() []string

func (*RealmData) ProtoMessage

func (*RealmData) ProtoMessage()

func (*RealmData) ProtoReflect

func (x *RealmData) ProtoReflect() protoreflect.Message

func (*RealmData) Reset

func (x *RealmData) Reset()

func (*RealmData) String

func (x *RealmData) String() string

type Realms

// Realms is a complete definition of all known permissions and realms in a
// LUCI deployment. It is generated by the LUCI Auth service and distributed
// to all LUCI services as part of the AuthDB (AuthDB.Realms).
//
// It is a denormalized representation: roles and realm inheritance are
// already resolved into Binding lists, so consumers only need the bindings.
type Realms struct {

	// API version is incremented whenever the semantic meaning of Realms message
	// changes in some backward incompatible way (e.g. some message grows a new
	// field that *must* be checked by services). LUCI services must reject Realms
	// messages that have API versions they don't recognize. It is a precaution
	// against misinterpreting the realms configuration.
	//
	// The current version is 1.
	ApiVersion int64 `protobuf:"varint,1,opt,name=api_version,json=apiVersion,proto3" json:"api_version,omitempty"`
	// List of all possible permissions in alphabetical order.
	//
	// Acts as a universal set of permissions in Binding messages.
	//
	// Services may also use this field to check that permissions they are about
	// to use are actually known to the LUCI auth system. This is useful for
	// debugging when adding or removing permissions.
	//
	// See Permission message for more details.
	Permissions []*Permission `protobuf:"bytes,2,rep,name=permissions,proto3" json:"permissions,omitempty"`
	// List of all registered realms in alphabetical order.
	//
	// See Realm message for more details.
	Realms []*Realm `protobuf:"bytes,3,rep,name=realms,proto3" json:"realms,omitempty"`
	// contains filtered or unexported fields
}

Realms is a complete definition of all known permissions and realms in a LUCI deployment.

It is generated and distributed across all LUCI services (as part of the AuthDB) by the LUCI Auth service.

Note that this is a denormalized internal representation of realms which is derived from the high level user-facing representation supplied via multiple realms.cfg config files in various config sets. See comments for Realm message for details.

The internal representation doesn't have a notion of roles or realm inheritance. These concepts are handled by the LUCI Auth service and individual downstream services generally **must not care** how it works. Instead they should follow the rules outlined in comments in this file (or equivalently just use the Realms API exposed by the LUCI auth libraries).

func (*Realms) Descriptor deprecated

func (*Realms) Descriptor() ([]byte, []int)

Deprecated: Use Realms.ProtoReflect.Descriptor instead.

func (*Realms) GetApiVersion

func (x *Realms) GetApiVersion() int64

func (*Realms) GetPermissions

func (x *Realms) GetPermissions() []*Permission

func (*Realms) GetRealms

func (x *Realms) GetRealms() []*Realm

func (*Realms) ProtoMessage

func (*Realms) ProtoMessage()

func (*Realms) ProtoReflect

func (x *Realms) ProtoReflect() protoreflect.Message

func (*Realms) Reset

func (x *Realms) Reset()

func (*Realms) String

func (x *Realms) String() string

type ReplicationPushRequest

// ReplicationPushRequest is sent from the Primary to a Replica to update the
// Replica's AuthDB. The Primary signs the entire serialized message with its
// private key and attaches the signature to the carrying HTTP request in the
// X-AuthDB-SigKey-v1 and X-AuthDB-SigVal-v1 headers; a Replica presumably
// verifies them before applying the push (MISSING_SIGNATURE / BAD_SIGNATURE
// are the corresponding ReplicationPushResponse error codes).
//
// Its binary serialization is what is sometimes called the "AuthDB blob".
type ReplicationPushRequest struct {

	// Revision that is being pushed.
	Revision *AuthDBRevision `protobuf:"bytes,1,opt,name=revision,proto3" json:"revision,omitempty"`
	// An entire database of auth configuration for specific revision.
	AuthDb *AuthDB `protobuf:"bytes,2,opt,name=auth_db,json=authDb,proto3" json:"auth_db,omitempty"`
	// Version of 'auth' component on Primary, see components/auth/version.py.
	AuthCodeVersion string `protobuf:"bytes,3,opt,name=auth_code_version,json=authCodeVersion,proto3" json:"auth_code_version,omitempty"`
	// contains filtered or unexported fields
}

Sent from Primary to Replica to update Replica's AuthDB.

The Primary signs the entire serialized message with its private key and appends two headers to the HTTP request that carries the blob:

X-AuthDB-SigKey-v1: <id of a public key>
X-AuthDB-SigVal-v1: <base64 encoded RSA-SHA256(SHA512(blob)) signature>

Binary serialization of ReplicationPushRequest is sometimes misleadingly called "AuthDB blob". It is stored in Datastore (as is) and in Google Storage (as a serialized SignedAuthDB) for consumers that do not use the Primary -> Replica protocol.

func (*ReplicationPushRequest) Descriptor deprecated

func (*ReplicationPushRequest) Descriptor() ([]byte, []int)

Deprecated: Use ReplicationPushRequest.ProtoReflect.Descriptor instead.

func (*ReplicationPushRequest) GetAuthCodeVersion

func (x *ReplicationPushRequest) GetAuthCodeVersion() string

func (*ReplicationPushRequest) GetAuthDb

func (x *ReplicationPushRequest) GetAuthDb() *AuthDB

func (*ReplicationPushRequest) GetRevision

func (x *ReplicationPushRequest) GetRevision() *AuthDBRevision

func (*ReplicationPushRequest) ProtoMessage

func (*ReplicationPushRequest) ProtoMessage()

func (*ReplicationPushRequest) ProtoReflect

func (x *ReplicationPushRequest) ProtoReflect() protoreflect.Message

func (*ReplicationPushRequest) Reset

func (x *ReplicationPushRequest) Reset()

func (*ReplicationPushRequest) String

func (x *ReplicationPushRequest) String() string

type ReplicationPushResponse

// ReplicationPushResponse is the Replica's response to ReplicationPushRequest.
// Status says whether the push was applied, skipped or failed; on failure
// ErrorCode refines the reason and says whether a retry makes sense.
type ReplicationPushResponse struct {

	// Overall status of the operation.
	Status ReplicationPushResponse_Status `protobuf:"varint,1,opt,name=status,proto3,enum=components.auth.ReplicationPushResponse_Status" json:"status,omitempty"`
	// Revision known by Replica (set for APPLIED and SKIPPED statuses).
	CurrentRevision *AuthDBRevision `protobuf:"bytes,2,opt,name=current_revision,json=currentRevision,proto3" json:"current_revision,omitempty"`
	// Present for TRANSIENT_ERROR and FATAL_ERROR statuses.
	ErrorCode ReplicationPushResponse_ErrorCode `` /* 144-byte string literal not displayed */
	// Version of 'auth' component on Replica, see components/auth/version.py.
	AuthCodeVersion string `protobuf:"bytes,4,opt,name=auth_code_version,json=authCodeVersion,proto3" json:"auth_code_version,omitempty"`
	// contains filtered or unexported fields
}

Replica's response to ReplicationPushRequest.

func (*ReplicationPushResponse) Descriptor deprecated

func (*ReplicationPushResponse) Descriptor() ([]byte, []int)

Deprecated: Use ReplicationPushResponse.ProtoReflect.Descriptor instead.

func (*ReplicationPushResponse) GetAuthCodeVersion

func (x *ReplicationPushResponse) GetAuthCodeVersion() string

func (*ReplicationPushResponse) GetCurrentRevision

func (x *ReplicationPushResponse) GetCurrentRevision() *AuthDBRevision

func (*ReplicationPushResponse) GetErrorCode

func (*ReplicationPushResponse) GetStatus

func (*ReplicationPushResponse) ProtoMessage

func (*ReplicationPushResponse) ProtoMessage()

func (*ReplicationPushResponse) ProtoReflect

func (x *ReplicationPushResponse) ProtoReflect() protoreflect.Message

func (*ReplicationPushResponse) Reset

func (x *ReplicationPushResponse) Reset()

func (*ReplicationPushResponse) String

func (x *ReplicationPushResponse) String() string

type ReplicationPushResponse_ErrorCode

// ReplicationPushResponse_ErrorCode is the error code carried in
// ReplicationPushResponse.ErrorCode for the TRANSIENT_ERROR and FATAL_ERROR
// statuses; the allowed values are the ReplicationPushResponse_* constants.
type ReplicationPushResponse_ErrorCode int32

Error codes, for TRANSIENT_ERROR and FATAL_ERROR statuses.

const (
	// Some unrecognized error.
	ReplicationPushResponse_ERROR_UNKNOWN ReplicationPushResponse_ErrorCode = 0
	// Trying to push an update to a service that is not a replica.
	ReplicationPushResponse_NOT_A_REPLICA ReplicationPushResponse_ErrorCode = 1
	// Replica doesn't know about the service that is pushing the update.
	ReplicationPushResponse_FORBIDDEN ReplicationPushResponse_ErrorCode = 2
	// Signature headers are missing.
	ReplicationPushResponse_MISSING_SIGNATURE ReplicationPushResponse_ErrorCode = 3
	// Signature is not valid.
	ReplicationPushResponse_BAD_SIGNATURE ReplicationPushResponse_ErrorCode = 4
	// Format of the request is not valid.
	ReplicationPushResponse_BAD_REQUEST ReplicationPushResponse_ErrorCode = 5
)

func (ReplicationPushResponse_ErrorCode) Descriptor

func (ReplicationPushResponse_ErrorCode) Enum

func (ReplicationPushResponse_ErrorCode) EnumDescriptor deprecated

func (ReplicationPushResponse_ErrorCode) EnumDescriptor() ([]byte, []int)

Deprecated: Use ReplicationPushResponse_ErrorCode.Descriptor instead.

func (ReplicationPushResponse_ErrorCode) Number

func (ReplicationPushResponse_ErrorCode) String

func (ReplicationPushResponse_ErrorCode) Type

type ReplicationPushResponse_Status

// ReplicationPushResponse_Status is the overall outcome of a push; its values
// are the ReplicationPushResponse_* constants below.
type ReplicationPushResponse_Status int32

Overall status of the operation.

const (
	// Replica accepted the push request and updated its copy of auth db.
	ReplicationPushResponse_APPLIED ReplicationPushResponse_Status = 0
	// Replica has a newer version of AuthDB, the push request is skipped.
	ReplicationPushResponse_SKIPPED ReplicationPushResponse_Status = 1
	// Non-fatal error happened, the push request may be retried.
	ReplicationPushResponse_TRANSIENT_ERROR ReplicationPushResponse_Status = 2
	// Fatal error happened, the push request must not be retried.
	ReplicationPushResponse_FATAL_ERROR ReplicationPushResponse_Status = 3
)

func (ReplicationPushResponse_Status) Descriptor

func (ReplicationPushResponse_Status) Enum

func (ReplicationPushResponse_Status) EnumDescriptor deprecated

func (ReplicationPushResponse_Status) EnumDescriptor() ([]byte, []int)

Deprecated: Use ReplicationPushResponse_Status.Descriptor instead.

func (ReplicationPushResponse_Status) Number

func (ReplicationPushResponse_Status) String

func (ReplicationPushResponse_Status) Type

type SecurityConfig

// SecurityConfig is read from 'security.cfg' by Auth Service and distributed
// to linked services in serialized form as part of the AuthDB proto.
type SecurityConfig struct {

	// A list of regular expressions matching hostnames that should be recognized
	// as being a part of single LUCI deployment.
	//
	// Different microservices within a single LUCI deployment may trust each
	// other. This setting (coupled with the TLS certificate check) allows
	// a service to recognize that a target of an RPC is another internal service
	// belonging to the same LUCI deployment.
	//
	// '^' and '$' are implied. The regexp language is intersection of Python and
	// Golang regexp languages and thus should use only very standard features
	// common to both.
	//
	// Every host matched by an entry is treated as internal, so patterns should
	// be as specific as the deployment allows.
	//
	// Example: "(.*-dot-)?chromium-swarm\.appspot\.com".
	InternalServiceRegexp []string `` /* 126-byte string literal not displayed */
	// contains filtered or unexported fields
}

SecurityConfig is read from 'security.cfg' by Auth Service and distributed to all linked services (in its serialized form) as part of AuthDB proto.

See AuthDB.security_config in replication.proto.

func (*SecurityConfig) Descriptor deprecated

func (*SecurityConfig) Descriptor() ([]byte, []int)

Deprecated: Use SecurityConfig.ProtoReflect.Descriptor instead.

func (*SecurityConfig) GetInternalServiceRegexp

func (x *SecurityConfig) GetInternalServiceRegexp() []string

func (*SecurityConfig) ProtoMessage

func (*SecurityConfig) ProtoMessage()

func (*SecurityConfig) ProtoReflect

func (x *SecurityConfig) ProtoReflect() protoreflect.Message

func (*SecurityConfig) Reset

func (x *SecurityConfig) Reset()

func (*SecurityConfig) String

func (x *SecurityConfig) String() string

type ServiceLinkRequest

// ServiceLinkRequest is sent from Replica to Primary over a direct
// service-to-service HTTP call; the Replica's app_id arrives separately in the
// X-Appengine-Inbound-Appid header rather than in this message.
type ServiceLinkRequest struct {

	// Same ticket that was passed to Replica via ServiceLinkTicket.
	//
	// Opaque to the Replica; see ServiceLinkTicket.Ticket for what Primary puts
	// in it.
	Ticket []byte `protobuf:"bytes,1,opt,name=ticket,proto3" json:"ticket,omitempty"`
	// URL to use when making requests to Replica from Primary.
	//
	// Supplied by the calling Replica. NOTE(review): how Primary checks it
	// against the caller's app_id is not visible here — confirm on the Primary
	// side.
	ReplicaUrl string `protobuf:"bytes,2,opt,name=replica_url,json=replicaUrl,proto3" json:"replica_url,omitempty"`
	// Identity of a user that accepted the ticket and initiated this request,
	// as reported by the Replica.
	InitiatedBy string `protobuf:"bytes,3,opt,name=initiated_by,json=initiatedBy,proto3" json:"initiated_by,omitempty"`
	// contains filtered or unexported fields
}

Sent from Replica to Primary via a direct service <-> service HTTP call; the Replica's app_id is available via the X-Appengine-Inbound-Appid header.

func (*ServiceLinkRequest) Descriptor deprecated

func (*ServiceLinkRequest) Descriptor() ([]byte, []int)

Deprecated: Use ServiceLinkRequest.ProtoReflect.Descriptor instead.

func (*ServiceLinkRequest) GetInitiatedBy

func (x *ServiceLinkRequest) GetInitiatedBy() string

func (*ServiceLinkRequest) GetReplicaUrl

func (x *ServiceLinkRequest) GetReplicaUrl() string

func (*ServiceLinkRequest) GetTicket

func (x *ServiceLinkRequest) GetTicket() []byte

func (*ServiceLinkRequest) ProtoMessage

func (*ServiceLinkRequest) ProtoMessage()

func (*ServiceLinkRequest) ProtoReflect

func (x *ServiceLinkRequest) ProtoReflect() protoreflect.Message

func (*ServiceLinkRequest) Reset

func (x *ServiceLinkRequest) Reset()

func (*ServiceLinkRequest) String

func (x *ServiceLinkRequest) String() string

type ServiceLinkResponse

// ServiceLinkResponse is Primary's response to ServiceLinkRequest.
type ServiceLinkResponse struct {
	// Outcome of the link attempt; see ServiceLinkResponse_Status.
	//
	// The response is always returned with HTTP code 200, so callers must
	// inspect this field rather than the HTTP status.
	Status ServiceLinkResponse_Status `protobuf:"varint,1,opt,name=status,proto3,enum=components.auth.ServiceLinkResponse_Status" json:"status,omitempty"`
	// contains filtered or unexported fields
}

Primary's response to ServiceLinkRequest. Always returned with HTTP code 200.

func (*ServiceLinkResponse) Descriptor deprecated

func (*ServiceLinkResponse) Descriptor() ([]byte, []int)

Deprecated: Use ServiceLinkResponse.ProtoReflect.Descriptor instead.

func (*ServiceLinkResponse) GetStatus

func (*ServiceLinkResponse) ProtoMessage

func (*ServiceLinkResponse) ProtoMessage()

func (*ServiceLinkResponse) ProtoReflect

func (x *ServiceLinkResponse) ProtoReflect() protoreflect.Message

func (*ServiceLinkResponse) Reset

func (x *ServiceLinkResponse) Reset()

func (*ServiceLinkResponse) String

func (x *ServiceLinkResponse) String() string

type ServiceLinkResponse_Status

// ServiceLinkResponse_Status is the outcome of a linking attempt; its values
// are the ServiceLinkResponse_* constants below.
type ServiceLinkResponse_Status int32

Status codes.

const (
	// The service is now linked and primary will be pushing updates to it.
	ServiceLinkResponse_SUCCESS ServiceLinkResponse_Status = 0
	// Primary does not reply.
	ServiceLinkResponse_TRANSPORT_ERROR ServiceLinkResponse_Status = 1
	// Linking ticket is invalid or expired.
	ServiceLinkResponse_BAD_TICKET ServiceLinkResponse_Status = 2
	// Linking ticket was generated for another app, not the calling one.
	ServiceLinkResponse_AUTH_ERROR ServiceLinkResponse_Status = 3
)

func (ServiceLinkResponse_Status) Descriptor

func (ServiceLinkResponse_Status) Enum

func (ServiceLinkResponse_Status) EnumDescriptor deprecated

func (ServiceLinkResponse_Status) EnumDescriptor() ([]byte, []int)

Deprecated: Use ServiceLinkResponse_Status.Descriptor instead.

func (ServiceLinkResponse_Status) Number

func (ServiceLinkResponse_Status) String

func (ServiceLinkResponse_Status) Type

type ServiceLinkTicket

// ServiceLinkTicket is generated by Primary and passed to Replica to initiate
// the linking process.
type ServiceLinkTicket struct {

	// GAE application ID of Primary that generated this ticket. Replica will send
	// ServiceLinkRequest to this service when it processes the ticket.
	PrimaryId string `protobuf:"bytes,1,opt,name=primary_id,json=primaryId,proto3" json:"primary_id,omitempty"`
	// URL to the root page of a primary service, i.e. https://<...>.appspot.com.
	// Useful when testing on dev appserver and on non-default version.
	PrimaryUrl string `protobuf:"bytes,2,opt,name=primary_url,json=primaryUrl,proto3" json:"primary_url,omitempty"`
	// Identity of a user that generated this ticket.
	GeneratedBy string `protobuf:"bytes,3,opt,name=generated_by,json=generatedBy,proto3" json:"generated_by,omitempty"`
	// Opaque blob passed back to Primary in ServiceLinkRequest. Its exact
	// structure is an implementation detail of Primary. It contains app_id of
	// a replica this ticket is intended for, timestamp and HMAC tag.
	//
	// NOTE(review): the contents listed above are the replica app_id, a
	// timestamp and the HMAC tag; whether the tag also binds primary_id,
	// primary_url or generated_by is not stated here — confirm on the Primary
	// side.
	Ticket []byte `protobuf:"bytes,4,opt,name=ticket,proto3" json:"ticket,omitempty"`
	// contains filtered or unexported fields
}

Generated by Primary, passed to Replica to initiate linking process.

func (*ServiceLinkTicket) Descriptor deprecated

func (*ServiceLinkTicket) Descriptor() ([]byte, []int)

Deprecated: Use ServiceLinkTicket.ProtoReflect.Descriptor instead.

func (*ServiceLinkTicket) GetGeneratedBy

func (x *ServiceLinkTicket) GetGeneratedBy() string

func (*ServiceLinkTicket) GetPrimaryId

func (x *ServiceLinkTicket) GetPrimaryId() string

func (*ServiceLinkTicket) GetPrimaryUrl

func (x *ServiceLinkTicket) GetPrimaryUrl() string

func (*ServiceLinkTicket) GetTicket

func (x *ServiceLinkTicket) GetTicket() []byte

func (*ServiceLinkTicket) ProtoMessage

func (*ServiceLinkTicket) ProtoMessage()

func (*ServiceLinkTicket) ProtoReflect

func (x *ServiceLinkTicket) ProtoReflect() protoreflect.Message

func (*ServiceLinkTicket) Reset

func (x *ServiceLinkTicket) Reset()

func (*ServiceLinkTicket) String

func (x *ServiceLinkTicket) String() string

type SignedAuthDB

// SignedAuthDB holds a serialized AuthDB snapshot together with a signature
// over it. It is stored in Google Storage; the signature defends against
// unauthorized writes to the bucket.
type SignedAuthDB struct {

	// Serialized ReplicationPushRequest message with actual data.
	//
	// Contains revision information and AuthDB itself.
	AuthDbBlob []byte `protobuf:"bytes,1,opt,name=auth_db_blob,json=authDbBlob,proto3" json:"auth_db_blob,omitempty"`
	// Service account name whose key was used to sign the AuthDB blob.
	//
	// Not covered by 'signature' (which is over auth_db_blob only), so
	// consumers compare it against an expected value rather than trusting it
	// from the message; see step 1 under 'signature'.
	SignerId string `protobuf:"bytes,2,opt,name=signer_id,json=signerId,proto3" json:"signer_id,omitempty"`
	// ID of the signing key.
	//
	// Also not covered by 'signature'. It only selects among the public keys
	// published for the already-checked signer (step 2 under 'signature').
	SigningKeyId string `protobuf:"bytes,3,opt,name=signing_key_id,json=signingKeyId,proto3" json:"signing_key_id,omitempty"`
	// The signature of auth_db_blob field.
	//
	// It is RS256(SHA512(auth_db_blob)).
	//
	// Where:
	//   * RS256 is RSASSA-PKCS1-v1_5 using SHA-256, see RS256 algo in RFC7518.
	//   * SHA512 is a byte string (64 bytes) with SHA-512 digest of its input.
	//
	// Such peculiar structure is due to limitations of GAE signing infrastructure
	// (RS256 function can accept at most 8KB of input).
	//
	// Consumers of SignedAuthDB are expected to do the following:
	//   1. Check 'signer_id' is what they expect.
	//   2. Use https://www.googleapis.com/service_accounts/v1/metadata/x509/...
	//      endpoint to get the signer's public key with ID 'signing_key_id'.
	//   3. Construct to-be-signed string as SHA512(auth_db_blob).
	//   4. Verify 'signature' matches to-be-signed string using the public key
	//      from step 2.
	//
	// The order matters: the signer is fixed in step 1 before any key is
	// fetched, so 'signer_id' and 'signing_key_id' carried in the message
	// cannot redirect verification to a different account's keys.
	Signature []byte `protobuf:"bytes,4,opt,name=signature,proto3" json:"signature,omitempty"`
	// contains filtered or unexported fields
}

SignedAuthDB contains serialized and signed AuthDB proto.

It is used to store AuthDB snapshots in Google Storage. Signing is used as a defense against unauthorized writes to the storage bucket.

func (*SignedAuthDB) Descriptor deprecated

func (*SignedAuthDB) Descriptor() ([]byte, []int)

Deprecated: Use SignedAuthDB.ProtoReflect.Descriptor instead.

func (*SignedAuthDB) GetAuthDbBlob

func (x *SignedAuthDB) GetAuthDbBlob() []byte

func (*SignedAuthDB) GetSignature

func (x *SignedAuthDB) GetSignature() []byte

func (*SignedAuthDB) GetSignerId

func (x *SignedAuthDB) GetSignerId() string

func (*SignedAuthDB) GetSigningKeyId

func (x *SignedAuthDB) GetSigningKeyId() string

func (*SignedAuthDB) ProtoMessage

func (*SignedAuthDB) ProtoMessage()

func (*SignedAuthDB) ProtoReflect

func (x *SignedAuthDB) ProtoReflect() protoreflect.Message

func (*SignedAuthDB) Reset

func (x *SignedAuthDB) Reset()

func (*SignedAuthDB) String

func (x *SignedAuthDB) String() string
