Overview ¶
Package sidecar contains the gRPC APIs exposed by the LUCI Sidecar server: authentication of end-user credentials and group/permission authorization checks, performed on behalf of an application server.
Constants ¶
const (
	// Fully-qualified gRPC method names of the Auth service, in the
	// `/<package>.<service>/<method>` form. They correspond to the ServiceName
	// and MethodName entries of Auth_ServiceDesc and can be used to match
	// calls to the sidecar by method (e.g. in interceptors).
	Auth_Authenticate_FullMethodName  = "/luci.sidecar.Auth/Authenticate"
	Auth_IsMember_FullMethodName      = "/luci.sidecar.Auth/IsMember"
	Auth_HasPermission_FullMethodName = "/luci.sidecar.Auth/HasPermission"
)
Variables ¶
// Enum value maps for AuthenticateRequest_Protocol: wire number -> name and
// name -> wire number. Keys not listed here are simply absent from the maps.
var (
	AuthenticateRequest_Protocol_name = map[int32]string{
		0: "PROTOCOL_UNSPECIFIED",
		1: "HTTP1",
		2: "HTTP2",
		3: "GRPC",
	}
	AuthenticateRequest_Protocol_value = map[string]int32{
		"PROTOCOL_UNSPECIFIED": 0,
		"HTTP1":                1,
		"HTTP2":                2,
		"GRPC":                 3,
	}
)
Enum value maps for AuthenticateRequest_Protocol.
// Auth_ServiceDesc is the grpc.ServiceDesc for the Auth service. It is only
// intended for direct use with grpc.RegisterService and must not be
// introspected or modified (not even as a copy). All three methods are unary;
// there are no streaming methods.
var Auth_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "luci.sidecar.Auth",
	HandlerType: (*AuthServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "Authenticate",
			Handler:    _Auth_Authenticate_Handler,
		},
		{
			MethodName: "IsMember",
			Handler:    _Auth_IsMember_Handler,
		},
		{
			MethodName: "HasPermission",
			Handler:    _Auth_HasPermission_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "go.chromium.org/luci/common/proto/sidecar/auth.proto",
}
Auth_ServiceDesc is the grpc.ServiceDesc for the Auth service. It is only intended for direct use with grpc.RegisterService, and must not be introspected or modified (not even as a copy).
// File_go_chromium_org_luci_common_proto_sidecar_auth_proto is the protoreflect
// descriptor of auth.proto, the file that defines the Auth service and its
// request/response messages (see also FileDescriptorSet).
var File_go_chromium_org_luci_common_proto_sidecar_auth_proto protoreflect.FileDescriptor
Functions ¶
func FileDescriptorSet ¶
func FileDescriptorSet() *descriptorpb.FileDescriptorSet
FileDescriptorSet returns a descriptor set for this proto package, which includes all defined services, and all transitive dependencies.
Will not return nil.
Do NOT modify the returned descriptor.
func RegisterAuthServer ¶
func RegisterAuthServer(s grpc.ServiceRegistrar, srv AuthServer)
Types ¶
type AuthClient ¶
type AuthClient interface {
	// Authenticate receives metadata of the incoming call and uses it to
	// authenticate the caller, i.e. it extracts appropriate credentials and
	// verifies they are valid.
	//
	// Optionally checks if the authenticated identity is a member of groups
	// given by `groups` request field, returning groups the identity is a member
	// of in `groups` response field (which will be a subset of groups passed in
	// the request). This is useful for implementing simple broad group-based
	// authorization checks skipping extra RPCs. For more flexible checks see
	// IsMember and HasPermission RPCs.
	//
	// Returns:
	//   - OK if the server understood the request and performed the
	//     authentication. The outcome (which can include an error if credentials
	//     are invalid) is available as part of AuthenticateResponse. OK is
	//     returned as well if the request doesn't have credentials attached at
	//     all or they were invalid. In that case AuthenticateResponse contains
	//     `anonymous` or `error` outcomes respectively. Note that `identity` is
	//     `anonymous:anonymous` in both of these cases, so the caller must look
	//     at `outcome` (not just at `identity`) to tell a request with rejected
	//     credentials from one that carried no credentials at all.
	//   - UNAUTHENTICATED if the call to the sidecar server itself failed due to
	//     invalid (corrupted, expired, etc) RPC credentials, i.e. credentials of
	//     the sidecar client itself, not credentials inside AuthenticateRequest.
	//     This response MUST be presented as INTERNAL error to the end user,
	//     since it indicates some internal misconfiguration between the
	//     application server and the sidecar service, unrelated to credentials
	//     sent by the end-user.
	//   - PERMISSION_DENIED if the call to the sidecar server itself is not
	//     allowed. This response MUST also be presented as INTERNAL error to
	//     the end user.
	//   - INTERNAL on transient internal errors that SHOULD be retried.
	Authenticate(ctx context.Context, in *AuthenticateRequest, opts ...grpc.CallOption) (*AuthenticateResponse, error)
	// IsMember checks if an identity belongs to any of the given groups.
	//
	// Returns:
	//   - OK with the outcome of the check (which may be negative) if the check
	//     was performed successfully.
	//   - INVALID_ARGUMENT if the request is malformed.
	//   - UNAUTHENTICATED if the call to the sidecar server failed due to invalid
	//     (corrupted, expired, etc) RPC credentials. This response MUST be
	//     presented as INTERNAL error to the end user, since it indicates some
	//     internal misconfiguration between the application server and the
	//     sidecar service.
	//   - PERMISSION_DENIED if the call to the sidecar server itself is not
	//     allowed. This response MUST also be presented as INTERNAL error to
	//     the end user.
	//   - INTERNAL on transient internal errors that SHOULD be retried.
	IsMember(ctx context.Context, in *IsMemberRequest, opts ...grpc.CallOption) (*IsMemberResponse, error)
	// HasPermission checks if an identity has a permission in a realm.
	//
	// Can only check permissions registered when the sidecar server was started
	// via `-sidecar-subscribe-to-permission` command line flag. Checks for any
	// other permission will end up with INVALID_ARGUMENT error.
	//
	// Note that a `realm` that does not exist is not an error: the check falls
	// back to the project's root realm (see HasPermissionRequest), so the
	// caller must pass exactly the realm it intends to check.
	//
	// Returns:
	//   - OK with the outcome of the check (which may be negative) if the check
	//     was performed successfully.
	//   - INVALID_ARGUMENT if the request is malformed or the specified
	//     permission was not registered with the sidecar server via
	//     `-sidecar-subscribe-to-permission` command line flag.
	//   - UNAUTHENTICATED if the call to the sidecar server failed due to invalid
	//     (corrupted, expired, etc) RPC credentials. This response MUST be
	//     presented as INTERNAL error to the end user, since it indicates some
	//     internal misconfiguration between the application server and the
	//     sidecar service.
	//   - PERMISSION_DENIED if the call to the sidecar server itself is not
	//     allowed. This response MUST also be presented as INTERNAL error to
	//     the end user.
	//   - INTERNAL on transient internal errors that SHOULD be retried.
	HasPermission(ctx context.Context, in *HasPermissionRequest, opts ...grpc.CallOption) (*HasPermissionResponse, error)
}
AuthClient is the client API for Auth service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
Auth exposes methods to authenticate user credentials and to make authorization checks.
func NewAuthClient ¶
func NewAuthClient(cc grpc.ClientConnInterface) AuthClient
type AuthServer ¶
type AuthServer interface { // Authenticate receives metadata of the incoming call and uses it to // authenticate the caller, i.e. it extracts appropriate credentials and // verifies they are valid. // // Optionally checks if the authenticated identity is a member of groups // given by `groups` request field, returning groups the identity is a member // of in `groups` response field (which will be a subset of groups passed in // the request). This is useful for implementing simple broad group-based // authorization checks skipping extra RPCs. For more flexible checks see // IsMember and HasPermission RPCs. // // Returns: // - OK if the server understood the request and performed the // authentication. The outcome (which can include an error if credentials // are invalid) is available as part of AuthenticateResponse. OK is // returned as well if the request doesn't have credentials attached at // all or they were invalid. In that case AuthenticateResponse contains // `anonymous` or `error` outcomes respectively. // - UNAUTHENTICATED if the call to the sidecar server itself failed due to // invalid (corrupted, expired, etc) RPC credentials, i.e. credentials of // the sidecar client itself, not credentials inside AuthenticateRequest. // This response MUST be presented as INTERNAL error to the end user, // since it indicates some internal misconfiguration between the // application server and the sidecar service, unrelated to credentials // sent by the end-user. // - PERMISSION_DENIED if the call to the sidecar server itself is not // allowed. This response MUST also be presented as INTERNAL error to // the end user. // - INTERNAL on transient internal errors that SHOULD be retried. Authenticate(context.Context, *AuthenticateRequest) (*AuthenticateResponse, error) // IsMember checks if an identity belongs to any of the given groups. // // Returns: // - OK with the outcome of the check (which may be negative) if the check // was performed successfully. 
// - INVALID_ARGUMENT if the request is malformed. // - UNAUTHENTICATED if the call to the sidecar server failed due to invalid // (corrupted, expired, etc) RPC credentials. This response MUST be // presented as INTERNAL error to the end user, since it indicates some // internal misconfiguration between the application server and the // sidecar service. // - PERMISSION_DENIED if the call to the sidecar server itself is not // allowed. This response MUST also be presented as INTERNAL error to // the end user. // - INTERNAL on transient internal errors that SHOULD be retried. IsMember(context.Context, *IsMemberRequest) (*IsMemberResponse, error) // HasPermission check if an identity has a permission in a realm. // // Can only check permissions registered when the sidecar server was started // via `-sidecar-subscribe-to-permission` command line flag. Checks for any // other permission will end up with INVALID_ARGUMENT error. // // Returns: // - OK with the outcome of the check (which may be negative) if the check // was performed successfully. // - INVALID_ARGUMENT if the request is malformed or the specified // permission was not registered with the sidecar server via // `-sidecar-subscribe-to-permission` command line flag. // - UNAUTHENTICATED if the call to the sidecar server failed due to invalid // (corrupted, expired, etc) RPC credentials. This response MUST be // presented as INTERNAL error to the end user, since it indicates some // internal misconfiguration between the application server and the // sidecar service. // - PERMISSION_DENIED if the call to the sidecar server itself is not // allowed. This response MUST also be presented as INTERNAL error to // the end user. // - INTERNAL on transient internal errors that SHOULD be retried. HasPermission(context.Context, *HasPermissionRequest) (*HasPermissionResponse, error) // contains filtered or unexported methods }
AuthServer is the server API for Auth service. All implementations must embed UnimplementedAuthServer for forward compatibility.
Auth exposes methods to authenticate user credentials and to make authorization checks.
type AuthenticateRequest ¶
type AuthenticateRequest struct { Protocol AuthenticateRequest_Protocol `protobuf:"varint,1,opt,name=protocol,proto3,enum=luci.sidecar.AuthenticateRequest_Protocol" json:"protocol,omitempty"` Metadata []*AuthenticateRequest_Metadata `protobuf:"bytes,2,rep,name=metadata,proto3" json:"metadata,omitempty"` // List of groups to check an authenticated identity is a member of. // // The result of this check is returned via `groups` response field. Groups []string `protobuf:"bytes,3,rep,name=groups,proto3" json:"groups,omitempty"` // contains filtered or unexported fields }
AuthenticateRequest contains information about an incoming request that needs to be authenticated.
To be forward compatible, the application server should send all incoming headers (or metadata, in the gRPC case) and let the sidecar server decide which entries to use. If necessary, the application server may omit entries that are obviously not used for authentication (for example, custom metadata entries consumed by the application server itself). In general, however, it should not cherry-pick the headers it believes carry authentication credentials and send only those: the set of headers the sidecar server understands may change over time.
Note that in environments where the application server runs behind a TLS-terminating load balancer (as is typical in cloud environments), the metadata entry with key `Host` (for HTTP/1) or `:authority` (for HTTP/2 and gRPC) is especially important to propagate, since it carries the hostname of the service being called as verified by the load balancer. It is often needed to check the JWT token audience, so omitting it may result in some otherwise valid JWT tokens not being authenticated.
If the application server terminates TLS itself, there is no load balancer vouching for the hostname, so it MUST itself verify that the `Host` header (or `:authority` pseudo-header) matches the expected service hostname before calling Authenticate. Otherwise a caller could supply an arbitrary hostname and thereby choose the audience its JWT token is checked against.
func (*AuthenticateRequest) Descriptor
func (*AuthenticateRequest) Descriptor() ([]byte, []int)
Deprecated: Use AuthenticateRequest.ProtoReflect.Descriptor instead.
func (*AuthenticateRequest) GetGroups ¶
func (x *AuthenticateRequest) GetGroups() []string
func (*AuthenticateRequest) GetMetadata ¶
func (x *AuthenticateRequest) GetMetadata() []*AuthenticateRequest_Metadata
func (*AuthenticateRequest) GetProtocol ¶
func (x *AuthenticateRequest) GetProtocol() AuthenticateRequest_Protocol
func (*AuthenticateRequest) ProtoMessage ¶
func (*AuthenticateRequest) ProtoMessage()
func (*AuthenticateRequest) ProtoReflect ¶
func (x *AuthenticateRequest) ProtoReflect() protoreflect.Message
func (*AuthenticateRequest) Reset ¶
func (x *AuthenticateRequest) Reset()
func (*AuthenticateRequest) String ¶
func (x *AuthenticateRequest) String() string
type AuthenticateRequest_Metadata ¶
type AuthenticateRequest_Metadata struct { // Metadata key. Case-insensitive. // // If `protocol` is `GRPC`, keys ending with `-bin` indicate the value // is base64-encoded. The application server MUST base64-encode binary // metadata values before passing them to the sidecar server. // // For other protocols, keys ending with `-bin` have no special meaning, // since they don't support arbitrary binary headers. Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` // Metadata value. // // If `protocol` is `GRPC` and the key ends with `-bin`, this MUST be // the base64-encoded value. The sidecar server will decode it into its // original binary form before using it. // // For other protocols, keys ending with `-bin` have no special meaning, // since they don't support arbitrary binary headers. Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"` // contains filtered or unexported fields }
An HTTP header or gRPC metadatum.
func (*AuthenticateRequest_Metadata) Descriptor
func (*AuthenticateRequest_Metadata) Descriptor() ([]byte, []int)
Deprecated: Use AuthenticateRequest_Metadata.ProtoReflect.Descriptor instead.
func (*AuthenticateRequest_Metadata) GetKey ¶
func (x *AuthenticateRequest_Metadata) GetKey() string
func (*AuthenticateRequest_Metadata) GetValue ¶
func (x *AuthenticateRequest_Metadata) GetValue() string
func (*AuthenticateRequest_Metadata) ProtoMessage ¶
func (*AuthenticateRequest_Metadata) ProtoMessage()
func (*AuthenticateRequest_Metadata) ProtoReflect ¶
func (x *AuthenticateRequest_Metadata) ProtoReflect() protoreflect.Message
func (*AuthenticateRequest_Metadata) Reset ¶
func (x *AuthenticateRequest_Metadata) Reset()
func (*AuthenticateRequest_Metadata) String ¶
func (x *AuthenticateRequest_Metadata) String() string
type AuthenticateRequest_Protocol ¶
type AuthenticateRequest_Protocol int32
The protocol used by the end user to call the application server. Affects how some metadata keys are interpreted.
const (
	// Zero value: the application server did not specify the protocol.
	AuthenticateRequest_PROTOCOL_UNSPECIFIED AuthenticateRequest_Protocol = 0
	// The end user called over HTTP/1; the service hostname is carried by
	// the `Host` header.
	AuthenticateRequest_HTTP1 AuthenticateRequest_Protocol = 1
	// The end user called over HTTP/2 (non-gRPC); the service hostname is
	// carried by the `:authority` pseudo-header.
	AuthenticateRequest_HTTP2 AuthenticateRequest_Protocol = 2
	// The end user called over gRPC; the service hostname is carried by
	// `:authority`, and metadata keys ending in `-bin` hold base64-encoded
	// binary values (see AuthenticateRequest_Metadata).
	AuthenticateRequest_GRPC AuthenticateRequest_Protocol = 3
)
func (AuthenticateRequest_Protocol) Descriptor ¶
func (AuthenticateRequest_Protocol) Descriptor() protoreflect.EnumDescriptor
func (AuthenticateRequest_Protocol) Enum ¶
func (x AuthenticateRequest_Protocol) Enum() *AuthenticateRequest_Protocol
func (AuthenticateRequest_Protocol) EnumDescriptor
func (AuthenticateRequest_Protocol) EnumDescriptor() ([]byte, []int)
Deprecated: Use AuthenticateRequest_Protocol.Descriptor instead.
func (AuthenticateRequest_Protocol) Number ¶
func (x AuthenticateRequest_Protocol) Number() protoreflect.EnumNumber
func (AuthenticateRequest_Protocol) String ¶
func (x AuthenticateRequest_Protocol) String() string
func (AuthenticateRequest_Protocol) Type ¶
func (AuthenticateRequest_Protocol) Type() protoreflect.EnumType
type AuthenticateResponse ¶
type AuthenticateResponse struct { // An authenticated identity (`<kind>:<value>`). Details are in `outcome`. Identity string `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"` // Sidecar server information for logging and debugging. ServerInfo *ServerInfo `protobuf:"bytes,2,opt,name=server_info,json=serverInfo,proto3" json:"server_info,omitempty"` // List of groups the identity is a member of. // // This is a subset of groups passed via `groups` request field. Groups []string `protobuf:"bytes,3,rep,name=groups,proto3" json:"groups,omitempty"` // Types that are assignable to Outcome: // // *AuthenticateResponse_Error // *AuthenticateResponse_Anonymous_ // *AuthenticateResponse_User_ // *AuthenticateResponse_Project_ Outcome isAuthenticateResponse_Outcome `protobuf_oneof:"outcome"` // contains filtered or unexported fields }
AuthenticateResponse is a result of authentication (successful or not).
The primary result of the authentication is `identity` which is a LUCI identity string (`<kind>:<value>` pair, e.g. `user:someone@example.com`). It can be passed to methods that do authorization checks. Additional details are available via `outcome` oneof. If the request is anonymous or authentication failed, the identity is set to `anonymous:anonymous`.
If credentials are present but invalid (e.g. an expired JWT), the details are returned in the `error` outcome. Callers should treat this outcome differently from `anonymous`: although `identity` is `anonymous:anonymous` in both cases, an `error` outcome means the caller presented credentials that failed verification, which an application server would normally reject rather than silently serve as an anonymous request.
func (*AuthenticateResponse) Descriptor
func (*AuthenticateResponse) Descriptor() ([]byte, []int)
Deprecated: Use AuthenticateResponse.ProtoReflect.Descriptor instead.
func (*AuthenticateResponse) GetAnonymous ¶
func (x *AuthenticateResponse) GetAnonymous() *AuthenticateResponse_Anonymous
func (*AuthenticateResponse) GetError ¶
func (x *AuthenticateResponse) GetError() *status.Status
func (*AuthenticateResponse) GetGroups ¶
func (x *AuthenticateResponse) GetGroups() []string
func (*AuthenticateResponse) GetIdentity ¶
func (x *AuthenticateResponse) GetIdentity() string
func (*AuthenticateResponse) GetOutcome ¶
func (m *AuthenticateResponse) GetOutcome() isAuthenticateResponse_Outcome
func (*AuthenticateResponse) GetProject ¶
func (x *AuthenticateResponse) GetProject() *AuthenticateResponse_Project
func (*AuthenticateResponse) GetServerInfo ¶
func (x *AuthenticateResponse) GetServerInfo() *ServerInfo
func (*AuthenticateResponse) GetUser ¶
func (x *AuthenticateResponse) GetUser() *AuthenticateResponse_User
func (*AuthenticateResponse) ProtoMessage ¶
func (*AuthenticateResponse) ProtoMessage()
func (*AuthenticateResponse) ProtoReflect ¶
func (x *AuthenticateResponse) ProtoReflect() protoreflect.Message
func (*AuthenticateResponse) Reset ¶
func (x *AuthenticateResponse) Reset()
func (*AuthenticateResponse) String ¶
func (x *AuthenticateResponse) String() string
type AuthenticateResponse_Anonymous ¶
type AuthenticateResponse_Anonymous struct {
// contains filtered or unexported fields
}
func (*AuthenticateResponse_Anonymous) Descriptor
func (*AuthenticateResponse_Anonymous) Descriptor() ([]byte, []int)
Deprecated: Use AuthenticateResponse_Anonymous.ProtoReflect.Descriptor instead.
func (*AuthenticateResponse_Anonymous) ProtoMessage ¶
func (*AuthenticateResponse_Anonymous) ProtoMessage()
func (*AuthenticateResponse_Anonymous) ProtoReflect ¶
func (x *AuthenticateResponse_Anonymous) ProtoReflect() protoreflect.Message
func (*AuthenticateResponse_Anonymous) Reset ¶
func (x *AuthenticateResponse_Anonymous) Reset()
func (*AuthenticateResponse_Anonymous) String ¶
func (x *AuthenticateResponse_Anonymous) String() string
type AuthenticateResponse_Anonymous_ ¶
// AuthenticateResponse_Anonymous_ is the `outcome` oneof wrapper used when the
// request carried no recognized credentials. The response `identity` is then
// `anonymous:anonymous`; see the `error` outcome for the case where
// credentials were present but failed verification.
type AuthenticateResponse_Anonymous_ struct {
	// The request had no recognized credentials attached.
	Anonymous *AuthenticateResponse_Anonymous `protobuf:"bytes,11,opt,name=anonymous,proto3,oneof"`
}
type AuthenticateResponse_Project ¶
type AuthenticateResponse_Project struct { // LUCI project name representing the context of the call. Project string `protobuf:"bytes,1,opt,name=project,proto3" json:"project,omitempty"` // Identity string of the LUCI service that makes the call. Service string `protobuf:"bytes,2,opt,name=service,proto3" json:"service,omitempty"` // contains filtered or unexported fields }
func (*AuthenticateResponse_Project) Descriptor
func (*AuthenticateResponse_Project) Descriptor() ([]byte, []int)
Deprecated: Use AuthenticateResponse_Project.ProtoReflect.Descriptor instead.
func (*AuthenticateResponse_Project) GetProject ¶
func (x *AuthenticateResponse_Project) GetProject() string
func (*AuthenticateResponse_Project) GetService ¶
func (x *AuthenticateResponse_Project) GetService() string
func (*AuthenticateResponse_Project) ProtoMessage ¶
func (*AuthenticateResponse_Project) ProtoMessage()
func (*AuthenticateResponse_Project) ProtoReflect ¶
func (x *AuthenticateResponse_Project) ProtoReflect() protoreflect.Message
func (*AuthenticateResponse_Project) Reset ¶
func (x *AuthenticateResponse_Project) Reset()
func (*AuthenticateResponse_Project) String ¶
func (x *AuthenticateResponse_Project) String() string
type AuthenticateResponse_Project_ ¶
// AuthenticateResponse_Project_ is the `outcome` oneof wrapper used when the
// call is an internal LUCI-to-LUCI call made in the context of a LUCI project.
// The corresponding `identity` has the `project:<name>` form.
type AuthenticateResponse_Project_ struct {
	// The request is an internal LUCI call from another LUCI service.
	Project *AuthenticateResponse_Project `protobuf:"bytes,13,opt,name=project,proto3,oneof"`
}
type AuthenticateResponse_User ¶
type AuthenticateResponse_User struct { // An authenticated user email. Always set. Email string `protobuf:"bytes,1,opt,name=email,proto3" json:"email,omitempty"` // A full user name, if available. Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"` // An URL to profile picture, if available. Picture string `protobuf:"bytes,3,opt,name=picture,proto3" json:"picture,omitempty"` // OAuth client ID if the request was authenticated using OAuth. ClientId string `protobuf:"bytes,4,opt,name=client_id,json=clientId,proto3" json:"client_id,omitempty"` // contains filtered or unexported fields }
func (*AuthenticateResponse_User) Descriptor
func (*AuthenticateResponse_User) Descriptor() ([]byte, []int)
Deprecated: Use AuthenticateResponse_User.ProtoReflect.Descriptor instead.
func (*AuthenticateResponse_User) GetClientId ¶
func (x *AuthenticateResponse_User) GetClientId() string
func (*AuthenticateResponse_User) GetEmail ¶
func (x *AuthenticateResponse_User) GetEmail() string
func (*AuthenticateResponse_User) GetName ¶
func (x *AuthenticateResponse_User) GetName() string
func (*AuthenticateResponse_User) GetPicture ¶
func (x *AuthenticateResponse_User) GetPicture() string
func (*AuthenticateResponse_User) ProtoMessage ¶
func (*AuthenticateResponse_User) ProtoMessage()
func (*AuthenticateResponse_User) ProtoReflect ¶
func (x *AuthenticateResponse_User) ProtoReflect() protoreflect.Message
func (*AuthenticateResponse_User) Reset ¶
func (x *AuthenticateResponse_User) Reset()
func (*AuthenticateResponse_User) String ¶
func (x *AuthenticateResponse_User) String() string
type AuthenticateResponse_User_ ¶
// AuthenticateResponse_User_ is the `outcome` oneof wrapper used when the
// request carried end-user (or service account) credentials that verified
// successfully. The corresponding `identity` has the `user:<email>` form.
type AuthenticateResponse_User_ struct {
	// The request had an end-user credentials attached.
	User *AuthenticateResponse_User `protobuf:"bytes,12,opt,name=user,proto3,oneof"`
}
type HasPermissionRequest ¶
type HasPermissionRequest struct { // Identity to check a permission of as a `<kind>:<value>` string. // // This is the same identity as returned in AuthenticateResponse. Possible // formats: // - `anonymous:anonymous` for an anonymous caller. // - `user:<email>` for an end user or a service account. // - `project:<name>` for a LUCI project calling a LUCI service. Identity string `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"` // Permission to check as `<service>.<subject>.<verb>` string. // // The sidecar server can only check permissions registered when it was // started via `-sidecar-subscribe-to-permission` command line flag. Checks // for any other permission will end up with INVALID_ARGUMENT error. Permission string `protobuf:"bytes,2,opt,name=permission,proto3" json:"permission,omitempty"` // A realm to check the permission in as `<project>:<realm>` string. // // A non-existing realm is replaced with the corresponding root realm (e.g. if // `projectA:some/realm` doesn't exist, `projectA:@root` will be used in its // place). If the project doesn't exist, all its realms (including the root // realm) are considered empty. The permission check ends with negative // outcome in that case. Realm string `protobuf:"bytes,3,opt,name=realm,proto3" json:"realm,omitempty"` // Attributes are the context of this particular permission check and are used // as inputs to `conditions` predicates in conditional bindings. If a service // supports conditional bindings, it must document what attributes it passes // with each permission it checks. Attributes map[string]string `` /* 161-byte string literal not displayed */ // contains filtered or unexported fields }
HasPermissionRequest identifies an identity and a permission to check. Note that a `realm` that does not exist is not rejected: the check silently falls back to the project's `@root` realm, so callers must make sure they pass exactly the realm they intend (a mistyped realm name is evaluated against the root realm's bindings instead of failing).
func (*HasPermissionRequest) Descriptor
func (*HasPermissionRequest) Descriptor() ([]byte, []int)
Deprecated: Use HasPermissionRequest.ProtoReflect.Descriptor instead.
func (*HasPermissionRequest) GetAttributes ¶
func (x *HasPermissionRequest) GetAttributes() map[string]string
func (*HasPermissionRequest) GetIdentity ¶
func (x *HasPermissionRequest) GetIdentity() string
func (*HasPermissionRequest) GetPermission ¶
func (x *HasPermissionRequest) GetPermission() string
func (*HasPermissionRequest) GetRealm ¶
func (x *HasPermissionRequest) GetRealm() string
func (*HasPermissionRequest) ProtoMessage ¶
func (*HasPermissionRequest) ProtoMessage()
func (*HasPermissionRequest) ProtoReflect ¶
func (x *HasPermissionRequest) ProtoReflect() protoreflect.Message
func (*HasPermissionRequest) Reset ¶
func (x *HasPermissionRequest) Reset()
func (*HasPermissionRequest) String ¶
func (x *HasPermissionRequest) String() string
type HasPermissionResponse ¶
// HasPermissionResponse contains the outcome of a permission check.
type HasPermissionResponse struct {
	// True if the identity has the requested permission.
	//
	// False covers both "explicitly not granted" and "unknown project" (see
	// HasPermissionRequest.Realm); the response does not distinguish them.
	HasPermission bool `protobuf:"varint,1,opt,name=has_permission,json=hasPermission,proto3" json:"has_permission,omitempty"`
	// Sidecar server information for logging and debugging.
	//
	// Intended for the application server's internal logs only; per the
	// ServerInfo documentation it should not be returned to the end user.
	ServerInfo *ServerInfo `protobuf:"bytes,2,opt,name=server_info,json=serverInfo,proto3" json:"server_info,omitempty"`
	// contains filtered or unexported fields
}
HasPermissionResponse contains the outcome of a permission check.
func (*HasPermissionResponse) Descriptor
deprecated
func (*HasPermissionResponse) Descriptor() ([]byte, []int)
Deprecated: Use HasPermissionResponse.ProtoReflect.Descriptor instead.
func (*HasPermissionResponse) GetHasPermission ¶
func (x *HasPermissionResponse) GetHasPermission() bool
func (*HasPermissionResponse) GetServerInfo ¶
func (x *HasPermissionResponse) GetServerInfo() *ServerInfo
func (*HasPermissionResponse) ProtoMessage ¶
func (*HasPermissionResponse) ProtoMessage()
func (*HasPermissionResponse) ProtoReflect ¶
func (x *HasPermissionResponse) ProtoReflect() protoreflect.Message
func (*HasPermissionResponse) Reset ¶
func (x *HasPermissionResponse) Reset()
func (*HasPermissionResponse) String ¶
func (x *HasPermissionResponse) String() string
type IsMemberRequest ¶
// IsMemberRequest specifies an identity and a list of groups to check.
type IsMemberRequest struct {
	// Identity to check a membership of as a `<kind>:<value>` string.
	//
	// This is the same identity as returned in AuthenticateResponse. Possible
	// formats:
	// - `anonymous:anonymous` for an anonymous caller.
	// - `user:<email>` for an end user or a service account.
	// - `project:<name>` for a LUCI project calling a LUCI service.
	//
	// NOTE(review): the sidecar does not verify this identity here; it is
	// presumably expected to be the identity established by Authenticate rather
	// than a caller-supplied value — confirm against the caller.
	Identity string `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"`
	// List of groups to check memberships in, must have at least one entry.
	//
	// The check is overall positive if `identity` is a member of at least one
	// group here.
	//
	// Membership is therefore OR-ed across the listed groups; a caller that needs
	// membership in all of them must issue separate checks.
	Groups []string `protobuf:"bytes,2,rep,name=groups,proto3" json:"groups,omitempty"`
	// contains filtered or unexported fields
}
IsMemberRequest specifies an identity and a list of groups to check.
func (*IsMemberRequest) Descriptor
deprecated
func (*IsMemberRequest) Descriptor() ([]byte, []int)
Deprecated: Use IsMemberRequest.ProtoReflect.Descriptor instead.
func (*IsMemberRequest) GetGroups ¶
func (x *IsMemberRequest) GetGroups() []string
func (*IsMemberRequest) GetIdentity ¶
func (x *IsMemberRequest) GetIdentity() string
func (*IsMemberRequest) ProtoMessage ¶
func (*IsMemberRequest) ProtoMessage()
func (*IsMemberRequest) ProtoReflect ¶
func (x *IsMemberRequest) ProtoReflect() protoreflect.Message
func (*IsMemberRequest) Reset ¶
func (x *IsMemberRequest) Reset()
func (*IsMemberRequest) String ¶
func (x *IsMemberRequest) String() string
type IsMemberResponse ¶
// IsMemberResponse contains the outcome of a group membership check.
type IsMemberResponse struct {
	// True if the identity is a member of at least one group.
	IsMember bool `protobuf:"varint,1,opt,name=is_member,json=isMember,proto3" json:"is_member,omitempty"`
	// Sidecar server information for logging and debugging.
	//
	// Intended for the application server's internal logs only; per the
	// ServerInfo documentation it should not be returned to the end user.
	ServerInfo *ServerInfo `protobuf:"bytes,2,opt,name=server_info,json=serverInfo,proto3" json:"server_info,omitempty"`
	// contains filtered or unexported fields
}
IsMemberResponse contains the outcome of a group membership check.
func (*IsMemberResponse) Descriptor
deprecated
func (*IsMemberResponse) Descriptor() ([]byte, []int)
Deprecated: Use IsMemberResponse.ProtoReflect.Descriptor instead.
func (*IsMemberResponse) GetIsMember ¶
func (x *IsMemberResponse) GetIsMember() bool
func (*IsMemberResponse) GetServerInfo ¶
func (x *IsMemberResponse) GetServerInfo() *ServerInfo
func (*IsMemberResponse) ProtoMessage ¶
func (*IsMemberResponse) ProtoMessage()
func (*IsMemberResponse) ProtoReflect ¶
func (x *IsMemberResponse) ProtoReflect() protoreflect.Message
func (*IsMemberResponse) Reset ¶
func (x *IsMemberResponse) Reset()
func (*IsMemberResponse) String ¶
func (x *IsMemberResponse) String() string
type ServerInfo ¶
// ServerInfo is returned with every response. It contains details about the
// sidecar server that handled the call and its current state.
//
// It is useful for debugging and should usually be logged by the application
// server in its internal logs. Do not return this to the end user: the fields
// below describe internal infrastructure (host names, job names, versions) and
// the AuthDB revision in effect, which are not meant for external exposure.
type ServerInfo struct {
	// Service name of the LUCI Sidecar server to identify its monitoring metrics.
	SidecarService string `protobuf:"bytes,1,opt,name=sidecar_service,json=sidecarService,proto3" json:"sidecar_service,omitempty"`
	// Job name of the LUCI Sidecar server to identify its monitoring metrics.
	SidecarJob string `protobuf:"bytes,2,opt,name=sidecar_job,json=sidecarJob,proto3" json:"sidecar_job,omitempty"`
	// Hostname of the LUCI Sidecar server to identify its monitoring metrics.
	SidecarHost string `protobuf:"bytes,3,opt,name=sidecar_host,json=sidecarHost,proto3" json:"sidecar_host,omitempty"`
	// Version of the LUCI Sidecar server for logs.
	SidecarVersion string `protobuf:"bytes,4,opt,name=sidecar_version,json=sidecarVersion,proto3" json:"sidecar_version,omitempty"`
	// Hostname of LUCI Auth service that produced AuthDB.
	AuthDbService string `protobuf:"bytes,5,opt,name=auth_db_service,json=authDbService,proto3" json:"auth_db_service,omitempty"`
	// Revision of LUCI AuthDB used during authorization checks.
	//
	// Logging this alongside each decision lets an investigator tie an
	// allow/deny outcome to the exact group and permission snapshot that
	// produced it.
	AuthDbRev int64 `protobuf:"varint,6,opt,name=auth_db_rev,json=authDbRev,proto3" json:"auth_db_rev,omitempty"`
	// contains filtered or unexported fields
}
ServerInfo is returned with every response. It contains details about the sidecar server that handled the call and its current state. It is useful for debugging and should usually be logged by the application server in its internal logs. Do not return this to the end user.
func (*ServerInfo) Descriptor
deprecated
func (*ServerInfo) Descriptor() ([]byte, []int)
Deprecated: Use ServerInfo.ProtoReflect.Descriptor instead.
func (*ServerInfo) GetAuthDbRev ¶
func (x *ServerInfo) GetAuthDbRev() int64
func (*ServerInfo) GetAuthDbService ¶
func (x *ServerInfo) GetAuthDbService() string
func (*ServerInfo) GetSidecarHost ¶
func (x *ServerInfo) GetSidecarHost() string
func (*ServerInfo) GetSidecarJob ¶
func (x *ServerInfo) GetSidecarJob() string
func (*ServerInfo) GetSidecarService ¶
func (x *ServerInfo) GetSidecarService() string
func (*ServerInfo) GetSidecarVersion ¶
func (x *ServerInfo) GetSidecarVersion() string
func (*ServerInfo) ProtoMessage ¶
func (*ServerInfo) ProtoMessage()
func (*ServerInfo) ProtoReflect ¶
func (x *ServerInfo) ProtoReflect() protoreflect.Message
func (*ServerInfo) Reset ¶
func (x *ServerInfo) Reset()
func (*ServerInfo) String ¶
func (x *ServerInfo) String() string
type UnimplementedAuthServer ¶
// UnimplementedAuthServer must be embedded to have forward compatible
// implementations. Embed it by value, not by pointer, so that calls to
// methods the implementation does not override do not dereference nil.
type UnimplementedAuthServer struct{}
UnimplementedAuthServer must be embedded to have forward compatible implementations.
NOTE: this should be embedded by value instead of by pointer to avoid a nil pointer dereference when methods are called.
func (UnimplementedAuthServer) Authenticate ¶
func (UnimplementedAuthServer) Authenticate(context.Context, *AuthenticateRequest) (*AuthenticateResponse, error)
func (UnimplementedAuthServer) HasPermission ¶
func (UnimplementedAuthServer) HasPermission(context.Context, *HasPermissionRequest) (*HasPermissionResponse, error)
func (UnimplementedAuthServer) IsMember ¶
func (UnimplementedAuthServer) IsMember(context.Context, *IsMemberRequest) (*IsMemberResponse, error)
type UnsafeAuthServer ¶
// UnsafeAuthServer may be embedded to opt out of forward compatibility for
// this service. Its use is not recommended: methods later added to AuthServer
// will then cause compilation errors instead of being handled by
// UnimplementedAuthServer.
type UnsafeAuthServer interface {
	// contains filtered or unexported methods
}
UnsafeAuthServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as methods added to AuthServer will result in compilation errors.