sidecar

package
v0.0.0-...-add0f8d Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 22, 2024 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package sidecar contains APIs exposed by LUCI Sidecar server.

Index

Constants

View Source
const (
	Auth_Authenticate_FullMethodName  = "/luci.sidecar.Auth/Authenticate"
	Auth_IsMember_FullMethodName      = "/luci.sidecar.Auth/IsMember"
	Auth_HasPermission_FullMethodName = "/luci.sidecar.Auth/HasPermission"
)

Variables

View Source
var (
	AuthenticateRequest_Protocol_name = map[int32]string{
		0: "PROTOCOL_UNSPECIFIED",
		1: "HTTP1",
		2: "HTTP2",
		3: "GRPC",
	}
	AuthenticateRequest_Protocol_value = map[string]int32{
		"PROTOCOL_UNSPECIFIED": 0,
		"HTTP1":                1,
		"HTTP2":                2,
		"GRPC":                 3,
	}
)

Enum value maps for AuthenticateRequest_Protocol.

View Source
var Auth_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "luci.sidecar.Auth",
	HandlerType: (*AuthServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "Authenticate",
			Handler:    _Auth_Authenticate_Handler,
		},
		{
			MethodName: "IsMember",
			Handler:    _Auth_IsMember_Handler,
		},
		{
			MethodName: "HasPermission",
			Handler:    _Auth_HasPermission_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "go.chromium.org/luci/common/proto/sidecar/auth.proto",
}

Auth_ServiceDesc is the grpc.ServiceDesc for Auth service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy)

View Source
var File_go_chromium_org_luci_common_proto_sidecar_auth_proto protoreflect.FileDescriptor

Functions

func FileDescriptorSet

func FileDescriptorSet() *descriptorpb.FileDescriptorSet

FileDescriptorSet returns a descriptor set for this proto package, which includes all defined services, and all transitive dependencies.

Will not return nil.

Do NOT modify the returned descriptor.

func RegisterAuthServer

func RegisterAuthServer(s grpc.ServiceRegistrar, srv AuthServer)

Types

type AuthClient

type AuthClient interface {
	// Authenticate receives metadata of the incoming call and uses it to
	// authenticate the caller, i.e. it extracts appropriate credentials and
	// verifies they are valid.
	//
	// Optionally checks if the authenticated identity is a member of groups
	// given by `groups` request field, returning groups the identity is a member
	// of in `groups` response field (which will be a subset of groups passed in
	// the request). This is useful for implementing simple broad group-based
	// authorization checks skipping extra RPCs. For more flexible checks see
	// IsMember and HasPermission RPCs.
	//
	// Returns:
	//   - OK if the server understood the request and performed the
	//     authentication. The outcome (which can include an error if credentials
	//     are invalid) is available as part of AuthenticateResponse. OK is
	//     returned as well if the request doesn't have credentials attached at
	//     all or they were invalid. In that case AuthenticateResponse contains
	//     `anonymous` or `error` outcomes respectively.
	//   - UNAUTHENTICATED if the call to the sidecar server itself failed due to
	//     invalid (corrupted, expired, etc) RPC credentials, i.e. credentials of
	//     the sidecar client itself, not credentials inside AuthenticateRequest.
	//     This response MUST be presented as INTERNAL error to the end user,
	//     since it indicates some internal misconfiguration between the
	//     application server and the sidecar service, unrelated to credentials
	//     sent by the end-user.
	//   - PERMISSION_DENIED if the call to the sidecar server itself is not
	//     allowed. This response MUST also be presented as INTERNAL error to
	//     the end user.
	//   - INTERNAL on transient internal errors that SHOULD be retried.
	Authenticate(ctx context.Context, in *AuthenticateRequest, opts ...grpc.CallOption) (*AuthenticateResponse, error)
	// IsMember checks if an identity belongs to any of the given groups.
	//
	// Returns:
	//   - OK with the outcome of the check (which may be negative) if the check
	//     was performed successfully.
	//   - INVALID_ARGUMENT if the request is malformed.
	//   - UNAUTHENTICATED if the call to the sidecar server failed due to invalid
	//     (corrupted, expired, etc) RPC credentials. This response MUST be
	//     presented as INTERNAL error to the end user, since it indicates some
	//     internal misconfiguration between the application server and the
	//     sidecar service.
	//   - PERMISSION_DENIED if the call to the sidecar server itself is not
	//     allowed. This response MUST also be presented as INTERNAL error to
	//     the end user.
	//   - INTERNAL on transient internal errors that SHOULD be retried.
	IsMember(ctx context.Context, in *IsMemberRequest, opts ...grpc.CallOption) (*IsMemberResponse, error)
	// HasPermission check if an identity has a permission in a realm.
	//
	// Can only check permissions registered when the sidecar server was started
	// via `-sidecar-subscribe-to-permission` command line flag. Checks for any
	// other permission will end up with INVALID_ARGUMENT error.
	//
	// Returns:
	//   - OK with the outcome of the check (which may be negative) if the check
	//     was performed successfully.
	//   - INVALID_ARGUMENT if the request is malformed or the specified
	//     permission was not registered with the sidecar server via
	//     `-sidecar-subscribe-to-permission` command line flag.
	//   - UNAUTHENTICATED if the call to the sidecar server failed due to invalid
	//     (corrupted, expired, etc) RPC credentials. This response MUST be
	//     presented as INTERNAL error to the end user, since it indicates some
	//     internal misconfiguration between the application server and the
	//     sidecar service.
	//   - PERMISSION_DENIED if the call to the sidecar server itself is not
	//     allowed. This response MUST also be presented as INTERNAL error to
	//     the end user.
	//   - INTERNAL on transient internal errors that SHOULD be retried.
	HasPermission(ctx context.Context, in *HasPermissionRequest, opts ...grpc.CallOption) (*HasPermissionResponse, error)
}

AuthClient is the client API for Auth service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

Auth exposes methods to authenticate user credentials and to make authorization checks.

func NewAuthClient

func NewAuthClient(cc grpc.ClientConnInterface) AuthClient

type AuthServer

type AuthServer interface {
	// Authenticate receives metadata of the incoming call and uses it to
	// authenticate the caller, i.e. it extracts appropriate credentials and
	// verifies they are valid.
	//
	// Optionally checks if the authenticated identity is a member of groups
	// given by `groups` request field, returning groups the identity is a member
	// of in `groups` response field (which will be a subset of groups passed in
	// the request). This is useful for implementing simple broad group-based
	// authorization checks skipping extra RPCs. For more flexible checks see
	// IsMember and HasPermission RPCs.
	//
	// Returns:
	//   - OK if the server understood the request and performed the
	//     authentication. The outcome (which can include an error if credentials
	//     are invalid) is available as part of AuthenticateResponse. OK is
	//     returned as well if the request doesn't have credentials attached at
	//     all or they were invalid. In that case AuthenticateResponse contains
	//     `anonymous` or `error` outcomes respectively.
	//   - UNAUTHENTICATED if the call to the sidecar server itself failed due to
	//     invalid (corrupted, expired, etc) RPC credentials, i.e. credentials of
	//     the sidecar client itself, not credentials inside AuthenticateRequest.
	//     This response MUST be presented as INTERNAL error to the end user,
	//     since it indicates some internal misconfiguration between the
	//     application server and the sidecar service, unrelated to credentials
	//     sent by the end-user.
	//   - PERMISSION_DENIED if the call to the sidecar server itself is not
	//     allowed. This response MUST also be presented as INTERNAL error to
	//     the end user.
	//   - INTERNAL on transient internal errors that SHOULD be retried.
	Authenticate(context.Context, *AuthenticateRequest) (*AuthenticateResponse, error)
	// IsMember checks if an identity belongs to any of the given groups.
	//
	// Returns:
	//   - OK with the outcome of the check (which may be negative) if the check
	//     was performed successfully.
	//   - INVALID_ARGUMENT if the request is malformed.
	//   - UNAUTHENTICATED if the call to the sidecar server failed due to invalid
	//     (corrupted, expired, etc) RPC credentials. This response MUST be
	//     presented as INTERNAL error to the end user, since it indicates some
	//     internal misconfiguration between the application server and the
	//     sidecar service.
	//   - PERMISSION_DENIED if the call to the sidecar server itself is not
	//     allowed. This response MUST also be presented as INTERNAL error to
	//     the end user.
	//   - INTERNAL on transient internal errors that SHOULD be retried.
	IsMember(context.Context, *IsMemberRequest) (*IsMemberResponse, error)
	// HasPermission check if an identity has a permission in a realm.
	//
	// Can only check permissions registered when the sidecar server was started
	// via `-sidecar-subscribe-to-permission` command line flag. Checks for any
	// other permission will end up with INVALID_ARGUMENT error.
	//
	// Returns:
	//   - OK with the outcome of the check (which may be negative) if the check
	//     was performed successfully.
	//   - INVALID_ARGUMENT if the request is malformed or the specified
	//     permission was not registered with the sidecar server via
	//     `-sidecar-subscribe-to-permission` command line flag.
	//   - UNAUTHENTICATED if the call to the sidecar server failed due to invalid
	//     (corrupted, expired, etc) RPC credentials. This response MUST be
	//     presented as INTERNAL error to the end user, since it indicates some
	//     internal misconfiguration between the application server and the
	//     sidecar service.
	//   - PERMISSION_DENIED if the call to the sidecar server itself is not
	//     allowed. This response MUST also be presented as INTERNAL error to
	//     the end user.
	//   - INTERNAL on transient internal errors that SHOULD be retried.
	HasPermission(context.Context, *HasPermissionRequest) (*HasPermissionResponse, error)
	// contains filtered or unexported methods
}

AuthServer is the server API for Auth service. All implementations must embed UnimplementedAuthServer for forward compatibility.

Auth exposes methods to authenticate user credentials and to make authorization checks.

type AuthenticateRequest

type AuthenticateRequest struct {
	Protocol AuthenticateRequest_Protocol    `protobuf:"varint,1,opt,name=protocol,proto3,enum=luci.sidecar.AuthenticateRequest_Protocol" json:"protocol,omitempty"`
	Metadata []*AuthenticateRequest_Metadata `protobuf:"bytes,2,rep,name=metadata,proto3" json:"metadata,omitempty"`
	// List of groups to check an authenticated identity is a member of.
	//
	// The result of this check is returned via `groups` response field.
	Groups []string `protobuf:"bytes,3,rep,name=groups,proto3" json:"groups,omitempty"`
	// contains filtered or unexported fields
}

AuthenticateRequest contains information about an incoming request that needs to be authenticated.

To be forward compatible the application server should send all incoming headers (or metadata in gRPC case) and let the sidecar server decide which entries to use. If necessary, the application server can omit entries that are obviously not used for authentication (for example custom metadata entries used by the application server itself). But generally it should not be cherry-picking headers it thinks carry authentication credentials and sending only them.

Note that in environments where the application server runs behind a TLS-terminating load balancer (all cloud environments are like that), metadata with key `Host` (for HTTP v1) or `:authority` (for HTTP v2 and gRPC) is especially important to propagate, since it contains the verified (by the load balancer) hostname of the service being called. It is often needed to check JWT token audience. Omitting it may result in some JWT tokens not being authenticated.

If the application server terminates TLS itself, it MUST also itself verify `Host` header (or `:authority` pseudo-header) matches the expected service hostname before calling Authenticate.

func (*AuthenticateRequest) Descriptor deprecated

func (*AuthenticateRequest) Descriptor() ([]byte, []int)

Deprecated: Use AuthenticateRequest.ProtoReflect.Descriptor instead.

func (*AuthenticateRequest) GetGroups

func (x *AuthenticateRequest) GetGroups() []string

func (*AuthenticateRequest) GetMetadata

func (*AuthenticateRequest) GetProtocol

func (*AuthenticateRequest) ProtoMessage

func (*AuthenticateRequest) ProtoMessage()

func (*AuthenticateRequest) ProtoReflect

func (x *AuthenticateRequest) ProtoReflect() protoreflect.Message

func (*AuthenticateRequest) Reset

func (x *AuthenticateRequest) Reset()

func (*AuthenticateRequest) String

func (x *AuthenticateRequest) String() string

type AuthenticateRequest_Metadata

type AuthenticateRequest_Metadata struct {

	// Metadata key. Case-insensitive.
	//
	// If `protocol` is `GRPC`, keys ending with `-bin` indicate the value
	// is base64-encoded. The application server MUST base64-encode binary
	// metadata values before passing them to the sidecar server.
	//
	// For other protocols, keys ending with `-bin` have no special meaning,
	// since they don't support arbitrary binary headers.
	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
	// Metadata value.
	//
	// If `protocol` is `GRPC` and the key ends with `-bin`, this MUST be
	// the base64-encoded value. The sidecar server will decode it into its
	// original binary form before using it.
	//
	// For other protocols, keys ending with `-bin` have no special meaning,
	// since they don't support arbitrary binary headers.
	Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
	// contains filtered or unexported fields
}

An HTTP header or gRPC metadatum.

func (*AuthenticateRequest_Metadata) Descriptor deprecated

func (*AuthenticateRequest_Metadata) Descriptor() ([]byte, []int)

Deprecated: Use AuthenticateRequest_Metadata.ProtoReflect.Descriptor instead.

func (*AuthenticateRequest_Metadata) GetKey

func (*AuthenticateRequest_Metadata) GetValue

func (x *AuthenticateRequest_Metadata) GetValue() string

func (*AuthenticateRequest_Metadata) ProtoMessage

func (*AuthenticateRequest_Metadata) ProtoMessage()

func (*AuthenticateRequest_Metadata) ProtoReflect

func (*AuthenticateRequest_Metadata) Reset

func (x *AuthenticateRequest_Metadata) Reset()

func (*AuthenticateRequest_Metadata) String

type AuthenticateRequest_Protocol

type AuthenticateRequest_Protocol int32

The protocol used by the end user to call the application server. Affects how some metadata keys are interpreted.

const (
	AuthenticateRequest_PROTOCOL_UNSPECIFIED AuthenticateRequest_Protocol = 0
	AuthenticateRequest_HTTP1                AuthenticateRequest_Protocol = 1
	AuthenticateRequest_HTTP2                AuthenticateRequest_Protocol = 2
	AuthenticateRequest_GRPC                 AuthenticateRequest_Protocol = 3
)

func (AuthenticateRequest_Protocol) Descriptor

func (AuthenticateRequest_Protocol) Enum

func (AuthenticateRequest_Protocol) EnumDescriptor deprecated

func (AuthenticateRequest_Protocol) EnumDescriptor() ([]byte, []int)

Deprecated: Use AuthenticateRequest_Protocol.Descriptor instead.

func (AuthenticateRequest_Protocol) Number

func (AuthenticateRequest_Protocol) String

func (AuthenticateRequest_Protocol) Type

type AuthenticateResponse

type AuthenticateResponse struct {

	// An authenticated identity (`<kind>:<value>`). Details are in `outcome`.
	Identity string `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"`
	// Sidecar server information for logging and debugging.
	ServerInfo *ServerInfo `protobuf:"bytes,2,opt,name=server_info,json=serverInfo,proto3" json:"server_info,omitempty"`
	// List of groups the identity is a member of.
	//
	// This is a subset of groups passed via `groups` request field.
	Groups []string `protobuf:"bytes,3,rep,name=groups,proto3" json:"groups,omitempty"`
	// Types that are assignable to Outcome:
	//
	//	*AuthenticateResponse_Error
	//	*AuthenticateResponse_Anonymous_
	//	*AuthenticateResponse_User_
	//	*AuthenticateResponse_Project_
	Outcome isAuthenticateResponse_Outcome `protobuf_oneof:"outcome"`
	// contains filtered or unexported fields
}

AuthenticateResponse is a result of authentication (successful or not).

The primary result of the authentication is `identity` which is a LUCI identity string (`<kind>:<value>` pair, e.g. `user:someone@example.com`). It can be passed to methods that do authorization checks. Additional details are available via `outcome` oneof. If the request is anonymous or authentication failed, the identity is set to `anonymous:anonymous`.

If credentials are present, but invalid (e.g. expired JWT), error details are returned as part of `error` outcome.

func (*AuthenticateResponse) Descriptor deprecated

func (*AuthenticateResponse) Descriptor() ([]byte, []int)

Deprecated: Use AuthenticateResponse.ProtoReflect.Descriptor instead.

func (*AuthenticateResponse) GetAnonymous

func (*AuthenticateResponse) GetError

func (x *AuthenticateResponse) GetError() *status.Status

func (*AuthenticateResponse) GetGroups

func (x *AuthenticateResponse) GetGroups() []string

func (*AuthenticateResponse) GetIdentity

func (x *AuthenticateResponse) GetIdentity() string

func (*AuthenticateResponse) GetOutcome

func (m *AuthenticateResponse) GetOutcome() isAuthenticateResponse_Outcome

func (*AuthenticateResponse) GetProject

func (*AuthenticateResponse) GetServerInfo

func (x *AuthenticateResponse) GetServerInfo() *ServerInfo

func (*AuthenticateResponse) GetUser

func (*AuthenticateResponse) ProtoMessage

func (*AuthenticateResponse) ProtoMessage()

func (*AuthenticateResponse) ProtoReflect

func (x *AuthenticateResponse) ProtoReflect() protoreflect.Message

func (*AuthenticateResponse) Reset

func (x *AuthenticateResponse) Reset()

func (*AuthenticateResponse) String

func (x *AuthenticateResponse) String() string

type AuthenticateResponse_Anonymous

type AuthenticateResponse_Anonymous struct {
	// contains filtered or unexported fields
}

func (*AuthenticateResponse_Anonymous) Descriptor deprecated

func (*AuthenticateResponse_Anonymous) Descriptor() ([]byte, []int)

Deprecated: Use AuthenticateResponse_Anonymous.ProtoReflect.Descriptor instead.

func (*AuthenticateResponse_Anonymous) ProtoMessage

func (*AuthenticateResponse_Anonymous) ProtoMessage()

func (*AuthenticateResponse_Anonymous) ProtoReflect

func (*AuthenticateResponse_Anonymous) Reset

func (x *AuthenticateResponse_Anonymous) Reset()

func (*AuthenticateResponse_Anonymous) String

type AuthenticateResponse_Anonymous_

type AuthenticateResponse_Anonymous_ struct {
	// The request had no recognized credentials attached.
	Anonymous *AuthenticateResponse_Anonymous `protobuf:"bytes,11,opt,name=anonymous,proto3,oneof"`
}

type AuthenticateResponse_Error

type AuthenticateResponse_Error struct {
	// Set if the RPC to the sidecar succeeded, but passed credentials are bad.
	Error *status.Status `protobuf:"bytes,10,opt,name=error,proto3,oneof"`
}

type AuthenticateResponse_Project

type AuthenticateResponse_Project struct {

	// LUCI project name representing the context of the call.
	Project string `protobuf:"bytes,1,opt,name=project,proto3" json:"project,omitempty"`
	// Identity string of the LUCI service that makes the call.
	Service string `protobuf:"bytes,2,opt,name=service,proto3" json:"service,omitempty"`
	// contains filtered or unexported fields
}

func (*AuthenticateResponse_Project) Descriptor deprecated

func (*AuthenticateResponse_Project) Descriptor() ([]byte, []int)

Deprecated: Use AuthenticateResponse_Project.ProtoReflect.Descriptor instead.

func (*AuthenticateResponse_Project) GetProject

func (x *AuthenticateResponse_Project) GetProject() string

func (*AuthenticateResponse_Project) GetService

func (x *AuthenticateResponse_Project) GetService() string

func (*AuthenticateResponse_Project) ProtoMessage

func (*AuthenticateResponse_Project) ProtoMessage()

func (*AuthenticateResponse_Project) ProtoReflect

func (*AuthenticateResponse_Project) Reset

func (x *AuthenticateResponse_Project) Reset()

func (*AuthenticateResponse_Project) String

type AuthenticateResponse_Project_

type AuthenticateResponse_Project_ struct {
	// The request is an internal LUCI call from another LUCI service.
	Project *AuthenticateResponse_Project `protobuf:"bytes,13,opt,name=project,proto3,oneof"`
}

type AuthenticateResponse_User

type AuthenticateResponse_User struct {

	// An authenticated user email. Always set.
	Email string `protobuf:"bytes,1,opt,name=email,proto3" json:"email,omitempty"`
	// A full user name, if available.
	Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
	// An URL to profile picture, if available.
	Picture string `protobuf:"bytes,3,opt,name=picture,proto3" json:"picture,omitempty"`
	// OAuth client ID if the request was authenticated using OAuth.
	ClientId string `protobuf:"bytes,4,opt,name=client_id,json=clientId,proto3" json:"client_id,omitempty"`
	// contains filtered or unexported fields
}

func (*AuthenticateResponse_User) Descriptor deprecated

func (*AuthenticateResponse_User) Descriptor() ([]byte, []int)

Deprecated: Use AuthenticateResponse_User.ProtoReflect.Descriptor instead.

func (*AuthenticateResponse_User) GetClientId

func (x *AuthenticateResponse_User) GetClientId() string

func (*AuthenticateResponse_User) GetEmail

func (x *AuthenticateResponse_User) GetEmail() string

func (*AuthenticateResponse_User) GetName

func (x *AuthenticateResponse_User) GetName() string

func (*AuthenticateResponse_User) GetPicture

func (x *AuthenticateResponse_User) GetPicture() string

func (*AuthenticateResponse_User) ProtoMessage

func (*AuthenticateResponse_User) ProtoMessage()

func (*AuthenticateResponse_User) ProtoReflect

func (*AuthenticateResponse_User) Reset

func (x *AuthenticateResponse_User) Reset()

func (*AuthenticateResponse_User) String

func (x *AuthenticateResponse_User) String() string

type AuthenticateResponse_User_

type AuthenticateResponse_User_ struct {
	// The request had an end-user credentials attached.
	User *AuthenticateResponse_User `protobuf:"bytes,12,opt,name=user,proto3,oneof"`
}

type HasPermissionRequest

type HasPermissionRequest struct {

	// Identity to check a permission of as a `<kind>:<value>` string.
	//
	// This is the same identity as returned in AuthenticateResponse. Possible
	// formats:
	//   - `anonymous:anonymous` for an anonymous caller.
	//   - `user:<email>` for an end user or a service account.
	//   - `project:<name>` for a LUCI project calling a LUCI service.
	Identity string `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"`
	// Permission to check as `<service>.<subject>.<verb>` string.
	//
	// The sidecar server can only check permissions registered when it was
	// started via `-sidecar-subscribe-to-permission` command line flag. Checks
	// for any other permission will end up with INVALID_ARGUMENT error.
	Permission string `protobuf:"bytes,2,opt,name=permission,proto3" json:"permission,omitempty"`
	// A realm to check the permission in as `<project>:<realm>` string.
	//
	// A non-existing realm is replaced with the corresponding root realm (e.g. if
	// `projectA:some/realm` doesn't exist, `projectA:@root` will be used in its
	// place). If the project doesn't exist, all its realms (including the root
	// realm) are considered empty. The permission check ends with negative
	// outcome in that case.
	Realm string `protobuf:"bytes,3,opt,name=realm,proto3" json:"realm,omitempty"`
	// Attributes are the context of this particular permission check and are used
	// as inputs to `conditions` predicates in conditional bindings. If a service
	// supports conditional bindings, it must document what attributes it passes
	// with each permission it checks.
	Attributes map[string]string `` /* 161-byte string literal not displayed */
	// contains filtered or unexported fields
}

HasPermissionRequest identifies an identity and a permission to check.

func (*HasPermissionRequest) Descriptor deprecated

func (*HasPermissionRequest) Descriptor() ([]byte, []int)

Deprecated: Use HasPermissionRequest.ProtoReflect.Descriptor instead.

func (*HasPermissionRequest) GetAttributes

func (x *HasPermissionRequest) GetAttributes() map[string]string

func (*HasPermissionRequest) GetIdentity

func (x *HasPermissionRequest) GetIdentity() string

func (*HasPermissionRequest) GetPermission

func (x *HasPermissionRequest) GetPermission() string

func (*HasPermissionRequest) GetRealm

func (x *HasPermissionRequest) GetRealm() string

func (*HasPermissionRequest) ProtoMessage

func (*HasPermissionRequest) ProtoMessage()

func (*HasPermissionRequest) ProtoReflect

func (x *HasPermissionRequest) ProtoReflect() protoreflect.Message

func (*HasPermissionRequest) Reset

func (x *HasPermissionRequest) Reset()

func (*HasPermissionRequest) String

func (x *HasPermissionRequest) String() string

type HasPermissionResponse

type HasPermissionResponse struct {

	// True if the identity has the requested permission.
	HasPermission bool `protobuf:"varint,1,opt,name=has_permission,json=hasPermission,proto3" json:"has_permission,omitempty"`
	// Sidecar server information for logging and debugging.
	ServerInfo *ServerInfo `protobuf:"bytes,2,opt,name=server_info,json=serverInfo,proto3" json:"server_info,omitempty"`
	// contains filtered or unexported fields
}

HasPermissionResponse contains outcome of a permission check.

func (*HasPermissionResponse) Descriptor deprecated

func (*HasPermissionResponse) Descriptor() ([]byte, []int)

Deprecated: Use HasPermissionResponse.ProtoReflect.Descriptor instead.

func (*HasPermissionResponse) GetHasPermission

func (x *HasPermissionResponse) GetHasPermission() bool

func (*HasPermissionResponse) GetServerInfo

func (x *HasPermissionResponse) GetServerInfo() *ServerInfo

func (*HasPermissionResponse) ProtoMessage

func (*HasPermissionResponse) ProtoMessage()

func (*HasPermissionResponse) ProtoReflect

func (x *HasPermissionResponse) ProtoReflect() protoreflect.Message

func (*HasPermissionResponse) Reset

func (x *HasPermissionResponse) Reset()

func (*HasPermissionResponse) String

func (x *HasPermissionResponse) String() string

type IsMemberRequest

type IsMemberRequest struct {

	// Identity to check a membership of as a `<kind>:<value>` string.
	//
	// This is the same identity as returned in AuthenticateResponse. Possible
	// formats:
	//   - `anonymous:anonymous` for an anonymous caller.
	//   - `user:<email>` for an end user or a service account.
	//   - `project:<name>` for a LUCI project calling a LUCI service.
	Identity string `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"`
	// List of groups to check memberships in, must have at least one entry.
	//
	// The check is overall positive if `identity` is a member of at least one
	// group here.
	Groups []string `protobuf:"bytes,2,rep,name=groups,proto3" json:"groups,omitempty"`
	// contains filtered or unexported fields
}

IsMemberRequest specifies an identity and a list of groups to check.

func (*IsMemberRequest) Descriptor deprecated

func (*IsMemberRequest) Descriptor() ([]byte, []int)

Deprecated: Use IsMemberRequest.ProtoReflect.Descriptor instead.

func (*IsMemberRequest) GetGroups

func (x *IsMemberRequest) GetGroups() []string

func (*IsMemberRequest) GetIdentity

func (x *IsMemberRequest) GetIdentity() string

func (*IsMemberRequest) ProtoMessage

func (*IsMemberRequest) ProtoMessage()

func (*IsMemberRequest) ProtoReflect

func (x *IsMemberRequest) ProtoReflect() protoreflect.Message

func (*IsMemberRequest) Reset

func (x *IsMemberRequest) Reset()

func (*IsMemberRequest) String

func (x *IsMemberRequest) String() string

type IsMemberResponse

type IsMemberResponse struct {

	// True if the identity is a member of at least one group.
	IsMember bool `protobuf:"varint,1,opt,name=is_member,json=isMember,proto3" json:"is_member,omitempty"`
	// Sidecar server information for logging and debugging.
	ServerInfo *ServerInfo `protobuf:"bytes,2,opt,name=server_info,json=serverInfo,proto3" json:"server_info,omitempty"`
	// contains filtered or unexported fields
}

IsMemberResponse contains outcome of a groups membership check.

func (*IsMemberResponse) Descriptor deprecated

func (*IsMemberResponse) Descriptor() ([]byte, []int)

Deprecated: Use IsMemberResponse.ProtoReflect.Descriptor instead.

func (*IsMemberResponse) GetIsMember

func (x *IsMemberResponse) GetIsMember() bool

func (*IsMemberResponse) GetServerInfo

func (x *IsMemberResponse) GetServerInfo() *ServerInfo

func (*IsMemberResponse) ProtoMessage

func (*IsMemberResponse) ProtoMessage()

func (*IsMemberResponse) ProtoReflect

func (x *IsMemberResponse) ProtoReflect() protoreflect.Message

func (*IsMemberResponse) Reset

func (x *IsMemberResponse) Reset()

func (*IsMemberResponse) String

func (x *IsMemberResponse) String() string

type ServerInfo

type ServerInfo struct {

	// Service name of the LUCI Sidecar server to identify its monitoring metrics.
	SidecarService string `protobuf:"bytes,1,opt,name=sidecar_service,json=sidecarService,proto3" json:"sidecar_service,omitempty"`
	// Job name of the LUCI Sidecar server to identify its monitoring metrics.
	SidecarJob string `protobuf:"bytes,2,opt,name=sidecar_job,json=sidecarJob,proto3" json:"sidecar_job,omitempty"`
	// Hostname of the LUCI Sidecar server to identify its monitoring metrics.
	SidecarHost string `protobuf:"bytes,3,opt,name=sidecar_host,json=sidecarHost,proto3" json:"sidecar_host,omitempty"`
	// Version of the LUCI Sidecar server for logs.
	SidecarVersion string `protobuf:"bytes,4,opt,name=sidecar_version,json=sidecarVersion,proto3" json:"sidecar_version,omitempty"`
	// Hostname of LUCI Auth service that produced AuthDB.
	AuthDbService string `protobuf:"bytes,5,opt,name=auth_db_service,json=authDbService,proto3" json:"auth_db_service,omitempty"`
	// Revision of LUCI AuthDB used during authorization checks.
	AuthDbRev int64 `protobuf:"varint,6,opt,name=auth_db_rev,json=authDbRev,proto3" json:"auth_db_rev,omitempty"`
	// contains filtered or unexported fields
}

ServerInfo is returned with every response. It contains details about the sidecar server that handled the call and its current state. Useful for debugging. Should usually be logged by the application server in its internal logs. Do not return this to the end user.

func (*ServerInfo) Descriptor deprecated

func (*ServerInfo) Descriptor() ([]byte, []int)

Deprecated: Use ServerInfo.ProtoReflect.Descriptor instead.

func (*ServerInfo) GetAuthDbRev

func (x *ServerInfo) GetAuthDbRev() int64

func (*ServerInfo) GetAuthDbService

func (x *ServerInfo) GetAuthDbService() string

func (*ServerInfo) GetSidecarHost

func (x *ServerInfo) GetSidecarHost() string

func (*ServerInfo) GetSidecarJob

func (x *ServerInfo) GetSidecarJob() string

func (*ServerInfo) GetSidecarService

func (x *ServerInfo) GetSidecarService() string

func (*ServerInfo) GetSidecarVersion

func (x *ServerInfo) GetSidecarVersion() string

func (*ServerInfo) ProtoMessage

func (*ServerInfo) ProtoMessage()

func (*ServerInfo) ProtoReflect

func (x *ServerInfo) ProtoReflect() protoreflect.Message

func (*ServerInfo) Reset

func (x *ServerInfo) Reset()

func (*ServerInfo) String

func (x *ServerInfo) String() string

type UnimplementedAuthServer

type UnimplementedAuthServer struct{}

UnimplementedAuthServer must be embedded to have forward compatible implementations.

NOTE: this should be embedded by value instead of pointer to avoid a nil pointer dereference when methods are called.

func (UnimplementedAuthServer) Authenticate

func (UnimplementedAuthServer) HasPermission

func (UnimplementedAuthServer) IsMember

type UnsafeAuthServer

type UnsafeAuthServer interface {
	// contains filtered or unexported methods
}

UnsafeAuthServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to AuthServer will result in compilation errors.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL