Documentation ¶
Overview ¶
Package admin contains the Token Server administrative and config API: the gRPC services used to manage the server and the configuration messages it reads from luci-config.
The services defined here are intended for service administrators only; the generated stubs below carry no authorization of their own, so restricting them to administrators is the responsibility of the server implementation.
Constants ¶
// Full gRPC method names of the Admin service, derived from admin.proto (see
// Admin_ServiceDesc.Metadata).
//
// These strings are part of the wire protocol and are what gRPC reports as the
// full method name to interceptors, so they are the natural keys for per-RPC
// access control on this admin-only service. Do not edit them by hand: they
// are regenerated from the .proto, and changing one breaks every client.
const (
	Admin_ImportCAConfigs_FullMethodName                   = "/tokenserver.admin.Admin/ImportCAConfigs"
	Admin_ImportDelegationConfigs_FullMethodName           = "/tokenserver.admin.Admin/ImportDelegationConfigs"
	Admin_ImportProjectIdentityConfigs_FullMethodName      = "/tokenserver.admin.Admin/ImportProjectIdentityConfigs"
	Admin_ImportProjectOwnedAccountsConfigs_FullMethodName = "/tokenserver.admin.Admin/ImportProjectOwnedAccountsConfigs"
	Admin_InspectMachineToken_FullMethodName               = "/tokenserver.admin.Admin/InspectMachineToken"
	Admin_InspectDelegationToken_FullMethodName            = "/tokenserver.admin.Admin/InspectDelegationToken"
)
// Full gRPC method names of the CertificateAuthorities service, derived from
// certificate_authorities.proto (see CertificateAuthorities_ServiceDesc.Metadata).
//
// As with the Admin constants, these are wire-protocol identifiers and the keys
// an interceptor would match on when deciding who may call each RPC (the
// service doc says it is callable by the token service itself and by admins).
// Do not edit by hand.
const (
	CertificateAuthorities_FetchCRL_FullMethodName         = "/tokenserver.admin.CertificateAuthorities/FetchCRL"
	CertificateAuthorities_ListCAs_FullMethodName          = "/tokenserver.admin.CertificateAuthorities/ListCAs"
	CertificateAuthorities_GetCAStatus_FullMethodName      = "/tokenserver.admin.CertificateAuthorities/GetCAStatus"
	CertificateAuthorities_IsRevokedCert_FullMethodName    = "/tokenserver.admin.CertificateAuthorities/IsRevokedCert"
	CertificateAuthorities_CheckCertificate_FullMethodName = "/tokenserver.admin.CertificateAuthorities/CheckCertificate"
)
Variables ¶
// Admin_ServiceDesc is the grpc.ServiceDesc for Admin service.
// It's only intended for direct use with grpc.RegisterService,
// and not to be introspected or modified (even as a copy).
//
// All six RPCs are unary (Streams is empty). The listed handlers are the
// generated unary adapters that unmarshal the request and dispatch to the
// AdminServer implementation; nothing in this descriptor authenticates or
// authorizes the caller. NOTE(review): if these admin RPCs are to be limited
// to administrators, that check has to live in the AdminServer implementation
// or in interceptors installed on the grpc.Server — confirm where it is done.
var Admin_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "tokenserver.admin.Admin",
	HandlerType: (*AdminServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "ImportCAConfigs",
			Handler:    _Admin_ImportCAConfigs_Handler,
		},
		{
			MethodName: "ImportDelegationConfigs",
			Handler:    _Admin_ImportDelegationConfigs_Handler,
		},
		{
			MethodName: "ImportProjectIdentityConfigs",
			Handler:    _Admin_ImportProjectIdentityConfigs_Handler,
		},
		{
			MethodName: "ImportProjectOwnedAccountsConfigs",
			Handler:    _Admin_ImportProjectOwnedAccountsConfigs_Handler,
		},
		{
			MethodName: "InspectMachineToken",
			Handler:    _Admin_InspectMachineToken_Handler,
		},
		{
			MethodName: "InspectDelegationToken",
			Handler:    _Admin_InspectDelegationToken_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "go.chromium.org/luci/tokenserver/api/admin/v1/admin.proto",
}
// CertificateAuthorities_ServiceDesc is the grpc.ServiceDesc for
// CertificateAuthorities service. It's only intended for direct use with
// grpc.RegisterService, and not to be introspected or modified (even as a copy).
//
// All five RPCs are unary (Streams is empty). FetchCRL triggers an outbound
// fetch by the server and CheckCertificate parses caller-supplied PEM, so both
// deserve the same caller restrictions as the rest of the admin surface; as
// with Admin_ServiceDesc, no such check exists in the descriptor itself.
var CertificateAuthorities_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "tokenserver.admin.CertificateAuthorities",
	HandlerType: (*CertificateAuthoritiesServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "FetchCRL",
			Handler:    _CertificateAuthorities_FetchCRL_Handler,
		},
		{
			MethodName: "ListCAs",
			Handler:    _CertificateAuthorities_ListCAs_Handler,
		},
		{
			MethodName: "GetCAStatus",
			Handler:    _CertificateAuthorities_GetCAStatus_Handler,
		},
		{
			MethodName: "IsRevokedCert",
			Handler:    _CertificateAuthorities_IsRevokedCert_Handler,
		},
		{
			MethodName: "CheckCertificate",
			Handler:    _CertificateAuthorities_CheckCertificate_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "go.chromium.org/luci/tokenserver/api/admin/v1/certificate_authorities.proto",
}
// Raw protobuf file descriptors for admin.proto and config.proto, registered by
// the generated code at package init. They back FileDescriptorSet() and the
// ProtoReflect() methods of the message types below; treat them as read-only
// (see the "Do NOT modify" note on FileDescriptorSet).
var File_go_chromium_org_luci_tokenserver_api_admin_v1_admin_proto protoreflect.FileDescriptor
var File_go_chromium_org_luci_tokenserver_api_admin_v1_config_proto protoreflect.FileDescriptor
Functions ¶
func FileDescriptorSet ¶
func FileDescriptorSet() *descriptorpb.FileDescriptorSet
FileDescriptorSet returns a descriptor set for this proto package, which includes all defined services, and all transitive dependencies.
Will not return nil.
Do NOT modify the returned descriptor.
func RegisterAdminServer ¶
func RegisterAdminServer(s grpc.ServiceRegistrar, srv AdminServer)
func RegisterCertificateAuthoritiesServer ¶
func RegisterCertificateAuthoritiesServer(s grpc.ServiceRegistrar, srv CertificateAuthoritiesServer)
Types ¶
type AdminClient ¶
// AdminClient is the client API for Admin service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer
// to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
//
// Admin service is used by service administrators to manage the server. Every
// method either makes the server re-read one of its configuration files
// (Import*) or decodes a token supplied by the caller (Inspect*).
// NOTE(review): the generated client and server stubs carry no authorization
// of their own; limiting these RPCs to administrators is the job of the server
// implementation.
type AdminClient interface {
	// ImportCAConfigs makes the server read 'tokenserver.cfg'.
	ImportCAConfigs(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error)
	// ImportDelegationConfigs makes the server read 'delegation.cfg'.
	ImportDelegationConfigs(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error)
	// ImportProjectIdentityConfigs makes the server read 'projects.cfg'.
	ImportProjectIdentityConfigs(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error)
	// ImportProjectOwnedAccountsConfigs makes the server read 'project_owned_accounts.cfg'.
	ImportProjectOwnedAccountsConfigs(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error)
	// InspectMachineToken decodes a machine token and verifies it is valid.
	//
	// It verifies the token was signed by a private key of the token server and
	// checks token's expiration time and revocation status.
	//
	// It tries to give as much information about the token and its status as
	// possible (e.g. it checks for revocation status even if token is already
	// expired). Consequently an expired or revoked token still comes back as a
	// normal response: callers must consult the response's 'valid',
	// 'non_expired', 'non_revoked' and 'invalidity_reason' fields rather than
	// treating a nil error as "the token is good".
	//
	// Administrators can use this call to debug issues with tokens. The request
	// carries the whole token, which is presumably a live credential for the
	// machine it names; avoid logging or persisting the request body.
	//
	// Returns:
	//
	//	InspectMachineTokenResponse for tokens of supported kind.
	//	grpc.InvalidArgument error for unsupported token kind.
	//	grpc.Internal error for transient errors.
	InspectMachineToken(ctx context.Context, in *InspectMachineTokenRequest, opts ...grpc.CallOption) (*InspectMachineTokenResponse, error)
	// InspectDelegationToken decodes a delegation token and verifies it is valid.
	//
	// It verifies the token was signed by a private key of the token server and
	// checks token's expiration time.
	//
	// It tries to give as much information about the token and its status as
	// possible (e.g. attempts to decode the body even if the signing key has been
	// rotated already). As with InspectMachineToken, a decoded-but-invalid token
	// is reported via the response fields ('valid', 'signed', 'non_expired',
	// 'invalidity_reason'), not via an error.
	//
	// Administrators can use this call to debug issues with tokens. The same
	// handling caveat applies: the request carries the full token.
	//
	// Returns:
	//
	//	InspectDelegationTokenResponse for tokens of supported kind.
	//	grpc.InvalidArgument error for unsupported token kind.
	//	grpc.Internal error for transient errors.
	InspectDelegationToken(ctx context.Context, in *InspectDelegationTokenRequest, opts ...grpc.CallOption) (*InspectDelegationTokenResponse, error)
}
func NewAdminClient ¶
func NewAdminClient(cc grpc.ClientConnInterface) AdminClient
type AdminServer ¶
// AdminServer is the server API for Admin service.
// All implementations must embed UnimplementedAdminServer
// for forward compatibility.
//
// Admin service is used by service administrators to manage the server.
// NOTE(review): this is where the admin-only restriction has to be enforced
// (or in an interceptor on the grpc.Server) — the generated stubs do not check
// the caller. The Import* methods change live server state by re-reading
// configuration, and the Inspect* methods receive raw tokens from the caller.
type AdminServer interface {
	// ImportCAConfigs makes the server read 'tokenserver.cfg'.
	ImportCAConfigs(context.Context, *emptypb.Empty) (*ImportedConfigs, error)
	// ImportDelegationConfigs makes the server read 'delegation.cfg'.
	ImportDelegationConfigs(context.Context, *emptypb.Empty) (*ImportedConfigs, error)
	// ImportProjectIdentityConfigs makes the server read 'projects.cfg'.
	ImportProjectIdentityConfigs(context.Context, *emptypb.Empty) (*ImportedConfigs, error)
	// ImportProjectOwnedAccountsConfigs makes the server read 'project_owned_accounts.cfg'.
	ImportProjectOwnedAccountsConfigs(context.Context, *emptypb.Empty) (*ImportedConfigs, error)
	// InspectMachineToken decodes a machine token and verifies it is valid.
	//
	// It verifies the token was signed by a private key of the token server and
	// checks token's expiration time and revocation status.
	//
	// It tries to give as much information about the token and its status as
	// possible (e.g. it checks for revocation status even if token is already
	// expired). An expired or revoked token is therefore still a successful
	// response; the verdict is in 'valid', 'non_expired', 'non_revoked' and
	// 'invalidity_reason'.
	//
	// Administrators can use this call to debug issues with tokens.
	// Implementations should treat the incoming token as a credential and keep
	// it out of logs.
	//
	// Returns:
	//
	//	InspectMachineTokenResponse for tokens of supported kind.
	//	grpc.InvalidArgument error for unsupported token kind.
	//	grpc.Internal error for transient errors.
	InspectMachineToken(context.Context, *InspectMachineTokenRequest) (*InspectMachineTokenResponse, error)
	// InspectDelegationToken decodes a delegation token and verifies it is valid.
	//
	// It verifies the token was signed by a private key of the token server and
	// checks token's expiration time.
	//
	// It tries to give as much information about the token and its status as
	// possible (e.g. attempts to decode the body even if the signing key has been
	// rotated already). A decoded-but-invalid token is reported through the
	// response fields, not through an error.
	//
	// Administrators can use this call to debug issues with tokens.
	//
	// Returns:
	//
	//	InspectDelegationTokenResponse for tokens of supported kind.
	//	grpc.InvalidArgument error for unsupported token kind.
	//	grpc.Internal error for transient errors.
	InspectDelegationToken(context.Context, *InspectDelegationTokenRequest) (*InspectDelegationTokenResponse, error)
	// contains filtered or unexported methods
}
type CRLStatus ¶
// CRLStatus describes the latest known state of imported CRL.
//
// It is returned as part of GetCAStatusResponse. Revocation answers given by
// IsRevokedCert are only as fresh as the CRL described here, so the gap
// between last_update_time and "now" is the number to watch: a CRL that has
// not been regenerated by the CA for longer than its usual publishing cadence
// means revocations may be missed — confirm the expected cadence per CA.
type CRLStatus struct {
	// Time when CRL was generated by the CA (taken from the CRL itself).
	LastUpdateTime *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=last_update_time,json=lastUpdateTime,proto3" json:"last_update_time,omitempty"`
	// Time when CRL was fetched by the token server.
	LastFetchTime *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=last_fetch_time,json=lastFetchTime,proto3" json:"last_fetch_time,omitempty"`
	// Etag of last successfully fetched CRL. Presumably used to skip
	// re-importing an unchanged CRL (FetchCRLRequest.force exists to override
	// that) — confirm against the fetcher.
	LastFetchEtag string `protobuf:"bytes,3,opt,name=last_fetch_etag,json=lastFetchEtag,proto3" json:"last_fetch_etag,omitempty"`
	// Number of revoked certificates in the CRL.
	RevokedCertsCount int64 `protobuf:"varint,4,opt,name=revoked_certs_count,json=revokedCertsCount,proto3" json:"revoked_certs_count,omitempty"`
	// contains filtered or unexported fields
}
func (*CRLStatus) Descriptor (deprecated: use CRLStatus.ProtoReflect.Descriptor instead)
func (*CRLStatus) GetLastFetchEtag ¶
func (*CRLStatus) GetLastFetchTime ¶
func (x *CRLStatus) GetLastFetchTime() *timestamppb.Timestamp
func (*CRLStatus) GetLastUpdateTime ¶
func (x *CRLStatus) GetLastUpdateTime() *timestamppb.Timestamp
func (*CRLStatus) GetRevokedCertsCount ¶
func (*CRLStatus) ProtoMessage ¶
func (*CRLStatus) ProtoMessage()
func (*CRLStatus) ProtoReflect ¶
func (x *CRLStatus) ProtoReflect() protoreflect.Message
type CertificateAuthoritiesClient ¶
// CertificateAuthoritiesClient is the client API for CertificateAuthorities service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer
// to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
//
// CertificateAuthorities can be used by service administrators to manage and
// inspect CAs used by The Token Server. It is callable by the token service
// itself and by the admins; as with the Admin service, that restriction is not
// enforced by the generated stubs.
type CertificateAuthoritiesClient interface {
	// FetchCRL makes the server fetch a CRL for some CA.
	//
	// The CA is selected by Common Name (FetchCRLRequest.cn). The 'force' flag
	// presumably bypasses the etag-based skip recorded in
	// CRLStatus.last_fetch_etag — confirm against the server implementation.
	FetchCRL(ctx context.Context, in *FetchCRLRequest, opts ...grpc.CallOption) (*FetchCRLResponse, error)
	// ListCAs returns a list of Common Names of registered CAs.
	ListCAs(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*ListCAsResponse, error)
	// GetCAStatus returns configuration of some CA defined in the config.
	//
	// Besides the CertificateAuthorityConfig, the response carries the CA
	// certificate, the config revisions at which the CA was added, updated and
	// removed, a 'ready' flag, and the CRLStatus of the last imported CRL.
	GetCAStatus(ctx context.Context, in *GetCAStatusRequest, opts ...grpc.CallOption) (*GetCAStatusResponse, error)
	// IsRevokedCert says whether a certificate serial number is in the CRL.
	//
	// NOTE(review): the answer reflects the CRL as last imported for that CA
	// (see CRLStatus.last_fetch_time), so "not revoked" can be stale by up to
	// one fetch interval.
	IsRevokedCert(ctx context.Context, in *IsRevokedCertRequest, opts ...grpc.CallOption) (*IsRevokedCertResponse, error)
	// CheckCertificate says whether a certificate is valid or not.
	//
	// The certificate is caller-supplied PEM (CheckCertificateRequest.cert_pem).
	// What "valid" covers (chain to a configured CA, expiry, revocation, CN
	// shape) is decided by the server implementation and is not visible here.
	CheckCertificate(ctx context.Context, in *CheckCertificateRequest, opts ...grpc.CallOption) (*CheckCertificateResponse, error)
}
func NewCertificateAuthoritiesClient ¶
func NewCertificateAuthoritiesClient(cc grpc.ClientConnInterface) CertificateAuthoritiesClient
type CertificateAuthoritiesServer ¶
// CertificateAuthoritiesServer is the server API for CertificateAuthorities service.
// All implementations must embed UnimplementedCertificateAuthoritiesServer
// for forward compatibility.
//
// CertificateAuthorities can be used by service administrators to manage and
// inspect CAs used by The Token Server. It is callable by the token service
// itself and by the admins — the implementation (or an interceptor) must make
// that so; the generated code does not.
type CertificateAuthoritiesServer interface {
	// FetchCRL makes the server fetch a CRL for some CA.
	//
	// This performs an outbound request to the CA's configured crl_url, with
	// the server's Authorization header when use_oauth is set; see
	// CertificateAuthorityConfig for the trust implications.
	FetchCRL(context.Context, *FetchCRLRequest) (*FetchCRLResponse, error)
	// ListCAs returns a list of Common Names of registered CAs.
	ListCAs(context.Context, *emptypb.Empty) (*ListCAsResponse, error)
	// GetCAStatus returns configuration of some CA defined in the config.
	GetCAStatus(context.Context, *GetCAStatusRequest) (*GetCAStatusResponse, error)
	// IsRevokedCert says whether a certificate serial number is in the CRL.
	//
	// The CRL consulted is the last one imported for the CA (CRLStatus), not a
	// live lookup.
	IsRevokedCert(context.Context, *IsRevokedCertRequest) (*IsRevokedCertResponse, error)
	// CheckCertificate says whether a certificate is valid or not.
	//
	// The input is arbitrary caller-supplied PEM; implementations should treat
	// it as untrusted (bound its size, tolerate malformed input) and report
	// parse failures through CheckCertificateResponse.invalid_reason.
	CheckCertificate(context.Context, *CheckCertificateRequest) (*CheckCertificateResponse, error)
	// contains filtered or unexported methods
}
type CertificateAuthorityConfig ¶
// CertificateAuthorityConfig defines a single CA we trust.
//
// Such CA issues certificates for nodes that use The Token Service. Each node
// has a private key and certificate with Common Name set to the FQDN of this
// node, e.g. "CN=slave43-c1.c.chromecompute.google.com.internal".
//
// The Token Server uses this CN to derive an identity string for a machine.
// It splits FQDN into a hostname ("slave43-c1") and a domain name
// ("c.chromecompute.google.com.internal"), searches for a domain name in
// "known_domains" set, and, if it is present, uses parameters described there
// for generating a token that contains machine's FQDN and certificate serial
// number (among other things, see MachineTokenBody in machine_token.proto).
//
// NOTE(review): because the machine identity is derived from the certificate's
// Subject CN, trusting a CA here means trusting its issuance policy: any CN the
// CA will sign under a listed domain becomes an identity the token server will
// vouch for. What happens for a domain that is not in known_domains is not
// stated on this page (presumably the request is refused — confirm).
type CertificateAuthorityConfig struct {
	// ID of this CA, will be embedded into tokens.
	//
	// NOTE(review): since tokens carry this ID, it must stay stable for the
	// lifetime of the CA and must never be reused for a different CA, or tokens
	// would be attributed to the wrong issuer — confirm the config validator
	// enforces uniqueness.
	UniqueId int64 `protobuf:"varint,6,opt,name=unique_id,json=uniqueId,proto3" json:"unique_id,omitempty"`
	// CA Common Name, must match Subject CN in the cert.
	Cn string `protobuf:"bytes,1,opt,name=cn,proto3" json:"cn,omitempty"`
	// Path to the root certificate file in luci-config.
	CertPath string `protobuf:"bytes,2,opt,name=cert_path,json=certPath,proto3" json:"cert_path,omitempty"`
	// Where to fetch CRL from.
	//
	// NOTE(review): this URL drives an outbound fetch by the server. Keep it
	// HTTPS and under control of the CA operator; a CRL served from an
	// untrusted location could hide revocations.
	CrlUrl string `protobuf:"bytes,3,opt,name=crl_url,json=crlUrl,proto3" json:"crl_url,omitempty"`
	// True to send Authorization header when fetching CRL.
	//
	// NOTE(review): with this set, the server's own credentials (presumably its
	// service account, scoped by oauth_scopes) are sent to whatever crl_url
	// points at. Verify the fetcher refuses plain http here and that the scopes
	// are the minimum the CRL endpoint needs.
	UseOauth bool `protobuf:"varint,4,opt,name=use_oauth,json=useOauth,proto3" json:"use_oauth,omitempty"`
	// OAuth scopes to use when fetching CRL.
	OauthScopes []string `protobuf:"bytes,7,rep,name=oauth_scopes,json=oauthScopes,proto3" json:"oauth_scopes,omitempty"`
	// KnownDomains describes parameters to use for each particular domain.
	KnownDomains []*DomainConfig `protobuf:"bytes,5,rep,name=known_domains,json=knownDomains,proto3" json:"known_domains,omitempty"`
	// contains filtered or unexported fields
}
func (*CertificateAuthorityConfig) Descriptor (deprecated)
func (*CertificateAuthorityConfig) Descriptor() ([]byte, []int)
Deprecated: Use CertificateAuthorityConfig.ProtoReflect.Descriptor instead.
func (*CertificateAuthorityConfig) GetCertPath ¶
func (x *CertificateAuthorityConfig) GetCertPath() string
func (*CertificateAuthorityConfig) GetCn ¶
func (x *CertificateAuthorityConfig) GetCn() string
func (*CertificateAuthorityConfig) GetCrlUrl ¶
func (x *CertificateAuthorityConfig) GetCrlUrl() string
func (*CertificateAuthorityConfig) GetKnownDomains ¶
func (x *CertificateAuthorityConfig) GetKnownDomains() []*DomainConfig
func (*CertificateAuthorityConfig) GetOauthScopes ¶
func (x *CertificateAuthorityConfig) GetOauthScopes() []string
func (*CertificateAuthorityConfig) GetUniqueId ¶
func (x *CertificateAuthorityConfig) GetUniqueId() int64
func (*CertificateAuthorityConfig) GetUseOauth ¶
func (x *CertificateAuthorityConfig) GetUseOauth() bool
func (*CertificateAuthorityConfig) ProtoMessage ¶
func (*CertificateAuthorityConfig) ProtoMessage()
func (*CertificateAuthorityConfig) ProtoReflect ¶
func (x *CertificateAuthorityConfig) ProtoReflect() protoreflect.Message
func (*CertificateAuthorityConfig) Reset ¶
func (x *CertificateAuthorityConfig) Reset()
func (*CertificateAuthorityConfig) String ¶
func (x *CertificateAuthorityConfig) String() string
type CheckCertificateRequest ¶
// CheckCertificateRequest contains a pem encoded certificate to check.
//
// The PEM comes straight from the RPC caller and should be treated as
// untrusted input by the server: it may be malformed, oversized, or issued by
// a CA that is not configured at all.
type CheckCertificateRequest struct {
	// Pem encoded certificate to check for validity.
	CertPem string `protobuf:"bytes,1,opt,name=cert_pem,json=certPem,proto3" json:"cert_pem,omitempty"`
	// contains filtered or unexported fields
}
func (*CheckCertificateRequest) Descriptor (deprecated)
func (*CheckCertificateRequest) Descriptor() ([]byte, []int)
Deprecated: Use CheckCertificateRequest.ProtoReflect.Descriptor instead.
func (*CheckCertificateRequest) GetCertPem ¶
func (x *CheckCertificateRequest) GetCertPem() string
func (*CheckCertificateRequest) ProtoMessage ¶
func (*CheckCertificateRequest) ProtoMessage()
func (*CheckCertificateRequest) ProtoReflect ¶
func (x *CheckCertificateRequest) ProtoReflect() protoreflect.Message
func (*CheckCertificateRequest) Reset ¶
func (x *CheckCertificateRequest) Reset()
func (*CheckCertificateRequest) String ¶
func (x *CheckCertificateRequest) String() string
type CheckCertificateResponse ¶
// CheckCertificateResponse is returned by CheckCertificate.
//
// invalid_reason is only meaningful when is_valid is false; callers should
// branch on is_valid and not on the reason string being empty.
type CheckCertificateResponse struct {
	// True when certificate is valid.
	IsValid bool `protobuf:"varint,1,opt,name=is_valid,json=isValid,proto3" json:"is_valid,omitempty"`
	// A reason for certificate invalidity if it is invalid.
	InvalidReason string `protobuf:"bytes,2,opt,name=invalid_reason,json=invalidReason,proto3" json:"invalid_reason,omitempty"`
	// contains filtered or unexported fields
}
func (*CheckCertificateResponse) Descriptor (deprecated)
func (*CheckCertificateResponse) Descriptor() ([]byte, []int)
Deprecated: Use CheckCertificateResponse.ProtoReflect.Descriptor instead.
func (*CheckCertificateResponse) GetInvalidReason ¶
func (x *CheckCertificateResponse) GetInvalidReason() string
func (*CheckCertificateResponse) GetIsValid ¶
func (x *CheckCertificateResponse) GetIsValid() bool
func (*CheckCertificateResponse) ProtoMessage ¶
func (*CheckCertificateResponse) ProtoMessage()
func (*CheckCertificateResponse) ProtoReflect ¶
func (x *CheckCertificateResponse) ProtoReflect() protoreflect.Message
func (*CheckCertificateResponse) Reset ¶
func (x *CheckCertificateResponse) Reset()
func (*CheckCertificateResponse) String ¶
func (x *CheckCertificateResponse) String() string
type DelegationPermissions ¶
// DelegationPermissions is read from delegation.cfg in luci-config.
//
// It is the whole policy for MintDelegationToken: a request is allowed only
// when exactly one of the rules matches it. Note the consequence for config
// authors: two overlapping rules do not widen access, they deny it.
type DelegationPermissions struct {
	// Rules specify what calls to MintDelegationToken are allowed.
	//
	// Rules are evaluated independently. One and only one rule should match the
	// request to allow the operation. If no rule or more than one rule matches,
	// the request will be denied.
	//
	// See DelegationRule comments for more details.
	Rules []*DelegationRule `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
	// contains filtered or unexported fields
}
func (*DelegationPermissions) Descriptor (deprecated)
func (*DelegationPermissions) Descriptor() ([]byte, []int)
Deprecated: Use DelegationPermissions.ProtoReflect.Descriptor instead.
func (*DelegationPermissions) GetRules ¶
func (x *DelegationPermissions) GetRules() []*DelegationRule
func (*DelegationPermissions) ProtoMessage ¶
func (*DelegationPermissions) ProtoMessage()
func (*DelegationPermissions) ProtoReflect ¶
func (x *DelegationPermissions) ProtoReflect() protoreflect.Message
func (*DelegationPermissions) Reset ¶
func (x *DelegationPermissions) Reset()
func (*DelegationPermissions) String ¶
func (x *DelegationPermissions) String() string
type DelegationRule ¶
// DelegationRule is one entry of the delegation policy: it says who may
// request a delegation token, whose identity may be delegated, who may
// bear the resulting token and which services should accept it. The rule
// also caps the token lifetime, and its Name is what ends up in the audit
// log, so every rule should be narrow enough to be recognizable there.
type DelegationRule struct {
	// A descriptive name of this rule, for the audit log.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Email of developers that own this rule, to know who to contact.
	Owner []string `protobuf:"bytes,2,rep,name=owner,proto3" json:"owner,omitempty"`
	// A set of callers to which this rule applies.
	//
	// Matched against verified credentials of a caller of MintDelegationToken:
	// the rule applies only if the caller's 'requestor_id' is in this set.
	//
	// Each element is either:
	//   - An identity string ("user:<email>").
	//   - A group reference ("group:<name>").
	//
	// The groups specified here are expanded when MintDelegationTokenRequest is
	// evaluated.
	Requestor []string `protobuf:"bytes,3,rep,name=requestor,proto3" json:"requestor,omitempty"`
	// Identities that are allowed to be delegated/impersonated by the requestor.
	//
	// Matched against 'delegated_identity' field of MintDelegationTokenRequest.
	//
	// Each element is either:
	//   - An identity string ("user:<email>").
	//   - A group reference ("group:<name>").
	//   - A special identifier "REQUESTOR" that is substituted by the requestor
	//     identity when evaluating the rule.
	//
	// "REQUESTOR" allows one to generate tokens that delegate their own identity
	// to some target audience. Any other entry lets the requestor act as that
	// identity, so this list is the impersonation grant of the rule.
	//
	// The groups specified here are expanded when MintDelegationTokenRequest is
	// evaluated.
	AllowedToImpersonate []string `protobuf:"bytes,4,rep,name=allowed_to_impersonate,json=allowedToImpersonate,proto3" json:"allowed_to_impersonate,omitempty"`
	// A set of identities that should be able to use the new token.
	//
	// Matched against 'audience' field of MintDelegationTokenRequest: the
	// request's 'audience' must be a subset of this set.
	//
	// Each element is either:
	//   - An identity string ("user:<email>").
	//   - A group reference ("group:<name>").
	//   - A special identifier "REQUESTOR" that is substituted by the requestor
	//     identity when evaluating the rule.
	//   - A special token "*" that means "any bearer can use the new token,
	//     including anonymous".
	//
	// "REQUESTOR" is typically used here for rules that allow requestors to
	// impersonate someone else. The corresponding tokens have the requestor as
	// the only allowed audience.
	//
	// Because "*" admits anonymous bearers, a token minted under such a rule
	// is usable by whoever obtains it; such rules deserve a tight
	// 'target_service' and a short 'max_validity_duration'.
	//
	// The groups specified here are NOT expanded when MintDelegationTokenRequest
	// is evaluated. To match the rule, MintDelegationTokenRequest must specify
	// subset of 'allowed_audience' groups explicitly in 'audience' field.
	AllowedAudience []string `protobuf:"bytes,5,rep,name=allowed_audience,json=allowedAudience,proto3" json:"allowed_audience,omitempty"`
	// A set of services that should be able to accept the new token.
	//
	// Matched against 'services' field of MintDelegationTokenRequest: the
	// request's 'services' must be a subset of this set.
	//
	// Each element is either:
	//   - A service identity string ("service:<id>").
	//   - A special token "*" that mean "any LUCI service should accept the
	//     token".
	TargetService []string `protobuf:"bytes,6,rep,name=target_service,json=targetService,proto3" json:"target_service,omitempty"`
	// Maximum allowed validity duration (sec) of minted delegation tokens.
	//
	// Acts as an upper bound on the 'validity_duration' a matching request may
	// ask for. Default is 12 hours.
	MaxValidityDuration int64 `protobuf:"varint,7,opt,name=max_validity_duration,json=maxValidityDuration,proto3" json:"max_validity_duration,omitempty"`
	// contains filtered or unexported fields
}
DelegationRule describes a single allowed case of using delegation tokens.
An incoming MintDelegationTokenRequest is basically a tuple of:
- 'requestor_id' - an identity of whoever makes the request.
- 'delegated_identity' - an identity to delegate.
- 'audience' - a set of identities that will be able to use the token.
- 'services' - a set of services that should accept the token.
A request matches a rule iff:
- 'requestor_id' is in 'requestor' set.
- 'delegated_identity' is in 'allowed_to_impersonate' set.
- 'audience' is a subset of 'allowed_audience' set.
- 'services' is a subset of 'target_service' set.
The presence of a matching rule permits minting the token. The rule also provides an upper bound on the allowed validity_duration, and the rule's name is logged in the audit trail.
func (*DelegationRule) Descriptor
deprecated
func (*DelegationRule) Descriptor() ([]byte, []int)
Deprecated: Use DelegationRule.ProtoReflect.Descriptor instead.
func (*DelegationRule) GetAllowedAudience ¶
func (x *DelegationRule) GetAllowedAudience() []string
func (*DelegationRule) GetAllowedToImpersonate ¶
func (x *DelegationRule) GetAllowedToImpersonate() []string
func (*DelegationRule) GetMaxValidityDuration ¶
func (x *DelegationRule) GetMaxValidityDuration() int64
func (*DelegationRule) GetName ¶
func (x *DelegationRule) GetName() string
func (*DelegationRule) GetOwner ¶
func (x *DelegationRule) GetOwner() []string
func (*DelegationRule) GetRequestor ¶
func (x *DelegationRule) GetRequestor() []string
func (*DelegationRule) GetTargetService ¶
func (x *DelegationRule) GetTargetService() []string
func (*DelegationRule) ProtoMessage ¶
func (*DelegationRule) ProtoMessage()
func (*DelegationRule) ProtoReflect ¶
func (x *DelegationRule) ProtoReflect() protoreflect.Message
func (*DelegationRule) Reset ¶
func (x *DelegationRule) Reset()
func (*DelegationRule) String ¶
func (x *DelegationRule) String() string
type DomainConfig ¶
// DomainConfig is the per-domain part of CertificateAuthorityConfig: it
// lists the host domains a CA's certificates may come from and how long
// machine tokens issued to those hosts live.
type DomainConfig struct {
	// Domain is domain names of hosts this config applies to.
	//
	// Machines that reside in a subdomain of given domain are also considered
	// part of it, e.g. both FQDNs "host.example.com" and "host.abc.example.com"
	// match domain "example.com". A config for a broad domain therefore
	// governs every host beneath it.
	Domain []string `protobuf:"bytes,1,rep,name=domain,proto3" json:"domain,omitempty"`
	// MachineTokenLifetime is how long generated machine tokens live, in seconds.
	//
	// If 0, machine tokens are not allowed, i.e. the zero value of this field
	// denies token issuance rather than granting an unbounded lifetime.
	MachineTokenLifetime int64 `protobuf:"varint,5,opt,name=machine_token_lifetime,json=machineTokenLifetime,proto3" json:"machine_token_lifetime,omitempty"`
	// contains filtered or unexported fields
}
DomainConfig is used inside CertificateAuthorityConfig.
func (*DomainConfig) Descriptor
deprecated
func (*DomainConfig) Descriptor() ([]byte, []int)
Deprecated: Use DomainConfig.ProtoReflect.Descriptor instead.
func (*DomainConfig) GetDomain ¶
func (x *DomainConfig) GetDomain() []string
func (*DomainConfig) GetMachineTokenLifetime ¶
func (x *DomainConfig) GetMachineTokenLifetime() int64
func (*DomainConfig) ProtoMessage ¶
func (*DomainConfig) ProtoMessage()
func (*DomainConfig) ProtoReflect ¶
func (x *DomainConfig) ProtoReflect() protoreflect.Message
func (*DomainConfig) Reset ¶
func (x *DomainConfig) Reset()
func (*DomainConfig) String ¶
func (x *DomainConfig) String() string
type FetchCRLRequest ¶
// FetchCRLRequest names the CA whose CRL should be fetched.
type FetchCRLRequest struct {
	// Common Name of the CA.
	Cn string `protobuf:"bytes,1,opt,name=cn,proto3" json:"cn,omitempty"`
	// Fetch and parse the CRL even if we have it already.
	Force bool `protobuf:"varint,2,opt,name=force,proto3" json:"force,omitempty"`
	// contains filtered or unexported fields
}
FetchCRLRequest identifies the name of the CA to fetch the CRL for.
func (*FetchCRLRequest) Descriptor
deprecated
func (*FetchCRLRequest) Descriptor() ([]byte, []int)
Deprecated: Use FetchCRLRequest.ProtoReflect.Descriptor instead.
func (*FetchCRLRequest) GetCn ¶
func (x *FetchCRLRequest) GetCn() string
func (*FetchCRLRequest) GetForce ¶
func (x *FetchCRLRequest) GetForce() bool
func (*FetchCRLRequest) ProtoMessage ¶
func (*FetchCRLRequest) ProtoMessage()
func (*FetchCRLRequest) ProtoReflect ¶
func (x *FetchCRLRequest) ProtoReflect() protoreflect.Message
func (*FetchCRLRequest) Reset ¶
func (x *FetchCRLRequest) Reset()
func (*FetchCRLRequest) String ¶
func (x *FetchCRLRequest) String() string
type FetchCRLResponse ¶
// FetchCRLResponse reports the state of a CA's CRL after a FetchCRL call.
type FetchCRLResponse struct {
	// Status of the CRL after the fetch.
	CrlStatus *CRLStatus `protobuf:"bytes,1,opt,name=crl_status,json=crlStatus,proto3" json:"crl_status,omitempty"`
	// contains filtered or unexported fields
}
FetchCRLResponse is returned by FetchCRL.
func (*FetchCRLResponse) Descriptor
deprecated
func (*FetchCRLResponse) Descriptor() ([]byte, []int)
Deprecated: Use FetchCRLResponse.ProtoReflect.Descriptor instead.
func (*FetchCRLResponse) GetCrlStatus ¶
func (x *FetchCRLResponse) GetCrlStatus() *CRLStatus
func (*FetchCRLResponse) ProtoMessage ¶
func (*FetchCRLResponse) ProtoMessage()
func (*FetchCRLResponse) ProtoReflect ¶
func (x *FetchCRLResponse) ProtoReflect() protoreflect.Message
func (*FetchCRLResponse) Reset ¶
func (x *FetchCRLResponse) Reset()
func (*FetchCRLResponse) String ¶
func (x *FetchCRLResponse) String() string
type GetCAStatusRequest ¶
// GetCAStatusRequest names the CA whose status is requested.
type GetCAStatusRequest struct {
	// Common Name of the CA.
	Cn string `protobuf:"bytes,1,opt,name=cn,proto3" json:"cn,omitempty"`
	// contains filtered or unexported fields
}
GetCAStatusRequest identifies the name of the CA to fetch.
func (*GetCAStatusRequest) Descriptor
deprecated
func (*GetCAStatusRequest) Descriptor() ([]byte, []int)
Deprecated: Use GetCAStatusRequest.ProtoReflect.Descriptor instead.
func (*GetCAStatusRequest) GetCn ¶
func (x *GetCAStatusRequest) GetCn() string
func (*GetCAStatusRequest) ProtoMessage ¶
func (*GetCAStatusRequest) ProtoMessage()
func (*GetCAStatusRequest) ProtoReflect ¶
func (x *GetCAStatusRequest) ProtoReflect() protoreflect.Message
func (*GetCAStatusRequest) Reset ¶
func (x *GetCAStatusRequest) Reset()
func (*GetCAStatusRequest) String ¶
func (x *GetCAStatusRequest) String() string
type GetCAStatusResponse ¶
// GetCAStatusResponse describes one CA as the token server currently sees
// it. A CA that does not exist yields an all-empty response, so callers
// should check Config for nil rather than reading Ready or Removed alone.
type GetCAStatusResponse struct {
	// Current config.
	Config *CertificateAuthorityConfig `protobuf:"bytes,1,opt,name=config,proto3" json:"config,omitempty"`
	// PEM-encoded CA certificate.
	Cert string `protobuf:"bytes,2,opt,name=cert,proto3" json:"cert,omitempty"`
	// True if this CA was removed from the config.
	Removed bool `protobuf:"varint,3,opt,name=removed,proto3" json:"removed,omitempty"`
	// True if this CA is ready for usage.
	Ready bool `protobuf:"varint,4,opt,name=ready,proto3" json:"ready,omitempty"`
	// Config rev when this CA appeared.
	AddedRev string `protobuf:"bytes,5,opt,name=added_rev,json=addedRev,proto3" json:"added_rev,omitempty"`
	// Config rev when this CA was updated.
	UpdatedRev string `protobuf:"bytes,6,opt,name=updated_rev,json=updatedRev,proto3" json:"updated_rev,omitempty"`
	// Config rev when this CA was removed.
	RemovedRev string `protobuf:"bytes,7,opt,name=removed_rev,json=removedRev,proto3" json:"removed_rev,omitempty"`
	// Last known status of the CRL for this CA.
	CrlStatus *CRLStatus `protobuf:"bytes,8,opt,name=crl_status,json=crlStatus,proto3" json:"crl_status,omitempty"`
	// contains filtered or unexported fields
}
GetCAStatusResponse is returned by GetCAStatus method.
If the requested CA doesn't exist, all fields are empty.
func (*GetCAStatusResponse) Descriptor
deprecated
func (*GetCAStatusResponse) Descriptor() ([]byte, []int)
Deprecated: Use GetCAStatusResponse.ProtoReflect.Descriptor instead.
func (*GetCAStatusResponse) GetAddedRev ¶
func (x *GetCAStatusResponse) GetAddedRev() string
func (*GetCAStatusResponse) GetCert ¶
func (x *GetCAStatusResponse) GetCert() string
func (*GetCAStatusResponse) GetConfig ¶
func (x *GetCAStatusResponse) GetConfig() *CertificateAuthorityConfig
func (*GetCAStatusResponse) GetCrlStatus ¶
func (x *GetCAStatusResponse) GetCrlStatus() *CRLStatus
func (*GetCAStatusResponse) GetReady ¶
func (x *GetCAStatusResponse) GetReady() bool
func (*GetCAStatusResponse) GetRemoved ¶
func (x *GetCAStatusResponse) GetRemoved() bool
func (*GetCAStatusResponse) GetRemovedRev ¶
func (x *GetCAStatusResponse) GetRemovedRev() string
func (*GetCAStatusResponse) GetUpdatedRev ¶
func (x *GetCAStatusResponse) GetUpdatedRev() string
func (*GetCAStatusResponse) ProtoMessage ¶
func (*GetCAStatusResponse) ProtoMessage()
func (*GetCAStatusResponse) ProtoReflect ¶
func (x *GetCAStatusResponse) ProtoReflect() protoreflect.Message
func (*GetCAStatusResponse) Reset ¶
func (x *GetCAStatusResponse) Reset()
func (*GetCAStatusResponse) String ¶
func (x *GetCAStatusResponse) String() string
type ImportedConfigs ¶
// ImportedConfigs reports which config revision is active after an import.
type ImportedConfigs struct {
	// The revision of the configs that are now in the datastore.
	//
	// It's either the imported revision, if configs change, or a previously known
	// revision, if configs at HEAD are same.
	Revision string `protobuf:"bytes,1,opt,name=revision,proto3" json:"revision,omitempty"`
	// contains filtered or unexported fields
}
ImportedConfigs is returned by Import<something>Configs methods on success.
func (*ImportedConfigs) Descriptor
deprecated
func (*ImportedConfigs) Descriptor() ([]byte, []int)
Deprecated: Use ImportedConfigs.ProtoReflect.Descriptor instead.
func (*ImportedConfigs) GetRevision ¶
func (x *ImportedConfigs) GetRevision() string
func (*ImportedConfigs) ProtoMessage ¶
func (*ImportedConfigs) ProtoMessage()
func (*ImportedConfigs) ProtoReflect ¶
func (x *ImportedConfigs) ProtoReflect() protoreflect.Message
func (*ImportedConfigs) Reset ¶
func (x *ImportedConfigs) Reset()
func (*ImportedConfigs) String ¶
func (x *ImportedConfigs) String() string
type InspectDelegationTokenRequest ¶
// InspectDelegationTokenRequest carries a delegation token to be examined.
type InspectDelegationTokenRequest struct {
	// The token body.
	Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
	// contains filtered or unexported fields
}
InspectDelegationTokenRequest is body of InspectDelegationToken RPC call.
func (*InspectDelegationTokenRequest) Descriptor
deprecated
func (*InspectDelegationTokenRequest) Descriptor() ([]byte, []int)
Deprecated: Use InspectDelegationTokenRequest.ProtoReflect.Descriptor instead.
func (*InspectDelegationTokenRequest) GetToken ¶
func (x *InspectDelegationTokenRequest) GetToken() string
func (*InspectDelegationTokenRequest) ProtoMessage ¶
func (*InspectDelegationTokenRequest) ProtoMessage()
func (*InspectDelegationTokenRequest) ProtoReflect ¶
func (x *InspectDelegationTokenRequest) ProtoReflect() protoreflect.Message
func (*InspectDelegationTokenRequest) Reset ¶
func (x *InspectDelegationTokenRequest) Reset()
func (*InspectDelegationTokenRequest) String ¶
func (x *InspectDelegationTokenRequest) String() string
type InspectDelegationTokenResponse ¶
// InspectDelegationTokenResponse is the verdict of InspectDelegationToken.
// Valid is the only field that should drive a decision; Signed tells
// whether the decoded fields can be believed at all.
type InspectDelegationTokenResponse struct {
	// True if the token is valid.
	//
	// A token is valid if its signature is correct and it hasn't expired yet.
	Valid bool `protobuf:"varint,1,opt,name=valid,proto3" json:"valid,omitempty"`
	// Human readable summary of why token is invalid.
	//
	// Summarizes the rest of the fields of this struct. Set only if 'valid' is
	// false.
	InvalidityReason string `protobuf:"bytes,2,opt,name=invalidity_reason,json=invalidityReason,proto3" json:"invalidity_reason,omitempty"`
	// True if the token signature was verified.
	//
	// It means the token was generated by the token server and its body is not
	// a garbage. Note that a token can be correctly signed, but invalid (if it
	// has expired).
	//
	// If 'signed' is false, the fields below may (or may not) be a garbage.
	//
	// The token server uses private keys managed by Google Cloud Platform, they
	// are constantly being rotated and "old" signatures become invalid over time
	// (when corresponding keys are rotated out of existence).
	//
	// If 'signed' is false, use the rest of the response only as FYI, possibly
	// invalid or even maliciously constructed.
	Signed bool `protobuf:"varint,3,opt,name=signed,proto3" json:"signed,omitempty"`
	// True if the token signature was verified and token hasn't expired yet.
	//
	// We use "non_" prefix to make default 'false' value safer: a missing or
	// zero-valued field reads as "expired", so the response fails closed.
	NonExpired bool `protobuf:"varint,4,opt,name=non_expired,json=nonExpired,proto3" json:"non_expired,omitempty"`
	// The deserialized token envelope.
	//
	// May be empty if token was malformed and couldn't be deserialized. Only
	// trustworthy when 'signed' is true.
	Envelope *messages.DelegationToken `protobuf:"bytes,5,opt,name=envelope,proto3" json:"envelope,omitempty"`
	// The deserialized token body (deserialized 'envelope.serialized_subtoken').
	//
	// May be empty if token was malformed and couldn't be deserialized. Only
	// trustworthy when 'signed' is true.
	Subtoken *messages.Subtoken `protobuf:"bytes,6,opt,name=subtoken,proto3" json:"subtoken,omitempty"`
	// contains filtered or unexported fields
}
InspectDelegationTokenResponse is return value of InspectDelegationToken RPC.
func (*InspectDelegationTokenResponse) Descriptor
deprecated
func (*InspectDelegationTokenResponse) Descriptor() ([]byte, []int)
Deprecated: Use InspectDelegationTokenResponse.ProtoReflect.Descriptor instead.
func (*InspectDelegationTokenResponse) GetEnvelope ¶
func (x *InspectDelegationTokenResponse) GetEnvelope() *messages.DelegationToken
func (*InspectDelegationTokenResponse) GetInvalidityReason ¶
func (x *InspectDelegationTokenResponse) GetInvalidityReason() string
func (*InspectDelegationTokenResponse) GetNonExpired ¶
func (x *InspectDelegationTokenResponse) GetNonExpired() bool
func (*InspectDelegationTokenResponse) GetSigned ¶
func (x *InspectDelegationTokenResponse) GetSigned() bool
func (*InspectDelegationTokenResponse) GetSubtoken ¶
func (x *InspectDelegationTokenResponse) GetSubtoken() *messages.Subtoken
func (*InspectDelegationTokenResponse) GetValid ¶
func (x *InspectDelegationTokenResponse) GetValid() bool
func (*InspectDelegationTokenResponse) ProtoMessage ¶
func (*InspectDelegationTokenResponse) ProtoMessage()
func (*InspectDelegationTokenResponse) ProtoReflect ¶
func (x *InspectDelegationTokenResponse) ProtoReflect() protoreflect.Message
func (*InspectDelegationTokenResponse) Reset ¶
func (x *InspectDelegationTokenResponse) Reset()
func (*InspectDelegationTokenResponse) String ¶
func (x *InspectDelegationTokenResponse) String() string
type InspectMachineTokenRequest ¶
// InspectMachineTokenRequest carries a machine token to be examined.
type InspectMachineTokenRequest struct {
	// The type of token being checked.
	//
	// Currently only LUCI_MACHINE_TOKEN is supported. This is also the default.
	TokenType api.MachineTokenType `protobuf:"varint,1,opt,name=token_type,json=tokenType,proto3,enum=tokenserver.MachineTokenType" json:"token_type,omitempty"`
	// The token body. Exact meaning depends on token_type.
	Token string `protobuf:"bytes,2,opt,name=token,proto3" json:"token,omitempty"`
	// contains filtered or unexported fields
}
InspectMachineTokenRequest is body of InspectMachineToken RPC call.
It contains a machine token of some kind.
func (*InspectMachineTokenRequest) Descriptor
deprecated
func (*InspectMachineTokenRequest) Descriptor() ([]byte, []int)
Deprecated: Use InspectMachineTokenRequest.ProtoReflect.Descriptor instead.
func (*InspectMachineTokenRequest) GetToken ¶
func (x *InspectMachineTokenRequest) GetToken() string
func (*InspectMachineTokenRequest) GetTokenType ¶
func (x *InspectMachineTokenRequest) GetTokenType() api.MachineTokenType
func (*InspectMachineTokenRequest) ProtoMessage ¶
func (*InspectMachineTokenRequest) ProtoMessage()
func (*InspectMachineTokenRequest) ProtoReflect ¶
func (x *InspectMachineTokenRequest) ProtoReflect() protoreflect.Message
func (*InspectMachineTokenRequest) Reset ¶
func (x *InspectMachineTokenRequest) Reset()
func (*InspectMachineTokenRequest) String ¶
func (x *InspectMachineTokenRequest) String() string
type InspectMachineTokenResponse ¶
// InspectMachineTokenResponse is the verdict of InspectMachineToken.
// Valid is the only field that should drive a decision; Signed tells
// whether the decoded fields below it can be believed at all.
type InspectMachineTokenResponse struct {
	// True if the token is valid.
	//
	// A token is valid if its signature is correct, it hasn't expired yet and
	// the credentials it was built from (e.g. a certificate) wasn't revoked.
	Valid bool `protobuf:"varint,1,opt,name=valid,proto3" json:"valid,omitempty"`
	// Human readable summary of why token is invalid.
	//
	// Summarizes the rest of the fields of this struct. Set only if 'valid' is
	// false.
	InvalidityReason string `protobuf:"bytes,2,opt,name=invalidity_reason,json=invalidityReason,proto3" json:"invalidity_reason,omitempty"`
	// True if the token signature was verified.
	//
	// It means the token was generated by the token server and its body is not
	// a garbage. Note that a token can be correctly signed, but invalid (if it
	// has expired or was revoked).
	//
	// If 'signed' is false, the fields below may (or may not) be a garbage.
	//
	// The token server uses private keys managed by Google Cloud Platform, they
	// are constantly being rotated and "old" signatures become invalid over time
	// (when corresponding keys are rotated out of existence).
	//
	// If 'signed' is false, use the rest of the response only as FYI, possibly
	// invalid or even maliciously constructed.
	Signed bool `protobuf:"varint,3,opt,name=signed,proto3" json:"signed,omitempty"`
	// True if the token signature was verified and token hasn't expired yet.
	//
	// We use "non_" prefix to make default 'false' value safer: a missing or
	// zero-valued field reads as "expired", so the response fails closed.
	NonExpired bool `protobuf:"varint,4,opt,name=non_expired,json=nonExpired,proto3" json:"non_expired,omitempty"`
	// True if the token signature was verified and the token wasn't revoked.
	//
	// It is possible for an expired token to be non revoked. They are independent
	// properties.
	//
	// We use "non_" prefix to make default 'false' value safer: a missing or
	// zero-valued field reads as "revoked".
	NonRevoked bool `protobuf:"varint,5,opt,name=non_revoked,json=nonRevoked,proto3" json:"non_revoked,omitempty"`
	// Id of a private key used to sign this token, if applicable.
	SigningKeyId string `protobuf:"bytes,6,opt,name=signing_key_id,json=signingKeyId,proto3" json:"signing_key_id,omitempty"`
	// Name of a CA that issued the cert the token is based on, if applicable.
	//
	// Resolved from 'ca_id' field of the token body, so it is only as
	// trustworthy as 'signed' says the body is.
	CertCaName string `protobuf:"bytes,7,opt,name=cert_ca_name,json=certCaName,proto3" json:"cert_ca_name,omitempty"`
	// The decoded token body (depends on token_type request parameter). Empty if
	// token was malformed and couldn't be deserialized.
	//
	// Types that are assignable to TokenType:
	//
	//	*InspectMachineTokenResponse_LuciMachineToken
	TokenType isInspectMachineTokenResponse_TokenType `protobuf_oneof:"token_type"`
	// contains filtered or unexported fields
}
InspectMachineTokenResponse is return value of InspectMachineToken RPC call.
func (*InspectMachineTokenResponse) Descriptor
deprecated
func (*InspectMachineTokenResponse) Descriptor() ([]byte, []int)
Deprecated: Use InspectMachineTokenResponse.ProtoReflect.Descriptor instead.
func (*InspectMachineTokenResponse) GetCertCaName ¶
func (x *InspectMachineTokenResponse) GetCertCaName() string
func (*InspectMachineTokenResponse) GetInvalidityReason ¶
func (x *InspectMachineTokenResponse) GetInvalidityReason() string
func (*InspectMachineTokenResponse) GetLuciMachineToken ¶
func (x *InspectMachineTokenResponse) GetLuciMachineToken() *api.MachineTokenBody
func (*InspectMachineTokenResponse) GetNonExpired ¶
func (x *InspectMachineTokenResponse) GetNonExpired() bool
func (*InspectMachineTokenResponse) GetNonRevoked ¶
func (x *InspectMachineTokenResponse) GetNonRevoked() bool
func (*InspectMachineTokenResponse) GetSigned ¶
func (x *InspectMachineTokenResponse) GetSigned() bool
func (*InspectMachineTokenResponse) GetSigningKeyId ¶
func (x *InspectMachineTokenResponse) GetSigningKeyId() string
func (*InspectMachineTokenResponse) GetTokenType ¶
func (m *InspectMachineTokenResponse) GetTokenType() isInspectMachineTokenResponse_TokenType
func (*InspectMachineTokenResponse) GetValid ¶
func (x *InspectMachineTokenResponse) GetValid() bool
func (*InspectMachineTokenResponse) ProtoMessage ¶
func (*InspectMachineTokenResponse) ProtoMessage()
func (*InspectMachineTokenResponse) ProtoReflect ¶
func (x *InspectMachineTokenResponse) ProtoReflect() protoreflect.Message
func (*InspectMachineTokenResponse) Reset ¶
func (x *InspectMachineTokenResponse) Reset()
func (*InspectMachineTokenResponse) String ¶
func (x *InspectMachineTokenResponse) String() string
type InspectMachineTokenResponse_LuciMachineToken ¶
// InspectMachineTokenResponse_LuciMachineToken is the oneof wrapper used
// for InspectMachineTokenResponse.TokenType when the inspected token is a
// LUCI machine token.
type InspectMachineTokenResponse_LuciMachineToken struct {
	// The decoded LUCI machine token body.
	LuciMachineToken *api.MachineTokenBody `protobuf:"bytes,20,opt,name=luci_machine_token,json=luciMachineToken,proto3,oneof"`
}
type IsRevokedCertRequest ¶
// IsRevokedCertRequest identifies a certificate by issuing CA and serial
// number for a CRL lookup.
type IsRevokedCertRequest struct {
	// Common Name of the CA.
	Ca string `protobuf:"bytes,1,opt,name=ca,proto3" json:"ca,omitempty"`
	// Cert's serial number (big.Int encoded as a decimal string).
	Sn string `protobuf:"bytes,2,opt,name=sn,proto3" json:"sn,omitempty"`
	// contains filtered or unexported fields
}
IsRevokedCertRequest contains a name of the CA and a cert serial number.
func (*IsRevokedCertRequest) Descriptor
deprecated
func (*IsRevokedCertRequest) Descriptor() ([]byte, []int)
Deprecated: Use IsRevokedCertRequest.ProtoReflect.Descriptor instead.
func (*IsRevokedCertRequest) GetCa ¶
func (x *IsRevokedCertRequest) GetCa() string
func (*IsRevokedCertRequest) GetSn ¶
func (x *IsRevokedCertRequest) GetSn() string
func (*IsRevokedCertRequest) ProtoMessage ¶
func (*IsRevokedCertRequest) ProtoMessage()
func (*IsRevokedCertRequest) ProtoReflect ¶
func (x *IsRevokedCertRequest) ProtoReflect() protoreflect.Message
func (*IsRevokedCertRequest) Reset ¶
func (x *IsRevokedCertRequest) Reset()
func (*IsRevokedCertRequest) String ¶
func (x *IsRevokedCertRequest) String() string
type IsRevokedCertResponse ¶
// IsRevokedCertResponse is the result of a CRL lookup for one certificate.
type IsRevokedCertResponse struct {
	// True if the cert with given SN is in CRL.
	Revoked bool `protobuf:"varint,1,opt,name=revoked,proto3" json:"revoked,omitempty"`
	// contains filtered or unexported fields
}
IsRevokedCertResponse is returned by IsRevokedCert.
func (*IsRevokedCertResponse) Descriptor
deprecated
func (*IsRevokedCertResponse) Descriptor() ([]byte, []int)
Deprecated: Use IsRevokedCertResponse.ProtoReflect.Descriptor instead.
func (*IsRevokedCertResponse) GetRevoked ¶
func (x *IsRevokedCertResponse) GetRevoked() bool
func (*IsRevokedCertResponse) ProtoMessage ¶
func (*IsRevokedCertResponse) ProtoMessage()
func (*IsRevokedCertResponse) ProtoReflect ¶
func (x *IsRevokedCertResponse) ProtoReflect() protoreflect.Message
func (*IsRevokedCertResponse) Reset ¶
func (x *IsRevokedCertResponse) Reset()
func (*IsRevokedCertResponse) String ¶
func (x *IsRevokedCertResponse) String() string
type ListCAsResponse ¶
// ListCAsResponse lists the known CAs by Common Name.
type ListCAsResponse struct {
	// Common Names of the CAs.
	Cn []string `protobuf:"bytes,1,rep,name=cn,proto3" json:"cn,omitempty"`
	// contains filtered or unexported fields
}
ListCAsResponse is returned by ListCAs.
func (*ListCAsResponse) Descriptor
deprecated
func (*ListCAsResponse) Descriptor() ([]byte, []int)
Deprecated: Use ListCAsResponse.ProtoReflect.Descriptor instead.
func (*ListCAsResponse) GetCn ¶
func (x *ListCAsResponse) GetCn() []string
func (*ListCAsResponse) ProtoMessage ¶
func (*ListCAsResponse) ProtoMessage()
func (*ListCAsResponse) ProtoReflect ¶
func (x *ListCAsResponse) ProtoReflect() protoreflect.Message
func (*ListCAsResponse) Reset ¶
func (x *ListCAsResponse) Reset()
func (*ListCAsResponse) String ¶
func (x *ListCAsResponse) String() string
type ServiceAccountsProjectMapping ¶
// ServiceAccountsProjectMapping is the project_owned_accounts.cfg message:
// it decides which service accounts a LUCI project may obtain tokens for,
// either by an explicit mapping or by deferring to IAM via the project's
// scoped account.
type ServiceAccountsProjectMapping struct {
	// Each entry maps a bunch of service accounts to one or more projects.
	Mapping []*ServiceAccountsProjectMapping_Mapping `protobuf:"bytes,1,rep,name=mapping,proto3" json:"mapping,omitempty"`
	// A list of LUCI project names for which service account impersonation should
	// be done using LUCI project-scoped account as a delegate. This allows to
	// move "LUCI project => allowed service account" mapping into IAM policies,
	// making `mapping` above obsolete.
	//
	// If a LUCI project belongs to this list, it must not have any entries in
	// the `mapping` field above. The two mechanisms are mutually exclusive per
	// project.
	UseProjectScopedAccount []string `` /* 134-byte string literal not displayed */
	// contains filtered or unexported fields
}
ServiceAccountsProjectMapping defines what service accounts belong to what LUCI projects.
Used by MintServiceAccountToken RPC as a final authorization step, after checking that the usage of the service account is allowed by Realms ACLs.
This is a stop-gap solution until the Token Server learns to use project-scoped accounts when calling Cloud IAM. Once this happens, we can move the information contained in ServiceAccountsProjectMapping into Cloud IAM permissions.
This message is stored as project_owned_accounts.cfg in luci-config.
func (*ServiceAccountsProjectMapping) Descriptor
deprecated
func (*ServiceAccountsProjectMapping) Descriptor() ([]byte, []int)
Deprecated: Use ServiceAccountsProjectMapping.ProtoReflect.Descriptor instead.
func (*ServiceAccountsProjectMapping) GetMapping ¶
func (x *ServiceAccountsProjectMapping) GetMapping() []*ServiceAccountsProjectMapping_Mapping
func (*ServiceAccountsProjectMapping) GetUseProjectScopedAccount ¶
func (x *ServiceAccountsProjectMapping) GetUseProjectScopedAccount() []string
func (*ServiceAccountsProjectMapping) ProtoMessage ¶
func (*ServiceAccountsProjectMapping) ProtoMessage()
func (*ServiceAccountsProjectMapping) ProtoReflect ¶
func (x *ServiceAccountsProjectMapping) ProtoReflect() protoreflect.Message
func (*ServiceAccountsProjectMapping) Reset ¶
func (x *ServiceAccountsProjectMapping) Reset()
func (*ServiceAccountsProjectMapping) String ¶
func (x *ServiceAccountsProjectMapping) String() string
type ServiceAccountsProjectMapping_Mapping ¶
// ServiceAccountsProjectMapping_Mapping is one entry of
// ServiceAccountsProjectMapping: every listed project may use every listed
// service account.
type ServiceAccountsProjectMapping_Mapping struct {
	// Names of LUCI projects.
	Project []string `protobuf:"bytes,1,rep,name=project,proto3" json:"project,omitempty"`
	// Emails of service accounts allowed to be used by all these projects.
	ServiceAccount []string `protobuf:"bytes,2,rep,name=service_account,json=serviceAccount,proto3" json:"service_account,omitempty"`
	// contains filtered or unexported fields
}
func (*ServiceAccountsProjectMapping_Mapping) Descriptor
deprecated
func (*ServiceAccountsProjectMapping_Mapping) Descriptor() ([]byte, []int)
Deprecated: Use ServiceAccountsProjectMapping_Mapping.ProtoReflect.Descriptor instead.
func (*ServiceAccountsProjectMapping_Mapping) GetProject ¶
func (x *ServiceAccountsProjectMapping_Mapping) GetProject() []string
func (*ServiceAccountsProjectMapping_Mapping) GetServiceAccount ¶
func (x *ServiceAccountsProjectMapping_Mapping) GetServiceAccount() []string
func (*ServiceAccountsProjectMapping_Mapping) ProtoMessage ¶
func (*ServiceAccountsProjectMapping_Mapping) ProtoMessage()
func (*ServiceAccountsProjectMapping_Mapping) ProtoReflect ¶
func (x *ServiceAccountsProjectMapping_Mapping) ProtoReflect() protoreflect.Message
func (*ServiceAccountsProjectMapping_Mapping) Reset ¶
func (x *ServiceAccountsProjectMapping_Mapping) Reset()
func (*ServiceAccountsProjectMapping_Mapping) String ¶
func (x *ServiceAccountsProjectMapping_Mapping) String() string
type TokenServerConfig ¶
// TokenServerConfig is the tokenserver.cfg message: the set of CAs the
// token server trusts to vouch for machines.
type TokenServerConfig struct {
	// List of CAs we trust.
	CertificateAuthority []*CertificateAuthorityConfig `protobuf:"bytes,1,rep,name=certificate_authority,json=certificateAuthority,proto3" json:"certificate_authority,omitempty"`
	// contains filtered or unexported fields
}
TokenServerConfig is read from tokenserver.cfg in luci-config.
func (*TokenServerConfig) Descriptor
deprecated
func (*TokenServerConfig) Descriptor() ([]byte, []int)
Deprecated: Use TokenServerConfig.ProtoReflect.Descriptor instead.
func (*TokenServerConfig) GetCertificateAuthority ¶
func (x *TokenServerConfig) GetCertificateAuthority() []*CertificateAuthorityConfig
func (*TokenServerConfig) ProtoMessage ¶
func (*TokenServerConfig) ProtoMessage()
func (*TokenServerConfig) ProtoReflect ¶
func (x *TokenServerConfig) ProtoReflect() protoreflect.Message
func (*TokenServerConfig) Reset ¶
func (x *TokenServerConfig) Reset()
func (*TokenServerConfig) String ¶
func (x *TokenServerConfig) String() string
type UnimplementedAdminServer ¶
// UnimplementedAdminServer must be embedded to have forward compatible implementations.
//
// NOTE: this should be embedded by value instead of pointer to avoid a nil
// pointer dereference when methods are called.
type UnimplementedAdminServer struct{}
UnimplementedAdminServer must be embedded to have forward compatible implementations.
NOTE: this should be embedded by value instead of pointer to avoid a nil pointer dereference when methods are called.
func (UnimplementedAdminServer) ImportCAConfigs ¶
func (UnimplementedAdminServer) ImportCAConfigs(context.Context, *emptypb.Empty) (*ImportedConfigs, error)
func (UnimplementedAdminServer) ImportDelegationConfigs ¶
func (UnimplementedAdminServer) ImportDelegationConfigs(context.Context, *emptypb.Empty) (*ImportedConfigs, error)
func (UnimplementedAdminServer) ImportProjectIdentityConfigs ¶
func (UnimplementedAdminServer) ImportProjectIdentityConfigs(context.Context, *emptypb.Empty) (*ImportedConfigs, error)
func (UnimplementedAdminServer) ImportProjectOwnedAccountsConfigs ¶
func (UnimplementedAdminServer) ImportProjectOwnedAccountsConfigs(context.Context, *emptypb.Empty) (*ImportedConfigs, error)
func (UnimplementedAdminServer) InspectDelegationToken ¶
func (UnimplementedAdminServer) InspectDelegationToken(context.Context, *InspectDelegationTokenRequest) (*InspectDelegationTokenResponse, error)
func (UnimplementedAdminServer) InspectMachineToken ¶
func (UnimplementedAdminServer) InspectMachineToken(context.Context, *InspectMachineTokenRequest) (*InspectMachineTokenResponse, error)
type UnimplementedCertificateAuthoritiesServer ¶
// UnimplementedCertificateAuthoritiesServer must be embedded to have forward compatible implementations.
//
// NOTE: this should be embedded by value instead of pointer to avoid a nil
// pointer dereference when methods are called.
type UnimplementedCertificateAuthoritiesServer struct{}
UnimplementedCertificateAuthoritiesServer must be embedded to have forward compatible implementations.
NOTE: this should be embedded by value instead of pointer to avoid a nil pointer dereference when methods are called.
func (UnimplementedCertificateAuthoritiesServer) CheckCertificate ¶
func (UnimplementedCertificateAuthoritiesServer) CheckCertificate(context.Context, *CheckCertificateRequest) (*CheckCertificateResponse, error)
func (UnimplementedCertificateAuthoritiesServer) FetchCRL ¶
func (UnimplementedCertificateAuthoritiesServer) FetchCRL(context.Context, *FetchCRLRequest) (*FetchCRLResponse, error)
func (UnimplementedCertificateAuthoritiesServer) GetCAStatus ¶
func (UnimplementedCertificateAuthoritiesServer) GetCAStatus(context.Context, *GetCAStatusRequest) (*GetCAStatusResponse, error)
func (UnimplementedCertificateAuthoritiesServer) IsRevokedCert ¶
func (UnimplementedCertificateAuthoritiesServer) IsRevokedCert(context.Context, *IsRevokedCertRequest) (*IsRevokedCertResponse, error)
func (UnimplementedCertificateAuthoritiesServer) ListCAs ¶
func (UnimplementedCertificateAuthoritiesServer) ListCAs(context.Context, *emptypb.Empty) (*ListCAsResponse, error)
type UnsafeAdminServer ¶
// UnsafeAdminServer may be embedded to opt out of forward compatibility for
// this service. Use of this interface is not recommended, as added methods
// to AdminServer will result in compilation errors.
type UnsafeAdminServer interface {
	// contains filtered or unexported methods
}
UnsafeAdminServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to AdminServer will result in compilation errors.
type UnsafeCertificateAuthoritiesServer ¶
// UnsafeCertificateAuthoritiesServer may be embedded to opt out of forward
// compatibility for this service. Use of this interface is not recommended,
// as added methods to CertificateAuthoritiesServer will result in
// compilation errors.
type UnsafeCertificateAuthoritiesServer interface {
	// contains filtered or unexported methods
}
UnsafeCertificateAuthoritiesServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to CertificateAuthoritiesServer will result in compilation errors.