
Constants

This section is empty.

Variables

// Enum value maps for Subtoken_Kind: Subtoken_Kind_name maps the wire number to
// the proto enum name, and Subtoken_Kind_value is its inverse.
var (
	Subtoken_Kind_name = map[int32]string{
		0: "UNKNOWN_KIND",
		1: "BEARER_DELEGATION_TOKEN",
	}
	Subtoken_Kind_value = map[string]int32{
		"UNKNOWN_KIND":            0,
		"BEARER_DELEGATION_TOKEN": 1,
	}
)

    Enum value maps for Subtoken_Kind.

    // File_go_chromium_org_luci_server_auth_delegation_messages_delegation_proto is
    // the protoreflect descriptor of the proto file that declares these messages.
    var File_go_chromium_org_luci_server_auth_delegation_messages_delegation_proto protoreflect.FileDescriptor

    Functions

    This section is empty.

    Types

    type DelegationToken

    // DelegationToken is a signed envelope around a serialized Subtoken:
    // SerializedSubtoken carries the payload and Pkcs1Sha256Sig its signature,
    // made with the signer's key identified by SigningKeyId.
    type DelegationToken struct {
    
    	// Identity of a service that signed this token.
    	//
    	// It can be a 'service:<app-id>' string or 'user:<service-account-email>'
    	// string.
    	//
    	// In both cases the appropriate certificate store will be queried (via SSL)
    	// for the public key to use for signature verification.
    	//
    	// NOTE(review): this field lives in the envelope, not in the signed
    	// serialized_subtoken bytes, so it is unauthenticated until the signature
    	// checks out. A verifier should first decide whether signer_id is a signer
    	// it trusts, and only then fetch that signer's key and verify.
    	SignerId string `protobuf:"bytes,2,opt,name=signer_id,json=signerId,proto3" json:"signer_id,omitempty"`
    	// ID of a key used for making the signature.
    	//
    	// There can be multiple active keys at any moment in time: one used for new
    	// signatures, and one being rotated out (but still valid for verification).
    	//
    	// The lifetime of the token indirectly depends on the lifetime of the signing
    	// key, which is 24h. So delegation tokens can't live longer than 24h.
    	SigningKeyId string `protobuf:"bytes,3,opt,name=signing_key_id,json=signingKeyId,proto3" json:"signing_key_id,omitempty"`
    	// The signature: PKCS1_v1_5+SHA256(serialized_subtoken, signing_key_id).
    	//
    	// The signature covers the raw serialized_subtoken bytes. Verify it before
    	// deserializing the Subtoken; until then the payload is untrusted input.
    	Pkcs1Sha256Sig []byte `protobuf:"bytes,4,opt,name=pkcs1_sha256_sig,json=pkcs1Sha256Sig,proto3" json:"pkcs1_sha256_sig,omitempty"`
    	// Serialized Subtoken message. Its signature is stored in pkcs1_sha256_sig.
    	SerializedSubtoken []byte `protobuf:"bytes,5,opt,name=serialized_subtoken,json=serializedSubtoken,proto3" json:"serialized_subtoken,omitempty"`
    	// contains filtered or unexported fields
    }

      Signed serialized Subtoken.

      This message is just an envelope that carries the serialized Subtoken message and its signature.

      Next ID: 6.

      func (*DelegationToken) Descriptor

      func (*DelegationToken) Descriptor() ([]byte, []int)

        Deprecated: Use DelegationToken.ProtoReflect.Descriptor instead.

        func (*DelegationToken) GetPkcs1Sha256Sig

        func (x *DelegationToken) GetPkcs1Sha256Sig() []byte

        func (*DelegationToken) GetSerializedSubtoken

        func (x *DelegationToken) GetSerializedSubtoken() []byte

        func (*DelegationToken) GetSignerId

        func (x *DelegationToken) GetSignerId() string

        func (*DelegationToken) GetSigningKeyId

        func (x *DelegationToken) GetSigningKeyId() string

        func (*DelegationToken) ProtoMessage

        func (*DelegationToken) ProtoMessage()

        func (*DelegationToken) ProtoReflect

        func (x *DelegationToken) ProtoReflect() protoreflect.Message

        func (*DelegationToken) Reset

        func (x *DelegationToken) Reset()

        func (*DelegationToken) String

        func (x *DelegationToken) String() string

        type Subtoken

        // Subtoken is the signed payload carried by a DelegationToken. It identifies
        // who delegates what authority to whom, which services accept it, and for
        // how long it is valid.
        type Subtoken struct {
        
        	// What kind of token is this.
        	//
        	// Defines how it can be used. See comments for Kind enum.
        	Kind Subtoken_Kind `protobuf:"varint,8,opt,name=kind,proto3,enum=messages.Subtoken_Kind" json:"kind,omitempty"`
        	// Identifier of this subtoken as generated by the token server.
        	//
        	// Used for logging and tracking purposes.
        	SubtokenId int64 `protobuf:"varint,4,opt,name=subtoken_id,json=subtokenId,proto3" json:"subtoken_id,omitempty"`
        	// Identity whose authority is delegated.
        	//
        	// A string of the form "user:<email>".
        	DelegatedIdentity string `protobuf:"bytes,1,opt,name=delegated_identity,json=delegatedIdentity,proto3" json:"delegated_identity,omitempty"`
        	// Who requested this token.
        	//
        	// This can match delegated_identity if the user is delegating their own
        	// identity or it can be a different id if the token is actually
        	// an impersonation token.
        	RequestorIdentity string `protobuf:"bytes,7,opt,name=requestor_identity,json=requestorIdentity,proto3" json:"requestor_identity,omitempty"`
        	// When the token was generated (and when it becomes valid).
        	//
        	// Number of seconds since epoch (Unix timestamp).
        	//
        	// Together with validity_duration this bounds when the token is accepted,
        	// presumably [creation_time, creation_time+validity_duration].
        	// NOTE(review): confirm how the verifier treats clock skew at both edges.
        	CreationTime int64 `protobuf:"varint,2,opt,name=creation_time,json=creationTime,proto3" json:"creation_time,omitempty"`
        	// How long the token is considered valid (in seconds).
        	ValidityDuration int32 `protobuf:"varint,3,opt,name=validity_duration,json=validityDuration,proto3" json:"validity_duration,omitempty"`
        	// Who can present this token.
        	//
        	// Each item can be an identity string (e.g. "user:<email>"), a "group:<name>"
        	// string, or special "*" string which means "Any bearer can use the token".
        	//
        	// With "*" the token is a pure bearer credential: whoever holds the bytes
        	// can use it, so its blast radius is bounded only by services and
        	// validity_duration. Prefer an explicit audience where possible.
        	Audience []string `protobuf:"bytes,5,rep,name=audience,proto3" json:"audience,omitempty"`
        	// What services should accept this token.
        	//
        	// List of services (specified as service identities, e.g. "service:app-id")
        	// that should accept this token. May also contain special "*" string, which
        	// means "All services".
        	Services []string `protobuf:"bytes,6,rep,name=services,proto3" json:"services,omitempty"`
        	// Arbitrary key:value pairs embedded into the token by whoever requested it.
        	// They convey the circumstances under which the token was created.
        	//
        	// Services that accept the token may use them for additional authorization
        	// decisions. Please use extremely carefully, only when you control both sides
        	// of the delegation link and can guarantee that services involved understand
        	// the tags.
        	Tags []string `protobuf:"bytes,9,rep,name=tags,proto3" json:"tags,omitempty"`
        	// contains filtered or unexported fields
        }

          Identifies who delegates what authority to whom, and where it may be used.

          Next ID: 10.

          func (*Subtoken) Descriptor

          func (*Subtoken) Descriptor() ([]byte, []int)

            Deprecated: Use Subtoken.ProtoReflect.Descriptor instead.

            func (*Subtoken) GetAudience

            func (x *Subtoken) GetAudience() []string

            func (*Subtoken) GetCreationTime

            func (x *Subtoken) GetCreationTime() int64

            func (*Subtoken) GetDelegatedIdentity

            func (x *Subtoken) GetDelegatedIdentity() string

            func (*Subtoken) GetKind

            func (x *Subtoken) GetKind() Subtoken_Kind

            func (*Subtoken) GetRequestorIdentity

            func (x *Subtoken) GetRequestorIdentity() string

            func (*Subtoken) GetServices

            func (x *Subtoken) GetServices() []string

            func (*Subtoken) GetSubtokenId

            func (x *Subtoken) GetSubtokenId() int64

            func (*Subtoken) GetTags

            func (x *Subtoken) GetTags() []string

            func (*Subtoken) GetValidityDuration

            func (x *Subtoken) GetValidityDuration() int32

            func (*Subtoken) ProtoMessage

            func (*Subtoken) ProtoMessage()

            func (*Subtoken) ProtoReflect

            func (x *Subtoken) ProtoReflect() protoreflect.Message

            func (*Subtoken) Reset

            func (x *Subtoken) Reset()

            func (*Subtoken) String

            func (x *Subtoken) String() string

            type Subtoken_Kind

            // Subtoken_Kind says how a Subtoken may be used; see the constants below.
            type Subtoken_Kind int32
            const (
            	// This is to catch old tokens that don't have 'kind' field yet.
            	//
            	// Tokens of this kind are interpreted as 'BEARER_DELEGATION_TOKEN' for now,
            	// for compatibility. But eventually (when all backends are updated), they
            	// will become invalid (and there will be no way to generate them). This is
            	// needed to avoid old servers accidentally interpreting tokens of kind != 0 as
            	// BEARER_DELEGATION_TOKEN tokens.
            	//
            	// NOTE(review): while this fallback exists, a zero or absent kind still
            	// grants bearer semantics; confirm the cutover to rejecting it is tracked.
            	Subtoken_UNKNOWN_KIND Subtoken_Kind = 0
            	// The token of this kind can be sent in X-Delegation-Token-V1 HTTP header.
            	// The services will check all restrictions of the token, and will
            	// authenticate requests as coming from 'delegated_identity'.
            	Subtoken_BEARER_DELEGATION_TOKEN Subtoken_Kind = 1
            )

            func (Subtoken_Kind) Descriptor

            func (Subtoken_Kind) Enum

            func (x Subtoken_Kind) Enum() *Subtoken_Kind

            func (Subtoken_Kind) EnumDescriptor

            func (Subtoken_Kind) EnumDescriptor() ([]byte, []int)

              Deprecated: Use Subtoken_Kind.Descriptor instead.

              func (Subtoken_Kind) Number

              func (Subtoken_Kind) String

              func (x Subtoken_Kind) String() string

              func (Subtoken_Kind) Type