Documentation

Index

Constants

This section is empty.

Variables

// Enum value maps for ServiceLinkResponse_Status.
//
// NOTE(review): value 0 is SUCCESS. If the enclosing message is proto3 (as the
// messages shown in this package are), an unset status field also reads as 0,
// so a default-constructed or empty response looks the same as an explicit
// SUCCESS — confirm callers do not treat such a response as a confirmed link.
var (
	// ServiceLinkResponse_Status_name maps each numeric enum value to its name.
	ServiceLinkResponse_Status_name = map[int32]string{
		0: "SUCCESS",
		1: "TRANSPORT_ERROR",
		2: "BAD_TICKET",
		3: "AUTH_ERROR",
	}
	// ServiceLinkResponse_Status_value is the inverse map, from name to numeric value.
	ServiceLinkResponse_Status_value = map[string]int32{
		"SUCCESS":         0,
		"TRANSPORT_ERROR": 1,
		"BAD_TICKET":      2,
		"AUTH_ERROR":      3,
	}
)

    Enum value maps for ServiceLinkResponse_Status.

    // Enum value maps for ReplicationPushResponse_Status.
    //
    // NOTE(review): value 0 is APPLIED. If the enclosing message is proto3 (as
    // the messages shown in this package are), an unset status field also reads
    // as 0, so an empty response looks the same as an explicit APPLIED —
    // confirm the pusher does not take a default-valued response as proof that
    // a replica applied the AuthDB.
    var (
    	// ReplicationPushResponse_Status_name maps each numeric enum value to its name.
    	ReplicationPushResponse_Status_name = map[int32]string{
    		0: "APPLIED",
    		1: "SKIPPED",
    		2: "TRANSIENT_ERROR",
    		3: "FATAL_ERROR",
    	}
    	// ReplicationPushResponse_Status_value is the inverse map, from name to numeric value.
    	ReplicationPushResponse_Status_value = map[string]int32{
    		"APPLIED":         0,
    		"SKIPPED":         1,
    		"TRANSIENT_ERROR": 2,
    		"FATAL_ERROR":     3,
    	}
    )

      Enum value maps for ReplicationPushResponse_Status.

      // Enum value maps for ReplicationPushResponse_ErrorCode.
      //
      // NOTE(review): judging by their names, NOT_A_REPLICA, FORBIDDEN,
      // MISSING_SIGNATURE and BAD_SIGNATURE report that a push was rejected on
      // authentication/authorization grounds rather than because of a transient
      // fault; presumably these are worth surfacing in monitoring instead of
      // being retried blindly — confirm against the code that produces them.
      var (
      	// ReplicationPushResponse_ErrorCode_name maps each numeric enum value to its name.
      	ReplicationPushResponse_ErrorCode_name = map[int32]string{
      		0: "ERROR_UNKNOWN",
      		1: "NOT_A_REPLICA",
      		2: "FORBIDDEN",
      		3: "MISSING_SIGNATURE",
      		4: "BAD_SIGNATURE",
      		5: "BAD_REQUEST",
      	}
      	// ReplicationPushResponse_ErrorCode_value is the inverse map, from name to numeric value.
      	ReplicationPushResponse_ErrorCode_value = map[string]int32{
      		"ERROR_UNKNOWN":     0,
      		"NOT_A_REPLICA":     1,
      		"FORBIDDEN":         2,
      		"MISSING_SIGNATURE": 3,
      		"BAD_SIGNATURE":     4,
      		"BAD_REQUEST":       5,
      	}
      )

        Enum value maps for ReplicationPushResponse_ErrorCode.

        var File_components_auth_proto_realms_proto protoreflect.FileDescriptor
        var File_components_auth_proto_replication_proto protoreflect.FileDescriptor
        var File_components_auth_proto_security_config_proto protoreflect.FileDescriptor

        Functions

        This section is empty.

        Types

        type AuthDB

        // AuthDB is an entire database of auth configuration that is being replicated.
        //
        // NOTE(review): every field below feeds authentication or authorization
        // decisions in the services that receive it, so a consumer should only
        // ingest an AuthDB whose origin it has authenticated — how pushes are
        // authenticated is not visible in this listing, confirm.
        type AuthDB struct {
        
        	// OAuth2 client_id to use to mint new OAuth2 tokens.
        	OauthClientId string `protobuf:"bytes,1,opt,name=oauth_client_id,json=oauthClientId,proto3" json:"oauth_client_id,omitempty"`
        	// OAuth2 client secret. Not so secret really, since it's passed to clients.
        	//
        	// NOTE(review): because this value is handed to clients, it must not be
        	// relied on as a confidential credential.
        	OauthClientSecret string `protobuf:"bytes,2,opt,name=oauth_client_secret,json=oauthClientSecret,proto3" json:"oauth_client_secret,omitempty"`
        	// Additional OAuth2 client_ids allowed to access the services.
        	OauthAdditionalClientIds []string `` /* 137-byte string literal not displayed */
        	// All groups.
        	Groups []*AuthGroup `protobuf:"bytes,4,rep,name=groups,proto3" json:"groups,omitempty"`
        	// All IP whitelists.
        	IpWhitelists []*AuthIPWhitelist `protobuf:"bytes,6,rep,name=ip_whitelists,json=ipWhitelists,proto3" json:"ip_whitelists,omitempty"`
        	// Mapping 'account -> IP whitelist to use for that account'.
        	IpWhitelistAssignments []*AuthIPWhitelistAssignment `` /* 129-byte string literal not displayed */
        	// URL of a token server to use to generate delegation tokens.
        	//
        	// NOTE(review): consumers presumably send token requests to whatever URL
        	// arrives here, so this value is only as trustworthy as the AuthDB push
        	// that carried it — confirm.
        	TokenServerUrl string `protobuf:"bytes,8,opt,name=token_server_url,json=tokenServerUrl,proto3" json:"token_server_url,omitempty"`
        	// Serialized security_config.SecurityConfig proto with security-related
        	// configuration to distribute across all services.
        	//
        	// It is distributed in a serialized form to make sure old services ingest it
        	// fully, even if they don't understand some SecurityConfig proto fields
        	// (yet). As soon as their code is updated, they SHOULD start using all
        	// SecurityConfig fields, without waiting for another push from Auth Service.
        	//
        	// If we use SecurityConfig directly here, old services would just drop fields
        	// they don't understand when accepting an AuthDB push.
        	SecurityConfig []byte `protobuf:"bytes,9,opt,name=security_config,json=securityConfig,proto3" json:"security_config,omitempty"`
        	// Definition of all known permissions and realms in a LUCI deployment.
        	//
        	// It is ultimately used by LUCI services for authorizing access to resources.
        	// See realms.proto for more details.
        	Realms *Realms `protobuf:"bytes,11,opt,name=realms,proto3" json:"realms,omitempty"`
        	// contains filtered or unexported fields
        }

          An entire database of auth configuration that is being replicated.

          func (*AuthDB) Descriptor

          func (*AuthDB) Descriptor() ([]byte, []int)

            Deprecated: Use AuthDB.ProtoReflect.Descriptor instead.

            func (*AuthDB) GetGroups

            func (x *AuthDB) GetGroups() []*AuthGroup

            func (*AuthDB) GetIpWhitelistAssignments

            func (x *AuthDB) GetIpWhitelistAssignments() []*AuthIPWhitelistAssignment

            func (*AuthDB) GetIpWhitelists

            func (x *AuthDB) GetIpWhitelists() []*AuthIPWhitelist

            func (*AuthDB) GetOauthAdditionalClientIds

            func (x *AuthDB) GetOauthAdditionalClientIds() []string

            func (*AuthDB) GetOauthClientId

            func (x *AuthDB) GetOauthClientId() string

            func (*AuthDB) GetOauthClientSecret

            func (x *AuthDB) GetOauthClientSecret() string

            func (*AuthDB) GetRealms

            func (x *AuthDB) GetRealms() *Realms

            func (*AuthDB) GetSecurityConfig

            func (x *AuthDB) GetSecurityConfig() []byte

            func (*AuthDB) GetTokenServerUrl

            func (x *AuthDB) GetTokenServerUrl() string

            func (*AuthDB) ProtoMessage

            func (*AuthDB) ProtoMessage()

            func (*AuthDB) ProtoReflect

            func (x *AuthDB) ProtoReflect() protoreflect.Message

            func (*AuthDB) Reset

            func (x *AuthDB) Reset()

            func (*AuthDB) String

            func (x *AuthDB) String() string

            type AuthDBRevision

            // AuthDBRevision carries information about some particular revision of auth DB.
            type AuthDBRevision struct {
            
            	// GAE App ID of a service holding primary copy of Auth DB.
            	PrimaryId string `protobuf:"bytes,1,opt,name=primary_id,json=primaryId,proto3" json:"primary_id,omitempty"`
            	// Revision of Auth DB being pushed.
            	AuthDbRev int64 `protobuf:"varint,2,opt,name=auth_db_rev,json=authDbRev,proto3" json:"auth_db_rev,omitempty"`
            	// Timestamp of that revision by Primary's clock, microseconds since epoch.
            	//
            	// NOTE(review): this is the Primary's clock, so comparing it with local
            	// time is subject to clock skew; AuthDbRev is presumably the value to
            	// order revisions by — confirm.
            	ModifiedTs int64 `protobuf:"varint,3,opt,name=modified_ts,json=modifiedTs,proto3" json:"modified_ts,omitempty"`
            	// contains filtered or unexported fields
            }

              Information about some particular revision of auth DB.

              func (*AuthDBRevision) Descriptor

              func (*AuthDBRevision) Descriptor() ([]byte, []int)

                Deprecated: Use AuthDBRevision.ProtoReflect.Descriptor instead.

                func (*AuthDBRevision) GetAuthDbRev

                func (x *AuthDBRevision) GetAuthDbRev() int64

                func (*AuthDBRevision) GetModifiedTs

                func (x *AuthDBRevision) GetModifiedTs() int64

                func (*AuthDBRevision) GetPrimaryId

                func (x *AuthDBRevision) GetPrimaryId() string

                func (*AuthDBRevision) ProtoMessage

                func (*AuthDBRevision) ProtoMessage()

                func (*AuthDBRevision) ProtoReflect

                func (x *AuthDBRevision) ProtoReflect() protoreflect.Message

                func (*AuthDBRevision) Reset

                func (x *AuthDBRevision) Reset()

                func (*AuthDBRevision) String

                func (x *AuthDBRevision) String() string

                type AuthGroup

                // AuthGroup is some user group. Corresponds to AuthGroup entity in model.py.
                type AuthGroup struct {
                
                	// Name of the group.
                	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
                	// List of members that are explicitly in this group.
                	Members []string `protobuf:"bytes,2,rep,name=members,proto3" json:"members,omitempty"`
                	// List of identity-glob expressions (like 'user:*@example.com').
                	//
                	// NOTE(review): a glob presumably admits every identity that matches the
                	// pattern, so broad patterns are worth auditing when reviewing group
                	// contents — confirm the matching rules.
                	Globs []string `protobuf:"bytes,3,rep,name=globs,proto3" json:"globs,omitempty"`
                	// List of nested group names.
                	//
                	// NOTE(review): groups are referenced by name only; whether cycles or
                	// dangling names are rejected is not visible in this listing.
                	Nested []string `protobuf:"bytes,4,rep,name=nested,proto3" json:"nested,omitempty"`
                	// Human readable description.
                	Description string `protobuf:"bytes,5,opt,name=description,proto3" json:"description,omitempty"`
                	// When the group was created. Microseconds since epoch.
                	CreatedTs int64 `protobuf:"varint,6,opt,name=created_ts,json=createdTs,proto3" json:"created_ts,omitempty"`
                	// Who created the group.
                	CreatedBy string `protobuf:"bytes,7,opt,name=created_by,json=createdBy,proto3" json:"created_by,omitempty"`
                	// When the group was modified last time. Microseconds since epoch.
                	ModifiedTs int64 `protobuf:"varint,8,opt,name=modified_ts,json=modifiedTs,proto3" json:"modified_ts,omitempty"`
                	// Who modified the group last time.
                	ModifiedBy string `protobuf:"bytes,9,opt,name=modified_by,json=modifiedBy,proto3" json:"modified_by,omitempty"`
                	// A name of the group that can modify or delete this group.
                	Owners string `protobuf:"bytes,10,opt,name=owners,proto3" json:"owners,omitempty"`
                	// contains filtered or unexported fields
                }

                  Some user group. Corresponds to AuthGroup entity in model.py.

                  func (*AuthGroup) Descriptor

                  func (*AuthGroup) Descriptor() ([]byte, []int)

                    Deprecated: Use AuthGroup.ProtoReflect.Descriptor instead.

                    func (*AuthGroup) GetCreatedBy

                    func (x *AuthGroup) GetCreatedBy() string

                    func (*AuthGroup) GetCreatedTs

                    func (x *AuthGroup) GetCreatedTs() int64

                    func (*AuthGroup) GetDescription

                    func (x *AuthGroup) GetDescription() string

                    func (*AuthGroup) GetGlobs

                    func (x *AuthGroup) GetGlobs() []string

                    func (*AuthGroup) GetMembers

                    func (x *AuthGroup) GetMembers() []string

                    func (*AuthGroup) GetModifiedBy

                    func (x *AuthGroup) GetModifiedBy() string

                    func (*AuthGroup) GetModifiedTs

                    func (x *AuthGroup) GetModifiedTs() int64

                    func (*AuthGroup) GetName

                    func (x *AuthGroup) GetName() string

                    func (*AuthGroup) GetNested

                    func (x *AuthGroup) GetNested() []string

                    func (*AuthGroup) GetOwners

                    func (x *AuthGroup) GetOwners() string

                    func (*AuthGroup) ProtoMessage

                    func (*AuthGroup) ProtoMessage()

                    func (*AuthGroup) ProtoReflect

                    func (x *AuthGroup) ProtoReflect() protoreflect.Message

                    func (*AuthGroup) Reset

                    func (x *AuthGroup) Reset()

                    func (*AuthGroup) String

                    func (x *AuthGroup) String() string

                    type AuthIPWhitelist

                    // AuthIPWhitelist is a named set of whitelisted IP addresses.
                    // Corresponds to AuthIPWhitelist entity in model.py.
                    type AuthIPWhitelist struct {
                    
                    	// Name of the IP whitelist.
                    	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
                    	// The list of IP subnets.
                    	//
                    	// NOTE(review): entries are plain strings; their format (presumably
                    	// CIDR notation) and where they are validated are not shown here —
                    	// confirm before parsing.
                    	Subnets []string `protobuf:"bytes,2,rep,name=subnets,proto3" json:"subnets,omitempty"`
                    	// Human readable description.
                    	Description string `protobuf:"bytes,3,opt,name=description,proto3" json:"description,omitempty"`
                    	// When the list was created. Microseconds since epoch.
                    	CreatedTs int64 `protobuf:"varint,4,opt,name=created_ts,json=createdTs,proto3" json:"created_ts,omitempty"`
                    	// Who created the list.
                    	CreatedBy string `protobuf:"bytes,5,opt,name=created_by,json=createdBy,proto3" json:"created_by,omitempty"`
                    	// When the list was modified. Microseconds since epoch.
                    	ModifiedTs int64 `protobuf:"varint,6,opt,name=modified_ts,json=modifiedTs,proto3" json:"modified_ts,omitempty"`
                    	// Who modified the list the last time.
                    	ModifiedBy string `protobuf:"bytes,7,opt,name=modified_by,json=modifiedBy,proto3" json:"modified_by,omitempty"`
                    	// contains filtered or unexported fields
                    }

                      A named set of whitelisted IP addresses. Corresponds to AuthIPWhitelist entity in model.py.

                      func (*AuthIPWhitelist) Descriptor

                      func (*AuthIPWhitelist) Descriptor() ([]byte, []int)

                        Deprecated: Use AuthIPWhitelist.ProtoReflect.Descriptor instead.

                        func (*AuthIPWhitelist) GetCreatedBy

                        func (x *AuthIPWhitelist) GetCreatedBy() string

                        func (*AuthIPWhitelist) GetCreatedTs

                        func (x *AuthIPWhitelist) GetCreatedTs() int64

                        func (*AuthIPWhitelist) GetDescription

                        func (x *AuthIPWhitelist) GetDescription() string

                        func (*AuthIPWhitelist) GetModifiedBy

                        func (x *AuthIPWhitelist) GetModifiedBy() string

                        func (*AuthIPWhitelist) GetModifiedTs

                        func (x *AuthIPWhitelist) GetModifiedTs() int64

                        func (*AuthIPWhitelist) GetName

                        func (x *AuthIPWhitelist) GetName() string

                        func (*AuthIPWhitelist) GetSubnets

                        func (x *AuthIPWhitelist) GetSubnets() []string

                        func (*AuthIPWhitelist) ProtoMessage

                        func (*AuthIPWhitelist) ProtoMessage()

                        func (*AuthIPWhitelist) ProtoReflect

                        func (x *AuthIPWhitelist) ProtoReflect() protoreflect.Message

                        func (*AuthIPWhitelist) Reset

                        func (x *AuthIPWhitelist) Reset()

                        func (*AuthIPWhitelist) String

                        func (x *AuthIPWhitelist) String() string

                        type AuthIPWhitelistAssignment

                        // AuthIPWhitelistAssignment is a pair (identity, IP whitelist name) plus
                        // some metadata. Corresponds to AuthIPWhitelistAssignments.Assignment
                        // model in model.py.
                        type AuthIPWhitelistAssignment struct {
                        
                        	// Identity name to limit by IP whitelist.
                        	Identity string `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"`
                        	// Name of IP whitelist to use (see AuthIPWhitelist).
                        	//
                        	// NOTE(review): this is a reference by name; what happens when no
                        	// AuthIPWhitelist with that name exists is not visible here — a
                        	// consumer should presumably deny rather than skip the restriction,
                        	// confirm.
                        	IpWhitelist string `protobuf:"bytes,2,opt,name=ip_whitelist,json=ipWhitelist,proto3" json:"ip_whitelist,omitempty"`
                        	// Why the assignment was created.
                        	Comment string `protobuf:"bytes,3,opt,name=comment,proto3" json:"comment,omitempty"`
                        	// When the assignment was created. Microseconds since epoch.
                        	CreatedTs int64 `protobuf:"varint,4,opt,name=created_ts,json=createdTs,proto3" json:"created_ts,omitempty"`
                        	// Who created the assignment.
                        	CreatedBy string `protobuf:"bytes,5,opt,name=created_by,json=createdBy,proto3" json:"created_by,omitempty"`
                        	// contains filtered or unexported fields
                        }

                          A pair (identity, IP whitelist name) plus some metadata. Corresponds to AuthIPWhitelistAssignments.Assignment model in model.py.

                          func (*AuthIPWhitelistAssignment) Descriptor

                          func (*AuthIPWhitelistAssignment) Descriptor() ([]byte, []int)

                            Deprecated: Use AuthIPWhitelistAssignment.ProtoReflect.Descriptor instead.

                            func (*AuthIPWhitelistAssignment) GetComment

                            func (x *AuthIPWhitelistAssignment) GetComment() string

                            func (*AuthIPWhitelistAssignment) GetCreatedBy

                            func (x *AuthIPWhitelistAssignment) GetCreatedBy() string

                            func (*AuthIPWhitelistAssignment) GetCreatedTs

                            func (x *AuthIPWhitelistAssignment) GetCreatedTs() int64

                            func (*AuthIPWhitelistAssignment) GetIdentity

                            func (x *AuthIPWhitelistAssignment) GetIdentity() string

                            func (*AuthIPWhitelistAssignment) GetIpWhitelist

                            func (x *AuthIPWhitelistAssignment) GetIpWhitelist() string

                            func (*AuthIPWhitelistAssignment) ProtoMessage

                            func (*AuthIPWhitelistAssignment) ProtoMessage()

                            func (*AuthIPWhitelistAssignment) ProtoReflect

                            func (*AuthIPWhitelistAssignment) Reset

                            func (x *AuthIPWhitelistAssignment) Reset()

                            func (*AuthIPWhitelistAssignment) String

                            func (x *AuthIPWhitelistAssignment) String() string

                            type Binding

                            // Binding assigns all specified permissions to all specified principals.
                            type Binding struct {
                            
                            	// Permissions in increasing order of their indexes.
                            	//
                            	// This set is a subset of `permissions` in the Realms message. Each element
                            	// is an index of a permission in the `permissions` list in the Realms
                            	// message.
                            	//
                            	// These indexes are not stable across different copies of Realms message.
                            	// They must not be stored or processed in isolation from the containing
                            	// Realms message.
                            	//
                            	// NOTE(review): nothing in this type bounds the indexes; a consumer
                            	// should presumably check each one against the length of the Realms
                            	// `permissions` list before dereferencing it — confirm where that
                            	// validation happens.
                            	Permissions []uint32 `protobuf:"varint,1,rep,packed,name=permissions,proto3" json:"permissions,omitempty"`
                            	// A set of principals to grant all above permissions to.
                            	//
                            	// Each entry can either be an identity string (like "user:<email>") or a
                            	// LUCI group reference "group:<name>".
                            	//
                            	// Ordered alphabetically.
                            	Principals []string `protobuf:"bytes,2,rep,name=principals,proto3" json:"principals,omitempty"`
                            	// contains filtered or unexported fields
                            }

                              Binding assigns all specified permissions to all specified principals.

                              func (*Binding) Descriptor

                              func (*Binding) Descriptor() ([]byte, []int)

                                Deprecated: Use Binding.ProtoReflect.Descriptor instead.

                                func (*Binding) GetPermissions

                                func (x *Binding) GetPermissions() []uint32

                                func (*Binding) GetPrincipals

                                func (x *Binding) GetPrincipals() []string

                                func (*Binding) ProtoMessage

                                func (*Binding) ProtoMessage()

                                func (*Binding) ProtoReflect

                                func (x *Binding) ProtoReflect() protoreflect.Message

                                func (*Binding) Reset

                                func (x *Binding) Reset()

                                func (*Binding) String

                                func (x *Binding) String() string

                                type ChangeNotification

                                // ChangeNotification is published by Primary into the 'auth-db-changed'
                                // PubSub topic; the message body is a base64 encoded serialized
                                // ChangeNotification.
                                //
                                // NOTE(review): the package documentation lists the attributes
                                // X-AuthDB-SigKey-v1 (id of a public key) and X-AuthDB-SigVal-v1 (base64
                                // encoded RSA-SHA256 signature) alongside the message. A subscriber should
                                // presumably verify that signature against a key it already trusts before
                                // acting on Revision; exactly which bytes the signature covers is not
                                // shown in this listing — confirm against the publisher.
                                type ChangeNotification struct {
                                
                                	// New revision of the AuthDB.
                                	Revision *AuthDBRevision `protobuf:"bytes,1,opt,name=revision,proto3" json:"revision,omitempty"`
                                	// contains filtered or unexported fields
                                }

                                  Published by Primary into 'auth-db-changed' PubSub topic. The body of the message is base64 encoded serialized ChangeNotification. Additional attributes are:

                                  X-AuthDB-SigKey-v1: <id of a public key>
                                  X-AuthDB-SigVal-v1: <base64 encoded RSA-SHA256(blob) signature>
                                  

                                  func (*ChangeNotification) Descriptor

                                  func (*ChangeNotification) Descriptor() ([]byte, []int)

                                    Deprecated: Use ChangeNotification.ProtoReflect.Descriptor instead.

                                    func (*ChangeNotification) GetRevision

                                    func (x *ChangeNotification) GetRevision() *AuthDBRevision

                                    func (*ChangeNotification) ProtoMessage

                                    func (*ChangeNotification) ProtoMessage()

                                    func (*ChangeNotification) ProtoReflect

                                    func (x *ChangeNotification) ProtoReflect() protoreflect.Message

                                    func (*ChangeNotification) Reset

                                    func (x *ChangeNotification) Reset()

                                    func (*ChangeNotification) String

                                    func (x *ChangeNotification) String() string

                                    type Permission

                                    // Permission is a symbol of the form "<service>.<subject>.<verb>" that
                                    // names an elementary action on a category of resources managed by a kind
                                    // of LUCI service.
                                    //
                                    // Per the package documentation, a check against a permission that is not
                                    // listed in the Realms `permissions` set should yield a "no permission"
                                    // result and log a warning, i.e. an unknown permission never grants access.
                                    type Permission struct {
                                    	Name     string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`          // "<service>.<subject>.<verb>"
                                    	Internal bool   `protobuf:"varint,2,opt,name=internal,proto3" json:"internal,omitempty"` // internal permissions cannot be used in project realms
                                    	// contains filtered or unexported fields
                                    }

                                      Permission is a symbol that has form "<service>.<subject>.<verb>", which describes some elementary action ("<verb>") that can be done to some category of resources ("<subject>"), managed by some particular kind of LUCI service ("<service>").

                                      Within each individual realm (see Realm message), a principal (such as an end user or a service account) can have zero or more permissions that describe what this user can actually do to resources belonging to the realm. See Realm message for the definition of what "belonging to the realm" means.

                                      Examples of permissions:

                                      * buildbucket.build.create
                                      * swarming.pool.listBots
                                      * swarming.task.cancel
                                      

                                      Note that permission names are composed of generic terms, not some specific IDs of service deployments or resources. Generally, using a concrete permission name in the service's source code as a constant should look natural.

                                      A permission can be marked as "internal". Internal permissions are not allowed to appear in custom roles in user-defined project realms.cfg files. They can be used in internal realms (defined in realms.cfg in the LUCI Auth service config set, see comments for Realm message) and they are added to some predefined roles by the LUCI Auth service itself. They are used to setup ACLs for internal interactions between LUCI components.

                                      Each individual LUCI service should document what permissions it checks and when. It becomes a part of service's public API. Usually services should check only permissions of resources they own (e.g. "<service>.<subject>.*"), but in exceptional cases they may also check permissions intended for other services. This is primarily useful for services that somehow "proxy" access to resources.

                                      Field `permissions` in Realms message describes all permissions known to the LUCI Auth service. The LUCI Auth service guarantees that all permissions mentioned in all realms (in `realms` field) are among `permissions` set.

                                      If a LUCI service checks a permission that is no longer (or not yet) listed in the `permissions` set, the check should complete without an error but return a "no permission" result (i.e. access is denied), and produce a warning in the service's logs.

                                      func (*Permission) Descriptor

                                      func (*Permission) Descriptor() ([]byte, []int)

                                        Deprecated: Use Permission.ProtoReflect.Descriptor instead.

                                        func (*Permission) GetInternal

                                        func (x *Permission) GetInternal() bool

                                        func (*Permission) GetName

                                        func (x *Permission) GetName() string

                                        func (*Permission) ProtoMessage

                                        func (*Permission) ProtoMessage()

                                        func (*Permission) ProtoReflect

                                        func (x *Permission) ProtoReflect() protoreflect.Message

                                        func (*Permission) Reset

                                        func (x *Permission) Reset()

                                        func (*Permission) String

                                        func (x *Permission) String() string

                                        type Realm

                                        // Realm is a named collection of (<principal>, <permission>) pairs.
                                        type Realm struct {
                                        
                                        	// Name of the realm as "<project>:<realm>" string, where:
                                        	//   "<project>" matches `^([a-z0-9\-_]{1,100}|@internal)$`.
                                        	//   "<realm>" matches `^([a-z0-9_\.\-/]{1,400}|@root|@legacy)$`.
                                        	//
                                        	// NOTE(review): the patterns above are documentation; this type does
                                        	// not enforce them, so code that parses Name (for example to decide
                                        	// whether a realm is "@internal") should presumably validate it
                                        	// first — confirm where validation happens.
                                        	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
                                        	// A list of bindings in lexicographical order of their `permissions` fields.
                                        	Bindings []*Binding `protobuf:"bytes,2,rep,name=bindings,proto3" json:"bindings,omitempty"`
                                        	// Associated data extracted from the realms.cfg project config.
                                        	Data *RealmData `protobuf:"bytes,3,opt,name=data,proto3" json:"data,omitempty"`
                                        	// contains filtered or unexported fields
                                        }

                                          Realm is a named collection of (<principal>, <permission>) pairs.

                                          Realms are primarily defined in realms.cfg project config files. Such realms are called project realms. They are controlled by respective **project** owners and used to define ACLs for resources owned by these projects.

                                          There's a special set of realms (called internal realms or, sometimes, global realms) that are defined in realms.cfg in the LUCI Auth service config set. They are controlled by LUCI **deployment** owners and used to define ACLs for resources that are associated with LUCI deployment or LUCI services (and do not belong to any particular LUCI project). They are also allowed to use internal roles and permissions to define administrative-level ACLs (i.e. ACLs that transcend project boundaries).

                                          A full realm name has form "<project>:<realm>", where:

                                          * "<project>" is a name of the LUCI project that defined the realm or
                                            literal "@internal" for internal realms.
                                          * "<realm>" is a name of the realm from a realms.cfg config file. This name
                                            is also known as a project-scoped name, since it makes sense only within
                                            a scope of some concrete LUCI project.
                                          

                                          A LUCI resource can point to exactly one realm by referring to its full "<project>:<realm>" name. Such reference can either be calculated on the fly from other resource's properties, or be stored alongside the resource's data. We say that such resource "belongs to the realm" or "lives in the realm" or is just "in the realm". We also say that such resource belongs to the project "<project>". The corresponding Realm message then describes who can do what to the resource.

                                          The logic of how resources get assigned to realms is a part of the public API of the service that owns resources. Some services may use a static realm assignment via project configuration files, others may do it dynamically by accepting a realm when a resource is created via an RPC.

                                          There are two special realms (both optional) that a project can have: "<project>:@root" and "<project>:@legacy".

                                          The root realm should be used as a fallback when an existing resource points to a realm that doesn't exist. Without the root realm, such resources become effectively inaccessible and this may be undesirable. The root realm usually contains only administrative-level bindings.

                                          The legacy realm should be used for legacy resources created before the realms mechanism was introduced in case the service can't figure out a more appropriate realm based on resource's properties. The service must clearly document when and how it uses the legacy realm (if it uses it at all).

                                          The actual list of (<principal>, <permission>) pairs is defined via a list of bindings, where each binding basically says "all these principals have all these permissions". In other words, each binding defines some subset of permissions and the overall realm permissions is a union of all such subsets. Subsets defined by bindings may potentially intersect or be empty.

                                          The LUCI Auth service constructs bindings by interpreting realms.cfg files using some set of rules. Individual LUCI services **must not care** about what these rules really are. They should use only the end result (in the form of bindings) provided in the Realm message. This allows to decouple the high-level user-facing language for defining permissions from the implementation of each individual LUCI service that checks permissions.

                                          A realm can also carry some small amount of data (usually auth related) that LUCI services use when dealing with this realm. It should be something that all (or at least more than one) LUCI services use. Configuration specific to a single service should be in this service's project config instead.

                                          func (*Realm) Descriptor

                                          func (*Realm) Descriptor() ([]byte, []int)

                                            Deprecated: Use Realm.ProtoReflect.Descriptor instead.

                                            func (*Realm) GetBindings

                                            func (x *Realm) GetBindings() []*Binding

                                            func (*Realm) GetData

                                            func (x *Realm) GetData() *RealmData

                                            func (*Realm) GetName

                                            func (x *Realm) GetName() string

                                            func (*Realm) ProtoMessage

                                            func (*Realm) ProtoMessage()

                                            func (*Realm) ProtoReflect

                                            func (x *Realm) ProtoReflect() protoreflect.Message

                                            func (*Realm) Reset

                                            func (x *Realm) Reset()

                                            func (*Realm) String

                                            func (x *Realm) String() string

                                            type RealmData

                                            // RealmData is semi-arbitrary non-ACL data extracted from the realms.cfg
                                            // project config and attached to a realm.
                                            type RealmData struct {
                                            
                                            	// Used only during Realms migration to gradually roll out the enforcement.
                                            	//
                                            	// Repeated string field (enforce_in_service on the wire).
                                            	// NOTE(review): presumably each entry names a LUCI service in which realm
                                            	// checks are enforced for this realm; confirm against realms.proto. A
                                            	// service reading this should decide explicitly what an empty list means
                                            	// for it rather than treating it as "no access control".
                                            	EnforceInService []string `protobuf:"bytes,1,rep,name=enforce_in_service,json=enforceInService,proto3" json:"enforce_in_service,omitempty"`
                                            	// contains filtered or unexported fields
                                            }

                                              RealmData is semi-arbitrary non-ACL data extracted from the realms.cfg project config and attached to a realm.

                                              func (*RealmData) Descriptor

                                              func (*RealmData) Descriptor() ([]byte, []int)

                                                Deprecated: Use RealmData.ProtoReflect.Descriptor instead.

                                                func (*RealmData) GetEnforceInService

                                                func (x *RealmData) GetEnforceInService() []string

                                                func (*RealmData) ProtoMessage

                                                func (*RealmData) ProtoMessage()

                                                func (*RealmData) ProtoReflect

                                                func (x *RealmData) ProtoReflect() protoreflect.Message

                                                func (*RealmData) Reset

                                                func (x *RealmData) Reset()

                                                func (*RealmData) String

                                                func (x *RealmData) String() string

                                                type Realms

                                                // Realms is a complete definition of all known permissions and realms in a
                                                // LUCI deployment, distributed to LUCI services as part of the AuthDB.
                                                type Realms struct {
                                                
                                                	// API version is incremented whenever the semantic meaning of Realms message
                                                	// changes in some backward incompatible way (e.g. some message grows a new
                                                	// field that *must* be checked by services). LUCI services must reject Realms
                                                	// messages that have API versions they don't recognize. It is a precaution
                                                	// against misinterpreting the realms configuration.
                                                	//
                                                	// The current version is 1.
                                                	//
                                                	// NOTE(review): consumers should make this check before using Permissions
                                                	// or Realms, so that a message with an unknown version is never partially
                                                	// interpreted when evaluating access.
                                                	ApiVersion int64 `protobuf:"varint,1,opt,name=api_version,json=apiVersion,proto3" json:"api_version,omitempty"`
                                                	// List of all possible permissions in alphabetical order.
                                                	//
                                                	// Acts as a universal set of permissions in Binding messages.
                                                	//
                                                	// Services may also use this field to check that permissions they are about
                                                	// to use are actually known to the LUCI auth system. This is useful for
                                                	// debugging when adding or removing permissions.
                                                	//
                                                	// See Permission message for more details.
                                                	Permissions []*Permission `protobuf:"bytes,2,rep,name=permissions,proto3" json:"permissions,omitempty"`
                                                	// List of all registered realms in alphabetical order.
                                                	//
                                                	// See Realm message for more details.
                                                	Realms []*Realm `protobuf:"bytes,3,rep,name=realms,proto3" json:"realms,omitempty"`
                                                	// contains filtered or unexported fields
                                                }

                                                  Realms is a complete definition of all known permissions and realms in a LUCI deployment.

                                                  It is generated and distributed across all LUCI services (as part of the AuthDB) by the LUCI Auth service.

                                                  Note that this is a denormalized internal representation of realms which is derived from the high level user-facing representation supplied via multiple realms.cfg config files in various config sets. See comments for Realm message for details.

                                                  The internal representation doesn't have a notion of roles or realm inheritance. These concepts are handled by the LUCI Auth service and individual downstream services generally **must not care** how it works. Instead they should follow the rules outlined in comments in this file (or equivalently just use the Realms API exposed by the LUCI auth libraries).

                                                  func (*Realms) Descriptor

                                                  func (*Realms) Descriptor() ([]byte, []int)

                                                    Deprecated: Use Realms.ProtoReflect.Descriptor instead.

                                                    func (*Realms) GetApiVersion

                                                    func (x *Realms) GetApiVersion() int64

                                                    func (*Realms) GetPermissions

                                                    func (x *Realms) GetPermissions() []*Permission

                                                    func (*Realms) GetRealms

                                                    func (x *Realms) GetRealms() []*Realm

                                                    func (*Realms) ProtoMessage

                                                    func (*Realms) ProtoMessage()

                                                    func (*Realms) ProtoReflect

                                                    func (x *Realms) ProtoReflect() protoreflect.Message

                                                    func (*Realms) Reset

                                                    func (x *Realms) Reset()

                                                    func (*Realms) String

                                                    func (x *Realms) String() string

                                                    type ReplicationPushRequest

                                                    // ReplicationPushRequest is sent from Primary to Replica to update Replica's
                                                    // AuthDB.
                                                    //
                                                    // The signature over the serialized message travels in the
                                                    // X-AuthDB-SigKey-v1 / X-AuthDB-SigVal-v1 HTTP headers; none of the exported
                                                    // fields below carries it.
                                                    // NOTE(review): a Replica should therefore verify the signature over the raw
                                                    // request bytes before deserializing or applying AuthDb. Confirm that the
                                                    // receiving handler does so.
                                                    type ReplicationPushRequest struct {
                                                    
                                                    	// Revision that is being pushed.
                                                    	Revision *AuthDBRevision `protobuf:"bytes,1,opt,name=revision,proto3" json:"revision,omitempty"`
                                                    	// An entire database of auth configuration for specific revision.
                                                    	AuthDb *AuthDB `protobuf:"bytes,2,opt,name=auth_db,json=authDb,proto3" json:"auth_db,omitempty"`
                                                    	// Version of 'auth' component on Primary, see components/auth/version.py.
                                                    	AuthCodeVersion string `protobuf:"bytes,3,opt,name=auth_code_version,json=authCodeVersion,proto3" json:"auth_code_version,omitempty"`
                                                    	// contains filtered or unexported fields
                                                    }

                                                      Sent from Primary to Replica to update Replica's AuthDB.

                                                      Primary signs the entire serialized message with its private key and appends two headers to the HTTP request that carries the blob:

                                                      X-AuthDB-SigKey-v1: <id of a public key>
                                                      X-AuthDB-SigVal-v1: <base64 encoded RSA-SHA256(SHA512(blob)) signature>
                                                      

                                                      Binary serialization of ReplicationPushRequest is sometimes misleadingly called "AuthDB blob". It is stored in Datastore (as is) and in Google Storage (as serialized SignedAuthDB) for consumers that do not use the Primary -> Replica protocol.

                                                      func (*ReplicationPushRequest) Descriptor

                                                      func (*ReplicationPushRequest) Descriptor() ([]byte, []int)

                                                        Deprecated: Use ReplicationPushRequest.ProtoReflect.Descriptor instead.

                                                        func (*ReplicationPushRequest) GetAuthCodeVersion

                                                        func (x *ReplicationPushRequest) GetAuthCodeVersion() string

                                                        func (*ReplicationPushRequest) GetAuthDb

                                                        func (x *ReplicationPushRequest) GetAuthDb() *AuthDB

                                                        func (*ReplicationPushRequest) GetRevision

                                                        func (x *ReplicationPushRequest) GetRevision() *AuthDBRevision

                                                        func (*ReplicationPushRequest) ProtoMessage

                                                        func (*ReplicationPushRequest) ProtoMessage()

                                                        func (*ReplicationPushRequest) ProtoReflect

                                                        func (x *ReplicationPushRequest) ProtoReflect() protoreflect.Message

                                                        func (*ReplicationPushRequest) Reset

                                                        func (x *ReplicationPushRequest) Reset()

                                                        func (*ReplicationPushRequest) String

                                                        func (x *ReplicationPushRequest) String() string

                                                        type ReplicationPushResponse

                                                        // ReplicationPushResponse is Replica's response to ReplicationPushRequest.
                                                        type ReplicationPushResponse struct {
                                                        
                                                        	// Overall status of the operation.
                                                        	Status ReplicationPushResponse_Status `protobuf:"varint,1,opt,name=status,proto3,enum=components.auth.ReplicationPushResponse_Status" json:"status,omitempty"`
                                                        	// Revision known by Replica (set for APPLIED and SKIPPED statuses).
                                                        	CurrentRevision *AuthDBRevision `protobuf:"bytes,2,opt,name=current_revision,json=currentRevision,proto3" json:"current_revision,omitempty"`
                                                        	// Present for TRANSIENT_ERROR and FATAL_ERROR statuses.
                                                        	//
                                                        	// NOTE(review): the zero value of this enum is ERROR_UNKNOWN, so an unset
                                                        	// field presumably reads as ERROR_UNKNOWN; branch on Status first and only
                                                        	// then interpret ErrorCode.
                                                        	ErrorCode ReplicationPushResponse_ErrorCode `` /* 144-byte string literal not displayed */
                                                        	// Version of 'auth' component on Replica, see components/auth/version.py.
                                                        	AuthCodeVersion string `protobuf:"bytes,4,opt,name=auth_code_version,json=authCodeVersion,proto3" json:"auth_code_version,omitempty"`
                                                        	// contains filtered or unexported fields
                                                        }

                                                          Replica's response to ReplicationPushRequest.

                                                          func (*ReplicationPushResponse) Descriptor

                                                          func (*ReplicationPushResponse) Descriptor() ([]byte, []int)

                                                            Deprecated: Use ReplicationPushResponse.ProtoReflect.Descriptor instead.

                                                            func (*ReplicationPushResponse) GetAuthCodeVersion

                                                            func (x *ReplicationPushResponse) GetAuthCodeVersion() string

                                                            func (*ReplicationPushResponse) GetCurrentRevision

                                                            func (x *ReplicationPushResponse) GetCurrentRevision() *AuthDBRevision

                                                            func (*ReplicationPushResponse) GetErrorCode

                                                            func (*ReplicationPushResponse) GetStatus

                                                            func (*ReplicationPushResponse) ProtoMessage

                                                            func (*ReplicationPushResponse) ProtoMessage()

                                                            func (*ReplicationPushResponse) ProtoReflect

                                                            func (x *ReplicationPushResponse) ProtoReflect() protoreflect.Message

                                                            func (*ReplicationPushResponse) Reset

                                                            func (x *ReplicationPushResponse) Reset()

                                                            func (*ReplicationPushResponse) String

                                                            func (x *ReplicationPushResponse) String() string

                                                            type ReplicationPushResponse_ErrorCode

                                                            type ReplicationPushResponse_ErrorCode int32

                                                              Error codes, for TRANSIENT_ERROR and FATAL_ERROR statuses.

                                                              // Values of ReplicationPushResponse_ErrorCode, reported for TRANSIENT_ERROR
                                                              // and FATAL_ERROR statuses.
                                                              const (
                                                              	// Some unrecognized error. This is also the zero value of the enum.
                                                              	ReplicationPushResponse_ERROR_UNKNOWN ReplicationPushResponse_ErrorCode = 0
                                                              	// Trying to push an update to a service that is not a replica.
                                                              	ReplicationPushResponse_NOT_A_REPLICA ReplicationPushResponse_ErrorCode = 1
                                                              	// Replica doesn't know about the service that is pushing the update.
                                                              	ReplicationPushResponse_FORBIDDEN ReplicationPushResponse_ErrorCode = 2
                                                              	// Signature headers are missing (presumably the X-AuthDB-SigKey-v1 and
                                                              	// X-AuthDB-SigVal-v1 headers described on ReplicationPushRequest).
                                                              	ReplicationPushResponse_MISSING_SIGNATURE ReplicationPushResponse_ErrorCode = 3
                                                              	// Signature is not valid.
                                                              	ReplicationPushResponse_BAD_SIGNATURE ReplicationPushResponse_ErrorCode = 4
                                                              	// Format of the request is not valid.
                                                              	ReplicationPushResponse_BAD_REQUEST ReplicationPushResponse_ErrorCode = 5
                                                              )

                                                              func (ReplicationPushResponse_ErrorCode) Descriptor

                                                              func (ReplicationPushResponse_ErrorCode) Enum

                                                              func (ReplicationPushResponse_ErrorCode) EnumDescriptor

                                                              func (ReplicationPushResponse_ErrorCode) EnumDescriptor() ([]byte, []int)

                                                                Deprecated: Use ReplicationPushResponse_ErrorCode.Descriptor instead.

                                                                func (ReplicationPushResponse_ErrorCode) Number

                                                                func (ReplicationPushResponse_ErrorCode) String

                                                                func (ReplicationPushResponse_ErrorCode) Type

                                                                type ReplicationPushResponse_Status

                                                                type ReplicationPushResponse_Status int32

                                                                  Overall status of the operation.

                                                                  // Values of ReplicationPushResponse_Status, the overall status of a push.
                                                                  const (
                                                                  	// Replica accepted the push request and updated its copy of auth db.
                                                                  	// This is also the zero value of the enum.
                                                                  	ReplicationPushResponse_APPLIED ReplicationPushResponse_Status = 0
                                                                  	// Replica has a newer version of AuthDB, the push request is skipped.
                                                                  	ReplicationPushResponse_SKIPPED ReplicationPushResponse_Status = 1
                                                                  	// Non-fatal error happened, the push request may be retried.
                                                                  	ReplicationPushResponse_TRANSIENT_ERROR ReplicationPushResponse_Status = 2
                                                                  	// Fatal error happened, the push request must not be retried.
                                                                  	ReplicationPushResponse_FATAL_ERROR ReplicationPushResponse_Status = 3
                                                                  )

                                                                  func (ReplicationPushResponse_Status) Descriptor

                                                                  func (ReplicationPushResponse_Status) Enum

                                                                  func (ReplicationPushResponse_Status) EnumDescriptor

                                                                  func (ReplicationPushResponse_Status) EnumDescriptor() ([]byte, []int)

                                                                    Deprecated: Use ReplicationPushResponse_Status.Descriptor instead.

                                                                    func (ReplicationPushResponse_Status) Number

                                                                    func (ReplicationPushResponse_Status) String

                                                                    func (ReplicationPushResponse_Status) Type

                                                                    type SecurityConfig

                                                                    // SecurityConfig is read from 'security.cfg' by Auth Service and distributed
                                                                    // to all linked services (in its serialized form) as part of AuthDB proto.
                                                                    type SecurityConfig struct {
                                                                    
                                                                    	// A list of regular expressions matching hostnames that should be recognized
                                                                    	// as being a part of single LUCI deployment.
                                                                    	//
                                                                    	// Different microservices within a single LUCI deployment may trust each
                                                                    	// other. This setting (coupled with the TLS certificate check) allows
                                                                    	// a service to recognize that a target of an RPC is another internal service
                                                                    	// belonging to the same LUCI deployment.
                                                                    	//
                                                                    	// '^' and '$' are implied. The regexp language is intersection of Python and
                                                                    	// Golang regexp languages and thus should use only very standard features
                                                                    	// common to both.
                                                                    	//
                                                                    	// Example: "(.*-dot-)?chromium-swarm\.appspot\.com".
                                                                    	//
                                                                    	// Because a match marks a host as internal, keep each pattern as narrow as
                                                                    	// possible and escape literal dots as the example does: an unescaped '.'
                                                                    	// matches any character and widens the set of hostnames that are trusted.
                                                                    	// NOTE(review): the implied anchors only hold if the consumer performs a
                                                                    	// full match; confirm each implementation anchors the pattern itself.
                                                                    	InternalServiceRegexp []string `` /* 126-byte string literal not displayed */
                                                                    	// contains filtered or unexported fields
                                                                    }

                                                                      SecurityConfig is read from 'security.cfg' by Auth Service and distributed to all linked services (in its serialized form) as part of AuthDB proto.

                                                                      See AuthDB.security_config in replication.proto.

                                                                      func (*SecurityConfig) Descriptor

                                                                      func (*SecurityConfig) Descriptor() ([]byte, []int)

                                                                        Deprecated: Use SecurityConfig.ProtoReflect.Descriptor instead.

                                                                        func (*SecurityConfig) GetInternalServiceRegexp

                                                                        func (x *SecurityConfig) GetInternalServiceRegexp() []string

                                                                        func (*SecurityConfig) ProtoMessage

                                                                        func (*SecurityConfig) ProtoMessage()

                                                                        func (*SecurityConfig) ProtoReflect

                                                                        func (x *SecurityConfig) ProtoReflect() protoreflect.Message

                                                                        func (*SecurityConfig) Reset

                                                                        func (x *SecurityConfig) Reset()

                                                                        func (*SecurityConfig) String

                                                                        func (x *SecurityConfig) String() string

                                                                        type ServiceLinkRequest

                                                                        // ServiceLinkRequest is sent from Replica to Primary via a direct
                                                                        // service <-> service HTTP call.
                                                                        //
                                                                        // NOTE(review): every field here is supplied by the calling Replica. The
                                                                        // documentation of this type says the replica's app_id is available via the
                                                                        // X-Appengine-Inbound-Appid header; presumably Primary relies on that header
                                                                        // and on Ticket, not on ReplicaUrl or InitiatedBy, when deciding whether to
                                                                        // link. Confirm against the handler.
                                                                        type ServiceLinkRequest struct {
                                                                        
                                                                        	// Same ticket that was passed to Replica via ServiceLinkTicket.
                                                                        	Ticket []byte `protobuf:"bytes,1,opt,name=ticket,proto3" json:"ticket,omitempty"`
                                                                        	// URL to use when making requests to Replica from Primary.
                                                                        	ReplicaUrl string `protobuf:"bytes,2,opt,name=replica_url,json=replicaUrl,proto3" json:"replica_url,omitempty"`
                                                                        	// Identity of a user that accepted the ticket and initiated this request.
                                                                        	InitiatedBy string `protobuf:"bytes,3,opt,name=initiated_by,json=initiatedBy,proto3" json:"initiated_by,omitempty"`
                                                                        	// contains filtered or unexported fields
                                                                        }

                                                                          Sent from Replica to Primary via a direct service <-> service HTTP call; the replica's app_id would be available via the X-Appengine-Inbound-Appid header.

                                                                          func (*ServiceLinkRequest) Descriptor

                                                                          func (*ServiceLinkRequest) Descriptor() ([]byte, []int)

                                                                            Deprecated: Use ServiceLinkRequest.ProtoReflect.Descriptor instead.

                                                                            func (*ServiceLinkRequest) GetInitiatedBy

                                                                            func (x *ServiceLinkRequest) GetInitiatedBy() string

                                                                            func (*ServiceLinkRequest) GetReplicaUrl

                                                                            func (x *ServiceLinkRequest) GetReplicaUrl() string

                                                                            func (*ServiceLinkRequest) GetTicket

                                                                            func (x *ServiceLinkRequest) GetTicket() []byte

                                                                            func (*ServiceLinkRequest) ProtoMessage

                                                                            func (*ServiceLinkRequest) ProtoMessage()

                                                                            func (*ServiceLinkRequest) ProtoReflect

                                                                            func (x *ServiceLinkRequest) ProtoReflect() protoreflect.Message

                                                                            func (*ServiceLinkRequest) Reset

                                                                            func (x *ServiceLinkRequest) Reset()

                                                                            func (*ServiceLinkRequest) String

                                                                            func (x *ServiceLinkRequest) String() string

                                                                            type ServiceLinkResponse

                                                                            // ServiceLinkResponse is Primary's response to ServiceLinkRequest.
                                                                            //
                                                                            // It is always returned with HTTP code 200, so the HTTP status alone does not
                                                                            // tell the caller whether linking succeeded; inspect Status.
                                                                            type ServiceLinkResponse struct {
                                                                            	// Outcome of the linking attempt; see ServiceLinkResponse_Status.
                                                                            	Status ServiceLinkResponse_Status `protobuf:"varint,1,opt,name=status,proto3,enum=components.auth.ServiceLinkResponse_Status" json:"status,omitempty"`
                                                                            	// contains filtered or unexported fields
                                                                            }

                                                                              Primary's response to ServiceLinkRequest. Always returned with HTTP code 200.

                                                                              func (*ServiceLinkResponse) Descriptor

                                                                              func (*ServiceLinkResponse) Descriptor() ([]byte, []int)

                                                                                Deprecated: Use ServiceLinkResponse.ProtoReflect.Descriptor instead.

                                                                                func (*ServiceLinkResponse) GetStatus

                                                                                func (*ServiceLinkResponse) ProtoMessage

                                                                                func (*ServiceLinkResponse) ProtoMessage()

                                                                                func (*ServiceLinkResponse) ProtoReflect

                                                                                func (x *ServiceLinkResponse) ProtoReflect() protoreflect.Message

                                                                                func (*ServiceLinkResponse) Reset

                                                                                func (x *ServiceLinkResponse) Reset()

                                                                                func (*ServiceLinkResponse) String

                                                                                func (x *ServiceLinkResponse) String() string

                                                                                type ServiceLinkResponse_Status

                                                                                type ServiceLinkResponse_Status int32

                                                                                  Status codes.

                                                                                  // Values of ServiceLinkResponse_Status.
                                                                                  const (
                                                                                  	// The service is now linked and primary will be pushing updates to it.
                                                                                  	// This is also the zero value of the enum.
                                                                                  	ServiceLinkResponse_SUCCESS ServiceLinkResponse_Status = 0
                                                                                  	// Primary does not reply.
                                                                                  	ServiceLinkResponse_TRANSPORT_ERROR ServiceLinkResponse_Status = 1
                                                                                  	// Linking ticket is invalid or expired.
                                                                                  	ServiceLinkResponse_BAD_TICKET ServiceLinkResponse_Status = 2
                                                                                  	// Linking ticket was generated for another app, not the calling one.
                                                                                  	ServiceLinkResponse_AUTH_ERROR ServiceLinkResponse_Status = 3
                                                                                  )

                                                                                  func (ServiceLinkResponse_Status) Descriptor

                                                                                  func (ServiceLinkResponse_Status) Enum

                                                                                  func (ServiceLinkResponse_Status) EnumDescriptor

                                                                                  func (ServiceLinkResponse_Status) EnumDescriptor() ([]byte, []int)

                                                                                    Deprecated: Use ServiceLinkResponse_Status.Descriptor instead.

                                                                                    func (ServiceLinkResponse_Status) Number

                                                                                    func (ServiceLinkResponse_Status) String

                                                                                    func (ServiceLinkResponse_Status) Type

                                                                                    type ServiceLinkTicket

                                                                                    type ServiceLinkTicket struct {
                                                                                    
                                                                                    	// GAE application ID of Primary that generated this ticket. Replica will send
                                                                                    	// ServiceLinkRequest to this service when it processes the ticket.
                                                                                    	PrimaryId string `protobuf:"bytes,1,opt,name=primary_id,json=primaryId,proto3" json:"primary_id,omitempty"`
                                                                                    	// URL to the root page of a primary service, i.e. https://<...>.appspot.com.
                                                                                    	// Useful when testing on dev appserver and on non-default version.
                                                                                    	//
                                                                                    	// NOTE(review): primary_id and primary_url decide which service the replica
                                                                                    	// will contact and start trusting. The 'ticket' description below lists only
                                                                                    	// the replica app_id, a timestamp and an HMAC tag, so these two fields are
                                                                                    	// presumably not authenticated by the ticket itself. The replica side should
                                                                                    	// accept a ticket only from an authorized administrator and validate the URL
                                                                                    	// (e.g. scheme, host) before using it. Confirm against the replica handler.
                                                                                    	PrimaryUrl string `protobuf:"bytes,2,opt,name=primary_url,json=primaryUrl,proto3" json:"primary_url,omitempty"`
                                                                                    	// Identity of a user that generated this ticket.
                                                                                    	// NOTE(review): carried next to the opaque blob, not described as part of
                                                                                    	// it; presumably informational and not suitable for authorization decisions
                                                                                    	// on the replica. Confirm.
                                                                                    	GeneratedBy string `protobuf:"bytes,3,opt,name=generated_by,json=generatedBy,proto3" json:"generated_by,omitempty"`
                                                                                    	// Opaque blob passed back to Primary in ServiceLinkRequest. Its exact
                                                                                    	// structure is an implementation detail of Primary. It contains app_id of
                                                                                    	// a replica this ticket is intended for, timestamp and HMAC tag.
                                                                                    	//
                                                                                    	// Only Primary is described as interpreting this blob, so integrity and
                                                                                    	// expiry checks on it are Primary's job; a replica should pass it back
                                                                                    	// unmodified. Until it expires the blob acts as a credential for linking,
                                                                                    	// so it should be kept out of logs and error messages.
                                                                                    	Ticket []byte `protobuf:"bytes,4,opt,name=ticket,proto3" json:"ticket,omitempty"`
                                                                                    	// contains filtered or unexported fields
                                                                                    }

                                                                                      ServiceLinkTicket is generated by Primary and passed to Replica to initiate the linking process.

                                                                                      func (*ServiceLinkTicket) Descriptor

                                                                                      func (*ServiceLinkTicket) Descriptor() ([]byte, []int)

                                                                                        Deprecated: Use ServiceLinkTicket.ProtoReflect.Descriptor instead.

                                                                                        func (*ServiceLinkTicket) GetGeneratedBy

                                                                                        func (x *ServiceLinkTicket) GetGeneratedBy() string

                                                                                        func (*ServiceLinkTicket) GetPrimaryId

                                                                                        func (x *ServiceLinkTicket) GetPrimaryId() string

                                                                                        func (*ServiceLinkTicket) GetPrimaryUrl

                                                                                        func (x *ServiceLinkTicket) GetPrimaryUrl() string

                                                                                        func (*ServiceLinkTicket) GetTicket

                                                                                        func (x *ServiceLinkTicket) GetTicket() []byte

                                                                                        func (*ServiceLinkTicket) ProtoMessage

                                                                                        func (*ServiceLinkTicket) ProtoMessage()

                                                                                        func (*ServiceLinkTicket) ProtoReflect

                                                                                        func (x *ServiceLinkTicket) ProtoReflect() protoreflect.Message

                                                                                        func (*ServiceLinkTicket) Reset

                                                                                        func (x *ServiceLinkTicket) Reset()

                                                                                        func (*ServiceLinkTicket) String

                                                                                        func (x *ServiceLinkTicket) String() string

                                                                                        type SignedAuthDB

                                                                                        type SignedAuthDB struct {
                                                                                        
                                                                                        	// Serialized ReplicationPushRequest message with actual data.
                                                                                        	//
                                                                                        	// Contains revision information and AuthDB itself.
                                                                                        	//
                                                                                        	// This is the only field covered by 'signature'. Consumers should
                                                                                        	// deserialize it only after the signature check described below succeeds.
                                                                                        	AuthDbBlob []byte `protobuf:"bytes,1,opt,name=auth_db_blob,json=authDbBlob,proto3" json:"auth_db_blob,omitempty"`
                                                                                        	// Service account name whose key was used to sign the AuthDB blob.
                                                                                        	//
                                                                                        	// Not covered by 'signature': this is a claim to compare against the signer
                                                                                        	// the consumer already expects (step 1 below), not proof of who signed.
                                                                                        	SignerId string `protobuf:"bytes,2,opt,name=signer_id,json=signerId,proto3" json:"signer_id,omitempty"`
                                                                                        	// ID of the signing key.
                                                                                        	//
                                                                                        	// Also outside the signed data; it only selects which public key of the
                                                                                        	// expected signer is used for verification (step 2 below).
                                                                                        	SigningKeyId string `protobuf:"bytes,3,opt,name=signing_key_id,json=signingKeyId,proto3" json:"signing_key_id,omitempty"`
                                                                                        	// The signature of auth_db_blob field.
                                                                                        	//
                                                                                        	// It is RS256(SHA512(auth_db_blob)).
                                                                                        	//
                                                                                        	// Where:
                                                                                        	//   * RS256 is RSASSA-PKCS1-v1_5 using SHA-256, see RS256 algo in RFC7518.
                                                                                        	//   * SHA512 is a byte string (64 bytes) with SHA-512 digest of its input.
                                                                                        	//
                                                                                        	// Such peculiar structure is due to limitations of GAE signing infrastructure
                                                                                        	// (RS256 function can accept at most 8KB of input).
                                                                                        	//
                                                                                        	// Consumers of SignedAuthDB are expected to do the following:
                                                                                        	//   1. Check 'signer_id' is what they expect.
                                                                                        	//   2. Use https://www.googleapis.com/service_accounts/v1/metadata/x509/...
                                                                                        	//      endpoint to get the signer's public key with ID 'signing_key_id'.
                                                                                        	//   3. Construct to-be-signed string as SHA512(auth_db_blob).
                                                                                        	//   4. Verify 'signature' matches to-be-signed string using the public key
                                                                                        	//      from step 2.
                                                                                        	//
                                                                                        	// Notes for implementers of the steps above:
                                                                                        	//   * The to-be-signed string is the raw 64-byte SHA-512 digest, not a hex
                                                                                        	//     or base64 rendering of it. Because RS256 hashes its input with SHA-256,
                                                                                        	//     the value checked by the RSASSA-PKCS1-v1_5 primitive is
                                                                                        	//     SHA-256(SHA-512(auth_db_blob)).
                                                                                        	//   * Step 1 comes first because 'signer_id' and 'signing_key_id' are not
                                                                                        	//     signed; a key should be fetched only for a signer the consumer already
                                                                                        	//     trusts.
                                                                                        	//   * A failure at any step (unexpected signer, unknown key ID, key fetch
                                                                                        	//     error, signature mismatch) should reject the whole snapshot rather
                                                                                        	//     than fall back to using auth_db_blob unverified.
                                                                                        	//   * NOTE(review): the URL in step 2 is elided here; presumably it is
                                                                                        	//     completed with the expected signer's service account name. Confirm.
                                                                                        	Signature []byte `protobuf:"bytes,4,opt,name=signature,proto3" json:"signature,omitempty"`
                                                                                        	// contains filtered or unexported fields
                                                                                        }

                                                                                          SignedAuthDB contains serialized and signed AuthDB proto.

                                                                                          It is used to store AuthDB snapshots in Google Storage. Signing is used as a defense against unauthorized writes to the storage bucket.

                                                                                          func (*SignedAuthDB) Descriptor

                                                                                          func (*SignedAuthDB) Descriptor() ([]byte, []int)

                                                                                            Deprecated: Use SignedAuthDB.ProtoReflect.Descriptor instead.

                                                                                            func (*SignedAuthDB) GetAuthDbBlob

                                                                                            func (x *SignedAuthDB) GetAuthDbBlob() []byte

                                                                                            func (*SignedAuthDB) GetSignature

                                                                                            func (x *SignedAuthDB) GetSignature() []byte

                                                                                            func (*SignedAuthDB) GetSignerId

                                                                                            func (x *SignedAuthDB) GetSignerId() string

                                                                                            func (*SignedAuthDB) GetSigningKeyId

                                                                                            func (x *SignedAuthDB) GetSigningKeyId() string

                                                                                            func (*SignedAuthDB) ProtoMessage

                                                                                            func (*SignedAuthDB) ProtoMessage()

                                                                                            func (*SignedAuthDB) ProtoReflect

                                                                                            func (x *SignedAuthDB) ProtoReflect() protoreflect.Message

                                                                                            func (*SignedAuthDB) Reset

                                                                                            func (x *SignedAuthDB) Reset()

                                                                                            func (*SignedAuthDB) String

                                                                                            func (x *SignedAuthDB) String() string