Documentation

Overview

    Package admin contains The Token Server Administrative and Config API.

    Services defined here are used by service administrators.

    Index

    Constants

    This section is empty.

    Variables

    // Admin_ServiceDesc is the grpc.ServiceDesc for the Admin service. It maps
    // each RPC name of "tokenserver.admin.Admin" to its generated handler and is
    // meant to be passed to grpc.RegisterService, not inspected or modified.
    //
    // NOTE(review): the descriptor only binds method names to handlers; nothing
    // in it says who may call them. These are administrator-facing RPCs (config
    // import and token inspection), so access control presumably lives in the
    // server implementation or an interceptor. Confirm before exposing.
    var Admin_ServiceDesc = grpc.ServiceDesc{
    	ServiceName: "tokenserver.admin.Admin",
    	HandlerType: (*AdminServer)(nil),
    	Methods: []grpc.MethodDesc{
    		// Config import RPCs.
    		{
    			MethodName: "ImportCAConfigs",
    			Handler:    _Admin_ImportCAConfigs_Handler,
    		},
    		{
    			MethodName: "ImportDelegationConfigs",
    			Handler:    _Admin_ImportDelegationConfigs_Handler,
    		},
    		{
    			MethodName: "ImportServiceAccountsConfigs",
    			Handler:    _Admin_ImportServiceAccountsConfigs_Handler,
    		},
    		{
    			MethodName: "ImportProjectIdentityConfigs",
    			Handler:    _Admin_ImportProjectIdentityConfigs_Handler,
    		},
    		{
    			MethodName: "ImportProjectOwnedAccountsConfigs",
    			Handler:    _Admin_ImportProjectOwnedAccountsConfigs_Handler,
    		},
    		// Token inspection RPCs.
    		{
    			MethodName: "InspectMachineToken",
    			Handler:    _Admin_InspectMachineToken_Handler,
    		},
    		{
    			MethodName: "InspectDelegationToken",
    			Handler:    _Admin_InspectDelegationToken_Handler,
    		},
    		{
    			MethodName: "InspectOAuthTokenGrant",
    			Handler:    _Admin_InspectOAuthTokenGrant_Handler,
    		},
    	},
    	// No streaming RPCs are registered for this service.
    	Streams:  []grpc.StreamDesc{},
    	Metadata: "go.chromium.org/luci/tokenserver/api/admin/v1/admin.proto",
    }

      Admin_ServiceDesc is the grpc.ServiceDesc for Admin service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy)

      // CertificateAuthorities_ServiceDesc is the grpc.ServiceDesc for the
      // CertificateAuthorities service. It maps each RPC name of
      // "tokenserver.admin.CertificateAuthorities" to its generated handler and is
      // meant to be passed to grpc.RegisterService, not inspected or modified.
      //
      // NOTE(review): FetchCRL makes the server perform a fetch, while the other
      // four methods report CA and certificate status. The descriptor itself carries
      // no authorization data; confirm where callers are checked.
      var CertificateAuthorities_ServiceDesc = grpc.ServiceDesc{
      	ServiceName: "tokenserver.admin.CertificateAuthorities",
      	HandlerType: (*CertificateAuthoritiesServer)(nil),
      	Methods: []grpc.MethodDesc{
      		{
      			MethodName: "FetchCRL",
      			Handler:    _CertificateAuthorities_FetchCRL_Handler,
      		},
      		{
      			MethodName: "ListCAs",
      			Handler:    _CertificateAuthorities_ListCAs_Handler,
      		},
      		{
      			MethodName: "GetCAStatus",
      			Handler:    _CertificateAuthorities_GetCAStatus_Handler,
      		},
      		{
      			MethodName: "IsRevokedCert",
      			Handler:    _CertificateAuthorities_IsRevokedCert_Handler,
      		},
      		{
      			MethodName: "CheckCertificate",
      			Handler:    _CertificateAuthorities_CheckCertificate_Handler,
      		},
      	},
      	// No streaming RPCs are registered for this service.
      	Streams:  []grpc.StreamDesc{},
      	Metadata: "go.chromium.org/luci/tokenserver/api/admin/v1/certificate_authorities.proto",
      }

        CertificateAuthorities_ServiceDesc is the grpc.ServiceDesc for CertificateAuthorities service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy)

        var File_go_chromium_org_luci_tokenserver_api_admin_v1_admin_proto protoreflect.FileDescriptor
        var File_go_chromium_org_luci_tokenserver_api_admin_v1_certificate_authorities_proto protoreflect.FileDescriptor
        var File_go_chromium_org_luci_tokenserver_api_admin_v1_config_proto protoreflect.FileDescriptor

        Functions

        func FileDescriptorSet

        func FileDescriptorSet() *descriptorpb.FileDescriptorSet

          FileDescriptorSet returns a descriptor set for this proto package, which includes all defined services, and all transitive dependencies.

          Will not return nil.

          Do NOT modify the returned descriptor.

          func RegisterAdminServer

          func RegisterAdminServer(s grpc.ServiceRegistrar, srv AdminServer)

          func RegisterCertificateAuthoritiesServer

          func RegisterCertificateAuthoritiesServer(s grpc.ServiceRegistrar, srv CertificateAuthoritiesServer)

          Types

          type AdminClient

          // AdminClient is the client API for the Admin service: five config-import
          // RPCs followed by three token-inspection RPCs.
          //
          // NOTE(review): every method here is administrator-facing. Nothing in this
          // interface enforces that; authorization is presumably checked on the
          // server side. Confirm against the server implementation.
          type AdminClient interface {
          	// ImportCAConfigs makes the server read 'tokenserver.cfg'.
          	//
          	// Like the other Import* calls, the request is empty.Empty: the caller
          	// triggers the import but does not choose which file is read.
          	ImportCAConfigs(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error)
          	// ImportDelegationConfigs makes the server read 'delegation.cfg'.
          	ImportDelegationConfigs(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error)
          	// ImportServiceAccountsConfigs makes the server read 'service_accounts.cfg'.
          	ImportServiceAccountsConfigs(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error)
          	// ImportProjectIdentityConfigs makes the server read 'projects.cfg'.
          	ImportProjectIdentityConfigs(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error)
          	// ImportProjectOwnedAccountsConfigs makes the server read 'project_owned_accounts.cfg'.
          	ImportProjectOwnedAccountsConfigs(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error)
          	// InspectMachineToken decodes a machine token and verifies it is valid.
          	//
          	// It verifies the token was signed by a private key of the token server and
          	// checks token's expiration time and revocation status.
          	//
          	// It tries to give as much information about the token and its status as
          	// possible (e.g. it checks for revocation status even if token is already
          	// expired).
          	//
          	// Administrators can use this call to debug issues with tokens.
          	//
          	// NOTE(review): the request type is not shown here; it presumably carries
          	// the raw token, which should be handled as a credential (kept out of logs
          	// and traces) even when it is submitted only for debugging.
          	//
          	// Returns:
          	//   InspectMachineTokenResponse for tokens of supported kind.
          	//   grpc.InvalidArgument error for unsupported token kind.
          	//   grpc.Internal error for transient errors.
          	InspectMachineToken(ctx context.Context, in *InspectMachineTokenRequest, opts ...grpc.CallOption) (*InspectMachineTokenResponse, error)
          	// InspectDelegationToken decodes a delegation token and verifies it is valid.
          	//
          	// It verifies the token was signed by a private key of the token server and
          	// checks token's expiration time.
          	//
          	// It tries to give as much information about the token and its status as
          	// possible (e.g. attempts to decode the body even if the signing key has been
          	// rotated already).
          	//
          	// Administrators can use this call to debug issues with tokens.
          	//
          	// NOTE(review): when the signature cannot be checked (rotated key), the
          	// decoded body is presumably unauthenticated data. Treat it as diagnostic
          	// output and rely on the response's validity indication; confirm against
          	// InspectDelegationTokenResponse.
          	//
          	// Returns:
          	//   InspectDelegationTokenResponse for tokens of supported kind.
          	//   grpc.InvalidArgument error for unsupported token kind.
          	//   grpc.Internal error for transient errors.
          	InspectDelegationToken(ctx context.Context, in *InspectDelegationTokenRequest, opts ...grpc.CallOption) (*InspectDelegationTokenResponse, error)
          	// InspectOAuthTokenGrant decodes OAuth token grant and verifies it is valid.
          	//
          	// It verifies the token was signed by a private key of the token server and
          	// checks token's expiration time.
          	//
          	// It tries to give as much information about the token and its status as
          	// possible (e.g. attempts to decode the body even if the signing key has been
          	// rotated already).
          	//
          	// Administrators can use this call to debug issues with tokens.
          	//
          	// NOTE(review): as with delegation tokens, a body decoded after key
          	// rotation is presumably unauthenticated; confirm how the response marks
          	// that case before acting on the decoded fields.
          	//
          	// Returns:
          	//   InspectOAuthTokenGrantResponse for tokens of supported kind.
          	//   grpc.InvalidArgument error for unsupported token kind.
          	//   grpc.Internal error for transient errors.
          	InspectOAuthTokenGrant(ctx context.Context, in *InspectOAuthTokenGrantRequest, opts ...grpc.CallOption) (*InspectOAuthTokenGrantResponse, error)
          }

            AdminClient is the client API for Admin service.

            For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

            func NewAdminClient

            func NewAdminClient(cc grpc.ClientConnInterface) AdminClient

            type AdminServer

            // AdminServer is the server API for the Admin service. All implementations
            // must embed UnimplementedAdminServer for forward compatibility.
            //
            // NOTE(review): the method signatures take only a context and a request, so
            // the caller's identity has to come from the context. Each implementation
            // (or an interceptor in front of it) is presumably responsible for
            // restricting these calls to administrators. Confirm where that check lives.
            type AdminServer interface {
            	// ImportCAConfigs makes the server read 'tokenserver.cfg'.
            	//
            	// Like the other Import* calls, the request is empty.Empty: the caller
            	// triggers the import but does not choose which file is read.
            	ImportCAConfigs(context.Context, *empty.Empty) (*ImportedConfigs, error)
            	// ImportDelegationConfigs makes the server read 'delegation.cfg'.
            	ImportDelegationConfigs(context.Context, *empty.Empty) (*ImportedConfigs, error)
            	// ImportServiceAccountsConfigs makes the server read 'service_accounts.cfg'.
            	ImportServiceAccountsConfigs(context.Context, *empty.Empty) (*ImportedConfigs, error)
            	// ImportProjectIdentityConfigs makes the server read 'projects.cfg'.
            	ImportProjectIdentityConfigs(context.Context, *empty.Empty) (*ImportedConfigs, error)
            	// ImportProjectOwnedAccountsConfigs makes the server read 'project_owned_accounts.cfg'.
            	ImportProjectOwnedAccountsConfigs(context.Context, *empty.Empty) (*ImportedConfigs, error)
            	// InspectMachineToken decodes a machine token and verifies it is valid.
            	//
            	// It verifies the token was signed by a private key of the token server and
            	// checks token's expiration time and revocation status.
            	//
            	// It tries to give as much information about the token and its status as
            	// possible (e.g. it checks for revocation status even if token is already
            	// expired).
            	//
            	// Administrators can use this call to debug issues with tokens.
            	//
            	// NOTE(review): the request presumably carries the raw token; an
            	// implementation should keep it out of logs and error messages.
            	//
            	// Returns:
            	//   InspectMachineTokenResponse for tokens of supported kind.
            	//   grpc.InvalidArgument error for unsupported token kind.
            	//   grpc.Internal error for transient errors.
            	InspectMachineToken(context.Context, *InspectMachineTokenRequest) (*InspectMachineTokenResponse, error)
            	// InspectDelegationToken decodes a delegation token and verifies it is valid.
            	//
            	// It verifies the token was signed by a private key of the token server and
            	// checks token's expiration time.
            	//
            	// It tries to give as much information about the token and its status as
            	// possible (e.g. attempts to decode the body even if the signing key has been
            	// rotated already).
            	//
            	// Administrators can use this call to debug issues with tokens.
            	//
            	// NOTE(review): a body decoded without a verifiable signature is
            	// presumably unauthenticated; the response should make that state
            	// unambiguous. Confirm against InspectDelegationTokenResponse.
            	//
            	// Returns:
            	//   InspectDelegationTokenResponse for tokens of supported kind.
            	//   grpc.InvalidArgument error for unsupported token kind.
            	//   grpc.Internal error for transient errors.
            	InspectDelegationToken(context.Context, *InspectDelegationTokenRequest) (*InspectDelegationTokenResponse, error)
            	// InspectOAuthTokenGrant decodes OAuth token grant and verifies it is valid.
            	//
            	// It verifies the token was signed by a private key of the token server and
            	// checks token's expiration time.
            	//
            	// It tries to give as much information about the token and its status as
            	// possible (e.g. attempts to decode the body even if the signing key has been
            	// rotated already).
            	//
            	// Administrators can use this call to debug issues with tokens.
            	//
            	// NOTE(review): same caveat as InspectDelegationToken regarding bodies
            	// decoded after the signing key was rotated.
            	//
            	// Returns:
            	//   InspectOAuthTokenGrantResponse for tokens of supported kind.
            	//   grpc.InvalidArgument error for unsupported token kind.
            	//   grpc.Internal error for transient errors.
            	InspectOAuthTokenGrant(context.Context, *InspectOAuthTokenGrantRequest) (*InspectOAuthTokenGrantResponse, error)
            	// contains filtered or unexported methods
            }

              AdminServer is the server API for Admin service. All implementations must embed UnimplementedAdminServer for forward compatibility

              type CRLStatus

              // CRLStatus describes the latest known state of imported CRL.
              //
              // LastUpdateTime is when the CA generated the CRL and LastFetchTime is when
              // it was fetched, so the two together bound how old the revocation data is.
              //
              // NOTE(review): revocation answers can only be as fresh as the last
              // successful fetch; monitoring the age of LastFetchTime is presumably the
              // way to notice a stalled CRL import. Confirm against the fetch schedule.
              type CRLStatus struct {
              	LastUpdateTime    *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=last_update_time,json=lastUpdateTime,proto3" json:"last_update_time,omitempty"`           // time when CRL was generated by the CA
              	LastFetchTime     *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=last_fetch_time,json=lastFetchTime,proto3" json:"last_fetch_time,omitempty"`              // time when CRL was fetched
              	LastFetchEtag     string                 `protobuf:"bytes,3,opt,name=last_fetch_etag,json=lastFetchEtag,proto3" json:"last_fetch_etag,omitempty"`              // etag of last successfully fetched CRL
              	RevokedCertsCount int64                  `protobuf:"varint,4,opt,name=revoked_certs_count,json=revokedCertsCount,proto3" json:"revoked_certs_count,omitempty"` // number of revoked certificates in the CRL
              	// contains filtered or unexported fields
              }

                CRLStatus describes the latest known state of imported CRL.

                func (*CRLStatus) Descriptor

                func (*CRLStatus) Descriptor() ([]byte, []int)

                  Deprecated: Use CRLStatus.ProtoReflect.Descriptor instead.

                  func (*CRLStatus) GetLastFetchEtag

                  func (x *CRLStatus) GetLastFetchEtag() string

                  func (*CRLStatus) GetLastFetchTime

                  func (x *CRLStatus) GetLastFetchTime() *timestamppb.Timestamp

                  func (*CRLStatus) GetLastUpdateTime

                  func (x *CRLStatus) GetLastUpdateTime() *timestamppb.Timestamp

                  func (*CRLStatus) GetRevokedCertsCount

                  func (x *CRLStatus) GetRevokedCertsCount() int64

                  func (*CRLStatus) ProtoMessage

                  func (*CRLStatus) ProtoMessage()

                  func (*CRLStatus) ProtoReflect

                  func (x *CRLStatus) ProtoReflect() protoreflect.Message

                  func (*CRLStatus) Reset

                  func (x *CRLStatus) Reset()

                  func (*CRLStatus) String

                  func (x *CRLStatus) String() string

                  type CertificateAuthoritiesClient

                  // CertificateAuthoritiesClient is the client API for the
                  // CertificateAuthorities service.
                  type CertificateAuthoritiesClient interface {
                  	// FetchCRL makes the server fetch a CRL for some CA.
                  	FetchCRL(ctx context.Context, in *FetchCRLRequest, opts ...grpc.CallOption) (*FetchCRLResponse, error)
                  	// ListCAs returns a list of Common Names of registered CAs.
                  	ListCAs(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*ListCAsResponse, error)
                  	// GetCAStatus returns configuration of some CA defined in the config.
                  	GetCAStatus(ctx context.Context, in *GetCAStatusRequest, opts ...grpc.CallOption) (*GetCAStatusResponse, error)
                  	// IsRevokedCert says whether a certificate serial number is in the CRL.
                  	//
                  	// NOTE(review): the answer reflects the CRL the server currently holds,
                  	// so it is presumably only as fresh as the last successful fetch. A
                  	// "not revoked" result against a stale CRL is weaker than it looks.
                  	IsRevokedCert(ctx context.Context, in *IsRevokedCertRequest, opts ...grpc.CallOption) (*IsRevokedCertResponse, error)
                  	// CheckCertificate says whether a certificate is valid or not.
                  	//
                  	// Check the returned error before reading the response: a nil or
                  	// zero-valued response must not be read as a verdict.
                  	CheckCertificate(ctx context.Context, in *CheckCertificateRequest, opts ...grpc.CallOption) (*CheckCertificateResponse, error)
                  }

                    CertificateAuthoritiesClient is the client API for CertificateAuthorities service.

                    For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

                    type CertificateAuthoritiesServer

                    // CertificateAuthoritiesServer is the server API for the
                    // CertificateAuthorities service. All implementations must embed
                    // UnimplementedCertificateAuthoritiesServer for forward compatibility.
                    type CertificateAuthoritiesServer interface {
                    	// FetchCRL makes the server fetch a CRL for some CA.
                    	//
                    	// NOTE(review): this triggers an outbound fetch on the caller's
                    	// request; the destination presumably comes from the CA's configured
                    	// crl_url rather than from the request. Confirm against FetchCRLRequest.
                    	FetchCRL(context.Context, *FetchCRLRequest) (*FetchCRLResponse, error)
                    	// ListCAs returns a list of Common Names of registered CAs.
                    	ListCAs(context.Context, *empty.Empty) (*ListCAsResponse, error)
                    	// GetCAStatus returns configuration of some CA defined in the config.
                    	GetCAStatus(context.Context, *GetCAStatusRequest) (*GetCAStatusResponse, error)
                    	// IsRevokedCert says whether a certificate serial number is in the CRL.
                    	IsRevokedCert(context.Context, *IsRevokedCertRequest) (*IsRevokedCertResponse, error)
                    	// CheckCertificate says whether a certificate is valid or not.
                    	//
                    	// The request carries a caller-supplied PEM certificate, so an
                    	// implementation should treat it as untrusted input when parsing.
                    	CheckCertificate(context.Context, *CheckCertificateRequest) (*CheckCertificateResponse, error)
                    	// contains filtered or unexported methods
                    }

                      CertificateAuthoritiesServer is the server API for CertificateAuthorities service. All implementations must embed UnimplementedCertificateAuthoritiesServer for forward compatibility

                      type CertificateAuthorityConfig

                      // CertificateAuthorityConfig defines a single CA we trust.
                      //
                      // Each entry names a root certificate (CertPath), the URL its CRL is fetched
                      // from (CrlUrl), and the per-domain parameters used when handling machines
                      // whose certificates chain to this CA (KnownDomains).
                      //
                      // NOTE(review): when UseOauth is true an Authorization header is sent to
                      // CrlUrl, so that URL should point at an endpoint trusted to receive the
                      // server's OAuth token, and OauthScopes should be kept to the minimum the
                      // CRL endpoint needs. Presumably the URL is expected to be HTTPS; confirm.
                      type CertificateAuthorityConfig struct {
                      	UniqueId    int64    `protobuf:"varint,6,opt,name=unique_id,json=uniqueId,proto3" json:"unique_id,omitempty"`         // ID of this CA, will be embedded into tokens.
                      	Cn          string   `protobuf:"bytes,1,opt,name=cn,proto3" json:"cn,omitempty"`                                      // CA Common Name, must match Subject CN in the cert
                      	CertPath    string   `protobuf:"bytes,2,opt,name=cert_path,json=certPath,proto3" json:"cert_path,omitempty"`          // path to the root certificate file in luci-config
                      	CrlUrl      string   `protobuf:"bytes,3,opt,name=crl_url,json=crlUrl,proto3" json:"crl_url,omitempty"`                // where to fetch CRL from
                      	UseOauth    bool     `protobuf:"varint,4,opt,name=use_oauth,json=useOauth,proto3" json:"use_oauth,omitempty"`         // true to send Authorization header when fetching CRL
                      	OauthScopes []string `protobuf:"bytes,7,rep,name=oauth_scopes,json=oauthScopes,proto3" json:"oauth_scopes,omitempty"` // OAuth scopes to use when fetching CRL
                      	// KnownDomains describes parameters to use for each particular domain.
                      	//
                      	// NOTE(review): this list acts as an allowlist of machine domains for
                      	// this CA; what happens for a domain that is not listed is not stated
                      	// here. Confirm it is rejected rather than given defaults.
                      	KnownDomains []*DomainConfig `protobuf:"bytes,5,rep,name=known_domains,json=knownDomains,proto3" json:"known_domains,omitempty"`
                      	// contains filtered or unexported fields
                      }

                        CertificateAuthorityConfig defines a single CA we trust.

                        Such a CA issues certificates for nodes that use The Token Service. Each node has a private key and a certificate with Common Name set to the FQDN of this node, e.g. "CN=slave43-c1.c.chromecompute.google.com.internal".

                        The Token Server uses this CN to derive an identity string for a machine. It splits FQDN into a hostname ("slave43-c1") and a domain name ("c.chromecompute.google.com.internal"), searches for a domain name in "known_domains" set, and, if it is present, uses parameters described there for generating a token that contains machine's FQDN and certificate serial number (among other things, see MachineTokenBody in machine_token.proto).

                        func (*CertificateAuthorityConfig) Descriptor

                        func (*CertificateAuthorityConfig) Descriptor() ([]byte, []int)

                          Deprecated: Use CertificateAuthorityConfig.ProtoReflect.Descriptor instead.

                          func (*CertificateAuthorityConfig) GetCertPath

                          func (x *CertificateAuthorityConfig) GetCertPath() string

                          func (*CertificateAuthorityConfig) GetCn

                          func (*CertificateAuthorityConfig) GetCrlUrl

                          func (x *CertificateAuthorityConfig) GetCrlUrl() string

                          func (*CertificateAuthorityConfig) GetKnownDomains

                          func (x *CertificateAuthorityConfig) GetKnownDomains() []*DomainConfig

                          func (*CertificateAuthorityConfig) GetOauthScopes

                          func (x *CertificateAuthorityConfig) GetOauthScopes() []string

                          func (*CertificateAuthorityConfig) GetUniqueId

                          func (x *CertificateAuthorityConfig) GetUniqueId() int64

                          func (*CertificateAuthorityConfig) GetUseOauth

                          func (x *CertificateAuthorityConfig) GetUseOauth() bool

                          func (*CertificateAuthorityConfig) ProtoMessage

                          func (*CertificateAuthorityConfig) ProtoMessage()

                          func (*CertificateAuthorityConfig) ProtoReflect

                          func (*CertificateAuthorityConfig) Reset

                          func (x *CertificateAuthorityConfig) Reset()

                          func (*CertificateAuthorityConfig) String

                          func (x *CertificateAuthorityConfig) String() string

                          type CheckCertificateRequest

                          // CheckCertificateRequest contains a pem encoded certificate to check.
                          //
                          // NOTE(review): CertPem is caller-supplied text; the server presumably
                          // parses it before validation, so size and format limits belong on the
                          // server side. Confirm against the handler.
                          type CheckCertificateRequest struct {
                          	CertPem string `protobuf:"bytes,1,opt,name=cert_pem,json=certPem,proto3" json:"cert_pem,omitempty"` // pem encoded certificate to check for validity
                          	// contains filtered or unexported fields
                          }

                            CheckCertificateRequest contains a pem encoded certificate to check.

                            func (*CheckCertificateRequest) Descriptor

                            func (*CheckCertificateRequest) Descriptor() ([]byte, []int)

                              Deprecated: Use CheckCertificateRequest.ProtoReflect.Descriptor instead.

                              func (*CheckCertificateRequest) GetCertPem

                              func (x *CheckCertificateRequest) GetCertPem() string

                              func (*CheckCertificateRequest) ProtoMessage

                              func (*CheckCertificateRequest) ProtoMessage()

                              func (*CheckCertificateRequest) ProtoReflect

                              func (x *CheckCertificateRequest) ProtoReflect() protoreflect.Message

                              func (*CheckCertificateRequest) Reset

                              func (x *CheckCertificateRequest) Reset()

                              func (*CheckCertificateRequest) String

                              func (x *CheckCertificateRequest) String() string

                              type CheckCertificateResponse

                              // CheckCertificateResponse is returned by CheckCertificate.
                              //
                              // IsValid is a proto3 bool, so an unset field reads as false: a missing
                              // value is seen as "not valid" rather than "valid". InvalidReason is
                              // free-form text and is only meaningful when IsValid is false.
                              type CheckCertificateResponse struct {
                              	IsValid       bool   `protobuf:"varint,1,opt,name=is_valid,json=isValid,proto3" json:"is_valid,omitempty"`                  // true when certificate is valid
                              	InvalidReason string `protobuf:"bytes,2,opt,name=invalid_reason,json=invalidReason,proto3" json:"invalid_reason,omitempty"` // a reason for certificate invalidity if it is invalid
                              	// contains filtered or unexported fields
                              }

                                CheckCertificateResponse is returned by CheckCertificate.

                                func (*CheckCertificateResponse) Descriptor

                                func (*CheckCertificateResponse) Descriptor() ([]byte, []int)

                                  Deprecated: Use CheckCertificateResponse.ProtoReflect.Descriptor instead.

                                  func (*CheckCertificateResponse) GetInvalidReason

                                  func (x *CheckCertificateResponse) GetInvalidReason() string

                                  func (*CheckCertificateResponse) GetIsValid

                                  func (x *CheckCertificateResponse) GetIsValid() bool

                                  func (*CheckCertificateResponse) ProtoMessage

                                  func (*CheckCertificateResponse) ProtoMessage()

                                  func (*CheckCertificateResponse) ProtoReflect

                                  func (x *CheckCertificateResponse) ProtoReflect() protoreflect.Message

                                  func (*CheckCertificateResponse) Reset

                                  func (x *CheckCertificateResponse) Reset()

                                  func (*CheckCertificateResponse) String

                                  func (x *CheckCertificateResponse) String() string

                                  type DelegationPermissions

                                  // DelegationPermissions is read from delegation.cfg in luci-config.
                                  type DelegationPermissions struct {
                                  
                                  	// Rules specify what calls to MintDelegationToken are allowed.
                                  	//
                                  	// Rules are evaluated independently. One and only one rule should match the
                                  	// request to allow the operation. If no rule or more than one rule matches,
                                  	// the request will be denied.
                                  	//
                                  	// Evaluation therefore fails closed on ambiguity: adding a rule that
                                  	// overlaps an existing one turns previously allowed requests into
                                  	// denials instead of widening access.
                                  	//
                                  	// See DelegationRule comments for more details.
                                  	Rules []*DelegationRule `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
                                  	// contains filtered or unexported fields
                                  }

                                    DelegationPermissions is read from delegation.cfg in luci-config.

                                    func (*DelegationPermissions) Descriptor

                                    func (*DelegationPermissions) Descriptor() ([]byte, []int)

                                      Deprecated: Use DelegationPermissions.ProtoReflect.Descriptor instead.

                                      func (*DelegationPermissions) GetRules

                                      func (x *DelegationPermissions) GetRules() []*DelegationRule

                                      func (*DelegationPermissions) ProtoMessage

                                      func (*DelegationPermissions) ProtoMessage()

                                      func (*DelegationPermissions) ProtoReflect

                                      func (x *DelegationPermissions) ProtoReflect() protoreflect.Message

                                      func (*DelegationPermissions) Reset

                                      func (x *DelegationPermissions) Reset()

                                      func (*DelegationPermissions) String

                                      func (x *DelegationPermissions) String() string

                                      type DelegationRule

                                      // DelegationRule describes a single allowed case of using delegation tokens.
                                      //
                                      // Each field below is matched against one part of a MintDelegationTokenRequest:
                                      // the caller, the identity being delegated, the audience, and the target
                                      // services.
                                      type DelegationRule struct {
                                      
                                      	// A descriptive name of this rule, for the audit log.
                                      	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
                                      	// Emails of developers that own this rule, to know who to contact.
                                      	Owner []string `protobuf:"bytes,2,rep,name=owner,proto3" json:"owner,omitempty"`
                                      	// A set of callers to which this rule applies.
                                      	//
                                      	// Matched against verified credentials of a caller of MintDelegationToken.
                                      	//
                                      	// Each element is either:
                                      	//  * An identity string ("user:<email>").
                                      	//  * A group reference ("group:<name>").
                                      	//
                                      	// The groups specified here are expanded when MintDelegationTokenRequest is
                                      	// evaluated.
                                      	Requestor []string `protobuf:"bytes,3,rep,name=requestor,proto3" json:"requestor,omitempty"`
                                      	// Identities that are allowed to be delegated/impersonated by the requestor.
                                      	//
                                      	// Matched against 'delegated_identity' field of MintDelegationTokenRequest.
                                      	//
                                      	// Each element is either:
                                      	//  * An identity string ("user:<email>").
                                      	//  * A group reference ("group:<name>").
                                      	//  * A special identifier "REQUESTOR" that is substituted by the requestor
                                      	//    identity when evaluating the rule.
                                      	//
                                      	// "REQUESTOR" allows one to generate tokens that delegate their own identity
                                      	// to some target audience.
                                      	//
                                      	// The groups specified here are expanded when MintDelegationTokenRequest is
                                      	// evaluated.
                                      	//
                                      	// Because groups are expanded at evaluation time, a change in group
                                      	// membership changes who can be impersonated without any edit to this
                                      	// rule. Review the groups referenced here together with the rule.
                                      	AllowedToImpersonate []string `protobuf:"bytes,4,rep,name=allowed_to_impersonate,json=allowedToImpersonate,proto3" json:"allowed_to_impersonate,omitempty"`
                                      	// A set of identities that should be able to use the new token.
                                      	//
                                      	// Matched against 'audience' field of MintDelegationTokenRequest.
                                      	//
                                      	// Each element is either:
                                      	//  * An identity string ("user:<email>").
                                      	//  * A group reference ("group:<name>").
                                      	//  * A special identifier "REQUESTOR" that is substituted by the requestor
                                      	//    identity when evaluating the rule.
                                      	//  * A special token "*" that means "any bearer can use the new token,
                                      	//    including anonymous".
                                      	//
                                      	// "REQUESTOR" is typically used here for rules that allow requestors to
                                      	// impersonate someone else. The corresponding tokens have the requestor as
                                      	// the only allowed audience.
                                      	//
                                      	// A rule with "*" here yields tokens that are not bound to any holder:
                                      	// whoever obtains one can use it. Such a rule is best paired with a
                                      	// narrow 'target_service' set and a short 'max_validity_duration'.
                                      	//
                                      	// The groups specified here are NOT expanded when MintDelegationTokenRequest
                                      	// is evaluated. To match the rule, MintDelegationTokenRequest must specify
                                      	// subset of 'allowed_audience' groups explicitly in 'audience' field.
                                      	AllowedAudience []string `protobuf:"bytes,5,rep,name=allowed_audience,json=allowedAudience,proto3" json:"allowed_audience,omitempty"`
                                      	// A set of services that should be able to accept the new token.
                                      	//
                                      	// Matched against 'services' field of MintDelegationTokenRequest.
                                      	//
                                      	// Each element is either:
                                      	//  * A service identity string ("service:<id>").
                                      	//  * A special token "*" that means "any LUCI service should accept the
                                      	//    token".
                                      	//
                                      	// Listing specific services limits where a leaked token can be replayed;
                                      	// "*" removes that limit.
                                      	TargetService []string `protobuf:"bytes,6,rep,name=target_service,json=targetService,proto3" json:"target_service,omitempty"`
                                      	// Maximum allowed validity duration (sec) of minted delegation tokens.
                                      	//
                                      	// Default is 12 hours.
                                      	//
                                      	// NOTE(review): presumably an unset (zero) value selects the 12-hour
                                      	// default rather than meaning "no tokens". Confirm against the validator.
                                      	MaxValidityDuration int64 `protobuf:"varint,7,opt,name=max_validity_duration,json=maxValidityDuration,proto3" json:"max_validity_duration,omitempty"`
                                      	// contains filtered or unexported fields
                                      }

                                        DelegationRule describes a single allowed case of using delegation tokens.

                                        An incoming MintDelegationTokenRequest is basically a tuple of:

                                        * 'requestor_id' - an identity of whoever makes the request.
                                        * 'delegated_identity' - an identity to delegate.
                                        * 'audience' - a set of identities that will be able to use the token.
                                        * 'services' - a set of services that should accept the token.
                                        

                                        A request matches a rule iff:

                                        * 'requestor_id' is in 'requestor' set.
                                        * 'delegated_identity' is in 'allowed_to_impersonate' set.
                                        * 'audience' is a subset of 'allowed_audience' set.
                                        * 'services' is a subset of 'target_service' set.
                                        

                                        The presence of a matching rule permits minting the token. The rule also provides an upper bound on the allowed validity_duration, and the rule's name is logged in the audit trail.

                                        func (*DelegationRule) Descriptor

                                        func (*DelegationRule) Descriptor() ([]byte, []int)

                                          Deprecated: Use DelegationRule.ProtoReflect.Descriptor instead.

                                          func (*DelegationRule) GetAllowedAudience

                                          func (x *DelegationRule) GetAllowedAudience() []string

                                          func (*DelegationRule) GetAllowedToImpersonate

                                          func (x *DelegationRule) GetAllowedToImpersonate() []string

                                          func (*DelegationRule) GetMaxValidityDuration

                                          func (x *DelegationRule) GetMaxValidityDuration() int64

                                          func (*DelegationRule) GetName

                                          func (x *DelegationRule) GetName() string

                                          func (*DelegationRule) GetOwner

                                          func (x *DelegationRule) GetOwner() []string

                                          func (*DelegationRule) GetRequestor

                                          func (x *DelegationRule) GetRequestor() []string

                                          func (*DelegationRule) GetTargetService

                                          func (x *DelegationRule) GetTargetService() []string

                                          func (*DelegationRule) ProtoMessage

                                          func (*DelegationRule) ProtoMessage()

                                          func (*DelegationRule) ProtoReflect

                                          func (x *DelegationRule) ProtoReflect() protoreflect.Message

                                          func (*DelegationRule) Reset

                                          func (x *DelegationRule) Reset()

                                          func (*DelegationRule) String

                                          func (x *DelegationRule) String() string

                                          type DomainConfig

                                          type DomainConfig struct {
                                          
                                          	// Domain lists the domain names of hosts this config applies to.
                                          	//
                                          	// Machines that reside in a subdomain of a listed domain are also considered
                                          	// part of it, e.g. both FQDNs "host.example.com" and "host.abc.example.com"
                                          	// match domain "example.com".
                                          	//
                                          	// NOTE(review): because subdomains match too, one entry covers the whole
                                          	// DNS subtree below it. List only domains where every subdomain should fall
                                          	// under the same machine token policy.
                                          	Domain []string `protobuf:"bytes,1,rep,name=domain,proto3" json:"domain,omitempty"`
                                          	// MachineTokenLifetime is how long generated machine tokens live, in seconds.
                                          	//
                                          	// If 0, machine tokens are not allowed. 0 is also the value of an unset
                                          	// proto3 int64 field, so a config that omits this field does not allow
                                          	// machine tokens.
                                          	MachineTokenLifetime int64 `protobuf:"varint,5,opt,name=machine_token_lifetime,json=machineTokenLifetime,proto3" json:"machine_token_lifetime,omitempty"`
                                          	// contains filtered or unexported fields
                                          }

                                            DomainConfig is used inside CertificateAuthorityConfig.

                                            func (*DomainConfig) Descriptor

                                            func (*DomainConfig) Descriptor() ([]byte, []int)

                                              Deprecated: Use DomainConfig.ProtoReflect.Descriptor instead.

                                              func (*DomainConfig) GetDomain

                                              func (x *DomainConfig) GetDomain() []string

                                              func (*DomainConfig) GetMachineTokenLifetime

                                              func (x *DomainConfig) GetMachineTokenLifetime() int64

                                              func (*DomainConfig) ProtoMessage

                                              func (*DomainConfig) ProtoMessage()

                                              func (*DomainConfig) ProtoReflect

                                              func (x *DomainConfig) ProtoReflect() protoreflect.Message

                                              func (*DomainConfig) Reset

                                              func (x *DomainConfig) Reset()

                                              func (*DomainConfig) String

                                              func (x *DomainConfig) String() string

                                              type FetchCRLRequest

                                              type FetchCRLRequest struct {
                                              	Cn    string `protobuf:"bytes,1,opt,name=cn,proto3" json:"cn,omitempty"`        // Common Name (CN) of the CA whose CRL should be fetched
                                              	Force bool   `protobuf:"varint,2,opt,name=force,proto3" json:"force,omitempty"` // if true, fetch and parse the CRL even if we have it already
                                              	// contains filtered or unexported fields
                                              }

                                                FetchCRLRequest identifies, by name, the CA to fetch the CRL for.

                                                func (*FetchCRLRequest) Descriptor

                                                func (*FetchCRLRequest) Descriptor() ([]byte, []int)

                                                  Deprecated: Use FetchCRLRequest.ProtoReflect.Descriptor instead.

                                                  func (*FetchCRLRequest) GetCn

                                                  func (x *FetchCRLRequest) GetCn() string

                                                  func (*FetchCRLRequest) GetForce

                                                  func (x *FetchCRLRequest) GetForce() bool

                                                  func (*FetchCRLRequest) ProtoMessage

                                                  func (*FetchCRLRequest) ProtoMessage()

                                                  func (*FetchCRLRequest) ProtoReflect

                                                  func (x *FetchCRLRequest) ProtoReflect() protoreflect.Message

                                                  func (*FetchCRLRequest) Reset

                                                  func (x *FetchCRLRequest) Reset()

                                                  func (*FetchCRLRequest) String

                                                  func (x *FetchCRLRequest) String() string

                                                  type FetchCRLResponse

                                                  type FetchCRLResponse struct {
                                                  	CrlStatus *CRLStatus `protobuf:"bytes,1,opt,name=crl_status,json=crlStatus,proto3" json:"crl_status,omitempty"` // status of the CRL after the fetch (see CRLStatus)
                                                  	// contains filtered or unexported fields
                                                  }

                                                    FetchCRLResponse is returned by FetchCRL.

                                                    func (*FetchCRLResponse) Descriptor

                                                    func (*FetchCRLResponse) Descriptor() ([]byte, []int)

                                                      Deprecated: Use FetchCRLResponse.ProtoReflect.Descriptor instead.

                                                      func (*FetchCRLResponse) GetCrlStatus

                                                      func (x *FetchCRLResponse) GetCrlStatus() *CRLStatus

                                                      func (*FetchCRLResponse) ProtoMessage

                                                      func (*FetchCRLResponse) ProtoMessage()

                                                      func (*FetchCRLResponse) ProtoReflect

                                                      func (x *FetchCRLResponse) ProtoReflect() protoreflect.Message

                                                      func (*FetchCRLResponse) Reset

                                                      func (x *FetchCRLResponse) Reset()

                                                      func (*FetchCRLResponse) String

                                                      func (x *FetchCRLResponse) String() string

                                                      type GetCAStatusRequest

                                                      type GetCAStatusRequest struct {
                                                      	Cn string `protobuf:"bytes,1,opt,name=cn,proto3" json:"cn,omitempty"` // Common Name (CN) of the CA to look up
                                                      	// contains filtered or unexported fields
                                                      }

                                                        GetCAStatusRequest identifies, by name, the CA to fetch.

                                                        func (*GetCAStatusRequest) Descriptor

                                                        func (*GetCAStatusRequest) Descriptor() ([]byte, []int)

                                                          Deprecated: Use GetCAStatusRequest.ProtoReflect.Descriptor instead.

                                                          func (*GetCAStatusRequest) GetCn

                                                          func (x *GetCAStatusRequest) GetCn() string

                                                          func (*GetCAStatusRequest) ProtoMessage

                                                          func (*GetCAStatusRequest) ProtoMessage()

                                                          func (*GetCAStatusRequest) ProtoReflect

                                                          func (x *GetCAStatusRequest) ProtoReflect() protoreflect.Message

                                                          func (*GetCAStatusRequest) Reset

                                                          func (x *GetCAStatusRequest) Reset()

                                                          func (*GetCAStatusRequest) String

                                                          func (x *GetCAStatusRequest) String() string

                                                          type GetCAStatusResponse

                                                          type GetCAStatusResponse struct {
                                                          	// All fields are left empty when the requested CA doesn't exist, so
                                                          	// Ready == false on its own does not distinguish an unknown CA from a
                                                          	// known CA that is not ready.
                                                          	// NOTE(review): presumably Config is set for every known CA and can be
                                                          	// used to tell the two cases apart; confirm against the server code.
                                                          	Config     *CertificateAuthorityConfig `protobuf:"bytes,1,opt,name=config,proto3" json:"config,omitempty"`                           // current config
                                                          	Cert       string                      `protobuf:"bytes,2,opt,name=cert,proto3" json:"cert,omitempty"`                               // PEM-encoded CA certificate
                                                          	Removed    bool                        `protobuf:"varint,3,opt,name=removed,proto3" json:"removed,omitempty"`                        // true if this CA was removed from the config
                                                          	Ready      bool                        `protobuf:"varint,4,opt,name=ready,proto3" json:"ready,omitempty"`                            // true if this CA is ready for usage
                                                          	AddedRev   string                      `protobuf:"bytes,5,opt,name=added_rev,json=addedRev,proto3" json:"added_rev,omitempty"`       // config revision when this CA appeared
                                                          	UpdatedRev string                      `protobuf:"bytes,6,opt,name=updated_rev,json=updatedRev,proto3" json:"updated_rev,omitempty"` // config revision when this CA was updated
                                                          	RemovedRev string                      `protobuf:"bytes,7,opt,name=removed_rev,json=removedRev,proto3" json:"removed_rev,omitempty"` // config revision when this CA was removed
                                                          	CrlStatus  *CRLStatus                  `protobuf:"bytes,8,opt,name=crl_status,json=crlStatus,proto3" json:"crl_status,omitempty"`    // last known status of the CRL for this CA
                                                          	// contains filtered or unexported fields
                                                          }

                                                            GetCAStatusResponse is returned by GetCAStatus method.

                                                            If requested CA doesn't exist, all fields are empty.

                                                            func (*GetCAStatusResponse) Descriptor

                                                            func (*GetCAStatusResponse) Descriptor() ([]byte, []int)

                                                              Deprecated: Use GetCAStatusResponse.ProtoReflect.Descriptor instead.

                                                              func (*GetCAStatusResponse) GetAddedRev

                                                              func (x *GetCAStatusResponse) GetAddedRev() string

                                                              func (*GetCAStatusResponse) GetCert

                                                              func (x *GetCAStatusResponse) GetCert() string

                                                              func (*GetCAStatusResponse) GetConfig

                                                              func (*GetCAStatusResponse) GetCrlStatus

                                                              func (x *GetCAStatusResponse) GetCrlStatus() *CRLStatus

                                                              func (*GetCAStatusResponse) GetReady

                                                              func (x *GetCAStatusResponse) GetReady() bool

                                                              func (*GetCAStatusResponse) GetRemoved

                                                              func (x *GetCAStatusResponse) GetRemoved() bool

                                                              func (*GetCAStatusResponse) GetRemovedRev

                                                              func (x *GetCAStatusResponse) GetRemovedRev() string

                                                              func (*GetCAStatusResponse) GetUpdatedRev

                                                              func (x *GetCAStatusResponse) GetUpdatedRev() string

                                                              func (*GetCAStatusResponse) ProtoMessage

                                                              func (*GetCAStatusResponse) ProtoMessage()

                                                              func (*GetCAStatusResponse) ProtoReflect

                                                              func (x *GetCAStatusResponse) ProtoReflect() protoreflect.Message

                                                              func (*GetCAStatusResponse) Reset

                                                              func (x *GetCAStatusResponse) Reset()

                                                              func (*GetCAStatusResponse) String

                                                              func (x *GetCAStatusResponse) String() string

                                                              type ImportedConfigs

                                                              type ImportedConfigs struct {
                                                              
                                                              	// The revision of the configs that are now in the datastore.
                                                              	//
                                                              	// It's either the imported revision, if the configs changed, or a
                                                              	// previously known revision, if the configs at HEAD are the same.
                                                              	Revision string `protobuf:"bytes,1,opt,name=revision,proto3" json:"revision,omitempty"`
                                                              	// contains filtered or unexported fields
                                                              }

                                                                ImportedConfigs is returned by Import<something>Configs methods on success.

                                                                func (*ImportedConfigs) Descriptor

                                                                func (*ImportedConfigs) Descriptor() ([]byte, []int)

                                                                  Deprecated: Use ImportedConfigs.ProtoReflect.Descriptor instead.

                                                                  func (*ImportedConfigs) GetRevision

                                                                  func (x *ImportedConfigs) GetRevision() string

                                                                  func (*ImportedConfigs) ProtoMessage

                                                                  func (*ImportedConfigs) ProtoMessage()

                                                                  func (*ImportedConfigs) ProtoReflect

                                                                  func (x *ImportedConfigs) ProtoReflect() protoreflect.Message

                                                                  func (*ImportedConfigs) Reset

                                                                  func (x *ImportedConfigs) Reset()

                                                                  func (*ImportedConfigs) String

                                                                  func (x *ImportedConfigs) String() string

                                                                  type InspectDelegationTokenRequest

                                                                  type InspectDelegationTokenRequest struct {
                                                                  
                                                                  	// The token body.
                                                                  	//
                                                                  	// NOTE(review): presumably this is a usable credential for as long as the
                                                                  	// token is valid, so request payloads should be kept out of logs and
                                                                  	// traces; confirm against the token server's logging policy.
                                                                  	Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
                                                                  	// contains filtered or unexported fields
                                                                  }

                                                                    InspectDelegationTokenRequest is the body of the InspectDelegationToken RPC call.

                                                                    func (*InspectDelegationTokenRequest) Descriptor

                                                                    func (*InspectDelegationTokenRequest) Descriptor() ([]byte, []int)

                                                                      Deprecated: Use InspectDelegationTokenRequest.ProtoReflect.Descriptor instead.

                                                                      func (*InspectDelegationTokenRequest) GetToken

                                                                      func (x *InspectDelegationTokenRequest) GetToken() string

                                                                      func (*InspectDelegationTokenRequest) ProtoMessage

                                                                      func (*InspectDelegationTokenRequest) ProtoMessage()

                                                                      func (*InspectDelegationTokenRequest) ProtoReflect

                                                                      func (*InspectDelegationTokenRequest) Reset

                                                                      func (x *InspectDelegationTokenRequest) Reset()

                                                                      func (*InspectDelegationTokenRequest) String

                                                                      type InspectDelegationTokenResponse

                                                                      type InspectDelegationTokenResponse struct {
                                                                      
                                                                      	// True if the token is valid.
                                                                      	//
                                                                      	// A token is valid if its signature is correct and it hasn't expired yet.
                                                                      	Valid bool `protobuf:"varint,1,opt,name=valid,proto3" json:"valid,omitempty"`
                                                                      	// Human readable summary of why the token is invalid.
                                                                      	//
                                                                      	// Summarizes the rest of the fields of this struct. Set only if 'valid' is
                                                                      	// false.
                                                                      	InvalidityReason string `protobuf:"bytes,2,opt,name=invalidity_reason,json=invalidityReason,proto3" json:"invalidity_reason,omitempty"`
                                                                      	// True if the token signature was verified.
                                                                      	//
                                                                      	// It means the token was generated by the token server and its body is not
                                                                      	// garbage. Note that a token can be correctly signed, but invalid (if it
                                                                      	// has expired), so 'signed' alone says nothing about whether the token is
                                                                      	// still usable; check 'valid' or 'non_expired' for that.
                                                                      	//
                                                                      	// If 'signed' is false, the fields below may (or may not) be garbage.
                                                                      	//
                                                                      	// The token server uses private keys managed by Google Cloud Platform, they
                                                                      	// are constantly being rotated and "old" signatures become invalid over time
                                                                      	// (when corresponding keys are rotated out of existence).
                                                                      	//
                                                                      	// If 'signed' is false, use the rest of the response only as FYI, possibly
                                                                      	// invalid or even maliciously constructed.
                                                                      	Signed bool `protobuf:"varint,3,opt,name=signed,proto3" json:"signed,omitempty"`
                                                                      	// True if the token signature was verified and token hasn't expired yet.
                                                                      	//
                                                                      	// We use "non_" prefix to make default 'false' value safer: an unset field
                                                                      	// reads as "expired or unverified" rather than as "still good".
                                                                      	NonExpired bool `protobuf:"varint,4,opt,name=non_expired,json=nonExpired,proto3" json:"non_expired,omitempty"`
                                                                      	// The deserialized token envelope.
                                                                      	//
                                                                      	// May be empty if token was malformed and couldn't be deserialized.
                                                                      	// Untrusted unless 'signed' is true (see above).
                                                                      	Envelope *messages.DelegationToken `protobuf:"bytes,5,opt,name=envelope,proto3" json:"envelope,omitempty"`
                                                                      	// The deserialized token body (deserialized 'envelope.serialized_subtoken').
                                                                      	//
                                                                      	// May be empty if token was malformed and couldn't be deserialized.
                                                                      	// Untrusted unless 'signed' is true (see above).
                                                                      	Subtoken *messages.Subtoken `protobuf:"bytes,6,opt,name=subtoken,proto3" json:"subtoken,omitempty"`
                                                                      	// contains filtered or unexported fields
                                                                      }

                                                                        InspectDelegationTokenResponse is the return value of the InspectDelegationToken RPC.

                                                                        func (*InspectDelegationTokenResponse) Descriptor

                                                                        func (*InspectDelegationTokenResponse) Descriptor() ([]byte, []int)

                                                                          Deprecated: Use InspectDelegationTokenResponse.ProtoReflect.Descriptor instead.

                                                                          func (*InspectDelegationTokenResponse) GetEnvelope

                                                                          func (*InspectDelegationTokenResponse) GetInvalidityReason

                                                                          func (x *InspectDelegationTokenResponse) GetInvalidityReason() string

                                                                          func (*InspectDelegationTokenResponse) GetNonExpired

                                                                          func (x *InspectDelegationTokenResponse) GetNonExpired() bool

                                                                          func (*InspectDelegationTokenResponse) GetSigned

                                                                          func (x *InspectDelegationTokenResponse) GetSigned() bool

                                                                          func (*InspectDelegationTokenResponse) GetSubtoken

                                                                          func (*InspectDelegationTokenResponse) GetValid

                                                                          func (x *InspectDelegationTokenResponse) GetValid() bool

                                                                          func (*InspectDelegationTokenResponse) ProtoMessage

                                                                          func (*InspectDelegationTokenResponse) ProtoMessage()

                                                                          func (*InspectDelegationTokenResponse) ProtoReflect

                                                                          func (*InspectDelegationTokenResponse) Reset

                                                                          func (x *InspectDelegationTokenResponse) Reset()

                                                                          func (*InspectDelegationTokenResponse) String

                                                                          type InspectMachineTokenRequest

                                                                          type InspectMachineTokenRequest struct {
                                                                          
                                                                          	// The type of token being checked.
                                                                          	//
                                                                          	// Currently only LUCI_MACHINE_TOKEN is supported. This is also the default.
                                                                          	TokenType api.MachineTokenType `protobuf:"varint,1,opt,name=token_type,json=tokenType,proto3,enum=tokenserver.MachineTokenType" json:"token_type,omitempty"`
                                                                          	// The token body. Exact meaning depends on token_type.
                                                                          	//
                                                                          	// NOTE(review): presumably this is a usable credential for as long as the
                                                                          	// token is valid, so request payloads should be kept out of logs and
                                                                          	// traces; confirm against the token server's logging policy.
                                                                          	Token string `protobuf:"bytes,2,opt,name=token,proto3" json:"token,omitempty"`
                                                                          	// contains filtered or unexported fields
                                                                          }

                                                                            InspectMachineTokenRequest is the body of the InspectMachineToken RPC call.

                                                                            It contains a machine token of some kind.

                                                                            func (*InspectMachineTokenRequest) Descriptor

                                                                            func (*InspectMachineTokenRequest) Descriptor() ([]byte, []int)

                                                                              Deprecated: Use InspectMachineTokenRequest.ProtoReflect.Descriptor instead.

                                                                              func (*InspectMachineTokenRequest) GetToken

                                                                              func (x *InspectMachineTokenRequest) GetToken() string

                                                                              func (*InspectMachineTokenRequest) GetTokenType

                                                                              func (*InspectMachineTokenRequest) ProtoMessage

                                                                              func (*InspectMachineTokenRequest) ProtoMessage()

                                                                              func (*InspectMachineTokenRequest) ProtoReflect

                                                                              func (*InspectMachineTokenRequest) Reset

                                                                              func (x *InspectMachineTokenRequest) Reset()

                                                                              func (*InspectMachineTokenRequest) String

                                                                              func (x *InspectMachineTokenRequest) String() string

                                                                              type InspectMachineTokenResponse

                                                                              // InspectMachineTokenResponse is the return value of the InspectMachineToken
                                                                              // RPC call.
                                                                              //
                                                                              // Valid is the overall verdict; Signed, NonExpired and NonRevoked break it
                                                                              // down, and InvalidityReason summarizes them for humans. Every field after
                                                                              // Signed describes token content and is trustworthy only when Signed is true.
                                                                              type InspectMachineTokenResponse struct {
                                                                              
                                                                              	// True if the token is valid.
                                                                              	//
                                                                              	// A token is valid if its signature is correct, it hasn't expired yet and
                                                                              	// the credentials it was built from (e.g. a certificate) weren't revoked.
                                                                              	Valid bool `protobuf:"varint,1,opt,name=valid,proto3" json:"valid,omitempty"`
                                                                              	// Human-readable summary of why the token is invalid.
                                                                              	//
                                                                              	// Summarizes the rest of the fields of this struct. Set only if 'valid' is
                                                                              	// false.
                                                                              	InvalidityReason string `protobuf:"bytes,2,opt,name=invalidity_reason,json=invalidityReason,proto3" json:"invalidity_reason,omitempty"`
                                                                              	// True if the token signature was verified.
                                                                              	//
                                                                              	// It means the token was generated by the token server and its body is not
                                                                              	// garbage. Note that a token can be correctly signed, but invalid (if it
                                                                              	// has expired or was revoked).
                                                                              	//
                                                                              	// If 'signed' is false, the fields below may (or may not) be garbage.
                                                                              	//
                                                                              	// The token server uses private keys managed by Google Cloud Platform. They
                                                                              	// are constantly being rotated, and "old" signatures become invalid over time
                                                                              	// (when the corresponding keys are rotated out of existence). A token that
                                                                              	// once verified can therefore later report 'signed' as false.
                                                                              	//
                                                                              	// If 'signed' is false, use the rest of the response only as FYI: it is
                                                                              	// possibly invalid or even maliciously constructed. Treat the key ID, CA
                                                                              	// name and decoded body as unauthenticated input; they are suitable for
                                                                              	// display, not as the basis of an access decision.
                                                                              	Signed bool `protobuf:"varint,3,opt,name=signed,proto3" json:"signed,omitempty"`
                                                                              	// True if the token signature was verified and the token hasn't expired yet.
                                                                              	//
                                                                              	// Because it also requires a verified signature, this is false for any
                                                                              	// token that failed signature verification.
                                                                              	//
                                                                              	// The "non_" prefix makes the default value (false) the safe one: an unset
                                                                              	// field reads as "expired".
                                                                              	NonExpired bool `protobuf:"varint,4,opt,name=non_expired,json=nonExpired,proto3" json:"non_expired,omitempty"`
                                                                              	// True if the token signature was verified and the token wasn't revoked.
                                                                              	//
                                                                              	// It is possible for an expired token to be non-revoked. They are independent
                                                                              	// properties.
                                                                              	//
                                                                              	// The "non_" prefix makes the default value (false) the safe one: an unset
                                                                              	// field reads as "revoked".
                                                                              	NonRevoked bool `protobuf:"varint,5,opt,name=non_revoked,json=nonRevoked,proto3" json:"non_revoked,omitempty"`
                                                                              	// ID of the private key used to sign this token, if applicable.
                                                                              	SigningKeyId string `protobuf:"bytes,6,opt,name=signing_key_id,json=signingKeyId,proto3" json:"signing_key_id,omitempty"`
                                                                              	// Name of the CA that issued the cert the token is based on, if applicable.
                                                                              	//
                                                                              	// Resolved from the 'ca_id' field of the token body.
                                                                              	CertCaName string `protobuf:"bytes,7,opt,name=cert_ca_name,json=certCaName,proto3" json:"cert_ca_name,omitempty"`
                                                                              	// The decoded token body (depends on the token_type request parameter). Empty
                                                                              	// if the token was malformed and couldn't be deserialized.
                                                                              	//
                                                                              	// Types that are assignable to TokenType:
                                                                              	//	*InspectMachineTokenResponse_LuciMachineToken
                                                                              	TokenType isInspectMachineTokenResponse_TokenType `protobuf_oneof:"token_type"`
                                                                              	// contains filtered or unexported fields
                                                                              }

                                                                                InspectMachineTokenResponse is the return value of the InspectMachineToken RPC call.

                                                                                func (*InspectMachineTokenResponse) Descriptor

                                                                                func (*InspectMachineTokenResponse) Descriptor() ([]byte, []int)

                                                                                  Deprecated: Use InspectMachineTokenResponse.ProtoReflect.Descriptor instead.

                                                                                  func (*InspectMachineTokenResponse) GetCertCaName

                                                                                  func (x *InspectMachineTokenResponse) GetCertCaName() string

                                                                                  func (*InspectMachineTokenResponse) GetInvalidityReason

                                                                                  func (x *InspectMachineTokenResponse) GetInvalidityReason() string

                                                                                  func (*InspectMachineTokenResponse) GetLuciMachineToken

                                                                                  func (x *InspectMachineTokenResponse) GetLuciMachineToken() *api.MachineTokenBody

                                                                                  func (*InspectMachineTokenResponse) GetNonExpired

                                                                                  func (x *InspectMachineTokenResponse) GetNonExpired() bool

                                                                                  func (*InspectMachineTokenResponse) GetNonRevoked

                                                                                  func (x *InspectMachineTokenResponse) GetNonRevoked() bool

                                                                                  func (*InspectMachineTokenResponse) GetSigned

                                                                                  func (x *InspectMachineTokenResponse) GetSigned() bool

                                                                                  func (*InspectMachineTokenResponse) GetSigningKeyId

                                                                                  func (x *InspectMachineTokenResponse) GetSigningKeyId() string

                                                                                  func (*InspectMachineTokenResponse) GetTokenType

                                                                                  func (m *InspectMachineTokenResponse) GetTokenType() isInspectMachineTokenResponse_TokenType

                                                                                  func (*InspectMachineTokenResponse) GetValid

                                                                                  func (x *InspectMachineTokenResponse) GetValid() bool

                                                                                  func (*InspectMachineTokenResponse) ProtoMessage

                                                                                  func (*InspectMachineTokenResponse) ProtoMessage()

                                                                                  func (*InspectMachineTokenResponse) ProtoReflect

                                                                                  func (*InspectMachineTokenResponse) Reset

                                                                                  func (x *InspectMachineTokenResponse) Reset()

                                                                                  func (*InspectMachineTokenResponse) String

                                                                                  func (x *InspectMachineTokenResponse) String() string

                                                                                  type InspectMachineTokenResponse_LuciMachineToken

                                                                                  // InspectMachineTokenResponse_LuciMachineToken is the wrapper for the
                                                                                  // luci_machine_token case of the InspectMachineTokenResponse.TokenType oneof.
                                                                                  type InspectMachineTokenResponse_LuciMachineToken struct {
                                                                                  	// The decoded machine token body. Per the InspectMachineTokenResponse field
                                                                                  	// comments, it is authenticated only when that response has Signed set.
                                                                                  	LuciMachineToken *api.MachineTokenBody `protobuf:"bytes,20,opt,name=luci_machine_token,json=luciMachineToken,proto3,oneof"`
                                                                                  }

                                                                                  type InspectOAuthTokenGrantRequest

                                                                                  // InspectOAuthTokenGrantRequest is the body of the InspectOAuthTokenGrant RPC
                                                                                  // call.
                                                                                  type InspectOAuthTokenGrantRequest struct {
                                                                                  
                                                                                  	// The token body.
                                                                                  	//
                                                                                  	// NOTE(review): this is the complete grant token being inspected; if it is
                                                                                  	// still valid it is presumably usable as a credential, so dumps of this
                                                                                  	// message (e.g. via String()) should be kept out of logs — confirm.
                                                                                  	Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
                                                                                  	// contains filtered or unexported fields
                                                                                  }

                                                                                    InspectOAuthTokenGrantRequest is the body of the InspectOAuthTokenGrant RPC call.

                                                                                    func (*InspectOAuthTokenGrantRequest) Descriptor

                                                                                    func (*InspectOAuthTokenGrantRequest) Descriptor() ([]byte, []int)

                                                                                      Deprecated: Use InspectOAuthTokenGrantRequest.ProtoReflect.Descriptor instead.

                                                                                      func (*InspectOAuthTokenGrantRequest) GetToken

                                                                                      func (x *InspectOAuthTokenGrantRequest) GetToken() string

                                                                                      func (*InspectOAuthTokenGrantRequest) ProtoMessage

                                                                                      func (*InspectOAuthTokenGrantRequest) ProtoMessage()

                                                                                      func (*InspectOAuthTokenGrantRequest) ProtoReflect

                                                                                      func (*InspectOAuthTokenGrantRequest) Reset

                                                                                      func (x *InspectOAuthTokenGrantRequest) Reset()

                                                                                      func (*InspectOAuthTokenGrantRequest) String

                                                                                      type InspectOAuthTokenGrantResponse

                                                                                      // InspectOAuthTokenGrantResponse is the return value of the
                                                                                      // InspectOAuthTokenGrant RPC.
                                                                                      //
                                                                                      // Valid is the overall verdict; Signed, NonExpired and AllowedByRules break it
                                                                                      // down, and InvalidityReason summarizes them for humans. Every field after
                                                                                      // Signed describes token content and is trustworthy only when Signed is true.
                                                                                      type InspectOAuthTokenGrantResponse struct {
                                                                                      
                                                                                      	// True if the token is valid.
                                                                                      	//
                                                                                      	// A token is valid if its signature is correct, it hasn't expired yet and
                                                                                      	// token server rules still allow it.
                                                                                      	Valid bool `protobuf:"varint,1,opt,name=valid,proto3" json:"valid,omitempty"`
                                                                                      	// Human-readable summary of why the token is invalid.
                                                                                      	//
                                                                                      	// Summarizes the rest of the fields of this struct. Set only if 'valid' is
                                                                                      	// false.
                                                                                      	InvalidityReason string `protobuf:"bytes,2,opt,name=invalidity_reason,json=invalidityReason,proto3" json:"invalidity_reason,omitempty"`
                                                                                      	// True if the token signature was verified.
                                                                                      	//
                                                                                      	// It means the token was generated by the token server and its body is not
                                                                                      	// garbage. Note that a token can be correctly signed, but invalid (if it
                                                                                      	// has expired).
                                                                                      	//
                                                                                      	// If 'signed' is false, the fields below may (or may not) be garbage.
                                                                                      	//
                                                                                      	// The token server uses private keys managed by Google Cloud Platform. They
                                                                                      	// are constantly being rotated, and "old" signatures become invalid over time
                                                                                      	// (when the corresponding keys are rotated out of existence). A token that
                                                                                      	// once verified can therefore later report 'signed' as false.
                                                                                      	//
                                                                                      	// If 'signed' is false, use the rest of the response only as FYI: it is
                                                                                      	// possibly invalid or even maliciously constructed. Treat the key ID, token
                                                                                      	// body and matching rule as unauthenticated input; they are suitable for
                                                                                      	// display, not as the basis of an access decision.
                                                                                      	Signed bool `protobuf:"varint,3,opt,name=signed,proto3" json:"signed,omitempty"`
                                                                                      	// True if the token signature was verified and the token hasn't expired yet.
                                                                                      	//
                                                                                      	// Because it also requires a verified signature, this is false for any
                                                                                      	// token that failed signature verification.
                                                                                      	//
                                                                                      	// The "non_" prefix makes the default value (false) the safe one: an unset
                                                                                      	// field reads as "expired".
                                                                                      	NonExpired bool `protobuf:"varint,4,opt,name=non_expired,json=nonExpired,proto3" json:"non_expired,omitempty"`
                                                                                      	// ID of the token server private key used to sign the token.
                                                                                      	SigningKeyId string `protobuf:"bytes,5,opt,name=signing_key_id,json=signingKeyId,proto3" json:"signing_key_id,omitempty"`
                                                                                      	// The deserialized token body.
                                                                                      	//
                                                                                      	// May be empty if the token was malformed and couldn't be deserialized.
                                                                                      	TokenBody *api.OAuthTokenGrantBody `protobuf:"bytes,6,opt,name=token_body,json=tokenBody,proto3" json:"token_body,omitempty"`
                                                                                      	// The service_accounts.cfg rule that governs the service account usage.
                                                                                      	//
                                                                                      	// May be present even if the token is not allowed by it, so a non-nil
                                                                                      	// MatchingRule is not an authorization signal; check AllowedByRules (or
                                                                                      	// Valid) instead.
                                                                                      	MatchingRule *ServiceAccountRule `protobuf:"bytes,7,opt,name=matching_rule,json=matchingRule,proto3" json:"matching_rule,omitempty"`
                                                                                      	// True if the current service_accounts.cfg rules allow this token.
                                                                                      	AllowedByRules bool `protobuf:"varint,8,opt,name=allowed_by_rules,json=allowedByRules,proto3" json:"allowed_by_rules,omitempty"`
                                                                                      	// contains filtered or unexported fields
                                                                                      }

                                                                                        InspectOAuthTokenGrantResponse is the return value of the InspectOAuthTokenGrant RPC.

                                                                                        func (*InspectOAuthTokenGrantResponse) Descriptor

                                                                                        func (*InspectOAuthTokenGrantResponse) Descriptor() ([]byte, []int)

                                                                                          Deprecated: Use InspectOAuthTokenGrantResponse.ProtoReflect.Descriptor instead.

                                                                                          func (*InspectOAuthTokenGrantResponse) GetAllowedByRules

                                                                                          func (x *InspectOAuthTokenGrantResponse) GetAllowedByRules() bool

                                                                                          func (*InspectOAuthTokenGrantResponse) GetInvalidityReason

                                                                                          func (x *InspectOAuthTokenGrantResponse) GetInvalidityReason() string

                                                                                          func (*InspectOAuthTokenGrantResponse) GetMatchingRule

                                                                                          func (x *InspectOAuthTokenGrantResponse) GetMatchingRule() *ServiceAccountRule

                                                                                          func (*InspectOAuthTokenGrantResponse) GetNonExpired

                                                                                          func (x *InspectOAuthTokenGrantResponse) GetNonExpired() bool

                                                                                          func (*InspectOAuthTokenGrantResponse) GetSigned

                                                                                          func (x *InspectOAuthTokenGrantResponse) GetSigned() bool

                                                                                          func (*InspectOAuthTokenGrantResponse) GetSigningKeyId

                                                                                          func (x *InspectOAuthTokenGrantResponse) GetSigningKeyId() string

                                                                                          func (*InspectOAuthTokenGrantResponse) GetTokenBody

                                                                                          func (*InspectOAuthTokenGrantResponse) GetValid

                                                                                          func (x *InspectOAuthTokenGrantResponse) GetValid() bool

                                                                                          func (*InspectOAuthTokenGrantResponse) ProtoMessage

                                                                                          func (*InspectOAuthTokenGrantResponse) ProtoMessage()

                                                                                          func (*InspectOAuthTokenGrantResponse) ProtoReflect

                                                                                          func (*InspectOAuthTokenGrantResponse) Reset

                                                                                          func (x *InspectOAuthTokenGrantResponse) Reset()

                                                                                          func (*InspectOAuthTokenGrantResponse) String

                                                                                          type IsRevokedCertRequest

                                                                                          // IsRevokedCertRequest contains the name of a CA and a cert serial number.
                                                                                          type IsRevokedCertRequest struct {
                                                                                          	Ca string `protobuf:"bytes,1,opt,name=ca,proto3" json:"ca,omitempty"` // Common Name of the CA.
                                                                                          	// NOTE(review): the serial number is a decimal string, whereas certificate
                                                                                          	// tools commonly print serial numbers in hex; presumably a hex value must be
                                                                                          	// converted before it is sent here — confirm.
                                                                                          	Sn string `protobuf:"bytes,2,opt,name=sn,proto3" json:"sn,omitempty"` // The cert's serial number (a big.Int encoded as a decimal string).
                                                                                          	// contains filtered or unexported fields
                                                                                          }

                                                                                            IsRevokedCertRequest contains a name of the CA and a cert serial number.

                                                                                            func (*IsRevokedCertRequest) Descriptor

                                                                                            func (*IsRevokedCertRequest) Descriptor() ([]byte, []int)

                                                                                              Deprecated: Use IsRevokedCertRequest.ProtoReflect.Descriptor instead.

                                                                                              func (*IsRevokedCertRequest) GetCa

                                                                                              func (x *IsRevokedCertRequest) GetCa() string

                                                                                              func (*IsRevokedCertRequest) GetSn

                                                                                              func (x *IsRevokedCertRequest) GetSn() string

                                                                                              func (*IsRevokedCertRequest) ProtoMessage

                                                                                              func (*IsRevokedCertRequest) ProtoMessage()

                                                                                              func (*IsRevokedCertRequest) ProtoReflect

                                                                                              func (x *IsRevokedCertRequest) ProtoReflect() protoreflect.Message

                                                                                              func (*IsRevokedCertRequest) Reset

                                                                                              func (x *IsRevokedCertRequest) Reset()

                                                                                              func (*IsRevokedCertRequest) String

                                                                                              func (x *IsRevokedCertRequest) String() string

                                                                                              type IsRevokedCertResponse

                                                                                              // IsRevokedCertResponse is returned by IsRevokedCert.
                                                                                              type IsRevokedCertResponse struct {
                                                                                              	// NOTE(review): false says only that the serial number is absent from the
                                                                                              	// CRL; it presumably says nothing about the cert's expiry or chain validity,
                                                                                              	// nor about how fresh the consulted CRL is — confirm.
                                                                                              	Revoked bool `protobuf:"varint,1,opt,name=revoked,proto3" json:"revoked,omitempty"` // True if the cert with the given SN is in the CRL.
                                                                                              	// contains filtered or unexported fields
                                                                                              }

                                                                                                IsRevokedCertResponse is returned by IsRevokedCert.

                                                                                                func (*IsRevokedCertResponse) Descriptor

                                                                                                func (*IsRevokedCertResponse) Descriptor() ([]byte, []int)

                                                                                                  Deprecated: Use IsRevokedCertResponse.ProtoReflect.Descriptor instead.

                                                                                                  func (*IsRevokedCertResponse) GetRevoked

                                                                                                  func (x *IsRevokedCertResponse) GetRevoked() bool

                                                                                                  func (*IsRevokedCertResponse) ProtoMessage

                                                                                                  func (*IsRevokedCertResponse) ProtoMessage()

                                                                                                  func (*IsRevokedCertResponse) ProtoReflect

                                                                                                  func (x *IsRevokedCertResponse) ProtoReflect() protoreflect.Message

                                                                                                  func (*IsRevokedCertResponse) Reset

                                                                                                  func (x *IsRevokedCertResponse) Reset()

                                                                                                  func (*IsRevokedCertResponse) String

                                                                                                  func (x *IsRevokedCertResponse) String() string

                                                                                                  type ListCAsResponse

                                                                                                  // ListCAsResponse is returned by ListCAs.
                                                                                                  type ListCAsResponse struct {
                                                                                                  	// Cn is a repeated string field (protobuf field 1), so the response
                                                                                                  	// carries a list of names rather than a single value.
                                                                                                  	Cn []string `protobuf:"bytes,1,rep,name=cn,proto3" json:"cn,omitempty"` // Common Name (CN) of each CA
                                                                                                  	// contains filtered or unexported fields
                                                                                                  }

                                                                                                    ListCAsResponse is returned by ListCAs.

                                                                                                    func (*ListCAsResponse) Descriptor

                                                                                                    func (*ListCAsResponse) Descriptor() ([]byte, []int)

                                                                                                      Deprecated: Use ListCAsResponse.ProtoReflect.Descriptor instead.

                                                                                                      func (*ListCAsResponse) GetCn

                                                                                                      func (x *ListCAsResponse) GetCn() []string

                                                                                                      func (*ListCAsResponse) ProtoMessage

                                                                                                      func (*ListCAsResponse) ProtoMessage()

                                                                                                      func (*ListCAsResponse) ProtoReflect

                                                                                                      func (x *ListCAsResponse) ProtoReflect() protoreflect.Message

                                                                                                      func (*ListCAsResponse) Reset

                                                                                                      func (x *ListCAsResponse) Reset()

                                                                                                      func (*ListCAsResponse) String

                                                                                                      func (x *ListCAsResponse) String() string

                                                                                                      type ServiceAccountRule

                                                                                                      // ServiceAccountRule describes a single allowed case of using service
                                                                                                      // accounts: which end users may act as the listed accounts, and through
                                                                                                      // which proxy services.
                                                                                                      //
                                                                                                      // Note: in the process of being replaced with ServiceAccountsProjectMapping.
                                                                                                      type ServiceAccountRule struct {
                                                                                                      
                                                                                                      	// A descriptive name of this rule, for the audit log.
                                                                                                      	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
                                                                                                      	// Emails of the developers that own this rule, to know who to contact.
                                                                                                      	Owner []string `protobuf:"bytes,2,rep,name=owner,proto3" json:"owner,omitempty"`
                                                                                                      	// Emails of the service accounts that this rule applies to.
                                                                                                      	//
                                                                                                      	// Can be used to explicitly list service accounts in the config.
                                                                                                      	ServiceAccount []string `protobuf:"bytes,3,rep,name=service_account,json=serviceAccount,proto3" json:"service_account,omitempty"`
                                                                                                      	// Names of groups with service account emails this rule applies to.
                                                                                                      	//
                                                                                                      	// Works in addition to the explicit service account listing.
                                                                                                      	ServiceAccountGroup []string `protobuf:"bytes,9,rep,name=service_account_group,json=serviceAccountGroup,proto3" json:"service_account_group,omitempty"`
                                                                                                      	// OAuth scopes we allow to be granted to the OAuth token.
                                                                                                      	//
                                                                                                      	// Any subset of given scopes is allowed. This field is evaluated in
                                                                                                      	// MintOAuthTokenViaGrant RPC handler, right before generating the OAuth
                                                                                                      	// token.
                                                                                                      	//
                                                                                                      	// Merged with corresponding list from ServiceAccountRuleDefaults.
                                                                                                      	//
                                                                                                      	// NOTE(review): because of that merge, the effective scope set of a rule
                                                                                                      	// can be wider than what is listed here; read both lists when auditing
                                                                                                      	// what a rule permits.
                                                                                                      	AllowedScope []string `protobuf:"bytes,4,rep,name=allowed_scope,json=allowedScope,proto3" json:"allowed_scope,omitempty"`
                                                                                                      	// A set of identities that are allowed to act as the service account (perhaps
                                                                                                      	// indirectly through some other intermediary "proxy" service like Swarming).
                                                                                                      	//
                                                                                                      	// Users listed here are ultimately able to grab an OAuth token belonging to
                                                                                                      	// the service account.
                                                                                                      	//
                                                                                                      	// Each element is either:
                                                                                                      	//  * An identity string ("user:<email>").
                                                                                                      	//  * A group reference ("group:<name>").
                                                                                                      	//
                                                                                                      	// NOTE(review): a group reference presumably extends this access to
                                                                                                      	// everyone in the group; confirm who can change the membership of any
                                                                                                      	// group referenced here.
                                                                                                      	EndUser []string `protobuf:"bytes,5,rep,name=end_user,json=endUser,proto3" json:"end_user,omitempty"`
                                                                                                      	// A set of identities that are allowed to act on behalf of end users when
                                                                                                      	// grabbing an OAuth token for the service account.
                                                                                                      	//
                                                                                                      	// These identities represent "proxy" services that do something with service
                                                                                                      	// accounts on behalf of end users. Only identities in this set are allowed
                                                                                                      	// to perform MintOAuthTokenGrant RPC.
                                                                                                      	//
                                                                                                      	// Each element is either:
                                                                                                      	//  * An identity string ("user:<email>").
                                                                                                      	//  * A group reference ("group:<name>").
                                                                                                      	Proxy []string `protobuf:"bytes,6,rep,name=proxy,proto3" json:"proxy,omitempty"`
                                                                                                      	// Same as 'proxy', except for proxies specified here the end_user check is
                                                                                                      	// skipped: these proxies can grab a token for _any_ service account listed
                                                                                                      	// in the rule, regardless of who the end user is.
                                                                                                      	//
                                                                                                      	// The trusted proxies are assumed to authorize the end user already and
                                                                                                      	// the token server trusts this decision (thus the name of the field).
                                                                                                      	//
                                                                                                      	// NOTE(review): with the end_user check skipped, the proxy's own
                                                                                                      	// authorization is the only per-user control for every account matched
                                                                                                      	// by this rule. Keep this list as small as possible and review changes
                                                                                                      	// to it with the same care as changes to 'service_account'.
                                                                                                      	TrustedProxy []string `protobuf:"bytes,8,rep,name=trusted_proxy,json=trustedProxy,proto3" json:"trusted_proxy,omitempty"`
                                                                                                      	// Maximum allowed validity duration (sec) of OAuth token grants.
                                                                                                      	//
                                                                                                      	// The grant is minted by MintOAuthTokenGrant RPC (called, for example, when
                                                                                                      	// Swarming task is posted), and checked by MintOAuthTokenViaGrant RPC (called
                                                                                                      	// when the task actually runs). So the allowed validity duration should
                                                                                                      	// account for possible queuing delays.
                                                                                                      	//
                                                                                                      	// This duration has no relation to the OAuth token lifetime. The OAuth token
                                                                                                      	// produced by MintOAuthTokenViaGrant can always live up to 1h regardless of
                                                                                                      	// validity duration of the grant.
                                                                                                      	//
                                                                                                      	// Default is taken from ServiceAccountRuleDefaults or 48 hours if not
                                                                                                      	// specified there.
                                                                                                      	//
                                                                                                      	// NOTE(review): this value bounds how long a minted grant stays usable,
                                                                                                      	// not how long the resulting OAuth token lives; a shorter value narrows
                                                                                                      	// the window in which a leaked grant could still be exchanged.
                                                                                                      	MaxGrantValidityDuration int64 `` /* 138-byte string literal not displayed */
                                                                                                      	// contains filtered or unexported fields
                                                                                                      }

                                                                                                        ServiceAccountRule describes a single allowed case of using service accounts.

                                                                                                        The usage of a service account is initiated by an end user, through some "proxy" service. For example, when a user posts a Swarming task that uses a service account, the end user is whoever posts the task, and the proxy is the Swarming service itself.

                                                                                                        This rule specifies which end users are allowed to act as an account, and through which proxies.

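                                                                                                        Some proxies can be declared as "trusted", in which case they are allowed to use any service account declared by the rule, regardless of who the end user is. For such proxies the token server skips the end_user check and relies on the proxy having already authorized the end user.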

                                                                                                        Note: in the process of being replaced with ServiceAccountsProjectMapping.

                                                                                                        func (*ServiceAccountRule) Descriptor

                                                                                                        func (*ServiceAccountRule) Descriptor() ([]byte, []int)

                                                                                                          Deprecated: Use ServiceAccountRule.ProtoReflect.Descriptor instead.

                                                                                                          func (*ServiceAccountRule) GetAllowedScope

                                                                                                          func (x *ServiceAccountRule) GetAllowedScope() []string

                                                                                                          func (*ServiceAccountRule) GetEndUser

                                                                                                          func (x *ServiceAccountRule) GetEndUser() []string

                                                                                                          func (*ServiceAccountRule) GetMaxGrantValidityDuration

                                                                                                          func (x *ServiceAccountRule) GetMaxGrantValidityDuration() int64

                                                                                                          func (*ServiceAccountRule) GetName

                                                                                                          func (x *ServiceAccountRule) GetName() string

                                                                                                          func (*ServiceAccountRule) GetOwner

                                                                                                          func (x *ServiceAccountRule) GetOwner() []string

                                                                                                          func (*ServiceAccountRule) GetProxy

                                                                                                          func (x *ServiceAccountRule) GetProxy() []string

                                                                                                          func (*ServiceAccountRule) GetServiceAccount

                                                                                                          func (x *ServiceAccountRule) GetServiceAccount() []string

                                                                                                          func (*ServiceAccountRule) GetServiceAccountGroup

                                                                                                          func (x *ServiceAccountRule) GetServiceAccountGroup() []string

                                                                                                          func (*ServiceAccountRule) GetTrustedProxy

                                                                                                          func (x *ServiceAccountRule) GetTrustedProxy() []string

                                                                                                          func (*ServiceAccountRule) ProtoMessage

                                                                                                          func (*ServiceAccountRule) ProtoMessage()

                                                                                                          func (*ServiceAccountRule) ProtoReflect

                                                                                                          func (x *ServiceAccountRule) ProtoReflect() protoreflect.Message

                                                                                                          func (*ServiceAccountRule) Reset

                                                                                                          func (x *ServiceAccountRule) Reset()

                                                                                                          func (*ServiceAccountRule) String

                                                                                                          func (x *ServiceAccountRule) String() string

                                                                                                          type ServiceAccountRuleDefaults

                                                                                                          // ServiceAccountRuleDefaults specifies some default values applied to all
                                                                                                          // service account rules, to reduce duplication.
                                                                                                          //
                                                                                                          // Note: in the process of being replaced with ServiceAccountsProjectMapping.
                                                                                                          type ServiceAccountRuleDefaults struct {
                                                                                                          
                                                                                                          	// OAuth scopes we allow to be granted to all generated OAuth tokens.
                                                                                                          	//
                                                                                                          	// Always merged with the 'allowed_scope' field of each ServiceAccountRule
                                                                                                          	// to get the final list of scopes.
                                                                                                          	//
                                                                                                          	// NOTE(review): a scope listed here becomes grantable under every rule,
                                                                                                          	// so this list should hold only scopes that are acceptable for all
                                                                                                          	// service accounts covered by the config.
                                                                                                          	AllowedScope []string `protobuf:"bytes,1,rep,name=allowed_scope,json=allowedScope,proto3" json:"allowed_scope,omitempty"`
                                                                                                          	// Default value for corresponding ServiceAccountRule field, if not specified
                                                                                                          	// there.
                                                                                                          	//
                                                                                                          	// Default is 48 hours.
                                                                                                          	//
                                                                                                          	// NOTE(review): presumably expressed in seconds, like the
                                                                                                          	// ServiceAccountRule field it provides a default for; confirm.
                                                                                                          	MaxGrantValidityDuration int64 `` /* 138-byte string literal not displayed */
                                                                                                          	// contains filtered or unexported fields
                                                                                                          }

                                                                                                            ServiceAccountRuleDefaults specifies some default values applied to all service account rules, to reduce duplication.

                                                                                                            Note: in the process of being replaced with ServiceAccountsProjectMapping.

                                                                                                            func (*ServiceAccountRuleDefaults) Descriptor

                                                                                                            func (*ServiceAccountRuleDefaults) Descriptor() ([]byte, []int)

                                                                                                              Deprecated: Use ServiceAccountRuleDefaults.ProtoReflect.Descriptor instead.

                                                                                                              func (*ServiceAccountRuleDefaults) GetAllowedScope

                                                                                                              func (x *ServiceAccountRuleDefaults) GetAllowedScope() []string

                                                                                                              func (*ServiceAccountRuleDefaults) GetMaxGrantValidityDuration

                                                                                                              func (x *ServiceAccountRuleDefaults) GetMaxGrantValidityDuration() int64

                                                                                                              func (*ServiceAccountRuleDefaults) ProtoMessage

                                                                                                              func (*ServiceAccountRuleDefaults) ProtoMessage()

                                                                                                              func (*ServiceAccountRuleDefaults) ProtoReflect

                                                                                                              func (*ServiceAccountRuleDefaults) Reset

                                                                                                              func (x *ServiceAccountRuleDefaults) Reset()

                                                                                                              func (*ServiceAccountRuleDefaults) String

                                                                                                              func (x *ServiceAccountRuleDefaults) String() string

                                                                                                              type ServiceAccountsPermissions

                                                                                                              // ServiceAccountsPermissions is read from service_accounts.cfg in luci-config.
                                                                                                              //
                                                                                                              // Note: in the process of being replaced with ServiceAccountsProjectMapping.
                                                                                                              type ServiceAccountsPermissions struct {
                                                                                                              
                                                                                                              	// Rules specify how MintOAuthTokenViaGrant can be used.
                                                                                                              	//
                                                                                                              	// Rules define a mapping {service account email -> authorization config},
                                                                                                              	// where 'service account email' is matched to a set of emails specified via
                                                                                                              	// 'service_account' and 'service_account_group' fields of ServiceAccountRule,
                                                                                                              	// and 'authorization config' is the rest of fields in ServiceAccountRule that
                                                                                                              	// define how exactly the given service account is allowed to be used.
                                                                                                              	//
                                                                                                              	// If a service account email matches two (or more) rules, perhaps via
                                                                                                              	// different groups, an error will be returned. Ambiguity is not allowed.
                                                                                                              	//
                                                                                                              	// NOTE(review): this text does not say whether the error is raised when
                                                                                                              	// the config is imported or when a token is requested; group membership
                                                                                                              	// can change after import, so confirm where the check runs.
                                                                                                              	//
                                                                                                              	// See ServiceAccountRule comments for more details.
                                                                                                              	Rules []*ServiceAccountRule `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
                                                                                                              	// Defaults specifies some default values applied to all rules, to reduce
                                                                                                              	// duplication.
                                                                                                              	//
                                                                                                              	// See docs for individual fields to figure out how defaults are merged into
                                                                                                              	// the rules.
                                                                                                              	Defaults *ServiceAccountRuleDefaults `protobuf:"bytes,2,opt,name=defaults,proto3" json:"defaults,omitempty"`
                                                                                                              	// contains filtered or unexported fields
                                                                                                              }

                                                                                                                ServiceAccountsPermissions is read from service_accounts.cfg in luci-config.

                                                                                                                Note: in the process of being replaced with ServiceAccountsProjectMapping.

                                                                                                                func (*ServiceAccountsPermissions) Descriptor

                                                                                                                func (*ServiceAccountsPermissions) Descriptor() ([]byte, []int)

                                                                                                                  Deprecated: Use ServiceAccountsPermissions.ProtoReflect.Descriptor instead.

                                                                                                                  func (*ServiceAccountsPermissions) GetDefaults

                                                                                                                  func (*ServiceAccountsPermissions) GetRules

                                                                                                                  func (*ServiceAccountsPermissions) ProtoMessage

                                                                                                                  func (*ServiceAccountsPermissions) ProtoMessage()

                                                                                                                  func (*ServiceAccountsPermissions) ProtoReflect

                                                                                                                  func (*ServiceAccountsPermissions) Reset

                                                                                                                  func (x *ServiceAccountsPermissions) Reset()

                                                                                                                  func (*ServiceAccountsPermissions) String

                                                                                                                  func (x *ServiceAccountsPermissions) String() string

                                                                                                                  type ServiceAccountsProjectMapping

                                                                                                                  // ServiceAccountsProjectMapping defines what service accounts belong to
                                                                                                                  // what LUCI projects. It is used by MintServiceAccountToken RPC as a final
                                                                                                                  // authorization step, after checking that the usage of the service account
                                                                                                                  // is allowed by Realms ACLs, and is stored as project_owned_accounts.cfg in
                                                                                                                  // luci-config.
                                                                                                                  type ServiceAccountsProjectMapping struct {
                                                                                                                  
                                                                                                                  	// Each entry maps a set of service accounts to one or more projects.
                                                                                                                  	Mapping []*ServiceAccountsProjectMapping_Mapping `protobuf:"bytes,1,rep,name=mapping,proto3" json:"mapping,omitempty"`
                                                                                                                  	// contains filtered or unexported fields
                                                                                                                  }

                                                                                                                    ServiceAccountsProjectMapping defines what service accounts belong to what LUCI projects.

                                                                                                                    Used by MintServiceAccountToken RPC as a final authorization step, after checking that the usage of the service account is allowed by Realms ACLs.

                                                                                                                    This is a stopgap solution until the Token Server learns to use project-scoped accounts when calling Cloud IAM. Once this happens, we can move information contained in ServiceAccountsProjectMapping into Cloud IAM permissions.

                                                                                                                    This message is stored as project_owned_accounts.cfg in luci-config.

                                                                                                                    func (*ServiceAccountsProjectMapping) Descriptor

                                                                                                                    func (*ServiceAccountsProjectMapping) Descriptor() ([]byte, []int)

                                                                                                                      Deprecated: Use ServiceAccountsProjectMapping.ProtoReflect.Descriptor instead.

                                                                                                                      func (*ServiceAccountsProjectMapping) GetMapping

                                                                                                                      func (*ServiceAccountsProjectMapping) ProtoMessage

                                                                                                                      func (*ServiceAccountsProjectMapping) ProtoMessage()

                                                                                                                      func (*ServiceAccountsProjectMapping) ProtoReflect

                                                                                                                      func (*ServiceAccountsProjectMapping) Reset

                                                                                                                      func (x *ServiceAccountsProjectMapping) Reset()

                                                                                                                      func (*ServiceAccountsProjectMapping) String

                                                                                                                      type ServiceAccountsProjectMapping_Mapping

                                                                                                                      // ServiceAccountsProjectMapping_Mapping is one entry of
                                                                                                                      // ServiceAccountsProjectMapping.Mapping.
                                                                                                                      //
                                                                                                                      // Every account listed in ServiceAccount is allowed to be used by every
                                                                                                                      // project listed in Project, so adding a project to an existing entry gives
                                                                                                                      // it all accounts already in that entry, and adding an account exposes it to
                                                                                                                      // all projects in that entry. Use separate entries for projects that should
                                                                                                                      // not share accounts.
                                                                                                                      type ServiceAccountsProjectMapping_Mapping struct {
                                                                                                                      
                                                                                                                      	// Names of LUCI projects.
                                                                                                                      	Project []string `protobuf:"bytes,1,rep,name=project,proto3" json:"project,omitempty"`
                                                                                                                      	// Emails of service accounts allowed to be used by all these projects.
                                                                                                                      	ServiceAccount []string `protobuf:"bytes,2,rep,name=service_account,json=serviceAccount,proto3" json:"service_account,omitempty"`
                                                                                                                      	// contains filtered or unexported fields
                                                                                                                      }

                                                                                                                      func (*ServiceAccountsProjectMapping_Mapping) Descriptor

                                                                                                                      func (*ServiceAccountsProjectMapping_Mapping) Descriptor() ([]byte, []int)

                                                                                                                        Deprecated: Use ServiceAccountsProjectMapping_Mapping.ProtoReflect.Descriptor instead.

                                                                                                                        func (*ServiceAccountsProjectMapping_Mapping) GetProject

                                                                                                                        func (*ServiceAccountsProjectMapping_Mapping) GetServiceAccount

                                                                                                                        func (x *ServiceAccountsProjectMapping_Mapping) GetServiceAccount() []string

                                                                                                                        func (*ServiceAccountsProjectMapping_Mapping) ProtoMessage

                                                                                                                        func (*ServiceAccountsProjectMapping_Mapping) ProtoMessage()

                                                                                                                        func (*ServiceAccountsProjectMapping_Mapping) ProtoReflect

                                                                                                                        func (*ServiceAccountsProjectMapping_Mapping) Reset

                                                                                                                        func (*ServiceAccountsProjectMapping_Mapping) String

                                                                                                                        type TokenServerConfig

                                                                                                                        // TokenServerConfig is read from tokenserver.cfg in luci-config.
                                                                                                                        type TokenServerConfig struct {
                                                                                                                        
                                                                                                                        	// List of CAs we trust.
                                                                                                                        	// NOTE(review): how this trust is applied is not visible in this listing;
                                                                                                                        	// presumably certificates issued by these CAs are accepted by the server,
                                                                                                                        	// which would make every added entry a widening of the trust boundary. Confirm.
                                                                                                                        	CertificateAuthority []*CertificateAuthorityConfig `protobuf:"bytes,1,rep,name=certificate_authority,json=certificateAuthority,proto3" json:"certificate_authority,omitempty"`
                                                                                                                        	// contains filtered or unexported fields
                                                                                                                        }

                                                                                                                          TokenServerConfig is read from tokenserver.cfg in luci-config.

                                                                                                                          func (*TokenServerConfig) Descriptor

                                                                                                                          func (*TokenServerConfig) Descriptor() ([]byte, []int)

                                                                                                                            Deprecated: Use TokenServerConfig.ProtoReflect.Descriptor instead.

                                                                                                                            func (*TokenServerConfig) GetCertificateAuthority

                                                                                                                            func (x *TokenServerConfig) GetCertificateAuthority() []*CertificateAuthorityConfig

                                                                                                                            func (*TokenServerConfig) ProtoMessage

                                                                                                                            func (*TokenServerConfig) ProtoMessage()

                                                                                                                            func (*TokenServerConfig) ProtoReflect

                                                                                                                            func (x *TokenServerConfig) ProtoReflect() protoreflect.Message

                                                                                                                            func (*TokenServerConfig) Reset

                                                                                                                            func (x *TokenServerConfig) Reset()

                                                                                                                            func (*TokenServerConfig) String

                                                                                                                            func (x *TokenServerConfig) String() string

                                                                                                                            type UnimplementedAdminServer

                                                                                                                            // UnimplementedAdminServer must be embedded to have forward compatible
                                                                                                                            // implementations.
                                                                                                                            //
                                                                                                                            // NOTE(review): presumably the usual generated gRPC stub whose methods
                                                                                                                            // report each RPC as unimplemented; confirm against the generated source.
                                                                                                                            // Embedding it does not add any authorization check to the admin RPCs.
                                                                                                                            type UnimplementedAdminServer struct {
                                                                                                                            }

                                                                                                                              UnimplementedAdminServer must be embedded to have forward compatible implementations.

                                                                                                                              func (UnimplementedAdminServer) ImportCAConfigs

                                                                                                                              func (UnimplementedAdminServer) ImportDelegationConfigs

                                                                                                                              func (UnimplementedAdminServer) ImportDelegationConfigs(context.Context, *empty.Empty) (*ImportedConfigs, error)

                                                                                                                              func (UnimplementedAdminServer) ImportProjectIdentityConfigs

                                                                                                                              func (UnimplementedAdminServer) ImportProjectIdentityConfigs(context.Context, *empty.Empty) (*ImportedConfigs, error)

                                                                                                                              func (UnimplementedAdminServer) ImportProjectOwnedAccountsConfigs

                                                                                                                              func (UnimplementedAdminServer) ImportProjectOwnedAccountsConfigs(context.Context, *empty.Empty) (*ImportedConfigs, error)

                                                                                                                              func (UnimplementedAdminServer) ImportServiceAccountsConfigs

                                                                                                                              func (UnimplementedAdminServer) ImportServiceAccountsConfigs(context.Context, *empty.Empty) (*ImportedConfigs, error)

                                                                                                                              type UnimplementedCertificateAuthoritiesServer

                                                                                                                              // UnimplementedCertificateAuthoritiesServer must be embedded to have forward
                                                                                                                              // compatible implementations.
                                                                                                                              //
                                                                                                                              // NOTE(review): presumably the usual generated gRPC stub whose methods
                                                                                                                              // report each RPC as unimplemented; confirm against the generated source.
                                                                                                                              type UnimplementedCertificateAuthoritiesServer struct {
                                                                                                                              }

                                                                                                                                UnimplementedCertificateAuthoritiesServer must be embedded to have forward compatible implementations.

                                                                                                                                func (UnimplementedCertificateAuthoritiesServer) CheckCertificate

                                                                                                                                func (UnimplementedCertificateAuthoritiesServer) FetchCRL

                                                                                                                                func (UnimplementedCertificateAuthoritiesServer) GetCAStatus

                                                                                                                                func (UnimplementedCertificateAuthoritiesServer) IsRevokedCert

                                                                                                                                func (UnimplementedCertificateAuthoritiesServer) ListCAs

                                                                                                                                type UnsafeAdminServer

                                                                                                                                // UnsafeAdminServer may be embedded to opt out of forward compatibility for
                                                                                                                                // the Admin service. Its use is not recommended: methods later added to
                                                                                                                                // AdminServer will then result in compilation errors.
                                                                                                                                type UnsafeAdminServer interface {
                                                                                                                                	// contains filtered or unexported methods
                                                                                                                                }

                                                                                                                                  UnsafeAdminServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as methods added to AdminServer will result in compilation errors.

                                                                                                                                  type UnsafeCertificateAuthoritiesServer

                                                                                                                                  // UnsafeCertificateAuthoritiesServer may be embedded to opt out of forward
                                                                                                                                  // compatibility for the CertificateAuthorities service. Its use is not
                                                                                                                                  // recommended: methods later added to CertificateAuthoritiesServer will then
                                                                                                                                  // result in compilation errors.
                                                                                                                                  type UnsafeCertificateAuthoritiesServer interface {
                                                                                                                                  	// contains filtered or unexported methods
                                                                                                                                  }

                                                                                                                                    UnsafeCertificateAuthoritiesServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as methods added to CertificateAuthoritiesServer will result in compilation errors.