Documentation

Overview

    Package tokenserver contains common protobuf messages for the token server.

    Index

    Constants

    This section is empty.

    Variables

    // Enum value maps for MachineTokenType, in the shape the protobuf Go
    // generator emits: name by number and number by name.
    //
    // Number 1 is deliberately absent -- the enum reserves it (see
    // MachineTokenType) -- so a wire value of 1 resolves in neither map.
    // Code doing its own lookups here must treat a missing entry as an
    // unknown kind, not as a silently accepted one.
    var (
    	MachineTokenType_name = map[int32]string{
    		0: "UNKNOWN_TYPE",
    		2: "LUCI_MACHINE_TOKEN",
    	}
    	MachineTokenType_value = map[string]int32{
    		"UNKNOWN_TYPE":       0,
    		"LUCI_MACHINE_TOKEN": 2,
    	}
    )

      Enum value maps for MachineTokenType.

      // File_go_chromium_org_luci_tokenserver_api_machine_token_proto is the
      // protobuf file descriptor for machine_token.proto, exposed for proto
      // reflection (presumably the file defining MachineTokenBody,
      // MachineTokenEnvelope and MachineTokenType, judging by the names).
      var File_go_chromium_org_luci_tokenserver_api_machine_token_proto protoreflect.FileDescriptor
      // File_go_chromium_org_luci_tokenserver_api_oauth_token_grant_proto is the
      // protobuf file descriptor for oauth_token_grant.proto, exposed for proto
      // reflection (presumably the file defining OAuthTokenGrantBody and
      // OAuthTokenGrantEnvelope, judging by the names).
      var File_go_chromium_org_luci_tokenserver_api_oauth_token_grant_proto protoreflect.FileDescriptor
      // File_go_chromium_org_luci_tokenserver_api_token_file_proto is the
      // protobuf file descriptor for token_file.proto, exposed for proto
      // reflection (presumably the file defining TokenFile).
      var File_go_chromium_org_luci_tokenserver_api_token_file_proto protoreflect.FileDescriptor

      Functions

      This section is empty.

      Types

      type MachineTokenBody

      // MachineTokenBody is the signed payload of a machine token. It is carried
      // as opaque bytes inside MachineTokenEnvelope, and nothing in it is
      // trustworthy until the envelope signature has been verified over those
      // exact bytes and the issuer has been authorised (see issued_by). Every
      // field below is therefore "verified-then-trusted", not "trusted on read".
      type MachineTokenBody struct {
      
      	// Machine identity this token conveys (machine FQDN).
      	//
      	// It is extracted from a Common Name of a certificate used as a basis for
      	// the token. Consequently the set of FQDNs a token can assert is bounded
      	// only by what the configured CAs will put in a CN: a CA that issues
      	// certificates with arbitrary CNs can mint tokens for any machine name.
      	MachineFqdn string `protobuf:"bytes,1,opt,name=machine_fqdn,json=machineFqdn,proto3" json:"machine_fqdn,omitempty"`
      	// Service account email that signed this token.
      	//
      	// When verifying the token backends will check that the issuer is in
      	// "auth-token-servers" group. This group membership is the trust anchor
      	// for the token: a body whose issuer is outside the group must be
      	// rejected regardless of whether some key verifies the signature.
      	IssuedBy string `protobuf:"bytes,2,opt,name=issued_by,json=issuedBy,proto3" json:"issued_by,omitempty"`
      	// Unix timestamp in seconds when this token was issued. Required.
      	//
      	// NOTE(review): verifiers should reject issued_at values in the future
      	// beyond a small clock-skew allowance, not only expired tokens; a
      	// far-future issued_at otherwise extends the effective lifetime.
      	IssuedAt uint64 `protobuf:"varint,3,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"`
      	// Number of seconds the token is considered valid.
      	//
      	// Usually 3600. Set by the token server. Required.
      	//
      	// Expiry is issued_at + lifetime. Both are uint64, so a verifier that
      	// forms that sum should cap lifetime (or use checked arithmetic) rather
      	// than let an oversized value wrap around to a past or distant instant.
      	Lifetime uint64 `protobuf:"varint,4,opt,name=lifetime,proto3" json:"lifetime,omitempty"`
      	// Id of a CA that issued machine certificate used to make this token.
      	//
      	// These IDs are defined in token server config (via unique_id field).
      	CaId int64 `protobuf:"varint,5,opt,name=ca_id,json=caId,proto3" json:"ca_id,omitempty"`
      	// Serial number of the machine certificate used to make this token.
      	//
      	// ca_id and cert_sn together uniquely identify the certificate, and can be
      	// used to check for certificate revocation (by asking token server whether
      	// the given certificate is in CRL). Revocation checks are optional, most
      	// callers can rely on expiration checks only.
      	//
      	// Security consequence of skipping the CRL check: a token minted from a
      	// certificate that is revoked afterwards stays usable until the token
      	// expires (normally up to an hour, per lifetime). Callers gating
      	// sensitive operations should do the revocation check.
      	//
      	// Fitting the serial into a uint64 is an assumption about the configured
      	// CAs; general X.509 serials may be up to 20 octets and are often
      	// random, and such certificates could not be represented here.
      	CertSn uint64 `protobuf:"varint,6,opt,name=cert_sn,json=certSn,proto3" json:"cert_sn,omitempty"`
      	// contains filtered or unexported fields
      }

        MachineTokenBody describes internal structure of the machine token.

        The token will be put in HTTP headers and its body shouldn't be too large. For that reason we use unix timestamps instead of google.protobuf.Timestamp (no need for microsecond precision), and assume certificate serial numbers are smallish uint64 integers (not random blobs).

        func (*MachineTokenBody) Descriptor

        func (*MachineTokenBody) Descriptor() ([]byte, []int)

          Deprecated: Use MachineTokenBody.ProtoReflect.Descriptor instead.

          func (*MachineTokenBody) GetCaId

          func (x *MachineTokenBody) GetCaId() int64

          func (*MachineTokenBody) GetCertSn

          func (x *MachineTokenBody) GetCertSn() uint64

          func (*MachineTokenBody) GetIssuedAt

          func (x *MachineTokenBody) GetIssuedAt() uint64

          func (*MachineTokenBody) GetIssuedBy

          func (x *MachineTokenBody) GetIssuedBy() string

          func (*MachineTokenBody) GetLifetime

          func (x *MachineTokenBody) GetLifetime() uint64

          func (*MachineTokenBody) GetMachineFqdn

          func (x *MachineTokenBody) GetMachineFqdn() string

          func (*MachineTokenBody) ProtoMessage

          func (*MachineTokenBody) ProtoMessage()

          func (*MachineTokenBody) ProtoReflect

          func (x *MachineTokenBody) ProtoReflect() protoreflect.Message

          func (*MachineTokenBody) Reset

          func (x *MachineTokenBody) Reset()

          func (*MachineTokenBody) String

          func (x *MachineTokenBody) String() string

          type MachineTokenEnvelope

          // MachineTokenEnvelope wraps a serialized MachineTokenBody with the
          // signature that authenticates it. The signature covers the raw
          // token_body bytes, so a verifier must check it against the bytes
          // exactly as received and only then unmarshal the body; decoding first
          // and re-serializing can yield different bytes and a false rejection
          // (or, worse, a verifier that skips the check on a parse error).
          //
          // key_id is not itself authenticated: until the signature verifies it is
          // attacker-controlled input. Use it solely to select among the token
          // server's own published signing keys, never to fetch a key from a
          // location the token names, and reject unknown ids.
          //
          // NOTE(review): the field name says RSA + SHA-256 but not the padding
          // scheme; the sibling OAuthTokenGrantEnvelope spells out PKCS#1.
          // Confirm the exact scheme against the token server's signing code
          // before implementing an independent verifier.
          type MachineTokenEnvelope struct {
          	TokenBody []byte `protobuf:"bytes,1,opt,name=token_body,json=tokenBody,proto3" json:"token_body,omitempty"` // serialized MachineTokenBody
          	KeyId     string `protobuf:"bytes,2,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"`             // id of a token server private key used for signing
          	RsaSha256 []byte `protobuf:"bytes,3,opt,name=rsa_sha256,json=rsaSha256,proto3" json:"rsa_sha256,omitempty"` // signature of 'token_body'
          	// contains filtered or unexported fields
          }

            MachineTokenEnvelope is what is actually being serialized and represented as a machine token (after being encoded using base64 standard raw encoding).

            Resulting token (including base64 encoding) is usually ~500 bytes long.

            func (*MachineTokenEnvelope) Descriptor

            func (*MachineTokenEnvelope) Descriptor() ([]byte, []int)

              Deprecated: Use MachineTokenEnvelope.ProtoReflect.Descriptor instead.

              func (*MachineTokenEnvelope) GetKeyId

              func (x *MachineTokenEnvelope) GetKeyId() string

              func (*MachineTokenEnvelope) GetRsaSha256

              func (x *MachineTokenEnvelope) GetRsaSha256() []byte

              func (*MachineTokenEnvelope) GetTokenBody

              func (x *MachineTokenEnvelope) GetTokenBody() []byte

              func (*MachineTokenEnvelope) ProtoMessage

              func (*MachineTokenEnvelope) ProtoMessage()

              func (*MachineTokenEnvelope) ProtoReflect

              func (x *MachineTokenEnvelope) ProtoReflect() protoreflect.Message

              func (*MachineTokenEnvelope) Reset

              func (x *MachineTokenEnvelope) Reset()

              func (*MachineTokenEnvelope) String

              func (x *MachineTokenEnvelope) String() string

              type MachineTokenType

              // MachineTokenType enumerates the kinds of machine token the token
              // server can mint. On the wire it is a plain int32, so any number --
              // the reserved 1, or values never defined -- can arrive in a request;
              // validate against the defined constants rather than assuming the
              // value names a known kind.
              type MachineTokenType int32

                The kinds of machine tokens the token server can mint.

                Passed to MintMachineToken and InspectMachineToken.

                Reserved: 1.

                // Defined MachineTokenType values. Number 1 is reserved and must not
                // be reused for a new kind (old clients may still send it).
                //
                // UNKNOWN_TYPE is the proto3 zero value, i.e. what an unset field
                // decodes to. Request handlers should reject it explicitly rather
                // than let it fall through to a default token kind.
                const (
                	MachineTokenType_UNKNOWN_TYPE       MachineTokenType = 0 // used if the field is not initialized
                	MachineTokenType_LUCI_MACHINE_TOKEN MachineTokenType = 2 // matches serialized MachineTokenEnvelope
                )

                func (MachineTokenType) Descriptor

                func (MachineTokenType) Enum

                func (MachineTokenType) EnumDescriptor

                func (MachineTokenType) EnumDescriptor() ([]byte, []int)

                  Deprecated: Use MachineTokenType.Descriptor instead.

                  func (MachineTokenType) Number

                  func (MachineTokenType) String

                  func (x MachineTokenType) String() string

                  func (MachineTokenType) Type

                  type OAuthTokenGrantBody

                  // OAuthTokenGrantBody is the signed payload of an OAuth token grant:
                  // a delegation record saying that proxy may obtain OAuth tokens for
                  // service_account on behalf of end_user for a bounded time. It is
                  // carried as opaque bytes in OAuthTokenGrantEnvelope and must be
                  // treated as untrusted until that envelope's signature is verified.
                  type OAuthTokenGrantBody struct {
                  
                  	// Identifier of this token as generated by the token server.
                  	//
                  	// Used for logging and tracking purposes.
                  	//
                  	// TODO(vadimsh): It may later be used for revocation purposes.
                  	//
                  	// Until that TODO lands there is no per-grant revocation: a leaked
                  	// grant stays usable until validity_duration elapses or the token
                  	// server policy stops allowing it (see validity_duration).
                  	TokenId int64 `protobuf:"varint,1,opt,name=token_id,json=tokenId,proto3" json:"token_id,omitempty"`
                  	// Service account email the end user wants to act as.
                  	ServiceAccount string `protobuf:"bytes,2,opt,name=service_account,json=serviceAccount,proto3" json:"service_account,omitempty"`
                  	// Who can pass this token to MintOAuthTokenViaGrant to get an OAuth token.
                  	//
                  	// A string of the form "user:<email>". On Swarming, this is Swarming's own
                  	// service account name.
                  	//
                  	// This binds the grant to one caller: MintOAuthTokenViaGrant should
                  	// compare the authenticated RPC caller against this value and refuse
                  	// the grant on mismatch, so a grant stolen from one proxy is useless
                  	// to another.
                  	Proxy string `protobuf:"bytes,3,opt,name=proxy,proto3" json:"proxy,omitempty"`
                  	// An end user that wants to act as the service account (perhaps indirectly).
                  	//
                  	// A string of the form "user:<email>". On Swarming, this is an identity of
                  	// a user that posted the task.
                  	//
                  	// Used by MintOAuthTokenViaGrant to recheck that the access is still allowed.
                  	EndUser string `protobuf:"bytes,4,opt,name=end_user,json=endUser,proto3" json:"end_user,omitempty"`
                  	// When the token was generated (and when it becomes valid).
                  	//
                  	// NOTE(review): a nil timestamp or one in the future (beyond a small
                  	// skew allowance) should be rejected rather than defaulted.
                  	IssuedAt *timestamppb.Timestamp `protobuf:"bytes,5,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"`
                  	// How long the token is considered valid (in seconds).
                  	//
                  	// It may become invalid sooner if the token server policy changes and the
                  	// new policy doesn't allow this token.
                  	//
                  	// The field is a signed int64, so zero and negative values are
                  	// representable; a verifier should require a positive duration and
                  	// bound it, since issued_at + validity_duration is the only expiry.
                  	ValidityDuration int64 `protobuf:"varint,6,opt,name=validity_duration,json=validityDuration,proto3" json:"validity_duration,omitempty"`
                  	// contains filtered or unexported fields
                  }

                    OAuthTokenGrantBody contains the internal guts of an oauth token grant.

                    It gets serialized, signed and stuffed into OAuthTokenGrantEnvelope, which then also gets serialized to get the final blob with the grant. This blob is then base64-encoded and returned to the caller of MintOAuthTokenGrant.

                    func (*OAuthTokenGrantBody) Descriptor

                    func (*OAuthTokenGrantBody) Descriptor() ([]byte, []int)

                      Deprecated: Use OAuthTokenGrantBody.ProtoReflect.Descriptor instead.

                      func (*OAuthTokenGrantBody) GetEndUser

                      func (x *OAuthTokenGrantBody) GetEndUser() string

                      func (*OAuthTokenGrantBody) GetIssuedAt

                      func (x *OAuthTokenGrantBody) GetIssuedAt() *timestamppb.Timestamp

                      func (*OAuthTokenGrantBody) GetProxy

                      func (x *OAuthTokenGrantBody) GetProxy() string

                      func (*OAuthTokenGrantBody) GetServiceAccount

                      func (x *OAuthTokenGrantBody) GetServiceAccount() string

                      func (*OAuthTokenGrantBody) GetTokenId

                      func (x *OAuthTokenGrantBody) GetTokenId() int64

                      func (*OAuthTokenGrantBody) GetValidityDuration

                      func (x *OAuthTokenGrantBody) GetValidityDuration() int64

                      func (*OAuthTokenGrantBody) ProtoMessage

                      func (*OAuthTokenGrantBody) ProtoMessage()

                      func (*OAuthTokenGrantBody) ProtoReflect

                      func (x *OAuthTokenGrantBody) ProtoReflect() protoreflect.Message

                      func (*OAuthTokenGrantBody) Reset

                      func (x *OAuthTokenGrantBody) Reset()

                      func (*OAuthTokenGrantBody) String

                      func (x *OAuthTokenGrantBody) String() string

                      type OAuthTokenGrantEnvelope

                      // OAuthTokenGrantEnvelope wraps a serialized OAuthTokenGrantBody with
                      // the token server's signature over it. The signature is computed on
                      // the raw token_body bytes, so verify it against the bytes as received
                      // before unmarshaling the body.
                      //
                      // key_id is unauthenticated until the signature verifies; use it only
                      // to pick one of the token server's own signing keys and reject ids
                      // that are not known. The field name says PKCS#1 with SHA-256
                      // (presumably PKCS#1 v1.5 rather than PSS -- confirm against the
                      // signing code before writing an independent verifier).
                      type OAuthTokenGrantEnvelope struct {
                      	TokenBody      []byte `protobuf:"bytes,1,opt,name=token_body,json=tokenBody,proto3" json:"token_body,omitempty"`                  // serialized OAuthTokenGrantBody
                      	KeyId          string `protobuf:"bytes,2,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"`                              // id of a token server private key used for signing
                      	Pkcs1Sha256Sig []byte `protobuf:"bytes,3,opt,name=pkcs1_sha256_sig,json=pkcs1Sha256Sig,proto3" json:"pkcs1_sha256_sig,omitempty"` // signature of 'token_body'
                      	// contains filtered or unexported fields
                      }

                        OAuthTokenGrantEnvelope is what is actually serialized and sent to the callers of MintOAuthTokenGrant (after being encoded using base64 standard raw encoding).

                        func (*OAuthTokenGrantEnvelope) Descriptor

                        func (*OAuthTokenGrantEnvelope) Descriptor() ([]byte, []int)

                          Deprecated: Use OAuthTokenGrantEnvelope.ProtoReflect.Descriptor instead.

                          func (*OAuthTokenGrantEnvelope) GetKeyId

                          func (x *OAuthTokenGrantEnvelope) GetKeyId() string

                          func (*OAuthTokenGrantEnvelope) GetPkcs1Sha256Sig

                          func (x *OAuthTokenGrantEnvelope) GetPkcs1Sha256Sig() []byte

                          func (*OAuthTokenGrantEnvelope) GetTokenBody

                          func (x *OAuthTokenGrantEnvelope) GetTokenBody() []byte

                          func (*OAuthTokenGrantEnvelope) ProtoMessage

                          func (*OAuthTokenGrantEnvelope) ProtoMessage()

                          func (*OAuthTokenGrantEnvelope) ProtoReflect

                          func (x *OAuthTokenGrantEnvelope) ProtoReflect() protoreflect.Message

                          func (*OAuthTokenGrantEnvelope) Reset

                          func (x *OAuthTokenGrantEnvelope) Reset()

                          func (*OAuthTokenGrantEnvelope) String

                          func (x *OAuthTokenGrantEnvelope) String() string

                          type TokenFile

                          // TokenFile is the on-disk (JSON) record through which machine tokens
                          // are handed to local consumers.
                          //
                          // It holds live bearer credentials (access_token, luci_machine_token),
                          // so the file is secret material: it must be readable only by the
                          // processes meant to use it, and must not be logged or copied
                          // wholesale. The message itself says nothing about file permissions;
                          // that is the writer's (tokend's) responsibility to enforce.
                          type TokenFile struct {
                          
                          	// Google OAuth2 access token of a machine service account.
                          	//
                          	// A bearer credential: anyone holding it can act as the service
                          	// account until expiry.
                          	AccessToken string `protobuf:"bytes,1,opt,name=access_token,proto3" json:"access_token,omitempty"`
                          	// OAuth2 access token type, usually "Bearer".
                          	TokenType string `protobuf:"bytes,2,opt,name=token_type,proto3" json:"token_type,omitempty"`
                          	// Machine token understood by LUCI backends (alternative to access_token).
                          	//
                          	// Presumably the base64-encoded MachineTokenEnvelope described in this
                          	// package; equally a bearer credential for the machine identity.
                          	LuciMachineToken string `protobuf:"bytes,3,opt,name=luci_machine_token,proto3" json:"luci_machine_token,omitempty"`
                          	// Unix timestamp (in seconds) when this token expires.
                          	//
                          	// The token file is expected to be updated before the token expires, see
                          	// 'next_update' for next expected update time. Consumers should still
                          	// check expiry before every use: if the updater has stopped running
                          	// the file silently goes stale.
                          	Expiry int64 `protobuf:"varint,4,opt,name=expiry,proto3" json:"expiry,omitempty"`
                          	// Unix timestamp of when this file was updated the last time.
                          	LastUpdate int64 `protobuf:"varint,5,opt,name=last_update,proto3" json:"last_update,omitempty"`
                          	// Unix timestamp of when this file is expected to be updated next time.
                          	//
                          	// A next_update well in the past is a sign that the updater is not
                          	// running; consumers may use it to alert rather than wait for expiry.
                          	NextUpdate int64 `protobuf:"varint,6,opt,name=next_update,proto3" json:"next_update,omitempty"`
                          	// Email of the associated service account.
                          	ServiceAccountEmail string `protobuf:"bytes,7,opt,name=service_account_email,proto3" json:"service_account_email,omitempty"`
                          	// Unique stable ID of the associated service account.
                          	ServiceAccountUniqueId string `protobuf:"bytes,8,opt,name=service_account_unique_id,proto3" json:"service_account_unique_id,omitempty"`
                          	// Any information tokend daemon wishes to associate with the token.
                          	//
                          	// Consumers of the token file should ignore this field. It is used
                          	// exclusively by tokend daemon. Its contents are opaque bytes with no
                          	// documented format; do not parse or rely on them.
                          	TokendState []byte `protobuf:"bytes,50,opt,name=tokend_state,proto3" json:"tokend_state,omitempty"`
                          	// contains filtered or unexported fields
                          }

                            TokenFile is a representation of a token file on disk (serialized as JSON). Because it carries live access and machine tokens, the file is secret material and should be protected accordingly.

                            The token file is consumed by whoever wishes to use machine tokens. It is intentionally made as simple as possible (e.g. uses unix timestamps instead of fancy protobuf ones).

                            func (*TokenFile) Descriptor

                            func (*TokenFile) Descriptor() ([]byte, []int)

                              Deprecated: Use TokenFile.ProtoReflect.Descriptor instead.

                              func (*TokenFile) GetAccessToken

                              func (x *TokenFile) GetAccessToken() string

                              func (*TokenFile) GetExpiry

                              func (x *TokenFile) GetExpiry() int64

                              func (*TokenFile) GetLastUpdate

                              func (x *TokenFile) GetLastUpdate() int64

                              func (*TokenFile) GetLuciMachineToken

                              func (x *TokenFile) GetLuciMachineToken() string

                              func (*TokenFile) GetNextUpdate

                              func (x *TokenFile) GetNextUpdate() int64

                              func (*TokenFile) GetServiceAccountEmail

                              func (x *TokenFile) GetServiceAccountEmail() string

                              func (*TokenFile) GetServiceAccountUniqueId

                              func (x *TokenFile) GetServiceAccountUniqueId() string

                              func (*TokenFile) GetTokenType

                              func (x *TokenFile) GetTokenType() string

                              func (*TokenFile) GetTokendState

                              func (x *TokenFile) GetTokendState() []byte

                              func (*TokenFile) ProtoMessage

                              func (*TokenFile) ProtoMessage()

                              func (*TokenFile) ProtoReflect

                              func (x *TokenFile) ProtoReflect() protoreflect.Message

                              func (*TokenFile) Reset

                              func (x *TokenFile) Reset()

                              func (*TokenFile) String

                              func (x *TokenFile) String() string
