pb

type Alias struct {
	// MountType is the backend mount's type to which this identity belongs
	MountType string `sentinel:"" protobuf:"bytes,1,opt,name=mount_type,json=mountType" json:"mount_type,omitempty"`
	// MountAccessor is the identifier of the mount entry to which this
	// identity belongs
	MountAccessor string `sentinel:"" protobuf:"bytes,2,opt,name=mount_accessor,json=mountAccessor" json:"mount_accessor,omitempty"`
	// Name is the identifier of this identity in its authentication source
	Name string `sentinel:"" protobuf:"bytes,3,opt,name=name" json:"name,omitempty"`
}

type Auth struct {
	LeaseOptions *LeaseOptions `sentinel:"" protobuf:"bytes,1,opt,name=lease_options,json=leaseOptions" json:"lease_options,omitempty"`
	// InternalData is a JSON object that is stored with the auth struct.
	// This will be sent back during a Renew/Revoke for storing internal data
	// used for those operations.
	InternalData string `sentinel:"" protobuf:"bytes,2,opt,name=internal_data,json=internalData" json:"internal_data,omitempty"`
	// DisplayName is a non-security sensitive identifier that is
	// applicable to this Auth. It is used for logging and prefixing
	// of dynamic secrets. For example, DisplayName may be "armon" for
	// the github credential backend. If the client token is used to
	// generate a SQL credential, the user may be "github-armon-uuid".
	// This is to help identify the source without using audit tables.
	DisplayName string `sentinel:"" protobuf:"bytes,3,opt,name=display_name,json=displayName" json:"display_name,omitempty"`
	// Policies is the list of policies that the authenticated user
	// is associated with.
	Policies []string `sentinel:"" protobuf:"bytes,4,rep,name=policies" json:"policies,omitempty"`
	// Metadata is used to attach arbitrary string-type metadata to
	// an authenticated user. This metadata will be outputted into the
	// audit log.
	Metadata map[string]string `` /* 148-byte string literal not displayed */
	// ClientToken is the token that is generated for the authentication.
	// This will be filled in by Vault core when an auth structure is
	// returned. Setting this manually will have no effect.
	ClientToken string `sentinel:"" protobuf:"bytes,6,opt,name=client_token,json=clientToken" json:"client_token,omitempty"`
	// Accessor is the identifier for the ClientToken. This can be used
	// to perform management functionalities (especially revocation) when
	// ClientToken in the audit logs are obfuscated. Accessor can be used
	// to revoke a ClientToken and to lookup the capabilities of the ClientToken,
	// both without actually knowing the ClientToken.
	Accessor string `sentinel:"" protobuf:"bytes,7,opt,name=accessor" json:"accessor,omitempty"`
	// Period indicates that the token generated using this Auth object
	// should never expire. The token should be renewed within the duration
	// specified by this period.
	Period int64 `sentinel:"" protobuf:"varint,8,opt,name=period" json:"period,omitempty"`
	// Number of allowed uses of the issued token
	NumUses int64 `sentinel:"" protobuf:"varint,9,opt,name=num_uses,json=numUses" json:"num_uses,omitempty"`
	// EntityID is the identifier of the entity in identity store to which the
	// identity of the authenticating client belongs to.
	EntityID string `sentinel:"" protobuf:"bytes,10,opt,name=entity_id,json=entityId" json:"entity_id,omitempty"`
	// Alias is the information about the authenticated client returned by
	// the auth backend
	Alias *Alias `sentinel:"" protobuf:"bytes,11,opt,name=alias" json:"alias,omitempty"`
	// GroupAliases are the informational mappings of external groups which an
	// authenticated user belongs to. This is used to check if there are
	// mappings groups for the group aliases in identity store. For all the
	// matching groups, the entity ID of the user will be added.
	GroupAliases []*Alias `sentinel:"" protobuf:"bytes,12,rep,name=group_aliases,json=groupAliases" json:"group_aliases,omitempty"`
}

type BackendClient interface {
	// HandleRequest is used to handle a request and generate a response.
	// The plugins must check the operation type and handle appropriately.
	HandleRequest(ctx context.Context, in *HandleRequestArgs, opts ...grpc.CallOption) (*HandleRequestReply, error)
	// SpecialPaths is a list of paths that are special in some way.
	// See PathType for the types of special paths. The key is the type
	// of the special path, and the value is a list of paths for this type.
	// This is not a regular expression but is an exact match. If the path
	// ends in '*' then it is a prefix-based match. The '*' can only appear
	// at the end.
	SpecialPaths(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*SpecialPathsReply, error)
	// HandleExistenceCheck is used to handle a request and generate a response
	// indicating whether the given path exists or not; this is used to
	// understand whether the request must have a Create or Update capability
	// ACL applied. The first bool indicates whether an existence check
	// function was found for the backend; the second indicates whether, if an
	// existence check function was found, the item exists or not.
	HandleExistenceCheck(ctx context.Context, in *HandleExistenceCheckArgs, opts ...grpc.CallOption) (*HandleExistenceCheckReply, error)
	// Cleanup is invoked during an unmount of a backend to allow it to
	// handle any cleanup like connection closing or releasing of file handles.
	// Cleanup is called right before Vault closes the plugin process.
	Cleanup(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*Empty, error)
	// InvalidateKey may be invoked when an object is modified that belongs
	// to the backend. The backend can use this to clear any caches or reset
	// internal state as needed.
	InvalidateKey(ctx context.Context, in *InvalidateKeyArgs, opts ...grpc.CallOption) (*Empty, error)
	// Setup is used to set up the backend based on the provided backend
	// configuration. The plugin's setup implementation should use the provided
	// broker_id to create a connection back to Vault for use with the Storage
	// and SystemView clients.
	Setup(ctx context.Context, in *SetupArgs, opts ...grpc.CallOption) (*SetupReply, error)
	// Type returns the BackendType for the particular backend
	Type(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*TypeReply, error)
}

type BackendServer interface {
	// HandleRequest is used to handle a request and generate a response.
	// The plugins must check the operation type and handle appropriately.
	HandleRequest(context.Context, *HandleRequestArgs) (*HandleRequestReply, error)
	// SpecialPaths is a list of paths that are special in some way.
	// See PathType for the types of special paths. The key is the type
	// of the special path, and the value is a list of paths for this type.
	// This is not a regular expression but is an exact match. If the path
	// ends in '*' then it is a prefix-based match. The '*' can only appear
	// at the end.
	SpecialPaths(context.Context, *Empty) (*SpecialPathsReply, error)
	// HandleExistenceCheck is used to handle a request and generate a response
	// indicating whether the given path exists or not; this is used to
	// understand whether the request must have a Create or Update capability
	// ACL applied. The first bool indicates whether an existence check
	// function was found for the backend; the second indicates whether, if an
	// existence check function was found, the item exists or not.
	HandleExistenceCheck(context.Context, *HandleExistenceCheckArgs) (*HandleExistenceCheckReply, error)
	// Cleanup is invoked during an unmount of a backend to allow it to
	// handle any cleanup like connection closing or releasing of file handles.
	// Cleanup is called right before Vault closes the plugin process.
	Cleanup(context.Context, *Empty) (*Empty, error)
	// InvalidateKey may be invoked when an object is modified that belongs
	// to the backend. The backend can use this to clear any caches or reset
	// internal state as needed.
	InvalidateKey(context.Context, *InvalidateKeyArgs) (*Empty, error)
	// Setup is used to set up the backend based on the provided backend
	// configuration. The plugin's setup implementation should use the provided
	// broker_id to create a connection back to Vault for use with the Storage
	// and SystemView clients.
	Setup(context.Context, *SetupArgs) (*SetupReply, error)
	// Type returns the BackendType for the particular backend
	Type(context.Context, *Empty) (*TypeReply, error)
}

type CachingDisabledReply struct {
	Disabled bool `sentinel:"" protobuf:"varint,1,opt,name=disabled" json:"disabled,omitempty"`
}

type Connection struct {
	// RemoteAddr is the network address that sent the request.
	RemoteAddr string `sentinel:"" protobuf:"bytes,1,opt,name=remote_addr,json=remoteAddr" json:"remote_addr,omitempty"`
}

type Empty struct {
}

type HandleExistenceCheckArgs struct {
	StorageID uint32   `sentinel:"" protobuf:"varint,1,opt,name=storage_id,json=storageId" json:"storage_id,omitempty"`
	Request   *Request `sentinel:"" protobuf:"bytes,2,opt,name=request" json:"request,omitempty"`
}

type HandleExistenceCheckReply struct {
	CheckFound bool        `sentinel:"" protobuf:"varint,1,opt,name=check_found,json=checkFound" json:"check_found,omitempty"`
	Exists     bool        `sentinel:"" protobuf:"varint,2,opt,name=exists" json:"exists,omitempty"`
	Err        *ProtoError `sentinel:"" protobuf:"bytes,3,opt,name=err" json:"err,omitempty"`
}

type HandleRequestArgs struct {
	StorageID uint32   `sentinel:"" protobuf:"varint,1,opt,name=storage_id,json=storageId" json:"storage_id,omitempty"`
	Request   *Request `sentinel:"" protobuf:"bytes,2,opt,name=request" json:"request,omitempty"`
}

type HandleRequestReply struct {
	Response *Response   `sentinel:"" protobuf:"bytes,1,opt,name=response" json:"response,omitempty"`
	Err      *ProtoError `sentinel:"" protobuf:"bytes,2,opt,name=err" json:"err,omitempty"`
}

type Header struct {
	Header []string `sentinel:"" protobuf:"bytes,1,rep,name=header" json:"header,omitempty"`
}

type InvalidateKeyArgs struct {
	Key string `sentinel:"" protobuf:"bytes,1,opt,name=key" json:"key,omitempty"`
}

type LeaseOptions struct {
	TTL       int64                      `sentinel:"" protobuf:"varint,1,opt,name=TTL" json:"TTL,omitempty"`
	Renewable bool                       `sentinel:"" protobuf:"varint,2,opt,name=renewable" json:"renewable,omitempty"`
	Increment int64                      `sentinel:"" protobuf:"varint,3,opt,name=increment" json:"increment,omitempty"`
	IssueTime *google_protobuf.Timestamp `sentinel:"" protobuf:"bytes,4,opt,name=issue_time,json=issueTime" json:"issue_time,omitempty"`
}

type LocalMountReply struct {
	Local bool `sentinel:"" protobuf:"varint,1,opt,name=local" json:"local,omitempty"`
}

type MlockEnabledReply struct {
	Enabled bool `sentinel:"" protobuf:"varint,1,opt,name=enabled" json:"enabled,omitempty"`
}

type Paths struct {
	// Root are the paths that require a root token to access
	Root []string `sentinel:"" protobuf:"bytes,1,rep,name=root" json:"root,omitempty"`
	// Unauthenticated are the paths that can be accessed without any auth.
	Unauthenticated []string `sentinel:"" protobuf:"bytes,2,rep,name=unauthenticated" json:"unauthenticated,omitempty"`
	// LocalStorage are paths (prefixes) that are local to this instance; this
	// indicates that these paths should not be replicated
	LocalStorage []string `sentinel:"" protobuf:"bytes,3,rep,name=local_storage,json=localStorage" json:"local_storage,omitempty"`
	// SealWrapStorage are storage paths that, when using a capable seal,
	// should be seal wrapped with extra encryption. It is exact matching
	// unless it ends with '/' in which case it will be treated as a prefix.
	SealWrapStorage []string `sentinel:"" protobuf:"bytes,4,rep,name=seal_wrap_storage,json=sealWrapStorage" json:"seal_wrap_storage,omitempty"`
}

type ProtoError struct {
	// Error type can be one of:
	// ErrTypeUnknown uint32 = iota
	// ErrTypeUserError
	// ErrTypeInternalError
	// ErrTypeCodedError
	// ErrTypeStatusBadRequest
	// ErrTypeUnsupportedOperation
	// ErrTypeUnsupportedPath
	// ErrTypeInvalidRequest
	// ErrTypePermissionDenied
	// ErrTypeMultiAuthzPending
	ErrType uint32 `sentinel:"" protobuf:"varint,1,opt,name=err_type,json=errType" json:"err_type,omitempty"`
	ErrMsg  string `sentinel:"" protobuf:"bytes,2,opt,name=err_msg,json=errMsg" json:"err_msg,omitempty"`
	ErrCode int64  `sentinel:"" protobuf:"varint,3,opt,name=err_code,json=errCode" json:"err_code,omitempty"`
}

type ReplicationStateReply struct {
	State int32 `sentinel:"" protobuf:"varint,1,opt,name=state" json:"state,omitempty"`
}

type Request struct {
	// ID is the uuid associated with each request
	ID string `sentinel:"" protobuf:"bytes,1,opt,name=id" json:"id,omitempty"`
	// If set, the name given to the replication secondary where this request
	// originated
	ReplicationCluster string `sentinel:"" protobuf:"bytes,2,opt,name=ReplicationCluster" json:"ReplicationCluster,omitempty"`
	// Operation is the requested operation type
	Operation string `sentinel:"" protobuf:"bytes,3,opt,name=operation" json:"operation,omitempty"`
	// Path is the part of the request path not consumed by the
	// routing. As an example, if the original request path is "prod/aws/foo"
	// and the AWS logical backend is mounted at "prod/aws/", then the
	// final path is "foo" since the mount prefix is trimmed.
	Path string `sentinel:"" protobuf:"bytes,4,opt,name=path" json:"path,omitempty"`
	// Request data is a JSON object that must have keys with string type.
	Data string `sentinel:"" protobuf:"bytes,5,opt,name=data" json:"data,omitempty"`
	// Secret will be non-nil only for Revoke and Renew operations
	// to represent the secret that was returned prior.
	Secret *Secret `sentinel:"" protobuf:"bytes,6,opt,name=secret" json:"secret,omitempty"`
	// Auth will be non-nil only for Renew operations
	// to represent the auth that was returned prior.
	Auth *Auth `sentinel:"" protobuf:"bytes,7,opt,name=auth" json:"auth,omitempty"`
	// Headers will contain the http headers from the request. This value will
	// be used in the audit broker to ensure we are auditing only the allowed
	// headers.
	Headers map[string]*Header `` /* 146-byte string literal not displayed */
	// ClientToken is provided to the core so that the identity
	// can be verified and ACLs applied. This value is passed
	// through to the logical backends but after being salted and
	// hashed.
	ClientToken string `sentinel:"" protobuf:"bytes,9,opt,name=client_token,json=clientToken" json:"client_token,omitempty"`
	// ClientTokenAccessor is provided to the core so that the it can get
	// logged as part of request audit logging.
	ClientTokenAccessor string `` /* 126-byte string literal not displayed */
	// DisplayName is provided to the logical backend to help associate
	// dynamic secrets with the source entity. This is not a sensitive
	// name, but is useful for operators.
	DisplayName string `sentinel:"" protobuf:"bytes,11,opt,name=display_name,json=displayName" json:"display_name,omitempty"`
	// MountPoint is provided so that a logical backend can generate
	// paths relative to itself. The `Path` is effectively the client
	// request path with the MountPoint trimmed off.
	MountPoint string `sentinel:"" protobuf:"bytes,12,opt,name=mount_point,json=mountPoint" json:"mount_point,omitempty"`
	// MountType is provided so that a logical backend can make decisions
	// based on the specific mount type (e.g., if a mount type has different
	// aliases, generating different defaults depending on the alias)
	MountType string `sentinel:"" protobuf:"bytes,13,opt,name=mount_type,json=mountType" json:"mount_type,omitempty"`
	// MountAccessor is provided so that identities returned by the authentication
	// backends can be tied to the mount it belongs to.
	MountAccessor string `sentinel:"" protobuf:"bytes,14,opt,name=mount_accessor,json=mountAccessor" json:"mount_accessor,omitempty"`
	// WrapInfo contains requested response wrapping parameters
	WrapInfo *RequestWrapInfo `sentinel:"" protobuf:"bytes,15,opt,name=wrap_info,json=wrapInfo" json:"wrap_info,omitempty"`
	// ClientTokenRemainingUses represents the allowed number of uses left on the
	// token supplied
	ClientTokenRemainingUses int64 `` /* 144-byte string literal not displayed */
	// EntityID is the identity of the caller extracted out of the token used
	// to make this request
	EntityID string `sentinel:"" protobuf:"bytes,17,opt,name=entity_id,json=entityId" json:"entity_id,omitempty"`
	// PolicyOverride indicates that the requestor wishes to override
	// soft-mandatory Sentinel policies
	PolicyOverride bool `sentinel:"" protobuf:"varint,18,opt,name=policy_override,json=policyOverride" json:"policy_override,omitempty"`
	// Whether the request is unauthenticated, as in, had no client token
	// attached. Useful in some situations where the client token is not made
	// accessible.
	Unauthenticated bool `sentinel:"" protobuf:"varint,19,opt,name=unauthenticated" json:"unauthenticated,omitempty"`
	// Connection will be non-nil only for credential providers to
	// inspect the connection information and potentially use it for
	// authentication/protection.
	Connection *Connection `sentinel:"" protobuf:"bytes,20,opt,name=connection" json:"connection,omitempty"`
}

type RequestWrapInfo struct {
	// Setting to non-zero specifies that the response should be wrapped.
	// Specifies the desired TTL of the wrapping token.
	TTL int64 `sentinel:"" protobuf:"varint,1,opt,name=TTL" json:"TTL,omitempty"`
	// The format to use for the wrapped response; if not specified it's a bare
	// token
	Format string `sentinel:"" protobuf:"bytes,2,opt,name=format" json:"format,omitempty"`
	// A flag to conforming backends that data for a given request should be
	// seal wrapped
	SealWrap bool `sentinel:"" protobuf:"varint,3,opt,name=seal_wrap,json=sealWrap" json:"seal_wrap,omitempty"`
}

type Response struct {
	// Secret, if not nil, denotes that this response represents a secret.
	Secret *Secret `sentinel:"" protobuf:"bytes,1,opt,name=secret" json:"secret,omitempty"`
	// Auth, if not nil, contains the authentication information for
	// this response. This is only checked and means something for
	// credential backends.
	Auth *Auth `sentinel:"" protobuf:"bytes,2,opt,name=auth" json:"auth,omitempty"`
	// Response data is a JSON object that must have string keys. For
	// secrets, this data is sent down to the user as-is. To store internal
	// data that you don't want the user to see, store it in
	// Secret.InternalData.
	Data string `sentinel:"" protobuf:"bytes,3,opt,name=data" json:"data,omitempty"`
	// Redirect is an HTTP URL to redirect to for further authentication.
	// This is only valid for credential backends. This will be blanked
	// for any logical backend and ignored.
	Redirect string `sentinel:"" protobuf:"bytes,4,opt,name=redirect" json:"redirect,omitempty"`
	// Warnings allow operations or backends to return warnings in response
	// to user actions without failing the action outright.
	Warnings []string `sentinel:"" protobuf:"bytes,5,rep,name=warnings" json:"warnings,omitempty"`
	// Information for wrapping the response in a cubbyhole
	WrapInfo *ResponseWrapInfo `sentinel:"" protobuf:"bytes,6,opt,name=wrap_info,json=wrapInfo" json:"wrap_info,omitempty"`
}

type ResponseWrapDataArgs struct {
	Data string `sentinel:"" protobuf:"bytes,1,opt,name=data" json:"data,omitempty"`
	TTL  int64  `sentinel:"" protobuf:"varint,2,opt,name=TTL" json:"TTL,omitempty"`
	JWT  bool   `sentinel:"" protobuf:"varint,3,opt,name=JWT" json:"JWT,omitempty"`
}

type ResponseWrapDataReply struct {
	WrapInfo *ResponseWrapInfo `sentinel:"" protobuf:"bytes,1,opt,name=wrap_info,json=wrapInfo" json:"wrap_info,omitempty"`
	Err      string            `sentinel:"" protobuf:"bytes,2,opt,name=err" json:"err,omitempty"`
}

type ResponseWrapInfo struct {
	// Setting to non-zero specifies that the response should be wrapped.
	// Specifies the desired TTL of the wrapping token.
	TTL int64 `sentinel:"" protobuf:"varint,1,opt,name=TTL" json:"TTL,omitempty"`
	// The token containing the wrapped response
	Token string `sentinel:"" protobuf:"bytes,2,opt,name=token" json:"token,omitempty"`
	// The token accessor for the wrapped response token
	Accessor string `sentinel:"" protobuf:"bytes,3,opt,name=accessor" json:"accessor,omitempty"`
	// The creation time. This can be used with the TTL to figure out an
	// expected expiration.
	CreationTime *google_protobuf.Timestamp `sentinel:"" protobuf:"bytes,4,opt,name=creation_time,json=creationTime" json:"creation_time,omitempty"`
	// If the contained response is the output of a token creation call, the
	// created token's accessor will be accessible here
	WrappedAccessor string `sentinel:"" protobuf:"bytes,5,opt,name=wrapped_accessor,json=wrappedAccessor" json:"wrapped_accessor,omitempty"`
	// WrappedEntityID is the entity identifier of the caller who initiated the
	// wrapping request
	WrappedEntityID string `sentinel:"" protobuf:"bytes,6,opt,name=wrapped_entity_id,json=wrappedEntityID" json:"wrapped_entity_id,omitempty"`
	// The format to use. This doesn't get returned, it's only internal.
	Format string `sentinel:"" protobuf:"bytes,7,opt,name=format" json:"format,omitempty"`
	// CreationPath is the original request path that was used to create
	// the wrapped response.
	CreationPath string `sentinel:"" protobuf:"bytes,8,opt,name=creation_path,json=creationPath" json:"creation_path,omitempty"`
	// Controls seal wrapping behavior downstream for specific use cases
	SealWrap bool `sentinel:"" protobuf:"varint,9,opt,name=seal_wrap,json=sealWrap" json:"seal_wrap,omitempty"`
}

type Secret struct {
	LeaseOptions *LeaseOptions `sentinel:"" protobuf:"bytes,1,opt,name=lease_options,json=leaseOptions" json:"lease_options,omitempty"`
	// InternalData is a JSON object that is stored with the secret.
	// This will be sent back during a Renew/Revoke for storing internal data
	// used for those operations.
	InternalData string `sentinel:"" protobuf:"bytes,2,opt,name=internal_data,json=internalData" json:"internal_data,omitempty"`
	// LeaseID is the ID returned to the user to manage this secret.
	// This is generated by Vault core. Any set value will be ignored.
	// For requests, this will always be blank.
	LeaseID string `sentinel:"" protobuf:"bytes,3,opt,name=lease_id,json=leaseId" json:"lease_id,omitempty"`
}

type SetupArgs struct {
	BrokerID uint32            `sentinel:"" protobuf:"varint,1,opt,name=broker_id,json=brokerId" json:"broker_id,omitempty"`
	Config   map[string]string `` /* 144-byte string literal not displayed */
}

type SetupReply struct {
	Err string `sentinel:"" protobuf:"bytes,1,opt,name=err" json:"err,omitempty"`
}

type SpecialPathsReply struct {
	Paths *Paths `sentinel:"" protobuf:"bytes,1,opt,name=paths" json:"paths,omitempty"`
}

type StorageClient interface {
	List(ctx context.Context, in *StorageListArgs, opts ...grpc.CallOption) (*StorageListReply, error)
	Get(ctx context.Context, in *StorageGetArgs, opts ...grpc.CallOption) (*StorageGetReply, error)
	Put(ctx context.Context, in *StoragePutArgs, opts ...grpc.CallOption) (*StoragePutReply, error)
	Delete(ctx context.Context, in *StorageDeleteArgs, opts ...grpc.CallOption) (*StorageDeleteReply, error)
}

type StorageDeleteArgs struct {
	Key string `sentinel:"" protobuf:"bytes,1,opt,name=key" json:"key,omitempty"`
}

type StorageDeleteReply struct {
	Err string `sentinel:"" protobuf:"bytes,1,opt,name=err" json:"err,omitempty"`
}

type StorageEntry struct {
	Key      string `sentinel:"" protobuf:"bytes,1,opt,name=key" json:"key,omitempty"`
	Value    []byte `sentinel:"" protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
	SealWrap bool   `sentinel:"" protobuf:"varint,3,opt,name=seal_wrap,json=sealWrap" json:"seal_wrap,omitempty"`
}

type StorageGetArgs struct {
	Key string `sentinel:"" protobuf:"bytes,1,opt,name=key" json:"key,omitempty"`
}

type StorageGetReply struct {
	Entry *StorageEntry `sentinel:"" protobuf:"bytes,1,opt,name=entry" json:"entry,omitempty"`
	Err   string        `sentinel:"" protobuf:"bytes,2,opt,name=err" json:"err,omitempty"`
}

type StorageListArgs struct {
	Prefix string `sentinel:"" protobuf:"bytes,1,opt,name=prefix" json:"prefix,omitempty"`
}

type StorageListReply struct {
	Keys []string `sentinel:"" protobuf:"bytes,1,rep,name=keys" json:"keys,omitempty"`
	Err  string   `sentinel:"" protobuf:"bytes,2,opt,name=err" json:"err,omitempty"`
}

type StoragePutArgs struct {
	Entry *StorageEntry `sentinel:"" protobuf:"bytes,1,opt,name=entry" json:"entry,omitempty"`
}

type StoragePutReply struct {
	Err string `sentinel:"" protobuf:"bytes,1,opt,name=err" json:"err,omitempty"`
}

type StorageServer interface {
	List(context.Context, *StorageListArgs) (*StorageListReply, error)
	Get(context.Context, *StorageGetArgs) (*StorageGetReply, error)
	Put(context.Context, *StoragePutArgs) (*StoragePutReply, error)
	Delete(context.Context, *StorageDeleteArgs) (*StorageDeleteReply, error)
}

type SudoPrivilegeArgs struct {
	Path  string `sentinel:"" protobuf:"bytes,1,opt,name=path" json:"path,omitempty"`
	Token string `sentinel:"" protobuf:"bytes,2,opt,name=token" json:"token,omitempty"`
}

type SudoPrivilegeReply struct {
	Sudo bool `sentinel:"" protobuf:"varint,1,opt,name=sudo" json:"sudo,omitempty"`
}

type SystemViewClient interface {
	// DefaultLeaseTTL returns the default lease TTL set in Vault configuration
	DefaultLeaseTTL(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*TTLReply, error)
	// MaxLeaseTTL returns the max lease TTL set in Vault configuration; backend
	// authors should take care not to issue credentials that last longer than
	// this value, as Vault will revoke them
	MaxLeaseTTL(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*TTLReply, error)
	// SudoPrivilege returns true if given path has sudo privileges
	// for the given client token
	SudoPrivilege(ctx context.Context, in *SudoPrivilegeArgs, opts ...grpc.CallOption) (*SudoPrivilegeReply, error)
	// Tainted, returns true if the mount is tainted. A mount is tainted if it is in the
	// process of being unmounted. This should only be used in special
	// circumstances; a primary use-case is as a guard in revocation functions.
	// If revocation of a backend's leases fails it can keep the unmounting
	// process from being successful. If the reason for this failure is not
	// relevant when the mount is tainted (for instance, saving a CRL to disk
	// when the stored CRL will be removed during the unmounting process
	// anyways), we can ignore the errors to allow unmounting to complete.
	Tainted(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*TaintedReply, error)
	// CachingDisabled returns true if caching is disabled. If true, no caches
	// should be used, despite known slowdowns.
	CachingDisabled(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*CachingDisabledReply, error)
	// ReplicationState indicates the state of cluster replication
	ReplicationState(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*ReplicationStateReply, error)
	// ResponseWrapData wraps the given data in a cubbyhole and returns the
	// token used to unwrap.
	ResponseWrapData(ctx context.Context, in *ResponseWrapDataArgs, opts ...grpc.CallOption) (*ResponseWrapDataReply, error)
	// MlockEnabled returns the configuration setting for enabling mlock on
	// plugins.
	MlockEnabled(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*MlockEnabledReply, error)
	// LocalMount, when run from a system view attached to a request, indicates
	// whether the request is affecting a local mount or not
	LocalMount(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*LocalMountReply, error)
}

type SystemViewServer interface {
	// DefaultLeaseTTL returns the default lease TTL set in Vault configuration
	DefaultLeaseTTL(context.Context, *Empty) (*TTLReply, error)
	// MaxLeaseTTL returns the max lease TTL set in Vault configuration; backend
	// authors should take care not to issue credentials that last longer than
	// this value, as Vault will revoke them
	MaxLeaseTTL(context.Context, *Empty) (*TTLReply, error)
	// SudoPrivilege returns true if given path has sudo privileges
	// for the given client token
	SudoPrivilege(context.Context, *SudoPrivilegeArgs) (*SudoPrivilegeReply, error)
	// Tainted, returns true if the mount is tainted. A mount is tainted if it is in the
	// process of being unmounted. This should only be used in special
	// circumstances; a primary use-case is as a guard in revocation functions.
	// If revocation of a backend's leases fails it can keep the unmounting
	// process from being successful. If the reason for this failure is not
	// relevant when the mount is tainted (for instance, saving a CRL to disk
	// when the stored CRL will be removed during the unmounting process
	// anyways), we can ignore the errors to allow unmounting to complete.
	Tainted(context.Context, *Empty) (*TaintedReply, error)
	// CachingDisabled returns true if caching is disabled. If true, no caches
	// should be used, despite known slowdowns.
	CachingDisabled(context.Context, *Empty) (*CachingDisabledReply, error)
	// ReplicationState indicates the state of cluster replication
	ReplicationState(context.Context, *Empty) (*ReplicationStateReply, error)
	// ResponseWrapData wraps the given data in a cubbyhole and returns the
	// token used to unwrap.
	ResponseWrapData(context.Context, *ResponseWrapDataArgs) (*ResponseWrapDataReply, error)
	// MlockEnabled returns the configuration setting for enabling mlock on
	// plugins.
	MlockEnabled(context.Context, *Empty) (*MlockEnabledReply, error)
	// LocalMount, when run from a system view attached to a request, indicates
	// whether the request is affecting a local mount or not
	LocalMount(context.Context, *Empty) (*LocalMountReply, error)
}

type TTLReply struct {
	TTL int64 `sentinel:"" protobuf:"varint,1,opt,name=TTL" json:"TTL,omitempty"`
}

type TaintedReply struct {
	Tainted bool `sentinel:"" protobuf:"varint,1,opt,name=tainted" json:"tainted,omitempty"`
}

type TypeReply struct {
	Type uint32 `sentinel:"" protobuf:"varint,1,opt,name=type" json:"type,omitempty"`
}