protocol

package
v0.0.0-...-f0b372e Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 16, 2024 License: Apache-2.0 Imports: 4 Imported by: 7

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ServiceLinkResponse_Status_name = map[int32]string{
		0: "SUCCESS",
		1: "TRANSPORT_ERROR",
		2: "BAD_TICKET",
		3: "AUTH_ERROR",
	}
	ServiceLinkResponse_Status_value = map[string]int32{
		"SUCCESS":         0,
		"TRANSPORT_ERROR": 1,
		"BAD_TICKET":      2,
		"AUTH_ERROR":      3,
	}
)

Enum value maps for ServiceLinkResponse_Status.

View Source 
var (
	ReplicationPushResponse_Status_name = map[int32]string{
		0: "APPLIED",
		1: "SKIPPED",
		2: "TRANSIENT_ERROR",
		3: "FATAL_ERROR",
	}
	ReplicationPushResponse_Status_value = map[string]int32{
		"APPLIED":         0,
		"SKIPPED":         1,
		"TRANSIENT_ERROR": 2,
		"FATAL_ERROR":     3,
	}
)

Enum value maps for ReplicationPushResponse_Status.

View Source 
var (
	ReplicationPushResponse_ErrorCode_name = map[int32]string{
		0: "ERROR_UNKNOWN",
		1: "NOT_A_REPLICA",
		2: "FORBIDDEN",
		3: "MISSING_SIGNATURE",
		4: "BAD_SIGNATURE",
		5: "BAD_REQUEST",
	}
	ReplicationPushResponse_ErrorCode_value = map[string]int32{
		"ERROR_UNKNOWN":     0,
		"NOT_A_REPLICA":     1,
		"FORBIDDEN":         2,
		"MISSING_SIGNATURE": 3,
		"BAD_SIGNATURE":     4,
		"BAD_REQUEST":       5,
	}
)

Enum value maps for ReplicationPushResponse_ErrorCode.

View Source 
var File_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto protoreflect.FileDescriptor
View Source 
var File_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_replication_proto protoreflect.FileDescriptor
View Source 
var File_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_security_config_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type AuthDB 

type AuthDB struct {

	// OAuth2 client_id to use to mint new OAuth2 tokens.
	OauthClientId string `protobuf:"bytes,1,opt,name=oauth_client_id,json=oauthClientId,proto3" json:"oauth_client_id,omitempty"`
	// OAuth2 client secret. Not so secret really, since it's passed to clients.
	OauthClientSecret string `protobuf:"bytes,2,opt,name=oauth_client_secret,json=oauthClientSecret,proto3" json:"oauth_client_secret,omitempty"`
	// Additional OAuth2 client_ids allowed to access the services.
	OauthAdditionalClientIds []string `` /* 137-byte string literal not displayed */
	// All groups.
	Groups []*AuthGroup `protobuf:"bytes,4,rep,name=groups,proto3" json:"groups,omitempty"`
	// All IP whitelists.
	IpWhitelists []*AuthIPWhitelist `protobuf:"bytes,6,rep,name=ip_whitelists,json=ipWhitelists,proto3" json:"ip_whitelists,omitempty"`
	// Mapping 'account -> IP whitlist to use for that account'.
	IpWhitelistAssignments []*AuthIPWhitelistAssignment `` /* 129-byte string literal not displayed */
	// URL of a token server to use to generate delegation tokens.
	TokenServerUrl string `protobuf:"bytes,8,opt,name=token_server_url,json=tokenServerUrl,proto3" json:"token_server_url,omitempty"`
	// Serialized security_config.SecurityConfig proto with security-related
	// configuration to distribute across all services.
	//
	// It is distributed in a serialized form to make sure old services ingest it
	// fully, even if they don't understand some SecurityConfig proto fields
	// (yet). As soon as their code is updated, they SHOULD start using all
	// SecurityConfig fields, without waiting for another push from Auth Service.
	//
	// If we use SecurityConfig directly here, old services would just drop fields
	// they don't understand when accepting an AuthDB push.
	SecurityConfig []byte `protobuf:"bytes,9,opt,name=security_config,json=securityConfig,proto3" json:"security_config,omitempty"`
	// Definition of all known permissions and realms in a LUCI deployment.
	//
	// It is ultimately used by LUCI services for authorizing access to resources.
	// See realms.proto for more details.
	Realms *Realms `protobuf:"bytes,11,opt,name=realms,proto3" json:"realms,omitempty"`
	// contains filtered or unexported fields
}

An entire database of auth configuration that is being replicated.

func (*AuthDB) Descriptor deprecated 

func (*AuthDB) Descriptor() ([]byte, []int)

Deprecated: Use AuthDB.ProtoReflect.Descriptor instead.

func (*AuthDB) GetGroups 

func (x *AuthDB) GetGroups() []*AuthGroup

func (*AuthDB) GetIpWhitelistAssignments 

func (x *AuthDB) GetIpWhitelistAssignments() []*AuthIPWhitelistAssignment

func (*AuthDB) GetIpWhitelists 

func (x *AuthDB) GetIpWhitelists() []*AuthIPWhitelist

func (*AuthDB) GetOauthAdditionalClientIds 

func (x *AuthDB) GetOauthAdditionalClientIds() []string

func (*AuthDB) GetOauthClientId 

func (x *AuthDB) GetOauthClientId() string

func (*AuthDB) GetOauthClientSecret 

func (x *AuthDB) GetOauthClientSecret() string

func (*AuthDB) GetRealms 

func (x *AuthDB) GetRealms() *Realms

func (*AuthDB) GetSecurityConfig 

func (x *AuthDB) GetSecurityConfig() []byte

func (*AuthDB) GetTokenServerUrl 

func (x *AuthDB) GetTokenServerUrl() string

func (*AuthDB) ProtoMessage 

func (*AuthDB) ProtoMessage()

func (*AuthDB) ProtoReflect 

func (x *AuthDB) ProtoReflect() protoreflect.Message

func (*AuthDB) Reset 

func (x *AuthDB) Reset()

func (*AuthDB) String 

func (x *AuthDB) String() string

type AuthDBRevision 

type AuthDBRevision struct {

	// GAE App ID of a service holding primary copy of Auth DB.
	PrimaryId string `protobuf:"bytes,1,opt,name=primary_id,json=primaryId,proto3" json:"primary_id,omitempty"`
	// Revision of Auth DB being pushed.
	AuthDbRev int64 `protobuf:"varint,2,opt,name=auth_db_rev,json=authDbRev,proto3" json:"auth_db_rev,omitempty"`
	// Timestamp of that revision by Primary's clock, microseconds since epoch.
	ModifiedTs int64 `protobuf:"varint,3,opt,name=modified_ts,json=modifiedTs,proto3" json:"modified_ts,omitempty"`
	// contains filtered or unexported fields
}

Information about some particular revision of auth DB.

func (*AuthDBRevision) Descriptor deprecated 

func (*AuthDBRevision) Descriptor() ([]byte, []int)

Deprecated: Use AuthDBRevision.ProtoReflect.Descriptor instead.

func (*AuthDBRevision) GetAuthDbRev 

func (x *AuthDBRevision) GetAuthDbRev() int64

func (*AuthDBRevision) GetModifiedTs 

func (x *AuthDBRevision) GetModifiedTs() int64

func (*AuthDBRevision) GetPrimaryId 

func (x *AuthDBRevision) GetPrimaryId() string

func (*AuthDBRevision) ProtoMessage 

func (*AuthDBRevision) ProtoMessage()

func (*AuthDBRevision) ProtoReflect 

func (x *AuthDBRevision) ProtoReflect() protoreflect.Message

func (*AuthDBRevision) Reset 

func (x *AuthDBRevision) Reset()

func (*AuthDBRevision) String 

func (x *AuthDBRevision) String() string

type AuthGroup 

type AuthGroup struct {

	// Name of the group.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// List of members that are explicitly in this group.
	Members []string `protobuf:"bytes,2,rep,name=members,proto3" json:"members,omitempty"`
	// List of identity-glob expressions (like 'user:*@example.com').
	Globs []string `protobuf:"bytes,3,rep,name=globs,proto3" json:"globs,omitempty"`
	// List of nested group names.
	Nested []string `protobuf:"bytes,4,rep,name=nested,proto3" json:"nested,omitempty"`
	// Human readable description.
	Description string `protobuf:"bytes,5,opt,name=description,proto3" json:"description,omitempty"`
	// When the group was created. Microseconds since epoch.
	CreatedTs int64 `protobuf:"varint,6,opt,name=created_ts,json=createdTs,proto3" json:"created_ts,omitempty"`
	// Who created the group.
	CreatedBy string `protobuf:"bytes,7,opt,name=created_by,json=createdBy,proto3" json:"created_by,omitempty"`
	// When the group was modified last time. Microseconds since epoch.
	ModifiedTs int64 `protobuf:"varint,8,opt,name=modified_ts,json=modifiedTs,proto3" json:"modified_ts,omitempty"`
	// Who modified the group last time.
	ModifiedBy string `protobuf:"bytes,9,opt,name=modified_by,json=modifiedBy,proto3" json:"modified_by,omitempty"`
	// A name of the group that can modify or delete this group.
	Owners string `protobuf:"bytes,10,opt,name=owners,proto3" json:"owners,omitempty"`
	// contains filtered or unexported fields
}

Some user group. Corresponds to AuthGroup entity in model.py.

func (*AuthGroup) Descriptor deprecated 

func (*AuthGroup) Descriptor() ([]byte, []int)

Deprecated: Use AuthGroup.ProtoReflect.Descriptor instead.

func (*AuthGroup) GetCreatedBy 

func (x *AuthGroup) GetCreatedBy() string

func (*AuthGroup) GetCreatedTs 

func (x *AuthGroup) GetCreatedTs() int64

func (*AuthGroup) GetDescription 

func (x *AuthGroup) GetDescription() string

func (*AuthGroup) GetGlobs 

func (x *AuthGroup) GetGlobs() []string

func (*AuthGroup) GetMembers 

func (x *AuthGroup) GetMembers() []string

func (*AuthGroup) GetModifiedBy 

func (x *AuthGroup) GetModifiedBy() string

func (*AuthGroup) GetModifiedTs 

func (x *AuthGroup) GetModifiedTs() int64

func (*AuthGroup) GetName 

func (x *AuthGroup) GetName() string

func (*AuthGroup) GetNested 

func (x *AuthGroup) GetNested() []string

func (*AuthGroup) GetOwners 

func (x *AuthGroup) GetOwners() string

func (*AuthGroup) ProtoMessage 

func (*AuthGroup) ProtoMessage()

func (*AuthGroup) ProtoReflect 

func (x *AuthGroup) ProtoReflect() protoreflect.Message

func (*AuthGroup) Reset 

func (x *AuthGroup) Reset()

func (*AuthGroup) String 

func (x *AuthGroup) String() string

type AuthIPWhitelist 

type AuthIPWhitelist struct {

	// Name of the IP whitelist.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// The list of IP subnets.
	Subnets []string `protobuf:"bytes,2,rep,name=subnets,proto3" json:"subnets,omitempty"`
	// Human readable description.
	Description string `protobuf:"bytes,3,opt,name=description,proto3" json:"description,omitempty"`
	// When the list was created. Microseconds since epoch.
	CreatedTs int64 `protobuf:"varint,4,opt,name=created_ts,json=createdTs,proto3" json:"created_ts,omitempty"`
	// Who created the list.
	CreatedBy string `protobuf:"bytes,5,opt,name=created_by,json=createdBy,proto3" json:"created_by,omitempty"`
	// When the list was modified. Microseconds since epoch.
	ModifiedTs int64 `protobuf:"varint,6,opt,name=modified_ts,json=modifiedTs,proto3" json:"modified_ts,omitempty"`
	// Who modified the list the last time.
	ModifiedBy string `protobuf:"bytes,7,opt,name=modified_by,json=modifiedBy,proto3" json:"modified_by,omitempty"`
	// contains filtered or unexported fields
}

A named set of whitelisted IP addresses. Corresponds to AuthIPWhitelist entity in model.py.

func (*AuthIPWhitelist) Descriptor deprecated 

func (*AuthIPWhitelist) Descriptor() ([]byte, []int)

Deprecated: Use AuthIPWhitelist.ProtoReflect.Descriptor instead.

func (*AuthIPWhitelist) GetCreatedBy 

func (x *AuthIPWhitelist) GetCreatedBy() string

func (*AuthIPWhitelist) GetCreatedTs 

func (x *AuthIPWhitelist) GetCreatedTs() int64

func (*AuthIPWhitelist) GetDescription 

func (x *AuthIPWhitelist) GetDescription() string

func (*AuthIPWhitelist) GetModifiedBy 

func (x *AuthIPWhitelist) GetModifiedBy() string

func (*AuthIPWhitelist) GetModifiedTs 

func (x *AuthIPWhitelist) GetModifiedTs() int64

func (*AuthIPWhitelist) GetName 

func (x *AuthIPWhitelist) GetName() string

func (*AuthIPWhitelist) GetSubnets 

func (x *AuthIPWhitelist) GetSubnets() []string

func (*AuthIPWhitelist) ProtoMessage 

func (*AuthIPWhitelist) ProtoMessage()

func (*AuthIPWhitelist) ProtoReflect 

func (x *AuthIPWhitelist) ProtoReflect() protoreflect.Message

func (*AuthIPWhitelist) Reset 

func (x *AuthIPWhitelist) Reset()

func (*AuthIPWhitelist) String 

func (x *AuthIPWhitelist) String() string

type AuthIPWhitelistAssignment 

type AuthIPWhitelistAssignment struct {

	// Identity name to limit by IP whitelist.
	Identity string `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"`
	// Name of IP whitelist to use (see AuthIPWhitelist).
	IpWhitelist string `protobuf:"bytes,2,opt,name=ip_whitelist,json=ipWhitelist,proto3" json:"ip_whitelist,omitempty"`
	// Why the assignment was created.
	Comment string `protobuf:"bytes,3,opt,name=comment,proto3" json:"comment,omitempty"`
	// When the assignment was created. Microseconds since epoch.
	CreatedTs int64 `protobuf:"varint,4,opt,name=created_ts,json=createdTs,proto3" json:"created_ts,omitempty"`
	// Who created the assignment.
	CreatedBy string `protobuf:"bytes,5,opt,name=created_by,json=createdBy,proto3" json:"created_by,omitempty"`
	// contains filtered or unexported fields
}

A pair (identity, IP whitelist name) plus some metadata. Corresponds to AuthIPWhitelistAssignments.Assignment model in model.py.

func (*AuthIPWhitelistAssignment) Descriptor deprecated 

func (*AuthIPWhitelistAssignment) Descriptor() ([]byte, []int)

Deprecated: Use AuthIPWhitelistAssignment.ProtoReflect.Descriptor instead.

func (*AuthIPWhitelistAssignment) GetComment 

func (x *AuthIPWhitelistAssignment) GetComment() string

func (*AuthIPWhitelistAssignment) GetCreatedBy 

func (x *AuthIPWhitelistAssignment) GetCreatedBy() string

func (*AuthIPWhitelistAssignment) GetCreatedTs 

func (x *AuthIPWhitelistAssignment) GetCreatedTs() int64

func (*AuthIPWhitelistAssignment) GetIdentity 

func (x *AuthIPWhitelistAssignment) GetIdentity() string

func (*AuthIPWhitelistAssignment) GetIpWhitelist 

func (x *AuthIPWhitelistAssignment) GetIpWhitelist() string

func (*AuthIPWhitelistAssignment) ProtoMessage 

func (*AuthIPWhitelistAssignment) ProtoMessage()

func (*AuthIPWhitelistAssignment) ProtoReflect 

func (x *AuthIPWhitelistAssignment) ProtoReflect() protoreflect.Message

func (*AuthIPWhitelistAssignment) Reset 

func (x *AuthIPWhitelistAssignment) Reset()

func (*AuthIPWhitelistAssignment) String 

func (x *AuthIPWhitelistAssignment) String() string

type Binding 

type Binding struct {

	// Permissions in increasing order of their indexes.
	//
	// This set is a subset of `permissions` in the Realms message. Each element
	// is an index of a permission in the `permissions` list in the Realms
	// message.
	//
	// These indexes are not stable across different copies of Realms message.
	// They must not be stored or processed in isolation from the containing
	// Realms message.
	Permissions []uint32 `protobuf:"varint,1,rep,packed,name=permissions,proto3" json:"permissions,omitempty"`
	// A set of principals to grant all above permissions to.
	//
	// Each entry can either be an identity string (like "user:<email>") or a
	// LUCI group reference "group:<name>".
	//
	// Ordered alphabetically.
	Principals []string `protobuf:"bytes,2,rep,name=principals,proto3" json:"principals,omitempty"`
	// Conditions in increasing order of their indexes.
	//
	// Each element is an index of a condition in the `conditions` list in the
	// Realms message. These conditions are ANDed together. See the public API for
	// details of the semantics.
	//
	// These indexes are not stable across different copies of Realms message.
	// They must not be stored or processed in isolation from the containing
	// Realms message.
	Conditions []uint32 `protobuf:"varint,3,rep,packed,name=conditions,proto3" json:"conditions,omitempty"`
	// contains filtered or unexported fields
}

Binding assigns all specified permissions to all specified principals.

func (*Binding) Descriptor deprecated 

func (*Binding) Descriptor() ([]byte, []int)

Deprecated: Use Binding.ProtoReflect.Descriptor instead.

func (*Binding) GetConditions 

func (x *Binding) GetConditions() []uint32

func (*Binding) GetPermissions 

func (x *Binding) GetPermissions() []uint32

func (*Binding) GetPrincipals 

func (x *Binding) GetPrincipals() []string

func (*Binding) ProtoMessage 

func (*Binding) ProtoMessage()

func (*Binding) ProtoReflect 

func (x *Binding) ProtoReflect() protoreflect.Message

func (*Binding) Reset 

func (x *Binding) Reset()

func (*Binding) String 

func (x *Binding) String() string

type ChangeNotification 

type ChangeNotification struct {

	// New revision of the AuthDB.
	Revision *AuthDBRevision `protobuf:"bytes,1,opt,name=revision,proto3" json:"revision,omitempty"`
	// contains filtered or unexported fields
}

Published by Primary into 'auth-db-changed' PubSub topic. The body of the message is base64 encoded serialized ChangeNotification. Additional attributes are: 

X-AuthDB-SigKey-v1: <id of a public key>
X-AuthDB-SigVal-v1: <base64 encoded RSA-SHA256(blob) signature>

func (*ChangeNotification) Descriptor deprecated 

func (*ChangeNotification) Descriptor() ([]byte, []int)

Deprecated: Use ChangeNotification.ProtoReflect.Descriptor instead.

func (*ChangeNotification) GetRevision 

func (x *ChangeNotification) GetRevision() *AuthDBRevision

func (*ChangeNotification) ProtoMessage 

func (*ChangeNotification) ProtoMessage()

func (*ChangeNotification) ProtoReflect 

func (x *ChangeNotification) ProtoReflect() protoreflect.Message

func (*ChangeNotification) Reset 

func (x *ChangeNotification) Reset()

func (*ChangeNotification) String 

func (x *ChangeNotification) String() string

type Condition 

type Condition struct {

	// Types that are assignable to Op:
	//
	//	*Condition_Restrict
	Op isCondition_Op `protobuf_oneof:"op"`
	// contains filtered or unexported fields
}

Condition defines a predicate that takes a set of `attribute = value` pairs with a context of a particular permission check and returns True if the binding guarded by this condition should be respected.

When a service checks a permission, it should pass to the authorization library a string-valued dictionary of attributes that describe the context of the permission check. It may contain things like the name of the resource being accessed, or parameters of the incoming RPC request that triggered the check.

A list of available attributes and meaning of their values depends on the permission being checked and the service should document it in its API documentation.

func (*Condition) Descriptor deprecated 

func (*Condition) Descriptor() ([]byte, []int)

Deprecated: Use Condition.ProtoReflect.Descriptor instead.

func (*Condition) GetOp 

func (m *Condition) GetOp() isCondition_Op

func (*Condition) GetRestrict 

func (x *Condition) GetRestrict() *Condition_AttributeRestriction

func (*Condition) ProtoMessage 

func (*Condition) ProtoMessage()

func (*Condition) ProtoReflect 

func (x *Condition) ProtoReflect() protoreflect.Message

func (*Condition) Reset 

func (x *Condition) Reset()

func (*Condition) String 

func (x *Condition) String() string

type Condition_AttributeRestriction 

type Condition_AttributeRestriction struct {
	Attribute string   `protobuf:"bytes,1,opt,name=attribute,proto3" json:"attribute,omitempty"`
	Values    []string `protobuf:"bytes,2,rep,name=values,proto3" json:"values,omitempty"` // sorted alphabetically, no dups
	// contains filtered or unexported fields
}

AttributeRestriction checks that the attributes set (as a set of key-value pairs) contains a particular (attribute, value) pair. Checked values are given as a list. The check succeeds if ANY of (attribute, value) pairs are present: `any((attribute, value) in attrs for value in values)`.

func (*Condition_AttributeRestriction) Descriptor deprecated 

func (*Condition_AttributeRestriction) Descriptor() ([]byte, []int)

Deprecated: Use Condition_AttributeRestriction.ProtoReflect.Descriptor instead.

func (*Condition_AttributeRestriction) GetAttribute 

func (x *Condition_AttributeRestriction) GetAttribute() string

func (*Condition_AttributeRestriction) GetValues 

func (x *Condition_AttributeRestriction) GetValues() []string

func (*Condition_AttributeRestriction) ProtoMessage 

func (*Condition_AttributeRestriction) ProtoMessage()

func (*Condition_AttributeRestriction) ProtoReflect 

func (x *Condition_AttributeRestriction) ProtoReflect() protoreflect.Message

func (*Condition_AttributeRestriction) Reset 

func (x *Condition_AttributeRestriction) Reset()

func (*Condition_AttributeRestriction) String 

func (x *Condition_AttributeRestriction) String() string

type Condition_Restrict 

type Condition_Restrict struct {
	Restrict *Condition_AttributeRestriction `protobuf:"bytes,1,opt,name=restrict,proto3,oneof"`
}

type Permission 

type Permission struct {
	Name     string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`          // "<service>.<subject>.<verb>"
	Internal bool   `protobuf:"varint,2,opt,name=internal,proto3" json:"internal,omitempty"` // internal permissions cannot be used in project realms
	// contains filtered or unexported fields
}

Permission is a symbol that has form "<service>.<subject>.<verb>", which describes some elementary action ("<verb>") that can be done to some category of resources ("<subject>"), managed by some particular kind of LUCI service ("<service>").

Within each individual realm (see Realm message), a principal (such as an end user or a service account) can have zero or more permissions that describe what this user can actually do to resources belonging to the realm. See Realm message for the definition of what "belonging to the realm" means.

Examples of permissions:

  • buildbucket.build.create
  • swarming.pool.listBots
  • swarming.task.cancel

Note that permission names are composed of generic terms, not some specific IDs of service deployments or resources. Generally, using a concrete permission name in the service's source code as a constant should look natural.

A permission can be marked as "internal". Internal permissions are not allowed to appear in custom roles in user-defined project realms.cfg files. They can be used in internal realms (defined in realms.cfg in the LUCI Auth service config set, see comments for Realm message) and they are added to some predefined roles by the LUCI Auth service itself. They are used to setup ACLs for internal interactions between LUCI components.

Each individual LUCI service should document what permissions it checks and when. It becomes a part of service's public API. Usually services should check only permissions of resources they own (e.g. "<service>.<subject>.*"), but in exceptional cases they may also check permissions intended for other services. This is primarily useful for services that somehow "proxy" access to resources.

Field `permissions` in Realms message describes all permissions known to the LUCI Auth service. The LUCI Auth service guarantees that all permissions mentioned in all realms (in `realms` field) are among `permissions` set.

If a LUCI service checks a permission that is no longer (or not yet) listed in the `permissions` set, the check should succeed with "no permission" result, and produce a warning in service's logs.

func (*Permission) Descriptor deprecated 

func (*Permission) Descriptor() ([]byte, []int)

Deprecated: Use Permission.ProtoReflect.Descriptor instead.

func (*Permission) GetInternal 

func (x *Permission) GetInternal() bool

func (*Permission) GetName 

func (x *Permission) GetName() string

func (*Permission) ProtoMessage 

func (*Permission) ProtoMessage()

func (*Permission) ProtoReflect 

func (x *Permission) ProtoReflect() protoreflect.Message

func (*Permission) Reset 

func (x *Permission) Reset()

func (*Permission) String 

func (x *Permission) String() string

type Realm 

type Realm struct {

	// Name of the realm as "<project>:<realm>" string, where:
	//
	//	"<project>" matches `^([a-z0-9\-_]{1,100}|@internal)$`.
	//	"<realm>" matches `^([a-z0-9_\.\-/]{1,400}|@root|@legacy|@project)$`.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// A list of bindings in lexicographical order of their `permissions` fields.
	Bindings []*Binding `protobuf:"bytes,2,rep,name=bindings,proto3" json:"bindings,omitempty"`
	// Associated data extracted from the realms.cfg project config.
	Data *RealmData `protobuf:"bytes,3,opt,name=data,proto3" json:"data,omitempty"`
	// contains filtered or unexported fields
}

Realm is a named collection of (<principal>, <permission>) pairs.

Realms are primarily defined in realms.cfg project config files. Such realms are called project realms. They are controlled by respective **project** owners and used to define ACLs for resources owned by these projects.

There's a special set of realms (called internal realms or, sometimes, global realms) that are defined in realms.cfg in the LUCI Auth service config set. They are controlled by LUCI **deployment** owners and used to define ACLs for resources that are associated with LUCI deployment or LUCI services (and do not belong to any particular LUCI project). They are also allowed to use internal roles and permissions to define administrative-level ACLs (i.e. ACLs that transcend project boundaries).

A full realm name has form "<project>:<realm>", where:

  • "<project>" is a name of the LUCI project that defined the realm or literal "@internal" for internal realms.
  • "<realm>" is a name of the realm from a realms.cfg config file. This name is also known as a project-scoped name, since it makes sense only within a scope of some concrete LUCI project.

A LUCI resource can point to exactly one realm by referring to its full "<project>:<realm>" name. Such reference can either be calculated on the fly from other resource's properties, or be stored alongside the resource's data. We say that such resource "belongs to the realm" or "lives in the realm" or is just "in the realm". We also say that such resource belongs to the project "<project>". The corresponding Realm message then describes who can do what to the resource.

The logic of how resources get assigned to realms is a part of the public API of the service that owns resources. Some services may use a static realm assignment via project configuration files, others may do it dynamically by accepting a realm when a resource is created via an RPC.

There are three special realms (all optional) that a project can have: "<project>:@root", "<project>:@legacy" and "<project>:@project".

The root realm should be used as a fallback when an existing resource points to a realm that doesn't exist. Without the root realm, such resources become effectively inaccessible and this may be undesirable. The root realm usually contains only administrative-level bindings.

The legacy realm should be used for legacy resources created before the realms mechanism was introduced in case the service can't figure out a more appropriate realm based on resource's properties. The service must clearly document when and how it uses the legacy realm (if it uses it at all).

The project realm should be used as the realm for 'project global' resources, for example, the project configuration itself, or derivations thereof. Some LUCI services may use bindings in this realm to allow federation of administration responsibilities to the project (rather than relying on exclusively LUCI service administrators).

The actual list of (<principal>, <permission>) pairs is defined via a list of bindings, where each binding basically says "all these principals have all these permissions". In other words, each binding defines some subset of permissions and the overall realm permissions is a union of all such subsets. Subsets defined by bindings may potentially intersect or be empty.

The LUCI Auth service constructs bindings by interpreting realms.cfg files using some set of rules. Individual LUCI services **must not care** about what these rules really are. They should use only the end result (in the form of bindings) provided in the Realm message. This allows to decouple the high-level user-facing language for defining permissions from the implementation of each individual LUCI service that checks permissions.

A realm can also carry some small amount of data (usually auth related) that LUCI services use when dealing with this realm. It should be something that all (or at least more than one) LUCI services use. Configuration specific to a single service should be in this service's project config instead.

func (*Realm) Descriptor deprecated 

func (*Realm) Descriptor() ([]byte, []int)

Deprecated: Use Realm.ProtoReflect.Descriptor instead.

func (*Realm) GetBindings 

func (x *Realm) GetBindings() []*Binding

func (*Realm) GetData 

func (x *Realm) GetData() *RealmData

func (*Realm) GetName 

func (x *Realm) GetName() string

func (*Realm) ProtoMessage 

func (*Realm) ProtoMessage()

func (*Realm) ProtoReflect 

func (x *Realm) ProtoReflect() protoreflect.Message

func (*Realm) Reset 

func (x *Realm) Reset()

func (*Realm) String 

func (x *Realm) String() string

type RealmData 

type RealmData struct {

	// Used only during Realms migration to gradually roll out the enforcement.
	EnforceInService []string `protobuf:"bytes,1,rep,name=enforce_in_service,json=enforceInService,proto3" json:"enforce_in_service,omitempty"`
	// contains filtered or unexported fields
}

RealmData is semi-arbitrary non-ACL data extracted from the realms.cfg project config and attached to a realm.

func (*RealmData) Descriptor deprecated 

func (*RealmData) Descriptor() ([]byte, []int)

Deprecated: Use RealmData.ProtoReflect.Descriptor instead.

func (*RealmData) GetEnforceInService 

func (x *RealmData) GetEnforceInService() []string

func (*RealmData) ProtoMessage 

func (*RealmData) ProtoMessage()

func (*RealmData) ProtoReflect 

func (x *RealmData) ProtoReflect() protoreflect.Message

func (*RealmData) Reset 

func (x *RealmData) Reset()

func (*RealmData) String 

func (x *RealmData) String() string

type Realms 

type Realms struct {

	// API version is incremented whenever the semantic meaning of Realms message
	// changes in some backward incompatible way (e.g. some message grows a new
	// field that *must* be checked by services). LUCI services must reject Realms
	// messages that have API versions they don't recognize. It is a precaution
	// against misinterpreting the realms configuration.
	//
	// The current version is 1.
	ApiVersion int64 `protobuf:"varint,1,opt,name=api_version,json=apiVersion,proto3" json:"api_version,omitempty"`
	// List of all possible permissions in alphabetical order.
	//
	// Acts as a universal set of permissions in Binding messages.
	//
	// Services may also use this field to check that permissions they are about
	// to use are actually known to the LUCI auth system. This is useful for
	// debugging when adding or removing permissions.
	//
	// See Permission message for more details.
	Permissions []*Permission `protobuf:"bytes,2,rep,name=permissions,proto3" json:"permissions,omitempty"`
	// List of all conditions referenced by bindings.
	//
	// Bindings reference them by their zero-based index in this list.
	Conditions []*Condition `protobuf:"bytes,4,rep,name=conditions,proto3" json:"conditions,omitempty"`
	// List of all registered realms in alphabetical order.
	//
	// See Realm message for more details.
	Realms []*Realm `protobuf:"bytes,3,rep,name=realms,proto3" json:"realms,omitempty"`
	// contains filtered or unexported fields
}

Realms is a complete definition of all known permissions and realms in a LUCI deployment.

It is generated and distributed across all LUCI services (as part of the AuthDB) by the LUCI Auth service.

Note that this is a denormalized internal representation of realms which is derived from the high level user-facing representation supplied via multiple realms.cfg config files in various config sets. See comments for Realm message for details.

The internal representation doesn't have a notion of roles or realm inheritance. These concepts are handled by the LUCI Auth service and individual downstream services generally **must not care** how it works. Instead they should follow the rules outlined in comments in this file (or equivalently just use the Realms API exposed by the LUCI auth libraries).

Next ID: 5.

func (*Realms) Descriptor deprecated 

func (*Realms) Descriptor() ([]byte, []int)

Deprecated: Use Realms.ProtoReflect.Descriptor instead.

func (*Realms) GetApiVersion 

func (x *Realms) GetApiVersion() int64

func (*Realms) GetConditions 

func (x *Realms) GetConditions() []*Condition

func (*Realms) GetPermissions 

func (x *Realms) GetPermissions() []*Permission

func (*Realms) GetRealms 

func (x *Realms) GetRealms() []*Realm

func (*Realms) ProtoMessage 

func (*Realms) ProtoMessage()

func (*Realms) ProtoReflect 

func (x *Realms) ProtoReflect() protoreflect.Message

func (*Realms) Reset 

func (x *Realms) Reset()

func (*Realms) String 

func (x *Realms) String() string

type ReplicationPushRequest 

type ReplicationPushRequest struct {

	// Revision that is being pushed.
	Revision *AuthDBRevision `protobuf:"bytes,1,opt,name=revision,proto3" json:"revision,omitempty"`
	// An entire database of auth configuration for specific revision.
	AuthDb *AuthDB `protobuf:"bytes,2,opt,name=auth_db,json=authDb,proto3" json:"auth_db,omitempty"`
	// Version of 'auth' component on Primary, see components/auth/version.py.
	AuthCodeVersion string `protobuf:"bytes,3,opt,name=auth_code_version,json=authCodeVersion,proto3" json:"auth_code_version,omitempty"`
	// contains filtered or unexported fields
}

Sent from Primary to Replica to update Replica's AuthDB.

Primary signs the entire serialized message with its private key and appends two headers to HTTP request that carries the blob: 

X-AuthDB-SigKey-v1: <id of a public key>
X-AuthDB-SigVal-v1: <base64 encoded RSA-SHA256(SHA512(blob)) signature>

Binary serialization of ReplicationPushRequest is sometimes misleadingly called "AuthDB blob". It is stored in Datastore (as is) and in Google Storage (as serialized SignedAuthDB) for consumers that do not use Primary -> Replica protocol.

func (*ReplicationPushRequest) Descriptor deprecated 

func (*ReplicationPushRequest) Descriptor() ([]byte, []int)

Deprecated: Use ReplicationPushRequest.ProtoReflect.Descriptor instead.

func (*ReplicationPushRequest) GetAuthCodeVersion 

func (x *ReplicationPushRequest) GetAuthCodeVersion() string

func (*ReplicationPushRequest) GetAuthDb 

func (x *ReplicationPushRequest) GetAuthDb() *AuthDB

func (*ReplicationPushRequest) GetRevision 

func (x *ReplicationPushRequest) GetRevision() *AuthDBRevision

func (*ReplicationPushRequest) ProtoMessage 

func (*ReplicationPushRequest) ProtoMessage()

func (*ReplicationPushRequest) ProtoReflect 

func (x *ReplicationPushRequest) ProtoReflect() protoreflect.Message

func (*ReplicationPushRequest) Reset 

func (x *ReplicationPushRequest) Reset()

func (*ReplicationPushRequest) String 

func (x *ReplicationPushRequest) String() string

type ReplicationPushResponse 

type ReplicationPushResponse struct {

	// Overall status of the operation.
	Status ReplicationPushResponse_Status `protobuf:"varint,1,opt,name=status,proto3,enum=components.auth.ReplicationPushResponse_Status" json:"status,omitempty"`
	// Revision known by Replica (set for APPLIED and SKIPPED statuses).
	CurrentRevision *AuthDBRevision `protobuf:"bytes,2,opt,name=current_revision,json=currentRevision,proto3" json:"current_revision,omitempty"`
	// Present for TRANSIENT_ERROR and FATAL_ERROR statuses.
	ErrorCode ReplicationPushResponse_ErrorCode `` /* 144-byte string literal not displayed */
	// Version of 'auth' component on Replica, see components/auth/version.py.
	AuthCodeVersion string `protobuf:"bytes,4,opt,name=auth_code_version,json=authCodeVersion,proto3" json:"auth_code_version,omitempty"`
	// contains filtered or unexported fields
}

Replica's response to ReplicationPushRequest.

func (*ReplicationPushResponse) Descriptor deprecated 

func (*ReplicationPushResponse) Descriptor() ([]byte, []int)

Deprecated: Use ReplicationPushResponse.ProtoReflect.Descriptor instead.

func (*ReplicationPushResponse) GetAuthCodeVersion 

func (x *ReplicationPushResponse) GetAuthCodeVersion() string

func (*ReplicationPushResponse) GetCurrentRevision 

func (x *ReplicationPushResponse) GetCurrentRevision() *AuthDBRevision

func (*ReplicationPushResponse) GetErrorCode 

func (x *ReplicationPushResponse) GetErrorCode() ReplicationPushResponse_ErrorCode

func (*ReplicationPushResponse) GetStatus 

func (x *ReplicationPushResponse) GetStatus() ReplicationPushResponse_Status

func (*ReplicationPushResponse) ProtoMessage 

func (*ReplicationPushResponse) ProtoMessage()

func (*ReplicationPushResponse) ProtoReflect 

func (x *ReplicationPushResponse) ProtoReflect() protoreflect.Message

func (*ReplicationPushResponse) Reset 

func (x *ReplicationPushResponse) Reset()

func (*ReplicationPushResponse) String 

func (x *ReplicationPushResponse) String() string

type ReplicationPushResponse_ErrorCode 

type ReplicationPushResponse_ErrorCode int32

Error codes, for TRANSIENT_ERROR and FATAL_ERROR statuses. 

const (
	// Some unrecognized error.
	ReplicationPushResponse_ERROR_UNKNOWN ReplicationPushResponse_ErrorCode = 0
	// Trying to push an update to service that is not a replica.
	ReplicationPushResponse_NOT_A_REPLICA ReplicationPushResponse_ErrorCode = 1
	// Replica doesn't know about the service that pushing the update.
	ReplicationPushResponse_FORBIDDEN ReplicationPushResponse_ErrorCode = 2
	// Signature headers are missing.
	ReplicationPushResponse_MISSING_SIGNATURE ReplicationPushResponse_ErrorCode = 3
	// Signature is not valid.
	ReplicationPushResponse_BAD_SIGNATURE ReplicationPushResponse_ErrorCode = 4
	// Format of the request is not valid.
	ReplicationPushResponse_BAD_REQUEST ReplicationPushResponse_ErrorCode = 5
)

func (ReplicationPushResponse_ErrorCode) Descriptor 

func (ReplicationPushResponse_ErrorCode) Descriptor() protoreflect.EnumDescriptor

func (ReplicationPushResponse_ErrorCode) Enum 

func (x ReplicationPushResponse_ErrorCode) Enum() *ReplicationPushResponse_ErrorCode

func (ReplicationPushResponse_ErrorCode) EnumDescriptor deprecated 

func (ReplicationPushResponse_ErrorCode) EnumDescriptor() ([]byte, []int)

Deprecated: Use ReplicationPushResponse_ErrorCode.Descriptor instead.

func (ReplicationPushResponse_ErrorCode) Number 

func (x ReplicationPushResponse_ErrorCode) Number() protoreflect.EnumNumber

func (ReplicationPushResponse_ErrorCode) String 

func (x ReplicationPushResponse_ErrorCode) String() string

func (ReplicationPushResponse_ErrorCode) Type 

func (ReplicationPushResponse_ErrorCode) Type() protoreflect.EnumType

type ReplicationPushResponse_Status 

type ReplicationPushResponse_Status int32

Overall status of the operation. 

const (
	// Replica accepted the push request and updated its copy of auth db.
	ReplicationPushResponse_APPLIED ReplicationPushResponse_Status = 0
	// Replica has a newer version of AuthDB, the push request is skipped.
	ReplicationPushResponse_SKIPPED ReplicationPushResponse_Status = 1
	// Non fatal error happened, the push request may be retried.
	ReplicationPushResponse_TRANSIENT_ERROR ReplicationPushResponse_Status = 2
	// Fatal error happened, the push request must not be retried.
	ReplicationPushResponse_FATAL_ERROR ReplicationPushResponse_Status = 3
)

func (ReplicationPushResponse_Status) Descriptor 

func (ReplicationPushResponse_Status) Descriptor() protoreflect.EnumDescriptor

func (ReplicationPushResponse_Status) Enum 

func (x ReplicationPushResponse_Status) Enum() *ReplicationPushResponse_Status

func (ReplicationPushResponse_Status) EnumDescriptor deprecated 

func (ReplicationPushResponse_Status) EnumDescriptor() ([]byte, []int)

Deprecated: Use ReplicationPushResponse_Status.Descriptor instead.

func (ReplicationPushResponse_Status) Number 

func (x ReplicationPushResponse_Status) Number() protoreflect.EnumNumber

func (ReplicationPushResponse_Status) String 

func (x ReplicationPushResponse_Status) String() string

func (ReplicationPushResponse_Status) Type 

func (ReplicationPushResponse_Status) Type() protoreflect.EnumType

type SecurityConfig 

type SecurityConfig struct {

	// A list of regular expressions matching hostnames that should be recognized
	// as being a part of single LUCI deployment.
	//
	// Different microservices within a single LUCI deployment may trust each
	// other. This setting (coupled with the TLS certificate check) allows
	// a service to recognize that a target of an RPC is another internal service
	// belonging to the same LUCI deployment.
	//
	// '^' and '$' are implied. The regexp language is intersection of Python and
	// Golang regexp languages and thus should use only very standard features
	// common to both.
	//
	// Example: "(.*-dot-)?chromium-swarm\.appspot\.com".
	InternalServiceRegexp []string `` /* 126-byte string literal not displayed */
	// contains filtered or unexported fields
}

SecurityConfig is read from 'security.cfg' by Auth Service and distributed to all linked services (in its serialized form) as part of AuthDB proto.

See AuthDB.security_config in replication.proto.

func (*SecurityConfig) Descriptor deprecated 

func (*SecurityConfig) Descriptor() ([]byte, []int)

Deprecated: Use SecurityConfig.ProtoReflect.Descriptor instead.

func (*SecurityConfig) GetInternalServiceRegexp 

func (x *SecurityConfig) GetInternalServiceRegexp() []string

func (*SecurityConfig) ProtoMessage 

func (*SecurityConfig) ProtoMessage()

func (*SecurityConfig) ProtoReflect 

func (x *SecurityConfig) ProtoReflect() protoreflect.Message

func (*SecurityConfig) Reset 

func (x *SecurityConfig) Reset()

func (*SecurityConfig) String 

func (x *SecurityConfig) String() string

type ServiceLinkRequest 

type ServiceLinkRequest struct {

	// Same ticket that was passed to Replica via ServiceLinkTicket.
	Ticket []byte `protobuf:"bytes,1,opt,name=ticket,proto3" json:"ticket,omitempty"`
	// URL to use when making requests to Replica from Primary.
	ReplicaUrl string `protobuf:"bytes,2,opt,name=replica_url,json=replicaUrl,proto3" json:"replica_url,omitempty"`
	// Identity of a user that accepted the ticket and initiated this request.
	InitiatedBy string `protobuf:"bytes,3,opt,name=initiated_by,json=initiatedBy,proto3" json:"initiated_by,omitempty"`
	// contains filtered or unexported fields
}

Sent from Replica to Primary via direct service <-> service HTTP call, replicas app_id would be available via X-Appengine-Inbound-Appid header.

func (*ServiceLinkRequest) Descriptor deprecated 

func (*ServiceLinkRequest) Descriptor() ([]byte, []int)

Deprecated: Use ServiceLinkRequest.ProtoReflect.Descriptor instead.

func (*ServiceLinkRequest) GetInitiatedBy 

func (x *ServiceLinkRequest) GetInitiatedBy() string

func (*ServiceLinkRequest) GetReplicaUrl 

func (x *ServiceLinkRequest) GetReplicaUrl() string

func (*ServiceLinkRequest) GetTicket 

func (x *ServiceLinkRequest) GetTicket() []byte

func (*ServiceLinkRequest) ProtoMessage 

func (*ServiceLinkRequest) ProtoMessage()

func (*ServiceLinkRequest) ProtoReflect 

func (x *ServiceLinkRequest) ProtoReflect() protoreflect.Message

func (*ServiceLinkRequest) Reset 

func (x *ServiceLinkRequest) Reset()

func (*ServiceLinkRequest) String 

func (x *ServiceLinkRequest) String() string

type ServiceLinkResponse 

type ServiceLinkResponse struct {
	Status ServiceLinkResponse_Status `protobuf:"varint,1,opt,name=status,proto3,enum=components.auth.ServiceLinkResponse_Status" json:"status,omitempty"`
	// contains filtered or unexported fields
}

Primary's response to ServiceLinkRequest. Always returned with HTTP code 200.

func (*ServiceLinkResponse) Descriptor deprecated 

func (*ServiceLinkResponse) Descriptor() ([]byte, []int)

Deprecated: Use ServiceLinkResponse.ProtoReflect.Descriptor instead.

func (*ServiceLinkResponse) GetStatus 

func (x *ServiceLinkResponse) GetStatus() ServiceLinkResponse_Status

func (*ServiceLinkResponse) ProtoMessage 

func (*ServiceLinkResponse) ProtoMessage()

func (*ServiceLinkResponse) ProtoReflect 

func (x *ServiceLinkResponse) ProtoReflect() protoreflect.Message

func (*ServiceLinkResponse) Reset 

func (x *ServiceLinkResponse) Reset()

func (*ServiceLinkResponse) String 

func (x *ServiceLinkResponse) String() string

type ServiceLinkResponse_Status 

type ServiceLinkResponse_Status int32

Status codes. 

const (
	// The service is now linked and primary will be pushing updates to it.
	ServiceLinkResponse_SUCCESS ServiceLinkResponse_Status = 0
	// Primary do not replies.
	ServiceLinkResponse_TRANSPORT_ERROR ServiceLinkResponse_Status = 1
	// Linking ticket is invalid or expired.
	ServiceLinkResponse_BAD_TICKET ServiceLinkResponse_Status = 2
	// Linking ticket was generated for another app, not the calling one.
	ServiceLinkResponse_AUTH_ERROR ServiceLinkResponse_Status = 3
)

func (ServiceLinkResponse_Status) Descriptor 

func (ServiceLinkResponse_Status) Descriptor() protoreflect.EnumDescriptor

func (ServiceLinkResponse_Status) Enum 

func (x ServiceLinkResponse_Status) Enum() *ServiceLinkResponse_Status

func (ServiceLinkResponse_Status) EnumDescriptor deprecated 

func (ServiceLinkResponse_Status) EnumDescriptor() ([]byte, []int)

Deprecated: Use ServiceLinkResponse_Status.Descriptor instead.

func (ServiceLinkResponse_Status) Number 

func (x ServiceLinkResponse_Status) Number() protoreflect.EnumNumber

func (ServiceLinkResponse_Status) String 

func (x ServiceLinkResponse_Status) String() string

func (ServiceLinkResponse_Status) Type 

func (ServiceLinkResponse_Status) Type() protoreflect.EnumType

type ServiceLinkTicket 

type ServiceLinkTicket struct {

	// GAE application ID of Primary that generated this ticket. Replica will send
	// ServiceLinkRequest to this service when it processes the ticket.
	PrimaryId string `protobuf:"bytes,1,opt,name=primary_id,json=primaryId,proto3" json:"primary_id,omitempty"`
	// URL to the root page of a primary service, i.e. https://<...>.appspot.com.
	// Useful when testing on dev appserver and on non-default version.
	PrimaryUrl string `protobuf:"bytes,2,opt,name=primary_url,json=primaryUrl,proto3" json:"primary_url,omitempty"`
	// Identity of a user that generated this ticket.
	GeneratedBy string `protobuf:"bytes,3,opt,name=generated_by,json=generatedBy,proto3" json:"generated_by,omitempty"`
	// Opaque blob passed back to Primary in ServiceLinkRequest. Its exact
	// structure is an implementation detail of Primary. It contains app_id of
	// a replica this ticket is intended for, timestamp and HMAC tag.
	Ticket []byte `protobuf:"bytes,4,opt,name=ticket,proto3" json:"ticket,omitempty"`
	// contains filtered or unexported fields
}

Generated by Primary, passed to Replica to initiate linking process.

func (*ServiceLinkTicket) Descriptor deprecated 

func (*ServiceLinkTicket) Descriptor() ([]byte, []int)

Deprecated: Use ServiceLinkTicket.ProtoReflect.Descriptor instead.

func (*ServiceLinkTicket) GetGeneratedBy 

func (x *ServiceLinkTicket) GetGeneratedBy() string

func (*ServiceLinkTicket) GetPrimaryId 

func (x *ServiceLinkTicket) GetPrimaryId() string

func (*ServiceLinkTicket) GetPrimaryUrl 

func (x *ServiceLinkTicket) GetPrimaryUrl() string

func (*ServiceLinkTicket) GetTicket 

func (x *ServiceLinkTicket) GetTicket() []byte

func (*ServiceLinkTicket) ProtoMessage 

func (*ServiceLinkTicket) ProtoMessage()

func (*ServiceLinkTicket) ProtoReflect 

func (x *ServiceLinkTicket) ProtoReflect() protoreflect.Message

func (*ServiceLinkTicket) Reset 

func (x *ServiceLinkTicket) Reset()

func (*ServiceLinkTicket) String 

func (x *ServiceLinkTicket) String() string

type SignedAuthDB 

type SignedAuthDB struct {

	// Serialized ReplicationPushRequest message with actual data.
	//
	// Contains revision information and AuthDB itself.
	AuthDbBlob []byte `protobuf:"bytes,1,opt,name=auth_db_blob,json=authDbBlob,proto3" json:"auth_db_blob,omitempty"`
	// Service account name whose key was used to sign the AuthDB blob.
	SignerId string `protobuf:"bytes,2,opt,name=signer_id,json=signerId,proto3" json:"signer_id,omitempty"`
	// ID of the signing key.
	SigningKeyId string `protobuf:"bytes,3,opt,name=signing_key_id,json=signingKeyId,proto3" json:"signing_key_id,omitempty"`
	// The signature of auth_db_blob field.
	//
	// It is RS256(SHA512(auth_db_blob)).
	//
	// Where:
	//   - RS256 is RSASSA-PKCS1-v1_5 using SHA-256, see RS256 algo in RFC7518.
	//   - SHA512 is a byte string (64 bytes) with SHA-512 digest of its input.
	//
	// Such peculiar structure is due to limitations of GAE signing infrastructure
	// (RS256 function can accept at most 8KB of input).
	//
	// Consumers of SignedAuthDB are expected to do the following:
	//  1. Check 'signer_id' is what they expect.
	//  2. Use https://www.googleapis.com/service_accounts/v1/metadata/x509/...
	//     endpoint to get the signer's public key with ID 'signing_key_id'.
	//  3. Construct to-be-signed string as SHA512(auth_db_blob).
	//  4. Verify 'signature' matches to-be-signed string using the public key
	//     from step 2.
	Signature []byte `protobuf:"bytes,4,opt,name=signature,proto3" json:"signature,omitempty"`
	// contains filtered or unexported fields
}

SignedAuthDB contains serialized and signed AuthDB proto.

It is used to store AuthDB snapshots in Google Storage. Signing is used as a defense against unauthorized writes to the storage bucket.

func (*SignedAuthDB) Descriptor deprecated 

func (*SignedAuthDB) Descriptor() ([]byte, []int)

Deprecated: Use SignedAuthDB.ProtoReflect.Descriptor instead.

func (*SignedAuthDB) GetAuthDbBlob 

func (x *SignedAuthDB) GetAuthDbBlob() []byte

func (*SignedAuthDB) GetSignature 

func (x *SignedAuthDB) GetSignature() []byte

func (*SignedAuthDB) GetSignerId 

func (x *SignedAuthDB) GetSignerId() string

func (*SignedAuthDB) GetSigningKeyId 

func (x *SignedAuthDB) GetSigningKeyId() string

func (*SignedAuthDB) ProtoMessage 

func (*SignedAuthDB) ProtoMessage()

func (*SignedAuthDB) ProtoReflect 

func (x *SignedAuthDB) ProtoReflect() protoreflect.Message

func (*SignedAuthDB) Reset 

func (x *SignedAuthDB) Reset()

func (*SignedAuthDB) String 

func (x *SignedAuthDB) String() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.