// Code generated by protoc-gen-go. DO NOT EDIT.
// source: github.com/luci/luci-go/tokenserver/api/admin/v1/config.proto
package admin
import proto "github.com/golang/protobuf/proto"
import fmt "fmt"
import math "math"
// Reference imports to suppress errors if they are not otherwise used.
var (
	_ = proto.Marshal
	_ = fmt.Errorf
	_ = math.Inf
)
// TokenServerConfig is read from tokenserver.cfg in luci-config.
//
// It is the top-level message of that file and consists solely of the list of
// trusted CAs below.
type TokenServerConfig struct {
	// CertificateAuthority is the list of CAs we trust (proto field 1, repeated).
	//
	// See CertificateAuthorityConfig for how each CA's certificates are mapped
	// to machine identities.
	CertificateAuthority []*CertificateAuthorityConfig `protobuf:"bytes,1,rep,name=certificate_authority,json=certificateAuthority" json:"certificate_authority,omitempty"`
}
// Reset restores m to the zero value, clearing every field.
func (m *TokenServerConfig) Reset() {
	var zero TokenServerConfig
	*m = zero
}
// String renders m in the compact protobuf text format.
func (m *TokenServerConfig) String() string {
	text := proto.CompactTextString(m)
	return text
}
// ProtoMessage marks TokenServerConfig as a protobuf message; it has no body.
func (*TokenServerConfig) ProtoMessage() {}
// Descriptor returns the gzipped file descriptor of this package and the index
// path of TokenServerConfig within it.
func (*TokenServerConfig) Descriptor() ([]byte, []int) {
	path := []int{0}
	return fileDescriptor2, path
}
// GetCertificateAuthority returns the CertificateAuthority field, or nil when
// m itself is nil.
func (m *TokenServerConfig) GetCertificateAuthority() []*CertificateAuthorityConfig {
	if m == nil {
		return nil
	}
	return m.CertificateAuthority
}
// CertificateAuthorityConfig defines a single CA we trust.
//
// Such CA issues certificates for nodes that use The Token Service. Each node
// has a private key and certificate with Common Name set to the FQDN of this
// node, e.g. "CN=slave43-c1.c.chromecompute.google.com.internal".
//
// The Token Server uses this CN to derive an identity string for a machine. It
// splits FQDN into a hostname ("slave43-c1") and a domain name
// ("c.chromecompute.google.com.internal"), searches for a domain name in
// "known_domains" set, and, if it is present, uses parameters described there
// for generating a token that contains machine's FQDN and certificate serial
// number (among other things, see MachineTokenBody in machine_token.proto).
type CertificateAuthorityConfig struct {
	// UniqueId is a numeric identifier of this CA (proto field 6).
	//
	// NOTE(review): how uniqueness is enforced and who assigns the value is not
	// visible here; confirm against the config validation code.
	UniqueId int64 `protobuf:"varint,6,opt,name=unique_id,json=uniqueId" json:"unique_id,omitempty"`
	// Cn is the Common Name of this CA (proto field 1).
	//
	// NOTE(review): presumably matched against the issuer of node certificates;
	// confirm against the CA loading code.
	Cn string `protobuf:"bytes,1,opt,name=cn" json:"cn,omitempty"`
	// CertPath is a path to the CA certificate (proto field 2).
	//
	// NOTE(review): presumably a path within luci-config; confirm.
	CertPath string `protobuf:"bytes,2,opt,name=cert_path,json=certPath" json:"cert_path,omitempty"`
	// CrlUrl is the URL of this CA's certificate revocation list (proto field 3).
	//
	// NOTE(review): revocation of node certificates depends on this CRL being
	// fetchable and fresh; confirm how the caller handles fetch failures.
	CrlUrl string `protobuf:"bytes,3,opt,name=crl_url,json=crlUrl" json:"crl_url,omitempty"`
	// UseOauth, judging by the name, makes CRL fetches authenticate with OAuth
	// (proto field 4). NOTE(review): inferred from the field name only; confirm.
	UseOauth bool `protobuf:"varint,4,opt,name=use_oauth,json=useOauth" json:"use_oauth,omitempty"`
	// OauthScopes are, judging by the name, the OAuth scopes requested when
	// UseOauth is set (proto field 7). NOTE(review): inferred from the name; confirm.
	OauthScopes []string `protobuf:"bytes,7,rep,name=oauth_scopes,json=oauthScopes" json:"oauth_scopes,omitempty"`
	// KnownDomains describes parameters to use for each particular domain
	// (proto field 5, repeated).
	KnownDomains []*DomainConfig `protobuf:"bytes,5,rep,name=known_domains,json=knownDomains" json:"known_domains,omitempty"`
}
// Reset restores m to the zero value, clearing every field.
func (m *CertificateAuthorityConfig) Reset() {
	var zero CertificateAuthorityConfig
	*m = zero
}
// String renders m in the compact protobuf text format.
func (m *CertificateAuthorityConfig) String() string {
	text := proto.CompactTextString(m)
	return text
}
// ProtoMessage marks CertificateAuthorityConfig as a protobuf message; it has no body.
func (*CertificateAuthorityConfig) ProtoMessage() {}
// Descriptor returns the gzipped file descriptor of this package and the index
// path of CertificateAuthorityConfig within it.
func (*CertificateAuthorityConfig) Descriptor() ([]byte, []int) {
	path := []int{1}
	return fileDescriptor2, path
}
// GetUniqueId returns the UniqueId field, or 0 when m itself is nil.
func (m *CertificateAuthorityConfig) GetUniqueId() int64 {
	if m == nil {
		return 0
	}
	return m.UniqueId
}
// GetCn returns the Cn field, or "" when m itself is nil.
func (m *CertificateAuthorityConfig) GetCn() string {
	if m == nil {
		return ""
	}
	return m.Cn
}
// GetCertPath returns the CertPath field, or "" when m itself is nil.
func (m *CertificateAuthorityConfig) GetCertPath() string {
	if m == nil {
		return ""
	}
	return m.CertPath
}
// GetCrlUrl returns the CrlUrl field, or "" when m itself is nil.
func (m *CertificateAuthorityConfig) GetCrlUrl() string {
	if m == nil {
		return ""
	}
	return m.CrlUrl
}
// GetUseOauth returns the UseOauth field, or false when m itself is nil.
func (m *CertificateAuthorityConfig) GetUseOauth() bool {
	if m == nil {
		return false
	}
	return m.UseOauth
}
// GetOauthScopes returns the OauthScopes field, or nil when m itself is nil.
func (m *CertificateAuthorityConfig) GetOauthScopes() []string {
	if m == nil {
		return nil
	}
	return m.OauthScopes
}
// GetKnownDomains returns the KnownDomains field, or nil when m itself is nil.
func (m *CertificateAuthorityConfig) GetKnownDomains() []*DomainConfig {
	if m == nil {
		return nil
	}
	return m.KnownDomains
}
// DomainConfig is used inside CertificateAuthorityConfig.
//
// One entry of CertificateAuthorityConfig.KnownDomains; it carries the
// per-domain parameters applied when a node's FQDN falls under Domain.
type DomainConfig struct {
	// Domain is domain names of hosts this config applies to (proto field 1,
	// repeated).
	//
	// Machines that reside in a subdomain of given domain are also considered
	// part of it, e.g. both FQDNs "host.example.com" and "host.abc.example.com"
	// match domain "example.com".
	Domain []string `protobuf:"bytes,1,rep,name=domain" json:"domain,omitempty"`
	// MachineTokenLifetime is how long generated machine tokens live, in seconds
	// (proto field 5).
	//
	// If 0, machine tokens are not allowed. Since this is a proto3 scalar, an
	// omitted field and an explicit 0 are indistinguishable: leaving it out
	// disables machine tokens for the domain.
	MachineTokenLifetime int64 `protobuf:"varint,5,opt,name=machine_token_lifetime,json=machineTokenLifetime" json:"machine_token_lifetime,omitempty"`
}
// Reset restores m to the zero value, clearing every field.
func (m *DomainConfig) Reset() {
	var zero DomainConfig
	*m = zero
}
// String renders m in the compact protobuf text format.
func (m *DomainConfig) String() string {
	text := proto.CompactTextString(m)
	return text
}
// ProtoMessage marks DomainConfig as a protobuf message; it has no body.
func (*DomainConfig) ProtoMessage() {}
// Descriptor returns the gzipped file descriptor of this package and the index
// path of DomainConfig within it.
func (*DomainConfig) Descriptor() ([]byte, []int) {
	path := []int{2}
	return fileDescriptor2, path
}
// GetDomain returns the Domain field, or nil when m itself is nil.
func (m *DomainConfig) GetDomain() []string {
	if m == nil {
		return nil
	}
	return m.Domain
}
// GetMachineTokenLifetime returns the MachineTokenLifetime field (seconds), or
// 0 when m itself is nil.
func (m *DomainConfig) GetMachineTokenLifetime() int64 {
	if m == nil {
		return 0
	}
	return m.MachineTokenLifetime
}
// DelegationPermissions is read from delegation.cfg in luci-config.
//
// It is the top-level message of that file and consists solely of the rule
// list below.
type DelegationPermissions struct {
	// Rules specify what calls to MintDelegationToken are allowed (proto
	// field 1, repeated).
	//
	// Rules are evaluated independently. One and only one rule should match the
	// request to allow the operation. If none rules or more than one rule match,
	// the request will be denied.
	//
	// See DelegationRule comments for more details.
	Rules []*DelegationRule `protobuf:"bytes,1,rep,name=rules" json:"rules,omitempty"`
}
// Reset restores m to the zero value, clearing every field.
func (m *DelegationPermissions) Reset() {
	var zero DelegationPermissions
	*m = zero
}
// String renders m in the compact protobuf text format.
func (m *DelegationPermissions) String() string {
	text := proto.CompactTextString(m)
	return text
}
// ProtoMessage marks DelegationPermissions as a protobuf message; it has no body.
func (*DelegationPermissions) ProtoMessage() {}
// Descriptor returns the gzipped file descriptor of this package and the index
// path of DelegationPermissions within it.
func (*DelegationPermissions) Descriptor() ([]byte, []int) {
	path := []int{3}
	return fileDescriptor2, path
}
// GetRules returns the Rules field, or nil when m itself is nil.
func (m *DelegationPermissions) GetRules() []*DelegationRule {
	if m == nil {
		return nil
	}
	return m.Rules
}
// DelegationRule describes a single allowed case of using delegation tokens.
//
// An incoming MintDelegationTokenRequest is basically a tuple of:
// * 'requestor_id' - an identity of whoever makes the request.
// * 'delegated_identity' - an identity to delegate.
// * 'audience' - a set of identities that will be able to use the token.
// * 'services' - a set of services that should accept the token.
//
// A request matches a rule iff:
// * 'requestor_id' is in 'requestor' set.
// * 'delegated_identity' is in 'allowed_to_impersonate' set.
// * 'audience' is a subset of 'allowed_audience' set.
// * 'services' is a subset of 'target_service' set.
//
// The presence of a matching rule permits to mint the token. The rule also
// provides an upper bound on allowed validity_duration, and the rule's name
// is logged in the audit trail.
type DelegationRule struct {
	// Name is a descriptive name of this rule, for the audit log (proto field 1).
	Name string `protobuf:"bytes,1,opt,name=name" json:"name,omitempty"`
	// Owner is emails of developers that added this rule, to know who to
	// contact (proto field 2, repeated).
	Owner []string `protobuf:"bytes,2,rep,name=owner" json:"owner,omitempty"`
	// Requestor is a set of callers to which this rule applies (proto field 3,
	// repeated).
	//
	// Matched against verified credentials of a caller of MintDelegationToken.
	//
	// Each element is either:
	// * An identity string ("user:<email>").
	// * A group reference ("group:<name>").
	//
	// The groups specified here are expanded when MintDelegationTokenRequest is
	// evaluated.
	Requestor []string `protobuf:"bytes,3,rep,name=requestor" json:"requestor,omitempty"`
	// AllowedToImpersonate is identities that are allowed to be
	// delegated/impersonated by the requestor (proto field 4, repeated).
	//
	// Matched against 'delegated_identity' field of MintDelegationTokenRequest.
	//
	// Each element is either:
	// * An identity string ("user:<email>").
	// * A group reference ("group:<name>").
	// * A special identifier "REQUESTOR" that is substituted by the requestor
	// identity when evaluating the rule.
	//
	// "REQUESTOR" allows one to generate tokens that delegate their own identity
	// to some target audience.
	//
	// The groups specified here are expanded when MintDelegationTokenRequest is
	// evaluated.
	AllowedToImpersonate []string `protobuf:"bytes,4,rep,name=allowed_to_impersonate,json=allowedToImpersonate" json:"allowed_to_impersonate,omitempty"`
	// AllowedAudience is a set of identities that should be able to use the new
	// token (proto field 5, repeated).
	//
	// Matched against 'audience' field of MintDelegationTokenRequest.
	//
	// Each element is either:
	// * An identity string ("user:<email>").
	// * A group reference ("group:<name>").
	// * A special identifier "REQUESTOR" that is substituted by the requestor
	// identity when evaluating the rule.
	// * A special token "*" that means "any bearer can use the new token,
	// including anonymous".
	//
	// "REQUESTOR" is typically used here for rules that allow requestors to
	// impersonate someone else. The corresponding tokens have the requestor as
	// the only allowed audience.
	//
	// The groups specified here are NOT expanded when MintDelegationTokenRequest
	// is evaluated. To match the rule, MintDelegationTokenRequest must specify
	// subset of 'allowed_audience' groups explicitly in 'audience' field.
	AllowedAudience []string `protobuf:"bytes,5,rep,name=allowed_audience,json=allowedAudience" json:"allowed_audience,omitempty"`
	// TargetService is a set of services that should be able to accept the new
	// token (proto field 6, repeated).
	//
	// Matched against 'services' field of MintDelegationTokenRequest.
	//
	// Each element is either:
	// * A service identity string ("service:<id>").
	// * A special token "*" that mean "any LUCI service should accept the
	// token".
	TargetService []string `protobuf:"bytes,6,rep,name=target_service,json=targetService" json:"target_service,omitempty"`
	// MaxValidityDuration is the maximum allowed validity duration (sec) of
	// minted delegation tokens (proto field 7).
	//
	// Default is 12 hours.
	//
	// NOTE(review): as a proto3 scalar, an omitted value and an explicit 0 are
	// indistinguishable here, so 0 presumably selects the 12-hour default rather
	// than forbidding minting; confirm against the rule evaluation code.
	MaxValidityDuration int64 `protobuf:"varint,7,opt,name=max_validity_duration,json=maxValidityDuration" json:"max_validity_duration,omitempty"`
}
// Reset restores m to the zero value, clearing every field.
func (m *DelegationRule) Reset() {
	var zero DelegationRule
	*m = zero
}
// String renders m in the compact protobuf text format.
func (m *DelegationRule) String() string {
	text := proto.CompactTextString(m)
	return text
}
// ProtoMessage marks DelegationRule as a protobuf message; it has no body.
func (*DelegationRule) ProtoMessage() {}
// Descriptor returns the gzipped file descriptor of this package and the index
// path of DelegationRule within it.
func (*DelegationRule) Descriptor() ([]byte, []int) {
	path := []int{4}
	return fileDescriptor2, path
}
// GetName returns the Name field, or "" when m itself is nil.
func (m *DelegationRule) GetName() string {
	if m == nil {
		return ""
	}
	return m.Name
}
// GetOwner returns the Owner field, or nil when m itself is nil.
func (m *DelegationRule) GetOwner() []string {
	if m == nil {
		return nil
	}
	return m.Owner
}
// GetRequestor returns the Requestor field, or nil when m itself is nil.
func (m *DelegationRule) GetRequestor() []string {
	if m == nil {
		return nil
	}
	return m.Requestor
}
// GetAllowedToImpersonate returns the AllowedToImpersonate field, or nil when
// m itself is nil.
func (m *DelegationRule) GetAllowedToImpersonate() []string {
	if m == nil {
		return nil
	}
	return m.AllowedToImpersonate
}
// GetAllowedAudience returns the AllowedAudience field, or nil when m itself
// is nil.
func (m *DelegationRule) GetAllowedAudience() []string {
	if m == nil {
		return nil
	}
	return m.AllowedAudience
}
// GetTargetService returns the TargetService field, or nil when m itself is nil.
func (m *DelegationRule) GetTargetService() []string {
	if m == nil {
		return nil
	}
	return m.TargetService
}
// GetMaxValidityDuration returns the MaxValidityDuration field (seconds), or 0
// when m itself is nil.
func (m *DelegationRule) GetMaxValidityDuration() int64 {
	if m == nil {
		return 0
	}
	return m.MaxValidityDuration
}
// ServiceAccountsPermissions is read from service_accounts.cfg in luci-config.
//
// It is the top-level message of that file and consists solely of the rule
// list below.
type ServiceAccountsPermissions struct {
	// Rules specify how MintOAuthTokenViaGrant can be used (proto field 1,
	// repeated).
	//
	// Rules are evaluated independently. One and only one rule should match the
	// request to allow the operation. If none rules or more than one rule match,
	// the request will be denied.
	//
	// See ServiceAccountRule comments for more details.
	Rules []*ServiceAccountRule `protobuf:"bytes,1,rep,name=rules" json:"rules,omitempty"`
}
// Reset restores m to the zero value, clearing every field.
func (m *ServiceAccountsPermissions) Reset() {
	var zero ServiceAccountsPermissions
	*m = zero
}
// String renders m in the compact protobuf text format.
func (m *ServiceAccountsPermissions) String() string {
	text := proto.CompactTextString(m)
	return text
}
// ProtoMessage marks ServiceAccountsPermissions as a protobuf message; it has no body.
func (*ServiceAccountsPermissions) ProtoMessage() {}
// Descriptor returns the gzipped file descriptor of this package and the index
// path of ServiceAccountsPermissions within it.
func (*ServiceAccountsPermissions) Descriptor() ([]byte, []int) {
	path := []int{5}
	return fileDescriptor2, path
}
// GetRules returns the Rules field, or nil when m itself is nil.
func (m *ServiceAccountsPermissions) GetRules() []*ServiceAccountRule {
	if m == nil {
		return nil
	}
	return m.Rules
}
// ServiceAccountRule describes a single allowed case of using service accounts.
//
// TODO(vadimsh): Implement.
//
// NOTE(review): only the descriptive fields exist so far; the message carries
// no matching criteria yet, so it cannot by itself authorize anything.
type ServiceAccountRule struct {
	// Name is a descriptive name of this rule, for the audit log (proto field 1).
	Name string `protobuf:"bytes,1,opt,name=name" json:"name,omitempty"`
	// Owner is emails of developers that own this rule, to know who to contact
	// (proto field 2, repeated).
	Owner []string `protobuf:"bytes,2,rep,name=owner" json:"owner,omitempty"`
}
// Reset restores m to the zero value, clearing every field.
func (m *ServiceAccountRule) Reset() {
	var zero ServiceAccountRule
	*m = zero
}
// String renders m in the compact protobuf text format.
func (m *ServiceAccountRule) String() string {
	text := proto.CompactTextString(m)
	return text
}
// ProtoMessage marks ServiceAccountRule as a protobuf message; it has no body.
func (*ServiceAccountRule) ProtoMessage() {}
// Descriptor returns the gzipped file descriptor of this package and the index
// path of ServiceAccountRule within it.
func (*ServiceAccountRule) Descriptor() ([]byte, []int) {
	path := []int{6}
	return fileDescriptor2, path
}
// GetName returns the Name field, or "" when m itself is nil.
func (m *ServiceAccountRule) GetName() string {
	if m == nil {
		return ""
	}
	return m.Name
}
// GetOwner returns the Owner field, or nil when m itself is nil.
func (m *ServiceAccountRule) GetOwner() []string {
	if m == nil {
		return nil
	}
	return m.Owner
}
// init registers every message type of this file with the proto registry under
// its fully-qualified "tokenserver.admin.*" name.
func init() {
	registrations := []struct {
		msg  proto.Message
		name string
	}{
		{(*TokenServerConfig)(nil), "tokenserver.admin.TokenServerConfig"},
		{(*CertificateAuthorityConfig)(nil), "tokenserver.admin.CertificateAuthorityConfig"},
		{(*DomainConfig)(nil), "tokenserver.admin.DomainConfig"},
		{(*DelegationPermissions)(nil), "tokenserver.admin.DelegationPermissions"},
		{(*DelegationRule)(nil), "tokenserver.admin.DelegationRule"},
		{(*ServiceAccountsPermissions)(nil), "tokenserver.admin.ServiceAccountsPermissions"},
		{(*ServiceAccountRule)(nil), "tokenserver.admin.ServiceAccountRule"},
	}
	for _, r := range registrations {
		proto.RegisterType(r.msg, r.name)
	}
}
// init registers the gzipped file descriptor under the source .proto path so
// the registry can map the path back to this file's messages.
func init() {
	const source = "github.com/luci/luci-go/tokenserver/api/admin/v1/config.proto"
	proto.RegisterFile(source, fileDescriptor2)
}
// fileDescriptor2 is the gzipped FileDescriptorProto of config.proto, returned
// by every Descriptor() method in this file and registered in init(). It is
// generated output; edit config.proto and regenerate instead of touching the
// bytes.
var fileDescriptor2 = []byte{
	// 597 bytes of a gzipped FileDescriptorProto
	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x94, 0xdf, 0x6a, 0xdb, 0x4a,
	0x10, 0xc6, 0xb1, 0x24, 0xdb, 0xf2, 0xe6, 0xcf, 0x71, 0xf6, 0x38, 0x39, 0x4b, 0xce, 0x81, 0xe3,
	0x18, 0x02, 0xee, 0x45, 0x6c, 0x9a, 0x16, 0x7a, 0x51, 0x5a, 0x08, 0xf1, 0x4d, 0x4c, 0xa1, 0x41,
	0x49, 0x0b, 0xbd, 0x5a, 0x36, 0xab, 0x89, 0xbd, 0x44, 0xda, 0x75, 0x76, 0x57, 0x71, 0xf2, 0x00,
	0x7d, 0x83, 0x3e, 0x70, 0xd1, 0x48, 0x69, 0x1c, 0xe2, 0x42, 0x6f, 0x8c, 0xe7, 0xfb, 0x7d, 0x33,
	0xcb, 0x7c, 0x03, 0x22, 0x1f, 0x66, 0xca, 0xcf, 0x8b, 0xab, 0x91, 0x34, 0xf9, 0x38, 0x2b, 0xa4,
	0xc2, 0x9f, 0xa3, 0x99, 0x19, 0x7b, 0x73, 0x03, 0xda, 0x81, 0xbd, 0x03, 0x3b, 0x16, 0x0b, 0x35,
	0x16, 0x69, 0xae, 0xf4, 0xf8, 0xee, 0xf5, 0x58, 0x1a, 0x7d, 0xad, 0x66, 0xa3, 0x85, 0x35, 0xde,
	0xd0, 0x9d, 0x15, 0xdb, 0x08, 0x2d, 0x83, 0x25, 0xd9, 0xb9, 0x2c, 0xc5, 0x0b, 0x14, 0x4f, 0xd1,
	0x4d, 0xaf, 0xc8, 0xae, 0x04, 0xeb, 0xd5, 0xb5, 0x92, 0xc2, 0x03, 0x17, 0x85, 0x9f, 0x1b, 0xab,
	0xfc, 0x03, 0x6b, 0xf4, 0xc3, 0xe1, 0xc6, 0xf1, 0xd1, 0xe8, 0xc5, 0x9c, 0xd1, 0xe9, 0x93, 0xff,
	0xe4, 0xd1, 0x5e, 0x4d, 0x4b, 0x7a, 0x72, 0x0d, 0x1b, 0x7c, 0x0f, 0xc8, 0xfe, 0xef, 0x9b, 0xe8,
	0xbf, 0xa4, 0x53, 0x68, 0x75, 0x5b, 0x00, 0x57, 0x29, 0x6b, 0xf5, 0x1b, 0xc3, 0x30, 0x89, 0x2b,
	0xe1, 0x2c, 0xa5, 0xdb, 0x24, 0x90, 0x9a, 0x35, 0xfa, 0x8d, 0x61, 0x27, 0x09, 0xa4, 0x2e, 0xcd,
	0xe5, 0x1b, 0x7c, 0x21, 0xfc, 0x9c, 0x05, 0x28, 0xc7, 0xa5, 0x70, 0x2e, 0xfc, 0x9c, 0xfe, 0x43,
	0xda, 0xd2, 0x66, 0xbc, 0xb0, 0x19, 0x0b, 0x11, 0xb5, 0xa4, 0xcd, 0xbe, 0xd8, 0x0c, 0x9f, 0x70,
	0xc0, 0x4d, 0xb9, 0x1e, 0x8b, 0xfa, 0x8d, 0x61, 0x9c, 0xc4, 0x85, 0x83, 0xcf, 0x65, 0x4d, 0x0f,
	0xc8, 0x26, 0x02, 0xee, 0xa4, 0x59, 0x80, 0x63, 0xed, 0x7e, 0x38, 0xec, 0x24, 0x1b, 0xa8, 0x5d,
	0xa0, 0x44, 0x27, 0x64, 0xeb, 0x46, 0x9b, 0xa5, 0xe6, 0xa9, 0xc9, 0x85, 0xd2, 0x8e, 0x35, 0x31,
	0x9d, 0xff, 0xd7, 0xa4, 0x33, 0x41, 0x47, 0x9d, 0xc7, 0x26, 0x76, 0x55, 0x92, 0x1b, 0x78, 0xb2,
	0xb9, 0x4a, 0xe9, 0x1e, 0x69, 0x55, 0xf3, 0x30, 0xec, 0x4e, 0x52, 0x57, 0xf4, 0x2d, 0xd9, 0xcb,
	0x85, 0x9c, 0x2b, 0x0d, 0x1c, 0xe7, 0xf3, 0x4c, 0x5d, 0x83, 0x57, 0x39, 0xb0, 0x26, 0xa6, 0xd3,
	0xab, 0x29, 0x5e, 0xf3, 0x53, 0xcd, 0xa6, 0x51, 0x1c, 0x74, 0xc3, 0x69, 0x14, 0x87, 0xdd, 0x68,
	0x1a, 0xc5, 0x51, 0xb7, 0x39, 0x8d, 0xe2, 0x56, 0xb7, 0x3d, 0x38, 0x27, 0xbb, 0x13, 0xc8, 0x60,
	0x26, 0xbc, 0x32, 0xfa, 0x1c, 0x6c, 0xae, 0x9c, 0x53, 0x46, 0x3b, 0xfa, 0x8e, 0x34, 0x6d, 0x91,
	0x81, 0xab, 0x4f, 0x7d, 0xb0, 0x6e, 0x99, 0x5f, 0x8d, 0x49, 0x91, 0x41, 0x52, 0xf9, 0x07, 0x3f,
	0x02, 0xb2, 0xfd, 0x9c, 0x50, 0x4a, 0x22, 0x2d, 0x72, 0xa8, 0x0f, 0x85, 0xff, 0x69, 0x8f, 0x34,
	0xcd, 0x52, 0x83, 0x65, 0x01, 0x6e, 0x57, 0x15, 0xf4, 0x3f, 0xd2, 0xb1, 0x70, 0x5b, 0x80, 0xf3,
	0xc6, 0xb2, 0x10, 0xc9, 0x93, 0x50, 0xae, 0x2e, 0xb2, 0xcc, 0x2c, 0x21, 0xe5, 0xde, 0x70, 0x95,
	0x2f, 0xc0, 0x3a, 0xa3, 0x85, 0x07, 0x16, 0xa1, 0xb5, 0x57, 0xd3, 0x4b, 0x73, 0xf6, 0xc4, 0xe8,
	0x2b, 0xd2, 0x7d, 0xec, 0x12, 0x45, 0xaa, 0x40, 0x4b, 0xc0, 0x0b, 0x75, 0x92, 0xbf, 0x6a, 0xfd,
	0xa4, 0x96, 0xe9, 0x21, 0xd9, 0xf6, 0xc2, 0xce, 0xc0, 0xf3, 0x72, 0x51, 0x25, 0x81, 0xb5, 0xd0,
	0xb8, 0x55, 0xa9, 0x17, 0x95, 0x48, 0x8f, 0xc9, 0x6e, 0x2e, 0xee, 0xf9, 0x9d, 0xc8, 0x54, 0xaa,
	0xfc, 0x03, 0x4f, 0x0b, 0x8b, 0xcb, 0xb2, 0x36, 0x5e, 0xe0, 0xef, 0x5c, 0xdc, 0x7f, 0xad, 0xd9,
	0xa4, 0x46, 0x83, 0x6f, 0x64, 0xbf, 0x6e, 0x3f, 0x91, 0xd2, 0x14, 0xda, 0xbb, 0xd5, 0xb4, 0xdf,
	0x3f, 0x4f, 0xfb, 0x70, 0x4d, 0xda, 0xcf, 0xbb, 0x57, 0x13, 0xff, 0x48, 0xe8, 0x4b, 0xf8, 0xe7,
	0xa1, 0x5f, 0xb5, 0xf0, 0xa3, 0xf0, 0xe6, 0x67, 0x00, 0x00, 0x00, 0xff, 0xff, 0xf6, 0xd6, 0xfd,
	0x81, 0x55, 0x04, 0x00, 0x00,
}