// Listing of go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/server/auth/service/protocol/realms.pb.go

// Copyright 2020 The LUCI Authors. All rights reserved.
// Use of this source code is governed under the Apache License, Version 2.0
// that can be found in the LICENSE file.

// Messages that describe internal representation of LUCI Realms.
//
// They are produced and distributed by the LUCI Auth service based on a high
// level representation fetched via LUCI Config from realms.cfg project config
// files. See realms_config.proto in the auth service source code for schema.
//
// Comments in this file are the authoritative documentation of how LUCI services
// should interpret realms when making authorization decisions.

// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// 	protoc-gen-go v1.31.0
// 	protoc        v3.21.7
// source: go.chromium.org/luci/server/auth/service/protocol/components/auth/proto/realms.proto

package protocol

import (
	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
	reflect "reflect"
	sync "sync"
)

const (
	// Verify that this generated code is sufficiently up-to-date.
	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
	// Verify that runtime/protoimpl is sufficiently up-to-date.
	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)

// Realms is a complete definition of all known permissions and realms in a LUCI
// deployment.
//
// It is generated and distributed across all LUCI services (as part of the
// AuthDB) by the LUCI Auth service.
//
// Note that this is a denormalized internal representation of realms which is
// derived from the high level user-facing representation supplied via multiple
// realms.cfg config files in various config sets. See comments for Realm
// message for details.
//
// The internal representation doesn't have a notion of roles or realm
// inheritance. These concepts are handled by the LUCI Auth service and
// individual downstream services generally **must not care** how it works.
// Instead they should follow the rules outlined in comments in this file (or
// equivalently just use the Realms API exposed by the LUCI auth libraries).
//
// Next ID: 5.
type Realms struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// API version is incremented whenever the semantic meaning of Realms message
	// changes in some backward incompatible way (e.g. some message grows a new
	// field that *must* be checked by services). LUCI services must reject Realms
	// messages that have API versions they don't recognize. It is a precaution
	// against misinterpreting the realms configuration.
	//
	// The current version is 1.
	//
	// NOTE(review): nothing in this generated type enforces the version rule;
	// the rejection has to happen in the code that consumes the message.
	ApiVersion int64 `protobuf:"varint,1,opt,name=api_version,json=apiVersion,proto3" json:"api_version,omitempty"`
	// List of all possible permissions in alphabetical order.
	//
	// Acts as a universal set of permissions in Binding messages.
	//
	// Services may also use this field to check that permissions they are about
	// to use are actually known to the LUCI auth system. This is useful for
	// debugging when adding or removing permissions.
	//
	// See Permission message for more details.
	Permissions []*Permission `protobuf:"bytes,2,rep,name=permissions,proto3" json:"permissions,omitempty"`
	// List of all conditions referenced by bindings.
	//
	// Bindings reference them by their zero-based index in this list.
	Conditions []*Condition `protobuf:"bytes,4,rep,name=conditions,proto3" json:"conditions,omitempty"`
	// List of all registered realms in alphabetical order.
	//
	// See Realm message for more details.
	Realms []*Realm `protobuf:"bytes,3,rep,name=realms,proto3" json:"realms,omitempty"`
}

// Reset overwrites *x with a zero Realms value. When protoimpl.UnsafeEnabled
// is true, the message info for entry 0 of the file's msgTypes table is stored
// in the fresh message state.
func (x *Realms) Reset() {
	*x = Realms{}
	if protoimpl.UnsafeEnabled {
		mi := &file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[0]
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		ms.StoreMessageInfo(mi)
	}
}

// String returns the result of protoimpl.X.MessageStringOf(x).
func (x *Realms) String() string {
	return protoimpl.X.MessageStringOf(x)
}

// ProtoMessage has an empty body; it exists only as a method on *Realms.
func (*Realms) ProtoMessage() {}

// ProtoReflect returns a protoreflect.Message for x.
//
// When protoimpl.UnsafeEnabled is true and x is non-nil, the message state of
// x is returned, with the message info stored into it first if none was loaded.
// Otherwise the result comes from mi.MessageOf(x).
func (x *Realms) ProtoReflect() protoreflect.Message {
	mi := &file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[0]
	if protoimpl.UnsafeEnabled && x != nil {
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		if ms.LoadMessageInfo() == nil {
			ms.StoreMessageInfo(mi)
		}
		return ms
	}
	return mi.MessageOf(x)
}

// Descriptor returns the output of the file's rawDescGZIP helper together with
// the index path []int{0}.
//
// Deprecated: Use Realms.ProtoReflect.Descriptor instead.
func (*Realms) Descriptor() ([]byte, []int) {
	return file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDescGZIP(), []int{0}
}

// GetApiVersion returns x.ApiVersion, or 0 when x is nil.
//
// NOTE(review): 0 is not the current version (1) named in the ApiVersion field
// comment, so a caller that rejects unrecognized versions presumably rejects a
// nil or unset message as well — confirm against the caller.
func (x *Realms) GetApiVersion() int64 {
	if x != nil {
		return x.ApiVersion
	}
	return 0
}

// GetPermissions returns x.Permissions, or nil when x is nil.
func (x *Realms) GetPermissions() []*Permission {
	if x != nil {
		return x.Permissions
	}
	return nil
}

// GetConditions returns x.Conditions, or nil when x is nil.
func (x *Realms) GetConditions() []*Condition {
	if x != nil {
		return x.Conditions
	}
	return nil
}

// GetRealms returns x.Realms, or nil when x is nil.
func (x *Realms) GetRealms() []*Realm {
	if x != nil {
		return x.Realms
	}
	return nil
}

// Permission is a symbol that has form "<service>.<subject>.<verb>", which
// describes some elementary action ("<verb>") that can be done to some category
// of resources ("<subject>"), managed by some particular kind of LUCI service
// ("<service>").
//
// Within each individual realm (see Realm message), a principal (such as an end
// user or a service account) can have zero or more permissions that describe
// what this user can actually do to resources belonging to the realm. See Realm
// message for the definition of what "belonging to the realm" means.
//
// Examples of permissions:
//   - buildbucket.build.create
//   - swarming.pool.listBots
//   - swarming.task.cancel
//
// Note that permission names are composed of generic terms, not some specific
// IDs of service deployments or resources. Generally, using a concrete
// permission name in the service's source code as a constant should look
// natural.
//
// A permission can be marked as "internal". Internal permissions are not
// allowed to appear in custom roles in user-defined project realms.cfg files.
// They can be used in internal realms (defined in realms.cfg in the LUCI Auth
// service config set, see comments for Realm message) and they are added to
// some predefined roles by the LUCI Auth service itself. They are used to set up
// ACLs for internal interactions between LUCI components.
//
// Each individual LUCI service should document what permissions it checks and
// when. It becomes a part of the service's public API. Usually services should
// check only permissions of resources they own (e.g. "<service>.<subject>.*"),
// but in exceptional cases they may also check permissions intended for other
// services. This is primarily useful for services that somehow "proxy" access
// to resources.
//
// Field `permissions` in Realms message describes all permissions known to the
// LUCI Auth service. The LUCI Auth service guarantees that all permissions
// mentioned in all realms (in `realms` field) are among `permissions` set.
//
// If a LUCI service checks a permission that is no longer (or not yet) listed
// in the `permissions` set, the check should succeed with "no permission"
// result, and produce a warning in service's logs.
//
// NOTE(review): read literally, "succeed" refers to the check completing
// without an error while the outcome is a denial; this file contains no code
// that implements the rule — confirm against the authorization library.
type Permission struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	Name     string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`          // "<service>.<subject>.<verb>"
	Internal bool   `protobuf:"varint,2,opt,name=internal,proto3" json:"internal,omitempty"` // internal permissions cannot be used in project realms
}

// Reset overwrites *x with a zero Permission value. When
// protoimpl.UnsafeEnabled is true, the message info for entry 1 of the file's
// msgTypes table is stored in the fresh message state.
func (x *Permission) Reset() {
	*x = Permission{}
	if protoimpl.UnsafeEnabled {
		mi := &file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[1]
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		ms.StoreMessageInfo(mi)
	}
}

// String returns the result of protoimpl.X.MessageStringOf(x).
func (x *Permission) String() string {
	return protoimpl.X.MessageStringOf(x)
}

// ProtoMessage has an empty body; it exists only as a method on *Permission.
func (*Permission) ProtoMessage() {}

// ProtoReflect returns a protoreflect.Message for x.
//
// When protoimpl.UnsafeEnabled is true and x is non-nil, the message state of
// x is returned, with the message info stored into it first if none was loaded.
// Otherwise the result comes from mi.MessageOf(x).
func (x *Permission) ProtoReflect() protoreflect.Message {
	mi := &file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[1]
	if protoimpl.UnsafeEnabled && x != nil {
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		if ms.LoadMessageInfo() == nil {
			ms.StoreMessageInfo(mi)
		}
		return ms
	}
	return mi.MessageOf(x)
}

// Deprecated: Use Permission.ProtoReflect.Descriptor instead.
func (*Permission) Descriptor() ([]byte, []int) {
	// Index path []int{1} matches the msgTypes[1] entry used by the other
	// Permission methods.
	return file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDescGZIP(), []int{1}
}

// GetName returns x.Name, or "" when x is nil.
func (x *Permission) GetName() string {
	if x != nil {
		return x.Name
	}
	return ""
}

// GetInternal returns x.Internal, or false when x is nil.
//
// NOTE(review): a nil Permission therefore reads as "not internal"; callers
// that branch on this flag should check for nil separately.
func (x *Permission) GetInternal() bool {
	if x != nil {
		return x.Internal
	}
	return false
}

// Condition defines a predicate that takes a set of `attribute = value` pairs
// with a context of a particular permission check and returns True if the
// binding guarded by this condition should be respected.
//
// When a service checks a permission, it should pass to the authorization
// library a string-valued dictionary of attributes that describe the context
// of the permission check. It may contain things like the name of the resource
// being accessed, or parameters of the incoming RPC request that triggered
// the check.
//
// A list of available attributes and meaning of their values depends on
// the permission being checked and the service should document it in its API
// documentation.
type Condition struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// Op holds the oneof `op`; it is nil when no variant is set.
	//
	// Types that are assignable to Op:
	//
	//	*Condition_Restrict
	Op isCondition_Op `protobuf_oneof:"op"`
}

// Reset overwrites *x with a zero Condition value. When
// protoimpl.UnsafeEnabled is true, the message info for entry 2 of the file's
// msgTypes table is stored in the fresh message state.
func (x *Condition) Reset() {
	*x = Condition{}
	if protoimpl.UnsafeEnabled {
		mi := &file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[2]
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		ms.StoreMessageInfo(mi)
	}
}

// String returns the result of protoimpl.X.MessageStringOf(x).
func (x *Condition) String() string {
	return protoimpl.X.MessageStringOf(x)
}

// ProtoMessage has an empty body; it exists only as a method on *Condition.
func (*Condition) ProtoMessage() {}

// ProtoReflect returns a protoreflect.Message for x.
//
// When protoimpl.UnsafeEnabled is true and x is non-nil, the message state of
// x is returned, with the message info stored into it first if none was loaded.
// Otherwise the result comes from mi.MessageOf(x).
func (x *Condition) ProtoReflect() protoreflect.Message {
	mi := &file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[2]
	if protoimpl.UnsafeEnabled && x != nil {
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		if ms.LoadMessageInfo() == nil {
			ms.StoreMessageInfo(mi)
		}
		return ms
	}
	return mi.MessageOf(x)
}

// Deprecated: Use Condition.ProtoReflect.Descriptor instead.
func (*Condition) Descriptor() ([]byte, []int) {
	// Index path []int{2} matches the msgTypes[2] entry used by the other
	// Condition methods.
	return file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDescGZIP(), []int{2}
}

// GetOp returns m.Op, or nil when m is nil.
func (m *Condition) GetOp() isCondition_Op {
	if m != nil {
		return m.Op
	}
	return nil
}

// GetRestrict returns the Restrict payload when the oneof holds a
// *Condition_Restrict, and nil in every other case (nil receiver, unset oneof,
// or a different variant).
//
// NOTE(review): a nil result does not distinguish "no condition" from "a
// condition this code does not understand". Treating nil as satisfied would
// widen the guarded binding, so the consumer presumably has to fail closed —
// confirm against the code that evaluates conditions.
func (x *Condition) GetRestrict() *Condition_AttributeRestriction {
	if x, ok := x.GetOp().(*Condition_Restrict); ok {
		return x.Restrict
	}
	return nil
}

// isCondition_Op is the interface type of Condition.Op; its single unexported
// method restricts implementations to types declared in this package.
type isCondition_Op interface {
	isCondition_Op()
}

// Condition_Restrict is the oneof wrapper that carries an attribute
// restriction in Condition.Op.
type Condition_Restrict struct {
	Restrict *Condition_AttributeRestriction `protobuf:"bytes,1,opt,name=restrict,proto3,oneof"`
}

// isCondition_Op has an empty body; it makes *Condition_Restrict satisfy the
// isCondition_Op interface.
func (*Condition_Restrict) isCondition_Op() {}

// Realm is a named collection of (<principal>, <permission>) pairs.
//
// Realms are primarily defined in realms.cfg project config files. Such realms
// are called project realms. They are controlled by respective **project**
// owners and used to define ACLs for resources owned by these projects.
//
// There's a special set of realms (called internal realms or, sometimes, global
// realms) that are defined in realms.cfg in the LUCI Auth service config set.
// They are controlled by LUCI **deployment** owners and used to define ACLs for
// resources that are associated with LUCI deployment or LUCI services (and do
// not belong to any particular LUCI project). They are also allowed to use
// internal roles and permissions to define administrative-level ACLs (i.e. ACLs
// that transcend project boundaries).
//
// A full realm name has form "<project>:<realm>", where:
//   - "<project>" is a name of the LUCI project that defined the realm or
//     literal "@internal" for internal realms.
//   - "<realm>" is a name of the realm from a realms.cfg config file. This name
//     is also known as a project-scoped name, since it makes sense only within
//     a scope of some concrete LUCI project.
//
// A LUCI resource can point to exactly one realm by referring to its full
// "<project>:<realm>" name. Such reference can either be calculated on the fly
// from other resource's properties, or be stored alongside the resource's data.
// We say that such resource "belongs to the realm" or "lives in the realm" or
// is just "in the realm". We also say that such resource belongs to the project
// "<project>". The corresponding Realm message then describes who can do what
// to the resource.
//
// The logic of how resources get assigned to realms is a part of the public API
// of the service that owns resources. Some services may use a static realm
// assignment via project configuration files, others may do it dynamically by
// accepting a realm when a resource is created via an RPC.
//
// There are three special realms (all optional) that a project can have:
// "<project>:@root", "<project>:@legacy" and "<project>:@project".
//
// The root realm should be used as a fallback when an existing resource points
// to a realm that doesn't exist. Without the root realm, such resources become
// effectively inaccessible and this may be undesirable. The root realm usually
// contains only administrative-level bindings.
//
// The legacy realm should be used for legacy resources created before the
// realms mechanism was introduced in case the service can't figure out a more
// appropriate realm based on resource's properties. The service must clearly
// document when and how it uses the legacy realm (if it uses it at all).
//
// The project realm should be used as the realm for 'project global' resources,
// for example, the project configuration itself, or derivations thereof. Some
// LUCI services may use bindings in this realm to allow federation of
// administration responsibilities to the project (rather than relying on
// exclusively LUCI service administrators).
//
// The actual list of (<principal>, <permission>) pairs is defined via a list of
// bindings, where each binding basically says "all these principals have all
// these permissions". In other words, each binding defines some subset of
// permissions and the overall realm permissions is a union of all such subsets.
// Subsets defined by bindings may potentially intersect or be empty.
//
// The LUCI Auth service constructs bindings by interpreting realms.cfg files
// using some set of rules. Individual LUCI services **must not care** about
// what these rules really are. They should use only the end result (in the form
// of bindings) provided in the Realm message. This allows decoupling the
// high-level user-facing language for defining permissions from the
// implementation of each individual LUCI service that checks permissions.
//
// A realm can also carry some small amount of data (usually auth related) that
// LUCI services use when dealing with this realm. It should be something that
// all (or at least more than one) LUCI services use. Configuration specific to
// a single service should be in this service's project config instead.
type Realm struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// Name of the realm as "<project>:<realm>" string, where:
	//
	//	"<project>" matches `^([a-z0-9\-_]{1,100}|@internal)$`.
	//	"<realm>" matches `^([a-z0-9_\.\-/]{1,400}|@root|@legacy|@project)$`.
	//
	// NOTE(review): these patterns are documentation only; nothing in this
	// generated type checks them — TODO confirm where names are validated.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// A list of bindings in lexicographical order of their `permissions` fields.
	Bindings []*Binding `protobuf:"bytes,2,rep,name=bindings,proto3" json:"bindings,omitempty"`
	// Associated data extracted from the realms.cfg project config.
	Data *RealmData `protobuf:"bytes,3,opt,name=data,proto3" json:"data,omitempty"`
}

// Reset overwrites *x with a zero Realm value. When protoimpl.UnsafeEnabled is
// true, the message info for entry 3 of the file's msgTypes table is stored in
// the fresh message state.
func (x *Realm) Reset() {
	*x = Realm{}
	if protoimpl.UnsafeEnabled {
		mi := &file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[3]
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		ms.StoreMessageInfo(mi)
	}
}

// String returns the result of protoimpl.X.MessageStringOf(x).
func (x *Realm) String() string {
	return protoimpl.X.MessageStringOf(x)
}

// ProtoMessage has an empty body; it exists only as a method on *Realm.
func (*Realm) ProtoMessage() {}

// ProtoReflect returns a protoreflect.Message for x.
//
// When protoimpl.UnsafeEnabled is true and x is non-nil, the message state of
// x is returned, with the message info stored into it first if none was loaded.
// Otherwise the result comes from mi.MessageOf(x).
func (x *Realm) ProtoReflect() protoreflect.Message {
	mi := &file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[3]
	if protoimpl.UnsafeEnabled && x != nil {
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		if ms.LoadMessageInfo() == nil {
			ms.StoreMessageInfo(mi)
		}
		return ms
	}
	return mi.MessageOf(x)
}

// Descriptor returns the output of the file's rawDescGZIP helper together with
// the index path []int{3}.
//
// Deprecated: Use Realm.ProtoReflect.Descriptor instead.
func (*Realm) Descriptor() ([]byte, []int) {
	return file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDescGZIP(), []int{3}
}

// GetName returns x.Name, or "" when x is nil.
func (x *Realm) GetName() string {
	if x != nil {
		return x.Name
	}
	return ""
}

// GetBindings returns x.Bindings, or nil when x is nil.
func (x *Realm) GetBindings() []*Binding {
	if x != nil {
		return x.Bindings
	}
	return nil
}

// GetData returns x.Data, or nil when x is nil.
func (x *Realm) GetData() *RealmData {
	if x != nil {
		return x.Data
	}
	return nil
}

// Binding assigns all specified permissions to all specified principals.
type Binding struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// Permissions in increasing order of their indexes.
	//
	// This set is a subset of `permissions` in the Realms message. Each element
	// is an index of a permission in the `permissions` list in the Realms
	// message.
	//
	// These indexes are not stable across different copies of Realms message.
	// They must not be stored or processed in isolation from the containing
	// Realms message.
	//
	// NOTE(review): the values are plain uint32s and this file performs no
	// range check; a consumer should verify each index is within the
	// containing Realms.Permissions list before dereferencing it.
	Permissions []uint32 `protobuf:"varint,1,rep,packed,name=permissions,proto3" json:"permissions,omitempty"`
	// A set of principals to grant all above permissions to.
	//
	// Each entry can either be an identity string (like "user:<email>") or a
	// LUCI group reference "group:<name>".
	//
	// Ordered alphabetically.
	Principals []string `protobuf:"bytes,2,rep,name=principals,proto3" json:"principals,omitempty"`
	// Conditions in increasing order of their indexes.
	//
	// Each element is an index of a condition in the `conditions` list in the
	// Realms message. These conditions are ANDed together. See the public API for
	// details of the semantics.
	//
	// These indexes are not stable across different copies of Realms message.
	// They must not be stored or processed in isolation from the containing
	// Realms message.
	//
	// NOTE(review): as with Permissions, no range check happens in this file;
	// an out-of-range condition index should presumably make the binding
	// unusable rather than unconditional — confirm against the consumer.
	Conditions []uint32 `protobuf:"varint,3,rep,packed,name=conditions,proto3" json:"conditions,omitempty"`
}

// Reset overwrites *x with a zero Binding value. When protoimpl.UnsafeEnabled
// is true, the message info for entry 4 of the file's msgTypes table is stored
// in the fresh message state.
func (x *Binding) Reset() {
	*x = Binding{}
	if protoimpl.UnsafeEnabled {
		mi := &file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[4]
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		ms.StoreMessageInfo(mi)
	}
}

// String returns the result of protoimpl.X.MessageStringOf(x).
func (x *Binding) String() string {
	return protoimpl.X.MessageStringOf(x)
}

// ProtoMessage has an empty body; it exists only as a method on *Binding.
func (*Binding) ProtoMessage() {}

// ProtoReflect returns a protoreflect.Message for x.
//
// When protoimpl.UnsafeEnabled is true and x is non-nil, the message state of
// x is returned, with the message info stored into it first if none was loaded.
// Otherwise the result comes from mi.MessageOf(x).
func (x *Binding) ProtoReflect() protoreflect.Message {
	mi := &file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[4]
	if protoimpl.UnsafeEnabled && x != nil {
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		if ms.LoadMessageInfo() == nil {
			ms.StoreMessageInfo(mi)
		}
		return ms
	}
	return mi.MessageOf(x)
}

// Descriptor returns the output of the file's rawDescGZIP helper together with
// the index path []int{4}.
//
// Deprecated: Use Binding.ProtoReflect.Descriptor instead.
func (*Binding) Descriptor() ([]byte, []int) {
	return file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDescGZIP(), []int{4}
}

// GetPermissions returns x.Permissions, or nil when x is nil.
func (x *Binding) GetPermissions() []uint32 {
	if x != nil {
		return x.Permissions
	}
	return nil
}

// GetPrincipals returns x.Principals, or nil when x is nil.
func (x *Binding) GetPrincipals() []string {
	if x != nil {
		return x.Principals
	}
	return nil
}

// GetConditions returns x.Conditions, or nil when x is nil.
func (x *Binding) GetConditions() []uint32 {
	if x != nil {
		return x.Conditions
	}
	return nil
}

// RealmData is semi-arbitrary non-ACL data extracted from the realms.cfg
// project config and attached to a realm.
type RealmData struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// Used only during Realms migration to gradually roll out the enforcement.
	EnforceInService []string `protobuf:"bytes,1,rep,name=enforce_in_service,json=enforceInService,proto3" json:"enforce_in_service,omitempty"`
}

// Reset overwrites *x with a zero RealmData value. When
// protoimpl.UnsafeEnabled is true, the message info for entry 5 of the file's
// msgTypes table is stored in the fresh message state.
func (x *RealmData) Reset() {
	*x = RealmData{}
	if protoimpl.UnsafeEnabled {
		mi := &file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[5]
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		ms.StoreMessageInfo(mi)
	}
}

// String returns the result of protoimpl.X.MessageStringOf(x).
func (x *RealmData) String() string {
	return protoimpl.X.MessageStringOf(x)
}

// ProtoMessage has an empty body; it exists only as a method on *RealmData.
func (*RealmData) ProtoMessage() {}

// ProtoReflect returns a protoreflect.Message for x.
//
// When protoimpl.UnsafeEnabled is true and x is non-nil, the message state of
// x is returned, with the message info stored into it first if none was loaded.
// Otherwise the result comes from mi.MessageOf(x).
func (x *RealmData) ProtoReflect() protoreflect.Message {
	mi := &file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[5]
	if protoimpl.UnsafeEnabled && x != nil {
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		if ms.LoadMessageInfo() == nil {
			ms.StoreMessageInfo(mi)
		}
		return ms
	}
	return mi.MessageOf(x)
}

// Descriptor returns the output of the file's rawDescGZIP helper together with
// the index path []int{5}.
//
// Deprecated: Use RealmData.ProtoReflect.Descriptor instead.
func (*RealmData) Descriptor() ([]byte, []int) {
	return file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDescGZIP(), []int{5}
}

// GetEnforceInService returns x.EnforceInService, or nil when x is nil.
func (x *RealmData) GetEnforceInService() []string {
	if x != nil {
		return x.EnforceInService
	}
	return nil
}

// AttributeRestriction checks that the attributes set (as a set of key-value
// pairs) contains a particular (attribute, value) pair. Checked values are
// given as a list. The check succeeds if ANY of (attribute, value) pairs are
// present: `any((attribute, value) in attrs for value in values)`.
type Condition_AttributeRestriction struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// Attribute is the key looked up in the attribute set of a permission check.
	Attribute string `protobuf:"bytes,1,opt,name=attribute,proto3" json:"attribute,omitempty"`
	// NOTE(review): with an empty Values list the any(...) rule in the type
	// comment has nothing to match, so the restriction would never be
	// satisfied — confirm against the evaluating code.
	Values []string `protobuf:"bytes,2,rep,name=values,proto3" json:"values,omitempty"` // sorted alphabetically, no dups
}

// Reset overwrites *x with a zero Condition_AttributeRestriction value. When
// protoimpl.UnsafeEnabled is true, the message info for entry 6 of the file's
// msgTypes table is stored in the fresh message state.
func (x *Condition_AttributeRestriction) Reset() {
	*x = Condition_AttributeRestriction{}
	if protoimpl.UnsafeEnabled {
		mi := &file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[6]
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		ms.StoreMessageInfo(mi)
	}
}

// String returns the result of protoimpl.X.MessageStringOf(x).
func (x *Condition_AttributeRestriction) String() string {
	return protoimpl.X.MessageStringOf(x)
}

// ProtoMessage has an empty body; it exists only as a method on
// *Condition_AttributeRestriction.
func (*Condition_AttributeRestriction) ProtoMessage() {}

// ProtoReflect returns a protoreflect.Message for x.
//
// When protoimpl.UnsafeEnabled is true and x is non-nil, the message state of
// x is returned, with the message info stored into it first if none was loaded.
// Otherwise the result comes from mi.MessageOf(x).
func (x *Condition_AttributeRestriction) ProtoReflect() protoreflect.Message {
	mi := &file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[6]
	if protoimpl.UnsafeEnabled && x != nil {
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		if ms.LoadMessageInfo() == nil {
			ms.StoreMessageInfo(mi)
		}
		return ms
	}
	return mi.MessageOf(x)
}

// Deprecated: Use Condition_AttributeRestriction.ProtoReflect.Descriptor instead.
641 func (*Condition_AttributeRestriction) Descriptor() ([]byte, []int) { 642 return file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDescGZIP(), []int{2, 0} 643 } 644 645 func (x *Condition_AttributeRestriction) GetAttribute() string { 646 if x != nil { 647 return x.Attribute 648 } 649 return "" 650 } 651 652 func (x *Condition_AttributeRestriction) GetValues() []string { 653 if x != nil { 654 return x.Values 655 } 656 return nil 657 } 658 659 var File_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto protoreflect.FileDescriptor 660 661 var file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDesc = []byte{ 662 0x0a, 0x54, 0x67, 0x6f, 0x2e, 0x63, 0x68, 0x72, 0x6f, 0x6d, 0x69, 0x75, 0x6d, 0x2e, 0x6f, 0x72, 663 0x67, 0x2f, 0x6c, 0x75, 0x63, 0x69, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x61, 0x75, 664 0x74, 0x68, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 665 0x63, 0x6f, 0x6c, 0x2f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2f, 0x61, 666 0x75, 0x74, 0x68, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x72, 0x65, 0x61, 0x6c, 0x6d, 0x73, 667 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x16, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 668 0x74, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x72, 0x65, 0x61, 0x6c, 0x6d, 0x73, 0x22, 0xe9, 669 0x01, 0x0a, 0x06, 0x52, 0x65, 0x61, 0x6c, 0x6d, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x61, 0x70, 0x69, 670 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0a, 671 0x61, 0x70, 0x69, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x44, 0x0a, 0x0b, 0x70, 0x65, 672 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 673 0x22, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x61, 0x75, 0x74, 674 0x68, 0x2e, 0x72, 0x65, 0x61, 0x6c, 0x6d, 0x73, 0x2e, 0x50, 
0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 675 0x69, 0x6f, 0x6e, 0x52, 0x0b, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 676 0x12, 0x41, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 677 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 678 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x72, 0x65, 0x61, 0x6c, 0x6d, 0x73, 0x2e, 0x43, 0x6f, 679 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 680 0x6f, 0x6e, 0x73, 0x12, 0x35, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x6c, 0x6d, 0x73, 0x18, 0x03, 0x20, 681 0x03, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 682 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x72, 0x65, 0x61, 0x6c, 0x6d, 0x73, 0x2e, 0x52, 0x65, 0x61, 683 0x6c, 0x6d, 0x52, 0x06, 0x72, 0x65, 0x61, 0x6c, 0x6d, 0x73, 0x22, 0x3c, 0x0a, 0x0a, 0x50, 0x65, 684 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 685 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 686 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 687 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x22, 0xb5, 0x01, 0x0a, 0x09, 0x43, 0x6f, 0x6e, 688 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x54, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 689 0x63, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x36, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 690 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x72, 0x65, 0x61, 0x6c, 0x6d, 691 0x73, 0x2e, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x41, 0x74, 0x74, 0x72, 692 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x6f, 0x6e, 693 0x48, 0x00, 0x52, 0x08, 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x1a, 0x4c, 0x0a, 0x14, 694 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 
0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 695 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 696 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 697 0x74, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 698 0x28, 0x09, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x42, 0x04, 0x0a, 0x02, 0x6f, 0x70, 699 0x22, 0x8f, 0x01, 0x0a, 0x05, 0x52, 0x65, 0x61, 0x6c, 0x6d, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 700 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x3b, 701 0x0a, 0x08, 0x62, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 702 0x32, 0x1f, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x61, 0x75, 703 0x74, 0x68, 0x2e, 0x72, 0x65, 0x61, 0x6c, 0x6d, 0x73, 0x2e, 0x42, 0x69, 0x6e, 0x64, 0x69, 0x6e, 704 0x67, 0x52, 0x08, 0x62, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x35, 0x0a, 0x04, 0x64, 705 0x61, 0x74, 0x61, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 706 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x72, 0x65, 0x61, 0x6c, 707 0x6d, 0x73, 0x2e, 0x52, 0x65, 0x61, 0x6c, 0x6d, 0x44, 0x61, 0x74, 0x61, 0x52, 0x04, 0x64, 0x61, 708 0x74, 0x61, 0x22, 0x6b, 0x0a, 0x07, 0x42, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x20, 0x0a, 709 0x0b, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 710 0x28, 0x0d, 0x52, 0x0b, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 711 0x1e, 0x0a, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x18, 0x02, 0x20, 712 0x03, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x12, 713 0x1e, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x03, 0x20, 714 0x03, 0x28, 0x0d, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x64, 0x69, 
0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22,
	0x39, 0x0a, 0x09, 0x52, 0x65, 0x61, 0x6c, 0x6d, 0x44, 0x61, 0x74, 0x61, 0x12, 0x2c, 0x0a, 0x12,
	0x65, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x5f, 0x69, 0x6e, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69,
	0x63, 0x65, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x65, 0x6e, 0x66, 0x6f, 0x72, 0x63,
	0x65, 0x49, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x42, 0x3c, 0x5a, 0x3a, 0x67, 0x6f,
	0x2e, 0x63, 0x68, 0x72, 0x6f, 0x6d, 0x69, 0x75, 0x6d, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x6c, 0x75,
	0x63, 0x69, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x73,
	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x3b,
	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}

// Lazily compressed copy of the raw descriptor.
//
// rawDescData starts out referring to the same bytes as rawDesc and is
// replaced by its gzip-compressed form the first time rawDescGZIP runs;
// rawDescOnce ensures that replacement happens at most once.
var (
	file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDescOnce sync.Once
	file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDescData = file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDesc
)

// file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDescGZIP
// returns the descriptor bytes after compression with protoimpl.X.CompressGZIP.
//
// The compression runs once under rawDescOnce and its result is cached in
// rawDescData. The returned slice is that package-level cache itself, not a
// copy.
func file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDescGZIP() []byte {
	file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDescOnce.Do(func() {
		file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDescData = protoimpl.X.CompressGZIP(file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDescData)
	})
	return file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDescData
}

// One protoimpl.MessageInfo slot per message type. The length 7 matches
// NumMessages in the TypeBuilder below and the number of entries in goTypes.
var file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes = make([]protoimpl.MessageInfo, 7)

// Go types of the messages in this file, as typed nil pointers. The position
// in this slice is the index used by depIdxs and by msgTypes.
var file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_goTypes = []interface{}{
	(*Realms)(nil),                         // 0: components.auth.realms.Realms
	(*Permission)(nil),                     // 1: components.auth.realms.Permission
	(*Condition)(nil),                      // 2: components.auth.realms.Condition
	(*Realm)(nil),                          // 3: components.auth.realms.Realm
	(*Binding)(nil),                        // 4: components.auth.realms.Binding
	(*RealmData)(nil),                      // 5: components.auth.realms.RealmData
	(*Condition_AttributeRestriction)(nil), // 6: components.auth.realms.Condition.AttributeRestriction
}

// Dependency table: each of the first six entries is an index into goTypes
// naming the message type a field refers to; the trailing five entries are the
// start offsets of the sub-lists described in their comments.
var file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_depIdxs = []int32{
	1, // 0: components.auth.realms.Realms.permissions:type_name -> components.auth.realms.Permission
	2, // 1: components.auth.realms.Realms.conditions:type_name -> components.auth.realms.Condition
	3, // 2: components.auth.realms.Realms.realms:type_name -> components.auth.realms.Realm
	6, // 3: components.auth.realms.Condition.restrict:type_name -> components.auth.realms.Condition.AttributeRestriction
	4, // 4: components.auth.realms.Realm.bindings:type_name -> components.auth.realms.Binding
	5, // 5: components.auth.realms.Realm.data:type_name -> components.auth.realms.RealmData
	6, // [6:6] is the sub-list for method output_type
	6, // [6:6] is the sub-list for method input_type
	6, // [6:6] is the sub-list for extension type_name
	6, // [6:6] is the sub-list for extension extendee
	0, // [0:6] is the sub-list for field type_name
}

// init builds the file descriptor and message types when the package is
// loaded.
func init() {
	file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_init()
}

// file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_init
// builds the descriptor and type information for the seven messages of this
// file and stores the resulting file descriptor in
// File_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto.
//
// It returns immediately when that variable is already set, so repeated calls
// do nothing. The statement order matters: the tables are handed to
// TypeBuilder.Build before they are set to nil at the end.
func file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_init() {
	if File_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto != nil {
		return
	}
	// Only when protoimpl.UnsafeEnabled is false: give every MessageInfo an
	// Exporter that maps index 0, 1 and 2 to pointers to the message's
	// unexported state, sizeCache and unknownFields fields, and returns nil for
	// any other index.
	// NOTE(review): presumably this lets the runtime reach those fields without
	// package unsafe; confirm against the protoimpl documentation.
	if !protoimpl.UnsafeEnabled {
		file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
			switch v := v.(*Realms); i {
			case 0:
				return &v.state
			case 1:
				return &v.sizeCache
			case 2:
				return &v.unknownFields
			default:
				return nil
			}
		}
		file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
			switch v := v.(*Permission); i {
			case 0:
				return &v.state
			case 1:
				return &v.sizeCache
			case 2:
				return &v.unknownFields
			default:
				return nil
			}
		}
		file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
			switch v := v.(*Condition); i {
			case 0:
				return &v.state
			case 1:
				return &v.sizeCache
			case 2:
				return &v.unknownFields
			default:
				return nil
			}
		}
		file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
			switch v := v.(*Realm); i {
			case 0:
				return &v.state
			case 1:
				return &v.sizeCache
			case 2:
				return &v.unknownFields
			default:
				return nil
			}
		}
		file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
			switch v := v.(*Binding); i {
			case 0:
				return &v.state
			case 1:
				return &v.sizeCache
			case 2:
				return &v.unknownFields
			default:
				return nil
			}
		}
		file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
			switch v := v.(*RealmData); i {
			case 0:
				return &v.state
			case 1:
				return &v.sizeCache
			case 2:
				return &v.unknownFields
			default:
				return nil
			}
		}
		file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
			switch v := v.(*Condition_AttributeRestriction); i {
			case 0:
				return &v.state
			case 1:
				return &v.sizeCache
			case 2:
				return &v.unknownFields
			default:
				return nil
			}
		}
	}
	// Message index 2 is Condition (see goTypes); Condition_Restrict is listed
	// as its only oneof wrapper type.
	file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes[2].OneofWrappers = []interface{}{
		(*Condition_Restrict)(nil),
	}
	// x is a throwaway local type used only to obtain this package's import
	// path through reflection.
	type x struct{}
	out := protoimpl.TypeBuilder{
		File: protoimpl.DescBuilder{
			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
			RawDescriptor: file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDesc,
			NumEnums:      0,
			NumMessages:   7,
			NumExtensions: 0,
			NumServices:   0,
		},
		GoTypes:           file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_goTypes,
		DependencyIndexes: file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_depIdxs,
		MessageInfos:      file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_msgTypes,
	}.Build()
	File_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto = out.File
	// The build inputs are cleared once Build has returned. rawDescData was
	// initialised from rawDesc at package level, so it still refers to the
	// descriptor bytes and rawDescGZIP keeps working.
	file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_rawDesc = nil
	file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_goTypes = nil
	file_go_chromium_org_luci_server_auth_service_protocol_components_auth_proto_realms_proto_depIdxs = nil
}