go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/tokenserver/api/minter/v1/token_minter_grpc.pb.go (about) 1 // Copyright 2016 The LUCI Authors. All rights reserved. 2 // Use of this source code is governed under the Apache License, Version 2.0 3 // that can be found in the LICENSE file. 4 5 // Code generated by protoc-gen-go-grpc. DO NOT EDIT. 6 // versions: 7 // - protoc-gen-go-grpc v1.3.0 8 // - protoc v3.21.7 9 // source: go.chromium.org/luci/tokenserver/api/minter/v1/token_minter.proto 10 11 package minter 12 13 import ( 14 context "context" 15 grpc "google.golang.org/grpc" 16 codes "google.golang.org/grpc/codes" 17 status "google.golang.org/grpc/status" 18 ) 19 20 // This is a compile-time assertion to ensure that this generated file 21 // is compatible with the grpc package it is being compiled against. 22 // Requires gRPC-Go v1.32.0 or later. 23 const _ = grpc.SupportPackageIsVersion7 24 25 const ( 26 TokenMinter_MintMachineToken_FullMethodName = "/tokenserver.minter.TokenMinter/MintMachineToken" 27 TokenMinter_MintDelegationToken_FullMethodName = "/tokenserver.minter.TokenMinter/MintDelegationToken" 28 TokenMinter_MintProjectToken_FullMethodName = "/tokenserver.minter.TokenMinter/MintProjectToken" 29 TokenMinter_MintServiceAccountToken_FullMethodName = "/tokenserver.minter.TokenMinter/MintServiceAccountToken" 30 ) 31 32 // TokenMinterClient is the client API for TokenMinter service. 33 // 34 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. 35 type TokenMinterClient interface { 36 // MintMachineToken generates a new token for an authenticated machine. 37 // 38 // It checks that provided certificate was signed by some trusted CA, and it 39 // is still valid (non-expired and hasn't been revoked). It then checks that 40 // the request was signed by the corresponding private key. Finally it checks 41 // that the caller is authorized to generate requested kind of token. 42 // 43 // If everything checks out, it generates and returns a new machine token. 44 // 45 // On fatal error it returns detailed error response via same 46 // MintMachineTokenResponse. On transient errors it returns generic 47 // grpc.Internal error. 48 MintMachineToken(ctx context.Context, in *MintMachineTokenRequest, opts ...grpc.CallOption) (*MintMachineTokenResponse, error) 49 // MintDelegationToken generates a new bearer delegation token. 50 // 51 // Such token can be sent in 'X-Delegation-Token-V1' header (alongside regular 52 // credentials like OAuth2 access token) to convey that the caller should be 53 // authentication as 'delegated_identity' specified in the token. 54 // 55 // The delegation tokens are subject to multiple restrictions (embedded in 56 // the token): 57 // - They have expiration time. 58 // - They are usable only if presented with a credential of someone from 59 // the 'audience' list. 60 // - They are usable only on services specified in the 'services' list. 61 // 62 // The token server must be configured in advance with all expected 63 // combinations of (caller identity, delegated identity, audience, service) 64 // tuples. See DelegationRule in config.proto. 65 MintDelegationToken(ctx context.Context, in *MintDelegationTokenRequest, opts ...grpc.CallOption) (*MintDelegationTokenResponse, error) 66 // MintProjectToken mints an OAuth2 access token that represents an identity 67 // associated with a LUCI project. 68 // 69 // Project-scoped tokens prevent accidental cross-project identity confusion 70 // when LUCI services access project specific resources such as a source code 71 // repository. 72 MintProjectToken(ctx context.Context, in *MintProjectTokenRequest, opts ...grpc.CallOption) (*MintProjectTokenResponse, error) 73 // MintServiceAccountToken mints an OAuth2 access token or OpenID ID token 74 // that belongs to some service account using LUCI Realms for authorization. 75 // 76 // As an input it takes a service account email and a name of a LUCI Realm the 77 // caller is operating in. To authorize the call the token server checks the 78 // following conditions: 79 // 1. The caller has luci.serviceAccounts.mintToken permission in the 80 // realm, allowing them to "impersonate" all service accounts belonging 81 // to this realm. 82 // 2. The service account has luci.serviceAccounts.existInRealm permission 83 // in the realm. This makes the account "belong" to the realm. 84 // 3. Realm's LUCI project is allowed to impersonate this service account: 85 // a. Legacy approach being deprecated: realm's LUCI project is NOT listed 86 // in `use_project_scoped_account` set in project_owned_accounts.cfg 87 // global config file, but it has service accounts associated with it 88 // there via `mapping` field. In that case LUCI Token Server will check 89 // `mapping` and then use its own service account when minting tokens. 90 // b. New approach being rolled out: realm's LUCI project is listed in 91 // `use_project_scoped_account` set in project_owned_accounts.cfg 92 // global config file. In that case LUCI Token Server will use 93 // project-scoped account associated with this LUCI project when 94 // minting service account tokens. This essentially shifts mapping 95 // between LUCI projects and service accounts they can use into 96 // service account IAM policies. 97 // 98 // Check (3) makes sure different LUCI projects can't arbitrarily use each 99 // others accounts by adding them to their respective realms.cfg. See also 100 // comments for ServiceAccountsProjectMapping in api/admin/v1/config.proto. 101 MintServiceAccountToken(ctx context.Context, in *MintServiceAccountTokenRequest, opts ...grpc.CallOption) (*MintServiceAccountTokenResponse, error) 102 } 103 104 type tokenMinterClient struct { 105 cc grpc.ClientConnInterface 106 } 107 108 func NewTokenMinterClient(cc grpc.ClientConnInterface) TokenMinterClient { 109 return &tokenMinterClient{cc} 110 } 111 112 func (c *tokenMinterClient) MintMachineToken(ctx context.Context, in *MintMachineTokenRequest, opts ...grpc.CallOption) (*MintMachineTokenResponse, error) { 113 out := new(MintMachineTokenResponse) 114 err := c.cc.Invoke(ctx, TokenMinter_MintMachineToken_FullMethodName, in, out, opts...) 115 if err != nil { 116 return nil, err 117 } 118 return out, nil 119 } 120 121 func (c *tokenMinterClient) MintDelegationToken(ctx context.Context, in *MintDelegationTokenRequest, opts ...grpc.CallOption) (*MintDelegationTokenResponse, error) { 122 out := new(MintDelegationTokenResponse) 123 err := c.cc.Invoke(ctx, TokenMinter_MintDelegationToken_FullMethodName, in, out, opts...) 124 if err != nil { 125 return nil, err 126 } 127 return out, nil 128 } 129 130 func (c *tokenMinterClient) MintProjectToken(ctx context.Context, in *MintProjectTokenRequest, opts ...grpc.CallOption) (*MintProjectTokenResponse, error) { 131 out := new(MintProjectTokenResponse) 132 err := c.cc.Invoke(ctx, TokenMinter_MintProjectToken_FullMethodName, in, out, opts...) 133 if err != nil { 134 return nil, err 135 } 136 return out, nil 137 } 138 139 func (c *tokenMinterClient) MintServiceAccountToken(ctx context.Context, in *MintServiceAccountTokenRequest, opts ...grpc.CallOption) (*MintServiceAccountTokenResponse, error) { 140 out := new(MintServiceAccountTokenResponse) 141 err := c.cc.Invoke(ctx, TokenMinter_MintServiceAccountToken_FullMethodName, in, out, opts...) 142 if err != nil { 143 return nil, err 144 } 145 return out, nil 146 } 147 148 // TokenMinterServer is the server API for TokenMinter service. 149 // All implementations must embed UnimplementedTokenMinterServer 150 // for forward compatibility 151 type TokenMinterServer interface { 152 // MintMachineToken generates a new token for an authenticated machine. 153 // 154 // It checks that provided certificate was signed by some trusted CA, and it 155 // is still valid (non-expired and hasn't been revoked). It then checks that 156 // the request was signed by the corresponding private key. Finally it checks 157 // that the caller is authorized to generate requested kind of token. 158 // 159 // If everything checks out, it generates and returns a new machine token. 160 // 161 // On fatal error it returns detailed error response via same 162 // MintMachineTokenResponse. On transient errors it returns generic 163 // grpc.Internal error. 164 MintMachineToken(context.Context, *MintMachineTokenRequest) (*MintMachineTokenResponse, error) 165 // MintDelegationToken generates a new bearer delegation token. 166 // 167 // Such token can be sent in 'X-Delegation-Token-V1' header (alongside regular 168 // credentials like OAuth2 access token) to convey that the caller should be 169 // authentication as 'delegated_identity' specified in the token. 170 // 171 // The delegation tokens are subject to multiple restrictions (embedded in 172 // the token): 173 // - They have expiration time. 174 // - They are usable only if presented with a credential of someone from 175 // the 'audience' list. 176 // - They are usable only on services specified in the 'services' list. 177 // 178 // The token server must be configured in advance with all expected 179 // combinations of (caller identity, delegated identity, audience, service) 180 // tuples. See DelegationRule in config.proto. 181 MintDelegationToken(context.Context, *MintDelegationTokenRequest) (*MintDelegationTokenResponse, error) 182 // MintProjectToken mints an OAuth2 access token that represents an identity 183 // associated with a LUCI project. 184 // 185 // Project-scoped tokens prevent accidental cross-project identity confusion 186 // when LUCI services access project specific resources such as a source code 187 // repository. 188 MintProjectToken(context.Context, *MintProjectTokenRequest) (*MintProjectTokenResponse, error) 189 // MintServiceAccountToken mints an OAuth2 access token or OpenID ID token 190 // that belongs to some service account using LUCI Realms for authorization. 191 // 192 // As an input it takes a service account email and a name of a LUCI Realm the 193 // caller is operating in. To authorize the call the token server checks the 194 // following conditions: 195 // 1. The caller has luci.serviceAccounts.mintToken permission in the 196 // realm, allowing them to "impersonate" all service accounts belonging 197 // to this realm. 198 // 2. The service account has luci.serviceAccounts.existInRealm permission 199 // in the realm. This makes the account "belong" to the realm. 200 // 3. Realm's LUCI project is allowed to impersonate this service account: 201 // a. Legacy approach being deprecated: realm's LUCI project is NOT listed 202 // in `use_project_scoped_account` set in project_owned_accounts.cfg 203 // global config file, but it has service accounts associated with it 204 // there via `mapping` field. In that case LUCI Token Server will check 205 // `mapping` and then use its own service account when minting tokens. 206 // b. New approach being rolled out: realm's LUCI project is listed in 207 // `use_project_scoped_account` set in project_owned_accounts.cfg 208 // global config file. In that case LUCI Token Server will use 209 // project-scoped account associated with this LUCI project when 210 // minting service account tokens. This essentially shifts mapping 211 // between LUCI projects and service accounts they can use into 212 // service account IAM policies. 213 // 214 // Check (3) makes sure different LUCI projects can't arbitrarily use each 215 // others accounts by adding them to their respective realms.cfg. See also 216 // comments for ServiceAccountsProjectMapping in api/admin/v1/config.proto. 217 MintServiceAccountToken(context.Context, *MintServiceAccountTokenRequest) (*MintServiceAccountTokenResponse, error) 218 mustEmbedUnimplementedTokenMinterServer() 219 } 220 221 // UnimplementedTokenMinterServer must be embedded to have forward compatible implementations. 222 type UnimplementedTokenMinterServer struct { 223 } 224 225 func (UnimplementedTokenMinterServer) MintMachineToken(context.Context, *MintMachineTokenRequest) (*MintMachineTokenResponse, error) { 226 return nil, status.Errorf(codes.Unimplemented, "method MintMachineToken not implemented") 227 } 228 func (UnimplementedTokenMinterServer) MintDelegationToken(context.Context, *MintDelegationTokenRequest) (*MintDelegationTokenResponse, error) { 229 return nil, status.Errorf(codes.Unimplemented, "method MintDelegationToken not implemented") 230 } 231 func (UnimplementedTokenMinterServer) MintProjectToken(context.Context, *MintProjectTokenRequest) (*MintProjectTokenResponse, error) { 232 return nil, status.Errorf(codes.Unimplemented, "method MintProjectToken not implemented") 233 } 234 func (UnimplementedTokenMinterServer) MintServiceAccountToken(context.Context, *MintServiceAccountTokenRequest) (*MintServiceAccountTokenResponse, error) { 235 return nil, status.Errorf(codes.Unimplemented, "method MintServiceAccountToken not implemented") 236 } 237 func (UnimplementedTokenMinterServer) mustEmbedUnimplementedTokenMinterServer() {} 238 239 // UnsafeTokenMinterServer may be embedded to opt out of forward compatibility for this service. 240 // Use of this interface is not recommended, as added methods to TokenMinterServer will 241 // result in compilation errors. 242 type UnsafeTokenMinterServer interface { 243 mustEmbedUnimplementedTokenMinterServer() 244 } 245 246 func RegisterTokenMinterServer(s grpc.ServiceRegistrar, srv TokenMinterServer) { 247 s.RegisterService(&TokenMinter_ServiceDesc, srv) 248 } 249 250 func _TokenMinter_MintMachineToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { 251 in := new(MintMachineTokenRequest) 252 if err := dec(in); err != nil { 253 return nil, err 254 } 255 if interceptor == nil { 256 return srv.(TokenMinterServer).MintMachineToken(ctx, in) 257 } 258 info := &grpc.UnaryServerInfo{ 259 Server: srv, 260 FullMethod: TokenMinter_MintMachineToken_FullMethodName, 261 } 262 handler := func(ctx context.Context, req interface{}) (interface{}, error) { 263 return srv.(TokenMinterServer).MintMachineToken(ctx, req.(*MintMachineTokenRequest)) 264 } 265 return interceptor(ctx, in, info, handler) 266 } 267 268 func _TokenMinter_MintDelegationToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { 269 in := new(MintDelegationTokenRequest) 270 if err := dec(in); err != nil { 271 return nil, err 272 } 273 if interceptor == nil { 274 return srv.(TokenMinterServer).MintDelegationToken(ctx, in) 275 } 276 info := &grpc.UnaryServerInfo{ 277 Server: srv, 278 FullMethod: TokenMinter_MintDelegationToken_FullMethodName, 279 } 280 handler := func(ctx context.Context, req interface{}) (interface{}, error) { 281 return srv.(TokenMinterServer).MintDelegationToken(ctx, req.(*MintDelegationTokenRequest)) 282 } 283 return interceptor(ctx, in, info, handler) 284 } 285 286 func _TokenMinter_MintProjectToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { 287 in := new(MintProjectTokenRequest) 288 if err := dec(in); err != nil { 289 return nil, err 290 } 291 if interceptor == nil { 292 return srv.(TokenMinterServer).MintProjectToken(ctx, in) 293 } 294 info := &grpc.UnaryServerInfo{ 295 Server: srv, 296 FullMethod: TokenMinter_MintProjectToken_FullMethodName, 297 } 298 handler := func(ctx context.Context, req interface{}) (interface{}, error) { 299 return srv.(TokenMinterServer).MintProjectToken(ctx, req.(*MintProjectTokenRequest)) 300 } 301 return interceptor(ctx, in, info, handler) 302 } 303 304 func _TokenMinter_MintServiceAccountToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { 305 in := new(MintServiceAccountTokenRequest) 306 if err := dec(in); err != nil { 307 return nil, err 308 } 309 if interceptor == nil { 310 return srv.(TokenMinterServer).MintServiceAccountToken(ctx, in) 311 } 312 info := &grpc.UnaryServerInfo{ 313 Server: srv, 314 FullMethod: TokenMinter_MintServiceAccountToken_FullMethodName, 315 } 316 handler := func(ctx context.Context, req interface{}) (interface{}, error) { 317 return srv.(TokenMinterServer).MintServiceAccountToken(ctx, req.(*MintServiceAccountTokenRequest)) 318 } 319 return interceptor(ctx, in, info, handler) 320 } 321 322 // TokenMinter_ServiceDesc is the grpc.ServiceDesc for TokenMinter service. 323 // It's only intended for direct use with grpc.RegisterService, 324 // and not to be introspected or modified (even as a copy) 325 var TokenMinter_ServiceDesc = grpc.ServiceDesc{ 326 ServiceName: "tokenserver.minter.TokenMinter", 327 HandlerType: (*TokenMinterServer)(nil), 328 Methods: []grpc.MethodDesc{ 329 { 330 MethodName: "MintMachineToken", 331 Handler: _TokenMinter_MintMachineToken_Handler, 332 }, 333 { 334 MethodName: "MintDelegationToken", 335 Handler: _TokenMinter_MintDelegationToken_Handler, 336 }, 337 { 338 MethodName: "MintProjectToken", 339 Handler: _TokenMinter_MintProjectToken_Handler, 340 }, 341 { 342 MethodName: "MintServiceAccountToken", 343 Handler: _TokenMinter_MintServiceAccountToken_Handler, 344 }, 345 }, 346 Streams: []grpc.StreamDesc{}, 347 Metadata: "go.chromium.org/luci/tokenserver/api/minter/v1/token_minter.proto", 348 }