token-server: Delegation config import, validation and evaluation.

tokenserver/api/admin/v1/config.pb.go

 // Code generated by protoc-gen-go.
 // source: github.com/luci/luci-go/tokenserver/api/admin/v1/config.proto
 // DO NOT EDIT!
 
 package admin
 
 import proto "github.com/golang/protobuf/proto"
 import fmt "fmt"
 import math "math"
 
@@ skipping 131 matching lines @@
         // "REQUESTOR" allows one to generate tokens that delegate their own identity
         // to some target audience.
         AllowedToImpersonate []string `protobuf:"bytes,4,rep,name=allowed_to_impersonate,json=allowedToImpersonate" json:"allowed_to_impersonate,omitempty"`
         // A set of identities that should be able to use the new token.
         //
         // Each element is either:
         //  * An identity string ("user:<email>").
         //  * A group reference ("group:<name>").
         //  * A special identifier "REQUESTOR" that is substituted by the requestor
         //    identity when evaluating the rule.
+        //  * A special token "*" that means "any bearer can use the new token,
+        //    including anonymous".
         //
         // "REQUESTOR" is typically used here for rules that allow requestors to
         // impersonate someone else. The corresponding tokens have the requestor as
         // the only allowed audience.
         AllowedAudience []string `protobuf:"bytes,5,rep,name=allowed_audience,json=allowedAudience" json:"allowed_audience,omitempty"`
         // A set of services that should be able to accept the new token.
         //
-        // Each element is a service identity string ("service:<id>").
+        // Each element is either:
+        //  * A service identity string ("service:<id>").
+        //  * A special token "*" that mean "any LUCI service should accept the
+        //    token".
         TargetService []string `protobuf:"bytes,6,rep,name=target_service,json=targetService" json:"target_service,omitempty"`
         // Maximum allowed validity duration (sec) of minted delegation tokens.
         //
         // Default is 12 hours.
         MaxValidityDuration int64 `protobuf:"varint,7,opt,name=max_validity_duration,json=maxValidityDuration" json:"max_validity_duration,omitempty"`
 }
 
 func (m *DelegationRule) Reset()                    { *m = DelegationRule{} }
 func (m *DelegationRule) String() string            { return proto.CompactTextString(m) }
 func (*DelegationRule) ProtoMessage()               {}
@@ skipping 41 matching lines @@
         0xa4, 0x83, 0xe6, 0x41, 0x63, 0x06, 0xce, 0x5d, 0x55, 0xd0, 0x67, 0xa4, 0xaf, 0x01, 0x83, 0x33,
         0x56, 0x69, 0x8c, 0xc0, 0x31, 0x7b, 0xc0, 0x59, 0xe7, 0x79, 0xae, 0x76, 0x90, 0xa2, 0x75, 0x26,
         0x8a, 0x0d, 0x68, 0xa3, 0x24, 0x7e, 0x11, 0x18, 0x89, 0x93, 0x8e, 0x6a, 0xf6, 0x56, 0x5d, 0xef,
         0x39, 0xfa, 0x8a, 0x0c, 0xef, 0xbb, 0x78, 0x99, 0x0a, 0x90, 0x09, 0xf8, 0x84, 0xfa, 0xf1, 0xff,
         0x35, 0x7e, 0x59, 0xc3, 0xf4, 0x25, 0x19, 0x58, 0xae, 0x33, 0xb0, 0xcc, 0x19, 0x15, 0x28, 0x0c,
         0xbc, 0xf0, 0xb8, 0x42, 0x6f, 0x2a, 0x90, 0x5e, 0x90, 0x71, 0xc1, 0xbf, 0xb1, 0x2d, 0xcf, 0x45,
         0x8a, 0x9f, 0x21, 0x4b, 0x4b, 0xed, 0xcd, 0x86, 0x5d, 0x9f, 0xc0, 0x23, 0x24, 0xbf, 0xd4, 0xdc,
         0xbc, 0xa6, 0x96, 0x81, 0xff, 0x5b, 0xbd, 0xf9, 0x15, 0x00, 0x00, 0xff, 0xff, 0x68, 0x96, 0x3b,
         0x9b, 0x97, 0x03, 0x00, 0x00,
 }